From: Greg Kroah-Hartman Date: Thu, 11 Apr 2024 09:21:43 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.19.312~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d5514785b20eb99ceec73fa98a2ee054231de524;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: bluetooth-btintel-fixe-build-regression.patch vmci-fix-possible-memcpy-run-time-warning-in-vmci_datagram_invoke_guest_handler.patch --- diff --git a/queue-4.19/bluetooth-btintel-fixe-build-regression.patch b/queue-4.19/bluetooth-btintel-fixe-build-regression.patch new file mode 100644 index 00000000000..feb218a9492 --- /dev/null +++ b/queue-4.19/bluetooth-btintel-fixe-build-regression.patch @@ -0,0 +1,39 @@ +From 6e62ebfb49eb65bdcbfc5797db55e0ce7f79c3dd Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Fri, 23 Feb 2024 12:36:23 -0500 +Subject: Bluetooth: btintel: Fixe build regression + +From: Luiz Augusto von Dentz + +commit 6e62ebfb49eb65bdcbfc5797db55e0ce7f79c3dd upstream. + +This fixes the following build regression: + +drivers-bluetooth-btintel.c-btintel_read_version()-warn: +passing-zero-to-PTR_ERR + +Fixes: b79e04091010 ("Bluetooth: btintel: Fix null ptr deref in btintel_read_version") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btintel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/bluetooth/btintel.c ++++ b/drivers/bluetooth/btintel.c +@@ -355,13 +355,13 @@ int btintel_read_version(struct hci_dev + struct sk_buff *skb; + + skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT); +- if (IS_ERR_OR_NULL(skb)) { ++ if (IS_ERR(skb)) { + bt_dev_err(hdev, "Reading Intel version information failed (%ld)", + PTR_ERR(skb)); + return PTR_ERR(skb); + } + +- if (skb->len != sizeof(*ver)) { ++ if (!skb || skb->len != sizeof(*ver)) { + bt_dev_err(hdev, "Intel version event size mismatch"); + kfree_skb(skb); + return -EILSEQ; diff --git a/queue-4.19/series b/queue-4.19/series index 3a5031cda58..16a3397eeca 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -168,3 +168,5 @@ tty-n_gsm-require-cap_net_admin-to-attach-n_gsm0710-ldisc.patch drm-vkms-call-drm_atomic_helper_shutdown-before-drm_dev_put.patch virtio-reenable-config-if-freezing-device-failed.patch x86-mm-pat-fix-vm_pat-handling-in-cow-mappings.patch +bluetooth-btintel-fixe-build-regression.patch +vmci-fix-possible-memcpy-run-time-warning-in-vmci_datagram_invoke_guest_handler.patch diff --git a/queue-4.19/vmci-fix-possible-memcpy-run-time-warning-in-vmci_datagram_invoke_guest_handler.patch b/queue-4.19/vmci-fix-possible-memcpy-run-time-warning-in-vmci_datagram_invoke_guest_handler.patch new file mode 100644 index 00000000000..dd077370de8 --- /dev/null +++ b/queue-4.19/vmci-fix-possible-memcpy-run-time-warning-in-vmci_datagram_invoke_guest_handler.patch @@ -0,0 +1,36 @@ +From e606e4b71798cc1df20e987dde2468e9527bd376 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kovalev +Date: Mon, 19 Feb 2024 13:53:15 +0300 +Subject: VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler() + +From: Vasiliy Kovalev + +commit e606e4b71798cc1df20e987dde2468e9527bd376 upstream. + +The changes are similar to those given in the commit 19b070fefd0d +("VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()"). + +Fix filling of the msg and msg_payload in dg_info struct, which prevents a +possible "detected field-spanning write" of memcpy warning that is issued +by the tracking mechanism __fortify_memcpy_chk. + +Signed-off-by: Vasiliy Kovalev +Link: https://lore.kernel.org/r/20240219105315.76955-1-kovalev@altlinux.org +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/vmw_vmci/vmci_datagram.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/misc/vmw_vmci/vmci_datagram.c ++++ b/drivers/misc/vmw_vmci/vmci_datagram.c +@@ -386,7 +386,8 @@ int vmci_datagram_invoke_guest_handler(s + + dg_info->in_dg_host_queue = false; + dg_info->entry = dst_entry; +- memcpy(&dg_info->msg, dg, VMCI_DG_SIZE(dg)); ++ dg_info->msg = *dg; ++ memcpy(&dg_info->msg_payload, dg + 1, dg->payload_size); + + INIT_WORK(&dg_info->work, dg_delayed_dispatch); + schedule_work(&dg_info->work);