From 11d9af4adb9926630654f275b16c5d2ae1586b75 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 19 Jun 2024 14:51:54 +0200
Subject: [PATCH] 5.15-stable patches

added patches:
	bluetooth-qca-fix-info-leak-when-fetching-board-id.patch
---
 ...fix-info-leak-when-fetching-board-id.patch | 36 +++++++++++++++++++
 queue-5.15/series                             |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 queue-5.15/bluetooth-qca-fix-info-leak-when-fetching-board-id.patch

diff --git a/queue-5.15/bluetooth-qca-fix-info-leak-when-fetching-board-id.patch b/queue-5.15/bluetooth-qca-fix-info-leak-when-fetching-board-id.patch
new file mode 100644
index 00000000000..eeb629ee23b
--- /dev/null
+++ b/queue-5.15/bluetooth-qca-fix-info-leak-when-fetching-board-id.patch
@@ -0,0 +1,36 @@
+From 0adcf6be1445ed50bfd4a451a7a782568f270197 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Wed, 1 May 2024 14:34:53 +0200
+Subject: Bluetooth: qca: fix info leak when fetching board id
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 0adcf6be1445ed50bfd4a451a7a782568f270197 upstream.
+
+Add the missing sanity check when fetching the board id to avoid leaking
+slab data when later requesting the firmware.
+
+Fixes: a7f8dedb4be2 ("Bluetooth: qca: add support for QCA2066")
+Cc: stable@vger.kernel.org	# 6.7
+Cc: Tim Jiang <quic_tjiang@quicinc.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btqca.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -209,6 +209,11 @@ static int qca_read_fw_board_id(struct h
+ 		goto out;
+ 	}
+ 
++	if (skb->len < 3) {
++		err = -EILSEQ;
++		goto out;
++	}
++
+ 	*bid = (edl->data[1] << 8) + edl->data[2];
+ 	bt_dev_dbg(hdev, "%s: bid = %x", __func__, *bid);
+ 
diff --git a/queue-5.15/series b/queue-5.15/series
index d67f2599a0d..d10f6367a51 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -173,3 +173,4 @@ i2c-at91-fix-the-functionality-flags-of-the-slave-on.patch
 i2c-designware-fix-the-functionality-flags-of-the-sl.patch
 zap_pid_ns_processes-clear-tif_notify_signal-along-w.patch
 bluetooth-qca-fix-error-code-in-qca_read_fw_build_info.patch
+bluetooth-qca-fix-info-leak-when-fetching-board-id.patch
-- 
2.47.3