Annotation of /trunk/kernel-alx-legacy/patches-4.9/0339-4.9.240-all-fixes.patch
Parent Directory
| 
Revision Log
Revision 3641 -
(hide annotations)
(download)
Mon Oct 24 14:07:21 2022 UTC (19 months, 3 weeks ago) by niro
File size: 20430 byte(s)
Mon Oct 24 14:07:21 2022 UTC (19 months, 3 weeks ago) by niro
File size: 20430 byte(s)
-linux-4.9.240
| 1 | niro | 3641 | diff --git a/Makefile b/Makefile |
| 2 | index 82bb1b27d2f57..a6a9d494dc18f 100644 | ||
| 3 | --- a/Makefile | ||
| 4 | +++ b/Makefile | ||
| 5 | @@ -1,6 +1,6 @@ | ||
| 6 | VERSION = 4 | ||
| 7 | PATCHLEVEL = 9 | ||
| 8 | -SUBLEVEL = 239 | ||
| 9 | +SUBLEVEL = 240 | ||
| 10 | EXTRAVERSION = | ||
| 11 | NAME = Roaring Lionus | ||
| 12 | |||
| 13 | diff --git a/drivers/crypto/qat/qat_common/qat_algs.c b/drivers/crypto/qat/qat_common/qat_algs.c | ||
| 14 | index 20f35df8a01fa..4f4884521a877 100644 | ||
| 15 | --- a/drivers/crypto/qat/qat_common/qat_algs.c | ||
| 16 | +++ b/drivers/crypto/qat/qat_common/qat_algs.c | ||
| 17 | @@ -822,6 +822,11 @@ static int qat_alg_aead_dec(struct aead_request *areq) | ||
| 18 | struct icp_qat_fw_la_bulk_req *msg; | ||
| 19 | int digst_size = crypto_aead_authsize(aead_tfm); | ||
| 20 | int ret, ctr = 0; | ||
| 21 | + u32 cipher_len; | ||
| 22 | + | ||
| 23 | + cipher_len = areq->cryptlen - digst_size; | ||
| 24 | + if (cipher_len % AES_BLOCK_SIZE != 0) | ||
| 25 | + return -EINVAL; | ||
| 26 | |||
| 27 | ret = qat_alg_sgl_to_bufl(ctx->inst, areq->src, areq->dst, qat_req); | ||
| 28 | if (unlikely(ret)) | ||
| 29 | @@ -836,7 +841,7 @@ static int qat_alg_aead_dec(struct aead_request *areq) | ||
| 30 | qat_req->req.comn_mid.src_data_addr = qat_req->buf.blp; | ||
| 31 | qat_req->req.comn_mid.dest_data_addr = qat_req->buf.bloutp; | ||
| 32 | cipher_param = (void *)&qat_req->req.serv_specif_rqpars; | ||
| 33 | - cipher_param->cipher_length = areq->cryptlen - digst_size; | ||
| 34 | + cipher_param->cipher_length = cipher_len; | ||
| 35 | cipher_param->cipher_offset = areq->assoclen; | ||
| 36 | memcpy(cipher_param->u.cipher_IV_array, areq->iv, AES_BLOCK_SIZE); | ||
| 37 | auth_param = (void *)((uint8_t *)cipher_param + sizeof(*cipher_param)); | ||
| 38 | @@ -865,6 +870,9 @@ static int qat_alg_aead_enc(struct aead_request *areq) | ||
| 39 | uint8_t *iv = areq->iv; | ||
| 40 | int ret, ctr = 0; | ||
| 41 | |||
| 42 | + if (areq->cryptlen % AES_BLOCK_SIZE != 0) | ||
| 43 | + return -EINVAL; | ||
| 44 | + | ||
| 45 | ret = qat_alg_sgl_to_bufl(ctx->inst, areq->src, areq->dst, qat_req); | ||
| 46 | if (unlikely(ret)) | ||
| 47 | return ret; | ||
| 48 | diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c | ||
| 49 | index d8ce7d75ff187..fcbabd2a41144 100644 | ||
| 50 | --- a/drivers/media/usb/usbtv/usbtv-core.c | ||
| 51 | +++ b/drivers/media/usb/usbtv/usbtv-core.c | ||
| 52 | @@ -110,7 +110,8 @@ static int usbtv_probe(struct usb_interface *intf, | ||
| 53 | |||
| 54 | usbtv_audio_fail: | ||
| 55 | /* we must not free at this point */ | ||
| 56 | - usb_get_dev(usbtv->udev); | ||
| 57 | + v4l2_device_get(&usbtv->v4l2_dev); | ||
| 58 | + /* this will undo the v4l2_device_get() */ | ||
| 59 | usbtv_video_free(usbtv); | ||
| 60 | |||
| 61 | usbtv_video_fail: | ||
| 62 | diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c | ||
| 63 | index 1800eb3ae0176..cdf86284dd047 100644 | ||
| 64 | --- a/drivers/staging/comedi/drivers/vmk80xx.c | ||
