From 1e96b3e00cd83331b46fb7c434d7d05e4438a991 Mon Sep 17 00:00:00 2001
From: Greg Rose
Date: Tue, 28 Jan 2025 10:50:40 -0800
Subject: [PATCH 1/2] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
jira VULN-211
cve CVE-2022-42896
commit-author Luiz Augusto von Dentz
commit f937b758a188d6fd328a81367087eddbb2fce50f
l2cap_global_chan_by_psm shall not return fixed channels as they are not meant to be connected by (S)PSM.
Signed-off-by: Luiz Augusto von Dentz
Reviewed-by: Tedd Ho-Jeong An
(cherry picked from commit f937b758a188d6fd328a81367087eddbb2fce50f)
Signed-off-by: Greg Rose
---
 net/bluetooth/l2cap_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index cc4f3f7a4c536..dd037c78c93bd 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1984,7 +1984,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
 continue;
- if (c->psm == psm) {
+ if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) {
 int src_match, dst_match;
 int src_any, dst_any;
From 61eb857d7be3d9e0a04a67cbe195d71dc69f8bc9 Mon Sep 17 00:00:00 2001
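Review bot: The `cve CVE-2022-42896` tag may promise more than this one-line hunk delivers: as far as I recall, upstream addressed that CVE with a pair of L2CAP changes, this lookup fix plus a separate one that rejects out-of-range (S)PSM values in the connection-request handlers, and only the former is in this series. Nothing visible here shows whether the tree already carries the companion change, so that should be confirmed before the CVE is marked as fixed. On the new line itself, a short comment such as `/* Fixed channels are never connected by (S)PSM, so never match them here */` would keep the reason next to the condition. The body of l2cap_global_chan_by_psm starts and ends outside the hunk.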
From: Jonathan Maple
Date: Thu, 16 Jan 2025 12:59:07 -0500
Subject: [PATCH 2/2] github actions: Make Builds on Merge Request Work
Since we need to make sure external contributors code actually compiles prior to merging. To get access to the forked repos merge request we need to switch over our push/pull_request to pull_request_target. In addition we're fixing up some Naming Conventions, adding aarch64 to this branch and fixing the naming so that we can quickly identify if the CI is for x86_64 or aarch64. Removes pull request checker it is being rewritten and doesn't work as intented for fork merges.
---
 ...ck_aarch64.yml => build-check_aarch64.yml} | 7 +--
 ...heck_x86_64.yml => build-check_x86_64.yml} | 7 +--
 .github/workflows/process-pull-request.yml | 54 -------------------
 3 files changed, 8 insertions(+), 60 deletions(-)
 rename .github/workflows/{push-check_aarch64.yml => build-check_aarch64.yml} (87%)
 rename .github/workflows/{push-check_x86_64.yml => build-check_x86_64.yml} (87%)
 delete mode 100644 .github/workflows/process-pull-request.yml
diff --git a/.github/workflows/push-check_aarch64.yml b/.github/workflows/build-check_aarch64.yml
similarity index 87%
rename from .github/workflows/push-check_aarch64.yml
rename to .github/workflows/build-check_aarch64.yml
index de372fd5ce48b..9bcb0587db44c 100644
--- a/.github/workflows/push-check_aarch64.yml
+++ b/.github/workflows/build-check_aarch64.yml
@@ -1,6 +1,6 @@
-name: CI
+name: aarch64 CI
 on:
- push:
+ pull_request:
 branches:
 - '**'
 - '!mainline'
@@ -24,10 +24,11 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
 with:
+ ref: "${{ github.event.pull_request.head.sha }}"
 fetch-depth: 0
 - name: Build the Kernel
 run: |
- git config --global --add safe.directory /__w/kernel-src-git/kernel-src-git
+ git config --global --add safe.directory /__w/kernel-src-tree/kernel-src-tree
 cp configs/kernel-5.14.0-aarch64.config .config
 make olddefconfig
 make -j8
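Review bot: The trigger added in the first hunk is `pull_request`, while the commit description says the workflows switch to `pull_request_target`; one of the two should be corrected so the record matches the code. For a job that compiles contributor code, `pull_request` is the safer of the two, because runs from forks get a read-only token and no secrets, whereas `pull_request_target` would run the same build with the base repository's token. Whichever is intended, a top-level `permissions:` block with `contents: read` would make the token scope explicit, unless lines 7-23, which the hunks do not show, already set one. The same applies to the first hunk of build-check_x86_64.yml.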
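Review bot: The checkout step in the second hunk fetches the PR head commit and the next step runs `make` on it, so the checkout should not leave the job token in the work tree's git config: add `persist-credentials: false` under `with:`. Pinning `ref` to `github.event.pull_request.head.sha` also means the build tests the contributor's branch tip instead of the merge result that a `pull_request` run checks out by default; if that is deliberate, a comment such as `# build the PR head, not the merge commit` should say so. Referencing `actions/checkout` by a full commit SHA instead of `@v4` would additionally fix the action code that runs next to untrusted source. The same applies to the second hunk of build-check_x86_64.yml.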
diff --git a/.github/workflows/push-check_x86_64.yml b/.github/workflows/build-check_x86_64.yml
similarity index 87%
rename from .github/workflows/push-check_x86_64.yml
rename to .github/workflows/build-check_x86_64.yml
index 28a9ed0ee219c..2bf53a9f70f6e 100644
--- a/.github/workflows/push-check_x86_64.yml
+++ b/.github/workflows/build-check_x86_64.yml
@@ -1,6 +1,6 @@
-name: CI
+name: x86_64 CI
 on:
- push:
+ pull_request:
 branches:
 - '**'
 - '!mainline'
@@ -24,10 +24,11 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
 with:
+ ref: "${{ github.event.pull_request.head.sha }}"
 fetch-depth: 0
 - name: Build the Kernel
 run: |
- git config --global --add safe.directory /__w/kernel-src-git/kernel-src-git
+ git config --global --add safe.directory /__w/kernel-src-tree/kernel-src-tree
 cp configs/kernel-5.14.0-x86_64.config .config
 make olddefconfig
 make -j8
diff --git a/.github/workflows/process-pull-request.yml b/.github/workflows/process-pull-request.yml
deleted file mode 100644
index 5764537bed632..0000000000000
--- a/.github/workflows/process-pull-request.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-name: Pull Request Checker
-
-on:
- pull_request:
- branches:
- - '**'
- - '!mainline'
-
-permissions:
- contents: read
-
-jobs:
- test:
-
- runs-on: ubuntu-latest
- strategy:
- matrix:
- ruby-version: ['3.0']
-
- steps:
- - uses: actions/checkout@v4
- - name: Set up Ruby
- # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
- # change this to (see https://github.com/ruby/setup-ruby#versioning):
- uses: ruby/setup-ruby@v1
- # uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
- with:
- ruby-version: ${{ matrix.ruby-version }}
- bundler-cache: true # runs 'bundle install' and caches installed gems automatically
- - name: Set up Python
- uses: actions/setup-python@v5
- - name: Run tests
- run: |
- /usr/bin/pip3 install gitPython
- python -c "import sys; import git; print(sys.version)"
- git fetch origin ${{ github.base_ref }}
- git fetch origin ${{ github.head_ref }}
- git remote add linux https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
- git fetch --shallow-since="3 years ago" linux
- echo "Will run process-git-request.rb with:"
- echo "fname = ${{ github.run_id }}"
- echo "target_branch = ${{ github.base_ref }}"
- echo "source_branch = ${{ github.head_ref }}"
- echo "prj_dir = ${{ github.workspace }}"
- echo "pull_request = ${{ github.ref }}"
- echo "requestor = ${{ github.actor }}"
- cd ${{ github.workspace }}
- /usr/bin/ruby .github/workflows/process-git-request.rb ${{ github.run_id }} ${{ github.base_ref }} \
- ${{ github.head_ref }} ${{ github.workspace }} ${{ github.ref }} ${{ github.actor }}