From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 23 Jul 2014 00:20:24 +0000 (-0700)
Subject: 3.10-stable patches
X-Git-Tag: v3.4.100~28
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=007dad2d20bdfc87fadf8424da1929b5d7330884;p=thirdparty%2Fkernel%2Fstable-queue.git

3.10-stable patches

added patches:
	bluetooth-ignore-h5-non-link-packets-in-non-active-state.patch
	drivers-hv-util-fix-a-bug-in-the-kvp-code.patch
	fuse-handle-large-user-and-group-id.patch
---

diff --git a/queue-3.10/bluetooth-ignore-h5-non-link-packets-in-non-active-state.patch b/queue-3.10/bluetooth-ignore-h5-non-link-packets-in-non-active-state.patch
new file mode 100644
index 00000000000..8b038982bd4
--- /dev/null
+++ b/queue-3.10/bluetooth-ignore-h5-non-link-packets-in-non-active-state.patch
@@ -0,0 +1,31 @@
+From 48439d501e3d9e8634bdc0c418e066870039599d Mon Sep 17 00:00:00 2001
+From: Loic Poulain <loic.poulain@intel.com>
+Date: Mon, 23 Jun 2014 17:42:44 +0200
+Subject: Bluetooth: Ignore H5 non-link packets in non-active state
+
+From: Loic Poulain <loic.poulain@intel.com>
+
+commit 48439d501e3d9e8634bdc0c418e066870039599d upstream.
+
+When detecting a non-link packet, h5_reset_rx() frees the Rx skb.
+Not returning after that will cause the upcoming h5_rx_payload()
+call to dereference a now NULL Rx skb and trigger a kernel oops.
+
+Signed-off-by: Loic Poulain <loic.poulain@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/hci_h5.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bluetooth/hci_h5.c
++++ b/drivers/bluetooth/hci_h5.c
+@@ -406,6 +406,7 @@ static int h5_rx_3wire_hdr(struct hci_ua
+ 	    H5_HDR_PKT_TYPE(hdr) != HCI_3WIRE_LINK_PKT) {
+ 		BT_ERR("Non-link packet received in non-active state");
+ 		h5_reset_rx(h5);
++		return 0;
+ 	}
+ 
+ 	h5->rx_func = h5_rx_payload;
diff --git a/queue-3.10/drivers-hv-util-fix-a-bug-in-the-kvp-code.patch b/queue-3.10/drivers-hv-util-fix-a-bug-in-the-kvp-code.patch
new file mode 100644
index 00000000000..f22c42b2b4a
--- /dev/null
+++ b/queue-3.10/drivers-hv-util-fix-a-bug-in-the-kvp-code.patch
@@ -0,0 +1,76 @@
+From 9bd2d0dfe4714dd5d7c09a93a5c9ea9e14ceb3fc Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Mon, 7 Jul 2014 16:34:25 -0700
+Subject: Drivers: hv: util: Fix a bug in the KVP code
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit 9bd2d0dfe4714dd5d7c09a93a5c9ea9e14ceb3fc upstream.
+
+Add code to poll the channel since we process only one message
+at a time and the host may not interrupt us. Also increase the
+receive buffer size since some KVP messages are close to 8K bytes in size.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv_kvp.c  |   14 ++++++++++++--
+ drivers/hv/hv_util.c |    2 +-
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/hv/hv_kvp.c
++++ b/drivers/hv/hv_kvp.c
+@@ -111,6 +111,15 @@ kvp_work_func(struct work_struct *dummy)
+ 	kvp_respond_to_host(NULL, HV_E_FAIL);
+ }
+ 
++static void poll_channel(struct vmbus_channel *channel)
++{
++	unsigned long flags;
++
++	spin_lock_irqsave(&channel->inbound_lock, flags);
++	hv_kvp_onchannelcallback(channel);
++	spin_unlock_irqrestore(&channel->inbound_lock, flags);
++}
++
+ static int kvp_handle_handshake(struct hv_kvp_msg *msg)
+ {
+ 	int ret = 1;
+@@ -139,7 +148,7 @@ static int kvp_handle_handshake(struct h
+ 		kvp_register(dm_reg_value);
+ 		kvp_transaction.active = false;
+ 		if (kvp_transaction.kvp_context)
+-			hv_kvp_onchannelcallback(kvp_transaction.kvp_context);