| 65 | +++ b/drivers/staging/comedi/drivers/vmk80xx.c | ||
| 66 | @@ -676,6 +676,9 @@ static int vmk80xx_find_usb_endpoints(struct comedi_device *dev) | ||
| 67 | if (!devpriv->ep_rx || !devpriv->ep_tx) | ||
| 68 | return -ENODEV; | ||
| 69 | |||
| 70 | + if (!usb_endpoint_maxp(devpriv->ep_rx) || !usb_endpoint_maxp(devpriv->ep_tx)) | ||
| 71 | + return -EINVAL; | ||
| 72 | + | ||
| 73 | return 0; | ||
| 74 | } | ||
| 75 | |||
| 76 | diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c | ||
| 77 | index 838123dc390ca..c9f979063af13 100644 | ||
| 78 | --- a/drivers/usb/serial/ftdi_sio.c | ||
| 79 | +++ b/drivers/usb/serial/ftdi_sio.c | ||
| 80 | @@ -1032,6 +1032,11 @@ static const struct usb_device_id id_table_combined[] = { | ||
| 81 | /* U-Blox devices */ | ||
| 82 | { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ZED_PID) }, | ||
| 83 | { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) }, | ||
| 84 | + /* FreeCalypso USB adapters */ | ||
| 85 | + { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_BUF_PID), | ||
| 86 | + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, | ||
| 87 | + { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_UNBUF_PID), | ||
| 88 | + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, | ||
| 89 | { } /* Terminating entry */ | ||
| 90 | }; | ||
| 91 | |||
| 92 | diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h | ||
| 93 | index c33e06752b5f0..f3302516a1e4f 100644 | ||
| 94 | --- a/drivers/usb/serial/ftdi_sio_ids.h | ||
| 95 | +++ b/drivers/usb/serial/ftdi_sio_ids.h | ||
| 96 | @@ -38,6 +38,13 @@ | ||
| 97 | |||
| 98 | #define FTDI_LUMEL_PD12_PID 0x6002 | ||
| 99 | |||
| 100 | +/* | ||
| 101 | + * Custom USB adapters made by Falconia Partners LLC | ||
| 102 | + * for FreeCalypso project, ID codes allocated to Falconia by FTDI. | ||
| 103 | + */ | ||
| 104 | +#define FTDI_FALCONIA_JTAG_BUF_PID 0x7150 | ||
| 105 | +#define FTDI_FALCONIA_JTAG_UNBUF_PID 0x7151 | ||
| 106 | + | ||
| 107 | /* Sienna Serial Interface by Secyourit GmbH */ | ||
| 108 | #define FTDI_SIENNA_PID 0x8348 | ||
| 109 | |||
| 110 | diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c | ||
| 111 | index 8cff50ef4fd14..5017d37afe392 100644 | ||
| 112 | --- a/drivers/usb/serial/option.c | ||
| 113 | +++ b/drivers/usb/serial/option.c | ||
| 114 | @@ -529,6 +529,7 @@ static void option_instat_callback(struct urb *urb); | ||
| 115 | /* Cellient products */ | ||
| 116 | #define CELLIENT_VENDOR_ID 0x2692 | ||
| 117 | #define CELLIENT_PRODUCT_MEN200 0x9005 | ||
| 118 | +#define CELLIENT_PRODUCT_MPL200 0x9025 | ||
| 119 | |||
| 120 | /* Hyundai Petatel Inc. products */ | ||
| 121 | #define PETATEL_VENDOR_ID 0x1ff4 | ||
| 122 | @@ -1171,6 +1172,8 @@ static const struct usb_device_id option_ids[] = { | ||
| 123 | .driver_info = NCTRL(2) | RSVD(3) }, | ||
| 124 | { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1053, 0xff), /* Telit FN980 (ECM) */ | ||
| 125 | .driver_info = NCTRL(0) | RSVD(1) }, | ||
| 126 | + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1054, 0xff), /* Telit FT980-KS */ | ||
| 127 | + .driver_info = NCTRL(2) | RSVD(3) }, | ||
| 128 | { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910), | ||
| 129 | .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) }, | ||
| 130 | { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM), | ||
| 131 | @@ -1967,6 +1970,8 @@ static const struct usb_device_id option_ids[] = { | ||
