From d00e6480bc3d714047668f89dbe83808846c7229 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Mon, 19 Dec 2022 11:35:37 -0500
Subject: [PATCH] Fixes for 4.9

Signed-off-by: Sasha Levin
---
 .../bluetooth-l2cap-fix-u8-overflow.patch | 65 +++++++++++++++++++
 ...-net_name_predictable-for-name_assig.patch | 50 ++++++++++++++
 queue-4.9/series | 2 +
 3 files changed, 117 insertions(+)
 create mode 100644 queue-4.9/bluetooth-l2cap-fix-u8-overflow.patch
 create mode 100644 queue-4.9/net-loopback-use-net_name_predictable-for-name_assig.patch

diff --git a/queue-4.9/bluetooth-l2cap-fix-u8-overflow.patch b/queue-4.9/bluetooth-l2cap-fix-u8-overflow.patch
new file mode 100644
index 00000000000..1081c69fa6e
--- /dev/null
+++ b/queue-4.9/bluetooth-l2cap-fix-u8-overflow.patch
@@ -0,0 +1,65 @@
+From 7410f749c96a8ff2d377aa0f9668c8b27b9bbe09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Nov 2022 15:01:47 -0500
+Subject: Bluetooth: L2CAP: Fix u8 overflow
+
+From: Sungwoo Kim
+
+[ Upstream commit bcd70260ef56e0aee8a4fc6cd214a419900b0765 ]
+
+By keep sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases
+multiple times and eventually it will wrap around the maximum number
+(i.e., 255).
+This patch prevents this by adding a boundary check with
+L2CAP_MAX_CONF_RSP
+
+Btmon log:
+Bluetooth monitor ver 5.64
+= Note: Linux version 6.1.0-rc2 (x86_64) 0.264594
+= Note: Bluetooth subsystem version 2.22 0.264636
+@ MGMT Open: btmon (privileged) version 1.22 {0x0001} 0.272191
+= New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0) [hci0] 13.877604
+@ RAW Open: 9496 (privileged) version 2.22 {0x0002} 13.890741
+= Open Index: 00:00:00:00:00:00 [hci0] 13.900426
+(...)
+> ACL Data RX: Handle 200 flags 0x00 dlen 1033 #32 [hci0] 14.273106
+ invalid packet size (12 != 1033)
+ 08 00 01 00 02 01 04 00 01 10 ff ff ............
+> ACL Data RX: Handle 200 flags 0x00 dlen 1547 #33 [hci0] 14.273561
+ invalid packet size (14 != 1547)
+ 0a 00 01 00 04 01 06 00 40 00 00 00 00 00 ........@.....
+> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #34 [hci0] 14.274390
+ invalid packet size (16 != 2061)
+ 0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04 ........@.......
+> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #35 [hci0] 14.274932
+ invalid packet size (16 != 2061)
+ 0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00 ........@.......
+= bluetoothd: Bluetooth daemon 5.43 14.401828
+> ACL Data RX: Handle 200 flags 0x00 dlen 1033 #36 [hci0] 14.275753
+ invalid packet size (12 != 1033)
+ 08 00 01 00 04 01 04 00 40 00 00 00 ........@...
+
+Signed-off-by: Sungwoo Kim
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 5e7fb30b2320..cbf0a9d5aabc 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4183,7 +4183,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
+
+ chan->ident = cmd->ident;
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
+- chan->num_conf_rsp++;
++ if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP)
++ chan->num_conf_rsp++;
+
+ /* Reset config buffer. */
+ chan->conf_len = 0;
+--
+2.35.1
+
diff --git a/queue-4.9/net-loopback-use-net_name_predictable-for-name_assig.patch b/queue-4.9/net-loopback-use-net_name_predictable-for-name_assig.patch
new file mode 100644
index 00000000000..fc0d9c497d8
--- /dev/null
+++ b/queue-4.9/net-loopback-use-net_name_predictable-for-name_assig.patch
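Review bot: The saturating guard on `chan->num_conf_rsp` in the l2cap_config_req hunk of bluetooth-l2cap-fix-u8-overflow.patch carries no comment saying why the counter stops instead of wrapping, and the commit text names `L2CAP_MAX_CONF_RSP` while the code compares against `L2CAP_CONF_MAX_CONF_RSP`. Per the description the count is advanced by the remote peer's L2CAP_CONF_REQ packets and wraps at 255, so the reason belongs next to the check, for example `/* Peer-driven u8 counter: saturate so repeated CONF_REQs cannot wrap it back to a low value */`. The `l2cap_send_cmd()` call on the line above still answers every request once the cap is reached; whether the channel should also be refused or torn down at that point depends on code outside this hunk, and l2cap_config_req itself starts and ends outside it.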
@@ -0,0 +1,50 @@
+From 4699319830727549ab2cf421010226bf92103679 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Nov 2022 15:18:28 +0100
+Subject: net: loopback: use NET_NAME_PREDICTABLE for name_assign_type
+
+From: Rasmus Villemoes
+
+[ Upstream commit 31d929de5a112ee1b977a89c57de74710894bbbf ]
+
+When the name_assign_type attribute was introduced (commit
+685343fc3ba6, "net: add name_assign_type netdev attribute"), the
+loopback device was explicitly mentioned as one which would make use
+of NET_NAME_PREDICTABLE:
+
+ The name_assign_type attribute gives hints where the interface name of a
+ given net-device comes from. These values are currently defined:
+...
+ NET_NAME_PREDICTABLE:
+ The ifname has been assigned by the kernel in a predictable way
+ that is guaranteed to avoid reuse and always be the same for a
+ given device. Examples include statically created devices like
+ the loopback device [...]
+
+Switch to that so that reading /sys/class/net/lo/name_assign_type
+produces something sensible instead of returning -EINVAL.
+
+Signed-off-by: Rasmus Villemoes
+Reviewed-by: Jacob Keller
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/loopback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c
+index 1b65f0f975cf..f04f9a87840e 100644
+--- a/drivers/net/loopback.c
++++ b/drivers/net/loopback.c
+@@ -194,7 +194,7 @@ static __net_init int loopback_net_init(struct net *net)
+ int err;
+
+ err = -ENOMEM;
+- dev = alloc_netdev(0, "lo", NET_NAME_UNKNOWN, loopback_setup);
++ dev = alloc_netdev(0, "lo", NET_NAME_PREDICTABLE, loopback_setup);
+ if (!dev)
+ goto out;
+
+--
+2.35.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 295c526e573..9a0b2ee6d81 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -11,3 +11,5 @@ udf-do-not-bother-looking-for-prealloc-extents-if-i_lenextents-matches-i_size.pa
 udf-fix-extending-file-within-last-block.patch
 usb-gadget-uvc-prevent-buffer-overflow-in-setup-handler.patch
 usb-serial-cp210x-add-kamstrup-rf-sniffer-pids.patch
+bluetooth-l2cap-fix-u8-overflow.patch
+net-loopback-use-net_name_predictable-for-name_assig.patch
--
2.47.3