authorThorsten Leemhuis <fedora@leemhuis.info>2021-06-18 10:18:59 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2021-06-18 10:18:59 +0200
commit3408f7aaa6e7fe99d89cc176a84a7dbfed58fd53 (patch)
tree5cdcfb67fa755614fc9678e83650be3ab2b75f5e
parent197d69037c9ec336dce337978efe8ebcdad9118d (diff)
parentb8ba37b6cff60337ebdc446184cc0c4be3bafc92 (diff)
Merge remote-tracking branch 'origin/f33' into f33-user-thl-vanilla-fedora
-rw-r--r--Patchlist.changelog3
-rwxr-xr-xkernel.spec3
-rw-r--r--patch-5.12-redhat.patch73
-rw-r--r--sources6
4 files changed, 80 insertions, 5 deletions
diff --git a/Patchlist.changelog b/Patchlist.changelog
index cdab61233..beb8d9d69 100644
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@@ -1,3 +1,6 @@
+https://gitlab.com/cki-project/kernel-ark/-/commit/d6845a028944f7b9ee8fe7b5fe0239fa6c363c90
+ d6845a028944f7b9ee8fe7b5fe0239fa6c363c90 Bluetooth: btqca: Don't modify firmware contents in-place
+
https://gitlab.com/cki-project/kernel-ark/-/commit/b2d7ee79e7db6c474f9aa4ff14f53d860f6df8c1
b2d7ee79e7db6c474f9aa4ff14f53d860f6df8c1 Bluetooth: use correct lock to prevent UAF of hdev object
diff --git a/kernel.spec b/kernel.spec
index c639a2eda..7189d204c 100755
--- a/kernel.spec
+++ b/kernel.spec
@@ -2797,6 +2797,9 @@ fi
#
#
%changelog
+* Wed Jun 16 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.11-0]
+- Bluetooth: btqca: Don't modify firmware contents in-place (Connor Abbott)
+
* Thu Jun 10 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.10-0]
- Bluetooth: use correct lock to prevent UAF of hdev object (Lin Ma)
- nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect (Krzysztof Kozlowski)
diff --git a/patch-5.12-redhat.patch b/patch-5.12-redhat.patch
index af5ab8ea3..46b8d09e1 100644
--- a/patch-5.12-redhat.patch
+++ b/patch-5.12-redhat.patch
@@ -12,6 +12,7 @@
drivers/acpi/pci_mcfg.c | 7 ++
drivers/acpi/scan.c | 9 ++
drivers/ata/libahci.c | 18 +++
+ drivers/bluetooth/btqca.c | 27 +++--
drivers/char/ipmi/ipmi_dmi.c | 15 +++
drivers/char/ipmi/ipmi_msghandler.c | 16 ++-
drivers/firmware/efi/Makefile | 1 +
@@ -40,7 +41,7 @@
security/lockdown/lockdown.c | 1 +
security/security.c | 6 +
security/selinux/hooks.c | 3 +-
- 42 files changed, 621 insertions(+), 178 deletions(-)
+ 43 files changed, 641 insertions(+), 185 deletions(-)
diff --git a/Documentation/admin-guide/kdump/kdump.rst b/Documentation/admin-guide/kdump/kdump.rst
index 75a9dd98e76e..3ff3291551f9 100644
@@ -65,7 +66,7 @@ index 75a9dd98e76e..3ff3291551f9 100644
Boot into System Kernel
diff --git a/Makefile b/Makefile
-index ebc02c56db03..13bbf56b1bd3 100644
+index 82ca490ce5f4..75fbedcd7e67 100644
--- a/Makefile
+++ b/Makefile
@@ -495,6 +495,7 @@ KBUILD_AFLAGS := -D__ASSEMBLY__ -fno-PIE
@@ -340,6 +341,74 @@ index fec2e9754aed..bea4e2973259 100644
/* wait for engine to stop. This could be as long as 500 msec */
tmp = ata_wait_register(ap, port_mmio + PORT_CMD,
PORT_CMD_LIST_ON, PORT_CMD_LIST_ON, 1, 500);
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index 25114f0d1319..bd71dfc9c974 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -183,7 +183,7 @@ int qca_send_pre_shutdown_cmd(struct hci_dev *hdev)
+ EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd);
+
+ static void qca_tlv_check_data(struct qca_fw_config *config,
+- const struct firmware *fw, enum qca_btsoc_type soc_type)
++ u8 *fw_data, enum qca_btsoc_type soc_type)
+ {
+ const u8 *data;
+ u32 type_len;
+@@ -194,7 +194,7 @@ static void qca_tlv_check_data(struct qca_fw_config *config,
+ struct tlv_type_nvm *tlv_nvm;
+ uint8_t nvm_baud_rate = config->user_baud_rate;
+
+- tlv = (struct tlv_type_hdr *)fw->data;
++ tlv = (struct tlv_type_hdr *)fw_data;
+
+ type_len = le32_to_cpu(tlv->type_len);
+ length = (type_len >> 8) & 0x00ffffff;
+@@ -390,8 +390,9 @@ static int qca_download_firmware(struct hci_dev *hdev,
+ enum qca_btsoc_type soc_type)
+ {
+ const struct firmware *fw;
++ u8 *data;
+ const u8 *segment;
+- int ret, remain, i = 0;
++ int ret, size, remain, i = 0;
+
+ bt_dev_info(hdev, "QCA Downloading %s", config->fwname);
+
+@@ -402,10 +403,22 @@ static int qca_download_firmware(struct hci_dev *hdev,
+ return ret;
+ }
+
+- qca_tlv_check_data(config, fw, soc_type);
++ size = fw->size;
++ data = vmalloc(fw->size);
++ if (!data) {
++ bt_dev_err(hdev, "QCA Failed to allocate memory for file: %s",
++ config->fwname);
++ release_firmware(fw);
++ return -ENOMEM;
++ }
++
++ memcpy(data, fw->data, size);
++ release_firmware(fw);
++
++ qca_tlv_check_data(config, data, soc_type);
+
+- segment = fw->data;
+- remain = fw->size;
++ segment = data;
++ remain = size;
+ while (remain > 0) {
+ int segsize = min(MAX_SIZE_PER_TLV_SEGMENT, remain);
+
+@@ -435,7 +448,7 @@ static int qca_download_firmware(struct hci_dev *hdev,
+ ret = qca_inject_cmd_complete_event(hdev);
+
+ out:
+- release_firmware(fw);
++ vfree(data);
+
+ return ret;
+ }
diff --git a/drivers/char/ipmi/ipmi_dmi.c b/drivers/char/ipmi/ipmi_dmi.c
index bbf7029e224b..cf7faa970dd6 100644
--- a/drivers/char/ipmi/ipmi_dmi.c
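Review bot: `qca_tlv_check_data()` now takes a bare `u8 *fw_data` with no length, so the cast to `struct tlv_type_hdr` and the `length` derived from `tlv->type_len` cannot be checked against the size of the `vmalloc()`'d copy. A firmware file is external input, and a truncated or malformed one could be parsed past the end of that buffer. The parser body continues outside the hunk, so whether later code bounds its walks is not visible here. I would pass the size along, `u8 *fw_data, size_t fw_size, enum qca_btsoc_type soc_type`, and open the function with `if (fw_size < sizeof(*tlv)) return;`. In `qca_download_firmware()` the new `size` is an `int` while `fw->size` is a `size_t`: the allocation uses `fw->size` but `memcpy()` uses the narrowed `size`, so both should use one `size_t` value.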
diff --git a/sources b/sources
index 7219baa80..15f43c801 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-5.12.10.tar.xz) = d5bd7acad98d6c2872b5ed38cd976bd8dcb69613eb3aafb50c3a94f382918772a5506aa4e67bd698d0a1fd464e544409dda6c126a530652a082337cd7959f8d7
-SHA512 (kernel-abi-whitelists-5.12.10-200.tar.bz2) = 279faf9ef19310907684bea80daaee57c8239e04167f0d9f93993d751d33999742a6c4100d6e41b63e82bc2f7318658e776ba65e57e559300216b85bee4aefb7
-SHA512 (kernel-kabi-dw-5.12.10-200.tar.bz2) = 3177f38d555e65042bf7c4db4c55913beeef1793c21bdf204f26f486d1c5a2603eb2c091179c42f7657b54a9a3944e9410030c13be0b7e1feb16271fca3ea0d4
+SHA512 (linux-5.12.11.tar.xz) = 84dba10c2d555372d043e0cbb9824e39903d9f1ae7494a519a9e465c17111738c7acf9b0344170dc7e830a0a0616c320f3ff1935abf23480209346d02241feb4
+SHA512 (kernel-abi-whitelists-5.12.11-200.tar.bz2) = 55a040fcbcfcbef51ff6ed517a3f56b434ebaf17f443da4540a03a16abbab665d3a8ff73238c7eb6c62daac46cc6ac7d6dc2721aab823c5b0c95f62bba44f559
+SHA512 (kernel-kabi-dw-5.12.11-200.tar.bz2) = 0d7f9d9ef6d2ed3ea642eca344b69b305e5625c3602b22bf12f1b19716e9ccaa996da082c191bc49b3fc484a5b432c657c4a04236e1b3a6f51770aac6fb357c2