| 132 | { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x02, 0x01) }, | ||
| 133 | { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x00, 0x00) }, | ||
| 134 | { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MEN200) }, | ||
| 135 | + { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MPL200), | ||
| 136 | + .driver_info = RSVD(1) | RSVD(4) }, | ||
| 137 | { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600A) }, | ||
| 138 | { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600E) }, | ||
| 139 | { USB_DEVICE_AND_INTERFACE_INFO(TPLINK_VENDOR_ID, TPLINK_PRODUCT_LTE, 0xff, 0x00, 0x00) }, /* TP-Link LTE Module */ | ||
| 140 | diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c | ||
| 141 | index 4fcded2971d1d..bf5533d6d83bd 100644 | ||
| 142 | --- a/drivers/usb/serial/pl2303.c | ||
| 143 | +++ b/drivers/usb/serial/pl2303.c | ||
| 144 | @@ -89,6 +89,7 @@ static const struct usb_device_id id_table[] = { | ||
| 145 | { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) }, | ||
| 146 | { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) }, | ||
| 147 | { USB_DEVICE(HP_VENDOR_ID, HP_LD381_PRODUCT_ID) }, | ||
| 148 | + { USB_DEVICE(HP_VENDOR_ID, HP_LD381GC_PRODUCT_ID) }, | ||
| 149 | { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) }, | ||
| 150 | { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) }, | ||
| 151 | { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) }, | ||
| 152 | diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h | ||
| 153 | index 54d2fb974a418..9d27c076f477e 100644 | ||
| 154 | --- a/drivers/usb/serial/pl2303.h | ||
| 155 | +++ b/drivers/usb/serial/pl2303.h | ||
| 156 | @@ -125,6 +125,7 @@ | ||
| 157 | |||
| 158 | /* Hewlett-Packard POS Pole Displays */ | ||
| 159 | #define HP_VENDOR_ID 0x03f0 | ||
| 160 | +#define HP_LD381GC_PRODUCT_ID 0x0183 | ||
| 161 | #define HP_LM920_PRODUCT_ID 0x026b | ||
| 162 | #define HP_TD620_PRODUCT_ID 0x0956 | ||
| 163 | #define HP_LD960_PRODUCT_ID 0x0b39 | ||
| 164 | diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c | ||
| 165 | index 9531b6c18ac7b..897154e993800 100644 | ||
| 166 | --- a/fs/reiserfs/inode.c | ||
| 167 | +++ b/fs/reiserfs/inode.c | ||
| 168 | @@ -1554,11 +1554,7 @@ void reiserfs_read_locked_inode(struct inode *inode, | ||
| 169 | * set version 1, version 2 could be used too, because stat data | ||
| 170 | * key is the same in both versions | ||
| 171 | */ | ||
| 172 | - key.version = KEY_FORMAT_3_5; | ||
| 173 | - key.on_disk_key.k_dir_id = dirino; | ||
| 174 | - key.on_disk_key.k_objectid = inode->i_ino; | ||
| 175 | - key.on_disk_key.k_offset = 0; | ||
| 176 | - key.on_disk_key.k_type = 0; | ||
| 177 | + _make_cpu_key(&key, KEY_FORMAT_3_5, dirino, inode->i_ino, 0, 0, 3); | ||
| 178 | |||
| 179 | /* look for the object's stat data */ | ||
| 180 | retval = search_item(inode->i_sb, &key, &path_to_sd); | ||
| 181 | diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c | ||
| 182 | index 07900105523f0..645ee1bbd0255 100644 | ||
| 183 | --- a/fs/reiserfs/xattr.c | ||
| 184 | +++ b/fs/reiserfs/xattr.c | ||
| 185 | @@ -664,6 +664,13 @@ reiserfs_xattr_get(struct inode *inode, const char *name, void *buffer, | ||
| 186 | if (get_inode_sd_version(inode) == STAT_DATA_V1) | ||
| 187 | return -EOPNOTSUPP; | ||
| 188 | |||
| 189 | + /* | ||
| 190 | + * priv_root needn't be initialized during mount so allow initial | ||
| 191 | + * lookups to succeed. | ||
