From: Greg Kroah-Hartman Date: Thu, 27 Sep 2012 17:31:58 +0000 (-0700) Subject: 3.5-stable patches X-Git-Tag: v3.0.44~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=74bcab122d183ab66ceec8ef7ba913f09de87083;p=thirdparty%2Fkernel%2Fstable-queue.git 3.5-stable patches added patches: bluetooth-add-support-for-apple-vendor-specific-devices.patch bluetooth-add-support-for-atheros-0489-e057.patch bluetooth-add-support-for-sony-vaio-t-series.patch bluetooth-btusb-add-vendor-specific-id-0a5c-21f4-bcm20702a0.patch bluetooth-change-signature-of-smp_conn_security.patch bluetooth-fix-sending-a-hci-authorization-request-over-le-links.patch bluetooth-fix-use-after-free-bug-in-smp.patch bluetooth-use-usb_vendor_and_interface-for-broadcom-devices.patch --- diff --git a/queue-3.5/bluetooth-add-support-for-apple-vendor-specific-devices.patch b/queue-3.5/bluetooth-add-support-for-apple-vendor-specific-devices.patch new file mode 100644 index 00000000000..a4d0c5b7736 --- /dev/null +++ b/queue-3.5/bluetooth-add-support-for-apple-vendor-specific-devices.patch @@ -0,0 +1,39 @@ +From 1fa6535faf055cd71311ab887e94fc234f04ee18 Mon Sep 17 00:00:00 2001 +From: Henrik Rydberg +Date: Sat, 25 Aug 2012 19:28:06 +0200 +Subject: Bluetooth: Add support for Apple vendor-specific devices + +From: Henrik Rydberg + +commit 1fa6535faf055cd71311ab887e94fc234f04ee18 upstream. + +As pointed out by Gustavo and Marcel, all Apple-specific Broadcom +devices seen so far have the same interface class, subclass and +protocol numbers. This patch adds an entry which matches all of them, +using the new USB_VENDOR_AND_INTERFACE_INFO() macro. + +In particular, this patch adds support for the MacBook Pro Retina +(05ac:8286), which is not in the present list. + +Signed-off-by: Henrik Rydberg +Tested-by: Shea Levy +Acked-by: Marcel Holtmann +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -60,6 +60,9 @@ static struct usb_device_id btusb_table[ + /* Generic Bluetooth USB device */ + { USB_DEVICE_INFO(0xe0, 0x01, 0x01) }, + ++ /* Apple-specific (Broadcom) devices */ ++ { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) }, ++ + /* Broadcom SoftSailing reporting vendor specific */ + { USB_DEVICE(0x0a5c, 0x21e1) }, + diff --git a/queue-3.5/bluetooth-add-support-for-atheros-0489-e057.patch b/queue-3.5/bluetooth-add-support-for-atheros-0489-e057.patch new file mode 100644 index 00000000000..a1c3905caf7 --- /dev/null +++ b/queue-3.5/bluetooth-add-support-for-atheros-0489-e057.patch @@ -0,0 +1,77 @@ +From 2096ae6ca647302d50a68aa36cb66a00e7dfac70 Mon Sep 17 00:00:00 2001 +From: Peng Chen +Date: Wed, 1 Aug 2012 10:11:59 +0800 +Subject: Bluetooth: add support for atheros 0489:e057 + +From: Peng Chen + +commit 2096ae6ca647302d50a68aa36cb66a00e7dfac70 upstream. + + Add support for the AR3012 chip found on Fioxconn. + + usb-devices shows: + + T: Bus=06 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 44 Spd=12 MxCh= 0 + D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 + P: Vendor=0489 ProdID=e057 Rev= 0.02 + C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA + I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms + E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms + E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms + I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms + E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms + I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms + E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms + I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms + E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms + I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms + E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms + I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms + E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms + I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Peng Chen +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/ath3k.c | 2 ++ + drivers/bluetooth/btusb.c | 1 + + 2 files changed, 3 insertions(+) + +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -79,6 +79,7 @@ static struct usb_device_id ath3k_table[ + { USB_DEVICE(0x13d3, 0x3362) }, + { USB_DEVICE(0x0CF3, 0xE004) }, + { USB_DEVICE(0x0930, 0x0219) }, ++ { USB_DEVICE(0x0489, 0xe057) }, + + /* Atheros AR5BBU12 with sflash firmware */ + { USB_DEVICE(0x0489, 0xE02C) }, +@@ -104,6 +105,7 @@ static struct usb_device_id ath3k_blist_ + { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 }, + + /* Atheros AR5BBU22 with sflash firmware */ + { USB_DEVICE(0x0489, 0xE03C), .driver_info = BTUSB_ATH3012 }, +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -142,6 +142,7 @@ static struct usb_device_id blacklist_ta + { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 }, + + /* Atheros AR5BBU12 with sflash firmware */ + { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE }, diff --git a/queue-3.5/bluetooth-add-support-for-sony-vaio-t-series.patch b/queue-3.5/bluetooth-add-support-for-sony-vaio-t-series.patch new file mode 100644 index 00000000000..27e2ffa08b0 --- /dev/null +++ b/queue-3.5/bluetooth-add-support-for-sony-vaio-t-series.patch @@ -0,0 +1,83 @@ +From bc21fde2d549d1cb1ebef04016eb7affa43bb5c1 Mon Sep 17 00:00:00 2001 +From: Yevgeniy Melnichuk +Date: Tue, 7 Aug 2012 19:48:10 +0530 +Subject: Bluetooth: Add support for Sony Vaio T-Series + +From: Yevgeniy Melnichuk + +commit bc21fde2d549d1cb1ebef04016eb7affa43bb5c1 upstream. + +Add Sony Vaio T-Series Bluetooth Module( 0x489:0xE036) to +the blacklist of btusb module and add it to the ath3k module. + +output of cat /sys/kernel/debug/usb/devices + +T: Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#= 5 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e036 Rev= 0.02 +S: Manufacturer=Atheros Communications +S: Product=Bluetooth USB Host Controller +S: SerialNumber=Alaska Day 2006 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Yevgeniy Melnichuk +Signed-off-by: Mohammed Shafi Shajakhan +Acked-by: Marcel Holtmann +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/ath3k.c | 2 ++ + drivers/bluetooth/btusb.c | 1 + + 2 files changed, 3 insertions(+) + +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -86,6 +86,7 @@ static struct usb_device_id ath3k_table[ + + /* Atheros AR5BBU22 with sflash firmware */ + { USB_DEVICE(0x0489, 0xE03C) }, ++ { USB_DEVICE(0x0489, 0xE036) }, + + { } /* Terminating entry */ + }; +@@ -109,6 +110,7 @@ static struct usb_device_id ath3k_blist_ + + /* Atheros AR5BBU22 with sflash firmware */ + { USB_DEVICE(0x0489, 0xE03C), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 }, + + { } /* Terminating entry */ + }; +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -149,6 +149,7 @@ static struct usb_device_id blacklist_ta + + /* Atheros AR5BBU12 with sflash firmware */ + { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 }, + + /* Broadcom BCM2035 */ + { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU }, diff --git a/queue-3.5/bluetooth-btusb-add-vendor-specific-id-0a5c-21f4-bcm20702a0.patch b/queue-3.5/bluetooth-btusb-add-vendor-specific-id-0a5c-21f4-bcm20702a0.patch new file mode 100644 index 00000000000..48127676663 --- /dev/null +++ b/queue-3.5/bluetooth-btusb-add-vendor-specific-id-0a5c-21f4-bcm20702a0.patch @@ -0,0 +1,56 @@ +From 61c964ba1748e984cb232b431582815899bf10fe Mon Sep 17 