--- /dev/null
+From 94324962066231a938564bebad0f941cd2d06bb2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Thu, 15 Mar 2012 14:48:41 +0100
+Subject: Bluetooth: hci_core: fix NULL-pointer dereference at unregister
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 94324962066231a938564bebad0f941cd2d06bb2 upstream.
+
+Make sure hci_dev_open returns immediately if hci_dev_unregister has
+been called.
+
+This fixes a race between hci_dev_open and hci_dev_unregister which can
+lead to a NULL-pointer dereference.
+
+Bug is 100% reproducible using hciattach and a disconnected serial port:
+
+0. # hciattach -n /dev/ttyO1 any noflow
+
+1. hci_dev_open called from hci_power_on grabs req lock
+2. hci_init_req executes but device fails to initialise (times out
+ eventually)
+3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
+4. hci_uart_tty_close calls hci_dev_unregister and sleeps on req lock in
+ hci_dev_do_close
+5. hci_dev_open (1) releases req lock
+6. hci_dev_do_close grabs req lock and returns as device is not up
+7. hci_dev_unregister sleeps in destroy_workqueue
+8. hci_dev_open (3) grabs req lock, calls hci_init_req and eventually sleeps
+9. hci_dev_unregister finishes, while hci_dev_open is still running...
+
+[ 79.627136] INFO: trying to register non-static key.
+[ 79.632354] the code is fine but needs lockdep annotation.
+[ 79.638122] turning off the locking correctness validator.
+[ 79.643920] [<c00188bc>] (unwind_backtrace+0x0/0xf8) from [<c00729c4>] (__lock_acquire+0x1590/0x1ab0)
+[ 79.653594] [<c00729c4>] (__lock_acquire+0x1590/0x1ab0) from [<c00733f8>] (lock_acquire+0x9c/0x128)
+[ 79.663085] [<c00733f8>] (lock_acquire+0x9c/0x128) from [<c0040a88>] (run_timer_softirq+0x150/0x3ac)
+[ 79.672668] [<c0040a88>] (run_timer_softirq+0x150/0x3ac) from [<c003a3b8>] (__do_softirq+0xd4/0x22c)
+[ 79.682281] [<c003a3b8>] (__do_softirq+0xd4/0x22c) from [<c003a924>] (irq_exit+0x8c/0x94)
+[ 79.690856] [<c003a924>] (irq_exit+0x8c/0x94) from [<c0013a50>] (handle_IRQ+0x34/0x84)
+[ 79.699157] [<c0013a50>] (handle_IRQ+0x34/0x84) from [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c)
+[ 79.708648] [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c) from [<c037499c>] (__irq_usr+0x3c/0x60)
+[ 79.718048] Exception stack(0xcf281fb0 to 0xcf281ff8)
+[ 79.723358] 1fa0: 0001e6a0 be8dab00 0001e698 00036698
+[ 79.731933] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
+[ 79.740509] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff
+[ 79.747497] Unable to handle kernel NULL pointer dereference at virtual address 00000000
+[ 79.756011] pgd = cf3b4000
+[ 79.758850] [00000000] *pgd=8f0c7831, *pte=00000000, *ppte=00000000
+[ 79.765502] Internal error: Oops: 80000007 [#1]
+[ 79.770294] Modules linked in:
+[ 79.773529] CPU: 0 Tainted: G W (3.3.0-rc6-00002-gb5d5c87 #421)
+[ 79.781066] PC is at 0x0
+[ 79.783721] LR is at run_timer_softirq+0x16c/0x3ac
+[ 79.788787] pc : [<00000000>] lr : [<c0040aa4>] psr: 60000113
+[ 79.788787] sp : cf281ee0 ip : 00000000 fp : cf280000
+[ 79.800903] r10: 00000004 r9 : 00000100 r8 : b6f234d0
+[ 79.806427] r7 : c0519c28 r6 : cf093488 r5 : c0561a00 r4 : 00000000
+[ 79.813323] r3 : 00000000 r2 : c054eee0 r1 : 00000001 r0 : 00000000
+[ 79.820190] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+[ 79.827728] Control: 10c5387d Table: 8f3b4019 DAC: 00000015
