--- /dev/null
+From 9d1a3c74746428102d55371fbf74b484733937d9 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 9 Oct 2023 22:31:31 +0200
+Subject: Bluetooth: avoid memcmp() out of bounds warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 9d1a3c74746428102d55371fbf74b484733937d9 upstream.
+
+bacmp() is a wrapper around memcpy(), which contain compile-time
+checks for buffer overflow. Since the hci_conn_request_evt() also calls
+bt_dev_dbg() with an implicit NULL pointer check, the compiler is now
+aware of a case where 'hdev' is NULL and treats this as meaning that
+zero bytes are available:
+
+In file included from net/bluetooth/hci_event.c:32:
+In function 'bacmp',
+ inlined from 'hci_conn_request_evt' at net/bluetooth/hci_event.c:3276:7:
+include/net/bluetooth/bluetooth.h:364:16: error: 'memcmp' specified bound 6 exceeds source size 0 [-Werror=stringop-overread]
+ 364 | return memcmp(ba1, ba2, sizeof(bdaddr_t));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Add another NULL pointer check before the bacmp() to ensure the compiler
+understands the code flow enough to not warn about it. Since the patch
+that introduced the warning is marked for stable backports, this one
+should also go that way to avoid introducing build regressions.
+
+Fixes: 1ffc6f8cc332 ("Bluetooth: Reject connection with the device which has same BD_ADDR")
+Cc: Kees Cook <keescook@chromium.org>
+Cc: "Lee, Chun-Yi" <jlee@suse.com>
+Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3275,7 +3275,7 @@ static void hci_conn_request_evt(struct
+ /* Reject incoming connection from device with same BD ADDR against
+ * CVE-2020-26555
+ */
+- if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) {
++ if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
+ bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+ &ev->bdaddr);
+ hci_reject_conn(hdev, &ev->bdaddr);
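Review bot: The added `hdev &&` in the CVE-2020-26555 check reads like a real runtime condition, but the commit text says it exists only so the compiler's flow analysis stops reporting -Wstringop-overread. As written, a NULL hdev would skip the same-BD_ADDR rejection and fall through to the rest of hci_conn_request_evt(), so the guard fails open rather than closed. A comment above the test would stop a later cleanup from removing it or relying on it, for example `/* hdev is never NULL here; the test only tells the compiler so (stringop-overread) */`. The function body starts and continues outside this hunk, so whether hdev is dereferenced unconditionally further down cannot be confirmed from here.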
--- /dev/null
+From 16e3b6429159795a87add7584eb100b19aa1d70b Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 3 Aug 2023 14:49:14 -0700
+Subject: Bluetooth: hci_conn: Fix modifying handle while aborting
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 16e3b6429159795a87add7584eb100b19aa1d70b upstream.
+
+This introduces hci_conn_set_handle which takes care of verifying the
+conditions where the hci_conn handle can be modified, including when
+hci_conn_abort has been called and also checks that the handles is
+valid as well.
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/bluetooth/hci_core.h | 1 +
+ net/bluetooth/hci_conn.c | 27 +++++++++++++++++++++++++++
+ net/bluetooth/hci_event.c | 29 +++++++++++------------------
+ 3 files changed, 39 insertions(+), 18 deletions(-)
+
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -1426,6 +1426,7 @@ int hci_conn_switch_role(struct hci_conn
+ void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active);
+
+ void hci_conn_failed(struct hci_conn *conn, u8 status);
++u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle);
+
+ /*
+ * hci_conn_get() and hci_conn_put() are used to control the life-time of an
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1248,6 +1248,33 @@ void hci_conn_failed(struct hci_conn *co
+ hci_conn_del(conn);
+ }
+
++/* This function requires the caller holds hdev->lock */
++u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
++{
++ struct hci_dev *hdev = conn->hdev;
++
++ bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle);
++
++ if (conn->handle == handle)
++ return 0;
++
++ if (handle > HCI_CONN_HANDLE_MAX) {
++ bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
++ handle, HCI_CONN_HANDLE_MAX);
++ return HCI_ERROR_INVALID_PARAMETERS;
++ }
++
++ /* If abort_reason has been sent it means the connection is being
++ * aborted and the handle shall not be changed.
++ */
++ if (conn->abort_reason)
++ return conn->abort_reason;
++
++ conn->handle = handle;
++
++ return 0;
++}
++
+ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
+ {
+ struct hci_conn *conn = data;
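Review bot: The locking contract of hci_conn_set_handle() is stated only in the comment "requires the caller holds hdev->lock", so a future caller that omits the lock would race on conn->handle and conn->abort_reason without any diagnostic. Assuming every current caller does hold it, `lockdep_assert_held(&hdev->lock);` as the first statement after the declaration would make the contract checkable on lockdep builds. The u8 return mixes HCI_ERROR_INVALID_PARAMETERS with conn->abort_reason, so the header comment should also say that 0 means the handle was accepted (or already equal) and any non-zero value is an HCI status code. In the comment above the abort_reason test, "has been sent" looks like it should read "has been set".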
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3180,13 +3180,9 @@ static void hci_conn_complete_evt(struct
+ }
+
+ if (!status) {
+- conn->handle = __le16_to_cpu(ev->handle);
+- if (conn->handle > HCI_CONN_HANDLE_MAX) {
+- bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
+- conn->handle, HCI_CONN_HANDLE_MAX);
+- status = HCI_ERROR_INVALID_PARAMETERS;
++ status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
++ if (status)
+ goto done;
+- }
+
+ if (conn->type == ACL_LINK) {
+ conn->state = BT_CONFIG;
+@@ -3879,11 +3875,9 @@ static u8 hci_cc_le_set_cig_params(struc
+ if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
+ continue;
+
+- conn->handle = __le16_to_cpu(rp->handle[i]);
++ if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
++ continue;
+
+- bt_dev_dbg(hdev, "%p handle 0x%4.4x parent %p", conn,
+- conn->handle, conn->parent);
+-
+ if (conn->state == BT_CONNECT)
+ pending = true;
+ }
+@@ -5055,11 +5049,8 @@ static void hci_sync_conn_complete_evt(s
+
+ switch (status) {
+ case 0x00:
+- conn->handle = __le16_to_cpu(ev->handle);
+- if (conn->handle > HCI_CONN_HANDLE_MAX) {
+- bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
+- conn->handle, HCI_CONN_HANDLE_MAX);
+- status = HCI_ERROR_INVALID_PARAMETERS;
++ status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
++ if (status) {
+ conn->state = BT_CLOSED;
+ break;
+ }
+@@ -6992,7 +6983,7 @@ static void hci_le_create_big_complete_e
+ {
+ struct hci_evt_le_create_big_complete *ev = data;
+ struct hci_conn *conn;
+- __u8 bis_idx = 0;
++ __u8 i = 0;
+
+ BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
+
+@@ -7010,7 +7001,9 @@ static void hci_le_create_big_complete_e
+ conn->iso_qos.bcast.big != ev->handle)
+ continue;
+
+- conn->handle = __le16_to_cpu(ev->bis_handle[bis_idx++]);
++ if (hci_conn_set_handle(conn,
++ __le16_to_cpu(ev->bis_handle[i++])))
++ continue;
+
+ if (!ev->status) {
+ conn->state = BT_CONNECTED;
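Review bot: `i++` is evaluated inside the hci_conn_set_handle() argument, so the index advances even when the handle is rejected and the loop takes the new `continue`. The later test `if (!ev->status && !i)` in the following hunk therefore no longer means "no BIS was connected": if every matched connection is rejected (for example all are being aborted), `i` is non-zero and the terminate-BIG path is skipped. A separate counter incremented only after a successful set, or a flag set next to `conn->state = BT_CONNECTED;`, would keep that check meaningful. No bound on `i` against the number of BIS handles carried in the event is visible in these hunks; if none exists elsewhere in the function, one is worth adding before indexing `ev->bis_handle[]`, since that data comes from the controller.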
+@@ -7029,7 +7022,7 @@ static void hci_le_create_big_complete_e
+ rcu_read_lock();
+ }
+
+- if (!ev->status && !bis_idx)
++ if (!ev->status && !i)
+ /* If no BISes have been connected for the BIG,
+ * terminate. This is in case all bound connections
+ * have been closed before the BIG creation
--- /dev/null
+From 35d91d95a0cd61ebb90e0246dc917fd25e519b8c Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 5 Oct 2023 14:12:19 -0700
+Subject: Bluetooth: hci_event: Fix coding style
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 35d91d95a0cd61ebb90e0246dc917fd25e519b8c upstream.
+
+This fixes the following code style problem:
+
+ERROR: that open brace { should be on the previous line
++ if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
++ {
+
+Fixes: 1ffc6f8cc332 ("Bluetooth: Reject connection with the device which has same BD_ADDR")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_event.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3275,8 +3275,7 @@ static void hci_conn_request_evt(struct
+ /* Reject incoming connection from device with same BD ADDR against
+ * CVE-2020-26555
+ */
+- if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
+- {
++ if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) {
+ bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+ &ev->bdaddr);
+ hci_reject_conn(hdev, &ev->bdaddr);
--- /dev/null
+From 242e34500a32631f85c2b4eb6cb42a368a39e54f Mon Sep 17 00:00:00 2001
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Date: Tue, 10 Oct 2023 13:30:59 -0700
+Subject: ice: fix over-shifted variable
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+commit 242e34500a32631f85c2b4eb6cb42a368a39e54f upstream.
+
+Since the introduction of the ice driver the code has been
+double-shifting the RSS enabling field, because the define already has
+shifts in it and can't have the regular pattern of "a << shiftval &
+mask" applied.
+
+Most places in the code got it right, but one line was still wrong. Fix
+this one location for easy backports to stable. An in-progress patch
+fixes the defines to "standard" and will be applied as part of the
+regular -next process sometime after this one.
+
+Fixes: d76a60ba7afb ("ice: Add support for VLANs and offloads")
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20231010203101.406248-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -1201,8 +1201,7 @@ static void ice_set_rss_vsi_ctx(struct i
+
+ ctxt->info.q_opt_rss = ((lut_type << ICE_AQ_VSI_Q_OPT_RSS_LUT_S) &
+ ICE_AQ_VSI_Q_OPT_RSS_LUT_M) |
+- ((hash_type << ICE_AQ_VSI_Q_OPT_RSS_HASH_S) &
+- ICE_AQ_VSI_Q_OPT_RSS_HASH_M);
++ (hash_type & ICE_AQ_VSI_Q_OPT_RSS_HASH_M);
+ }
+
+ static void
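Review bot: After this change the two halves of the q_opt_rss expression look inconsistent, with lut_type shifted by ICE_AQ_VSI_Q_OPT_RSS_LUT_S and hash_type only masked, and nothing in the code says why. The commit text explains that the hash-type defines already carry the shift. A reader without that context may "fix" the asymmetry and reintroduce the double shift. A one-line comment above the hash_type term would prevent that, for example `/* hash_type values are pre-shifted by their defines; mask only */`. The assignment sits at the end of ice_set_rss_vsi_ctx(), whose earlier lines, including where hash_type is set, are outside the hunk.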
--- /dev/null
+From 42066c4d5d344cdf8564556cdbe0aa36854fefa4 Mon Sep 17 00:00:00 2001
+From: Mateusz Pacuszka <mateuszx.pacuszka@intel.com>
+Date: Wed, 11 Oct 2023 16:33:34 -0700
+Subject: ice: Fix safe mode when DDP is missing
+
+From: Mateusz Pacuszka <mateuszx.pacuszka@intel.com>
+
+commit 42066c4d5d344cdf8564556cdbe0aa36854fefa4 upstream.
+
+One thing is broken in the safe mode, that is
+ice_deinit_features() is being executed even
+that ice_init_features() was not causing stack
+trace during pci_unregister_driver().
+
+Add check on the top of the function.
+
+Fixes: 5b246e533d01 ("ice: split probe into smaller functions")
+Signed-off-by: Mateusz Pacuszka <mateuszx.pacuszka@intel.com>
+Signed-off-by: Jan Sokolowski <jan.sokolowski@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Link: https://lore.kernel.org/r/20231011233334.336092-4-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -4632,6 +4632,9 @@ static void ice_init_features(struct ice
+
+ static void ice_deinit_features(struct ice_pf *pf)
+ {
++ if (ice_is_safe_mode(pf))
++ return;
++
+ ice_deinit_lag(pf);
+ if (test_bit(ICE_FLAG_DCB_CAPABLE, pf->flags))
+ ice_cfg_lldp_mib_change(&pf->hw, false);
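Review bot: The new early return in ice_deinit_features() is only correct if ice_init_features() skips exactly the same work under the same ice_is_safe_mode() condition, and that function's body is not visible in this hunk. The pairing is also implicit: if the safe-mode state could differ between init and deinit, teardown would either be skipped for features that were set up or run for features that were not. A comment on the guard would keep the two in sync, for example `/* mirrors the safe-mode bail-out in ice_init_features(): nothing to undo */`. The rest of ice_deinit_features() continues past the end of the hunk.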
bluetooth-reject-connection-with-the-device-which-has-same-bd_addr.patch
bluetooth-fix-a-refcnt-underflow-problem-for-hci_conn.patch
bluetooth-vhci-fix-race-when-opening-vhci-device.patch
+bluetooth-hci_event-fix-coding-style.patch
+bluetooth-avoid-memcmp-out-of-bounds-warning.patch
+bluetooth-hci_conn-fix-modifying-handle-while-aborting.patch
+ice-fix-over-shifted-variable.patch
+ice-fix-safe-mode-when-ddp-is-missing.patch