00:00:00 2001 +From: Manoj Iyer +Date: Tue, 10 Jul 2012 14:07:38 -0500 +Subject: Bluetooth: btusb: Add vendor specific ID (0a5c:21f4) BCM20702A0 + +From: Manoj Iyer + +commit 61c964ba1748e984cb232b431582815899bf10fe upstream. + +Patch adds support for BCM20702A0 device id (0a5c:21f4). + +usb-devices after patch was applied: +T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 +D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0a5c ProdID=21f4 Rev=01.12 +S: Manufacturer=Broadcom Corp +S: Product=BCM20702A0 +S: SerialNumber=E4D53DF154D6 +C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none) + +usb-devices before patch was applied: +T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 +D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0a5c ProdID=21f4 Rev=01.12 +S: Manufacturer=Broadcom Corp +S: Product=BCM20702A0 +S: SerialNumber=E4D53DF154D6 +C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none) +I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none) +I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none) + +Signed-off-by: Manoj Iyer +Tested-by: Chris Gagnon +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btusb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -106,6 +106,7 @@ static struct usb_device_id btusb_table[ + { USB_DEVICE(0x0a5c, 0x21e6) }, + { USB_DEVICE(0x0a5c, 0x21e8) }, + { USB_DEVICE(0x0a5c, 0x21f3) }, ++ { USB_DEVICE(0x0a5c, 0x21f4) }, + { USB_DEVICE(0x413c, 0x8197) }, + + /* Foxconn - Hon Hai */ diff --git a/queue-3.5/bluetooth-change-signature-of-smp_conn_security.patch b/queue-3.5/bluetooth-change-signature-of-smp_conn_security.patch new file mode 100644 index 00000000000..85557b7165c --- /dev/null +++ b/queue-3.5/bluetooth-change-signature-of-smp_conn_security.patch @@ -0,0 +1,94 @@ +From cc110922da7e902b62d18641a370fec01a9fa794 Mon Sep 17 00:00:00 2001 +From: Vinicius Costa Gomes +Date: Thu, 23 Aug 2012 21:32:43 -0300 +Subject: Bluetooth: Change signature of smp_conn_security() + +From: Vinicius Costa Gomes + +commit cc110922da7e902b62d18641a370fec01a9fa794 upstream. + +To make it clear that it may be called from contexts that may not have +any knowledge of L2CAP, we change the connection parameter, to receive +a hci_conn. + +This also makes it clear that it is checking the security of the link. + +Signed-off-by: Vinicius Costa Gomes +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/bluetooth/smp.h | 2 +- + net/bluetooth/l2cap_core.c | 11 ++++++----- + net/bluetooth/l2cap_sock.c | 2 +- + net/bluetooth/smp.c | 4 ++-- + 4 files changed, 10 insertions(+), 9 deletions(-) + +--- a/include/net/bluetooth/smp.h ++++ b/include/net/bluetooth/smp.h +@@ -136,7 +136,7 @@ struct smp_chan { + }; + + /* SMP Commands */ +-int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level); ++int smp_conn_security(struct hci_conn *hcon, __u8 sec_level); + int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb); + int smp_distribute_keys(struct l2cap_conn *conn, __u8 force); + int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey); +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -1184,14 +1184,15 @@ clean: + static void l2cap_conn_ready(struct l2cap_conn *conn) + { + struct l2cap_chan *chan; ++ struct hci_conn *hcon = conn->hcon; + + BT_DBG("conn %p", conn); + +- if (!conn->hcon->out && conn->hcon->type == LE_LINK) ++ if (!hcon->out && hcon->type == LE_LINK) + l2cap_le_conn_ready(conn); + +- if (conn->hcon->out && conn->hcon->type == LE_LINK) +- smp_conn_security(conn, conn->hcon->pending_sec_level); ++ if (hcon->out && hcon->type == LE_LINK) ++ smp_conn_security(hcon, hcon->pending_sec_level); + + mutex_lock(&conn->chan_lock); + +@@ -1199,8 +1200,8 @@ static