From: Greg Kroah-Hartman Date: Mon, 1 Apr 2013 19:54:42 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.8.6~57 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=41546f716bed54747e78781ef656a449ea00646b;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: bluetooth-fix-not-closing-sco-sockets-in-the-bt_connect2-state.patch --- diff --git a/queue-3.0/bluetooth-fix-not-closing-sco-sockets-in-the-bt_connect2-state.patch b/queue-3.0/bluetooth-fix-not-closing-sco-sockets-in-the-bt_connect2-state.patch new file mode 100644 index 00000000000..546b741a7d6 --- /dev/null +++ b/queue-3.0/bluetooth-fix-not-closing-sco-sockets-in-the-bt_connect2-state.patch @@ -0,0 +1,96 @@ +From eb20ff9c91ddcb2d55c1849a87d3db85af5e88a9 Mon Sep 17 00:00:00 2001 +From: Vinicius Costa Gomes +Date: Wed, 13 Mar 2013 19:46:20 -0300 +Subject: Bluetooth: Fix not closing SCO sockets in the BT_CONNECT2 state + +From: Vinicius Costa Gomes + +commit eb20ff9c91ddcb2d55c1849a87d3db85af5e88a9 upstream. + +With deferred setup for SCO, it is possible that userspace closes the +socket when it is in the BT_CONNECT2 state, after the Connect Request is +received but before the Accept Synchonous Connection is sent. + +If this happens the following crash was observed, when the connection is +terminated: + +[ +0.000003] hci_sync_conn_complete_evt: hci0 status 0x10 +[ +0.000005] sco_connect_cfm: hcon ffff88003d1bd800 bdaddr 40:98:4e:32:d7:39 status 16 +[ +0.000003] sco_conn_del: hcon ffff88003d1bd800 conn ffff88003cc8e300, err 110 +[ +0.000015] BUG: unable to handle kernel NULL pointer dereference at 0000000000000199 +[ +0.000906] IP: [] __lock_acquire+0xed/0xe82 +[ +0.000000] PGD 3d21f067 PUD 3d291067 PMD 0 +[ +0.000000] Oops: 0002 [#1] SMP +[ +0.000000] Modules linked in: rfcomm bnep btusb bluetooth +[ +0.000000] CPU 0 +[ +0.000000] Pid: 1481, comm: kworker/u:2H Not tainted 3.9.0-rc1-25019-gad82cdd #1 Bochs Bochs +[ +0.000000] RIP: 0010:[] [] __lock_acquire+0xed/0xe82 +[ +0.000000] RSP: 0018:ffff88003c3c19d8 EFLAGS: 00010002 +[ +0.000000] RAX: 0000000000000001 RBX: 0000000000000246 RCX: 0000000000000000 +[ +0.000000] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003d1be868 +[ +0.000000] RBP: ffff88003c3c1a98 R08: 0000000000000002 R09: 0000000000000000 +[ +0.000000] R10: ffff88003d1be868 R11: ffff88003e20b000 R12: 0000000000000002 +[ +0.000000] R13: ffff88003aaa8000 R14: 000000000000006e R15: ffff88003d1be850 +[ +0.000000] FS: 0000000000000000(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000 +[ +0.000000] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ +0.000000] CR2: 0000000000000199 CR3: 000000003c1cb000 CR4: 00000000000006b0 +[ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ +0.000000] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ +0.000000] Process kworker/u:2H (pid: 1481, threadinfo ffff88003c3c0000, task ffff88003aaa8000) +[ +0.000000] Stack: +[ +0.000000] ffffffff81b16342 0000000000000000 0000000000000000 ffff88003d1be868 +[ +0.000000] ffffffff00000000 00018c0c7863e367 000000003c3c1a28 ffffffff8101efbd +[ +0.000000] 0000000000000000 ffff88003e3d2400 ffff88003c3c1a38 ffffffff81007c7a +[ +0.000000] Call Trace: +[ +0.000000] [] ? kvm_clock_read+0x34/0x3b +[ +0.000000] [] ? paravirt_sched_clock+0x9/0xd +[ +0.000000] [] ? sched_clock+0x9/0xb +[ +0.000000] [] ? sched_clock_local+0x12/0x75 +[ +0.000000] [] lock_acquire+0x93/0xb1 +[ +0.000000] [] ? spin_lock+0x9/0xb [bluetooth] +[ +0.000000] [] ? lock_release_holdtime.part.22+0x4e/0x55 +[ +0.000000] [] _raw_spin_lock+0x40/0x74 +[ +0.000000] [] ? spin_lock+0x9/0xb [bluetooth] +[ +0.000000] [] ? _raw_spin_unlock+0x23/0x36 +[ +0.000000] [] spin_lock+0x9/0xb [bluetooth] +[ +0.000000] [] sco_conn_del+0x76/0xbb [bluetooth] +[ +0.000000] [] sco_connect_cfm+0x2da/0x2e9 [bluetooth] +[ +0.000000] [] hci_proto_connect_cfm+0x38/0x65 [bluetooth] +[ +0.000000] [] hci_sync_conn_complete_evt.isra.79+0x11a/0x13e [bluetooth] +[ +0.000000] [] hci_event_packet+0x153b/0x239d [bluetooth] +[ +0.000000] [] ? _raw_spin_unlock_irqrestore+0x48/0x5c +[ +0.000000] [] hci_rx_work+0xf3/0x2e3 [bluetooth] +[ +0.000000] [] process_one_work+0x1dc/0x30b +[ +0.000000] [] ? process_one_work+0x172/0x30b +[ +0.000000] [] ? spin_lock_irq+0x9/0xb +[ +0.000000] [] worker_thread+0x123/0x1d2 +[ +0.000000] [] ? manage_workers+0x240/0x240 +[ +0.000000] [] kthread+0x9d/0xa5 +[ +0.000000] [] ? __kthread_parkme+0x60/0x60 +[ +0.000000] [] ret_from_fork+0x7c/0xb0 +[ +0.000000] [] ? __kthread_parkme+0x60/0x60 +[ +0.000000] Code: d7 44 89 8d 50 ff ff ff 4c 89 95 58 ff ff ff e8 44 fc ff ff 44 8b 8d 50 ff ff ff 48 85 c0 4c 8b 95 58 ff ff ff 0f 84 7a 04 00 00 ff 80 98 01 00 00 83 3d 25 41 a7 00 00 45 8b b5 e8 05 00 00 +[ +0.000000] RIP [] __lock_acquire+0xed/0xe82 +[ +0.000000] RSP +[ +0.000000] CR2: 0000000000000199 +[ +0.000000] ---[ end trace e73cd3b52352dd34 ]--- + +Signed-off-by: Vinicius Costa Gomes +Tested-by: Frederic Dalleau +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/sco.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -378,6 +378,7 @@ static void __sco_sock_close(struct sock + sco_chan_del(sk, ECONNRESET); + break; + ++ case BT_CONNECT2: + case BT_CONNECT: + case BT_DISCONN: + sco_chan_del(sk, ECONNRESET); diff --git a/queue-3.0/series b/queue-3.0/series index 01bb4205604..c5461d42d94 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -1 +1,2 @@ sunrpc-add-barriers-to-ensure-read-ordering-in-rpc_wake_up_task_queue_locked.patch +bluetooth-fix-not-closing-sco-sockets-in-the-bt_connect2-state.patch