--- /dev/null
+From 28c971d82fb58ef7cba22e5308be6d2d2590473d Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+Date: Wed, 10 Feb 2016 00:49:11 +0300
+Subject: Bluetooth: Add new AR3012 ID 0489:e095
+
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+
+commit 28c971d82fb58ef7cba22e5308be6d2d2590473d upstream.
+
+T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#= 3 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0489 ProdID=e095 Rev=00.01
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+This device requires ar3k/AthrBT_0x31010100.dfu and
+ar3k/ramps_0x31010100_40.dfu firmware files that are not in
+linux-firmware yet.
+
+BugLink: https://bugs.launchpad.net/bugs/1542944
+
+Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/ath3k.c | 2 ++
+ drivers/bluetooth/btusb.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -82,6 +82,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x0489, 0xe05f) },
+ { USB_DEVICE(0x0489, 0xe076) },
+ { USB_DEVICE(0x0489, 0xe078) },
++ { USB_DEVICE(0x0489, 0xe095) },
+ { USB_DEVICE(0x04c5, 0x1330) },
+ { USB_DEVICE(0x04CA, 0x3004) },
+ { USB_DEVICE(0x04CA, 0x3005) },
+@@ -147,6 +148,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0489, 0xe095), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -196,6 +196,7 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0489, 0xe095), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
--- /dev/null
+From 6a0e78072c2ae7b20b14e0249d8108441ea928d2 Mon Sep 17 00:00:00 2001
+From: Johan Hedberg <johan.hedberg@intel.com>
+Date: Fri, 11 Mar 2016 09:56:33 +0200
+Subject: Bluetooth: Fix potential buffer overflow with Add Advertising
+
+From: Johan Hedberg <johan.hedberg@intel.com>
+
+commit 6a0e78072c2ae7b20b14e0249d8108441ea928d2 upstream.
+
+The Add Advertising command handler does the appropriate checks for
+the AD and Scan Response data, however fails to take into account the
+general length of the mgmt command itself, which could lead to
+potential buffer overflows. This patch adds the necessary check that
+the mgmt command length is consistent with the given ad and scan_rsp
+lengths.
+
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/mgmt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -7155,6 +7155,10 @@ static int add_advertising(struct sock *
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
+ status);
+
++ if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
++ MGMT_STATUS_INVALID_PARAMS);
++
+ flags = __le32_to_cpu(cp->flags);
+ timeout = __le16_to_cpu(cp->timeout);
+ duration = __le16_to_cpu(cp->duration);
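Review bot: The added check `if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)` already reads two fields of `cp`, so it is only sound if `data_len >= sizeof(*cp)` was enforced before add_advertising() was entered. That guarantee is not visible in this hunk and presumably comes from the mgmt dispatcher's minimum-size check, so a short comment above the check would record it, e.g. `/* cp header is readable: dispatcher guarantees data_len >= sizeof(*cp) */`. The two length fields look like single-byte values, in which case the sum cannot wrap, but that should be confirmed against the struct definition. The body of add_advertising() starts and ends outside the hunk.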
--- /dev/null
+From 2b021cbf3cb6208f0d40fd2f1869f237934340ed Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Tue, 15 Mar 2016 20:43:04 -0400
+Subject: cgroup: ignore css_sets associated with dead cgroups during migration
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 2b021cbf3cb6208f0d40fd2f1869f237934340ed upstream.
+
+Before 2e91fa7f6d45 ("cgroup: keep zombies associated with their
+original cgroups"), all dead tasks were associated with init_css_set.
+If a zombie task is requested for migration, while migration prep
+operations would still be performed on init_css_set, the actual
+migration would ignore zombie tasks. As init_css_set is always valid,
+this worked fine.
+
+However, after 2e91fa7f6d45, zombie tasks stay with the css_set it was
+associated with at the time of death. Let's say a task T associated
+with cgroup A on hierarchy H-1 and cgroup B on hiearchy H-2. After T
+becomes a zombie, it would still remain associated with A and B. If A
+only contains zombie tasks, it can be removed. On removal, A gets
+marked offline but stays pinned until all zombies are drained. At
+this point, if migration is initiated on T to a cgroup C on hierarchy
+H-2, migration path would try to prepare T's css_set for migration and
+trigger the following.
+
+ WARNING: CPU: 0 PID: 1576 at kernel/cgroup.c:474 cgroup_get+0x121/0x160()
+ CPU: 0 PID: 1576 Comm: bash Not tainted 4.4.0-work+ #289
+ ...
+ Call Trace:
+ [<ffffffff8127e63c>] dump_stack+0x4e/0x82
+ [<ffffffff810445e8>] warn_slowpath_common+0x78/0xb0
+ [<ffffffff810446d5>] warn_slowpath_null+0x15/0x20
+ [<ffffffff810c33e1>] cgroup_get+0x121/0x160
+ [<ffffffff810c349b>] link_css_set+0x7b/0x90
+ [<ffffffff810c4fbc>] find_css_set+0x3bc/0x5e0
+ [<ffffffff810c5269>] cgroup_migrate_prepare_dst+0x89/0x1f0
+ [<ffffffff810c7547>] cgroup_attach_task+0x157/0x230
+ [<ffffffff810c7a17>] __cgroup_procs_write+0x2b7/0x470
+ [<ffffffff810c7bdc>] cgroup_tasks_write+0xc/0x10
+ [<ffffffff810c4790>] cgroup_file_write+0x30/0x1b0
+ [<ffffffff811c68fc>] kernfs_fop_write+0x13c/0x180
+ [<ffffffff81151673>] __vfs_write+0x23/0xe0
+ [<ffffffff81152494>] vfs_write+0xa4/0x1a0
+ [<ffffffff811532d4>] SyS_write+0x44/0xa0
+ [<ffffffff814af2d7>] entry_SYSCALL_64_fastpath+0x12/0x6f
+
+It doesn't make sense to prepare migration for css_sets pointing to
+dead cgroups as they are guaranteed to contain only zombies which are
+ignored later during migration. This patch makes cgroup destruction
+path mark all affected css_sets as dead and updates the migration path
+to ignore them during preparation.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Fixes: 2e91fa7f6d45 ("cgroup: keep zombies associated with their original cgroups")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/cgroup-defs.h | 3 +++
+ kernel/cgroup.c | 20 ++++++++++++++++++--
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+--- a/include/linux/cgroup-defs.h
++++ b/include/linux/cgroup-defs.h
+@@ -216,6 +216,9 @@ struct css_set {
+ /* all css_task_iters currently walking this cset */
+ struct list_head task_iters;
+
++ /* dead and being drained, ignore for migration */
++ bool dead;
++
+ /* For RCU-protected deletion */
+ struct rcu_head rcu_head;
+ };
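Review bot: The comment on the new `dead` field states its purpose but not its locking rule or lifetime. In the kernel/cgroup.c hunks of this patch the flag is written under `css_set_lock` in cgroup_destroy_locked() and read in cgroup_migrate_add_src(), where `css_set_lock` is asserted held, and no visible hunk ever clears it. The field comment could say so: `/* dead and being drained, ignore for migration; set once under css_set_lock */`. The definition of struct css_set begins outside the hunk.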
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -2498,6 +2498,14 @@ static void cgroup_migrate_add_src(struc
+ lockdep_assert_held(&cgroup_mutex);
+ lockdep_assert_held(&css_set_lock);
+
++ /*
++ * If ->dead, @src_set is associated with one or more dead cgroups
++ * and doesn't contain any migratable tasks. Ignore it early so
++ * that the rest of migration path doesn't get confused by it.
++ */
++ if (src_cset->dead)
++ return;
++
+ src_cgrp = cset_cgroup_from_root(src_cset, dst_cgrp->root);
+
+ if (!list_empty(&src_cset->mg_preload_node))
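Review bot: The added comment refers to `@src_set`, but the identifier tested directly below it is `src_cset`, so the reference should read `@src_cset` to match the code. The comment could also note that the early `return` happens before the `mg_preload_node` check, which means a dead cset is never queued for migration preparation; that is the property the rest of the path relies on. The body of cgroup_migrate_add_src() starts and continues outside the hunk.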
+@@ -5131,6 +5139,7 @@ static int cgroup_destroy_locked(struct
+ __releases(&cgroup_mutex) __acquires(&cgroup_mutex)
+ {
+ struct cgroup_subsys_state *css;
++ struct cgrp_cset_link *link;
+ int ssid;
+
+ lockdep_assert_held(&cgroup_mutex);
+@@ -5151,11 +5160,18 @@ static int cgroup_destroy_locked(struct
+ return -EBUSY;
+
+ /*
+- * Mark @cgrp dead. This prevents further task migration and child
+- * creation by disabling cgroup_lock_live_group().
++ * Mark @cgrp and the associated csets dead. The former prevents
++ * further task migration and child creation by disabling
++ * cgroup_lock_live_group(). The latter makes the csets ignored by
++ * the migration path.
+ */
+ cgrp->self.flags &= ~CSS_ONLINE;
+
++ spin_lock_bh(&css_set_lock);
++ list_for_each_entry(link, &cgrp->cset_links, cset_link)
++ link->cset->dead = true;
++ spin_unlock_bh(&css_set_lock);
++
+ /* initiate massacre of all css's */
+ for_each_css(css, ssid, cgrp)
+ kill_css(css);
ia64-define-ioremap_uc.patch
watchdog-don-t-run-proc_watchdog_update-if-new-value-is-same-as-old.patch
watchdog-rc32434_wdt-fix-ioctl-error-handling.patch
+bluetooth-add-new-ar3012-id-0489-e095.patch
+bluetooth-fix-potential-buffer-overflow-with-add-advertising.patch
+cgroup-ignore-css_sets-associated-with-dead-cgroups-during-migration.patch