void l2cap_conn_ready(struct l2ca + + l2cap_chan_lock(chan); + +- if (conn->hcon->type == LE_LINK) { +- if (smp_conn_security(conn, chan->sec_level)) ++ if (hcon->type == LE_LINK) { ++ if (smp_conn_security(hcon, chan->sec_level)) + l2cap_chan_ready(chan); + + } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -596,7 +596,7 @@ static int l2cap_sock_setsockopt(struct + break; + } + +- if (smp_conn_security(conn, sec.level)) ++ if (smp_conn_security(conn->hcon, sec.level)) + break; + sk->sk_state = BT_CONFIG; + chan->state = BT_CONFIG; +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -756,9 +756,9 @@ static u8 smp_cmd_security_req(struct l2 + return 0; + } + +-int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level) ++int smp_conn_security(struct hci_conn *hcon, __u8 sec_level) + { +- struct hci_conn *hcon = conn->hcon; ++ struct l2cap_conn *conn = hcon->l2cap_data; + struct smp_chan *smp = conn->smp_chan; + __u8 authreq; + diff --git a/queue-3.5/bluetooth-fix-sending-a-hci-authorization-request-over-le-links.patch b/queue-3.5/bluetooth-fix-sending-a-hci-authorization-request-over-le-links.patch new file mode 100644 index 00000000000..9fb0ef98971 --- /dev/null +++ b/queue-3.5/bluetooth-fix-sending-a-hci-authorization-request-over-le-links.patch @@ -0,0 +1,42 @@ +From d8343f125710fb596f7a88cd756679f14f4e77b9 Mon Sep 17 00:00:00 2001 +From: Vinicius Costa Gomes +Date: Thu, 23 Aug 2012 21:32:44 -0300 +Subject: Bluetooth: Fix sending a HCI Authorization Request over LE links + +From: Vinicius Costa Gomes + +commit d8343f125710fb596f7a88cd756679f14f4e77b9 upstream. + +In the case that the link is already in the connected state and a +Pairing request arrives from the mgmt interface, hci_conn_security() +would be called but it was not considering LE links. + +Reported-by: João Paulo Rechi Vita +Signed-off-by: Vinicius Costa Gomes +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_conn.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -42,6 +42,7 @@ + + #include + #include ++#include + + static void hci_le_connect(struct hci_conn *conn) + { +@@ -627,6 +628,9 @@ int hci_conn_security(struct hci_conn *c + { + BT_DBG("conn %p", conn); + ++ if (conn->type == LE_LINK) ++ return smp_conn_security(conn, sec_level); ++ + /* For sdp we don't need the link key. */ + if (sec_level == BT_SECURITY_SDP) + return 1; diff --git a/queue-3.5/bluetooth-fix-use-after-free-bug-in-smp.patch b/queue-3.5/bluetooth-fix-use-after-free-bug-in-smp.patch new file mode 100644 index 00000000000..8685ea40f0b --- /dev/null +++ b/queue-3.5/bluetooth-fix-use-after-free-bug-in-smp.patch @@ -0,0 +1,76 @@ +From 61a0cfb008f57ecf7eb28ee762952fb42dc15d15 Mon Sep 17 00:00:00 2001 +From: Andre Guedes +Date: Wed, 1 Aug 2012 20:34:15 -0300 +Subject: Bluetooth: Fix use-after-free bug in SMP + +From: Andre Guedes + +commit 61a0cfb008f57ecf7eb28ee762952fb42dc15d15 upstream. + +If SMP fails, we should always cancel security_timer delayed work. +Otherwise, security_timer function may run after l2cap_conn object +has been freed. + +This patch fixes the following warning reported by ODEBUG: + +WARNING: at lib/debugobjects.c:261 debug_print_object+0x7c/0x8d() +Hardware name: Bochs +ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x27 +Modules linked in: btusb bluetooth +Pid: 440, comm: kworker/u:2 Not tainted 3.5.0-rc1+ #4 +Call Trace: + [] ? free_obj_work+0x4a/0x7f + [] warn_slowpath_common+0x7e/0x97 + [] warn_slowpath_fmt+0x41/0x43 + [] debug_print_object+0x7c/0x8d + [] ? __queue_work+0x241/0x241 + [] debug_check_no_obj_freed+0x92/0x159 + [] slab_free_hook+0x6f/0x77 + [] ? l2cap_conn_del+0x148/0x157 [bluetooth] + [] kfree+0x59/0xac + [] l2cap_conn_del+0x148/0x157 [bluetooth] + [] l2cap_recv_frame+0xa77/0xfa4 [bluetooth] + [] ? trace_hardirqs_on_caller+0x112/0x1ad + [] l2cap_recv_acldata+0xe2/0x264 [bluetooth] + [] hci_rx_work+0x235/0x33c [bluetooth] + [] ? process_one_work+0x126/0x2fe + [] process_one_work+0x185/0x2fe + [] ? process_one_work+0x126/0x2fe + [] ? lock_acquired+0x1b5/0x1cf + [] ? le_scan_work+0x11d/0x11d [bluetooth] + [] ? spin_lock_irq+0x9/0xb + [] worker_thread+0xcf/0x175 + [] ? rescuer_thread+0x175/0x175 + [] kthread+0x95/0x9d + [] kernel_threadi_helper+0x4/0x10 + [] ? retint_restore_args+0x13/0x13 + [] ? flush_kthread_worker+0xdb/0xdb + [] ? gs_change+0x13/0x13 + +This bug can be reproduced using hctool lecc or l2test tools and +bluetoothd not running. + +Signed-off-by: Andre Guedes +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/smp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -266,10 +266,10 @@ static void smp_failure(struct l2cap_con + mgmt_auth_failed(conn->hcon->hdev, conn->dst, hcon->type, + hcon->dst_type, reason); + +- if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) { +- cancel_delayed_work_sync(&conn->security_timer); ++ cancel_delayed_work_sync(&conn->security_timer); ++ ++ if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) + smp_chan_destroy(conn); +- } + } + + #define JUST_WORKS 0x00 diff --git a/queue-3.5/bluetooth-use-usb_vendor_and_interface-for-broadcom-devices.patch b/queue-3.5/bluetooth-use-usb_vendor_and_interface-for-broadcom-devices.patch new file mode 100644 index 00000000000..7344383ef62 --- /dev/null +++ b/queue-3.5/bluetooth-use-usb_vendor_and_interface-for-broadcom-devices.patch @@ -0,0 +1,44 @@ +From 92c385f46b30f4954e9dd2d2005c12d233b479ea Mon Sep 17 00:00:00 2001 +From: Gustavo Padovan +Date: Mon, 6 Aug 2012 15:36:49 -0300 +Subject: Bluetooth: Use USB_VENDOR_AND_INTERFACE() for Broadcom devices + +From: Gustavo Padovan + +commit 92c385f46b30f4954e9dd2d2005c12d233b479ea upstream. + +Many Broadcom devices has a vendor specific devices class, with this rule +we match all existent and future controllers with this behavior. + +We also remove old rules to that matches product id for Broadcom devices. + +Tested-by: John Hommel +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btusb.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -102,16 +102,14 @@ static struct usb_device_id btusb_table[ + + /* Broadcom BCM20702A0 */ + { USB_DEVICE(0x0489, 0xe042) }, +- { USB_DEVICE(0x0a5c, 0x21e3) }, +- { USB_DEVICE(0x0a5c, 0x21e6) }, +- { USB_DEVICE(0x0a5c, 0x21e8) }, +- { USB_DEVICE(0x0a5c, 0x21f3) }, +- { USB_DEVICE(0x0a5c, 0x21f4) }, + { USB_DEVICE(0x413c, 0x8197) }, + + /* Foxconn - Hon Hai */ + { USB_DEVICE(0x0489, 0xe033) }, + ++ /*Broadcom devices with vendor specific id */ ++ { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01) }, ++ + { } /* Terminating entry */ + }; + diff --git a/queue-3.5/series b/queue-3.5/series index 5704fff13f3..195650d8147 100644 --- a/queue-3.5/series +++ b/queue-3.5/series @@ -214,3 +214,11 @@ gianfar-fix-phc-index-build-failure.patch workqueue-unbound-rebind-morphing-in-rebind_workers-should-be-atomic.patch input-wacom-add-support-to-cintiq-22hd.patch input-wacom-rearrange-type-enum.patch +bluetooth-btusb-add-vendor-specific-id-0a5c-21f4-bcm20702a0.patch +bluetooth-add-support-for-atheros-0489-e057.patch +bluetooth-add-support-for-sony-vaio-t-series.patch +bluetooth-use-usb_vendor_and_interface-for-broadcom-devices.patch +bluetooth-add-support-for-apple-vendor-specific-devices.patch +bluetooth-fix-use-after-free-bug-in-smp.patch +bluetooth-change-signature-of-smp_conn_security.patch +bluetooth-fix-sending-a-hci-authorization-request-over-le-links.patch