--- /dev/null
+From 300b962e5244a1ea010df7e88595faa0085b461d Mon Sep 17 00:00:00 2001
+From: Anderson Lizardo <anderson.lizardo@openbossa.org>
+Date: Sun, 2 Jun 2013 16:30:40 -0400
+Subject: Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
+
+From: Anderson Lizardo <anderson.lizardo@openbossa.org>
+
+commit 300b962e5244a1ea010df7e88595faa0085b461d upstream.
+
+If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
+controller, memory corruption happens due to a memcpy() call with
+negative length.
+
+Fix this crash on either incoming or outgoing connections with a MTU
+smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
+
+[ 46.885433] BUG: unable to handle kernel paging request at f56ad000
+[ 46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
+[ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
+[ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
+[ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
+[ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
+[ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
+[ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
+[ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
+[ 46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
+[ 46.888037] EIP is at memcpy+0x1d/0x40
+[ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
+[ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
+[ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+[ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
+[ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
+[ 46.888037] DR6: ffff0ff0 DR7: 00000400
+[ 46.888037] Stack:
+[ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
+[ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
+[ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
+[ 46.888037] Call Trace:
+[ 46.888037] [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
+[ 46.888037] [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
+[ 46.888037] [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
+[ 46.888037] [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
+[ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
+[ 46.888037] [<c064ad20>] ? mutex_lock_nested+0x280/0x360
+[ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
+[ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
+[ 46.888037] [<c064ad08>] ? mutex_lock_nested+0x268/0x360
+[ 46.888037] [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
+[ 46.888037] [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
+[ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
+[ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
+[ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
+[ 46.888037] [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
+[ 46.888037] [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
+[ 46.888037] [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
+[ 46.888037] [<c0158979>] process_one_work+0x1a9/0x600
+[ 46.888037] [<c01588fb>] ? process_one_work+0x12b/0x600
+[ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
+[ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
+[ 46.888037] [<c0159187>] worker_thread+0xf7/0x320
+[ 46.888037] [<c0159090>] ? rescuer_thread+0x290/0x290
+[ 46.888037] [<c01602f8>] kthread+0xa8/0xb0
+[ 46.888037] [<c0656777>] ret_from_kernel_thread+0x1b/0x28
+[ 46.888037] [<c0160250>] ? flush_kthread_worker+0x120/0x120
+[ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
+[ 46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
+[ 46.888037] CR2: 00000000f56ad000
+[ 46.888037] ---[ end trace 0217c1f4d78714a9 ]---
+
+Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
+Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/l2cap_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -1514,6 +1514,9 @@ static struct sk_buff *l2cap_build_cmd(s
+ BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
+ conn, code, ident, dlen);
+
++ if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
++ return NULL;
++
+ len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
+ count = min_t(unsigned int, conn->mtu, len);
+
--- /dev/null
+From 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 Mon Sep 17 00:00:00 2001
+From: Zefan Li <lizefan@huawei.com>
+Date: Wed, 26 Jun 2013 15:29:54 +0800
+Subject: dlci: acquire rtnl_lock before calling __dev_get_by_name()
+
+From: Zefan Li <lizefan@huawei.com>
+
+commit 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 upstream.
+
+Otherwise the net device returned can be freed at anytime.
+
+Signed-off-by: Li Zefan <lizefan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wan/dlci.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wan/dlci.c
++++ b/drivers/net/wan/dlci.c
+@@ -378,20 +378,24 @@ static int dlci_del(struct dlci_add *dlc
+ struct net_device *master, *slave;
+ int err;
+
++ rtnl_lock();
++
+ /* validate slave device */
+ master = __dev_get_by_name(&init_net, dlci->devname);
+- if (!master)
+- return -ENODEV;
++ if (!master) {
++ err = -ENODEV;
++ goto out;
++ }
+
+ if (netif_running(master)) {
+- return -EBUSY;
++ err = -EBUSY;
++ goto out;
+ }
+
+ dlp = netdev_priv(master);
+ slave = dlp->slave;
+ flp = netdev_priv(slave);
+
+- rtnl_lock();
+ err = (*flp->deassoc)(slave, master);
+ if (!err) {
+ list_del(&dlp->list);
+@@ -400,8 +404,8 @@ static int dlci_del(struct dlci_add *dlc
+
+ dev_put(slave);
+ }
++out:
+ rtnl_unlock();
+-
+ return err;
+ }
+
--- /dev/null
+From 578a1310f2592ba90c5674bca21c1dbd1adf3f0a Mon Sep 17 00:00:00 2001
+From: Zefan Li <lizefan@huawei.com>
+Date: Wed, 26 Jun 2013 15:31:58 +0800
+Subject: dlci: validate the net device in dlci_del()
+
+From: Zefan Li <lizefan@huawei.com>
+
+commit 578a1310f2592ba90c5674bca21c1dbd1adf3f0a upstream.
