From: Greg Kroah-Hartman Date: Sun, 10 Apr 2016 01:05:01 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v4.5.1~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7c6567acfe192d35f1e49694ae95496fc77a87b2;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: bluetooth-add-new-ar3012-id-0489-e095.patch bluetooth-fix-potential-buffer-overflow-with-add-advertising.patch cgroup-ignore-css_sets-associated-with-dead-cgroups-during-migration.patch
---
diff --git a/queue-4.4/bluetooth-add-new-ar3012-id-0489-e095.patch b/queue-4.4/bluetooth-add-new-ar3012-id-0489-e095.patch
new file mode 100644
index 00000000000..819649ba6f7
--- /dev/null
+++ b/queue-4.4/bluetooth-add-new-ar3012-id-0489-e095.patch
@@ -0,0 +1,59 @@
+From 28c971d82fb58ef7cba22e5308be6d2d2590473d Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin
+Date: Wed, 10 Feb 2016 00:49:11 +0300
+Subject: Bluetooth: Add new AR3012 ID 0489:e095
+
+From: Dmitry Tunin
+
+commit 28c971d82fb58ef7cba22e5308be6d2d2590473d upstream.
+
+T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#= 3 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0489 ProdID=e095 Rev=00.01
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+This device requires ar3k/AthrBT_0x31010100.dfu and
+ar3k/ramps_0x31010100_40.dfu firmware files that are not in
+linux-firmware yet.
+
+BugLink: https://bugs.launchpad.net/bugs/1542944
+
+Signed-off-by: Dmitry Tunin
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bluetooth/ath3k.c | 2 ++
+ drivers/bluetooth/btusb.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -82,6 +82,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x0489, 0xe05f) },
+ { USB_DEVICE(0x0489, 0xe076) },
+ { USB_DEVICE(0x0489, 0xe078) },
++ { USB_DEVICE(0x0489, 0xe095) },
+ { USB_DEVICE(0x04c5, 0x1330) },
+ { USB_DEVICE(0x04CA, 0x3004) },
+ { USB_DEVICE(0x04CA, 0x3005) },
+@@ -147,6 +148,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0489, 0xe095), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -196,6 +196,7 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0489, 0xe095), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
diff --git a/queue-4.4/bluetooth-fix-potential-buffer-overflow-with-add-advertising.patch b/queue-4.4/bluetooth-fix-potential-buffer-overflow-with-add-advertising.patch
new file mode 100644
index 00000000000..82c6e287423
--- /dev/null
+++ b/queue-4.4/bluetooth-fix-potential-buffer-overflow-with-add-advertising.patch
@@ -0,0 +1,37 @@
+From 6a0e78072c2ae7b20b14e0249d8108441ea928d2 Mon Sep 17 00:00:00 2001
+From: Johan Hedberg
+Date: Fri, 11 Mar 2016 09:56:33 +0200
+Subject: Bluetooth: Fix potential buffer overflow with Add Advertising
+
+From: Johan Hedberg
+
+commit 6a0e78072c2ae7b20b14e0249d8108441ea928d2 upstream.
+
+The Add Advertising command handler does the appropriate checks for
+the AD and Scan Response data, however fails to take into account the
+general length of the mgmt command itself, which could lead to
+potential buffer overflows. This patch adds the necessary check that
+the mgmt command length is consistent with the given ad and scan_rsp
+lengths.
+
+Signed-off-by: Johan Hedberg
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/mgmt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -7155,6 +7155,10 @@ static int add_advertising(struct sock *
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
+ status);
+
++ if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
++ MGMT_STATUS_INVALID_PARAMS);
++
+ flags = __le32_to_cpu(cp->flags);
+ timeout = __le16_to_cpu(cp->timeout);
+ duration = __le16_to_cpu(cp->duration);
diff --git a/queue-4.4/cgroup-ignore-css_sets-associated-with-dead-cgroups-during-migration.patch b/queue-4.4/cgroup-ignore-css_sets-associated-with-dead-cgroups-during-migration.patch
new file mode 100644
index 00000000000..8ada635a57d
--- /dev/null
+++ b/queue-4.4/cgroup-ignore-css_sets-associated-with-dead-cgroups-during-migration.patch
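Review bot: The added comparison in add_advertising() reads `cp->adv_data_len` and `cp->scan_rsp_len` without the hunk showing that `data_len` already covers `sizeof(*cp)`; that minimum is presumably enforced by the mgmt command dispatcher before the handler runs, and the new check depends on it. A comment above the new `if` would record both facts, for example `/* data_len >= sizeof(*cp) is checked by the caller; the payload must match the declared AD and scan response lengths exactly */`. The function starts and ends outside the hunk, so the later code that consumes the two lengths is not visible here.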
@@ -0,0 +1,120 @@
+From 2b021cbf3cb6208f0d40fd2f1869f237934340ed Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Tue, 15 Mar 2016 20:43:04 -0400
+Subject: cgroup: ignore css_sets associated with dead cgroups during migration
+
+From: Tejun Heo
+
+commit 2b021cbf3cb6208f0d40fd2f1869f237934340ed upstream.
+
+Before 2e91fa7f6d45 ("cgroup: keep zombies associated with their
+original cgroups"), all dead tasks were associated with init_css_set.
+If a zombie task is requested for migration, while migration prep
+operations would still be performed on init_css_set, the actual
+migration would ignore zombie tasks. As init_css_set is always valid,
+this worked fine.
+
+However, after 2e91fa7f6d45, zombie tasks stay with the css_set it was
+associated with at the time of death. Let's say a task T associated
+with cgroup A on hierarchy H-1 and cgroup B on hiearchy H-2. After T
+becomes a zombie, it would still remain associated with A and B. If A
+only contains zombie tasks, it can be removed. On removal, A gets
+marked offline but stays pinned until all zombies are drained. At
+this point, if migration is initiated on T to a cgroup C on hierarchy
+H-2, migration path would try to prepare T's css_set for migration and
+trigger the following.
+
+ WARNING: CPU: 0 PID: 1576 at kernel/cgroup.c:474 cgroup_get+0x121/0x160()
+ CPU: 0 PID: 1576 Comm: bash Not tainted 4.4.0-work+ #289
+ ...
+ Call Trace:
+ [] dump_stack+0x4e/0x82
+ [] warn_slowpath_common+0x78/0xb0
+ [] warn_slowpath_null+0x15/0x20
+ [] cgroup_get+0x121/0x160
+ [] link_css_set+0x7b/0x90
+ [] find_css_set+0x3bc/0x5e0
+ [] cgroup_migrate_prepare_dst+0x89/0x1f0
+ [] cgroup_attach_task+0x157/0x230
+ [] __cgroup_procs_write+0x2b7/0x470
+ [] cgroup_tasks_write+0xc/0x10
+ [] cgroup_file_write+0x30/0x1b0
+ [] kernfs_fop_write+0x13c/0x180
+ [] __vfs_write+0x23/0xe0
+ [] vfs_write+0xa4/0x1a0
+ [] SyS_write+0x44/0xa0
+ [] entry_SYSCALL_64_fastpath+0x12/0x6f
+
+It doesn't make sense to prepare migration for css_sets pointing to
+dead cgroups as they are guaranteed to contain only zombies which are
+ignored later during migration. This patch makes cgroup destruction
+path mark all affected css_sets as dead and updates the migration path
+to ignore them during preparation.
+
+Signed-off-by: Tejun Heo
+Fixes: 2e91fa7f6d45 ("cgroup: keep zombies associated with their original cgroups")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/cgroup-defs.h | 3 +++
+ kernel/cgroup.c | 20 ++++++++++++++++++--
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+--- a/include/linux/cgroup-defs.h
++++ b/include/linux/cgroup-defs.h
+@@ -216,6 +216,9 @@ struct css_set {
+ /* all css_task_iters currently walking this cset */
+ struct list_head task_iters;
+
++ /* dead and being drained, ignore for migration */
++ bool dead;
++
+ /* For RCU-protected deletion */
+ struct rcu_head rcu_head;
+ };
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -2498,6 +2498,14 @@ static void cgroup_migrate_add_src(struc
+ lockdep_assert_held(&cgroup_mutex);
+ lockdep_assert_held(&css_set_lock);
+
++ /*
++ * If ->dead, @src_set is associated with one or more dead cgroups
++ * and doesn't contain any migratable tasks. Ignore it early so
++ * that the rest of migration path doesn't get confused by it.
++ */
++ if (src_cset->dead)
++ return;
++
+ src_cgrp = cset_cgroup_from_root(src_cset, dst_cgrp->root);
+
+ if (!list_empty(&src_cset->mg_preload_node))
+@@ -5131,6 +5139,7 @@ static int cgroup_destroy_locked(struct
+ __releases(&cgroup_mutex) __acquires(&cgroup_mutex)
+ {
+ struct cgroup_subsys_state *css;
++ struct cgrp_cset_link *link;
+ int ssid;
+
+ lockdep_assert_held(&cgroup_mutex);
+@@ -5151,11 +5160,18 @@ static int cgroup_destroy_locked(struct
+ return -EBUSY;
+
+ /*
+- * Mark @cgrp dead. This prevents further task migration and child
+- * creation by disabling cgroup_lock_live_group().
++ * Mark @cgrp and the associated csets dead. The former prevents
++ * further task migration and child creation by disabling
++ * cgroup_lock_live_group(). The latter makes the csets ignored by
++ * the migration path.
+ */
+ cgrp->self.flags &= ~CSS_ONLINE;
+
++ spin_lock_bh(&css_set_lock);
++ list_for_each_entry(link, &cgrp->cset_links, cset_link)
++ link->cset->dead = true;
++ spin_unlock_bh(&css_set_lock);
++
+ /* initiate massacre of all css's */
+ for_each_css(css, ssid, cgrp)
+ kill_css(css);
diff --git a/queue-4.4/series b/queue-4.4/series
index 2ace8bcbc06..2dd88cc02e2 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -127,3 +127,6 @@ mm-memcontrol-reclaim-and-oom-kill-when-shrinking-memory.max-below-usage.patch
 ia64-define-ioremap_uc.patch
 watchdog-don-t-run-proc_watchdog_update-if-new-value-is-same-as-old.patch
 watchdog-rc32434_wdt-fix-ioctl-error-handling.patch
+bluetooth-add-new-ar3012-id-0489-e095.patch
+bluetooth-fix-potential-buffer-overflow-with-add-advertising.patch
+cgroup-ignore-css_sets-associated-with-dead-cgroups-during-migration.patch
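Review bot: The comment added in cgroup_migrate_add_src() names `@src_set`, but the identifier tested on the following line is `src_cset`; the comment should read `If ->dead, @src_cset is associated with one or more dead cgroups`. The one-line comment on the new `dead` field in struct css_set also does not say which lock guards it. The writer in cgroup_destroy_locked() sets it inside `spin_lock_bh(&css_set_lock)` and the reader runs after `lockdep_assert_held(&css_set_lock)`, so `/* dead and being drained, ignore for migration; protected by css_set_lock */` would record the rule for later users of the flag. Both functions extend beyond their hunks, so whether any other path reads the flag cannot be told from here.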