From: Greg Kroah-Hartman Date: Thu, 11 Apr 2024 09:22:10 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.19.312~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=97c4a94d620372df790f86a2563d7c0f6a2a238c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: bluetooth-btintel-fixe-build-regression.patch vmci-fix-possible-memcpy-run-time-warning-in-vmci_datagram_invoke_guest_handler.patch
---
diff --git a/queue-5.4/bluetooth-btintel-fixe-build-regression.patch b/queue-5.4/bluetooth-btintel-fixe-build-regression.patch
new file mode 100644
index 00000000000..592f359830b
--- /dev/null
+++ b/queue-5.4/bluetooth-btintel-fixe-build-regression.patch
@@ -0,0 +1,39 @@
+From 6e62ebfb49eb65bdcbfc5797db55e0ce7f79c3dd Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Fri, 23 Feb 2024 12:36:23 -0500
+Subject: Bluetooth: btintel: Fixe build regression
+
+From: Luiz Augusto von Dentz
+
+commit 6e62ebfb49eb65bdcbfc5797db55e0ce7f79c3dd upstream.
+
+This fixes the following build regression:
+
+drivers-bluetooth-btintel.c-btintel_read_version()-warn:
+passing-zero-to-PTR_ERR
+
+Fixes: b79e04091010 ("Bluetooth: btintel: Fix null ptr deref in btintel_read_version")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/btintel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/btintel.c
++++ b/drivers/bluetooth/btintel.c
+@@ -340,13 +340,13 @@ int btintel_read_version(struct hci_dev
+ struct sk_buff *skb;
+
+ skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
+- if (IS_ERR_OR_NULL(skb)) {
++ if (IS_ERR(skb)) {
+ bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
+ PTR_ERR(skb));
+ return PTR_ERR(skb);
+ }
+
+- if (skb->len != sizeof(*ver)) {
++ if (!skb || skb->len != sizeof(*ver)) {
+ bt_dev_err(hdev, "Intel version event size mismatch");
+ kfree_skb(skb);
+ return -EILSEQ;
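Review bot: In the backported `btintel_read_version()` change, a NULL `skb` now falls into the length check and is logged as "Intel version event size mismatch" with `-EILSEQ`, so an absent reply and a malformed one become indistinguishable in the log. The NULL test still runs before `skb->len` is read, so the null-dereference guard from the commit named in `Fixes:` is preserved, and `kfree_skb()` accepts NULL, so the shared cleanup is safe. I would add a comment above the check, for example `/* a NULL skb (no event data) is treated as a malformed reply */`, or log the two cases separately. The function body starts and ends outside the hunk.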
diff --git a/queue-5.4/series b/queue-5.4/series
index b0cbe88d89a..ec55fa9a1e8 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -208,3 +208,5 @@ virtio-reenable-config-if-freezing-device-failed.patch
 x86-mm-pat-fix-vm_pat-handling-in-cow-mappings.patch
 drm-i915-gt-reset-queue_priority_hint-on-parking.patch
 x86-alternative-don-t-call-text_poke-in-lazy-tlb-mode.patch
+bluetooth-btintel-fixe-build-regression.patch
+vmci-fix-possible-memcpy-run-time-warning-in-vmci_datagram_invoke_guest_handler.patch
diff --git a/queue-5.4/vmci-fix-possible-memcpy-run-time-warning-in-vmci_datagram_invoke_guest_handler.patch b/queue-5.4/vmci-fix-possible-memcpy-run-time-warning-in-vmci_datagram_invoke_guest_handler.patch
new file mode 100644
index 00000000000..a48f3d9e301
--- /dev/null
+++ b/queue-5.4/vmci-fix-possible-memcpy-run-time-warning-in-vmci_datagram_invoke_guest_handler.patch
@@ -0,0 +1,36 @@
+From e606e4b71798cc1df20e987dde2468e9527bd376 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kovalev
+Date: Mon, 19 Feb 2024 13:53:15 +0300
+Subject: VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()
+
+From: Vasiliy Kovalev
+
+commit e606e4b71798cc1df20e987dde2468e9527bd376 upstream.
+
+The changes are similar to those given in the commit 19b070fefd0d
+("VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()").
+
+Fix filling of the msg and msg_payload in dg_info struct, which prevents a
+possible "detected field-spanning write" of memcpy warning that is issued
+by the tracking mechanism __fortify_memcpy_chk.
+
+Signed-off-by: Vasiliy Kovalev
+Link: https://lore.kernel.org/r/20240219105315.76955-1-kovalev@altlinux.org
+Signed-off-by: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/vmw_vmci/vmci_datagram.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_datagram.c
++++ b/drivers/misc/vmw_vmci/vmci_datagram.c
+@@ -378,7 +378,8 @@ int vmci_datagram_invoke_guest_handler(s
+
+ dg_info->in_dg_host_queue = false;
+ dg_info->entry = dst_entry;
+- memcpy(&dg_info->msg, dg, VMCI_DG_SIZE(dg));
++ dg_info->msg = *dg;
++ memcpy(&dg_info->msg_payload, dg + 1, dg->payload_size);
+
+ INIT_WORK(&dg_info->work, dg_delayed_dispatch);
+ schedule_work(&dg_info->work);
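Review bot: The new `memcpy(&dg_info->msg_payload, dg + 1, dg->payload_size)` takes its length from the datagram header, and nothing inside the hunk shows `payload_size` bounded against the `dg_info` allocation or against the buffer `dg` points into. Both are set up outside the hunk, so this should be confirmed against the 5.4 tree when reviewing the backport. Splitting the copy removes the fortify field-spanning warning but does not by itself add a bound, since the destination is presumably a trailing array sized at allocation time. `dg + 1` also relies silently on the payload following the header directly; `VMCI_DG_PAYLOAD(dg)` or a comment such as `/* payload follows the fixed-size header */` would make that explicit. The function starts and ends outside the hunk.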