From: Greg Kroah-Hartman Date: Fri, 20 Oct 2023 16:52:38 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.14.328~103 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=477374f528d0153e529f13f23755997e15c29b6e;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: bluetooth-avoid-memcmp-out-of-bounds-warning.patch bluetooth-hci_event-fix-coding-style.patch ice-fix-over-shifted-variable.patch
---
diff --git a/queue-5.10/bluetooth-avoid-memcmp-out-of-bounds-warning.patch b/queue-5.10/bluetooth-avoid-memcmp-out-of-bounds-warning.patch
new file mode 100644
index 00000000000..9b22feaea62
--- /dev/null
+++ b/queue-5.10/bluetooth-avoid-memcmp-out-of-bounds-warning.patch
@@ -0,0 +1,52 @@
+From 9d1a3c74746428102d55371fbf74b484733937d9 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Mon, 9 Oct 2023 22:31:31 +0200
+Subject: Bluetooth: avoid memcmp() out of bounds warning
+
+From: Arnd Bergmann
+
+commit 9d1a3c74746428102d55371fbf74b484733937d9 upstream.
+
+bacmp() is a wrapper around memcpy(), which contain compile-time
+checks for buffer overflow. Since the hci_conn_request_evt() also calls
+bt_dev_dbg() with an implicit NULL pointer check, the compiler is now
+aware of a case where 'hdev' is NULL and treats this as meaning that
+zero bytes are available:
+
+In file included from net/bluetooth/hci_event.c:32:
+In function 'bacmp',
+ inlined from 'hci_conn_request_evt' at net/bluetooth/hci_event.c:3276:7:
+include/net/bluetooth/bluetooth.h:364:16: error: 'memcmp' specified bound 6 exceeds source size 0 [-Werror=stringop-overread]
+ 364 | return memcmp(ba1, ba2, sizeof(bdaddr_t));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Add another NULL pointer check before the bacmp() to ensure the compiler
+understands the code flow enough to not warn about it. Since the patch
+that introduced the warning is marked for stable backports, this one
+should also go that way to avoid introducing build regressions.
+
+Fixes: 1ffc6f8cc332 ("Bluetooth: Reject connection with the device which has same BD_ADDR")
+Cc: Kees Cook
+Cc: "Lee, Chun-Yi"
+Cc: Luiz Augusto von Dentz
+Cc: Marcel Holtmann
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Kees Cook
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2704,7 +2704,7 @@ static void hci_conn_request_evt(struct
+ /* Reject incoming connection from device with same BD ADDR against
+ * CVE-2020-26555
+ */
+- if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) {
++ if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
+ bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+ &ev->bdaddr);
+ hci_reject_conn(hdev, &ev->bdaddr);
diff --git a/queue-5.10/bluetooth-hci_event-fix-coding-style.patch b/queue-5.10/bluetooth-hci_event-fix-coding-style.patch
new file mode 100644
index 00000000000..fad60d8b091
--- /dev/null
+++ b/queue-5.10/bluetooth-hci_event-fix-coding-style.patch
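Review bot: The `hdev &&` added to the condition in hci_conn_request_evt() (bluetooth-avoid-memcmp-out-of-bounds-warning.patch) reads as a runtime guard, yet the commit message says it exists only so the compiler stops reporting -Wstringop-overread, and the body of the branch still hands hdev to `bt_dev_dbg()` and `hci_reject_conn()`. Nothing in the code records that, so someone auditing the CVE-2020-26555 rejection could infer a reachable NULL-hdev path on which the same-BD_ADDR check is skipped, or later drop the test as dead code and bring the build failure back. I would extend the existing comment above the `if` with one line such as `* (hdev is not expected to be NULL; the test only quiets -Wstringop-overread)`. The function starts and ends outside the hunk, so whether any caller can actually pass NULL is not visible here.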
@@ -0,0 +1,34 @@
+From 35d91d95a0cd61ebb90e0246dc917fd25e519b8c Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Thu, 5 Oct 2023 14:12:19 -0700
+Subject: Bluetooth: hci_event: Fix coding style
+
+From: Luiz Augusto von Dentz
+
+commit 35d91d95a0cd61ebb90e0246dc917fd25e519b8c upstream.
+
+This fixes the following code style problem:
+
+ERROR: that open brace { should be on the previous line
++ if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
++ {
+
+Fixes: 1ffc6f8cc332 ("Bluetooth: Reject connection with the device which has same BD_ADDR")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_event.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2704,8 +2704,7 @@ static void hci_conn_request_evt(struct
+ /* Reject incoming connection from device with same BD ADDR against
+ * CVE-2020-26555
+ */
+- if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
+- {
++ if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) {
+ bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+ &ev->bdaddr);
+ hci_reject_conn(hdev, &ev->bdaddr);
diff --git a/queue-5.10/ice-fix-over-shifted-variable.patch b/queue-5.10/ice-fix-over-shifted-variable.patch
new file mode 100644
index 00000000000..0fd30754909
--- /dev/null
+++ b/queue-5.10/ice-fix-over-shifted-variable.patch
@@ -0,0 +1,45 @@
+From 242e34500a32631f85c2b4eb6cb42a368a39e54f Mon Sep 17 00:00:00 2001
+From: Jesse Brandeburg
+Date: Tue, 10 Oct 2023 13:30:59 -0700
+Subject: ice: fix over-shifted variable
+
+From: Jesse Brandeburg
+
+commit 242e34500a32631f85c2b4eb6cb42a368a39e54f upstream.
+
+Since the introduction of the ice driver the code has been
+double-shifting the RSS enabling field, because the define already has
+shifts in it and can't have the regular pattern of "a << shiftval &
+mask" applied.
+
+Most places in the code got it right, but one line was still wrong. Fix
+this one location for easy backports to stable. An in-progress patch
+fixes the defines to "standard" and will be applied as part of the
+regular -next process sometime after this one.
+
+Fixes: d76a60ba7afb ("ice: Add support for VLANs and offloads")
+Reviewed-by: Przemek Kitszel
+CC: stable@vger.kernel.org
+Signed-off-by: Jesse Brandeburg
+Reviewed-by: Simon Horman
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Jacob Keller
+Link: https://lore.kernel.org/r/20231010203101.406248-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -931,8 +931,7 @@ static void ice_set_rss_vsi_ctx(struct i
+
+ ctxt->info.q_opt_rss = ((lut_type << ICE_AQ_VSI_Q_OPT_RSS_LUT_S) &
+ ICE_AQ_VSI_Q_OPT_RSS_LUT_M) |
+- ((hash_type << ICE_AQ_VSI_Q_OPT_RSS_HASH_S) &
+- ICE_AQ_VSI_Q_OPT_RSS_HASH_M);
++ (hash_type & ICE_AQ_VSI_Q_OPT_RSS_HASH_M);
+ }
+
+ /**
diff --git a/queue-5.10/series b/queue-5.10/series
index 4fbb3c079b0..28eac9f5677 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
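Review bot: After this change the two halves of the `q_opt_rss` expression in ice_set_rss_vsi_ctx() (ice-fix-over-shifted-variable.patch) are deliberately asymmetric, and the code does not say why: `lut_type` is shifted by `ICE_AQ_VSI_Q_OPT_RSS_LUT_S` and then masked, while `hash_type` is only masked. The reason, that the hash define is already in field position, appears only in the commit message, so a later cleanup could restore the shift for symmetry and reintroduce the double shift. A one-line comment above the new line, for example `/* hash_type is already shifted into place by its define; mask only */`, would pin that down until the defines are reworked. The assignment to hash_type is outside the hunk, so this rests on the commit message rather than on visible code.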
@@ -92,3 +92,6 @@ bluetooth-hci_event-ignore-null-link-key.patch
 bluetooth-reject-connection-with-the-device-which-has-same-bd_addr.patch
 bluetooth-fix-a-refcnt-underflow-problem-for-hci_conn.patch
 bluetooth-vhci-fix-race-when-opening-vhci-device.patch
+bluetooth-hci_event-fix-coding-style.patch
+bluetooth-avoid-memcmp-out-of-bounds-warning.patch
+ice-fix-over-shifted-variable.patch