+[ 79.833801] Process gpsd (pid: 1265, stack limit = 0xcf2802e8)
+[ 79.839965] Stack: (0xcf281ee0 to 0xcf282000)
+[ 79.844573] 1ee0: 00000002 00000000 c0040a24 00000000 00000002 cf281f08 00200200 00000000
+[ 79.853210] 1f00: 00000000 cf281f18 cf281f08 00000000 00000000 00000000 cf281f18 cf281f18
+[ 79.861816] 1f20: 00000000 00000001 c056184c 00000000 00000001 b6f234d0 c0561848 00000004
+[ 79.870452] 1f40: cf280000 c003a3b8 c051e79c 00000001 00000000 00000100 3fa9e7b8 0000000a
+[ 79.879089] 1f60: 00000025 cf280000 00000025 00000000 00000000 b6f234d0 00000000 00000004
+[ 79.887756] 1f80: 00000000 c003a924 c053ad38 c0013a50 fa200000 cf281fb0 ffffffff c0008530
+[ 79.896362] 1fa0: 0001e6a0 0000aab8 80000010 c037499c 0001e6a0 be8dab00 0001e698 00036698
+[ 79.904998] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
+[ 79.913665] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff 00fbf700 04ffff00
+[ 79.922302] [<c0040aa4>] (run_timer_softirq+0x16c/0x3ac) from [<c003a3b8>] (__do_softirq+0xd4/0x22c)
+[ 79.931945] [<c003a3b8>] (__do_softirq+0xd4/0x22c) from [<c003a924>] (irq_exit+0x8c/0x94)
+[ 79.940582] [<c003a924>] (irq_exit+0x8c/0x94) from [<c0013a50>] (handle_IRQ+0x34/0x84)
+[ 79.948913] [<c0013a50>] (handle_IRQ+0x34/0x84) from [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c)
+[ 79.958404] [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c) from [<c037499c>] (__irq_usr+0x3c/0x60)
+[ 79.967773] Exception stack(0xcf281fb0 to 0xcf281ff8)
+[ 79.973083] 1fa0: 0001e6a0 be8dab00 0001e698 00036698
+[ 79.981658] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
+[ 79.990234] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff
+[ 79.997161] Code: bad PC value
+[ 80.000396] ---[ end trace 6f6739840475f9ee ]---
+[ 80.005279] Kernel panic - not syncing: Fatal exception in interrupt
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Acked-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/bluetooth/hci.h | 1 +
+ net/bluetooth/hci_core.c | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -84,6 +84,7 @@ enum {
+ HCI_SERVICE_CACHE,
+ HCI_LINK_KEYS,
+ HCI_DEBUG_KEYS,
++ HCI_UNREGISTER,
+
+ HCI_RESET,
+ };
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -525,6 +525,11 @@ int hci_dev_open(__u16 dev)
+
+ hci_req_lock(hdev);
+
++ if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
++ ret = -ENODEV;
++ goto done;
++ }
++
+ if (hdev->rfkill && rfkill_blocked(hdev->rfkill)) {
+ ret = -ERFKILL;
+ goto done;
+@@ -1577,6 +1582,8 @@ void hci_unregister_dev(struct hci_dev *
+
+ BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
+
++ set_bit(HCI_UNREGISTER, &hdev->dev_flags);
++
+ write_lock(&hci_dev_list_lock);
+ list_del(&hdev->list);
+ write_unlock(&hci_dev_list_lock);
--- /dev/null
+From 33b69bf80a3704d45341928e4ff68b6ebd470686 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Thu, 15 Mar 2012 14:48:40 +0100
+Subject: Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 33b69bf80a3704d45341928e4ff68b6ebd470686 upstream.
+
+Do not close protocol driver until device has been unregistered.
+
+This fixes a race between tty_close and hci_dev_open which can result in
+a NULL-pointer dereference.
+
+The line discipline closes the protocol driver while we may still have
+hci_dev_open sleeping on the req_lock mutex resulting in a NULL-pointer
+dereference when lock is acquired and hci_init_req called.
