merge origin

3 files changed, 102 insertions, 0 deletions

diff --git a/0001-Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM434.patch b/0001-Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM434.patch
new file mode 100644
index 000000000..b91e6f158
--- /dev/null
+++ b/0001-Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM434.patch
@@ -0,0 +1,45 @@
+From 70ecdd3d8b36cd2bb960bc4e7ae047fbb94c031b Mon Sep 17 00:00:00 2001
+From: "Cho, Yu-Chen" <acho@suse.com>
+Date: Tue, 2 Oct 2018 17:57:04 +0800
+Subject: [PATCH] Bluetooth: btsdio: Do not bind to non-removable BCM43430
+
+BCM43430 devices soldered onto the PCB (non-removable)
+use an UART connection for bluetooth.
+But also advertise btsdio support on their 3th sdio function.
+
+Signed-off-by: Cho, Yu-Chen <acho@suse.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+---
+ drivers/bluetooth/btsdio.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c
+index 20142bc77554..282d1af1d3ba 100644
+--- a/drivers/bluetooth/btsdio.c
++++ b/drivers/bluetooth/btsdio.c
+@@ -293,13 +293,17 @@ static int btsdio_probe(struct sdio_func *func,
+ 		tuple = tuple->next;
+ 	}
+ 
+-	/* BCM43341 devices soldered onto the PCB (non-removable) use an
+-	 * uart connection for bluetooth, ignore the BT SDIO interface.
++	/* Broadcom devices soldered onto the PCB (non-removable) use an
++	 * UART connection for Bluetooth, ignore the BT SDIO interface.
+ 	 */
+ 	if (func->vendor == SDIO_VENDOR_ID_BROADCOM &&
+-	    func->device == SDIO_DEVICE_ID_BROADCOM_43341 &&
+-	    !mmc_card_is_removable(func->card->host))
+-		return -ENODEV;
++	    !mmc_card_is_removable(func->card->host)) {
++		switch (func->device) {
++		case SDIO_DEVICE_ID_BROADCOM_43341:
++		case SDIO_DEVICE_ID_BROADCOM_43430:
++			return -ENODEV;
++		}
++	}
+ 
+ 	data = devm_kzalloc(&func->dev, sizeof(*data), GFP_KERNEL);
+ 	if (!data)
+-- 
+2.20.1
+
diff --git a/CVE-2019-3701.patch b/CVE-2019-3701.patch
new file mode 100644
index 000000000..06ee36a63
--- /dev/null
+++ b/CVE-2019-3701.patch
@@ -0,0 +1,42 @@
+From linux-netdev  Thu Jan 03 12:26:34 2019
+From: Oliver Hartkopp <socketcan () hartkopp ! net>
+Date: Thu, 03 Jan 2019 12:26:34 +0000
+To: linux-netdev
+Subject: [PATCH] can: gw: ensure DLC boundaries after CAN frame modification
+Message-Id: <20190103122634.2530-1-socketcan () hartkopp ! net>
+X-MARC-Message: https://marc.info/?l=linux-netdev&m=154651842302479
+
+The CAN frame modification rules allow bitwise logical operations which can
+be also applied to the can_dlc field. Ensure the manipulation result to
+maintain the can_dlc boundaries so that the CAN drivers do not accidently
+write arbitrary content beyond the data registers in the CAN controllers
+I/O mem when processing can-gw manipulated outgoing frames. When passing these
+frames to user space this issue did not have any effect to the kernel or any
+leaked data as we always strictly copy sizeof(struct can_frame) bytes.
+
+Reported-by: Muyu Yu <ieatmuttonchuan@gmail.com>
+Reported-by: Marcus Meissner <meissner@suse.de>
+Tested-by: Muyu Yu <ieatmuttonchuan@gmail.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
+---
+ net/can/gw.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/can/gw.c b/net/can/gw.c
+index faa3da88a127..9000d9b8a133 100644
+--- a/net/can/gw.c
++++ b/net/can/gw.c
+@@ -418,6 +418,10 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
+ 
+ 	/* check for checksum updates when the CAN frame has been modified */
+ 	if (modidx) {
++		/* ensure DLC boundaries after the different mods */
++		if (cf->can_dlc > 8)
++			cf->can_dlc = 8;
++
+ 		if (gwj->mod.csumfunc.crc8)
+ 			(*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8);
+ 
+-- 
+2.19.2
diff --git a/kernel.spec b/kernel.spec
index bf906be1f..3b41f01d5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -652,6 +652,12 @@ Patch510: iio-accel-kxcjk1013-Add-more-hardware-ids.patch
 # rhbz 1645070 patch queued upstream for merging into 4.21
 Patch516: asus-fx503-keyb.patch
 
+# rhbz 1661961 patch merged upstream in 4.20
+Patch517: 0001-Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM434.patch
+
+# CVE-2019-3701 rhbz 1663729 1663730
+Patch518: CVE-2019-3701.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1916,6 +1922,15 @@ fi
 #
 #
 %changelog
+* Wed Jan 09 2019 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2019-3701 (rhbz 1663729 1663730)
+
+* Mon Jan  7 2019 Hans de Goede <hdegoede@redhat.com>
+- Add patch to fix bluetooth on RPI 3B+ registering twice (rhbz#1661961)
+
+* Sat Dec 29 2018 Jeremy Cline <jcline@redhat.com> - 4.19.13-300
+- Linux v4.19.13
+
 * Thu Dec 27 2018 Hans de Goede <hdegoede@redhat.com>
 - Set CONFIG_REALTEK_PHY=y to workaround realtek ethernet issues (rhbz 1650984)