From e0a359364ade8ca5231673c0132d090304ff589b Mon Sep 17 00:00:00 2001
From: Brett Mastbergen <bmastbergen@ciq.com>
Date: Thu, 16 Jan 2025 23:26:36 +0100
Subject: [PATCH 1/2] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm

jira VULN-8772
cve CVE-2022-42896
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit f937b758a188d6fd328a81367087eddbb2fce50f

l2cap_global_chan_by_psm shall not return fixed channels as they are not
meant to be connected by (S)PSM.

	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>
(cherry picked from commit f937b758a188d6fd328a81367087eddbb2fce50f)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
---
 net/bluetooth/l2cap_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index e1bea969f94b5..8ee8cf0e96338 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1960,7 +1960,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
 		if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
 			continue;
 
-		if (c->psm == psm) {
+		if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) {
 			int src_match, dst_match;
 			int src_any, dst_any;
 

From ff4b1559581ba4fe751e39fc33e3db818e24aacc Mon Sep 17 00:00:00 2001
From: Jonathan Maple <jmaple@ciq.com>
Date: Tue, 14 Jan 2025 12:19:54 -0500
Subject: [PATCH 2/2] github actions: Make builds on Merge Request

Since we need to make sure external contributors code actually compiles
prior to merging. To get access to the forked repos merge request we
need to switch over our push to pull_request. In addition we're fixing up
some Naming Conventions, adding aarch64 to this branch and fixing the naming
so that we can quickly identify if the CI is for x86_64.

Also disable the process-pull-request until the `utf-8` situation is
resolved.
---
 ...heck_x86_64.yml => build-check_x86_64.yml} |  7 ++-
 .github/workflows/github-actions-demo.yml     | 26 ---------
 .github/workflows/process-pull-request.yml    | 55 -------------------
 .github/workflows/push-check_aarch64.yml      | 33 -----------
 4 files changed, 4 insertions(+), 117 deletions(-)
 rename .github/workflows/{push-check_x86_64.yml => build-check_x86_64.yml} (87%)
 delete mode 100644 .github/workflows/github-actions-demo.yml
 delete mode 100644 .github/workflows/process-pull-request.yml
 delete mode 100644 .github/workflows/push-check_aarch64.yml

diff --git a/.github/workflows/push-check_x86_64.yml b/.github/workflows/build-check_x86_64.yml
similarity index 87%
rename from .github/workflows/push-check_x86_64.yml
rename to .github/workflows/build-check_x86_64.yml
index 2aa1eb2ed4f18..a1d16685ec22a 100644
--- a/.github/workflows/push-check_x86_64.yml
+++ b/.github/workflows/build-check_x86_64.yml
@@ -1,6 +1,6 @@
-name: CI
+name: x86_64 CI
 on:
-  push:
+  pull_request:
     branches:
       - '**'
       - '!mainline'
@@ -24,10 +24,11 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
+          ref: "${{ github.event.pull_request.head.sha }}"
           fetch-depth: 0
       - name: Build the Kernel
         run: |
-          git config --global --add safe.directory /__w/kernel-src-git/kernel-src-git
+          git config --global --add safe.directory /__w/kernel-src-tree/kernel-src-tree
           cp configs/kernel-4.18.0-x86_64.config .config
           make olddefconfig
           make -j8
diff --git a/.github/workflows/github-actions-demo.yml b/.github/workflows/github-actions-demo.yml
deleted file mode 100644
index de3dbc4d34b9b..0000000000000
--- a/.github/workflows/github-actions-demo.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: GitHub Actions Sanity Check
-run-name: ${{ github.actor }} is running actions - this runs as a sanity check 🚀
-on:
-  push:
-    branches:
-      - '**'
-      - '!mainline'
-
-jobs:
-  Explore-GitHub-Actions:
-    runs-on: ubuntu-latest
-    steps:
-      - run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
-      - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by GitHub!"
-      - run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
-      - name: Check out repository code        
-        uses: actions/checkout@v4
-      - run: echo "💡 The ${{ github.repository }} repository has been cloned to the runner."
-      - run: echo "🖥️ The workflow is now ready to test your code on the runner."
-      - name: List files in the repository
-        run: |
-          ls ${{ github.workspace }}
-          df .
-          df /
-          pwd
-      - run: echo "🍏 This job's status is ${{ job.status }}."
diff --git a/.github/workflows/process-pull-request.yml b/.github/workflows/process-pull-request.yml
deleted file mode 100644
index a4f9f43fa425e..0000000000000
--- a/.github/workflows/process-pull-request.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-name: Pull Request Checker
-
-on:
-  pull_request:
-    branches:
-      - '**'
-      - '!mainline'    
-
-permissions:
-  contents: read
-
-jobs:
-  test:
-
-    runs-on:
-      labels: kernel-build
-    strategy:
-      matrix:
-        ruby-version: ['3.0']
-
-    steps:
-    - uses: actions/checkout@v4
-    - name: Set up Ruby
-    # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
-    # change this to (see https://github.com/ruby/setup-ruby#versioning):
-      uses: ruby/setup-ruby@v1
-    # uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
-      with:
-        ruby-version: ${{ matrix.ruby-version }}
-        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
-    - name: Set up Python
-      uses: actions/setup-python@v5
-    - name: Run tests
-      run: |
-        /usr/bin/pip3 install gitPython
-        python -c "import sys; import git; print(sys.version)"
-        git fetch origin ${{ github.base_ref }}
-        git fetch origin ${{ github.head_ref }}
-        git remote add linux https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
-        git fetch --shallow-since="3 years ago" linux
-        echo "Will run process-git-request.rb with:"
-        echo "fname = ${{ github.run_id }}"
-        echo "target_branch = ${{ github.base_ref }}"
-        echo "source_branch = ${{ github.head_ref }}"
-        echo "prj_dir = ${{ github.workspace }}"
-        echo "pull_request = ${{ github.ref }}"
-        echo "requestor = ${{ github.actor }}"
-        cd ${{ github.workspace }}
-        /usr/bin/ruby .github/workflows/process-git-request.rb ${{ github.run_id }} ${{ github.base_ref }} \
-        ${{ github.head_ref }} ${{ github.workspace }} ${{ github.ref }} ${{ github.actor }} 
diff --git a/.github/workflows/push-check_aarch64.yml b/.github/workflows/push-check_aarch64.yml
deleted file mode 100644
index 2dda81c43aa79..0000000000000
--- a/.github/workflows/push-check_aarch64.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-name: CI
-on:
-  push:
-    branches:
-      - '**'
-      - '!mainline'
-
-jobs:
-  kernel-build-job:
-    runs-on:
-      labels: kernel-build-arm64
-    container:
-      image: rockylinux:8
-      env:
-        ROCKY_ENV: rocky8
-      ports:
-        - 80
-      options: --cpus 8
-    steps:
-      - name: Install tools and Libraries
-        run: |
-          dnf groupinstall 'Development Tools' -y
-          dnf install --enablerepo=devel bc dwarves kernel-devel openssl-devel elfutils-libelf-devel -y
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Build the Kernel
-        run: |
-          git config --global --add safe.directory /__w/kernel-src-git/kernel-src-git
-          cp configs/kernel-4.18.0-aarch64.config .config
-          make olddefconfig
-          make -j8