+
+Bug is 100% reproducible using hciattach and a disconnected serial port:
+
+0. # hciattach -n ttyO1 any noflow
+
+1. hci_dev_open called from hci_power_on grabs req lock
+2. hci_init_req executes but device fails to initialise (times out
+ eventually)
+3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
+4. hci_uart_tty_close detaches protocol driver and cancels init req
+5. hci_dev_open (1) releases req lock
+6. hci_dev_open (3) grabs req lock, calls hci_init_req, which triggers oops
+ when request is prepared in hci_uart_send_frame
+
+[ 137.201263] Unable to handle kernel NULL pointer dereference at virtual address 00000028
+[ 137.209838] pgd = c0004000
+[ 137.212677] [00000028] *pgd=00000000
+[ 137.216430] Internal error: Oops: 17 [#1]
+[ 137.220642] Modules linked in:
+[ 137.223846] CPU: 0 Tainted: G W (3.3.0-rc6-dirty #406)
+[ 137.230529] PC is at __lock_acquire+0x5c/0x1ab0
+[ 137.235290] LR is at lock_acquire+0x9c/0x128
+[ 137.239776] pc : [<c0071490>] lr : [<c00733f8>] psr: 20000093
+[ 137.239776] sp : cf869dd8 ip : c0529554 fp : c051c730
+[ 137.251800] r10: 00000000 r9 : cf8673c0 r8 : 00000080
+[ 137.257293] r7 : 00000028 r6 : 00000002 r5 : 00000000 r4 : c053fd70
+[ 137.264129] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : 00000001
+[ 137.270965] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
+[ 137.278717] Control: 10c5387d Table: 8f0f4019 DAC: 00000015
+[ 137.284729] Process kworker/u:1 (pid: 7, stack limit = 0xcf8682e8)
+[ 137.291229] Stack: (0xcf869dd8 to 0xcf86a000)
+[ 137.295776] 9dc0: c0529554 00000000
+[ 137.304351] 9de0: cf8673c0 cf868000 d03ea1ef cf868000 000001ef 00000470 00000000 00000002
+[ 137.312927] 9e00: cf8673c0 00000001 c051c730 c00716ec 0000000c 00000440 c0529554 00000001
+[ 137.321533] 9e20: c051c730 cf868000 d03ea1f3 00000000 c053b978 00000000 00000028 cf868000
+[ 137.330078] 9e40: 00000000 00000000 00000002 00000000 00000000 c00733f8 00000002 00000080
+[ 137.338684] 9e60: 00000000 c02a1d50 00000000 00000001 60000013 c0969a1c 60000093 c053b96c
+[ 137.347259] 9e80: 00000002 00000018 20000013 c02a1d50 cf0ac000 00000000 00000002 cf868000
+[ 137.355834] 9ea0: 00000089 c0374130 00000002 00000000 c02a1d50 cf0ac000 0000000c cf0fc540
+[ 137.364410] 9ec0: 00000018 c02a1d50 cf0fc540 00000000 cf0fc540 c0282238 c028220c cf178d80
+[ 137.372985] 9ee0: 127525d8 c02821cc 9a1fa451 c032727c 9a1fa451 127525d8 cf0fc540 cf0ac4ec
+[ 137.381561] 9f00: cf0ac000 cf0fc540 cf0ac584 c03285f4 c0328580 cf0ac4ec cf85c740 c05510cc
+[ 137.390136] 9f20: ce825400 c004c914 00000002 00000000 c004c884 ce8254f5 cf869f48 00000000
+[ 137.398712] 9f40: c0328580 ce825415 c0a7f914 c061af64 00000000 c048cf3c cf8673c0 cf85c740
+[ 137.407287] 9f60: c05510cc c051a66c c05510ec c05510c4 cf85c750 cf868000 00000089 c004d6ac
+[ 137.415863] 9f80: 00000000 c0073d14 00000001 cf853ed8 cf85c740 c004d558 00000013 00000000
+[ 137.424438] 9fa0: 00000000 00000000 00000000 c00516b0 00000000 00000000 cf85c740 00000000
+[ 137.433013] 9fc0: 00000001 dead4ead ffffffff ffffffff c0551674 00000000 00000000 c0450aa4
+[ 137.441589] 9fe0: cf869fe0 cf869fe0 cf853ed8 c005162c c0013b30 c0013b30 00ffff00 00ffff00
+[ 137.450164] [<c0071490>] (__lock_acquire+0x5c/0x1ab0) from [<c00733f8>] (lock_acquire+0x9c/0x128)
+[ 137.459503] [<c00733f8>] (lock_acquire+0x9c/0x128) from [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58)
+[ 137.469360] [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58) from [<c02a1d50>] (skb_queue_tail+0x18/0x48)
+[ 137.479339] [<c02a1d50>] (skb_queue_tail+0x18/0x48) from [<c0282238>] (h4_enqueue+0x2c/0x34)
+[ 137.488189] [<c0282238>] (h4_enqueue+0x2c/0x34) from [<c02821cc>] (hci_uart_send_frame+0x34/0x68)
+[ 137.497497] [<c02821cc>] (hci_uart_send_frame+0x34/0x68) from [<c032727c>] (hci_send_frame+0x50/0x88)
+[ 137.507171] [<c032727c>] (hci_send_frame+0x50/0x88) from [<c03285f4>] (hci_cmd_work+0x74/0xd4)
