From afa0d09a4c48a9889a6e05ae2e14b2b7dc04ad00 Mon Sep 17 00:00:00 2001 From: Jan200101 Date: Thu, 17 Jun 2021 20:38:22 +0200 Subject: kernel 5.12.11 --- SOURCES/Patchlist.changelog | 3 ++ SOURCES/patch-5.12-redhat.patch | 73 +++++++++++++++++++++++++++++++++++++++-- 2 files changed, 74 insertions(+), 2 deletions(-) (limited to 'SOURCES') diff --git a/SOURCES/Patchlist.changelog b/SOURCES/Patchlist.changelog index cdab612..beb8d9d 100644 --- a/SOURCES/Patchlist.changelog +++ b/SOURCES/Patchlist.changelog @@ -1,3 +1,6 @@ +https://gitlab.com/cki-project/kernel-ark/-/commit/d6845a028944f7b9ee8fe7b5fe0239fa6c363c90 + d6845a028944f7b9ee8fe7b5fe0239fa6c363c90 Bluetooth: btqca: Don't modify firmware contents in-place + https://gitlab.com/cki-project/kernel-ark/-/commit/b2d7ee79e7db6c474f9aa4ff14f53d860f6df8c1 b2d7ee79e7db6c474f9aa4ff14f53d860f6df8c1 Bluetooth: use correct lock to prevent UAF of hdev object diff --git a/SOURCES/patch-5.12-redhat.patch b/SOURCES/patch-5.12-redhat.patch index af5ab8e..46b8d09 100644 --- a/SOURCES/patch-5.12-redhat.patch +++ b/SOURCES/patch-5.12-redhat.patch @@ -12,6 +12,7 @@ drivers/acpi/pci_mcfg.c | 7 ++ drivers/acpi/scan.c | 9 ++ drivers/ata/libahci.c | 18 +++ + drivers/bluetooth/btqca.c | 27 +++-- drivers/char/ipmi/ipmi_dmi.c | 15 +++ drivers/char/ipmi/ipmi_msghandler.c | 16 ++- drivers/firmware/efi/Makefile | 1 + @@ -40,7 +41,7 @@ security/lockdown/lockdown.c | 1 + security/security.c | 6 + security/selinux/hooks.c | 3 +- - 42 files changed, 621 insertions(+), 178 deletions(-) + 43 files changed, 641 insertions(+), 185 deletions(-) diff --git a/Documentation/admin-guide/kdump/kdump.rst b/Documentation/admin-guide/kdump/kdump.rst index 75a9dd98e76e..3ff3291551f9 100644 @@ -65,7 +66,7 @@ index 75a9dd98e76e..3ff3291551f9 100644 Boot into System Kernel diff --git a/Makefile b/Makefile -index ebc02c56db03..13bbf56b1bd3 100644 +index 82ca490ce5f4..75fbedcd7e67 100644 --- a/Makefile +++ b/Makefile 
@@ -495,6 +495,7 @@ KBUILD_AFLAGS := -D__ASSEMBLY__ -fno-PIE 
@@ -340,6 +341,74 @@ index fec2e9754aed..bea4e2973259 100644 /* wait for engine to stop. This could be as long as 500 msec */ tmp = ata_wait_register(ap, port_mmio + PORT_CMD, PORT_CMD_LIST_ON, PORT_CMD_LIST_ON, 1, 500); +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index 25114f0d1319..bd71dfc9c974 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -183,7 +183,7 @@ int qca_send_pre_shutdown_cmd(struct hci_dev *hdev) + EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd); + + static void qca_tlv_check_data(struct qca_fw_config *config, +- const struct firmware *fw, enum qca_btsoc_type soc_type) ++ u8 *fw_data, enum qca_btsoc_type soc_type) + { + const u8 *data; + u32 type_len; +@@ -194,7 +194,7 @@ static void qca_tlv_check_data(struct qca_fw_config *config, + struct tlv_type_nvm *tlv_nvm; + uint8_t nvm_baud_rate = config->user_baud_rate; + +- tlv = (struct tlv_type_hdr *)fw->data; ++ tlv = (struct tlv_type_hdr *)fw_data; + + type_len = le32_to_cpu(tlv->type_len); + length = (type_len >> 8) & 0x00ffffff; +@@ -390,8 +390,9 @@ static int qca_download_firmware(struct hci_dev *hdev, + enum qca_btsoc_type soc_type) + { + const struct firmware *fw; ++ u8 *data; + const u8 *segment; +- int ret, remain, i = 0; ++ int ret, size, remain, i = 0; + + bt_dev_info(hdev, "QCA Downloading %s", config->fwname); + +@@ -402,10 +403,22 @@ static int qca_download_firmware(struct hci_dev *hdev, + return ret; + } + +- qca_tlv_check_data(config, fw, soc_type); ++ size = fw->size; ++ data = vmalloc(fw->size); ++ if (!data) { ++ bt_dev_err(hdev, "QCA Failed to allocate memory for file: %s", ++ config->fwname); ++ release_firmware(fw); ++ return -ENOMEM; ++ } ++ ++ memcpy(data, fw->data, size); ++ release_firmware(fw); ++ ++ qca_tlv_check_data(config, data, soc_type); + +- segment = fw->data; +- remain = fw->size; ++ segment = data; ++ remain = size; + while (remain > 0) { + int segsize = min(MAX_SIZE_PER_TLV_SEGMENT, remain); + +@@ -435,7 +448,7 @@ 
static int qca_download_firmware(struct hci_dev *hdev, + ret = qca_inject_cmd_complete_event(hdev); + + out: +- release_firmware(fw); ++ vfree(data); + + return ret; + } diff --git a/drivers/char/ipmi/ipmi_dmi.c b/drivers/char/ipmi/ipmi_dmi.c index bbf7029e224b..cf7faa970dd6 100644 --- a/drivers/char/ipmi/ipmi_dmi.c -- cgit v1.2.3
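Review bot: The reworked `qca_tlv_check_data()` takes a bare `u8 *fw_data` with no length, so the `length` it derives from `tlv->type_len` in the firmware file cannot be checked against the size of the copied buffer. Passing the size through, e.g. `qca_tlv_check_data(config, data, size, soc_type);`, and returning early when `size < sizeof(struct tlv_type_hdr)` or when `length` exceeds what remains would keep a truncated or malformed file from driving accesses past the vmalloc'd copy. The rest of that function lies outside the hunk, so it should be confirmed whether later code already bounds these accesses. Separately, `size = fw->size` narrows a `size_t` into an `int` while `vmalloc(fw->size)` uses the full value; rejecting an oversized file before the copy would keep the allocation, the `memcpy` length and `remain` in agreement.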