+
+We triggered an oops while running trinity with 3.4 kernel:
+
+BUG: unable to handle kernel paging request at 0000000100000d07
+IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
+PGD 640c0d067 PUD 0
+Oops: 0000 [#1] PREEMPT SMP
+CPU 3
+...
+Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA
+RIP: 0010:[<ffffffffa0109738>] [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
+...
+Call Trace:
+ [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
+ [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
+ [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
+ [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
+ [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
+...
+
+It's because the net device is not a dlci device.
+
+Reported-by: Li Jinyue <lijinyue@huawei.com>
+Signed-off-by: Li Zefan <lizefan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wan/dlci.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/net/wan/dlci.c
++++ b/drivers/net/wan/dlci.c
+@@ -377,6 +377,7 @@ static int dlci_del(struct dlci_add *dlc
+ struct frad_local *flp;
+ struct net_device *master, *slave;
+ int err;
++ bool found = false;
+
+ rtnl_lock();
+
+@@ -386,6 +387,17 @@ static int dlci_del(struct dlci_add *dlc
+ err = -ENODEV;
+ goto out;
+ }
++
++ list_for_each_entry(dlp, &dlci_devs, list) {
++ if (dlp->master == master) {
++ found = true;
++ break;
++ }
++ }
++ if (!found) {
++ err = -ENODEV;
++ goto out;
++ }
+
+ if (netif_running(master)) {
+ err = -EBUSY;
--- /dev/null
+From c790b0ad23f427c7522ffed264706238c57c007e Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Thu, 20 Jun 2013 17:50:09 +0200
+Subject: hw_breakpoint: Use cpu_possible_mask in {reserve,release}_bp_slot()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit c790b0ad23f427c7522ffed264706238c57c007e upstream.
+
+fetch_bp_busy_slots() and toggle_bp_slot() use
+for_each_online_cpu(), this is obviously wrong wrt cpu_up() or
+cpu_down(), we can over/under account the per-cpu numbers.
+
+For example:
+
+ # echo 0 >> /sys/devices/system/cpu/cpu1/online
+ # perf record -e mem:0x10 -p 1 &
+ # echo 1 >> /sys/devices/system/cpu/cpu1/online
+ # perf record -e mem:0x10,mem:0x10,mem:0x10,mem:0x10 -C1 -a &
+ # taskset -p 0x2 1
+
+triggers the same WARN_ONCE("Can't find any breakpoint slot") in
+arch_install_hw_breakpoint().
+
+Reported-by: Vince Weaver <vincent.weaver@maine.edu>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Frederic Weisbecker <fweisbec@gmail.com>
+Link: http://lkml.kernel.org/r/20130620155009.GA6327@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/hw_breakpoint.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/events/hw_breakpoint.c
++++ b/kernel/events/hw_breakpoint.c
+@@ -147,7 +147,7 @@ fetch_bp_busy_slots(struct bp_busy_slots
+ return;
+ }
+
+- for_each_online_cpu(cpu) {
++ for_each_possible_cpu(cpu) {
+ unsigned int nr;
+
+ nr = per_cpu(nr_cpu_bp_pinned[type], cpu);
+@@ -233,7 +233,7 @@ toggle_bp_slot(struct perf_event *bp, bo
+ if (cpu >= 0) {
+ toggle_bp_task_slot(bp, cpu, enable, type, weight);
+ } else {
+- for_each_online_cpu(cpu)
++ for_each_possible_cpu(cpu)
+ toggle_bp_task_slot(bp, cpu, enable, type, weight);
+ }
+
--- /dev/null
+bluetooth-fix-crash-in-l2cap_build_cmd-with-small-mtu.patch
+hw_breakpoint-use-cpu_possible_mask-in-reserve-release-_bp_slot.patch
+dlci-acquire-rtnl_lock-before-calling-__dev_get_by_name.patch
+dlci-validate-the-net-device-in-dlci_del.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