| 192 | + */ | ||
| 193 | + if (!REISERFS_SB(inode->i_sb)->priv_root) | ||
| 194 | + return 0; | ||
| 195 | + | ||
| 196 | dentry = xattr_lookup(inode, name, XATTR_REPLACE); | ||
| 197 | if (IS_ERR(dentry)) { | ||
| 198 | err = PTR_ERR(dentry); | ||
| 199 | diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h | ||
| 200 | index 57a7dba49d298..52b5352e8fe08 100644 | ||
| 201 | --- a/include/net/bluetooth/hci_core.h | ||
| 202 | +++ b/include/net/bluetooth/hci_core.h | ||
| 203 | @@ -1250,16 +1250,34 @@ static inline void hci_auth_cfm(struct hci_conn *conn, __u8 status) | ||
| 204 | conn->security_cfm_cb(conn, status); | ||
| 205 | } | ||
| 206 | |||
| 207 | -static inline void hci_encrypt_cfm(struct hci_conn *conn, __u8 status, | ||
| 208 | - __u8 encrypt) | ||
| 209 | +static inline void hci_encrypt_cfm(struct hci_conn *conn, __u8 status) | ||
| 210 | { | ||
| 211 | struct hci_cb *cb; | ||
| 212 | + __u8 encrypt; | ||
| 213 | + | ||
| 214 | + if (conn->state == BT_CONFIG) { | ||
| 215 | + if (!status) | ||
| 216 | + conn->state = BT_CONNECTED; | ||
| 217 | |||
| 218 | - if (conn->sec_level == BT_SECURITY_SDP) | ||
| 219 | - conn->sec_level = BT_SECURITY_LOW; | ||
| 220 | + hci_connect_cfm(conn, status); | ||
| 221 | + hci_conn_drop(conn); | ||
| 222 | + return; | ||
| 223 | + } | ||
| 224 | |||
| 225 | - if (conn->pending_sec_level > conn->sec_level) | ||
| 226 | - conn->sec_level = conn->pending_sec_level; | ||
| 227 | + if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags)) | ||
| 228 | + encrypt = 0x00; | ||
| 229 | + else if (test_bit(HCI_CONN_AES_CCM, &conn->flags)) | ||
| 230 | + encrypt = 0x02; | ||
| 231 | + else | ||
| 232 | + encrypt = 0x01; | ||
| 233 | + | ||
| 234 | + if (!status) { | ||
| 235 | + if (conn->sec_level == BT_SECURITY_SDP) | ||
| 236 | + conn->sec_level = BT_SECURITY_LOW; | ||
| 237 | + | ||
| 238 | + if (conn->pending_sec_level > conn->sec_level) | ||
| 239 | + conn->sec_level = conn->pending_sec_level; | ||
| 240 | + } | ||
| 241 | |||
| 242 | mutex_lock(&hci_cb_list_lock); | ||
| 243 | list_for_each_entry(cb, &hci_cb_list, list) { | ||
| 244 | diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h | ||
| 245 | index 5ee3c689c8637..9c50d458ee83b 100644 | ||
| 246 | --- a/include/net/bluetooth/l2cap.h | ||
| 247 | +++ b/include/net/bluetooth/l2cap.h | ||
| 248 | @@ -619,6 +619,8 @@ struct l2cap_ops { | ||
| 249 | struct sk_buff *(*alloc_skb) (struct l2cap_chan *chan, | ||
| 250 | unsigned long hdr_len, | ||
| 251 | unsigned long len, int nb); | ||
| 252 | + int (*filter) (struct l2cap_chan * chan, | ||
| 253 | + struct sk_buff *skb); | ||
| 254 | }; | ||
| 255 | |||
| 256 | struct l2cap_conn { | ||
| 257 | diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c | ||
| 258 | index 5f123c3320a7b..8f918155685db 100644 | ||
| 259 | --- a/net/bluetooth/a2mp.c | ||
| 260 | +++ b/net/bluetooth/a2mp.c | ||
| 261 | @@ -233,6 +233,9 @@ static int a2mp_discover_rsp(struct amp_mgr *mgr, struct sk_buff *skb, | ||
| 262 | struct a2mp_info_req req; | ||
| 263 | |||
| 264 | found = true; | ||
| 265 | + | ||
| 266 | + memset(&req, 0, sizeof(req)); | ||
| 267 | + | ||
| 268 | req.id = cl->id; | ||
| 269 | a2mp_send(mgr, A2MP_GETINFO_REQ, __next_ident(mgr), | ||
| 270 | sizeof(req), &req); | ||
| 271 | @@ -312,6 +315,8 @@ static int a2mp_getinfo_req(struct amp_mgr *mgr, struct sk_buff *skb, | ||
