From 20c917c71cc4088beee38cbf362c56486582fea1 Mon Sep 17 00:00:00 2001 
From: Konstantin Demin Date: Thu, 22 May 2025 17:47:17 +0300 Subject: [PATCH] release 6.14.8 --- debian/bin/genpatch-pfkernel | 2 +- debian/changelog | 7 + ...ftdep-declarations-for-hard-coded-cr.patch | 2 +- ...-raid5-6-being-experimental-at-mount.patch | 2 +- ...compiler-version-comparison-optional.patch | 2 +- ...ice_write_prof_mask_reg-as-noinline.patch} | 0 ...sk-TPM-RC-in-tpm2_start_auth_session.patch | 99 --------- ...-scan-before-removing-link-interfac.patch} | 0 ...ch-CONFIG_SYSFS_SYCALL-default-to-n.patch} | 0 ...4-update-tpm2_start_auth_session-fix.patch | 76 ------- ...minated-string-initialization-just-.patch} | 0 ...nterminated-string-initialization-e.patch} | 0 ...11-mark-copy_mesh_setup-as-noinline.patch} | 0 ...t-vsc_tp_packet-as-vsc-tp-tx_buf-an.patch} | 0 ...re-write_iter-for-writable-files-in-.patch | 34 ++++ ...emory-leak-during-error-handling-for.patch | 35 ---- ...fault-to-maximum-amount-of-ASLR-bits.patch | 33 --- ...skip-simpledrm-if-nvidia-drm.modese.patch} | 0 ...ent-Fix-not-using-key-encryption-siz.patch | 191 ++++++++++++++++++ debian/patches/series | 24 +-- 20 files changed, 247 insertions(+), 260 deletions(-) rename debian/patches/patchset-pf/fixes/{0004-ice-mark-ice_write_prof_mask_reg-as-noinline.patch => 0003-ice-mark-ice_write_prof_mask_reg-as-noinline.patch} (100%) delete mode 100644 debian/patches/patchset-pf/fixes/0003-tpm-Mask-TPM-RC-in-tpm2_start_auth_session.patch rename debian/patches/patchset-pf/fixes/{0006-wifi-ath12k-Abort-scan-before-removing-link-interfac.patch => 0004-wifi-ath12k-Abort-scan-before-removing-link-interfac.patch} (100%) rename debian/patches/patchset-pf/fixes/{0007-Kconfig-switch-CONFIG_SYSFS_SYCALL-default-to-n.patch => 0005-Kconfig-switch-CONFIG_SYSFS_SYCALL-default-to-n.patch} (100%) delete mode 100644 debian/patches/patchset-pf/fixes/0005-fixes-6.14-update-tpm2_start_auth_session-fix.patch rename debian/patches/patchset-pf/fixes/{0008-gcc-15-make-unterminated-string-initialization-just-.patch => 
0006-gcc-15-make-unterminated-string-initialization-just-.patch} (100%) rename debian/patches/patchset-pf/fixes/{0009-gcc-15-disable-Wunterminated-string-initialization-e.patch => 0007-gcc-15-disable-Wunterminated-string-initialization-e.patch} (100%) rename debian/patches/patchset-pf/fixes/{0010-wifi-mac80211-mark-copy_mesh_setup-as-noinline.patch => 0008-wifi-mac80211-mark-copy_mesh_setup-as-noinline.patch} (100%) rename debian/patches/patchset-pf/fixes/{0011-mei-vsc-Use-struct-vsc_tp_packet-as-vsc-tp-tx_buf-an.patch => 0009-mei-vsc-Use-struct-vsc_tp_packet-as-vsc-tp-tx_buf-an.patch} (100%) create mode 100644 debian/patches/patchset-pf/fixes/0010-loop-don-t-require-write_iter-for-writable-files-in-.patch delete mode 100644 debian/patches/patchset-pf/smb/0001-smb-client-fix-memory-leak-during-error-handling-for.patch delete mode 100644 debian/patches/patchset-zen/fixes/0001-arch-Kconfig-Default-to-maximum-amount-of-ASLR-bits.patch rename debian/patches/patchset-zen/fixes/{0002-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch => 0001-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch} (100%) create mode 100644 debian/patches/patchset-zen/fixes/0002-Bluetooth-hci_event-Fix-not-using-key-encryption-siz.patch diff --git a/debian/bin/genpatch-pfkernel b/debian/bin/genpatch-pfkernel index 87fa53d..dfe1fcf 100755 --- a/debian/bin/genpatch-pfkernel +++ b/debian/bin/genpatch-pfkernel @@ -7,7 +7,7 @@ w=$(git rev-parse --path-format=absolute --show-toplevel) ; : "${w:?}" ; cd "$w" dst='debian/patches/pf-tmp' src='../linux-extras' -branches='amd-pstate cpuidle crypto fixes invlpgb kbuild smb zstd' +branches='amd-pstate cpuidle crypto fixes invlpgb kbuild nfs smb zstd' if [ -d "${dst}" ] ; then rm -rf "${dst}" ; fi mkdir -p "${dst}" diff --git a/debian/changelog b/debian/changelog index dcd934d..2b2121d 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,10 @@ +linux (6.14.8-1) sid; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.14.8 + + -- Konstantin Demin Thu, 22 May 2025 17:02:41 +0300 + linux (6.14.7-1) sid; urgency=medium * New upstream stable update: diff --git a/debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch b/debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch index 22ee870..dc75c7c 100644 --- a/debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch +++ b/debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch @@ -18,7 +18,7 @@ Signed-off-by: Ben Hutchings --- a/fs/btrfs/super.c +++ b/fs/btrfs/super.c -@@ -2626,7 +2626,7 @@ module_exit(exit_btrfs_fs) +@@ -2630,7 +2630,7 @@ module_exit(exit_btrfs_fs) MODULE_DESCRIPTION("B-Tree File System (BTRFS)"); MODULE_LICENSE("GPL"); diff --git a/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch b/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch index 7d96c3b..a2ce424 100644 --- a/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch +++ b/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch @@ -22,7 +22,7 @@ implementation went from disk-io.c to super.c; forwarded the issue] --- a/fs/btrfs/super.c +++ b/fs/btrfs/super.c -@@ -765,6 +765,18 @@ static void set_device_specific_options( +@@ -769,6 +769,18 @@ static void set_device_specific_options( btrfs_set_opt(fs_info->mount_opt, SSD); /* diff --git a/debian/patches/debian/makefile-make-compiler-version-comparison-optional.patch b/debian/patches/debian/makefile-make-compiler-version-comparison-optional.patch index 5784354..0e6ece7 100644 --- a/debian/patches/debian/makefile-make-compiler-version-comparison-optional.patch +++ b/debian/patches/debian/makefile-make-compiler-version-comparison-optional.patch 
@@ -20,7 +20,7 @@ is non-empty. --- --- a/Makefile +++ b/Makefile -@@ -1876,7 +1876,7 @@ PHONY += prepare +@@ -1875,7 +1875,7 @@ PHONY += prepare # now expand this into a simple variable to reduce the cost of shell evaluations prepare: CC_VERSION_TEXT := $(CC_VERSION_TEXT) prepare: diff --git a/debian/patches/patchset-pf/fixes/0004-ice-mark-ice_write_prof_mask_reg-as-noinline.patch b/debian/patches/patchset-pf/fixes/0003-ice-mark-ice_write_prof_mask_reg-as-noinline.patch similarity index 100% rename from debian/patches/patchset-pf/fixes/0004-ice-mark-ice_write_prof_mask_reg-as-noinline.patch rename to debian/patches/patchset-pf/fixes/0003-ice-mark-ice_write_prof_mask_reg-as-noinline.patch diff --git a/debian/patches/patchset-pf/fixes/0003-tpm-Mask-TPM-RC-in-tpm2_start_auth_session.patch b/debian/patches/patchset-pf/fixes/0003-tpm-Mask-TPM-RC-in-tpm2_start_auth_session.patch deleted file mode 100644 index b254ac5..0000000 --- a/debian/patches/patchset-pf/fixes/0003-tpm-Mask-TPM-RC-in-tpm2_start_auth_session.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From 762de1df7e501e019c3ae273c7e5e2d4c04b303c Mon Sep 17 00:00:00 2001 -From: Jarkko Sakkinen -Date: Mon, 7 Apr 2025 15:28:05 +0300 -Subject: tpm: Mask TPM RC in tpm2_start_auth_session() - -tpm2_start_auth_session() does not mask TPM RC correctly from the callers: - -[ 28.766528] tpm tpm0: A TPM error (2307) occurred start auth session - -Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX -error codes. - -Cc: stable@vger.kernel.org # v6.10+ -Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") -Reported-by: Herbert Xu -Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au/ -Signed-off-by: Jarkko Sakkinen ---- - drivers/char/tpm/tpm2-sessions.c | 20 ++++++-------------- - include/linux/tpm.h | 21 +++++++++++++++++++++ - 2 files changed, 27 insertions(+), 14 deletions(-) - ---- a/drivers/char/tpm/tpm2-sessions.c -+++ b/drivers/char/tpm/tpm2-sessions.c -@@ -40,11 +40,6 @@ - * - * These are the usage functions: - * -- * tpm2_start_auth_session() which allocates the opaque auth structure -- * and gets a session from the TPM. This must be called before -- * any of the following functions. The session is protected by a -- * session_key which is derived from a random salt value -- * encrypted to the NULL seed. - * tpm2_end_auth_session() kills the session and frees the resources. 
- * Under normal operation this function is done by - * tpm_buf_check_hmac_response(), so this is only to be used on -@@ -963,16 +958,13 @@ err: - } - - /** -- * tpm2_start_auth_session() - create a HMAC authentication session with the TPM -- * @chip: the TPM chip structure to create the session with -+ * tpm2_start_auth_session() - Create an a HMAC authentication session -+ * @chip: A TPM chip - * -- * This function loads the NULL seed from its saved context and starts -- * an authentication session on the null seed, fills in the -- * @chip->auth structure to contain all the session details necessary -- * for performing the HMAC, encrypt and decrypt operations and -- * returns. The NULL seed is flushed before this function returns. -+ * Loads the ephemeral key (null seed), and starts an HMAC authenticated -+ * session. The null seed is flushed before the return. - * -- * Return: zero on success or actual error encountered. -+ * Returns zero on success, or a POSIX error code. - */ - int tpm2_start_auth_session(struct tpm_chip *chip) - { -@@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_c - /* hash algorithm for session */ - tpm_buf_append_u16(&buf, TPM_ALG_SHA256); - -- rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session"); -+ rc = tpm_to_ret(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession")); - tpm2_flush_context(chip, null_key); - - if (rc == TPM2_RC_SUCCESS) ---- a/include/linux/tpm.h -+++ b/include/linux/tpm.h -@@ -257,8 +257,29 @@ enum tpm2_return_codes { - TPM2_RC_TESTING = 0x090A, /* RC_WARN */ - TPM2_RC_REFERENCE_H0 = 0x0910, - TPM2_RC_RETRY = 0x0922, -+ TPM2_RC_SESSION_MEMORY = 0x0903, - }; - -+/* -+ * Convert a return value from tpm_transmit_cmd() to a POSIX return value. The -+ * fallback return value is -EFAULT. 
-+ */ -+static inline ssize_t tpm_to_ret(ssize_t ret) -+{ -+ /* Already a POSIX error: */ -+ if (ret < 0) -+ return ret; -+ -+ switch (ret) { -+ case TPM2_RC_SUCCESS: -+ return 0; -+ case TPM2_RC_SESSION_MEMORY: -+ return -ENOMEM; -+ default: -+ return -EFAULT; -+ } -+} -+ - enum tpm2_command_codes { - TPM2_CC_FIRST = 0x011F, - TPM2_CC_HIERARCHY_CONTROL = 0x0121, diff --git a/debian/patches/patchset-pf/fixes/0006-wifi-ath12k-Abort-scan-before-removing-link-interfac.patch b/debian/patches/patchset-pf/fixes/0004-wifi-ath12k-Abort-scan-before-removing-link-interfac.patch similarity index 100% rename from debian/patches/patchset-pf/fixes/0006-wifi-ath12k-Abort-scan-before-removing-link-interfac.patch rename to debian/patches/patchset-pf/fixes/0004-wifi-ath12k-Abort-scan-before-removing-link-interfac.patch diff --git a/debian/patches/patchset-pf/fixes/0007-Kconfig-switch-CONFIG_SYSFS_SYCALL-default-to-n.patch b/debian/patches/patchset-pf/fixes/0005-Kconfig-switch-CONFIG_SYSFS_SYCALL-default-to-n.patch similarity index 100% rename from debian/patches/patchset-pf/fixes/0007-Kconfig-switch-CONFIG_SYSFS_SYCALL-default-to-n.patch rename to debian/patches/patchset-pf/fixes/0005-Kconfig-switch-CONFIG_SYSFS_SYCALL-default-to-n.patch diff --git a/debian/patches/patchset-pf/fixes/0005-fixes-6.14-update-tpm2_start_auth_session-fix.patch b/debian/patches/patchset-pf/fixes/0005-fixes-6.14-update-tpm2_start_auth_session-fix.patch deleted file mode 100644 index 6143403..0000000 --- a/debian/patches/patchset-pf/fixes/0005-fixes-6.14-update-tpm2_start_auth_session-fix.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 74c95e079dc8b3c53ade90b2070458c0c69f3fdf Mon Sep 17 00:00:00 2001 -From: Oleksandr Natalenko -Date: Tue, 8 Apr 2025 19:51:44 +0200 -Subject: fixes-6.14: update tpm2_start_auth_session() fix - -Signed-off-by: Oleksandr Natalenko ---- - drivers/char/tpm/tpm2-sessions.c | 2 +- - include/linux/tpm.h | 38 +++++++++++++++----------------- - 2 files changed, 19 insertions(+), 21 deletions(-) - ---- a/drivers/char/tpm/tpm2-sessions.c -+++ b/drivers/char/tpm/tpm2-sessions.c -@@ -1016,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_c - /* hash algorithm for session */ - tpm_buf_append_u16(&buf, TPM_ALG_SHA256); - -- rc = tpm_to_ret(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession")); -+ rc = tpm_ret_to_err(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession")); - tpm2_flush_context(chip, null_key); - - if (rc == TPM2_RC_SUCCESS) ---- a/include/linux/tpm.h -+++ b/include/linux/tpm.h -@@ -260,26 +260,6 @@ enum tpm2_return_codes { - TPM2_RC_SESSION_MEMORY = 0x0903, - }; - --/* -- * Convert a return value from tpm_transmit_cmd() to a POSIX return value. The -- * fallback return value is -EFAULT. -- */ --static inline ssize_t tpm_to_ret(ssize_t ret) --{ -- /* Already a POSIX error: */ -- if (ret < 0) -- return ret; -- -- switch (ret) { -- case TPM2_RC_SUCCESS: -- return 0; -- case TPM2_RC_SESSION_MEMORY: -- return -ENOMEM; -- default: -- return -EFAULT; -- } --} -- - enum tpm2_command_codes { - TPM2_CC_FIRST = 0x011F, - TPM2_CC_HIERARCHY_CONTROL = 0x0121, -@@ -458,6 +438,24 @@ static inline u32 tpm2_rc_value(u32 rc) - return (rc & BIT(7)) ? rc & 0xbf : rc; - } - -+/* -+ * Convert a return value from tpm_transmit_cmd() to POSIX error code. 
-+ */ -+static inline ssize_t tpm_ret_to_err(ssize_t ret) -+{ -+ if (ret < 0) -+ return ret; -+ -+ switch (tpm2_rc_value(ret)) { -+ case TPM2_RC_SUCCESS: -+ return 0; -+ case TPM2_RC_SESSION_MEMORY: -+ return -ENOMEM; -+ default: -+ return -EFAULT; -+ } -+} -+ - #if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE) - - extern int tpm_is_tpm2(struct tpm_chip *chip); diff --git a/debian/patches/patchset-pf/fixes/0008-gcc-15-make-unterminated-string-initialization-just-.patch b/debian/patches/patchset-pf/fixes/0006-gcc-15-make-unterminated-string-initialization-just-.patch similarity index 100% rename from debian/patches/patchset-pf/fixes/0008-gcc-15-make-unterminated-string-initialization-just-.patch rename to debian/patches/patchset-pf/fixes/0006-gcc-15-make-unterminated-string-initialization-just-.patch diff --git a/debian/patches/patchset-pf/fixes/0009-gcc-15-disable-Wunterminated-string-initialization-e.patch b/debian/patches/patchset-pf/fixes/0007-gcc-15-disable-Wunterminated-string-initialization-e.patch similarity index 100% rename from debian/patches/patchset-pf/fixes/0009-gcc-15-disable-Wunterminated-string-initialization-e.patch rename to debian/patches/patchset-pf/fixes/0007-gcc-15-disable-Wunterminated-string-initialization-e.patch diff --git a/debian/patches/patchset-pf/fixes/0010-wifi-mac80211-mark-copy_mesh_setup-as-noinline.patch b/debian/patches/patchset-pf/fixes/0008-wifi-mac80211-mark-copy_mesh_setup-as-noinline.patch similarity index 100% rename from debian/patches/patchset-pf/fixes/0010-wifi-mac80211-mark-copy_mesh_setup-as-noinline.patch rename to debian/patches/patchset-pf/fixes/0008-wifi-mac80211-mark-copy_mesh_setup-as-noinline.patch 
diff --git a/debian/patches/patchset-pf/fixes/0011-mei-vsc-Use-struct-vsc_tp_packet-as-vsc-tp-tx_buf-an.patch b/debian/patches/patchset-pf/fixes/0009-mei-vsc-Use-struct-vsc_tp_packet-as-vsc-tp-tx_buf-an.patch similarity index 100% rename from debian/patches/patchset-pf/fixes/0011-mei-vsc-Use-struct-vsc_tp_packet-as-vsc-tp-tx_buf-an.patch rename to debian/patches/patchset-pf/fixes/0009-mei-vsc-Use-struct-vsc_tp_packet-as-vsc-tp-tx_buf-an.patch diff --git a/debian/patches/patchset-pf/fixes/0010-loop-don-t-require-write_iter-for-writable-files-in-.patch b/debian/patches/patchset-pf/fixes/0010-loop-don-t-require-write_iter-for-writable-files-in-.patch new file mode 100644 index 0000000..741b557 --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0010-loop-don-t-require-write_iter-for-writable-files-in-.patch 
@@ -0,0 +1,34 @@ +From c3781ee15fb846bc6ad09a09baa2ced404e74e47 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Tue, 20 May 2025 15:54:20 +0200 +Subject: loop: don't require ->write_iter for writable files in loop_configure + +Block devices can be opened read-write even if they can't be written to +for historic reasons. Remove the check requiring file->f_op->write_iter +when the block devices was opened in loop_configure. The call to +loop_check_backing_file just below ensures the ->write_iter is present +for backing files opened for writing, which is the only check that is +actually needed. + +Fixes: f5c84eff634b ("loop: Add sanity check for read/write_iter") +Reported-by: Christian Hesse +Signed-off-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250520135420.1177312-1-hch@lst.de +Signed-off-by: Jens Axboe +Cherry-picked-for: https://lore.kernel.org/r/20250519175640.2fcac001@leda.eworm.net +--- + drivers/block/loop.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -972,9 +972,6 @@ static int loop_configure(struct loop_de + if (!file) + return -EBADF; + +- if ((mode & BLK_OPEN_WRITE) && !file->f_op->write_iter) +- return -EINVAL; +- + error = loop_check_backing_file(file); + if (error) + return error; diff --git a/debian/patches/patchset-pf/smb/0001-smb-client-fix-memory-leak-during-error-handling-for.patch b/debian/patches/patchset-pf/smb/0001-smb-client-fix-memory-leak-during-error-handling-for.patch deleted file mode 100644 index b6be507..0000000 --- a/debian/patches/patchset-pf/smb/0001-smb-client-fix-memory-leak-during-error-handling-for.patch +++ /dev/null 
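Review bot: With the `(mode & BLK_OPEN_WRITE) && !file->f_op->write_iter` test removed from loop_configure(), a writable backing file that lacks `->write_iter` is rejected only if `loop_check_backing_file()` makes that test itself. The patch description says it does, but that function's body is not in this hunk and loop_configure() continues outside it. Because 0010 is a cherry-pick layered on 6.14.8 rather than part of the stable update, confirm that the 6.14.8 tree's `loop_check_backing_file()` contains the write_iter check before relying on this removal.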
@@ -1,35 +0,0 @@ -From 8ef14a884df5aaf48cf5f7ce6c91e7318cb07d4e Mon Sep 17 00:00:00 2001 -From: Jethro Donaldson -Date: Thu, 15 May 2025 01:23:23 +1200 -Subject: smb: client: fix memory leak during error handling for POSIX mkdir - -The response buffer for the CREATE request handled by smb311_posix_mkdir() -is leaked on the error path (goto err_free_rsp_buf) because the structure -pointer *rsp passed to free_rsp_buf() is not assigned until *after* the -error condition is checked. - -As *rsp is initialised to NULL, free_rsp_buf() becomes a no-op and the leak -is instead reported by __kmem_cache_shutdown() upon subsequent rmmod of -cifs.ko if (and only if) the error path has been hit. - -Pass rsp_iov.iov_base to free_rsp_buf() instead, similar to the code in -other functions in smb2pdu.c for which *rsp is assigned late. - -Cc: stable@vger.kernel.org -Signed-off-by: Jethro Donaldson -Signed-off-by: Steve French ---- - fs/smb/client/smb2pdu.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/smb/client/smb2pdu.c -+++ b/fs/smb/client/smb2pdu.c -@@ -2967,7 +2967,7 @@ replay_again: - /* Eventually save off posix specific response info and timestamps */ - - err_free_rsp_buf: -- free_rsp_buf(resp_buftype, rsp); -+ free_rsp_buf(resp_buftype, rsp_iov.iov_base); - kfree(pc_buf); - err_free_req: - cifs_small_buf_release(req); diff --git a/debian/patches/patchset-zen/fixes/0001-arch-Kconfig-Default-to-maximum-amount-of-ASLR-bits.patch b/debian/patches/patchset-zen/fixes/0001-arch-Kconfig-Default-to-maximum-amount-of-ASLR-bits.patch deleted file mode 100644 index fcb0b83..0000000 --- a/debian/patches/patchset-zen/fixes/0001-arch-Kconfig-Default-to-maximum-amount-of-ASLR-bits.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 6dada600ab3579296c9b2b57cf41b95792f021ed Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" -Date: Sat, 13 Jan 2024 15:29:25 +0100 -Subject: arch/Kconfig: Default to maximum amount of ASLR bits - -To mitigate CVE-2024-26621 and improve randomization quality further. Do -this with a patch to avoid having to enable `CONFIG_EXPERT`. - -Cherry-picked-for: https://zolutal.github.io/aslrnt/ ---- - arch/Kconfig | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/arch/Kconfig -+++ b/arch/Kconfig -@@ -1137,7 +1137,7 @@ config ARCH_MMAP_RND_BITS - int "Number of bits to use for ASLR of mmap base address" if EXPERT - range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX - default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT -- default ARCH_MMAP_RND_BITS_MIN -+ default ARCH_MMAP_RND_BITS_MAX - depends on HAVE_ARCH_MMAP_RND_BITS - help - This value can be used to select the number of bits to use to -@@ -1171,7 +1171,7 @@ config ARCH_MMAP_RND_COMPAT_BITS - int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT - range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX - default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT -- default ARCH_MMAP_RND_COMPAT_BITS_MIN -+ default ARCH_MMAP_RND_COMPAT_BITS_MAX - depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS - help - This value can be used to select the number of bits to use to diff --git a/debian/patches/patchset-zen/fixes/0002-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch b/debian/patches/patchset-zen/fixes/0001-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch similarity index 100% rename from debian/patches/patchset-zen/fixes/0002-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch rename to debian/patches/patchset-zen/fixes/0001-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch 
diff --git a/debian/patches/patchset-zen/fixes/0002-Bluetooth-hci_event-Fix-not-using-key-encryption-siz.patch b/debian/patches/patchset-zen/fixes/0002-Bluetooth-hci_event-Fix-not-using-key-encryption-siz.patch new file mode 100644 index 0000000..987ebf0 --- /dev/null +++ b/debian/patches/patchset-zen/fixes/0002-Bluetooth-hci_event-Fix-not-using-key-encryption-siz.patch 
@@ -0,0 +1,191 @@ +From 1d8e5829e40e6547e10a5f479e2a6fea0d412132 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Wed, 30 Apr 2025 15:07:03 -0400 +Subject: Bluetooth: hci_event: Fix not using key encryption size when its + known + +This fixes the regression introduced by 50c1241e6a8a ("Bluetooth: l2cap: +Check encryption key size on incoming connection") introduced a check for +l2cap_check_enc_key_size which checks for hcon->enc_key_size which may +not be initialized if HCI_OP_READ_ENC_KEY_SIZE is still pending. + +If the key encryption size is known, due previously reading it using +HCI_OP_READ_ENC_KEY_SIZE, then store it as part of link_key/smp_ltk +structures so the next time the encryption is changed their values are +used as conn->enc_key_size thus avoiding the racing against +HCI_OP_READ_ENC_KEY_SIZE. + +Now that the enc_size is stored as part of key the information the code +then attempts to check that there is no downgrade of security if +HCI_OP_READ_ENC_KEY_SIZE returns a value smaller than what has been +previously stored. 
+ +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220061 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220063 +Fixes: 522e9ed157e3 ("Bluetooth: l2cap: Check encryption key size on incoming connection") +Signed-off-by: Luiz Augusto von Dentz +Cherry-picked-for: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/issues/137 +--- + include/net/bluetooth/hci_core.h | 1 + + net/bluetooth/hci_conn.c | 24 +++++++++++ + net/bluetooth/hci_event.c | 73 ++++++++++++++++++-------------- + 3 files changed, 67 insertions(+), 31 deletions(-) + +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -1778,6 +1778,7 @@ struct hci_conn_params *hci_pend_le_acti + void hci_uuids_clear(struct hci_dev *hdev); + + void hci_link_keys_clear(struct hci_dev *hdev); ++u8 *hci_conn_key_enc_size(struct hci_conn *conn); + struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr); + struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, + bdaddr_t *bdaddr, u8 *val, u8 type, +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -2897,3 +2897,27 @@ int hci_abort_conn(struct hci_conn *conn + */ + return hci_cmd_sync_run_once(hdev, abort_conn_sync, conn, NULL); + } ++ ++u8 *hci_conn_key_enc_size(struct hci_conn *conn) ++{ ++ if (conn->type == ACL_LINK) { ++ struct link_key *key; ++ ++ key = hci_find_link_key(conn->hdev, &conn->dst); ++ if (!key) ++ return NULL; ++ ++ return &key->pin_len; ++ } else if (conn->type == LE_LINK) { ++ struct smp_ltk *ltk; ++ ++ ltk = hci_find_ltk(conn->hdev, &conn->dst, conn->dst_type, ++ conn->role); ++ if (!ltk) ++ return NULL; ++ ++ return <k->enc_size; ++ } ++ ++ return NULL; ++} +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -739,10 +739,17 @@ static u8 hci_cc_read_enc_key_size(struc + handle); + conn->enc_key_size = 0; + } else { ++ u8 *key_enc_size = hci_conn_key_enc_size(conn); ++ + conn->enc_key_size = rp->key_size; + status = 0; + +- if 
(conn->enc_key_size < hdev->min_enc_key_size) { ++ /* Attempt to check if the key size is too small or if it has ++ * been downgraded from the last time it was stored as part of ++ * the link_key. ++ */ ++ if (conn->enc_key_size < hdev->min_enc_key_size || ++ (key_enc_size && conn->enc_key_size < *key_enc_size)) { + /* As slave role, the conn->state has been set to + * BT_CONNECTED and l2cap conn req might not be received + * yet, at this moment the l2cap layer almost does +@@ -755,6 +762,10 @@ static u8 hci_cc_read_enc_key_size(struc + clear_bit(HCI_CONN_ENCRYPT, &conn->flags); + clear_bit(HCI_CONN_AES_CCM, &conn->flags); + } ++ ++ /* Update the key encryption size with the connection one */ ++ if (key_enc_size && *key_enc_size != conn->enc_key_size) ++ *key_enc_size = conn->enc_key_size; + } + + hci_encrypt_cfm(conn, status); +@@ -3062,6 +3073,34 @@ static void hci_inquiry_result_evt(struc + hci_dev_unlock(hdev); + } + ++static int hci_read_enc_key_size(struct hci_dev *hdev, struct hci_conn *conn) ++{ ++ struct hci_cp_read_enc_key_size cp; ++ u8 *key_enc_size = hci_conn_key_enc_size(conn); ++ ++ if (!read_key_size_capable(hdev)) { ++ conn->enc_key_size = HCI_LINK_KEY_SIZE; ++ return -EOPNOTSUPP; ++ } ++ ++ bt_dev_dbg(hdev, "hcon %p", conn); ++ ++ memset(&cp, 0, sizeof(cp)); ++ cp.handle = cpu_to_le16(conn->handle); ++ ++ /* If the key enc_size is already known, use it as conn->enc_key_size, ++ * otherwise use hdev->min_enc_key_size so the likes of ++ * l2cap_check_enc_key_size don't fail while waiting for ++ * HCI_OP_READ_ENC_KEY_SIZE response. 
++ */ ++ if (key_enc_size && *key_enc_size) ++ conn->enc_key_size = *key_enc_size; ++ else ++ conn->enc_key_size = hdev->min_enc_key_size; ++ ++ return hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp); ++} ++ + static void hci_conn_complete_evt(struct hci_dev *hdev, void *data, + struct sk_buff *skb) + { +@@ -3154,23 +3193,11 @@ static void hci_conn_complete_evt(struct + if (ev->encr_mode == 1 && !test_bit(HCI_CONN_ENCRYPT, &conn->flags) && + ev->link_type == ACL_LINK) { + struct link_key *key; +- struct hci_cp_read_enc_key_size cp; + + key = hci_find_link_key(hdev, &ev->bdaddr); + if (key) { + set_bit(HCI_CONN_ENCRYPT, &conn->flags); +- +- if (!read_key_size_capable(hdev)) { +- conn->enc_key_size = HCI_LINK_KEY_SIZE; +- } else { +- cp.handle = cpu_to_le16(conn->handle); +- if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE, +- sizeof(cp), &cp)) { +- bt_dev_err(hdev, "sending read key size failed"); +- conn->enc_key_size = HCI_LINK_KEY_SIZE; +- } +- } +- ++ hci_read_enc_key_size(hdev, conn); + hci_encrypt_cfm(conn, ev->status); + } + } +@@ -3609,24 +3636,8 @@ static void hci_encrypt_change_evt(struc + + /* Try reading the encryption key size for encrypted ACL links */ + if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { +- struct hci_cp_read_enc_key_size cp; +- +- /* Only send HCI_Read_Encryption_Key_Size if the +- * controller really supports it. If it doesn't, assume +- * the default size (16). +- */ +- if (!read_key_size_capable(hdev)) { +- conn->enc_key_size = HCI_LINK_KEY_SIZE; ++ if (hci_read_enc_key_size(hdev, conn)) + goto notify; +- } +- +- cp.handle = cpu_to_le16(conn->handle); +- if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE, +- sizeof(cp), &cp)) { +- bt_dev_err(hdev, "sending read key size failed"); +- conn->enc_key_size = HCI_LINK_KEY_SIZE; +- goto notify; +- } + + goto unlock; + } diff --git a/debian/patches/series b/debian/patches/series index ec4f176..58f2fbd 100644 --- a/debian/patches/series +++ b/debian/patches/series 
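Review bot: In the new `hci_conn_key_enc_size()` the ACL branch returns `&key->pin_len`, so `hci_cc_read_enc_key_size()` compares the controller-reported key size against a field whose name says it holds the PIN length, and then overwrites it. A link key stored before this patch would presumably still carry a PIN length there, which would make the first downgrade comparison `conn->enc_key_size < *key_enc_size` unreliable for it. If the reuse is intended, it needs a comment at the return, e.g. `/* pin_len doubles as the stored encryption key size for ACL links */`, and a check that other readers of `pin_len` tolerate the new value. Separately, `hci_conn_complete_evt()` ignores the return of `hci_read_enc_key_size()` and the old `bt_dev_err(hdev, "sending read key size failed")` is gone, so a failed send silently leaves the provisional `conn->enc_key_size` in place. As rendered on this page the LE branch reads `return <k->enc_size;`, which looks like a mangled `&ltk->enc_size`; confirm the patch file in the tree is intact.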
@@ -172,8 +172,6 @@ patchset-pf/invlpgb/0013-x86-mm-Always-set-the-ASID-valid-bit-for-the-INVLPGB.pa patchset-pf/invlpgb/0014-x86-mm-Only-do-broadcast-flush-from-reclaim-if-pages.patch patchset-pf/invlpgb/0015-x86-mm-Eliminate-window-where-TLB-flushes-may-be-ina.patch -patchset-pf/smb/0001-smb-client-fix-memory-leak-during-error-handling-for.patch - patchset-pf/zstd/0001-zstd-import-upstream-v1.5.7.patch patchset-pf/zstd/0002-lib-zstd-Refactor-intentional-wrap-around-test.patch 
@@ -263,15 +261,15 @@ patchset-zen/sauce/0023-ZEN-INTERACTIVE-Document-PDS-BMQ-configuration.patch patchset-pf/fixes/0001-Kunit-to-check-the-longest-symbol-length.patch patchset-pf/fixes/0002-x86-tools-Drop-duplicate-unlikely-definition-in-insn.patch -patchset-pf/fixes/0003-tpm-Mask-TPM-RC-in-tpm2_start_auth_session.patch -patchset-pf/fixes/0004-ice-mark-ice_write_prof_mask_reg-as-noinline.patch -patchset-pf/fixes/0005-fixes-6.14-update-tpm2_start_auth_session-fix.patch -patchset-pf/fixes/0006-wifi-ath12k-Abort-scan-before-removing-link-interfac.patch -patchset-pf/fixes/0007-Kconfig-switch-CONFIG_SYSFS_SYCALL-default-to-n.patch -patchset-pf/fixes/0008-gcc-15-make-unterminated-string-initialization-just-.patch -patchset-pf/fixes/0009-gcc-15-disable-Wunterminated-string-initialization-e.patch -patchset-pf/fixes/0010-wifi-mac80211-mark-copy_mesh_setup-as-noinline.patch -patchset-pf/fixes/0011-mei-vsc-Use-struct-vsc_tp_packet-as-vsc-tp-tx_buf-an.patch +patchset-pf/fixes/0003-ice-mark-ice_write_prof_mask_reg-as-noinline.patch +patchset-pf/fixes/0004-wifi-ath12k-Abort-scan-before-removing-link-interfac.patch +patchset-pf/fixes/0005-Kconfig-switch-CONFIG_SYSFS_SYCALL-default-to-n.patch +patchset-pf/fixes/0006-gcc-15-make-unterminated-string-initialization-just-.patch +patchset-pf/fixes/0007-gcc-15-disable-Wunterminated-string-initialization-e.patch +patchset-pf/fixes/0008-wifi-mac80211-mark-copy_mesh_setup-as-noinline.patch +patchset-pf/fixes/0009-mei-vsc-Use-struct-vsc_tp_packet-as-vsc-tp-tx_buf-an.patch +patchset-pf/fixes/0010-loop-don-t-require-write_iter-for-writable-files-in-.patch + +patchset-zen/fixes/0001-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch +patchset-zen/fixes/0002-Bluetooth-hci_event-Fix-not-using-key-encryption-siz.patch -patchset-zen/fixes/0001-arch-Kconfig-Default-to-maximum-amount-of-ASLR-bits.patch -patchset-zen/fixes/0002-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch
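Review bot: The last removed entries drop `patchset-zen/fixes/0001-arch-Kconfig-Default-to-maximum-amount-of-ASLR-bits.patch` from the series, and neither this file nor the new debian/changelog entry says why. That patch's own description says it mitigates CVE-2024-26621 by defaulting `ARCH_MMAP_RND_BITS` and `ARCH_MMAP_RND_COMPAT_BITS` to their `_MAX` values. Without it the Kconfig default falls back to `ARCH_MMAP_RND_BITS_DEFAULT` or `ARCH_MMAP_RND_BITS_MIN`, unless the package config sets the value explicitly or 6.14.8 carries an equivalent change. Add a changelog line such as `* Drop zen ASLR-bits default patch: <reason>` and check the resulting `CONFIG_ARCH_MMAP_RND_BITS` in the built config. The tpm and smb removals in this commit are presumably upstreamed in 6.14.8, but they are likewise not recorded in the changelog.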