diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2021-06-18 10:18:56 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2021-06-18 10:18:56 +0200 |
commit | 4566382c744ff4b18d2f68ab02f129d13e58892c (patch) | |
tree | 5958075ba57729fc5ff503a8d98e7300cef433d4 | |
parent | e4ed70aafe992540c2a53d0390452a18eb69109e (diff) | |
parent | efbcf1daafb6688abc74ddce96c06397d381aacf (diff) | |
download | kernel-4566382c744ff4b18d2f68ab02f129d13e58892c.tar.gz kernel-4566382c744ff4b18d2f68ab02f129d13e58892c.tar.xz kernel-4566382c744ff4b18d2f68ab02f129d13e58892c.zip |
Merge remote-tracking branch 'origin/f34' into f34-user-thl-vanilla-fedora
-rw-r--r-- | Patchlist.changelog | 3 | ||||
-rwxr-xr-x | kernel.spec | 3 | ||||
-rw-r--r-- | patch-5.12-redhat.patch | 73 | ||||
-rw-r--r-- | sources | 6 |
4 files changed, 80 insertions, 5 deletions
diff --git a/Patchlist.changelog b/Patchlist.changelog index cdab61233..beb8d9d69 100644 --- a/Patchlist.changelog +++ b/Patchlist.changelog @@ -1,3 +1,6 @@ +https://gitlab.com/cki-project/kernel-ark/-/commit/d6845a028944f7b9ee8fe7b5fe0239fa6c363c90 + d6845a028944f7b9ee8fe7b5fe0239fa6c363c90 Bluetooth: btqca: Don't modify firmware contents in-place + https://gitlab.com/cki-project/kernel-ark/-/commit/b2d7ee79e7db6c474f9aa4ff14f53d860f6df8c1 b2d7ee79e7db6c474f9aa4ff14f53d860f6df8c1 Bluetooth: use correct lock to prevent UAF of hdev object diff --git a/kernel.spec b/kernel.spec index acf3d87db..881d19043 100755 --- a/kernel.spec +++ b/kernel.spec @@ -2797,6 +2797,9 @@ fi # # %changelog +* Wed Jun 16 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.11-0] +- Bluetooth: btqca: Don't modify firmware contents in-place (Connor Abbott) + * Thu Jun 10 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.10-0] - Bluetooth: use correct lock to prevent UAF of hdev object (Lin Ma) - nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect (Krzysztof Kozlowski) diff --git a/patch-5.12-redhat.patch b/patch-5.12-redhat.patch index af5ab8ea3..46b8d09e1 100644 --- a/patch-5.12-redhat.patch +++ b/patch-5.12-redhat.patch @@ -12,6 +12,7 @@ drivers/acpi/pci_mcfg.c | 7 ++ drivers/acpi/scan.c | 9 ++ drivers/ata/libahci.c | 18 +++ + drivers/bluetooth/btqca.c | 27 +++-- drivers/char/ipmi/ipmi_dmi.c | 15 +++ drivers/char/ipmi/ipmi_msghandler.c | 16 ++- drivers/firmware/efi/Makefile | 1 + @@ -40,7 +41,7 @@ security/lockdown/lockdown.c | 1 + security/security.c | 6 + security/selinux/hooks.c | 3 +- - 42 files changed, 621 insertions(+), 178 deletions(-) + 43 files changed, 641 insertions(+), 185 deletions(-) diff --git a/Documentation/admin-guide/kdump/kdump.rst b/Documentation/admin-guide/kdump/kdump.rst index 75a9dd98e76e..3ff3291551f9 100644 @@ -65,7 +66,7 @@ index 75a9dd98e76e..3ff3291551f9 100644 Boot into System Kernel diff --git a/Makefile b/Makefile -index ebc02c56db03..13bbf56b1bd3 100644 +index 82ca490ce5f4..75fbedcd7e67 100644 --- a/Makefile +++ b/Makefile @@ -495,6 +495,7 @@ KBUILD_AFLAGS := -D__ASSEMBLY__ -fno-PIE @@ -340,6 +341,74 @@ index fec2e9754aed..bea4e2973259 100644 /* wait for engine to stop. This could be as long as 500 msec */ tmp = ata_wait_register(ap, port_mmio + PORT_CMD, PORT_CMD_LIST_ON, PORT_CMD_LIST_ON, 1, 500); +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index 25114f0d1319..bd71dfc9c974 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -183,7 +183,7 @@ int qca_send_pre_shutdown_cmd(struct hci_dev *hdev) + EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd); + + static void qca_tlv_check_data(struct qca_fw_config *config, +- const struct firmware *fw, enum qca_btsoc_type soc_type) ++ u8 *fw_data, enum qca_btsoc_type soc_type) + { + const u8 *data; + u32 type_len; +@@ -194,7 +194,7 @@ static void qca_tlv_check_data(struct qca_fw_config *config, + struct tlv_type_nvm *tlv_nvm; + uint8_t nvm_baud_rate = config->user_baud_rate; + +- tlv = (struct tlv_type_hdr *)fw->data; ++ tlv = (struct tlv_type_hdr *)fw_data; + + type_len = le32_to_cpu(tlv->type_len); + length = (type_len >> 8) & 0x00ffffff; +@@ -390,8 +390,9 @@ static int qca_download_firmware(struct hci_dev *hdev, + enum qca_btsoc_type soc_type) + { + const struct firmware *fw; ++ u8 *data; + const u8 *segment; +- int ret, remain, i = 0; ++ int ret, size, remain, i = 0; + + bt_dev_info(hdev, "QCA Downloading %s", config->fwname); + +@@ -402,10 +403,22 @@ static int qca_download_firmware(struct hci_dev *hdev, + return ret; + } + +- qca_tlv_check_data(config, fw, soc_type); ++ size = fw->size; ++ data = vmalloc(fw->size); ++ if (!data) { ++ bt_dev_err(hdev, "QCA Failed to allocate memory for file: %s", ++ config->fwname); ++ release_firmware(fw); ++ return -ENOMEM; ++ } ++ ++ memcpy(data, fw->data, size); ++ release_firmware(fw); ++ ++ qca_tlv_check_data(config, data, soc_type); + +- segment = fw->data; +- remain = fw->size; ++ segment = data; ++ remain = size; + while (remain > 0) { + int segsize = min(MAX_SIZE_PER_TLV_SEGMENT, remain); + +@@ -435,7 +448,7 @@ static int qca_download_firmware(struct hci_dev *hdev, + ret = qca_inject_cmd_complete_event(hdev); + + out: +- release_firmware(fw); ++ vfree(data); + + return ret; + } diff --git a/drivers/char/ipmi/ipmi_dmi.c b/drivers/char/ipmi/ipmi_dmi.c index bbf7029e224b..cf7faa970dd6 100644 --- a/drivers/char/ipmi/ipmi_dmi.c @@ -1,3 +1,3 @@ -SHA512 (linux-5.12.10.tar.xz) = d5bd7acad98d6c2872b5ed38cd976bd8dcb69613eb3aafb50c3a94f382918772a5506aa4e67bd698d0a1fd464e544409dda6c126a530652a082337cd7959f8d7 -SHA512 (kernel-abi-whitelists-5.12.10-300.tar.bz2) = ceeb600cf28a5cab719be05e4c41a75a655bbc67abbfe42a3e1d0f485f2a64603dc1a94f7df53e184311fd7a5100e6fb12ae9b5815ff3771ec946adb8050584e -SHA512 (kernel-kabi-dw-5.12.10-300.tar.bz2) = 3177f38d555e65042bf7c4db4c55913beeef1793c21bdf204f26f486d1c5a2603eb2c091179c42f7657b54a9a3944e9410030c13be0b7e1feb16271fca3ea0d4 +SHA512 (linux-5.12.11.tar.xz) = 84dba10c2d555372d043e0cbb9824e39903d9f1ae7494a519a9e465c17111738c7acf9b0344170dc7e830a0a0616c320f3ff1935abf23480209346d02241feb4 +SHA512 (kernel-abi-whitelists-5.12.11-300.tar.bz2) = ec1efedfd22316d56343f06273f86afb110b4cdff0adb6d070f08e07e09766afb18a26d92342e82bf45d13879f4ec0b5d18d6b213330ceabccc621241bf6bb12 +SHA512 (kernel-kabi-dw-5.12.11-300.tar.bz2) = 0d7f9d9ef6d2ed3ea642eca344b69b305e5625c3602b22bf12f1b19716e9ccaa996da082c191bc49b3fc484a5b432c657c4a04236e1b3a6f51770aac6fb357c2 |