++			poll_channel(kvp_transaction.kvp_context);
+ 	}
+ 	return ret;
+ }
+@@ -552,6 +561,7 @@ response_done:
+ 
+ 	vmbus_sendpacket(channel, recv_buffer, buf_len, req_id,
+ 				VM_PKT_DATA_INBAND, 0);
++	poll_channel(channel);
+ 
+ }
+ 
+@@ -585,7 +595,7 @@ void hv_kvp_onchannelcallback(void *cont
+ 		return;
+ 	}
+ 
+-	vmbus_recvpacket(channel, recv_buffer, PAGE_SIZE * 2, &recvlen,
++	vmbus_recvpacket(channel, recv_buffer, PAGE_SIZE * 4, &recvlen,
+ 			 &requestid);
+ 
+ 	if (recvlen > 0) {
+--- a/drivers/hv/hv_util.c
++++ b/drivers/hv/hv_util.c
+@@ -279,7 +279,7 @@ static int util_probe(struct hv_device *
+ 		(struct hv_util_service *)dev_id->driver_data;
+ 	int ret;
+ 
+-	srv->recv_buffer = kmalloc(PAGE_SIZE * 2, GFP_KERNEL);
++	srv->recv_buffer = kmalloc(PAGE_SIZE * 4, GFP_KERNEL);
+ 	if (!srv->recv_buffer)
+ 		return -ENOMEM;
+ 	if (srv->util_init) {
diff --git a/queue-3.10/fuse-handle-large-user-and-group-id.patch b/queue-3.10/fuse-handle-large-user-and-group-id.patch
new file mode 100644
index 00000000000..1793c932220
--- /dev/null
+++ b/queue-3.10/fuse-handle-large-user-and-group-id.patch
@@ -0,0 +1,72 @@
+From 233a01fa9c4c7c41238537e8db8434667ff28a2f Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@suse.cz>
+Date: Mon, 7 Jul 2014 15:28:51 +0200
+Subject: fuse: handle large user and group ID
+
+From: Miklos Szeredi <mszeredi@suse.cz>
+
+commit 233a01fa9c4c7c41238537e8db8434667ff28a2f upstream.
+
+If the number in "user_id=N" or "group_id=N" mount options was larger than
+INT_MAX then fuse returned EINVAL.
+
+Fix this to handle all valid uid/gid values.
+
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/inode.c |   20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -461,6 +461,17 @@ static const match_table_t tokens = {
+ 	{OPT_ERR,			NULL}
+ };
+ 
++static int fuse_match_uint(substring_t *s, unsigned int *res)
++{
++	int err = -ENOMEM;
++	char *buf = match_strdup(s);
++	if (buf) {
++		err = kstrtouint(buf, 10, res);
++		kfree(buf);
++	}
++	return err;
++}
++
+ static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev)
+ {
+ 	char *p;
+@@ -471,6 +482,7 @@ static int parse_fuse_opt(char *opt, str
+ 	while ((p = strsep(&opt, ",")) != NULL) {
+ 		int token;
+ 		int value;
++		unsigned uv;
+ 		substring_t args[MAX_OPT_ARGS];
+ 		if (!*p)
+ 			continue;
+@@ -494,18 +506,18 @@ static int parse_fuse_opt(char *opt, str
+ 			break;
+ 
+ 		case OPT_USER_ID:
+-			if (match_int(&args[0], &value))
++			if (fuse_match_uint(&args[0], &uv))
+ 				return 0;
+-			d->user_id = make_kuid(current_user_ns(), value);
++			d->user_id = make_kuid(current_user_ns(), uv);
+ 			if (!uid_valid(d->user_id))
+ 				return 0;
+ 			d->user_id_present = 1;
+ 			break;
+ 
+ 		case OPT_GROUP_ID:
+-			if (match_int(&args[0], &value))
++			if (fuse_match_uint(&args[0], &uv))
+ 				return 0;
+-			d->group_id = make_kgid(current_user_ns(), value);
++			d->group_id = make_kgid(current_user_ns(), uv);
+ 			if (!gid_valid(d->group_id))
+ 				return 0;
+ 			d->group_id_present = 1;
diff --git a/queue-3.10/series b/queue-3.10/series
index 66f264eb261..fcd67f8e36e 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -1,2 +1,5 @@
 usb-check-if-port-status-is-equal-to-rxdetect.patch
 media-gspca_pac7302-add-new-usb-id-for-genius-i-look-317.patch
+drivers-hv-util-fix-a-bug-in-the-kvp-code.patch
+bluetooth-ignore-h5-non-link-packets-in-non-active-state.patch
+fuse-handle-large-user-and-group-id.patch