From: Greg Kroah-Hartman Date: Mon, 23 Oct 2023 07:45:36 +0000 (+0200) Subject: 6.5-stable patches X-Git-Tag: v4.14.328~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=420605a13c352c16f65d070333011cb819384b2e;p=thirdparty%2Fkernel%2Fstable-queue.git 6.5-stable patches added patches: bluetooth-hci_sock-fix-slab-oob-read-in-create_monitor_event.patch docs-rust-update-rust-docs-output-path.patch kbuild-remove-old-rust-docs-output-path.patch net-rfkill-reduce-data-mtx-scope-in-rfkill_fop_open.patch
---
diff --git a/queue-6.5/bluetooth-hci_sock-fix-slab-oob-read-in-create_monitor_event.patch b/queue-6.5/bluetooth-hci_sock-fix-slab-oob-read-in-create_monitor_event.patch
new file mode 100644
index 00000000000..3d00ef01715
--- /dev/null
+++ b/queue-6.5/bluetooth-hci_sock-fix-slab-oob-read-in-create_monitor_event.patch
@@ -0,0 +1,31 @@
+From 18f547f3fc074500ab5d419cf482240324e73a7e Mon Sep 17 00:00:00 2001
+From: Edward AD
+Date: Tue, 10 Oct 2023 13:36:57 +0800
+Subject: Bluetooth: hci_sock: fix slab oob read in create_monitor_event
+
+From: Edward AD
+
+commit 18f547f3fc074500ab5d419cf482240324e73a7e upstream.
+
+When accessing hdev->name, the actual string length should prevail
+
+Reported-by: syzbot+c90849c50ed209d77689@syzkaller.appspotmail.com
+Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")
+Signed-off-by: Edward AD
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -439,7 +439,7 @@ static struct sk_buff *create_monitor_ev
+ ni->type = hdev->dev_type;
+ ni->bus = hdev->bus;
+ bacpy(&ni->bdaddr, &hdev->bdaddr);
+- memcpy(ni->name, hdev->name, 8);
++ memcpy(ni->name, hdev->name, strlen(hdev->name));
+
+ opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
+ break;
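Review bot: The new length in `memcpy(ni->name, hdev->name, strlen(hdev->name));` is bounded only by the source string, so the out-of-bounds read is closed but nothing now limits the write into ni->name. The removed line copied a fixed 8 bytes, which suggests ni->name is an 8-byte field; if hdev->name can ever be longer than that the copy overruns the destination, and for shorter names the rest of the field is no longer written, so it keeps whatever the buffer held before (possibly uninitialised skb data visible to monitor readers, which cannot be confirmed from this hunk). Bounding by the destination and padding the remainder covers both cases: `memcpy_and_pad(ni->name, sizeof(ni->name), hdev->name, strnlen(hdev->name, sizeof(ni->name)), '\0');`. create_monitor_event's body starts and ends outside the hunk, so the declaration of ni and the skb allocation are not visible here.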
diff --git a/queue-6.5/docs-rust-update-rust-docs-output-path.patch b/queue-6.5/docs-rust-update-rust-docs-output-path.patch
new file mode 100644
index 00000000000..9ceaad75ad4
--- /dev/null
+++ b/queue-6.5/docs-rust-update-rust-docs-output-path.patch
@@ -0,0 +1,34 @@
+From bd9e54a42ce26026d67963c21b3fdfe8c7e68430 Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda
+Date: Wed, 18 Oct 2023 18:01:44 +0200
+Subject: docs: rust: update Rust docs output path
+
+From: Miguel Ojeda
+
+commit bd9e54a42ce26026d67963c21b3fdfe8c7e68430 upstream.
+
+The Rust code documentation output path moved from `rust/doc` to
+`Documentation/output/rust/rustdoc`, thus update the old reference.
+
+Fixes: 48fadf440075 ("docs: Move rustdoc output, cross-reference it")
+Reviewed-by: Benno Lossin
+Reviewed-by: Alice Ryhl
+Reviewed-by: Andreas Hindborg
+Link: https://lore.kernel.org/r/20231018160145.1017340-1-ojeda@kernel.org
+Signed-off-by: Miguel Ojeda
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/rust/general-information.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/rust/general-information.rst
++++ b/Documentation/rust/general-information.rst
+@@ -29,7 +29,7 @@ target with the same invocation used for
+
+ To read the docs locally in your web browser, run e.g.::
+
+- xdg-open rust/doc/kernel/index.html
++ xdg-open Documentation/output/rust/rustdoc/kernel/index.html
+
+ To learn about how to write the documentation, please see coding-guidelines.rst.
+
diff --git a/queue-6.5/kbuild-remove-old-rust-docs-output-path.patch b/queue-6.5/kbuild-remove-old-rust-docs-output-path.patch
new file mode 100644
index 00000000000..70ea3cfb1d0
--- /dev/null
+++ b/queue-6.5/kbuild-remove-old-rust-docs-output-path.patch
@@ -0,0 +1,38 @@
+From 1db773da58df20772dcc037a47163ce472d39c4d Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda
+Date: Wed, 18 Oct 2023 18:01:45 +0200
+Subject: kbuild: remove old Rust docs output path
+
+From: Miguel Ojeda
+
+commit 1db773da58df20772dcc037a47163ce472d39c4d upstream.
+
+The Rust code documentation output path moved from `rust/doc` to
+`Documentation/output/rust/rustdoc`. The `make cleandocs` target
+takes care of cleaning it now since it is integrated with the rest
+of the documentation.
+
+Thus remove the old reference.
+
+Fixes: 48fadf440075 ("docs: Move rustdoc output, cross-reference it")
+Reviewed-by: Benno Lossin
+Reviewed-by: Alice Ryhl
+Reviewed-by: Andreas Hindborg
+Link: https://lore.kernel.org/r/20231018160145.1017340-2-ojeda@kernel.org
+Signed-off-by: Miguel Ojeda
+Signed-off-by: Greg Kroah-Hartman
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -1595,7 +1595,7 @@ endif
+ # Directories & files removed with 'make clean'
+ CLEAN_FILES += include/ksym vmlinux.symvers modules-only.symvers \
+ modules.builtin modules.builtin.modinfo modules.nsdeps \
+- compile_commands.json .thinlto-cache rust/test rust/doc \
++ compile_commands.json .thinlto-cache rust/test \
+ rust-project.json .vmlinux.objs .vmlinux.export.c
+
+ # Directories & files removed with 'make mrproper'
diff --git a/queue-6.5/net-rfkill-reduce-data-mtx-scope-in-rfkill_fop_open.patch b/queue-6.5/net-rfkill-reduce-data-mtx-scope-in-rfkill_fop_open.patch
new file mode 100644
index 00000000000..48fad4c2831
--- /dev/null
+++ b/queue-6.5/net-rfkill-reduce-data-mtx-scope-in-rfkill_fop_open.patch
@@ -0,0 +1,64 @@
+From f2ac54ebf85615a6d78f5eb213a8bbeeb17ebe5d Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 11 Oct 2023 16:55:10 +0200
+Subject: net: rfkill: reduce data->mtx scope in rfkill_fop_open
+
+From: Johannes Berg
+
+commit f2ac54ebf85615a6d78f5eb213a8bbeeb17ebe5d upstream.
+
+In syzbot runs, lockdep reports that there's a (potential)
+deadlock here of data->mtx being locked recursively. This
+isn't really a deadlock since they are different instances,
+but lockdep cannot know, and teaching it would be far more
+difficult than other fixes.
+
+At the same time we don't even really _need_ the mutex to
+be locked in rfkill_fop_open(), since we're modifying only
+a completely fresh instance of 'data' (struct rfkill_data)
+that's not yet added to the global list.
+
+However, to avoid any reordering etc. within the globally
+locked section, and to make the code look more symmetric,
+we should still lock the data->events list manipulation,
+but also need to lock _only_ that. So do that.
+
+Reported-by: syzbot+509238e523e032442b80@syzkaller.appspotmail.com
+Fixes: 2c3dfba4cf84 ("rfkill: sync before userspace visibility/changes")
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rfkill/core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -1180,7 +1180,6 @@ static int rfkill_fop_open(struct inode
+ init_waitqueue_head(&data->read_wait);
+
+ mutex_lock(&rfkill_global_mutex);
+- mutex_lock(&data->mtx);
+ /*
+ * start getting events from elsewhere but hold mtx to get
+ * startup events added first
+@@ -1192,10 +1191,11 @@ static int rfkill_fop_open(struct inode
+ goto free;
+ rfkill_sync(rfkill);
+ rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD);
++ mutex_lock(&data->mtx);
+ list_add_tail(&ev->list, &data->events);
++ mutex_unlock(&data->mtx);
+ }
+ list_add(&data->list, &rfkill_fds);
+- mutex_unlock(&data->mtx);
+ mutex_unlock(&rfkill_global_mutex);
+
+ file->private_data = data;
+@@ -1203,7 +1203,6 @@ static int rfkill_fop_open(struct inode
+ return stream_open(inode, file);
+
+ free:
+- mutex_unlock(&data->mtx);
+ mutex_unlock(&rfkill_global_mutex);
+ mutex_destroy(&data->mtx);
+ list_for_each_entry_safe(ev, tmp, &data->events, list)
diff --git a/queue-6.5/series b/queue-6.5/series
index ea6808b6423..7df5d230a9d 100644
--- a/queue-6.5/series
+++ b/queue-6.5/series
@@ -232,3 +232,7 @@ phy-qcom-qmp-combo-square-out-8550-power_state_confi.patch
 phy-qcom-qmp-combo-initialize-pcs_usb-registers.patch
 efi-unaccepted-fix-soft-lockups-caused-by-parallel-m.patch
 net-move-altnames-together-with-the-netdevice.patch
+bluetooth-hci_sock-fix-slab-oob-read-in-create_monitor_event.patch
+net-rfkill-reduce-data-mtx-scope-in-rfkill_fop_open.patch
+docs-rust-update-rust-docs-output-path.patch
+kbuild-remove-old-rust-docs-output-path.patch
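Review bot: In the first rfkill_fop_open hunk of the net/rfkill/core.c patch, the context comment `start getting events from elsewhere but hold mtx to get startup events added first` is left unchanged although the `mutex_lock(&data->mtx);` directly above it is removed, so it now describes locking the code no longer does. After the change data->mtx is taken only around `list_add_tail(&ev->list, &data->events);`, and judging by the commit message the ordering of startup events relies on rfkill_global_mutex being held until `list_add(&data->list, &rfkill_fds);`. I would reword the comment to say so, for example `hold rfkill_global_mutex so the startup events are queued before data becomes visible on rfkill_fds`. The function starts and ends outside all three hunks, so how the loop iterates and which other paths take data->mtx cannot be checked from here.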