From: Greg Kroah-Hartman Date: Fri, 20 Oct 2023 16:53:05 +0000 (+0200) Subject: 6.5-stable patches X-Git-Tag: v4.14.328~100 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=243228bde940485fa2211fe8b5b432a72cfb34ae;p=thirdparty%2Fkernel%2Fstable-queue.git 6.5-stable patches added patches: bluetooth-avoid-memcmp-out-of-bounds-warning.patch bluetooth-hci_conn-fix-modifying-handle-while-aborting.patch bluetooth-hci_event-fix-coding-style.patch ice-fix-over-shifted-variable.patch ice-fix-safe-mode-when-ddp-is-missing.patch --- diff --git a/queue-6.5/bluetooth-avoid-memcmp-out-of-bounds-warning.patch b/queue-6.5/bluetooth-avoid-memcmp-out-of-bounds-warning.patch new file mode 100644 index 00000000000..8a568b96308 --- /dev/null +++ b/queue-6.5/bluetooth-avoid-memcmp-out-of-bounds-warning.patch 
@@ -0,0 +1,52 @@
+From 9d1a3c74746428102d55371fbf74b484733937d9 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Mon, 9 Oct 2023 22:31:31 +0200
+Subject: Bluetooth: avoid memcmp() out of bounds warning
+
+From: Arnd Bergmann
+
+commit 9d1a3c74746428102d55371fbf74b484733937d9 upstream.
+
+bacmp() is a wrapper around memcpy(), which contain compile-time
+checks for buffer overflow. Since the hci_conn_request_evt() also calls
+bt_dev_dbg() with an implicit NULL pointer check, the compiler is now
+aware of a case where 'hdev' is NULL and treats this as meaning that
+zero bytes are available:
+
+In file included from net/bluetooth/hci_event.c:32:
+In function 'bacmp',
+ inlined from 'hci_conn_request_evt' at net/bluetooth/hci_event.c:3276:7:
+include/net/bluetooth/bluetooth.h:364:16: error: 'memcmp' specified bound 6 exceeds source size 0 [-Werror=stringop-overread]
+ 364 | return memcmp(ba1, ba2, sizeof(bdaddr_t));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Add another NULL pointer check before the bacmp() to ensure the compiler
+understands the code flow enough to not warn about it. Since the patch
+that introduced the warning is marked for stable backports, this one
+should also go that way to avoid introducing build regressions.
+
+Fixes: 1ffc6f8cc332 ("Bluetooth: Reject connection with the device which has same BD_ADDR")
+Cc: Kees Cook
+Cc: "Lee, Chun-Yi"
+Cc: Luiz Augusto von Dentz
+Cc: Marcel Holtmann
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Kees Cook
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3275,7 +3275,7 @@ static void hci_conn_request_evt(struct
+ /* Reject incoming connection from device with same BD ADDR against
+ * CVE-2020-26555
+ */
+- if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) {
++ if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
+ bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+ &ev->bdaddr);
+ hci_reject_conn(hdev, &ev->bdaddr);
diff --git a/queue-6.5/bluetooth-hci_conn-fix-modifying-handle-while-aborting.patch b/queue-6.5/bluetooth-hci_conn-fix-modifying-handle-while-aborting.patch
new file mode 100644
index 00000000000..d81ffd68942
--- /dev/null
+++ b/queue-6.5/bluetooth-hci_conn-fix-modifying-handle-while-aborting.patch
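Review bot: The new `hdev &&` guard in hci_conn_request_evt() cannot be told apart from a genuine NULL case by a later reader, yet the commit message says it exists only to stop -Wstringop-overread after bt_dev_dbg()'s implicit NULL test; a reader who takes it literally will also notice that a NULL hdev would skip the CVE-2020-26555 rejection and carry on, i.e. fail open. I would make the intent explicit above the condition: `/* hdev cannot be NULL here; the check only stops the stringop-overread warning */`. The commit message's "wrapper around memcpy()" should read memcmp(), as the quoted diagnostic itself shows. hci_conn_request_evt() starts and ends outside the hunk.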
@@ -0,0 +1,143 @@
+From 16e3b6429159795a87add7584eb100b19aa1d70b Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Thu, 3 Aug 2023 14:49:14 -0700
+Subject: Bluetooth: hci_conn: Fix modifying handle while aborting
+
+From: Luiz Augusto von Dentz
+
+commit 16e3b6429159795a87add7584eb100b19aa1d70b upstream.
+
+This introduces hci_conn_set_handle which takes care of verifying the
+conditions where the hci_conn handle can be modified, including when
+hci_conn_abort has been called and also checks that the handles is
+valid as well.
+
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/bluetooth/hci_core.h | 1 +
+ net/bluetooth/hci_conn.c | 27 +++++++++++++++++++++++++++
+ net/bluetooth/hci_event.c | 29 +++++++++++------------------
+ 3 files changed, 39 insertions(+), 18 deletions(-)
+
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -1426,6 +1426,7 @@ int hci_conn_switch_role(struct hci_conn
+ void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active);
+
+ void hci_conn_failed(struct hci_conn *conn, u8 status);
++u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle);
+
+ /*
+ * hci_conn_get() and hci_conn_put() are used to control the life-time of an
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1248,6 +1248,33 @@ void hci_conn_failed(struct hci_conn *co
+ hci_conn_del(conn);
+ }
+
++/* This function requires the caller holds hdev->lock */
++u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
++{
++ struct hci_dev *hdev = conn->hdev;
++
++ bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle);
++
++ if (conn->handle == handle)
++ return 0;
++
++ if (handle > HCI_CONN_HANDLE_MAX) {
++ bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
++ handle, HCI_CONN_HANDLE_MAX);
++ return HCI_ERROR_INVALID_PARAMETERS;
++ }
++
++ /* If abort_reason has been sent it means the connection is being
++ * aborted and the handle shall not be changed.
++ */
++ if (conn->abort_reason)
++ return conn->abort_reason;
++
++ conn->handle = handle;
++
++ return 0;
++}
++
+ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
+ {
+ struct hci_conn *conn = data;
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3180,13 +3180,9 @@ static void hci_conn_complete_evt(struct
+ }
+
+ if (!status) {
+- conn->handle = __le16_to_cpu(ev->handle);
+- if (conn->handle > HCI_CONN_HANDLE_MAX) {
+- bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
+- conn->handle, HCI_CONN_HANDLE_MAX);
+- status = HCI_ERROR_INVALID_PARAMETERS;
++ status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
++ if (status)
+ goto done;
+- }
+
+ if (conn->type == ACL_LINK) {
+ conn->state = BT_CONFIG;
+@@ -3879,11 +3875,9 @@ static u8 hci_cc_le_set_cig_params(struc
+ if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
+ continue;
+
+- conn->handle = __le16_to_cpu(rp->handle[i]);
++ if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
++ continue;
+
+- bt_dev_dbg(hdev, "%p handle 0x%4.4x parent %p", conn,
+- conn->handle, conn->parent);
+-
+ if (conn->state == BT_CONNECT)
+ pending = true;
+ }
+@@ -5055,11 +5049,8 @@ static void hci_sync_conn_complete_evt(s
+
+ switch (status) {
+ case 0x00:
+- conn->handle = __le16_to_cpu(ev->handle);
+- if (conn->handle > HCI_CONN_HANDLE_MAX) {
+- bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
+- conn->handle, HCI_CONN_HANDLE_MAX);
+- status = HCI_ERROR_INVALID_PARAMETERS;
++ status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
++ if (status) {
+ conn->state = BT_CLOSED;
+ break;
+ }
+@@ -6992,7 +6983,7 @@ static void hci_le_create_big_complete_e
+ {
+ struct hci_evt_le_create_big_complete *ev = data;
+ struct hci_conn *conn;
+- __u8 bis_idx = 0;
++ __u8 i = 0;
+
+ BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
+
+@@ -7010,7 +7001,9 @@ static void hci_le_create_big_complete_e
+ conn->iso_qos.bcast.big != ev->handle)
+ continue;
+
+- conn->handle = __le16_to_cpu(ev->bis_handle[bis_idx++]);
++ if (hci_conn_set_handle(conn,
++ __le16_to_cpu(ev->bis_handle[i++])))
++ continue;
+
+ if (!ev->status) {
+ conn->state = BT_CONNECTED;
+@@ -7029,7 +7022,7 @@ static void hci_le_create_big_complete_e
+ rcu_read_lock();
+ }
+
+- if (!ev->status && !bis_idx)
++ if (!ev->status && !i)
+ /* If no BISes have been connected for the BIG,
+ * terminate. This is in case all bound connections
+ * have been closed before the BIG creation
diff --git a/queue-6.5/bluetooth-hci_event-fix-coding-style.patch b/queue-6.5/bluetooth-hci_event-fix-coding-style.patch
new file mode 100644
index 00000000000..51f71efc17e
--- /dev/null
+++ b/queue-6.5/bluetooth-hci_event-fix-coding-style.patch
@@ -0,0 +1,34 @@
+From 35d91d95a0cd61ebb90e0246dc917fd25e519b8c Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Thu, 5 Oct 2023 14:12:19 -0700
+Subject: Bluetooth: hci_event: Fix coding style
+
+From: Luiz Augusto von Dentz
+
+commit 35d91d95a0cd61ebb90e0246dc917fd25e519b8c upstream.
+
+This fixes the following code style problem:
+
+ERROR: that open brace { should be on the previous line
++ if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
++ {
+
+Fixes: 1ffc6f8cc332 ("Bluetooth: Reject connection with the device which has same BD_ADDR")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_event.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3275,8 +3275,7 @@ static void hci_conn_request_evt(struct
+ /* Reject incoming connection from device with same BD ADDR against
+ * CVE-2020-26555
+ */
+- if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
+- {
++ if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) {
+ bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+ &ev->bdaddr);
+ hci_reject_conn(hdev, &ev->bdaddr);
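Review bot: In hci_le_create_big_complete_evt() the new `__le16_to_cpu(ev->bis_handle[i++])` advances `i` once per matching BIS connection in the hash list but never compares it with the number of handles the event actually carries, so a controller that reports fewer BIS handles than there are bound connections would have the loop read beyond the event payload; if no such check precedes the loop (its head is outside the hunk), I would add `if (i >= ev->num_bis) break;` before the hci_conn_set_handle() call, confirming the count field's name against struct hci_evt_le_create_big_complete. A smaller point: hci_conn_set_handle() returns early on `conn->handle == handle` before the HCI_CONN_HANDLE_MAX check, so a previously stored out-of-range value is never re-validated; a one-line comment that this is intentional would help. hci_conn_set_handle() is complete in the hunk; the event handlers it is called from start and end outside it.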
diff --git a/queue-6.5/ice-fix-over-shifted-variable.patch b/queue-6.5/ice-fix-over-shifted-variable.patch new file mode 100644 index 00000000000..c8260eda0d0 --- /dev/null +++ b/queue-6.5/ice-fix-over-shifted-variable.patch @@ -0,0 +1,45 @@ +From 242e34500a32631f85c2b4eb6cb42a368a39e54f Mon Sep 17 00:00:00 2001 +From: Jesse Brandeburg +Date: Tue, 10 Oct 2023 13:30:59 -0700 +Subject: ice: fix over-shifted variable + +From: Jesse Brandeburg + +commit 242e34500a32631f85c2b4eb6cb42a368a39e54f upstream. + +Since the introduction of the ice driver the code has been +double-shifting the RSS enabling field, because the define already has +shifts in it and can't have the regular pattern of "a << shiftval & +mask" applied. + +Most places in the code got it right, but one line was still wrong. Fix +this one location for easy backports to stable. An in-progress patch +fixes the defines to "standard" and will be applied as part of the +regular -next process sometime after this one. + +Fixes: d76a60ba7afb ("ice: Add support for VLANs and offloads") +Reviewed-by: Przemek Kitszel +CC: stable@vger.kernel.org +Signed-off-by: Jesse Brandeburg +Reviewed-by: Simon Horman +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Jacob Keller +Link: https://lore.kernel.org/r/20231010203101.406248-1-jacob.e.keller@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -1201,8 +1201,7 @@ static void ice_set_rss_vsi_ctx(struct i + + ctxt->info.q_opt_rss = ((lut_type << ICE_AQ_VSI_Q_OPT_RSS_LUT_S) & + ICE_AQ_VSI_Q_OPT_RSS_LUT_M) | +- ((hash_type << ICE_AQ_VSI_Q_OPT_RSS_HASH_S) & +- ICE_AQ_VSI_Q_OPT_RSS_HASH_M); ++ (hash_type & ICE_AQ_VSI_Q_OPT_RSS_HASH_M); + } + + static void 
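Review bot: The corrected `(hash_type & ICE_AQ_VSI_Q_OPT_RSS_HASH_M)` now reads as an inconsistency next to the shifted `lut_type` term above it, and since the commit message promises a later cleanup of the defines, the next person is likely to "fix" it back to the double shift. I would pin the intent with a comment on the line: `/* the ICE_AQ_VSI_Q_OPT_RSS_* hash-type values already include the shift; do not shift again */`. Presumably the old double shift pushed the hash-type bits out of the mask and silently programmed a zero hash type rather than failing, which is why it survived; that is worth stating in the changelog but cannot be confirmed from the hunk alone. ice_set_rss_vsi_ctx() starts outside the hunk.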
diff --git a/queue-6.5/ice-fix-safe-mode-when-ddp-is-missing.patch b/queue-6.5/ice-fix-safe-mode-when-ddp-is-missing.patch
new file mode 100644
index 00000000000..0ef9bcb13de
--- /dev/null
+++ b/queue-6.5/ice-fix-safe-mode-when-ddp-is-missing.patch
@@ -0,0 +1,40 @@
+From 42066c4d5d344cdf8564556cdbe0aa36854fefa4 Mon Sep 17 00:00:00 2001
+From: Mateusz Pacuszka
+Date: Wed, 11 Oct 2023 16:33:34 -0700
+Subject: ice: Fix safe mode when DDP is missing
+
+From: Mateusz Pacuszka
+
+commit 42066c4d5d344cdf8564556cdbe0aa36854fefa4 upstream.
+
+One thing is broken in the safe mode, that is
+ice_deinit_features() is being executed even
+that ice_init_features() was not causing stack
+trace during pci_unregister_driver().
+
+Add check on the top of the function.
+
+Fixes: 5b246e533d01 ("ice: split probe into smaller functions")
+Signed-off-by: Mateusz Pacuszka
+Signed-off-by: Jan Sokolowski
+Reviewed-by: Przemek Kitszel
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Link: https://lore.kernel.org/r/20231011233334.336092-4-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -4632,6 +4632,9 @@ static void ice_init_features(struct ice
+
+ static void ice_deinit_features(struct ice_pf *pf)
+ {
++ if (ice_is_safe_mode(pf))
++ return;
++
+ ice_deinit_lag(pf);
+ if (test_bit(ICE_FLAG_DCB_CAPABLE, pf->flags))
+ ice_cfg_lldp_mib_change(&pf->hw, false);
diff --git a/queue-6.5/series b/queue-6.5/series
index 4836629f189..85425ed0703
--- a/queue-6.5/series
+++ b/queue-6.5/series
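Review bot: The early `return` added to ice_deinit_features() silently assumes the safe-mode state is the same at teardown as it was when ice_init_features() ran; if a reset or DDP reload can flip the flag after features are initialised (not visible from the hunk), the return would skip ice_deinit_lag() and the rest of the teardown and leak them. I would state the invariant above the check: `/* ice_init_features() is skipped in safe mode, so there is nothing to tear down */`. If the two functions can observe different states, a per-pf "features initialised" flag set by ice_init_features() is a more robust guard than re-evaluating ice_is_safe_mode(). ice_init_features() ends just before the hunk and ice_deinit_features() continues past it.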
@@ -2,3 +2,8 @@ bluetooth-hci_event-ignore-null-link-key.patch
 bluetooth-reject-connection-with-the-device-which-has-same-bd_addr.patch
 bluetooth-fix-a-refcnt-underflow-problem-for-hci_conn.patch
 bluetooth-vhci-fix-race-when-opening-vhci-device.patch
+bluetooth-hci_event-fix-coding-style.patch
+bluetooth-avoid-memcmp-out-of-bounds-warning.patch
+bluetooth-hci_conn-fix-modifying-handle-while-aborting.patch
+ice-fix-over-shifted-variable.patch
+ice-fix-safe-mode-when-ddp-is-missing.patch