From: Greg Kroah-Hartman Date: Fri, 16 Oct 2020 06:13:25 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v5.9.1~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9d082b81aabc8df58a7b2001c8a7e249fd2983ae;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: bluetooth-a2mp-fix-not-initializing-all-members.patch bluetooth-fix-kernel-oops-in-store_pending_adv_report.patch bluetooth-mgmt-fix-not-checking-if-bt_hs-is-enabled.patch
---
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..f313f7b5be8
--- /dev/null
+++ b/queue-4.14/series
@@ -0,0 +1,4 @@
+bluetooth-fix-kernel-oops-in-store_pending_adv_report.patch
+bluetooth-a2mp-fix-not-initializing-all-members.patch
+bluetooth-l2cap-fix-calling-sk_filter-on-non-socket-based-channel.patch
+bluetooth-mgmt-fix-not-checking-if-bt_hs-is-enabled.patch
diff --git a/queue-4.4/bluetooth-a2mp-fix-not-initializing-all-members.patch b/queue-4.4/bluetooth-a2mp-fix-not-initializing-all-members.patch
new file mode 100644
index 00000000000..ae5eee439bd
--- /dev/null
+++ b/queue-4.4/bluetooth-a2mp-fix-not-initializing-all-members.patch
@@ -0,0 +1,120 @@ +From eddb7732119d53400f48a02536a84c509692faa8 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Thu, 6 Aug 2020 11:17:11 -0700 +Subject: Bluetooth: A2MP: Fix not initializing all members + +From: Luiz Augusto von Dentz + +commit eddb7732119d53400f48a02536a84c509692faa8 upstream. + +This fixes various places where a stack variable is used uninitialized. + +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/a2mp.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +--- a/net/bluetooth/a2mp.c ++++ b/net/bluetooth/a2mp.c +@@ -233,6 +233,9 @@ static int a2mp_discover_rsp(struct amp_ + struct a2mp_info_req req; + + found = true; ++ ++ memset(&req, 0, sizeof(req)); ++ + req.id = cl->id; + a2mp_send(mgr, A2MP_GETINFO_REQ, __next_ident(mgr), + sizeof(req), &req); +@@ -312,6 +315,8 @@ static int a2mp_getinfo_req(struct amp_m + if (!hdev || hdev->dev_type != HCI_AMP) { + struct a2mp_info_rsp rsp; + ++ memset(&rsp, 0, sizeof(rsp)); ++ + rsp.id = req->id; + rsp.status = A2MP_STATUS_INVALID_CTRL_ID; + +@@ -355,6 +360,8 @@ static int a2mp_getinfo_rsp(struct amp_m + if (!ctrl) + return -ENOMEM; + ++ memset(&req, 0, sizeof(req)); ++ + req.id = rsp->id; + a2mp_send(mgr, A2MP_GETAMPASSOC_REQ, __next_ident(mgr), sizeof(req), + &req); +@@ -383,6 +390,8 @@ static int a2mp_getampassoc_req(struct a + struct a2mp_amp_assoc_rsp rsp; + rsp.id = req->id; + ++ memset(&rsp, 0, sizeof(rsp)); ++ + if (tmp) { + rsp.status = A2MP_STATUS_COLLISION_OCCURED; + amp_mgr_put(tmp); +@@ -471,7 +480,6 @@ static int a2mp_createphyslink_req(struc + struct a2mp_cmd *hdr) + { + struct a2mp_physlink_req *req = (void *) skb->data; +- + struct a2mp_physlink_rsp rsp; + struct hci_dev *hdev; + struct hci_conn *hcon; +@@ -482,6 +490,8 @@ static int a2mp_createphyslink_req(struc + + BT_DBG("local_id %d, remote_id %d", req->local_id, req->remote_id); + ++ memset(&rsp, 0, sizeof(rsp)); 
++ + rsp.local_id = req->remote_id; + rsp.remote_id = req->local_id; + +@@ -560,6 +570,8 @@ static int a2mp_discphyslink_req(struct + + BT_DBG("local_id %d remote_id %d", req->local_id, req->remote_id); + ++ memset(&rsp, 0, sizeof(rsp)); ++ + rsp.local_id = req->remote_id; + rsp.remote_id = req->local_id; + rsp.status = A2MP_STATUS_SUCCESS; +@@ -682,6 +694,8 @@ static int a2mp_chan_recv_cb(struct l2ca + if (err) { + struct a2mp_cmd_rej rej; + ++ memset(&rej, 0, sizeof(rej)); ++ + rej.reason = cpu_to_le16(0); + hdr = (void *) skb->data; + +@@ -905,6 +919,8 @@ void a2mp_send_getinfo_rsp(struct hci_de + + BT_DBG("%s mgr %p", hdev->name, mgr); + ++ memset(&rsp, 0, sizeof(rsp)); ++ + rsp.id = hdev->id; + rsp.status = A2MP_STATUS_INVALID_CTRL_ID; + +@@ -1002,6 +1018,8 @@ void a2mp_send_create_phy_link_rsp(struc + if (!mgr) + return; + ++ memset(&rsp, 0, sizeof(rsp)); ++ + hs_hcon = hci_conn_hash_lookup_state(hdev, AMP_LINK, BT_CONNECT); + if (!hs_hcon) { + rsp.status = A2MP_STATUS_UNABLE_START_LINK_CREATION; +@@ -1034,6 +1052,8 @@ void a2mp_discover_amp(struct l2cap_chan + + mgr->bredr_chan = chan; + ++ memset(&req, 0, sizeof(req)); ++ + req.mtu = cpu_to_le16(L2CAP_A2MP_DEFAULT_MTU); + req.ext_feat = 0; + a2mp_send(mgr, A2MP_DISCOVER_REQ, 1, sizeof(req), &req); diff --git a/queue-4.4/bluetooth-fix-kernel-oops-in-store_pending_adv_report.patch b/queue-4.4/bluetooth-fix-kernel-oops-in-store_pending_adv_report.patch new file mode 100644 index 00000000000..5eb010f252a --- /dev/null +++ b/queue-4.4/bluetooth-fix-kernel-oops-in-store_pending_adv_report.patch 
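Review bot: In the a2mp_getampassoc_req hunk the new `memset(&rsp, 0, sizeof(rsp));` lands after the pre-existing `rsp.id = req->id;`, so it wipes the controller id that was just copied and, unless rsp.id is reassigned further down in lines the hunk does not show, the response goes out with id 0. Every other hunk in this patch places the memset before the first field assignment; this one should too: move `memset(&rsp, 0, sizeof(rsp));` above `rsp.id = req->id;` (or use `struct a2mp_amp_assoc_rsp rsp = { .id = req->id };`, which zeroes the rest without a memset). For the backport justification it is worth stating that these request/response structs are handed straight to `a2mp_send(..., sizeof(req), &req)` (visible in the discover_rsp and getinfo_rsp hunks), so any field left uninitialized is kernel stack memory transmitted to the remote peer, which is a stronger reason to queue this than the description's "used uninitialized" wording. a2mp_getampassoc_req's body continues outside the hunk.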
@@ -0,0 +1,112 @@ +From a2ec905d1e160a33b2e210e45ad30445ef26ce0e Mon Sep 17 00:00:00 2001 +From: Alain Michaud +Date: Mon, 27 Jul 2020 20:48:55 +0000 +Subject: Bluetooth: fix kernel oops in store_pending_adv_report + +From: Alain Michaud + +commit a2ec905d1e160a33b2e210e45ad30445ef26ce0e upstream. + +Fix kernel oops observed when an ext adv data is larger than 31 bytes. + +This can be reproduced by setting up an advertiser with advertisement +larger than 31 bytes. The issue is not sensitive to the advertisement +content. In particular, this was reproduced with an advertisement of +229 bytes filled with 'A'. See stack trace below. + +This is fixed by not catching ext_adv as legacy adv are only cached to +be able to concatenate a scanable adv with its scan response before +sending it up through mgmt. + +With ext_adv, this is no longer necessary. + + general protection fault: 0000 [#1] SMP PTI + CPU: 6 PID: 205 Comm: kworker/u17:0 Not tainted 5.4.0-37-generic #41-Ubuntu + Hardware name: Dell Inc. 
XPS 15 7590/0CF6RR, BIOS 1.7.0 05/11/2020 + Workqueue: hci0 hci_rx_work [bluetooth] + RIP: 0010:hci_bdaddr_list_lookup+0x1e/0x40 [bluetooth] + Code: ff ff e9 26 ff ff ff 0f 1f 44 00 00 0f 1f 44 00 00 55 48 8b 07 48 89 e5 48 39 c7 75 0a eb 24 48 8b 00 48 39 f8 74 1c 44 8b 06 <44> 39 40 10 75 ef 44 0f b7 4e 04 66 44 39 48 14 75 e3 38 50 16 75 + RSP: 0018:ffffbc6a40493c70 EFLAGS: 00010286 + RAX: 4141414141414141 RBX: 000000000000001b RCX: 0000000000000000 + RDX: 0000000000000000 RSI: ffff9903e76c100f RDI: ffff9904289d4b28 + RBP: ffffbc6a40493c70 R08: 0000000093570362 R09: 0000000000000000 + R10: 0000000000000000 R11: ffff9904344eae38 R12: ffff9904289d4000 + R13: 0000000000000000 R14: 00000000ffffffa3 R15: ffff9903e76c100f + FS: 0000000000000000(0000) GS:ffff990434580000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007feed125a000 CR3: 00000001b860a003 CR4: 00000000003606e0 + Call Trace: + process_adv_report+0x12e/0x560 [bluetooth] + hci_le_meta_evt+0x7b2/0xba0 [bluetooth] + hci_event_packet+0x1c29/0x2a90 [bluetooth] + hci_rx_work+0x19b/0x360 [bluetooth] + process_one_work+0x1eb/0x3b0 + worker_thread+0x4d/0x400 + kthread+0x104/0x140 + +Fixes: c215e9397b00 ("Bluetooth: Process extended ADV report event") +Reported-by: Andy Nguyen +Reported-by: Linus Torvalds +Reported-by: Balakrishna Godavarthi +Signed-off-by: Alain Michaud +Tested-by: Sonny Sasaka +Acked-by: Marcel Holtmann +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1133,6 +1133,9 @@ static void store_pending_adv_report(str + { + struct discovery_state *d = &hdev->discovery; + ++ if (len > HCI_MAX_AD_LENGTH) ++ return; ++ + bacpy(&d->last_adv_addr, bdaddr); + d->last_adv_addr_type = bdaddr_type; + d->last_adv_rssi = rssi; +@@ -4752,6 +4755,11 @@ static void 
process_adv_report(struct hc + u32 flags; + u8 *ptr, real_len; + ++ if (len > HCI_MAX_AD_LENGTH) { ++ pr_err_ratelimited("legacy adv larger than 31 bytes"); ++ return; ++ } ++ + /* Find the end of the data in case the report contains padded zero + * bytes at the end causing an invalid length value. + * +@@ -4812,7 +4820,7 @@ static void process_adv_report(struct hc + */ + conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type, + direct_addr); +- if (conn && type == LE_ADV_IND) { ++ if (conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) { + /* Store report for later inclusion by + * mgmt_device_connected + */ +@@ -4937,10 +4945,14 @@ static void hci_le_adv_report_evt(struct + struct hci_ev_le_advertising_info *ev = ptr; + s8 rssi; + +- rssi = ev->data[ev->length]; +- process_adv_report(hdev, ev->evt_type, &ev->bdaddr, +- ev->bdaddr_type, NULL, 0, rssi, +- ev->data, ev->length); ++ if (ev->length <= HCI_MAX_AD_LENGTH) { ++ rssi = ev->data[ev->length]; ++ process_adv_report(hdev, ev->evt_type, &ev->bdaddr, ++ ev->bdaddr_type, NULL, 0, rssi, ++ ev->data, ev->length); ++ } else { ++ bt_dev_err(hdev, "Dropping invalid advertising data"); ++ } + + ptr += sizeof(*ev) + ev->length + 1; + } diff --git a/queue-4.4/bluetooth-mgmt-fix-not-checking-if-bt_hs-is-enabled.patch b/queue-4.4/bluetooth-mgmt-fix-not-checking-if-bt_hs-is-enabled.patch new file mode 100644 index 00000000000..b433763abd7 --- /dev/null +++ b/queue-4.4/bluetooth-mgmt-fix-not-checking-if-bt_hs-is-enabled.patch 
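Review bot: The new `ev->length <= HCI_MAX_AD_LENGTH` test in hci_le_adv_report_evt bounds the value but not the buffer: `rssi = ev->data[ev->length]` and the `ptr += sizeof(*ev) + ev->length + 1` advance still trust a controller-supplied length against the skb, and nothing in the hunk checks that the report actually fits in the remaining `skb->len`. The loop header and any earlier validation are outside the hunk, so this may already be handled on 4.4 and should be confirmed there; if it is not, a truncated event carrying a plausible length still reads past the end of the skb, and a guard such as `if (ptr + sizeof(*ev) + ev->length + 1 > (void *)skb->data + skb->len) { bt_dev_err(hdev, "Truncated LE advertising report"); break; }` placed before the rssi read would close it. Minor: the new early return in process_adv_report logs via `pr_err_ratelimited` with no device name while the sibling path uses `bt_dev_err(hdev, ...)`; using the hdev-aware helper in both keeps the messages attributable. hci_le_adv_report_evt and process_adv_report both start outside the hunk.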
@@ -0,0 +1,43 @@ +From b560a208cda0297fef6ff85bbfd58a8f0a52a543 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Thu, 6 Aug 2020 11:17:14 -0700 +Subject: Bluetooth: MGMT: Fix not checking if BT_HS is enabled + +From: Luiz Augusto von Dentz + +commit b560a208cda0297fef6ff85bbfd58a8f0a52a543 upstream. + +This checks if BT_HS is enabled relecting it on MGMT_SETTING_HS instead +of always reporting it as supported. + +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/mgmt.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -628,7 +628,8 @@ static u32 get_supported_settings(struct + + if (lmp_ssp_capable(hdev)) { + settings |= MGMT_SETTING_SSP; +- settings |= MGMT_SETTING_HS; ++ if (IS_ENABLED(CONFIG_BT_HS)) ++ settings |= MGMT_SETTING_HS; + } + + if (lmp_sc_capable(hdev)) +@@ -2281,6 +2282,10 @@ static int set_link_security(struct sock + + BT_DBG("request for %s", hdev->name); + ++ if (!IS_ENABLED(CONFIG_BT_HS)) ++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, ++ MGMT_STATUS_NOT_SUPPORTED); ++ + status = mgmt_bredr_support(hdev); + if (status) + return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY, diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..213ac772a25 --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,3 @@ +bluetooth-a2mp-fix-not-initializing-all-members.patch +bluetooth-mgmt-fix-not-checking-if-bt_hs-is-enabled.patch +bluetooth-fix-kernel-oops-in-store_pending_adv_report.patch diff --git a/queue-4.9/series b/queue-4.9/series new file mode 100644 index 00000000000..d3e93188fec --- /dev/null +++ b/queue-4.9/series 
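Review bot: The new `IS_ENABLED(CONFIG_BT_HS)` guard in the second hunk is inserted into set_link_security (per the hunk's function context and the `MGMT_OP_SET_LINK_SECURITY` status return just below it) but reports its failure under `MGMT_OP_SET_HS`, so on any kernel built without CONFIG_BT_HS every Set Link Security command is refused with NOT_SUPPORTED and the reply carries an opcode that does not match the command being answered. The check belongs at the top of set_hs(), which this hunk does not touch; the three lines `if (!IS_ENABLED(CONFIG_BT_HS)) return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, MGMT_STATUS_NOT_SUPPORTED);` should move there unchanged and be removed from set_link_security. Since a 4.4 config with BT_HS off is exactly the hardened configuration these patches are meant for, this is worth verifying against 4.4's mgmt.c before the patch is released. set_link_security's body starts and ends outside the hunk.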
@@ -0,0 +1,4 @@
+bluetooth-a2mp-fix-not-initializing-all-members.patch
+bluetooth-l2cap-fix-calling-sk_filter-on-non-socket-based-channel.patch
+bluetooth-mgmt-fix-not-checking-if-bt_hs-is-enabled.patch
+bluetooth-fix-kernel-oops-in-store_pending_adv_report.patch