| 272 | if (!hdev || hdev->dev_type != HCI_AMP) { | ||
| 273 | struct a2mp_info_rsp rsp; | ||
| 274 | |||
| 275 | + memset(&rsp, 0, sizeof(rsp)); | ||
| 276 | + | ||
| 277 | rsp.id = req->id; | ||
| 278 | rsp.status = A2MP_STATUS_INVALID_CTRL_ID; | ||
| 279 | |||
| 280 | @@ -355,6 +360,8 @@ static int a2mp_getinfo_rsp(struct amp_mgr *mgr, struct sk_buff *skb, | ||
| 281 | if (!ctrl) | ||
| 282 | return -ENOMEM; | ||
| 283 | |||
| 284 | + memset(&req, 0, sizeof(req)); | ||
| 285 | + | ||
| 286 | req.id = rsp->id; | ||
| 287 | a2mp_send(mgr, A2MP_GETAMPASSOC_REQ, __next_ident(mgr), sizeof(req), | ||
| 288 | &req); | ||
| 289 | @@ -383,6 +390,8 @@ static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb, | ||
| 290 | struct a2mp_amp_assoc_rsp rsp; | ||
| 291 | rsp.id = req->id; | ||
| 292 | |||
| 293 | + memset(&rsp, 0, sizeof(rsp)); | ||
| 294 | + | ||
| 295 | if (tmp) { | ||
| 296 | rsp.status = A2MP_STATUS_COLLISION_OCCURED; | ||
| 297 | amp_mgr_put(tmp); | ||
| 298 | @@ -471,7 +480,6 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, | ||
| 299 | struct a2mp_cmd *hdr) | ||
| 300 | { | ||
| 301 | struct a2mp_physlink_req *req = (void *) skb->data; | ||
| 302 | - | ||
| 303 | struct a2mp_physlink_rsp rsp; | ||
| 304 | struct hci_dev *hdev; | ||
| 305 | struct hci_conn *hcon; | ||
| 306 | @@ -482,6 +490,8 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, | ||
| 307 | |||
| 308 | BT_DBG("local_id %d, remote_id %d", req->local_id, req->remote_id); | ||
| 309 | |||
| 310 | + memset(&rsp, 0, sizeof(rsp)); | ||
| 311 | + | ||
| 312 | rsp.local_id = req->remote_id; | ||
| 313 | rsp.remote_id = req->local_id; | ||
| 314 | |||
| 315 | @@ -560,6 +570,8 @@ static int a2mp_discphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, | ||
| 316 | |||
| 317 | BT_DBG("local_id %d remote_id %d", req->local_id, req->remote_id); | ||
| 318 | |||
| 319 | + memset(&rsp, 0, sizeof(rsp)); | ||
| 320 | + | ||
| 321 | rsp.local_id = req->remote_id; | ||
| 322 | rsp.remote_id = req->local_id; | ||
| 323 | rsp.status = A2MP_STATUS_SUCCESS; | ||
| 324 | @@ -682,6 +694,8 @@ static int a2mp_chan_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) | ||
| 325 | if (err) { | ||
| 326 | struct a2mp_cmd_rej rej; | ||
| 327 | |||
| 328 | + memset(&rej, 0, sizeof(rej)); | ||
| 329 | + | ||
| 330 | rej.reason = cpu_to_le16(0); | ||
| 331 | hdr = (void *) skb->data; | ||
| 332 | |||
| 333 | @@ -905,6 +919,8 @@ void a2mp_send_getinfo_rsp(struct hci_dev *hdev) | ||
| 334 | |||
| 335 | BT_DBG("%s mgr %p", hdev->name, mgr); | ||
| 336 | |||
| 337 | + memset(&rsp, 0, sizeof(rsp)); | ||
| 338 | + | ||
| 339 | rsp.id = hdev->id; | ||
| 340 | rsp.status = A2MP_STATUS_INVALID_CTRL_ID; | ||
| 341 | |||
| 342 | @@ -1002,6 +1018,8 @@ void a2mp_send_create_phy_link_rsp(struct hci_dev *hdev, u8 status) | ||
| 343 | if (!mgr) | ||
| 344 | return; | ||
| 345 | |||
| 346 | + memset(&rsp, 0, sizeof(rsp)); | ||
| 347 | + | ||
| 348 | hs_hcon = hci_conn_hash_lookup_state(hdev, AMP_LINK, BT_CONNECT); | ||
| 349 | if (!hs_hcon) { | ||
| 350 | rsp.status = A2MP_STATUS_UNABLE_START_LINK_CREATION; | ||
| 351 | @@ -1034,6 +1052,8 @@ void a2mp_discover_amp(struct l2cap_chan *chan) | ||
| 352 | |||
| 353 | mgr->bredr_chan = chan; | ||
| 354 | |||
| 355 | + memset(&req, 0, sizeof(req)); | ||
| 356 | + | ||
| 357 | req.mtu = cpu_to_le16(L2CAP_A2MP_DEFAULT_MTU); | ||
| 358 | req.ext_feat = 0; | ||
