From efbcf1daafb6688abc74ddce96c06397d381aacf Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 16 Jun 2021 10:25:05 -0500 Subject: kernel-5.12.11-0 * Wed Jun 16 2021 Justin M. Forbes [5.12.11-0] - Bluetooth: btqca: Don't modify firmware contents in-place (Connor Abbott) Resolves: rhbz# Signed-off-by: Justin M. Forbes --- Patchlist.changelog | 3 ++ kernel.spec | 11 +++++--- patch-5.12-redhat.patch | 73 +++++++++++++++++++++++++++++++++++++++++++++++-- sources | 6 ++-- 4 files changed, 84 insertions(+), 9 deletions(-) diff --git a/Patchlist.changelog b/Patchlist.changelog index cdab61233..beb8d9d69 100644 --- a/Patchlist.changelog +++ b/Patchlist.changelog @@ -1,3 +1,6 @@ +https://gitlab.com/cki-project/kernel-ark/-/commit/d6845a028944f7b9ee8fe7b5fe0239fa6c363c90 + d6845a028944f7b9ee8fe7b5fe0239fa6c363c90 Bluetooth: btqca: Don't modify firmware contents in-place + https://gitlab.com/cki-project/kernel-ark/-/commit/b2d7ee79e7db6c474f9aa4ff14f53d860f6df8c1 b2d7ee79e7db6c474f9aa4ff14f53d860f6df8c1 Bluetooth: use correct lock to prevent UAF of hdev object diff --git a/kernel.spec b/kernel.spec index 8efdc14bd..8e74e9f6b 100755 --- a/kernel.spec +++ b/kernel.spec @@ -106,7 +106,7 @@ Summary: The Linux kernel %define primary_target rhel %endif -%define rpmversion 5.12.10 +%define rpmversion 5.12.11 %define stableversion 5.12 %define pkgrelease 300 @@ -623,7 +623,7 @@ BuildRequires: clang # exact git commit you can run # # xzcat -qq ${TARBALL} | git get-tar-commit-id -Source0: linux-5.12.10.tar.xz +Source0: linux-5.12.11.tar.xz Source1: Makefile.rhelver @@ -1277,8 +1277,8 @@ ApplyOptionalPatch() fi } -%setup -q -n kernel-5.12.10 -c -mv linux-5.12.10 linux-%{KVERREL} +%setup -q -n kernel-5.12.11 -c +mv linux-5.12.11 linux-%{KVERREL} cd linux-%{KVERREL} cp -a %{SOURCE1} . 
@@ -2792,6 +2792,9 @@ fi # # %changelog +* Wed Jun 16 2021 Justin M. Forbes [5.12.11-0] +- Bluetooth: btqca: Don't modify firmware contents in-place (Connor Abbott) + * Thu Jun 10 2021 Justin M. Forbes [5.12.10-0] - Bluetooth: use correct lock to prevent UAF of hdev object (Lin Ma) - nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect (Krzysztof Kozlowski) diff --git a/patch-5.12-redhat.patch b/patch-5.12-redhat.patch index af5ab8ea3..46b8d09e1 100644 --- a/patch-5.12-redhat.patch +++ b/patch-5.12-redhat.patch @@ -12,6 +12,7 @@ drivers/acpi/pci_mcfg.c | 7 ++ drivers/acpi/scan.c | 9 ++ drivers/ata/libahci.c | 18 +++ + drivers/bluetooth/btqca.c | 27 +++-- drivers/char/ipmi/ipmi_dmi.c | 15 +++ drivers/char/ipmi/ipmi_msghandler.c | 16 ++- drivers/firmware/efi/Makefile | 1 + @@ -40,7 +41,7 @@ security/lockdown/lockdown.c | 1 + security/security.c | 6 + security/selinux/hooks.c | 3 +- - 42 files changed, 621 insertions(+), 178 deletions(-) + 43 files changed, 641 insertions(+), 185 deletions(-) diff --git a/Documentation/admin-guide/kdump/kdump.rst b/Documentation/admin-guide/kdump/kdump.rst index 75a9dd98e76e..3ff3291551f9 100644 @@ -65,7 +66,7 @@ index 75a9dd98e76e..3ff3291551f9 100644 Boot into System Kernel diff --git a/Makefile b/Makefile -index ebc02c56db03..13bbf56b1bd3 100644 +index 82ca490ce5f4..75fbedcd7e67 100644 --- a/Makefile +++ b/Makefile @@ -495,6 +495,7 @@ KBUILD_AFLAGS := -D__ASSEMBLY__ -fno-PIE 
@@ -340,6 +341,74 @@ index fec2e9754aed..bea4e2973259 100644 /* wait for engine to stop. This could be as long as 500 msec */ tmp = ata_wait_register(ap, port_mmio + PORT_CMD, PORT_CMD_LIST_ON, PORT_CMD_LIST_ON, 1, 500); +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index 25114f0d1319..bd71dfc9c974 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -183,7 +183,7 @@ int qca_send_pre_shutdown_cmd(struct hci_dev *hdev) + EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd); + + static void qca_tlv_check_data(struct qca_fw_config *config, +- const struct firmware *fw, enum qca_btsoc_type soc_type) ++ u8 *fw_data, enum qca_btsoc_type soc_type) + { + const u8 *data; + u32 type_len; +@@ -194,7 +194,7 @@ static void qca_tlv_check_data(struct qca_fw_config *config, + struct tlv_type_nvm *tlv_nvm; + uint8_t nvm_baud_rate = config->user_baud_rate; + +- tlv = (struct tlv_type_hdr *)fw->data; ++ tlv = (struct tlv_type_hdr *)fw_data; + + type_len = le32_to_cpu(tlv->type_len); + length = (type_len >> 8) & 0x00ffffff; +@@ -390,8 +390,9 @@ static int qca_download_firmware(struct hci_dev *hdev, + enum qca_btsoc_type soc_type) + { + const struct firmware *fw; ++ u8 *data; + const u8 *segment; +- int ret, remain, i = 0; ++ int ret, size, remain, i = 0; + + bt_dev_info(hdev, "QCA Downloading %s", config->fwname); + +@@ -402,10 +403,22 @@ static int qca_download_firmware(struct hci_dev *hdev, + return ret; + } + +- qca_tlv_check_data(config, fw, soc_type); ++ size = fw->size; ++ data = vmalloc(fw->size); ++ if (!data) { ++ bt_dev_err(hdev, "QCA Failed to allocate memory for file: %s", ++ config->fwname); ++ release_firmware(fw); ++ return -ENOMEM; ++ } ++ ++ memcpy(data, fw->data, size); ++ release_firmware(fw); ++ ++ qca_tlv_check_data(config, data, soc_type); + +- segment = fw->data; +- remain = fw->size; ++ segment = data; ++ remain = size; + while (remain > 0) { + int segsize = min(MAX_SIZE_PER_TLV_SEGMENT, remain); + +@@ -435,7 +448,7 @@ 
static int qca_download_firmware(struct hci_dev *hdev, + ret = qca_inject_cmd_complete_event(hdev); + + out: +- release_firmware(fw); ++ vfree(data); + + return ret; + } diff --git a/drivers/char/ipmi/ipmi_dmi.c b/drivers/char/ipmi/ipmi_dmi.c index bbf7029e224b..cf7faa970dd6 100644 --- a/drivers/char/ipmi/ipmi_dmi.c diff --git a/sources b/sources index 5831e42e5..0690ac1df 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (linux-5.12.10.tar.xz) = d5bd7acad98d6c2872b5ed38cd976bd8dcb69613eb3aafb50c3a94f382918772a5506aa4e67bd698d0a1fd464e544409dda6c126a530652a082337cd7959f8d7 -SHA512 (kernel-abi-whitelists-5.12.10-300.tar.bz2) = ceeb600cf28a5cab719be05e4c41a75a655bbc67abbfe42a3e1d0f485f2a64603dc1a94f7df53e184311fd7a5100e6fb12ae9b5815ff3771ec946adb8050584e -SHA512 (kernel-kabi-dw-5.12.10-300.tar.bz2) = 3177f38d555e65042bf7c4db4c55913beeef1793c21bdf204f26f486d1c5a2603eb2c091179c42f7657b54a9a3944e9410030c13be0b7e1feb16271fca3ea0d4 +SHA512 (linux-5.12.11.tar.xz) = 84dba10c2d555372d043e0cbb9824e39903d9f1ae7494a519a9e465c17111738c7acf9b0344170dc7e830a0a0616c320f3ff1935abf23480209346d02241feb4 +SHA512 (kernel-abi-whitelists-5.12.11-300.tar.bz2) = ec1efedfd22316d56343f06273f86afb110b4cdff0adb6d070f08e07e09766afb18a26d92342e82bf45d13879f4ec0b5d18d6b213330ceabccc621241bf6bb12 +SHA512 (kernel-kabi-dw-5.12.11-300.tar.bz2) = 0d7f9d9ef6d2ed3ea642eca344b69b305e5625c3602b22bf12f1b19716e9ccaa996da082c191bc49b3fc484a5b432c657c4a04236e1b3a6f51770aac6fb357c2 -- cgit
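Review bot: `qca_tlv_check_data()` has no buffer length to validate against once its parameter becomes a bare `u8 *fw_data`, and the visible lines cast it to `struct tlv_type_hdr *` and read `type_len` without checking that the firmware file is at least that large. A truncated or malformed file would then be parsed, and presumably patched now that the copy is writable, beyond the end of the vmalloc'd buffer. Pass the size along, e.g. `u8 *fw_data, size_t fw_size, enum qca_btsoc_type soc_type`, and bail out before the cast with `if (fw_size < sizeof(struct tlv_type_hdr)) return;`. The rest of the parser lies outside the hunk and would need the same bound applied to `length` and the per-entry fields. Separately, `qca_download_firmware()` allocates with `fw->size` (a `size_t`) but copies with the `int size`; using `memcpy(data, fw->data, fw->size)` or a single `size_t` keeps the allocation and copy lengths from diverging.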