From 57d8d154e0f10ab59e77cbeb6f16714f73983c4e Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Wed, 1 Dec 2021 10:54:52 -0800
Subject: [PATCH 1/3] skbuff: introduce skb_pull_data

mainline inclusion
from mainline-v5.17-rc1
commit 13244cccc2b61ec715f0ac583d3037497004d4a5
category: bugfix
issue: #ICETC2
CVE: CVE-2024-56590

Signed-off-by: Tengda Wu

---------------------------------------

Like skb_pull but returns the original data pointer before pulling the data after performing a check against sbk->len. This allows to change code that does "struct foo *p = (void *)skb->data;" which is hard to audit and error prone, to: p = skb_pull_data(skb, sizeof(*p)); if (!p) return; Which is both safer and cleaner.

Acked-by: Jakub Kicinski
Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Dan Carpenter
Signed-off-by: Marcel Holtmann
---
 include/linux/skbuff.h | 2 ++
 net/core/skbuff.c | 24 ++++++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index a210f1995862..4e9b638f7587 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2319,6 +2319,8 @@ static inline void *skb_pull_inline(struct sk_buff *skb, unsigned int len)
 return unlikely(len > skb->len) ? NULL : __skb_pull(skb, len);
 }
 
+void *skb_pull_data(struct sk_buff *skb, size_t len);
+
 void *__pskb_pull_tail(struct sk_buff *skb, int delta);
 
 static inline void *__pskb_pull(struct sk_buff *skb, unsigned int len)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index fd53b66f2ca1..fca5e663f6b8 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1922,6 +1922,30 @@ void *skb_pull(struct sk_buff *skb, unsigned int len)
 }
 EXPORT_SYMBOL(skb_pull);
 
+/**
+ * skb_pull_data - remove data from the start of a buffer returning its
+ * original position.
+ * @skb: buffer to use
+ * @len: amount of data to remove
+ *
+ * This function removes data from the start of a buffer, returning
+ * the memory to the headroom. A pointer to the original data in the buffer
+ * is returned after checking if there is enough data to pull. Once the
+ * data has been pulled future pushes will overwrite the old data.
+ */
+void *skb_pull_data(struct sk_buff *skb, size_t len)
+{
+ void *data = skb->data;
+
+ if (skb->len < len)
+ return NULL;
+
+ skb_pull(skb, len);
+
+ return data;
+}
+EXPORT_SYMBOL(skb_pull_data);
+
 /**
  * skb_trim - remove end from a buffer
  * @skb: buffer to alter
--
Gitee
From 8e20e1a7d88a1486b73e7c51435886ee7332fb1b Mon Sep 17 00:00:00 2001
From: Tengda Wu
Date: Thu, 12 Jun 2025 20:44:21 +0800
Subject: [PATCH 2/3] Revert "Bluetooth: hci_conn: Use disable_delayed_work_sync"

ohos inclusion
category: bugfix
issue: #ICETC2
CVE: NA

Signed-off-by: Tengda Wu

---------------------------------------

This reverts commit dfbef0fa8b62eb23aa4d509ffba9065155478471.

The disable_delayed_work_sync relies on the workqueue mechanism. Due to compatibility challenges with the latest workqueue patches in the current version, revert this commit.

Fixes: dfbef0fa8b62 ("Bluetooth: hci_conn: Use disable_delayed_work_sync")
Signed-off-by: Tengda Wu
---
 net/bluetooth/hci_conn.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index ca65afaad1a3..52e512f41da3 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
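Review bot: The kernel-doc on skb_pull_data() never states the NULL return that callers are meant to test, which is the whole point of the helper per the commit message; add a `* Return: pointer to the data that was at the head of the buffer, or %NULL when @len exceeds skb->len (the buffer is then left untouched).` line before the closing `*/`. The `if (skb->len < len)` check also deserves a one-line why-comment: the comparison is done in size_t, so it rejects any @len that would otherwise be narrowed to unsigned int when passed on to skb_pull() (whose signature is visible in the hunk header), e.g. `/* size_t compare also rejects lengths that would truncate in skb_pull() */`. As far as this series shows, the helper is introduced but has no caller; the CVE-2024-56590 fix named in the commit header is not among the three patches, so that tag is only meaningful once the consuming change lands.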
@@ -606,9 +606,9 @@ int hci_conn_del(struct hci_conn *conn)
 BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
 
- disable_delayed_work_sync(&conn->disc_work);
- disable_delayed_work_sync(&conn->auto_accept_work);
- disable_delayed_work_sync(&conn->idle_work);
+ cancel_delayed_work_sync(&conn->disc_work);
+ cancel_delayed_work_sync(&conn->auto_accept_work);
+ cancel_delayed_work_sync(&conn->idle_work);
 
 if (conn->type == ACL_LINK) {
 struct hci_conn *sco = conn->link;
--
Gitee
From aee9d1e9da0cc7a26ffcc1c98a4a81f016f140c8 Mon Sep 17 00:00:00 2001
From: Andy Shevchenko
Date: Fri, 10 Jun 2022 15:02:18 +0300
Subject: [PATCH 3/3] driver core: Introduce device_find_any_child() helper

stable inclusion
from stable-v5.10.231
commit 49de4ac804275fadd93b0b58e73e7491ef833bcd
category: bugfix
issue: #ICETC2
CVE: CVE-2024-53237

Signed-off-by: Tengda Wu

---------------------------------------

[ Upstream commit 82b070beae1ef55b0049768c8dc91d87565bb191 ]

There are several places in the kernel where this kind of functionality is being used. Provide a generic helper for such cases.

Reviewed-by: Rafael J. Wysocki
Signed-off-by: Andy Shevchenko
Link: https://lore.kernel.org/r/20220610120219.18988-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman
Stable-dep-of: 27aabf27fd01 ("Bluetooth: fix use-after-free in device_for_each_child()")
Signed-off-by: Sasha Levin
---
 drivers/base/core.c | 20 ++++++++++++++++++++
 include/linux/device.h | 2 ++
 2 files changed, 22 insertions(+)

diff --git a/drivers/base/core.c b/drivers/base/core.c
index ec294440dc78..1525b8784cac 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
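Review bot: Going back to cancel_delayed_work_sync() in hci_conn_del() reopens whatever window the reverted commit closed: cancel_*_sync() waits for a running handler but does not stop the work from being queued again afterwards, whereas disable_delayed_work_sync() does, so a re-arm of disc_work, auto_accept_work or idle_work (from the handler itself or another path) after these three calls could, as far as this hunk shows, run against a conn that hci_conn_del goes on to release. The commit message gives only workqueue compatibility as the reason and names no replacement guard; if one exists elsewhere in this tree, say so above the calls, e.g. `/* cancel_delayed_work_sync() does not block re-queueing; <replacement guard> covers that */`, otherwise this should be tracked as a regression of the original fix rather than as a pure build fix. hci_conn_del's body starts and ends outside the hunk, so whether the release path already holds off re-arming cannot be confirmed here.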
@@ -3407,6 +3407,26 @@ struct device *device_find_child_by_name(struct device *parent,
 }
 EXPORT_SYMBOL_GPL(device_find_child_by_name);
 
+static int match_any(struct device *dev, void *unused)
+{
+ return 1;
+}
+
+/**
+ * device_find_any_child - device iterator for locating a child device, if any.
+ * @parent: parent struct device
+ *
+ * This is similar to the device_find_child() function above, but it
+ * returns a reference to a child device, if any.
+ *
+ * NOTE: you will need to drop the reference with put_device() after use.
+ */
+struct device *device_find_any_child(struct device *parent)
+{
+ return device_find_child(parent, NULL, match_any);
+}
+EXPORT_SYMBOL_GPL(device_find_any_child);
+
 int __init devices_init(void)
 {
 devices_kset = kset_create_and_add("devices", &device_uevent_ops, NULL);
diff --git a/include/linux/device.h b/include/linux/device.h
index 6394c4b70a09..c93d4c9f45bd 100644
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -834,6 +834,8 @@ struct device *device_find_child(struct device *dev, void *data,
 int (*match)(struct device *dev, void *data));
 struct device *device_find_child_by_name(struct device *parent,
 const char *name);
+struct device *device_find_any_child(struct device *parent);
+
 int device_rename(struct device *dev, const char *new_name);
 int device_move(struct device *dev, struct device *new_parent,
 enum dpm_order dpm_order);
--
Gitee
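Review bot: The kernel-doc on device_find_any_child() tells the caller to put_device() the result but does not document the NULL case or which child comes back; add `* Return: reference to the first child reached by device_find_child()'s iteration, or %NULL if @parent has no children.` before the `*/`. match_any() intentionally ignores both of its parameters; a short `/* every child matches: used to fetch any one child of @parent */` above it makes that explicit for the next reader. The device.h hunk only adds the prototype. Per the Stable-dep-of trailer this helper exists to serve the use-after-free fix 27aabf27fd01 (tagged CVE-2024-53237 here), which is not part of the three patches shown, so nothing in this series uses it yet.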