| 359 | a2mp_send(mgr, A2MP_DISCOVER_REQ, 1, sizeof(req), &req); | ||
| 360 | diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c | ||
| 361 | index 1d085eed72d0c..e3cd81ce2a7bb 100644 | ||
| 362 | --- a/net/bluetooth/hci_conn.c | ||
| 363 | +++ b/net/bluetooth/hci_conn.c | ||
| 364 | @@ -1163,6 +1163,23 @@ int hci_conn_check_link_mode(struct hci_conn *conn) | ||
| 365 | return 0; | ||
| 366 | } | ||
| 367 | |||
| 368 | + /* AES encryption is required for Level 4: | ||
| 369 | + * | ||
| 370 | + * BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C | ||
| 371 | + * page 1319: | ||
| 372 | + * | ||
| 373 | + * 128-bit equivalent strength for link and encryption keys | ||
| 374 | + * required using FIPS approved algorithms (E0 not allowed, | ||
| 375 | + * SAFER+ not allowed, and P-192 not allowed; encryption key | ||
| 376 | + * not shortened) | ||
| 377 | + */ | ||
| 378 | + if (conn->sec_level == BT_SECURITY_FIPS && | ||
| 379 | + !test_bit(HCI_CONN_AES_CCM, &conn->flags)) { | ||
| 380 | + bt_dev_err(conn->hdev, | ||
| 381 | + "Invalid security: Missing AES-CCM usage"); | ||
| 382 | + return 0; | ||
| 383 | + } | ||
| 384 | + | ||
| 385 | if (hci_conn_ssp_enabled(conn) && | ||
| 386 | !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) | ||
| 387 | return 0; | ||
| 388 | diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c | ||
| 389 | index d6da119f5082e..1f5c48d1493c9 100644 | ||
| 390 | --- a/net/bluetooth/hci_event.c | ||
| 391 | +++ b/net/bluetooth/hci_event.c | ||
| 392 | @@ -1133,6 +1133,9 @@ static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, | ||
| 393 | { | ||
| 394 | struct discovery_state *d = &hdev->discovery; | ||
| 395 | |||
| 396 | + if (len > HCI_MAX_AD_LENGTH) | ||
| 397 | + return; | ||
| 398 | + | ||
| 399 | bacpy(&d->last_adv_addr, bdaddr); | ||
| 400 | d->last_adv_addr_type = bdaddr_type; | ||
| 401 | d->last_adv_rssi = rssi; | ||
| 402 | @@ -2490,7 +2493,7 @@ static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) | ||
| 403 | &cp); | ||
| 404 | } else { | ||
| 405 | clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); | ||
| 406 | - hci_encrypt_cfm(conn, ev->status, 0x00); | ||
| 407 | + hci_encrypt_cfm(conn, ev->status); | ||
| 408 | } | ||
| 409 | } | ||
| 410 | |||
| 411 | @@ -2576,22 +2579,7 @@ static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status, | ||
| 412 | conn->enc_key_size = rp->key_size; | ||
| 413 | } | ||
| 414 | |||
| 415 | - if (conn->state == BT_CONFIG) { | ||
| 416 | - conn->state = BT_CONNECTED; | ||
| 417 | - hci_connect_cfm(conn, 0); | ||
| 418 | - hci_conn_drop(conn); | ||
| 419 | - } else { | ||
| 420 | - u8 encrypt; | ||
| 421 | - | ||
| 422 | - if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags)) | ||
| 423 | - encrypt = 0x00; | ||
| 424 | - else if (test_bit(HCI_CONN_AES_CCM, &conn->flags)) | ||
| 425 | - encrypt = 0x02; | ||
| 426 | - else | ||
| 427 | - encrypt = 0x01; | ||
| 428 | - | ||
| 429 | - hci_encrypt_cfm(conn, 0, encrypt); | ||
| 430 | - } | ||
| 431 | + hci_encrypt_cfm(conn, 0); | ||
| 432 | |||
| 433 | unlock: | ||
| 434 | hci_dev_unlock(hdev); | ||
| 435 | @@ -2638,27 +2626,23 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb) | ||
| 436 | |||
| 437 | clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); | ||
| 438 | |||
| 439 | + /* Check link security requirements are met */ | ||
| 440 | + if (!hci_conn_check_link_mode(conn)) | ||
