3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 23 Jul 2014 00:20:24 +0000 (17:20 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 23 Jul 2014 00:20:24 +0000 (17:20 -0700)
added patches:
bluetooth-ignore-h5-non-link-packets-in-non-active-state.patch
drivers-hv-util-fix-a-bug-in-the-kvp-code.patch
fuse-handle-large-user-and-group-id.patch

queue-3.10/bluetooth-ignore-h5-non-link-packets-in-non-active-state.patch [new file with mode: 0644]
queue-3.10/drivers-hv-util-fix-a-bug-in-the-kvp-code.patch [new file with mode: 0644]
queue-3.10/fuse-handle-large-user-and-group-id.patch [new file with mode: 0644]
queue-3.10/series

diff --git a/queue-3.10/bluetooth-ignore-h5-non-link-packets-in-non-active-state.patch b/queue-3.10/bluetooth-ignore-h5-non-link-packets-in-non-active-state.patch
new file mode 100644 (file)
index 0000000..8b03898
--- /dev/null
@@ -0,0 +1,31 @@
+From 48439d501e3d9e8634bdc0c418e066870039599d Mon Sep 17 00:00:00 2001
+From: Loic Poulain <loic.poulain@intel.com>
+Date: Mon, 23 Jun 2014 17:42:44 +0200
+Subject: Bluetooth: Ignore H5 non-link packets in non-active state
+
+From: Loic Poulain <loic.poulain@intel.com>
+
+commit 48439d501e3d9e8634bdc0c418e066870039599d upstream.
+
+When detecting a non-link packet, h5_reset_rx() frees the Rx skb.
+Not returning after that will cause the upcoming h5_rx_payload()
+call to dereference a now NULL Rx skb and trigger a kernel oops.
+
+Signed-off-by: Loic Poulain <loic.poulain@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/hci_h5.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bluetooth/hci_h5.c
++++ b/drivers/bluetooth/hci_h5.c
+@@ -406,6 +406,7 @@ static int h5_rx_3wire_hdr(struct hci_ua
+           H5_HDR_PKT_TYPE(hdr) != HCI_3WIRE_LINK_PKT) {
+               BT_ERR("Non-link packet received in non-active state");
+               h5_reset_rx(h5);
++              return 0;
+       }
+       h5->rx_func = h5_rx_payload;
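Review bot: The added `return 0;` after `h5_reset_rx(h5)` is the only thing keeping the released Rx skb away from `h5_rx_payload`, and nothing in the code says so. A short comment above it, `/* h5_reset_rx() dropped rx_skb; must not arm h5_rx_payload */`, would stop a later cleanup from folding this branch back into the fall-through path. The header being checked presumably comes from the attached controller, so the branch is reachable from device-supplied data and the unconditional `BT_ERR` logs once per such packet; whether that needs limiting depends on how noisy a misbehaving controller can be. h5_rx_3wire_hdr starts and ends outside the hunk, so its other error branches could not be checked for the same pattern.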
diff --git a/queue-3.10/drivers-hv-util-fix-a-bug-in-the-kvp-code.patch b/queue-3.10/drivers-hv-util-fix-a-bug-in-the-kvp-code.patch
new file mode 100644 (file)
index 0000000..f22c42b
--- /dev/null
@@ -0,0 +1,76 @@
+From 9bd2d0dfe4714dd5d7c09a93a5c9ea9e14ceb3fc Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Mon, 7 Jul 2014 16:34:25 -0700
+Subject: Drivers: hv: util: Fix a bug in the KVP code
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit 9bd2d0dfe4714dd5d7c09a93a5c9ea9e14ceb3fc upstream.
+
+Add code to poll the channel since we process only one message
+at a time and the host may not interrupt us. Also increase the
+receive buffer size since some KVP messages are close to 8K bytes in size.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv_kvp.c  |   14 ++++++++++++--
+ drivers/hv/hv_util.c |    2 +-
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/hv/hv_kvp.c
++++ b/drivers/hv/hv_kvp.c
+@@ -111,6 +111,15 @@ kvp_work_func(struct work_struct *dummy)
+       kvp_respond_to_host(NULL, HV_E_FAIL);
+ }
++static void poll_channel(struct vmbus_channel *channel)
++{
++      unsigned long flags;
++
++      spin_lock_irqsave(&channel->inbound_lock, flags);
++      hv_kvp_onchannelcallback(channel);
++      spin_unlock_irqrestore(&channel->inbound_lock, flags);
++}
++
+ static int kvp_handle_handshake(struct hv_kvp_msg *msg)
+ {
+       int ret = 1;
+@@ -139,7 +148,7 @@ static int kvp_handle_handshake(struct h
+               kvp_register(dm_reg_value);
+               kvp_transaction.active = false;
+               if (kvp_transaction.kvp_context)
+-                      hv_kvp_onchannelcallback(kvp_transaction.kvp_context);
++                      poll_channel(kvp_transaction.kvp_context);
+       }
+       return ret;
+ }
+@@ -552,6 +561,7 @@ response_done:
+       vmbus_sendpacket(channel, recv_buffer, buf_len, req_id,
+                               VM_PKT_DATA_INBAND, 0);
++      poll_channel(channel);
+ }
+@@ -585,7 +595,7 @@ void hv_kvp_onchannelcallback(void *cont
+               return;
+       }
+-      vmbus_recvpacket(channel, recv_buffer, PAGE_SIZE * 2, &recvlen,
++      vmbus_recvpacket(channel, recv_buffer, PAGE_SIZE * 4, &recvlen,
+                        &requestid);
+       if (recvlen > 0) {
+--- a/drivers/hv/hv_util.c
++++ b/drivers/hv/hv_util.c
+@@ -279,7 +279,7 @@ static int util_probe(struct hv_device *
+               (struct hv_util_service *)dev_id->driver_data;
+       int ret;
+-      srv->recv_buffer = kmalloc(PAGE_SIZE * 2, GFP_KERNEL);
++      srv->recv_buffer = kmalloc(PAGE_SIZE * 4, GFP_KERNEL);
+       if (!srv->recv_buffer)
+               return -ENOMEM;
+       if (srv->util_init) {
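Review bot: The receive size `PAGE_SIZE * 4` is now written out in two files that must agree: the `kmalloc` in `util_probe` (hv_util.c) and the length passed to `vmbus_recvpacket` in `hv_kvp_onchannelcallback` (hv_kvp.c). If one is changed without the other, the receive path can be told the buffer is larger than what was allocated, and the data being copied comes from the host. A single shared constant used at both sites, for example `#define HV_UTIL_RECV_BUF_SIZE (PAGE_SIZE * 4)` (a name suggested here, not one that exists in the tree), would tie the two together. Separately, `poll_channel` invokes the callback with `inbound_lock` held and interrupts disabled; a one-line comment on what that lock protects against would help, since the hunk does not show who else takes it.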
diff --git a/queue-3.10/fuse-handle-large-user-and-group-id.patch b/queue-3.10/fuse-handle-large-user-and-group-id.patch
new file mode 100644 (file)
index 0000000..1793c93
--- /dev/null
@@ -0,0 +1,72 @@
+From 233a01fa9c4c7c41238537e8db8434667ff28a2f Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@suse.cz>
+Date: Mon, 7 Jul 2014 15:28:51 +0200
+Subject: fuse: handle large user and group ID
+
+From: Miklos Szeredi <mszeredi@suse.cz>
+
+commit 233a01fa9c4c7c41238537e8db8434667ff28a2f upstream.
+
+If the number in "user_id=N" or "group_id=N" mount options was larger than
+INT_MAX then fuse returned EINVAL.
+
+Fix this to handle all valid uid/gid values.
+
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/inode.c |   20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -461,6 +461,17 @@ static const match_table_t tokens = {
+       {OPT_ERR,                       NULL}
+ };
++static int fuse_match_uint(substring_t *s, unsigned int *res)
++{
++      int err = -ENOMEM;
++      char *buf = match_strdup(s);
++      if (buf) {
++              err = kstrtouint(buf, 10, res);
++              kfree(buf);
++      }
++      return err;
++}
++
+ static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev)
+ {
+       char *p;
+@@ -471,6 +482,7 @@ static int parse_fuse_opt(char *opt, str
+       while ((p = strsep(&opt, ",")) != NULL) {
+               int token;
+               int value;
++              unsigned uv;
+               substring_t args[MAX_OPT_ARGS];
+               if (!*p)
+                       continue;
+@@ -494,18 +506,18 @@ static int parse_fuse_opt(char *opt, str
+                       break;
+               case OPT_USER_ID:
+-                      if (match_int(&args[0], &value))
++                      if (fuse_match_uint(&args[0], &uv))
+                               return 0;
+-                      d->user_id = make_kuid(current_user_ns(), value);
++                      d->user_id = make_kuid(current_user_ns(), uv);
+                       if (!uid_valid(d->user_id))
+                               return 0;
+                       d->user_id_present = 1;
+                       break;
+               case OPT_GROUP_ID:
+-                      if (match_int(&args[0], &value))
++                      if (fuse_match_uint(&args[0], &uv))
+                               return 0;
+-                      d->group_id = make_kgid(current_user_ns(), value);
++                      d->group_id = make_kgid(current_user_ns(), uv);
+                       if (!gid_valid(d->group_id))
+                               return 0;
+                       d->group_id_present = 1;
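Review bot: `fuse_match_uint` parses with `kstrtouint(buf, 10, res)`, which is decimal only, whereas the `match_int` it replaces auto-detects the base as far as I know, so `user_id=010` or `user_id=0x10` may now be read as a different number or rejected. For an option that decides which uid/gid owns the mount, that difference should be stated explicitly: either keep the old parsing with `kstrtouint(buf, 0, res)` or add a comment such as `/* decimal only; unlike match_int() no 0x/0 prefixes */` above the helper. The callers still fold allocation failure and parse failure into the same `return 0`, which matches the surrounding code. parse_fuse_opt continues outside the hunk.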
index 66f264eb2615f87689adc72951adb96f4a67e76c..fcd67f8e36e274ed0b72f080ed4329f21105bcf4 100644 (file)
@@ -1,2 +1,5 @@
 usb-check-if-port-status-is-equal-to-rxdetect.patch
 media-gspca_pac7302-add-new-usb-id-for-genius-i-look-317.patch
+drivers-hv-util-fix-a-bug-in-the-kvp-code.patch
+bluetooth-ignore-h5-non-link-packets-in-non-active-state.patch
+fuse-handle-large-user-and-group-id.patch