[thirdparty/kernel/stable-queue.git] / releases / 3.6.8 / bluetooth-fix-having-bogus-entries-in-mgmt_read_index_list-reply.patch

From 476e44cb19f1fbf2d5883dddcc0ce31b33b45915 Mon Sep 17 00:00:00 2001
From: Johan Hedberg <johan.hedberg@intel.com>
Date: Fri, 19 Oct 2012 20:10:46 +0300
Subject: Bluetooth: Fix having bogus entries in mgmt_read_index_list reply

From: Johan Hedberg <johan.hedberg@intel.com>

commit 476e44cb19f1fbf2d5883dddcc0ce31b33b45915 upstream.

The mgmt_read_index_list uses one loop to calculate the max needed size
of its response with the help of an upper-bound of the controller count.
The second loop is more strict as it checks for HCI_SETUP (which might
have gotten set after the first loop) and could result in some indexes
being skipped. Because of this the function needs to readjust the event
length and index count after filling in the response array.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bluetooth/mgmt.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -321,7 +321,7 @@ static int read_index_list(struct sock *
 	struct hci_dev *d;
 	size_t rp_len;
 	u16 count;
-	int i, err;
+	int err;
 
 	BT_DBG("sock %p", sk);
 
@@ -339,17 +339,18 @@ static int read_index_list(struct sock *
 		return -ENOMEM;
 	}
 
-	rp->num_controllers = cpu_to_le16(count);
-
-	i = 0;
+	count = 0;
 	list_for_each_entry(d, &hci_dev_list, list) {
 		if (test_bit(HCI_SETUP, &d->dev_flags))
 			continue;
 
-		rp->index[i++] = cpu_to_le16(d->id);
+		rp->index[count++] = cpu_to_le16(d->id);
 		BT_DBG("Added hci%u", d->id);
 	}
 
+	rp->num_controllers = cpu_to_le16(count);
+	rp_len = sizeof(*rp) + (2 * count);
+
 	read_unlock(&hci_dev_list_lock);
 
 	err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST, 0, rp,
Commit	Line	Data
1df8150e GKH	1	From 476e44cb19f1fbf2d5883dddcc0ce31b33b45915 Mon Sep 17 00:00:00 2001
	2	From: Johan Hedberg <johan.hedberg@intel.com>
	3	Date: Fri, 19 Oct 2012 20:10:46 +0300
	4	Subject: Bluetooth: Fix having bogus entries in mgmt_read_index_list reply
	5
	6	From: Johan Hedberg <johan.hedberg@intel.com>
	7
	8	commit 476e44cb19f1fbf2d5883dddcc0ce31b33b45915 upstream.
	9
	10	The mgmt_read_index_list uses one loop to calculate the max needed size
	11	of its response with the help of an upper-bound of the controller count.
	12	The second loop is more strict as it checks for HCI_SETUP (which might
	13	have gotten set after the first loop) and could result in some indexes
	14	being skipped. Because of this the function needs to readjust the event
	15	length and index count after filling in the response array.
	16
	17	Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
	18	Acked-by: Marcel Holtmann <marcel@holtmann.org>
	19	Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
	20	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	21
	22	---
	23	net/bluetooth/mgmt.c \| 11 ++++++-----
	24	1 file changed, 6 insertions(+), 5 deletions(-)
	25
	26	--- a/net/bluetooth/mgmt.c
	27	+++ b/net/bluetooth/mgmt.c
	28	@@ -321,7 +321,7 @@ static int read_index_list(struct sock *
	29	struct hci_dev *d;
	30	size_t rp_len;
	31	u16 count;
	32	- int i, err;
	33	+ int err;
	34
	35	BT_DBG("sock %p", sk);
	36
	37	@@ -339,17 +339,18 @@ static int read_index_list(struct sock *
	38	return -ENOMEM;
	39	}
	40
	41	- rp->num_controllers = cpu_to_le16(count);
	42	-
	43	- i = 0;
	44	+ count = 0;
	45	list_for_each_entry(d, &hci_dev_list, list) {
	46	if (test_bit(HCI_SETUP, &d->dev_flags))
	47	continue;
	48
	49	- rp->index[i++] = cpu_to_le16(d->id);
	50	+ rp->index[count++] = cpu_to_le16(d->id);
	51	BT_DBG("Added hci%u", d->id);
	52	}
	53
	54	+ rp->num_controllers = cpu_to_le16(count);
	55	+ rp_len = sizeof(rp) + (2 count);
	56	+
	57	read_unlock(&hci_dev_list_lock);
	58
	59	err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST, 0, rp,