| 441 | + ev->status = HCI_ERROR_AUTH_FAILURE; | ||
| 442 | + | ||
| 443 | if (ev->status && conn->state == BT_CONNECTED) { | ||
| 444 | if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) | ||
| 445 | set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); | ||
| 446 | |||
| 447 | + /* Notify upper layers so they can cleanup before | ||
| 448 | + * disconnecting. | ||
| 449 | + */ | ||
| 450 | + hci_encrypt_cfm(conn, ev->status); | ||
| 451 | hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); | ||
| 452 | hci_conn_drop(conn); | ||
| 453 | goto unlock; | ||
| 454 | } | ||
| 455 | |||
| 456 | - /* In Secure Connections Only mode, do not allow any connections | ||
| 457 | - * that are not encrypted with AES-CCM using a P-256 authenticated | ||
| 458 | - * combination key. | ||
| 459 | - */ | ||
| 460 | - if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && | ||
| 461 | - (!test_bit(HCI_CONN_AES_CCM, &conn->flags) || | ||
| 462 | - conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) { | ||
| 463 | - hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE); | ||
| 464 | - hci_conn_drop(conn); | ||
| 465 | - goto unlock; | ||
| 466 | - } | ||
| 467 | - | ||
| 468 | /* Try reading the encryption key size for encrypted ACL links */ | ||
| 469 | if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { | ||
| 470 | struct hci_cp_read_enc_key_size cp; | ||
| 471 | @@ -2688,14 +2672,7 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb) | ||
| 472 | } | ||
| 473 | |||
| 474 | notify: | ||
| 475 | - if (conn->state == BT_CONFIG) { | ||
| 476 | - if (!ev->status) | ||
| 477 | - conn->state = BT_CONNECTED; | ||
| 478 | - | ||
| 479 | - hci_connect_cfm(conn, ev->status); | ||
| 480 | - hci_conn_drop(conn); | ||
| 481 | - } else | ||
| 482 | - hci_encrypt_cfm(conn, ev->status, ev->encrypt); | ||
| 483 | + hci_encrypt_cfm(conn, ev->status); | ||
| 484 | |||
| 485 | unlock: | ||
| 486 | hci_dev_unlock(hdev); | ||
| 487 | @@ -4779,6 +4756,11 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, | ||
| 488 | return; | ||
| 489 | } | ||
| 490 | |||
| 491 | + if (len > HCI_MAX_AD_LENGTH) { | ||
| 492 | + pr_err_ratelimited("legacy adv larger than 31 bytes"); | ||
| 493 | + return; | ||
| 494 | + } | ||
| 495 | + | ||
| 496 | /* Find the end of the data in case the report contains padded zero | ||
| 497 | * bytes at the end causing an invalid length value. | ||
| 498 | * | ||
| 499 | @@ -4839,7 +4821,7 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, | ||
| 500 | */ | ||
| 501 | conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type, | ||
| 502 | direct_addr); | ||
| 503 | - if (conn && type == LE_ADV_IND) { | ||
| 504 | + if (conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) { | ||
| 505 | /* Store report for later inclusion by | ||
| 506 | * mgmt_device_connected | ||
| 507 | */ | ||
| 508 | @@ -4964,10 +4946,14 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) | ||
| 509 | struct hci_ev_le_advertising_info *ev = ptr; | ||
| 510 | s8 rssi; | ||
| 511 | |||
| 512 | - rssi = ev->data[ev->length]; | ||
| 513 | - process_adv_report(hdev, ev->evt_type, &ev->bdaddr, | ||
| 514 | - ev->bdaddr_type, NULL, 0, rssi, | ||
| 515 | - ev->data, ev->length); | ||
| 516 | + if (ev->length <= HCI_MAX_AD_LENGTH) { | ||
| 517 | + rssi = ev->data[ev->length]; | ||
| 518 | + process_adv_report(hdev, ev->evt_type, &ev->bdaddr, | ||
