-rw-r--r-- | SOURCES/Patchlist.changelog | 3 | ||||
-rw-r--r-- | SOURCES/patch-5.12-redhat.patch | 73 | ||||
-rwxr-xr-x | SPECS/kernel.spec | 15 |
3 files changed, 83 insertions, 8 deletions
diff --git a/SOURCES/Patchlist.changelog b/SOURCES/Patchlist.changelog index cdab612..beb8d9d 100644 --- a/SOURCES/Patchlist.changelog +++ b/SOURCES/Patchlist.changelog @@ -1,3 +1,6 @@ +https://gitlab.com/cki-project/kernel-ark/-/commit/d6845a028944f7b9ee8fe7b5fe0239fa6c363c90 + d6845a028944f7b9ee8fe7b5fe0239fa6c363c90 Bluetooth: btqca: Don't modify firmware contents in-place + https://gitlab.com/cki-project/kernel-ark/-/commit/b2d7ee79e7db6c474f9aa4ff14f53d860f6df8c1 b2d7ee79e7db6c474f9aa4ff14f53d860f6df8c1 Bluetooth: use correct lock to prevent UAF of hdev object diff --git a/SOURCES/patch-5.12-redhat.patch b/SOURCES/patch-5.12-redhat.patch index af5ab8e..46b8d09 100644 --- a/SOURCES/patch-5.12-redhat.patch +++ b/SOURCES/patch-5.12-redhat.patch @@ -12,6 +12,7 @@ drivers/acpi/pci_mcfg.c | 7 ++ drivers/acpi/scan.c | 9 ++ drivers/ata/libahci.c | 18 +++ + drivers/bluetooth/btqca.c | 27 +++-- drivers/char/ipmi/ipmi_dmi.c | 15 +++ drivers/char/ipmi/ipmi_msghandler.c | 16 ++- drivers/firmware/efi/Makefile | 1 + @@ -40,7 +41,7 @@ security/lockdown/lockdown.c | 1 + security/security.c | 6 + security/selinux/hooks.c | 3 +- - 42 files changed, 621 insertions(+), 178 deletions(-) + 43 files changed, 641 insertions(+), 185 deletions(-) diff --git a/Documentation/admin-guide/kdump/kdump.rst b/Documentation/admin-guide/kdump/kdump.rst index 75a9dd98e76e..3ff3291551f9 100644 @@ -65,7 +66,7 @@ index 75a9dd98e76e..3ff3291551f9 100644 Boot into System Kernel diff --git a/Makefile b/Makefile -index ebc02c56db03..13bbf56b1bd3 100644 +index 82ca490ce5f4..75fbedcd7e67 100644 --- a/Makefile +++ b/Makefile @@ -495,6 +495,7 @@ KBUILD_AFLAGS := -D__ASSEMBLY__ -fno-PIE 
@@ -340,6 +341,74 @@ index fec2e9754aed..bea4e2973259 100644 /* wait for engine to stop. This could be as long as 500 msec */ tmp = ata_wait_register(ap, port_mmio + PORT_CMD, PORT_CMD_LIST_ON, PORT_CMD_LIST_ON, 1, 500); +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index 25114f0d1319..bd71dfc9c974 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -183,7 +183,7 @@ int qca_send_pre_shutdown_cmd(struct hci_dev *hdev) + EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd); + + static void qca_tlv_check_data(struct qca_fw_config *config, +- const struct firmware *fw, enum qca_btsoc_type soc_type) ++ u8 *fw_data, enum qca_btsoc_type soc_type) + { + const u8 *data; + u32 type_len; +@@ -194,7 +194,7 @@ static void qca_tlv_check_data(struct qca_fw_config *config, + struct tlv_type_nvm *tlv_nvm; + uint8_t nvm_baud_rate = config->user_baud_rate; + +- tlv = (struct tlv_type_hdr *)fw->data; ++ tlv = (struct tlv_type_hdr *)fw_data; + + type_len = le32_to_cpu(tlv->type_len); + length = (type_len >> 8) & 0x00ffffff; +@@ -390,8 +390,9 @@ static int qca_download_firmware(struct hci_dev *hdev, + enum qca_btsoc_type soc_type) + { + const struct firmware *fw; ++ u8 *data; + const u8 *segment; +- int ret, remain, i = 0; ++ int ret, size, remain, i = 0; + + bt_dev_info(hdev, "QCA Downloading %s", config->fwname); + +@@ -402,10 +403,22 @@ static int qca_download_firmware(struct hci_dev *hdev, + return ret; + } + +- qca_tlv_check_data(config, fw, soc_type); ++ size = fw->size; ++ data = vmalloc(fw->size); ++ if (!data) { ++ bt_dev_err(hdev, "QCA Failed to allocate memory for file: %s", ++ config->fwname); ++ release_firmware(fw); ++ return -ENOMEM; ++ } ++ ++ memcpy(data, fw->data, size); ++ release_firmware(fw); ++ ++ qca_tlv_check_data(config, data, soc_type); + +- segment = fw->data; +- remain = fw->size; ++ segment = data; ++ remain = size; + while (remain > 0) { + int segsize = min(MAX_SIZE_PER_TLV_SEGMENT, remain); + +@@ -435,7 +448,7 @@ 
static int qca_download_firmware(struct hci_dev *hdev, + ret = qca_inject_cmd_complete_event(hdev); + + out: +- release_firmware(fw); ++ vfree(data); + + return ret; + } diff --git a/drivers/char/ipmi/ipmi_dmi.c b/drivers/char/ipmi/ipmi_dmi.c index bbf7029e224b..cf7faa970dd6 100644 --- a/drivers/char/ipmi/ipmi_dmi.c diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 8194fd1..83411e1 100755 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -106,7 +106,7 @@ Summary: The Linux kernel %define primary_target rhel %endif -%define rpmversion 5.12.10 +%define rpmversion 5.12.11 %define stableversion 5.12 %define pkgrelease 301 @@ -623,7 +623,7 @@ BuildRequires: clang # exact git commit you can run # # xzcat -qq ${TARBALL} | git get-tar-commit-id -Source0: linux-5.12.10.tar.xz +Source0: linux-5.12.11.tar.xz Source1: Makefile.rhelver @@ -1282,8 +1282,8 @@ ApplyOptionalPatch() fi } -%setup -q -n kernel-5.12.10 -c -mv linux-5.12.10 linux-%{KVERREL} +%setup -q -n kernel-5.12.11 -c +mv linux-5.12.11 linux-%{KVERREL} cd linux-%{KVERREL} cp -a %{SOURCE1} . @@ -2802,8 +2802,11 @@ fi # # %changelog -* Fri Jun 11 2021 Jan Drögehoff <sentrycraft123@gmail.com> - 5.12.10-300 -- Linux v5.12.10 futex2 zen openrgb +* Thu Jun 17 2021 Jan Drögehoff <sentrycraft123@gmail.com> - 5.12.11-300 +- Linux v5.12.11 futex2 zen openrgb + +* Wed Jun 16 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.11-0] +- Bluetooth: btqca: Don't modify firmware contents in-place (Connor Abbott) * Thu Jun 10 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.10-0] - Bluetooth: use correct lock to prevent UAF of hdev object (Lin Ma) |
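Review bot: In the embedded btqca.c patch, `qca_tlv_check_data()` now takes a bare `u8 *fw_data` with no length, so the parser has nothing to bound its reads against; the visible lines cast the buffer to `struct tlv_type_hdr` and derive `length` from the file's own `type_len` field. A short or malformed firmware file should be rejected before the header is dereferenced, which passing the copy's size would allow, e.g. `u8 *fw_data, size_t fw_size, enum qca_btsoc_type soc_type` with `if (fw_size < sizeof(*tlv)) return;` ahead of the cast. In `qca_download_firmware()` the new local `size` is an `int` while `fw->size` is a `size_t`, and `vmalloc(fw->size)` and `memcpy(data, fw->data, size)` use two different length expressions; one `size_t` local used for both would keep allocation and copy in agreement. Both function bodies continue outside the hunks shown, so any checks further down are not visible here.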