From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 20 Jan 2025 15:41:58 +0000 (+0100)
Subject: drop broken bluetooth patch
X-Git-Tag: v6.6.73~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d5197ef528b5deb3b9addea91ba4eb569383a5d7;p=thirdparty%2Fkernel%2Fstable-queue.git

drop broken bluetooth patch
---

diff --git a/queue-5.10/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch b/queue-5.10/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch
deleted file mode 100644
index 7348381d1f..0000000000
--- a/queue-5.10/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 Mon Sep 17 00:00:00 2001
-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Date: Fri, 5 Apr 2024 15:43:45 -0400
-Subject: Bluetooth: RFCOMM: Fix not validating setsockopt user input
-
-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-
-commit a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 upstream.
-
-syzbot reported rfcomm_sock_setsockopt_old() is copying data without
-checking user input length.
-
-BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset
-include/linux/sockptr.h:49 [inline]
-BUG: KASAN: slab-out-of-bounds in copy_from_sockptr
-include/linux/sockptr.h:55 [inline]
-BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old
-net/bluetooth/rfcomm/sock.c:632 [inline]
-BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70
-net/bluetooth/rfcomm/sock.c:673
-Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064
-
-Fixes: 9f2c8a03fbb3 ("Bluetooth: Replace RFCOMM link mode with security level")
-Fixes: bb23c0ab8246 ("Bluetooth: Add support for deferring RFCOMM connection setup")
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/bluetooth/rfcomm/sock.c |   14 +++++---------
- 1 file changed, 5 insertions(+), 9 deletions(-)
-
---- a/net/bluetooth/rfcomm/sock.c
-+++ b/net/bluetooth/rfcomm/sock.c
-@@ -631,7 +631,7 @@ static int rfcomm_sock_setsockopt_old(st
- 
- 	switch (optname) {
- 	case RFCOMM_LM:
--		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
-+		if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) {
- 			err = -EFAULT;
- 			break;
- 		}
-@@ -666,7 +666,6 @@ static int rfcomm_sock_setsockopt(struct
- 	struct sock *sk = sock->sk;
- 	struct bt_security sec;
- 	int err = 0;
--	size_t len;
- 	u32 opt;
- 
- 	BT_DBG("sk %p", sk);
-@@ -688,11 +687,9 @@ static int rfcomm_sock_setsockopt(struct
- 
- 		sec.level = BT_SECURITY_LOW;
- 
--		len = min_t(unsigned int, sizeof(sec), optlen);
--		if (copy_from_sockptr(&sec, optval, len)) {
--			err = -EFAULT;
-+		err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen);
-+		if (err)
- 			break;
--		}
- 
- 		if (sec.level > BT_SECURITY_HIGH) {
- 			err = -EINVAL;
-@@ -708,10 +705,9 @@ static int rfcomm_sock_setsockopt(struct
- 			break;
- 		}
- 
--		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
--			err = -EFAULT;
-+		err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
-+		if (err)
- 			break;
--		}
- 
- 		if (opt)
- 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
diff --git a/queue-5.10/series b/queue-5.10/series
index 220deadfb0..7472eda818 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -106,7 +106,6 @@ vsock-virtio-cancel-close-work-in-the-destructor.patch
 vsock-reset-socket-state-when-de-assigning-the-transport.patch
 fs-proc-fix-softlockup-in-__read_vmcore-part-2.patch
 gpiolib-cdev-fix-use-after-free-in-lineinfo_changed_notify.patch
-bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch
 irqchip-gic-v3-handle-cpu_pm_enter_failed-correctly.patch
 hrtimers-handle-cpu-state-correctly-on-hotplug.patch
 revert-pci-use-preserve_config-in-place-of-pci_flags.patch
diff --git a/queue-5.15/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch b/queue-5.15/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch
deleted file mode 100644
index f2159e15fc..0000000000
--- a/queue-5.15/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 Mon Sep 17 00:00:00 2001
-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Date: Fri, 5 Apr 2024 15:43:45 -0400
-Subject: Bluetooth: RFCOMM: Fix not validating setsockopt user input
-
-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-
-commit a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 upstream.
-
-syzbot reported rfcomm_sock_setsockopt_old() is copying data without
-checking user input length.
-
-BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset
-include/linux/sockptr.h:49 [inline]
-BUG: KASAN: slab-out-of-bounds in copy_from_sockptr
-include/linux/sockptr.h:55 [inline]
-BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old
-net/bluetooth/rfcomm/sock.c:632 [inline]
-BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70
-net/bluetooth/rfcomm/sock.c:673
-Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064
-
-Fixes: 9f2c8a03fbb3 ("Bluetooth: Replace RFCOMM link mode with security level")
-Fixes: bb23c0ab8246 ("Bluetooth: Add support for deferring RFCOMM connection setup")
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/bluetooth/rfcomm/sock.c |   14 +++++---------
- 1 file changed, 5 insertions(+), 9 deletions(-)
-
---- a/net/bluetooth/rfcomm/sock.c
-+++ b/net/bluetooth/rfcomm/sock.c
-@@ -636,7 +636,7 @@ static int rfcomm_sock_setsockopt_old(st
- 
- 	switch (optname) {
- 	case RFCOMM_LM:
--		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
-+		if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) {
- 			err = -EFAULT;
- 			break;
- 		}
-@@ -671,7 +671,6 @@ static int rfcomm_sock_setsockopt(struct
- 	struct sock *sk = sock->sk;
- 	struct bt_security sec;
- 	int err = 0;
--	size_t len;
- 	u32 opt;
- 
- 	BT_DBG("sk %p", sk);
-@@ -693,11 +692,9 @@ static int rfcomm_sock_setsockopt(struct
- 
- 		sec.level = BT_SECURITY_LOW;
- 
--		len = min_t(unsigned int, sizeof(sec), optlen);
--		if (copy_from_sockptr(&sec, optval, len)) {
--			err = -EFAULT;
-+		err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen);
-+		if (err)
- 			break;
--		}
- 
- 		if (sec.level > BT_SECURITY_HIGH) {
- 			err = -EINVAL;
-@@ -713,10 +710,9 @@ static int rfcomm_sock_setsockopt(struct
- 			break;
- 		}
- 
--		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
--			err = -EFAULT;
-+		err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
-+		if (err)
- 			break;
--		}
- 
- 		if (opt)
- 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
diff --git a/queue-5.15/series b/queue-5.15/series
index 033997a485..355f35f8c7 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -109,7 +109,6 @@ vsock-prevent-null-ptr-deref-in-vsock_.patch
 filemap-avoid-truncating-64-bit-offset-to-32-bits.patch
 fs-proc-fix-softlockup-in-__read_vmcore-part-2.patch
 gpiolib-cdev-fix-use-after-free-in-lineinfo_changed_notify.patch
-bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch
 irqchip-gic-v3-handle-cpu_pm_enter_failed-correctly.patch
 hrtimers-handle-cpu-state-correctly-on-hotplug.patch
 drm-i915-fb-relax-clear-color-alignment-to-64-bytes.patch