| 519 | + ev->bdaddr_type, NULL, 0, rssi, | ||
| 520 | + ev->data, ev->length); | ||
| 521 | + } else { | ||
| 522 | + bt_dev_err(hdev, "Dropping invalid advertising data"); | ||
| 523 | + } | ||
| 524 | |||
| 525 | ptr += sizeof(*ev) + ev->length + 1; | ||
| 526 | } | ||
| 527 | diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c | ||
| 528 | index 5e3f5c1ba07d6..b96818cda12da 100644 | ||
| 529 | --- a/net/bluetooth/l2cap_core.c | ||
| 530 | +++ b/net/bluetooth/l2cap_core.c | ||
| 531 | @@ -6675,9 +6675,10 @@ static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) | ||
| 532 | goto drop; | ||
| 533 | } | ||
| 534 | |||
| 535 | - if ((chan->mode == L2CAP_MODE_ERTM || | ||
| 536 | - chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb)) | ||
| 537 | - goto drop; | ||
| 538 | + if (chan->ops->filter) { | ||
| 539 | + if (chan->ops->filter(chan, skb)) | ||
| 540 | + goto drop; | ||
| 541 | + } | ||
| 542 | |||
| 543 | if (!control->sframe) { | ||
| 544 | int err; | ||
| 545 | diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c | ||
| 546 | index bbf08c6092f4a..ab6b1788dbfc3 100644 | ||
| 547 | --- a/net/bluetooth/l2cap_sock.c | ||
| 548 | +++ b/net/bluetooth/l2cap_sock.c | ||
| 549 | @@ -1475,6 +1475,19 @@ static void l2cap_sock_suspend_cb(struct l2cap_chan *chan) | ||
| 550 | sk->sk_state_change(sk); | ||
| 551 | } | ||
| 552 | |||
| 553 | +static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb) | ||
| 554 | +{ | ||
| 555 | + struct sock *sk = chan->data; | ||
| 556 | + | ||
| 557 | + switch (chan->mode) { | ||
| 558 | + case L2CAP_MODE_ERTM: | ||
| 559 | + case L2CAP_MODE_STREAMING: | ||
| 560 | + return sk_filter(sk, skb); | ||
| 561 | + } | ||
| 562 | + | ||
| 563 | + return 0; | ||
| 564 | +} | ||
| 565 | + | ||
| 566 | static const struct l2cap_ops l2cap_chan_ops = { | ||
| 567 | .name = "L2CAP Socket Interface", | ||
| 568 | .new_connection = l2cap_sock_new_connection_cb, | ||
| 569 | @@ -1489,6 +1502,7 @@ static const struct l2cap_ops l2cap_chan_ops = { | ||
| 570 | .set_shutdown = l2cap_sock_set_shutdown_cb, | ||
| 571 | .get_sndtimeo = l2cap_sock_get_sndtimeo_cb, | ||
| 572 | .alloc_skb = l2cap_sock_alloc_skb_cb, | ||
| 573 | + .filter = l2cap_sock_filter, | ||
| 574 | }; | ||
| 575 | |||
| 576 | static void l2cap_sock_destruct(struct sock *sk) | ||
| 577 | diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c | ||
| 578 | index ba24f613c0fc1..bca1408f815ff 100644 | ||
| 579 | --- a/net/bluetooth/mgmt.c | ||
| 580 | +++ b/net/bluetooth/mgmt.c | ||
| 581 | @@ -635,7 +635,8 @@ static u32 get_supported_settings(struct hci_dev *hdev) | ||
| 582 | |||
| 583 | if (lmp_ssp_capable(hdev)) { | ||
| 584 | settings |= MGMT_SETTING_SSP; | ||
| 585 | - settings |= MGMT_SETTING_HS; | ||
| 586 | + if (IS_ENABLED(CONFIG_BT_HS)) | ||
| 587 | + settings |= MGMT_SETTING_HS; | ||
| 588 | } | ||
| 589 | |||
| 590 | if (lmp_sc_capable(hdev)) | ||
| 591 | @@ -1645,6 +1646,10 @@ static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len) | ||
| 592 | |||
| 593 | BT_DBG("request for %s", hdev->name); | ||
| 594 | |||
| 595 | + if (!IS_ENABLED(CONFIG_BT_HS)) | ||
| 596 | + return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, | ||
| 597 | + MGMT_STATUS_NOT_SUPPORTED); | ||
| 598 | + | ||
| 599 | status = mgmt_bredr_support(hdev); | ||
| 600 | if (status) | ||
| 601 | return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status); |