From: Greg Kroah-Hartman
Date: Fri, 13 May 2022 08:29:02 +0000 (+0200)
Subject: 5.17-stable patches
X-Git-Tag: v4.9.314~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e5709346dce142a0e0adeb55c277d6161c27f6f8;p=thirdparty%2Fkernel%2Fstable-queue.git

5.17-stable patches

added patches:
bluetooth-fix-the-creation-of-hdev-name.patch
rfkill-uapi-fix-rfkill_ioctl_max_size-ioctl-request-definition.patch
udf-avoid-using-stale-lengthofimpuse.patch
---
diff --git a/queue-5.17/bluetooth-fix-the-creation-of-hdev-name.patch b/queue-5.17/bluetooth-fix-the-creation-of-hdev-name.patch
new file mode 100644
index 00000000000..4bfd9eb3377
--- /dev/null
+++ b/queue-5.17/bluetooth-fix-the-creation-of-hdev-name.patch
@@ -0,0 +1,65 @@
+From 103a2f3255a95991252f8f13375c3a96a75011cd Mon Sep 17 00:00:00 2001
+From: Itay Iellin
+Date: Sat, 7 May 2022 08:32:48 -0400
+Subject: Bluetooth: Fix the creation of hdev->name
+
+From: Itay Iellin
+
+commit 103a2f3255a95991252f8f13375c3a96a75011cd upstream.
+
+Set a size limit of 8 bytes of the written buffer to "hdev->name"
+including the terminating null byte, as the size of "hdev->name" is 8
+bytes. If an id value which is greater than 9999 is allocated,
+then the "snprintf(hdev->name, sizeof(hdev->name), "hci%d", id)"
+function call would lead to a truncation of the id value in decimal
+notation.
+
+Set an explicit maximum id parameter in the id allocation function call.
+The id allocation function defines the maximum allocated id value as the
+maximum id parameter value minus one. Therefore, HCI_MAX_ID is defined
+as 10000.
+
+Signed-off-by: Itay Iellin
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/bluetooth/hci_core.h | 3 +++
+ net/bluetooth/hci_core.c | 6 +++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -36,6 +36,9 @@
+ /* HCI priority */
+ #define HCI_PRIO_MAX 7
+
++/* HCI maximum id value */
++#define HCI_MAX_ID 10000
++
+ /* HCI Core structures */
+ struct inquiry_data {
+ bdaddr_t bdaddr;
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -2554,10 +2554,10 @@ int hci_register_dev(struct hci_dev *hde
+ */
+ switch (hdev->dev_type) {
+ case HCI_PRIMARY:
+- id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
++ id = ida_simple_get(&hci_index_ida, 0, HCI_MAX_ID, GFP_KERNEL);
+ break;
+ case HCI_AMP:
+- id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
++ id = ida_simple_get(&hci_index_ida, 1, HCI_MAX_ID, GFP_KERNEL);
+ break;
+ default:
+ return -EINVAL;
+@@ -2566,7 +2566,7 @@ int hci_register_dev(struct hci_dev *hde
+ if (id < 0)
+ return id;
+
+- sprintf(hdev->name, "hci%d", id);
++ snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
+ hdev->id = id;
+
+ BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
diff --git a/queue-5.17/rfkill-uapi-fix-rfkill_ioctl_max_size-ioctl-request-definition.patch b/queue-5.17/rfkill-uapi-fix-rfkill_ioctl_max_size-ioctl-request-definition.patch
new file mode 100644
index 00000000000..6197e447b6a
--- /dev/null
+++ b/queue-5.17/rfkill-uapi-fix-rfkill_ioctl_max_size-ioctl-request-definition.patch
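Review bot: In the bluetooth patch's hci_core.h hunk, the comment on `HCI_MAX_ID` does not say that the value is an exclusive bound, nor that it is derived from the 8-byte `hdev->name` buffer, so a later change to either one can silently bring back truncated, colliding device names. I would word it as `/* HCI maximum id value (exclusive): "hci%d" must fit the 8-byte hdev->name */`. In the hci_core.c hunk the `snprintf()` return value is still ignored; with the bound in place truncation should not be reachable, but a check of the return against `sizeof(hdev->name)` (or a build-time assertion tying the two constants together) would make the dependency explicit instead of implied. `hci_register_dev()` starts and ends outside the hunk.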
@@ -0,0 +1,38 @@
+From a36e07dfe6ee71e209383ea9288cd8d1617e14f9 Mon Sep 17 00:00:00 2001
+From: Gleb Fotengauer-Malinovskiy
+Date: Fri, 6 May 2022 17:24:54 +0000
+Subject: rfkill: uapi: fix RFKILL_IOCTL_MAX_SIZE ioctl request definition
+
+From: Gleb Fotengauer-Malinovskiy
+
+commit a36e07dfe6ee71e209383ea9288cd8d1617e14f9 upstream.
+
+The definition of RFKILL_IOCTL_MAX_SIZE introduced by commit
+54f586a91532 ("rfkill: make new event layout opt-in") is unusable
+since it is based on RFKILL_IOC_EXT_SIZE which has not been defined.
+Fix that by replacing the undefined constant with the constant which
+is intended to be used in this definition.
+
+Fixes: 54f586a91532 ("rfkill: make new event layout opt-in")
+Cc: stable@vger.kernel.org # 5.11+
+Signed-off-by: Gleb Fotengauer-Malinovskiy
+Signed-off-by: Dmitry V. Levin
+Link: https://lore.kernel.org/r/20220506172454.120319-1-glebfm@altlinux.org
+[add commit message provided later by Dmitry]
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/uapi/linux/rfkill.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/uapi/linux/rfkill.h
++++ b/include/uapi/linux/rfkill.h
+@@ -184,7 +184,7 @@ struct rfkill_event_ext {
+ #define RFKILL_IOC_NOINPUT 1
+ #define RFKILL_IOCTL_NOINPUT _IO(RFKILL_IOC_MAGIC, RFKILL_IOC_NOINPUT)
+ #define RFKILL_IOC_MAX_SIZE 2
+-#define RFKILL_IOCTL_MAX_SIZE _IOW(RFKILL_IOC_MAGIC, RFKILL_IOC_EXT_SIZE, __u32)
++#define RFKILL_IOCTL_MAX_SIZE _IOW(RFKILL_IOC_MAGIC, RFKILL_IOC_MAX_SIZE, __u32)
+
+ /* and that's all userspace gets */
+
diff --git a/queue-5.17/series b/queue-5.17/series
index e69de29bb2d..d59a7a093e6 100644
--- a/queue-5.17/series
+++ b/queue-5.17/series
@@ -0,0 +1,3 @@
+bluetooth-fix-the-creation-of-hdev-name.patch
+rfkill-uapi-fix-rfkill_ioctl_max_size-ioctl-request-definition.patch
+udf-avoid-using-stale-lengthofimpuse.patch
diff --git a/queue-5.17/udf-avoid-using-stale-lengthofimpuse.patch b/queue-5.17/udf-avoid-using-stale-lengthofimpuse.patch
new file mode 100644
index 00000000000..e82fec47c12
--- /dev/null
+++ b/queue-5.17/udf-avoid-using-stale-lengthofimpuse.patch
@@ -0,0 +1,54 @@
+From c1ad35dd0548ce947d97aaf92f7f2f9a202951cf Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Tue, 10 May 2022 12:36:04 +0200
+Subject: udf: Avoid using stale lengthOfImpUse
+
+From: Jan Kara
+
+commit c1ad35dd0548ce947d97aaf92f7f2f9a202951cf upstream.
+
+udf_write_fi() uses lengthOfImpUse of the entry it is writing to.
+However this field has not yet been initialized so it either contains
+completely bogus value or value from last directory entry at that place.
+In either case this is wrong and can lead to filesystem corruption or
+kernel crashes.
+
+Reported-by: butt3rflyh4ck
+CC: stable@vger.kernel.org
+Fixes: 979a6e28dd96 ("udf: Get rid of 0-length arrays in struct fileIdentDesc")
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/udf/namei.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -75,11 +75,11 @@ int udf_write_fi(struct inode *inode, st
+
+ if (fileident) {
+ if (adinicb || (offset + lfi < 0)) {
+- memcpy(udf_get_fi_ident(sfi), fileident, lfi);
++ memcpy(sfi->impUse + liu, fileident, lfi);
+ } else if (offset >= 0) {
+ memcpy(fibh->ebh->b_data + offset, fileident, lfi);
+ } else {
+- memcpy(udf_get_fi_ident(sfi), fileident, -offset);
++ memcpy(sfi->impUse + liu, fileident, -offset);
+ memcpy(fibh->ebh->b_data, fileident - offset,
+ lfi + offset);
+ }
+@@ -88,11 +88,11 @@ int udf_write_fi(struct inode *inode, st
+ offset += lfi;
+
+ if (adinicb || (offset + padlen < 0)) {
+- memset(udf_get_fi_ident(sfi) + lfi, 0x00, padlen);
++ memset(sfi->impUse + liu + lfi, 0x00, padlen);
+ } else if (offset >= 0) {
+ memset(fibh->ebh->b_data + offset, 0x00, padlen);
+ } else {
+- memset(udf_get_fi_ident(sfi) + lfi, 0x00, -offset);
++ memset(sfi->impUse + liu + lfi, 0x00, -offset);
+ memset(fibh->ebh->b_data, 0x00, padlen + offset);
+ }
+
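Review bot: The four open-coded `sfi->impUse + liu` expressions in the udf patch's fs/udf/namei.c hunks carry no comment saying why `udf_get_fi_ident(sfi)` must not be used in udf_write_fi(), so a later cleanup could reintroduce the helper and with it the read of the not-yet-initialized `sfi->lengthOfImpUse`. A one-line comment above the first `memcpy`, e.g. `/* sfi->lengthOfImpUse is not written yet; locate the identifier with liu, not udf_get_fi_ident(sfi) */`, would pin that down, and computing the pointer once into a local would keep the four sites from drifting apart. `liu` is defined outside the hunks (presumably taken from the descriptor being copied in), and neither hunk shows a check that `liu + lfi` stays within the space reserved for the entry, which is worth confirming in the callers. The function body starts and ends outside both hunks.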