authorJustin M. Forbes <jforbes@fedoraproject.org>2021-06-16 10:25:05 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2021-06-16 10:25:05 -0500
commitefbcf1daafb6688abc74ddce96c06397d381aacf (patch)
tree285697323ccc122a32763bdf1481afffc22d53b2
parent9e47a9f3e8f3e0057f7f5bcb8f963e94bc28f200 (diff)
kernel-5.12.11-0
* Wed Jun 16 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.11-0] - Bluetooth: btqca: Don't modify firmware contents in-place (Connor Abbott) Resolves: rhbz# Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
-rw-r--r--Patchlist.changelog3
-rwxr-xr-xkernel.spec11
-rw-r--r--patch-5.12-redhat.patch73
-rw-r--r--sources6
4 files changed, 84 insertions, 9 deletions
diff --git a/Patchlist.changelog b/Patchlist.changelog
index cdab61233..beb8d9d69 100644
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@@ -1,3 +1,6 @@
+https://gitlab.com/cki-project/kernel-ark/-/commit/d6845a028944f7b9ee8fe7b5fe0239fa6c363c90
+ d6845a028944f7b9ee8fe7b5fe0239fa6c363c90 Bluetooth: btqca: Don't modify firmware contents in-place
+
https://gitlab.com/cki-project/kernel-ark/-/commit/b2d7ee79e7db6c474f9aa4ff14f53d860f6df8c1
b2d7ee79e7db6c474f9aa4ff14f53d860f6df8c1 Bluetooth: use correct lock to prevent UAF of hdev object
diff --git a/kernel.spec b/kernel.spec
index 8efdc14bd..8e74e9f6b 100755
--- a/kernel.spec
+++ b/kernel.spec
@@ -106,7 +106,7 @@ Summary: The Linux kernel
%define primary_target rhel
%endif
-%define rpmversion 5.12.10
+%define rpmversion 5.12.11
%define stableversion 5.12
%define pkgrelease 300
@@ -623,7 +623,7 @@ BuildRequires: clang
# exact git commit you can run
#
# xzcat -qq ${TARBALL} | git get-tar-commit-id
-Source0: linux-5.12.10.tar.xz
+Source0: linux-5.12.11.tar.xz
Source1: Makefile.rhelver
@@ -1277,8 +1277,8 @@ ApplyOptionalPatch()
fi
}
-%setup -q -n kernel-5.12.10 -c
-mv linux-5.12.10 linux-%{KVERREL}
+%setup -q -n kernel-5.12.11 -c
+mv linux-5.12.11 linux-%{KVERREL}
cd linux-%{KVERREL}
cp -a %{SOURCE1} .
@@ -2792,6 +2792,9 @@ fi
#
#
%changelog
+* Wed Jun 16 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.11-0]
+- Bluetooth: btqca: Don't modify firmware contents in-place (Connor Abbott)
+
* Thu Jun 10 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.10-0]
- Bluetooth: use correct lock to prevent UAF of hdev object (Lin Ma)
- nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect (Krzysztof Kozlowski)
diff --git a/patch-5.12-redhat.patch b/patch-5.12-redhat.patch
index af5ab8ea3..46b8d09e1 100644
--- a/patch-5.12-redhat.patch
+++ b/patch-5.12-redhat.patch
@@ -12,6 +12,7 @@
drivers/acpi/pci_mcfg.c | 7 ++
drivers/acpi/scan.c | 9 ++
drivers/ata/libahci.c | 18 +++
+ drivers/bluetooth/btqca.c | 27 +++--
drivers/char/ipmi/ipmi_dmi.c | 15 +++
drivers/char/ipmi/ipmi_msghandler.c | 16 ++-
drivers/firmware/efi/Makefile | 1 +
@@ -40,7 +41,7 @@
security/lockdown/lockdown.c | 1 +
security/security.c | 6 +
security/selinux/hooks.c | 3 +-
- 42 files changed, 621 insertions(+), 178 deletions(-)
+ 43 files changed, 641 insertions(+), 185 deletions(-)
diff --git a/Documentation/admin-guide/kdump/kdump.rst b/Documentation/admin-guide/kdump/kdump.rst
index 75a9dd98e76e..3ff3291551f9 100644
@@ -65,7 +66,7 @@ index 75a9dd98e76e..3ff3291551f9 100644
Boot into System Kernel
diff --git a/Makefile b/Makefile
-index ebc02c56db03..13bbf56b1bd3 100644
+index 82ca490ce5f4..75fbedcd7e67 100644
--- a/Makefile
+++ b/Makefile
@@ -495,6 +495,7 @@ KBUILD_AFLAGS := -D__ASSEMBLY__ -fno-PIE
@@ -340,6 +341,74 @@ index fec2e9754aed..bea4e2973259 100644
/* wait for engine to stop. This could be as long as 500 msec */
tmp = ata_wait_register(ap, port_mmio + PORT_CMD,
PORT_CMD_LIST_ON, PORT_CMD_LIST_ON, 1, 500);
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index 25114f0d1319..bd71dfc9c974 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -183,7 +183,7 @@ int qca_send_pre_shutdown_cmd(struct hci_dev *hdev)
+ EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd);
+
+ static void qca_tlv_check_data(struct qca_fw_config *config,
+- const struct firmware *fw, enum qca_btsoc_type soc_type)
++ u8 *fw_data, enum qca_btsoc_type soc_type)
+ {
+ const u8 *data;
+ u32 type_len;
+@@ -194,7 +194,7 @@ static void qca_tlv_check_data(struct qca_fw_config *config,
+ struct tlv_type_nvm *tlv_nvm;
+ uint8_t nvm_baud_rate = config->user_baud_rate;
+
+- tlv = (struct tlv_type_hdr *)fw->data;
++ tlv = (struct tlv_type_hdr *)fw_data;
+
+ type_len = le32_to_cpu(tlv->type_len);
+ length = (type_len >> 8) & 0x00ffffff;
+@@ -390,8 +390,9 @@ static int qca_download_firmware(struct hci_dev *hdev,
+ enum qca_btsoc_type soc_type)
+ {
+ const struct firmware *fw;
++ u8 *data;
+ const u8 *segment;
+- int ret, remain, i = 0;
++ int ret, size, remain, i = 0;
+
+ bt_dev_info(hdev, "QCA Downloading %s", config->fwname);
+
+@@ -402,10 +403,22 @@ static int qca_download_firmware(struct hci_dev *hdev,
+ return ret;
+ }
+
+- qca_tlv_check_data(config, fw, soc_type);
++ size = fw->size;
++ data = vmalloc(fw->size);
++ if (!data) {
++ bt_dev_err(hdev, "QCA Failed to allocate memory for file: %s",
++ config->fwname);
++ release_firmware(fw);
++ return -ENOMEM;
++ }
++
++ memcpy(data, fw->data, size);
++ release_firmware(fw);
++
++ qca_tlv_check_data(config, data, soc_type);
+
+- segment = fw->data;
+- remain = fw->size;
++ segment = data;
++ remain = size;
+ while (remain > 0) {
+ int segsize = min(MAX_SIZE_PER_TLV_SEGMENT, remain);
+
+@@ -435,7 +448,7 @@ static int qca_download_firmware(struct hci_dev *hdev,
+ ret = qca_inject_cmd_complete_event(hdev);
+
+ out:
+- release_firmware(fw);
++ vfree(data);
+
+ return ret;
+ }
diff --git a/drivers/char/ipmi/ipmi_dmi.c b/drivers/char/ipmi/ipmi_dmi.c
index bbf7029e224b..cf7faa970dd6 100644
--- a/drivers/char/ipmi/ipmi_dmi.c
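Review bot: In the embedded btqca.c change, `qca_tlv_check_data()` now receives a bare `u8 *fw_data`, so the parser that casts it to `struct tlv_type_hdr` and reads `type_len` can no longer reach the length of the buffer it is walking. The firmware file is external input, and a truncated or malformed blob cannot be rejected there without a size; consider adding a `size_t fw_size` parameter, calling it as `qca_tlv_check_data(config, data, size, soc_type);`, and returning early when `fw_size < sizeof(struct tlv_type_hdr)`. Separately, `size = fw->size;` narrows a `size_t` into `int` before `memcpy(data, fw->data, size)` while `vmalloc()` is given `fw->size`; declaring `size` as `size_t` keeps the allocation and copy lengths the same type. Both function bodies continue outside the quoted inner hunks, so any length checks further down are not visible here.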
diff --git a/sources b/sources
index 5831e42e5..0690ac1df 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-5.12.10.tar.xz) = d5bd7acad98d6c2872b5ed38cd976bd8dcb69613eb3aafb50c3a94f382918772a5506aa4e67bd698d0a1fd464e544409dda6c126a530652a082337cd7959f8d7
-SHA512 (kernel-abi-whitelists-5.12.10-300.tar.bz2) = ceeb600cf28a5cab719be05e4c41a75a655bbc67abbfe42a3e1d0f485f2a64603dc1a94f7df53e184311fd7a5100e6fb12ae9b5815ff3771ec946adb8050584e
-SHA512 (kernel-kabi-dw-5.12.10-300.tar.bz2) = 3177f38d555e65042bf7c4db4c55913beeef1793c21bdf204f26f486d1c5a2603eb2c091179c42f7657b54a9a3944e9410030c13be0b7e1feb16271fca3ea0d4
+SHA512 (linux-5.12.11.tar.xz) = 84dba10c2d555372d043e0cbb9824e39903d9f1ae7494a519a9e465c17111738c7acf9b0344170dc7e830a0a0616c320f3ff1935abf23480209346d02241feb4
+SHA512 (kernel-abi-whitelists-5.12.11-300.tar.bz2) = ec1efedfd22316d56343f06273f86afb110b4cdff0adb6d070f08e07e09766afb18a26d92342e82bf45d13879f4ec0b5d18d6b213330ceabccc621241bf6bb12
+SHA512 (kernel-kabi-dw-5.12.11-300.tar.bz2) = 0d7f9d9ef6d2ed3ea642eca344b69b305e5625c3602b22bf12f1b19716e9ccaa996da082c191bc49b3fc484a5b432c657c4a04236e1b3a6f51770aac6fb357c2