+[ 137.516204] [<c03285f4>] (hci_cmd_work+0x74/0xd4) from [<c004c914>] (process_one_work+0x1a0/0x4ec)
+[ 137.525604] [<c004c914>] (process_one_work+0x1a0/0x4ec) from [<c004d6ac>] (worker_thread+0x154/0x344)
+[ 137.535278] [<c004d6ac>] (worker_thread+0x154/0x344) from [<c00516b0>] (kthread+0x84/0x90)
+[ 137.543975] [<c00516b0>] (kthread+0x84/0x90) from [<c0013b30>] (kernel_thread_exit+0x0/0x8)
+[ 137.552734] Code: e59f4e5c e5941000 e3510000 0a000031 (e5971000)
+[ 137.559234] ---[ end trace 1b75b31a2719ed1e ]---
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Acked-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/hci_ldisc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -310,11 +310,11 @@ static void hci_uart_tty_close(struct tt
+ hci_uart_close(hdev);
+
+ if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {
+- hu->proto->close(hu);
+ if (hdev) {
+ hci_unregister_dev(hdev);
+ hci_free_dev(hdev);
+ }
++ hu->proto->close(hu);
+ }
+ }
+ }
--- /dev/null
+From e72acc13c770a82b4ce4a07e9716f29320eae0f8 Mon Sep 17 00:00:00 2001
+From: Andre Guedes <andre.guedes@openbossa.org>
+Date: Fri, 27 Jan 2012 19:42:03 -0300
+Subject: Bluetooth: Remove unneeded locking
+
+From: Andre Guedes <andre.guedes@openbossa.org>
+
+commit e72acc13c770a82b4ce4a07e9716f29320eae0f8 upstream.
+
+We don't need locking hdev in hci_conn_timeout() since it doesn't
+access any hdev's shared resources, it basically queues HCI commands.
+
+Signed-off-by: Andre Guedes <andre.guedes@openbossa.org>
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
+Reviewed-by: Ulisses Furquim <ulisses@profusion.mobi>
+Acked-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Tested-by: Alexander Holler <holler@ahsoftware.de>
+[reported to fix lockups on battery-powered bluetooth devices - gregkh]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_conn.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -279,7 +279,6 @@ static void hci_conn_timeout(struct work
+ {
+ struct hci_conn *conn = container_of(work, struct hci_conn,
+ disc_work.work);
+- struct hci_dev *hdev = conn->hdev;
+ __u8 reason;
+
+ BT_DBG("conn %p state %d", conn, conn->state);
+@@ -287,8 +286,6 @@ static void hci_conn_timeout(struct work
+ if (atomic_read(&conn->refcnt))
+ return;
+
+- hci_dev_lock(hdev);
+-
+ switch (conn->state) {
+ case BT_CONNECT:
+ case BT_CONNECT2:
+@@ -308,8 +305,6 @@ static void hci_conn_timeout(struct work
+ conn->state = BT_CLOSED;
+ break;
+ }
+-
+- hci_dev_unlock(hdev);
+ }
+
+ /* Enter sniff mode */
--- /dev/null
+From 8e62c2de6e23e5c1fee04f59de51b54cc2868ca5 Mon Sep 17 00:00:00 2001
+From: Chris Mason <chris.mason@oracle.com>
+Date: Thu, 12 Apr 2012 13:46:48 -0400
+Subject: Revert "Btrfs: increase the global block reserve estimates"
+
+From: Chris Mason <chris.mason@oracle.com>
+
+commit 8e62c2de6e23e5c1fee04f59de51b54cc2868ca5 upstream.
+
+This reverts commit 5500cdbe14d7435e04f66ff3cfb8ecd8b8e44ebf.
+
+We've had a number of complaints of early enospc that bisect down
+to this patch. We'll hae to fix the reservations differently.
+
+Signed-off-by: Chris Mason <chris.mason@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -4110,7 +4110,7 @@ static u64 calc_global_metadata_size(str
+ num_bytes += div64_u64(data_used + meta_used, 50);
+
+ if (num_bytes * 3 > meta_used)
+- num_bytes = div64_u64(meta_used, 3) * 2;
++ num_bytes = div64_u64(meta_used, 3);
+
+ return ALIGN(num_bytes, fs_info->extent_root->leafsize << 10);
+ }
arm-7384-1-thumbee-disable-userspace-teehbr-access-for-config_arm_thumbee.patch
md-raid1-raid10-fix-calculation-of-vcnt-when-processing-error-recovery.patch
md-bitmap-prevent-bitmap_daemon_work-running-while-initialising-bitmap.patch
+bluetooth-hci_ldisc-fix-null-pointer-dereference-on-tty_close.patch
+bluetooth-hci_core-fix-null-pointer-dereference-at-unregister.patch
+bluetooth-remove-unneeded-locking.patch
+revert-btrfs-increase-the-global-block-reserve-estimates.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
