From: Greg Kroah-Hartman Date: Fri, 13 May 2022 08:28:39 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.9.314~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d96b4311593ddaf325f774836c1f7acf47982be3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: bluetooth-fix-the-creation-of-hdev-name.patch
---
diff --git a/queue-5.4/bluetooth-fix-the-creation-of-hdev-name.patch b/queue-5.4/bluetooth-fix-the-creation-of-hdev-name.patch
new file mode 100644
index 00000000000..69563b69642
--- /dev/null
+++ b/queue-5.4/bluetooth-fix-the-creation-of-hdev-name.patch
@@ -0,0 +1,65 @@
+From 103a2f3255a95991252f8f13375c3a96a75011cd Mon Sep 17 00:00:00 2001
+From: Itay Iellin
+Date: Sat, 7 May 2022 08:32:48 -0400
+Subject: Bluetooth: Fix the creation of hdev->name
+
+From: Itay Iellin
+
+commit 103a2f3255a95991252f8f13375c3a96a75011cd upstream.
+
+Set a size limit of 8 bytes of the written buffer to "hdev->name"
+including the terminating null byte, as the size of "hdev->name" is 8
+bytes. If an id value which is greater than 9999 is allocated,
+then the "snprintf(hdev->name, sizeof(hdev->name), "hci%d", id)"
+function call would lead to a truncation of the id value in decimal
+notation.
+
+Set an explicit maximum id parameter in the id allocation function call.
+The id allocation function defines the maximum allocated id value as the
+maximum id parameter value minus one. Therefore, HCI_MAX_ID is defined
+as 10000.
+
+Signed-off-by: Itay Iellin
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/bluetooth/hci_core.h | 3 +++
+ net/bluetooth/hci_core.c | 6 +++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -34,6 +34,9 @@
+ /* HCI priority */
+ #define HCI_PRIO_MAX 7
+
++/* HCI maximum id value */
++#define HCI_MAX_ID 10000
++
+ /* HCI Core structures */
+ struct inquiry_data {
+ bdaddr_t bdaddr;
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3304,10 +3304,10 @@ int hci_register_dev(struct hci_dev *hde
+ */
+ switch (hdev->dev_type) {
+ case HCI_PRIMARY:
+- id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
++ id = ida_simple_get(&hci_index_ida, 0, HCI_MAX_ID, GFP_KERNEL);
+ break;
+ case HCI_AMP:
+- id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
++ id = ida_simple_get(&hci_index_ida, 1, HCI_MAX_ID, GFP_KERNEL);
+ break;
+ default:
+ return -EINVAL;
+@@ -3316,7 +3316,7 @@ int hci_register_dev(struct hci_dev *hde
+ if (id < 0)
+ return id;
+
+- sprintf(hdev->name, "hci%d", id);
++ snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
+ hdev->id = id;
+
+ BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
diff --git a/queue-5.4/series b/queue-5.4/series
index 762eebd40ef..5fb624d799f 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -12,3 +12,4 @@ x86-xen-kvm-gather-the-definition-of-emulate-prefixes.patch
 x86-xen-insn-decode-xen-and-kvm-emulate-prefix-signature.patch
 x86-kprobes-prohibit-probing-on-instruction-which-has-emulate-prefix.patch
 kvm-x86-svm-account-for-family-17h-event-renumberings-in-amd_pmc_perf_hw_id.patch
+bluetooth-fix-the-creation-of-hdev-name.patch
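Review bot: The comment on `HCI_MAX_ID` in the hci_core.h hunk calls it the maximum id value, but both `ida_simple_get(&hci_index_ida, ..., HCI_MAX_ID, GFP_KERNEL)` calls use it as an exclusive bound, so the largest id handed out is 9999, as the commit message itself explains. The constant is also tied to the 8-byte `hdev->name` only through that message, so a later change to either one would bring back silent truncation at the `snprintf()` in `hci_register_dev()` without any build failure. I would reword the comment to `/* Exclusive upper bound for hci ids: "hci" + 4 digits + NUL must fit hdev->name */` and put `BUILD_BUG_ON(sizeof(hdev->name) < sizeof("hci9999"));` next to the `snprintf()` call. `hci_register_dev()` starts and ends outside the hunks shown.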