--- /dev/null
+From 1fa6535faf055cd71311ab887e94fc234f04ee18 Mon Sep 17 00:00:00 2001
+From: Henrik Rydberg <rydberg@euromail.se>
+Date: Sat, 25 Aug 2012 19:28:06 +0200
+Subject: Bluetooth: Add support for Apple vendor-specific devices
+
+From: Henrik Rydberg <rydberg@euromail.se>
+
+commit 1fa6535faf055cd71311ab887e94fc234f04ee18 upstream.
+
+As pointed out by Gustavo and Marcel, all Apple-specific Broadcom
+devices seen so far have the same interface class, subclass and
+protocol numbers. This patch adds an entry which matches all of them,
+using the new USB_VENDOR_AND_INTERFACE_INFO() macro.
+
+In particular, this patch adds support for the MacBook Pro Retina
+(05ac:8286), which is not in the present list.
+
+Signed-off-by: Henrik Rydberg <rydberg@euromail.se>
+Tested-by: Shea Levy <shea@shealevy.com>
+Acked-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/btusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -60,6 +60,9 @@ static struct usb_device_id btusb_table[
+ /* Generic Bluetooth USB device */
+ { USB_DEVICE_INFO(0xe0, 0x01, 0x01) },
+
++ /* Apple-specific (Broadcom) devices */
++ { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) },
++
+ /* Broadcom SoftSailing reporting vendor specific */
+ { USB_DEVICE(0x0a5c, 0x21e1) },
+
--- /dev/null
+From 61c964ba1748e984cb232b431582815899bf10fe Mon Sep 17 00:00:00 2001
+From: Manoj Iyer <manoj.iyer@canonical.com>
+Date: Tue, 10 Jul 2012 14:07:38 -0500
+Subject: Bluetooth: btusb: Add vendor specific ID (0a5c:21f4) BCM20702A0
+
+From: Manoj Iyer <manoj.iyer@canonical.com>
+
+commit 61c964ba1748e984cb232b431582815899bf10fe upstream.
+
+Patch adds support for BCM20702A0 device id (0a5c:21f4).
+
+usb-devices after patch was applied:
+T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
+D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0a5c ProdID=21f4 Rev=01.12
+S: Manufacturer=Broadcom Corp
+S: Product=BCM20702A0
+S: SerialNumber=E4D53DF154D6
+C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
+
+usb-devices before patch was applied:
+T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
+D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0a5c ProdID=21f4 Rev=01.12
+S: Manufacturer=Broadcom Corp
+S: Product=BCM20702A0
+S: SerialNumber=E4D53DF154D6
+C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
+I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
+I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
+
+Signed-off-by: Manoj Iyer <manoj.iyer@canonical.com>
+Tested-by: Chris Gagnon <chris.gagnon@canonical.com>
+Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -106,6 +106,7 @@ static struct usb_device_id btusb_table[
+ { USB_DEVICE(0x0a5c, 0x21e6) },
+ { USB_DEVICE(0x0a5c, 0x21e8) },
+ { USB_DEVICE(0x0a5c, 0x21f3) },
++ { USB_DEVICE(0x0a5c, 0x21f4) },
+ { USB_DEVICE(0x413c, 0x8197) },
+
+ /* Foxconn - Hon Hai */
--- /dev/null
+From cc110922da7e902b62d18641a370fec01a9fa794 Mon Sep 17 00:00:00 2001
+From: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
+Date: Thu, 23 Aug 2012 21:32:43 -0300
+Subject: Bluetooth: Change signature of smp_conn_security()
+
+From: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
+
+commit cc110922da7e902b62d18641a370fec01a9fa794 upstream.
+
+To make it clear that it may be called from contexts that may not have
+any knowledge of L2CAP, we change the connection parameter, to receive
+a hci_conn.
+
+This also makes it clear that it is checking the security of the link.
+
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
+Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/bluetooth/smp.h | 2 +-
+ net/bluetooth/l2cap_core.c | 11 ++++++-----
+ net/bluetooth/l2cap_sock.c | 2 +-
+ net/bluetooth/smp.c | 4 ++--
+ 4 files changed, 10 insertions(+), 9 deletions(-)
+
+--- a/include/net/bluetooth/smp.h
++++ b/include/net/bluetooth/smp.h
+@@ -136,7 +136,7 @@ struct smp_chan {
+ };
+
+ /* SMP Commands */
+-int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level);
++int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
+ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb);
+ int smp_distribute_keys(struct l2cap_conn *conn, __u8 force);
+ int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey);
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -937,14 +937,15 @@ static void l2cap_chan_ready(struct l2ca
+ static void l2cap_conn_ready(struct l2cap_conn *conn)
+ {
+ struct l2cap_chan *chan;
++ struct hci_conn *hcon = conn->hcon;
+
+ BT_DBG("conn %p", conn);
+
+- if (!conn->hcon->out && conn->hcon->type == LE_LINK)
++ if (!hcon->out && hcon->type == LE_LINK)
+ l2cap_le_conn_ready(conn);
+
+- if (conn->hcon->out && conn->hcon->type == LE_LINK)
+- smp_conn_security(conn, conn->hcon->pending_sec_level);
++ if (hcon->out && hcon->type == LE_LINK)
++ smp_conn_security(hcon, hcon->pending_sec_level);
+
+ mutex_lock(&conn->chan_lock);
+
+@@ -952,8 +953,8 @@ static void l2cap_conn_ready(struct l2ca
+
+ l2cap_chan_lock(chan);
+
+- if (conn->hcon->type == LE_LINK) {
+- if (smp_conn_security(conn, chan->sec_level))
++ if (hcon->type == LE_LINK) {
++ if (smp_conn_security(hcon, chan->sec_level))
+ l2cap_chan_ready(chan);
+
+ } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -588,7 +588,7 @@ static int l2cap_sock_setsockopt(struct
+ break;
+ }
+
+- if (smp_conn_security(conn, sec.level))
++ if (smp_conn_security(conn->hcon, sec.level))
+ break;
+ sk->sk_state = BT_CONFIG;
+ chan->state = BT_CONFIG;
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -753,9 +753,9 @@ static u8 smp_cmd_security_req(struct l2
+ return 0;
+ }
+
+-int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
++int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
+ {
+- struct hci_conn *hcon = conn->hcon;
++ struct l2cap_conn *conn = hcon->l2cap_data;
+ struct smp_chan *smp = conn->smp_chan;
+ __u8 authreq;
+
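Review bot: In the smp.c hunk, `conn` is now taken from `hcon->l2cap_data` and dereferenced on the very next line (`conn->smp_chan`) with no NULL check, even though the commit message says the function may be called from contexts that know nothing about L2CAP. If an LE `hci_conn` can reach this function while `l2cap_data` is unset, that is a NULL-pointer dereference in kernel context. The visible hunks do not rule this out, and the same concern applies to the `hci_conn_security()` caller added in net/bluetooth/hci_conn.c later in this series. I would declare `struct smp_chan *smp;` without the initializer, add a guard such as `if (!conn) return 1;`, and only then assign `smp = conn->smp_chan;`, with the return value chosen to match what callers treat as "nothing to do". The function body continues outside the hunk.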
--- /dev/null
+From d8343f125710fb596f7a88cd756679f14f4e77b9 Mon Sep 17 00:00:00 2001
+From: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
+Date: Thu, 23 Aug 2012 21:32:44 -0300
+Subject: Bluetooth: Fix sending a HCI Authorization Request over LE links
+
+From: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
+
+commit d8343f125710fb596f7a88cd756679f14f4e77b9 upstream.
+
+In the case that the link is already in the connected state and a
+Pairing request arrives from the mgmt interface, hci_conn_security()
+would be called but it was not considering LE links.
+
+Reported-by: João Paulo Rechi Vita <jprvita@openbossa.org>
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
+Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_conn.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -42,6 +42,7 @@
+
+ #include <net/bluetooth/bluetooth.h>
+ #include <net/bluetooth/hci_core.h>
++#include <net/bluetooth/smp.h>
+
+ static void hci_le_connect(struct hci_conn *conn)
+ {
+@@ -661,6 +662,9 @@ int hci_conn_security(struct hci_conn *c
+ {
+ BT_DBG("conn %p", conn);
+
++ if (conn->type == LE_LINK)
++ return smp_conn_security(conn, sec_level);
++
+ /* For sdp we don't need the link key. */
+ if (sec_level == BT_SECURITY_SDP)
+ return 1;
--- /dev/null
+From 61a0cfb008f57ecf7eb28ee762952fb42dc15d15 Mon Sep 17 00:00:00 2001
+From: Andre Guedes <andre.guedes@openbossa.org>
+Date: Wed, 1 Aug 2012 20:34:15 -0300
+Subject: Bluetooth: Fix use-after-free bug in SMP
+
+From: Andre Guedes <andre.guedes@openbossa.org>
+
+commit 61a0cfb008f57ecf7eb28ee762952fb42dc15d15 upstream.
+
+If SMP fails, we should always cancel security_timer delayed work.
+Otherwise, security_timer function may run after l2cap_conn object
+has been freed.
+
+This patch fixes the following warning reported by ODEBUG:
+
+WARNING: at lib/debugobjects.c:261 debug_print_object+0x7c/0x8d()
+Hardware name: Bochs
+ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x27
+Modules linked in: btusb bluetooth
+Pid: 440, comm: kworker/u:2 Not tainted 3.5.0-rc1+ #4
+Call Trace:
+ [<ffffffff81174600>] ? free_obj_work+0x4a/0x7f
+ [<ffffffff81023eb8>] warn_slowpath_common+0x7e/0x97
+ [<ffffffff81023f65>] warn_slowpath_fmt+0x41/0x43
+ [<ffffffff811746b1>] debug_print_object+0x7c/0x8d
+ [<ffffffff810394f0>] ? __queue_work+0x241/0x241
+ [<ffffffff81174fdd>] debug_check_no_obj_freed+0x92/0x159
+ [<ffffffff810ac08e>] slab_free_hook+0x6f/0x77
+ [<ffffffffa0019145>] ? l2cap_conn_del+0x148/0x157 [bluetooth]
+ [<ffffffff810ae408>] kfree+0x59/0xac
+ [<ffffffffa0019145>] l2cap_conn_del+0x148/0x157 [bluetooth]
+ [<ffffffffa001b9a2>] l2cap_recv_frame+0xa77/0xfa4 [bluetooth]
+ [<ffffffff810592f9>] ? trace_hardirqs_on_caller+0x112/0x1ad
+ [<ffffffffa001c86c>] l2cap_recv_acldata+0xe2/0x264 [bluetooth]
+ [<ffffffffa0002b2f>] hci_rx_work+0x235/0x33c [bluetooth]
+ [<ffffffff81038dc3>] ? process_one_work+0x126/0x2fe
+ [<ffffffff81038e22>] process_one_work+0x185/0x2fe
+ [<ffffffff81038dc3>] ? process_one_work+0x126/0x2fe
+ [<ffffffff81059f2e>] ? lock_acquired+0x1b5/0x1cf
+ [<ffffffffa00028fa>] ? le_scan_work+0x11d/0x11d [bluetooth]
+ [<ffffffff81036fb6>] ? spin_lock_irq+0x9/0xb
+ [<ffffffff81039209>] worker_thread+0xcf/0x175
+ [<ffffffff8103913a>] ? rescuer_thread+0x175/0x175
+ [<ffffffff8103cfe0>] kthread+0x95/0x9d
+ [<ffffffff812c5054>] kernel_threadi_helper+0x4/0x10
+ [<ffffffff812c36b0>] ? retint_restore_args+0x13/0x13
+ [<ffffffff8103cf4b>] ? flush_kthread_worker+0xdb/0xdb
+ [<ffffffff812c5050>] ? gs_change+0x13/0x13
+
+This bug can be reproduced using the hcitool lecc or l2test tools while
+bluetoothd is not running.
+
+Signed-off-by: Andre Guedes <andre.guedes@openbossa.org>
+Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/smp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -266,10 +266,10 @@ static void smp_failure(struct l2cap_con
+ mgmt_auth_failed(conn->hcon->hdev, conn->dst, hcon->type,
+ hcon->dst_type, reason);
+
+- if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
+- cancel_delayed_work_sync(&conn->security_timer);
++ cancel_delayed_work_sync(&conn->security_timer);
++
++ if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
+ smp_chan_destroy(conn);
+- }
+ }
+
+ #define JUST_WORKS 0x00
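Review bot: The now-unconditional `cancel_delayed_work_sync(&conn->security_timer)` in `smp_failure()` has no comment explaining why it must run even when `HCI_CONN_LE_SMP_PEND` is clear, so a later cleanup could fold it back under the flag test and reintroduce the use-after-free. I would add `/* Always cancel the timer on failure; otherwise it can fire after l2cap_conn has been freed */` above it. Because the `_sync` variant waits for a running work item, it is worth confirming that `smp_failure()` is never reached from the security_timer work itself and only runs where sleeping is allowed; the hunk does not show the callers. As a style point, adjacent lines mix `conn->hcon` and the local `hcon`, and using `hcon` throughout would read better. The start of `smp_failure()` is outside the hunk.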
--- /dev/null
+From 92c385f46b30f4954e9dd2d2005c12d233b479ea Mon Sep 17 00:00:00 2001
+From: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+Date: Mon, 6 Aug 2012 15:36:49 -0300
+Subject: Bluetooth: Use USB_VENDOR_AND_INTERFACE() for Broadcom devices
+
+From: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+
+commit 92c385f46b30f4954e9dd2d2005c12d233b479ea upstream.
+
+Many Broadcom devices have a vendor-specific device class; with this rule
+we match all existing and future controllers with this behavior.
+
+We also remove the old rules that match Broadcom devices by product id.
+
+Tested-by: John Hommel <john.hommel@hp.com>
+Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/btusb.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -102,16 +102,14 @@ static struct usb_device_id btusb_table[
+
+ /* Broadcom BCM20702A0 */
+ { USB_DEVICE(0x0489, 0xe042) },
+- { USB_DEVICE(0x0a5c, 0x21e3) },
+- { USB_DEVICE(0x0a5c, 0x21e6) },
+- { USB_DEVICE(0x0a5c, 0x21e8) },
+- { USB_DEVICE(0x0a5c, 0x21f3) },
+- { USB_DEVICE(0x0a5c, 0x21f4) },
+ { USB_DEVICE(0x413c, 0x8197) },
+
+ /* Foxconn - Hon Hai */
+ { USB_DEVICE(0x0489, 0xe033) },
+
++ /*Broadcom devices with vendor specific id */
++ { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01) },
++
+ { } /* Terminating entry */
+ };
+
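Review bot: The new comment `/*Broadcom devices with vendor specific id */` is missing the space after `/*` and does not say what the entry matches; something like `/* Broadcom devices with vendor specific interface class (ff/01/01) */` would be clearer. This entry binds btusb to every 0x0a5c interface with class 0xff, subclass 0x01, protocol 0x01, including controllers nobody has tested, so the comment should state that the match is deliberately a wildcard. After the removals, the `/* Broadcom BCM20702A0 */` group lists only IDs under vendors 0x0489 and 0x413c, which reads oddly next to the new vendor-wide rule.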
--- /dev/null
+From 3afc9621f15701c557e60f61eba9242bac2771dd Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 2 May 2012 11:41:30 +0800
+Subject: macvtap: zerocopy: fix offset calculation when building skb
+
+From: Jason Wang <jasowang@redhat.com>
+
+commit 3afc9621f15701c557e60f61eba9242bac2771dd upstream.
+
+This patch fixes the offset calculation when building skb:
+
+- offset1 were used as skb data offset not vector offset
+- reset offset to zero only when we advance to next vector
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/macvtap.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -506,10 +506,11 @@ static int zerocopy_sg_from_iovec(struct
+ if (copy > size) {
+ ++from;
+ --count;
+- }
++ offset = 0;
++ } else
++ offset += size;
+ copy -= size;
+ offset1 += size;
+- offset = 0;
+ }
+
+ if (len == offset1)
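Review bot: In the first loop of `zerocopy_sg_from_iovec()` the new `} else` branch is unbraced while the `if` branch is braced; kernel coding style wants braces on both branches when either needs them, i.e. `} else {`, `offset += size;`, `}`. After this change `offset` is the position inside the current vector and `offset1` the position in the skb data, but neither name says so, and the other two hunks of this patch depend on that distinction. A short comment at their declarations, or a more descriptive name for `offset1`, would make the mix-up fixed here harder to repeat. The loop header and the declarations are outside the hunk.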
+@@ -520,13 +521,13 @@ static int zerocopy_sg_from_iovec(struct
+ int num_pages;
+ unsigned long base;
+
+- len = from->iov_len - offset1;
++ len = from->iov_len - offset;
+ if (!len) {
+- offset1 = 0;
++ offset = 0;
+ ++from;
+ continue;
+ }
+- base = (unsigned long)from->iov_base + offset1;
++ base = (unsigned long)from->iov_base + offset;
+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT;
+ if (i + size > MAX_SKB_FRAGS)
+ return -EMSGSIZE;
+@@ -548,7 +549,7 @@ static int zerocopy_sg_from_iovec(struct
+ len -= size;
+ i++;
+ }
+- offset1 = 0;
++ offset = 0;
+ ++from;
+ }
+ return 0;
--- /dev/null
+From 4ef67ebedffa44ed9939b34708ac2fee06d2f65f Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 2 May 2012 11:41:44 +0800
+Subject: macvtap: zerocopy: fix truesize underestimation
+
+From: Jason Wang <jasowang@redhat.com>
+
+commit 4ef67ebedffa44ed9939b34708ac2fee06d2f65f upstream.
+
+As the skb fragment were pinned/built from user pages, we should
+account the page instead of length for truesize.
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/macvtap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -520,6 +520,7 @@ static int zerocopy_sg_from_iovec(struct
+ struct page *page[MAX_SKB_FRAGS];
+ int num_pages;
+ unsigned long base;
++ unsigned long truesize;
+
+ len = from->iov_len - offset;
+ if (!len) {
+@@ -535,10 +536,11 @@ static int zerocopy_sg_from_iovec(struct
+ if (num_pages != size)
+ /* put_page is in skb free */
+ return -EFAULT;
++ truesize = size * PAGE_SIZE;
+ skb->data_len += len;
+ skb->len += len;
+- skb->truesize += len;
+- atomic_add(len, &skb->sk->sk_wmem_alloc);
++ skb->truesize += truesize;
++ atomic_add(truesize, &skb->sk->sk_wmem_alloc);
+ while (len) {
+ int off = base & ~PAGE_MASK;
+ int size = min_t(int, len, PAGE_SIZE - off);
--- /dev/null
+From 02ce04bb3d28c3333231f43bca677228dbc686fe Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 2 May 2012 11:41:58 +0800
+Subject: macvtap: zerocopy: put page when fail to get all requested user pages
+
+From: Jason Wang <jasowang@redhat.com>
+
+commit 02ce04bb3d28c3333231f43bca677228dbc686fe upstream.
+
+When get_user_pages_fast() fails to get all requested pages, we could not use
+kfree_skb() to free it as it has not been put in the skb fragments. So we need
+to call put_page() instead.
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/macvtap.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -533,9 +533,10 @@ static int zerocopy_sg_from_iovec(struct
+ if (i + size > MAX_SKB_FRAGS)
+ return -EMSGSIZE;
+ num_pages = get_user_pages_fast(base, size, 0, &page[i]);
+- if (num_pages != size)
+- /* put_page is in skb free */
+- return -EFAULT;
++ if (num_pages != size) {
++ for (i = 0; i < num_pages; i++)
++ put_page(page[i]);
++ }
+ truesize = size * PAGE_SIZE;
+ skb->data_len += len;
+ skb->len += len;
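Review bot: The failure branch for `get_user_pages_fast()` no longer returns, because the removed `return -EFAULT;` is not re-added inside the new braces. After releasing the pages, execution falls through and accounts `truesize`, `skb->data_len` and `skb->len` for pages that are no longer pinned. The release loop also reuses `i`, the fragment index passed as `&page[i]` in the call above, so it puts `page[0..num_pages)` rather than the slots just filled and leaves `i` clobbered. If `i` was non-zero, the earlier entries presumably already belong to skb fragments (the removed comment says put_page happens in skb free) and would be released twice. The surrounding loop starts and ends outside the hunk.

```c
num_pages = get_user_pages_fast(base, size, 0, &page[i]);
if (num_pages != size) {
	int j;

	/* release only the pages pinned by this call */
	for (j = 0; j < num_pages; j++)
		put_page(page[i + j]);
	return -EFAULT;
}
/* … unchanged: truesize and skb length accounting … */
```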
--- /dev/null
+From 01d6657b388438def19c8baaea28e742b6ed32ec Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 2 May 2012 11:42:06 +0800
+Subject: macvtap: zerocopy: set SKBTX_DEV_ZEROCOPY only when skb is built successfully
+
+From: Jason Wang <jasowang@redhat.com>
+
+commit 01d6657b388438def19c8baaea28e742b6ed32ec upstream.
+
+Currently SKBTX_DEV_ZEROCOPY is set unconditionally after
+zerocopy_sg_from_iovec(). This leads to a NULL pointer dereference when
+macvtap fails to build the zerocopy skb, because destructor_arg was not
+initialized. Solve this by setting the flag only after the skb has been
+built successfully.
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/macvtap.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -716,10 +716,9 @@ static ssize_t macvtap_get_user(struct m
+ if (!skb)
+ goto err;
+
+- if (zerocopy) {
++ if (zerocopy)
+ err = zerocopy_sg_from_iovec(skb, iv, vnet_hdr_len, count);
+- skb_shinfo(skb)->tx_flags |= SKBTX_DEV_ZEROCOPY;
+- } else
++ else
+ err = skb_copy_datagram_from_iovec(skb, 0, iv, vnet_hdr_len,
+ len);
+ if (err)
+@@ -738,8 +737,10 @@ static ssize_t macvtap_get_user(struct m
+ rcu_read_lock_bh();
+ vlan = rcu_dereference_bh(q->vlan);
+ /* copy skb_ubuf_info for callback when skb has no error */
+- if (zerocopy)
++ if (zerocopy) {
+ skb_shinfo(skb)->destructor_arg = m->msg_control;
++ skb_shinfo(skb)->tx_flags |= SKBTX_DEV_ZEROCOPY;
++ }
+ if (vlan)
+ macvlan_start_xmit(skb, vlan->dev);
+ else
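Review bot: The block in `macvtap_get_user()` that now sets both `destructor_arg` and `SKBTX_DEV_ZEROCOPY` keeps only the old comment about copying skb_ubuf_info, which does not record the ordering constraint this patch establishes. I would extend it to something like `/* set SKBTX_DEV_ZEROCOPY only together with destructor_arg: freeing a flagged skb uses destructor_arg */`, so the flag is not later moved back next to `zerocopy_sg_from_iovec()`. It is also worth confirming, outside this hunk, that `zerocopy` can only be true when `m` and `m->msg_control` are non-NULL; otherwise the success path would set the flag with a NULL `destructor_arg`. The function starts and ends outside the hunk.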
md-raid10-fix-problem-with-on-stack-allocation-of-r10bio-structure.patch
workqueue-unbound-rebind-morphing-in-rebind_workers-should-be-atomic.patch
x86-fix-boot-on-twinhead-h12y.patch
+macvtap-zerocopy-fix-offset-calculation-when-building-skb.patch
+macvtap-zerocopy-fix-truesize-underestimation.patch
+macvtap-zerocopy-put-page-when-fail-to-get-all-requested-user-pages.patch
+macvtap-zerocopy-set-skbtx_dev_zerocopy-only-when-skb-is-built-successfully.patch
+bluetooth-btusb-add-vendor-specific-id-0a5c-21f4-bcm20702a0.patch
+bluetooth-use-usb_vendor_and_interface-for-broadcom-devices.patch
+bluetooth-add-support-for-apple-vendor-specific-devices.patch
+bluetooth-fix-use-after-free-bug-in-smp.patch
+bluetooth-change-signature-of-smp_conn_security.patch
+bluetooth-fix-sending-a-hci-authorization-request-over-le-links.patch