Annotation of /trunk/kernel-alx-legacy/patches-4.9/0339-4.9.240-all-fixes.patch
Revision 3641 -
Mon Oct 24 14:07:21 2022 UTC (19 months, 3 weeks ago) by niro
File size: 20430 byte(s)
-linux-4.9.240
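diff --git a/Makefile b/Makefile
index 82bb1b27d2f57..a6a9d494dc18f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 VERSION = 4
 PATCHLEVEL = 9
-SUBLEVEL = 239
+SUBLEVEL = 240
 EXTRAVERSION =
 NAME = Roaring Lionus
 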
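diff --git a/drivers/crypto/qat/qat_common/qat_algs.c b/drivers/crypto/qat/qat_common/qat_algs.c
index 20f35df8a01fa..4f4884521a877 100644
--- a/drivers/crypto/qat/qat_common/qat_algs.c
+++ b/drivers/crypto/qat/qat_common/qat_algs.c
@@ -822,6 +822,11 @@ static int qat_alg_aead_dec(struct aead_request *areq)
 struct icp_qat_fw_la_bulk_req *msg;
 int digst_size = crypto_aead_authsize(aead_tfm);
 int ret, ctr = 0;
+ u32 cipher_len;
+
+ cipher_len = areq->cryptlen - digst_size;
+ if (cipher_len % AES_BLOCK_SIZE != 0)
+ return -EINVAL;
 
 ret = qat_alg_sgl_to_bufl(ctx->inst, areq->src, areq->dst, qat_req);
 if (unlikely(ret))
@@ -836,7 +841,7 @@ static int qat_alg_aead_dec(struct aead_request *areq)
 qat_req->req.comn_mid.src_data_addr = qat_req->buf.blp;
 qat_req->req.comn_mid.dest_data_addr = qat_req->buf.bloutp;
 cipher_param = (void *)&qat_req->req.serv_specif_rqpars;
- cipher_param->cipher_length = areq->cryptlen - digst_size;
+ cipher_param->cipher_length = cipher_len;
 cipher_param->cipher_offset = areq->assoclen;
 memcpy(cipher_param->u.cipher_IV_array, areq->iv, AES_BLOCK_SIZE);
 auth_param = (void *)((uint8_t *)cipher_param + sizeof(*cipher_param));
@@ -865,6 +870,9 @@ static int qat_alg_aead_enc(struct aead_request *areq)
 uint8_t *iv = areq->iv;
 int ret, ctr = 0;
 
+ if (areq->cryptlen % AES_BLOCK_SIZE != 0)
+ return -EINVAL;
+
 ret = qat_alg_sgl_to_bufl(ctx->inst, areq->src, areq->dst, qat_req);
 if (unlikely(ret))
 return ret;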
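Review bot: In qat_alg_aead_dec the new `cipher_len = areq->cryptlen - digst_size;` is evaluated in `u32` with no check that `areq->cryptlen` is at least `digst_size`, so a request shorter than the tag wraps to a large value that can still be a multiple of AES_BLOCK_SIZE and pass the new test. Unless the AEAD core in this tree already rejects such requests (not visible here), add a guard before the subtraction, for example `if (areq->cryptlen < digst_size) return -EINVAL;`. Both function bodies continue outside the hunks.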
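diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c
index d8ce7d75ff187..fcbabd2a41144 100644
--- a/drivers/media/usb/usbtv/usbtv-core.c
+++ b/drivers/media/usb/usbtv/usbtv-core.c
@@ -110,7 +110,8 @@ static int usbtv_probe(struct usb_interface *intf,
 
 usbtv_audio_fail:
 /* we must not free at this point */
- usb_get_dev(usbtv->udev);
+ v4l2_device_get(&usbtv->v4l2_dev);
+ /* this will undo the v4l2_device_get() */
 usbtv_video_free(usbtv);
 
 usbtv_video_fail: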
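diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c
index 1800eb3ae0176..cdf86284dd047 100644
--- a/drivers/staging/comedi/drivers/vmk80xx.c
+++ b/drivers/staging/comedi/drivers/vmk80xx.c
@@ -676,6 +676,9 @@ static int vmk80xx_find_usb_endpoints(struct comedi_device *dev)
 if (!devpriv->ep_rx || !devpriv->ep_tx)
 return -ENODEV;
 
+ if (!usb_endpoint_maxp(devpriv->ep_rx) || !usb_endpoint_maxp(devpriv->ep_tx))
+ return -EINVAL;
+
 return 0;
 }
 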
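Review bot: The new zero-wMaxPacketSize test at the end of vmk80xx_find_usb_endpoints has no comment saying why such endpoints are refused, and it returns -EINVAL where the check directly above returns -ENODEV. A one-line comment such as `/* refuse endpoints that report a wMaxPacketSize of 0 */`, plus the reason if later code sizes its transfer buffers from that value (that code is outside this hunk), would make the intent clear to the next reader. The start of the function is outside the hunk.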
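diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
index 838123dc390ca..c9f979063af13 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1032,6 +1032,11 @@ static const struct usb_device_id id_table_combined[] = {
 /* U-Blox devices */
 { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ZED_PID) },
 { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) },
+ /* FreeCalypso USB adapters */
+ { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_BUF_PID),
+ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_UNBUF_PID),
+ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
 { } /* Terminating entry */
 };
 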
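diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
index c33e06752b5f0..f3302516a1e4f 100644
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -38,6 +38,13 @@
 
 #define FTDI_LUMEL_PD12_PID 0x6002
 
+/*
+ * Custom USB adapters made by Falconia Partners LLC
+ * for FreeCalypso project, ID codes allocated to Falconia by FTDI.
+ */
+#define FTDI_FALCONIA_JTAG_BUF_PID 0x7150
+#define FTDI_FALCONIA_JTAG_UNBUF_PID 0x7151
+
 /* Sienna Serial Interface by Secyourit GmbH */
 #define FTDI_SIENNA_PID 0x8348
 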
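diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 8cff50ef4fd14..5017d37afe392 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -529,6 +529,7 @@ static void option_instat_callback(struct urb *urb);
 /* Cellient products */
 #define CELLIENT_VENDOR_ID 0x2692
 #define CELLIENT_PRODUCT_MEN200 0x9005
+#define CELLIENT_PRODUCT_MPL200 0x9025
 
 /* Hyundai Petatel Inc. products */
 #define PETATEL_VENDOR_ID 0x1ff4
@@ -1171,6 +1172,8 @@ static const struct usb_device_id option_ids[] = {
 .driver_info = NCTRL(2) | RSVD(3) },
 { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1053, 0xff), /* Telit FN980 (ECM) */
 .driver_info = NCTRL(0) | RSVD(1) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1054, 0xff), /* Telit FT980-KS */
+ .driver_info = NCTRL(2) | RSVD(3) },
 { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
 .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) },
 { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),
@@ -1967,6 +1970,8 @@ static const struct usb_device_id option_ids[] = {
 { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x02, 0x01) },
 { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x00, 0x00) },
 { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MEN200) },
+ { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MPL200),
+ .driver_info = RSVD(1) | RSVD(4) },
 { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600A) },
 { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600E) },
 { USB_DEVICE_AND_INTERFACE_INFO(TPLINK_VENDOR_ID, TPLINK_PRODUCT_LTE, 0xff, 0x00, 0x00) }, /* TP-Link LTE Module */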
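diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
index 4fcded2971d1d..bf5533d6d83bd 100644
--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -89,6 +89,7 @@ static const struct usb_device_id id_table[] = {
 { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) },
 { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) },
 { USB_DEVICE(HP_VENDOR_ID, HP_LD381_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LD381GC_PRODUCT_ID) },
 { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) },
 { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) },
 { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) },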
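diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h
index 54d2fb974a418..9d27c076f477e 100644
--- a/drivers/usb/serial/pl2303.h
+++ b/drivers/usb/serial/pl2303.h
@@ -125,6 +125,7 @@
 
 /* Hewlett-Packard POS Pole Displays */
 #define HP_VENDOR_ID 0x03f0
+#define HP_LD381GC_PRODUCT_ID 0x0183
 #define HP_LM920_PRODUCT_ID 0x026b
 #define HP_TD620_PRODUCT_ID 0x0956
 #define HP_LD960_PRODUCT_ID 0x0b39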
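diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c
index 9531b6c18ac7b..897154e993800 100644
--- a/fs/reiserfs/inode.c
+++ b/fs/reiserfs/inode.c
@@ -1554,11 +1554,7 @@ void reiserfs_read_locked_inode(struct inode *inode,
 * set version 1, version 2 could be used too, because stat data
 * key is the same in both versions
 */
- key.version = KEY_FORMAT_3_5;
- key.on_disk_key.k_dir_id = dirino;
- key.on_disk_key.k_objectid = inode->i_ino;
- key.on_disk_key.k_offset = 0;
- key.on_disk_key.k_type = 0;
+ _make_cpu_key(&key, KEY_FORMAT_3_5, dirino, inode->i_ino, 0, 0, 3);
 
 /* look for the object's stat data */
 retval = search_item(inode->i_sb, &key, &path_to_sd);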
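Review bot: The last argument `3` in the new `_make_cpu_key(&key, KEY_FORMAT_3_5, dirino, inode->i_ino, 0, 0, 3);` is an unexplained literal. The comment above the call only covers the key version; add a short remark on what the final parameter sets (presumably the key length, which the removed field-by-field assignments never initialised) so the reason for switching to the helper is visible. reiserfs_read_locked_inode starts and ends outside the hunk.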
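diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c
index 07900105523f0..645ee1bbd0255 100644
--- a/fs/reiserfs/xattr.c
+++ b/fs/reiserfs/xattr.c
@@ -664,6 +664,13 @@ reiserfs_xattr_get(struct inode *inode, const char *name, void *buffer,
 if (get_inode_sd_version(inode) == STAT_DATA_V1)
 return -EOPNOTSUPP;
 
+ /*
+ * priv_root needn't be initialized during mount so allow initial
+ * lookups to succeed.
+ */
+ if (!REISERFS_SB(inode->i_sb)->priv_root)
+ return 0;
+
 dentry = xattr_lookup(inode, name, XATTR_REPLACE);
 if (IS_ERR(dentry)) {
 err = PTR_ERR(dentry);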
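Review bot: In reiserfs_xattr_get the new early exit returns `0` when `priv_root` is unset, which a caller may read as a successful lookup of a zero-length value rather than as "attribute not present". If the callers that run during mount can tell the two apart, `return -ENODATA;` would state the absence explicitly; otherwise extend the comment to say that an empty result is the intended answer. The function body starts and ends outside the hunk, so how callers treat a zero return is not visible here.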
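diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 57a7dba49d298..52b5352e8fe08 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -1250,16 +1250,34 @@ static inline void hci_auth_cfm(struct hci_conn *conn, __u8 status)
 conn->security_cfm_cb(conn, status);
 }
 
-static inline void hci_encrypt_cfm(struct hci_conn *conn, __u8 status,
- __u8 encrypt)
+static inline void hci_encrypt_cfm(struct hci_conn *conn, __u8 status)
 {
 struct hci_cb *cb;
+ __u8 encrypt;
+
+ if (conn->state == BT_CONFIG) {
+ if (!status)
+ conn->state = BT_CONNECTED;
 
- if (conn->sec_level == BT_SECURITY_SDP)
- conn->sec_level = BT_SECURITY_LOW;
+ hci_connect_cfm(conn, status);
+ hci_conn_drop(conn);
+ return;
+ }
 
- if (conn->pending_sec_level > conn->sec_level)
- conn->sec_level = conn->pending_sec_level;
+ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ encrypt = 0x00;
+ else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
+ encrypt = 0x02;
+ else
+ encrypt = 0x01;
+
+ if (!status) {
+ if (conn->sec_level == BT_SECURITY_SDP)
+ conn->sec_level = BT_SECURITY_LOW;
+
+ if (conn->pending_sec_level > conn->sec_level)
+ conn->sec_level = conn->pending_sec_level;
+ }
 
 mutex_lock(&hci_cb_list_lock);
 list_for_each_entry(cb, &hci_cb_list, list) {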
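Review bot: hci_encrypt_cfm now has a side effect its name does not suggest: when `conn->state == BT_CONFIG` it calls hci_connect_cfm() and hci_conn_drop() and returns before the callback list is walked. A header comment should state that the function releases a connection reference in that state, so a caller does not drop the same reference a second time. The values `0x00`, `0x01` and `0x02` assigned to `encrypt` would also read better with a comment naming each one (encryption off, on, on with AES-CCM, going by the flag tests). The function continues past the end of the hunk.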
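diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 5ee3c689c8637..9c50d458ee83b 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -619,6 +619,8 @@ struct l2cap_ops {
 struct sk_buff *(*alloc_skb) (struct l2cap_chan *chan,
 unsigned long hdr_len,
 unsigned long len, int nb);
+ int (*filter) (struct l2cap_chan * chan,
+ struct sk_buff *skb);
 };
 
 struct l2cap_conn {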
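Review bot: The new `filter` member is declared with `struct l2cap_chan * chan`, while the neighbouring `alloc_skb` member writes `struct l2cap_chan *chan`; match the existing spacing. The hook also has no comment on its contract: the caller in l2cap_core.c tests it for NULL and drops the frame on a non-zero return, so a line such as `/* optional; non-zero return drops the frame */` above the member would record that. The start of struct l2cap_ops is outside the hunk.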
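diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c
index 5f123c3320a7b..8f918155685db 100644
--- a/net/bluetooth/a2mp.c
+++ b/net/bluetooth/a2mp.c
@@ -233,6 +233,9 @@ static int a2mp_discover_rsp(struct amp_mgr *mgr, struct sk_buff *skb,
 struct a2mp_info_req req;
 
 found = true;
+
+ memset(&req, 0, sizeof(req));
+
 req.id = cl->id;
 a2mp_send(mgr, A2MP_GETINFO_REQ, __next_ident(mgr),
 sizeof(req), &req);
@@ -312,6 +315,8 @@ static int a2mp_getinfo_req(struct amp_mgr *mgr, struct sk_buff *skb,
 if (!hdev || hdev->dev_type != HCI_AMP) {
 struct a2mp_info_rsp rsp;
 
+ memset(&rsp, 0, sizeof(rsp));
+
 rsp.id = req->id;
 rsp.status = A2MP_STATUS_INVALID_CTRL_ID;
 
@@ -355,6 +360,8 @@ static int a2mp_getinfo_rsp(struct amp_mgr *mgr, struct sk_buff *skb,
 if (!ctrl)
 return -ENOMEM;
 
+ memset(&req, 0, sizeof(req));
+
 req.id = rsp->id;
 a2mp_send(mgr, A2MP_GETAMPASSOC_REQ, __next_ident(mgr), sizeof(req),
 &req);
@@ -383,6 +390,8 @@ static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb,
 struct a2mp_amp_assoc_rsp rsp;
 rsp.id = req->id;
 
+ memset(&rsp, 0, sizeof(rsp));
+
 if (tmp) {
 rsp.status = A2MP_STATUS_COLLISION_OCCURED;
 amp_mgr_put(tmp);
@@ -471,7 +480,6 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
 struct a2mp_cmd *hdr)
 {
 struct a2mp_physlink_req *req = (void *) skb->data;
-
 struct a2mp_physlink_rsp rsp;
 struct hci_dev *hdev;
 struct hci_conn *hcon;
@@ -482,6 +490,8 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
 
 BT_DBG("local_id %d, remote_id %d", req->local_id, req->remote_id);
 
+ memset(&rsp, 0, sizeof(rsp));
+
 rsp.local_id = req->remote_id;
 rsp.remote_id = req->local_id;
 
@@ -560,6 +570,8 @@ static int a2mp_discphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
 
 BT_DBG("local_id %d remote_id %d", req->local_id, req->remote_id);
 
+ memset(&rsp, 0, sizeof(rsp));
+
 rsp.local_id = req->remote_id;
 rsp.remote_id = req->local_id;
 rsp.status = A2MP_STATUS_SUCCESS;
@@ -682,6 +694,8 @@ static int a2mp_chan_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
 if (err) {
 struct a2mp_cmd_rej rej;
 
+ memset(&rej, 0, sizeof(rej));
+
 rej.reason = cpu_to_le16(0);
 hdr = (void *) skb->data;
 
@@ -905,6 +919,8 @@ void a2mp_send_getinfo_rsp(struct hci_dev *hdev)
 
 BT_DBG("%s mgr %p", hdev->name, mgr);
 
+ memset(&rsp, 0, sizeof(rsp));
+
 rsp.id = hdev->id;
 rsp.status = A2MP_STATUS_INVALID_CTRL_ID;
 
@@ -1002,6 +1018,8 @@ void a2mp_send_create_phy_link_rsp(struct hci_dev *hdev, u8 status)
 if (!mgr)
 return;
 
+ memset(&rsp, 0, sizeof(rsp));
+
 hs_hcon = hci_conn_hash_lookup_state(hdev, AMP_LINK, BT_CONNECT);
 if (!hs_hcon) {
 rsp.status = A2MP_STATUS_UNABLE_START_LINK_CREATION;
@@ -1034,6 +1052,8 @@ void a2mp_discover_amp(struct l2cap_chan *chan)
 
 mgr->bredr_chan = chan;
 
+ memset(&req, 0, sizeof(req));
+
 req.mtu = cpu_to_le16(L2CAP_A2MP_DEFAULT_MTU);
 req.ext_feat = 0;
 a2mp_send(mgr, A2MP_DISCOVER_REQ, 1, sizeof(req), &req);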
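Review bot: In the a2mp_getampassoc_req hunk the added `memset(&rsp, 0, sizeof(rsp));` sits after the existing `rsp.id = req->id;`, so the id that was just stored is cleared again and, unless it is set once more outside the hunk, the response carries id 0. Every other hunk in this file clears the struct before filling it; do the same here by placing `memset(&rsp, 0, sizeof(rsp));` first and `rsp.id = req->id;` after it. The function body starts and ends outside the hunk.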
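diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 1d085eed72d0c..e3cd81ce2a7bb 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1163,6 +1163,23 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
 return 0;
 }
 
+ /* AES encryption is required for Level 4:
+ *
+ * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C
+ * page 1319:
+ *
+ * 128-bit equivalent strength for link and encryption keys
+ * required using FIPS approved algorithms (E0 not allowed,
+ * SAFER+ not allowed, and P-192 not allowed; encryption key
+ * not shortened)
+ */
+ if (conn->sec_level == BT_SECURITY_FIPS &&
+ !test_bit(HCI_CONN_AES_CCM, &conn->flags)) {
+ bt_dev_err(conn->hdev,
+ "Invalid security: Missing AES-CCM usage");
+ return 0;
+ }
+
 if (hci_conn_ssp_enabled(conn) &&
 !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
 return 0;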
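Review bot: The new BT_SECURITY_FIPS check in hci_conn_check_link_mode logs with `bt_dev_err` on a condition that depends on the link the remote side negotiated, so repeated connections without AES-CCM can fill the kernel log. Consider a rate-limited print here, as the advertising-length check in hci_event.c does with `pr_err_ratelimited`. The comment speaks of "Level 4" while the code tests `BT_SECURITY_FIPS`; naming the constant in the comment would tie the two together. The function starts and ends outside the hunk.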
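diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index d6da119f5082e..1f5c48d1493c9 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1133,6 +1133,9 @@ static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
 {
 struct discovery_state *d = &hdev->discovery;
 
+ if (len > HCI_MAX_AD_LENGTH)
+ return;
+
 bacpy(&d->last_adv_addr, bdaddr);
 d->last_adv_addr_type = bdaddr_type;
 d->last_adv_rssi = rssi;
@@ -2490,7 +2493,7 @@ static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
 &cp);
 } else {
 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
- hci_encrypt_cfm(conn, ev->status, 0x00);
+ hci_encrypt_cfm(conn, ev->status);
 }
 }
 
@@ -2576,22 +2579,7 @@ static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
 conn->enc_key_size = rp->key_size;
 }
 
- if (conn->state == BT_CONFIG) {
- conn->state = BT_CONNECTED;
- hci_connect_cfm(conn, 0);
- hci_conn_drop(conn);
- } else {
- u8 encrypt;
-
- if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
- encrypt = 0x00;
- else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
- encrypt = 0x02;
- else
- encrypt = 0x01;
-
- hci_encrypt_cfm(conn, 0, encrypt);
- }
+ hci_encrypt_cfm(conn, 0);
 
 unlock:
 hci_dev_unlock(hdev);
@@ -2638,27 +2626,23 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
 
 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
 
+ /* Check link security requirements are met */
+ if (!hci_conn_check_link_mode(conn))
+ ev->status = HCI_ERROR_AUTH_FAILURE;
+
 if (ev->status && conn->state == BT_CONNECTED) {
 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
 
+ /* Notify upper layers so they can cleanup before
+ * disconnecting.
+ */
+ hci_encrypt_cfm(conn, ev->status);
 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
 hci_conn_drop(conn);
 goto unlock;
 }
 
- /* In Secure Connections Only mode, do not allow any connections
- * that are not encrypted with AES-CCM using a P-256 authenticated
- * combination key.
- */
- if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
- (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
- conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
- hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
- hci_conn_drop(conn);
- goto unlock;
- }
-
 /* Try reading the encryption key size for encrypted ACL links */
 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
 struct hci_cp_read_enc_key_size cp;
@@ -2688,14 +2672,7 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
 }
 
 notify:
- if (conn->state == BT_CONFIG) {
- if (!ev->status)
- conn->state = BT_CONNECTED;
-
- hci_connect_cfm(conn, ev->status);
- hci_conn_drop(conn);
- } else
- hci_encrypt_cfm(conn, ev->status, ev->encrypt);
+ hci_encrypt_cfm(conn, ev->status);
 
 unlock:
 hci_dev_unlock(hdev);
@@ -4779,6 +4756,11 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
 return;
 }
 
+ if (len > HCI_MAX_AD_LENGTH) {
+ pr_err_ratelimited("legacy adv larger than 31 bytes");
+ return;
+ }
+
 /* Find the end of the data in case the report contains padded zero
 * bytes at the end causing an invalid length value.
 *
@@ -4839,7 +4821,7 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
 */
 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
 direct_addr);
- if (conn && type == LE_ADV_IND) {
+ if (conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) {
 /* Store report for later inclusion by
 * mgmt_device_connected
 */
@@ -4964,10 +4946,14 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
 struct hci_ev_le_advertising_info *ev = ptr;
 s8 rssi;
 
- rssi = ev->data[ev->length];
- process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
- ev->bdaddr_type, NULL, 0, rssi,
- ev->data, ev->length);
+ if (ev->length <= HCI_MAX_AD_LENGTH) {
+ rssi = ev->data[ev->length];
+ process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
+ ev->bdaddr_type, NULL, 0, rssi,
+ ev->data, ev->length);
+ } else {
+ bt_dev_err(hdev, "Dropping invalid advertising data");
+ }
 
 ptr += sizeof(*ev) + ev->length + 1;
 }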
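Review bot: In hci_le_adv_report_evt the new `ev->length <= HCI_MAX_AD_LENGTH` test bounds the length field but not the report against the received packet: within this hunk, `ev->data[ev->length]` and `ptr += sizeof(*ev) + ev->length + 1` are still used without comparing against the end of the skb. A truncated event could then have its RSSI byte read from beyond the received data, so extend the condition, for example `if (ev->length <= HCI_MAX_AD_LENGTH && ev->data + ev->length < skb_tail_pointer(skb)) {`, and leave the loop when a report does not fit. Separately, the message in `pr_err_ratelimited("legacy adv larger than 31 bytes")` has no trailing newline. The loop that contains these lines starts outside the hunk.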
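diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 5e3f5c1ba07d6..b96818cda12da 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6675,9 +6675,10 @@ static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
 goto drop;
 }
 
- if ((chan->mode == L2CAP_MODE_ERTM ||
- chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
- goto drop;
+ if (chan->ops->filter) {
+ if (chan->ops->filter(chan, skb))
+ goto drop;
+ }
 
 if (!control->sframe) {
 int err;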
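diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index bbf08c6092f4a..ab6b1788dbfc3 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1475,6 +1475,19 @@ static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
 sk->sk_state_change(sk);
 }
 
+static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
+{
+ struct sock *sk = chan->data;
+
+ switch (chan->mode) {
+ case L2CAP_MODE_ERTM:
+ case L2CAP_MODE_STREAMING:
+ return sk_filter(sk, skb);
+ }
+
+ return 0;
+}
+
 static const struct l2cap_ops l2cap_chan_ops = {
 .name = "L2CAP Socket Interface",
 .new_connection = l2cap_sock_new_connection_cb,
@@ -1489,6 +1502,7 @@ static const struct l2cap_ops l2cap_chan_ops = {
 .set_shutdown = l2cap_sock_set_shutdown_cb,
 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
 .alloc_skb = l2cap_sock_alloc_skb_cb,
+ .filter = l2cap_sock_filter,
 };
 
 static void l2cap_sock_destruct(struct sock *sk)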
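diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index ba24f613c0fc1..bca1408f815ff 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -635,7 +635,8 @@ static u32 get_supported_settings(struct hci_dev *hdev)
 
 if (lmp_ssp_capable(hdev)) {
 settings |= MGMT_SETTING_SSP;
- settings |= MGMT_SETTING_HS;
+ if (IS_ENABLED(CONFIG_BT_HS))
+ settings |= MGMT_SETTING_HS;
 }
 
 if (lmp_sc_capable(hdev))
@@ -1645,6 +1646,10 @@ static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
 
 BT_DBG("request for %s", hdev->name);
 
+ if (!IS_ENABLED(CONFIG_BT_HS))
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
+ MGMT_STATUS_NOT_SUPPORTED);
+
 status = mgmt_bredr_support(hdev);
 if (status)
 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status);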