From: Greg Kroah-Hartman Date: Mon, 27 Aug 2012 20:35:47 +0000 (-0700) Subject: 3.5-stable patches X-Git-Tag: v3.5.4~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bc1f86877db106ff3cfab98fbe29d284126fe915;p=thirdparty%2Fkernel%2Fstable-queue.git 3.5-stable patches added patches: bluetooth-fix-legacy-pairing-with-some-devices.patch bluetooth-fix-using-a-null-inquiry-cache-entry.patch bluetooth-fix-using-null-inquiry-entry.patch bluetooth-set-name_state-to-unknown-when-entry-name-is-empty.patch ubifs-fix-complaints-about-too-small-debug-buffer-size.patch ubifs-fix-crash-on-error-path.patch --- diff --git a/queue-3.5/bluetooth-fix-legacy-pairing-with-some-devices.patch b/queue-3.5/bluetooth-fix-legacy-pairing-with-some-devices.patch new file mode 100644 index 00000000000..74a3ebc2eef --- /dev/null +++ b/queue-3.5/bluetooth-fix-legacy-pairing-with-some-devices.patch 
@@ -0,0 +1,118 @@ +From a9ea3ed9b71cc3271dd59e76f65748adcaa76422 Mon Sep 17 00:00:00 2001 +From: Szymon Janc +Date: Thu, 19 Jul 2012 14:46:08 +0200 +Subject: Bluetooth: Fix legacy pairing with some devices + +From: Szymon Janc + +commit a9ea3ed9b71cc3271dd59e76f65748adcaa76422 upstream. + +Some devices e.g. some Android based phones don't do SDP search before +pairing and cancel legacy pairing when ACL is disconnected. + +PIN Code Request event which changes ACL timeout to HCI_PAIRING_TIMEOUT +is only received after remote user entered PIN. + +In that case no L2CAP is connected so default HCI_DISCONN_TIMEOUT +(2 seconds) is being used to timeout ACL connection. This results in +problems with legacy pairing as remote user has only few seconds to +enter PIN before ACL is disconnected. + +Increase disconnect timeout for incomming connection to +HCI_PAIRING_TIMEOUT if SSP is disabled and no linkey exists. + +To avoid keeping ACL alive for too long after SDP search set ACL +timeout back to HCI_DISCONN_TIMEOUT when L2CAP is connected. 
+ +2012-07-19 13:24:43.413521 < HCI Command: Create Connection (0x01|0x0005) plen 13 + bdaddr 00:02:72:D6:6A:3F ptype 0xcc18 rswitch 0x01 clkoffset 0x0000 + Packet type: DM1 DM3 DM5 DH1 DH3 DH5 +2012-07-19 13:24:43.425224 > HCI Event: Command Status (0x0f) plen 4 + Create Connection (0x01|0x0005) status 0x00 ncmd 1 +2012-07-19 13:24:43.885222 > HCI Event: Role Change (0x12) plen 8 + status 0x00 bdaddr 00:02:72:D6:6A:3F role 0x01 + Role: Slave +2012-07-19 13:24:44.054221 > HCI Event: Connect Complete (0x03) plen 11 + status 0x00 handle 42 bdaddr 00:02:72:D6:6A:3F type ACL encrypt 0x00 +2012-07-19 13:24:44.054313 < HCI Command: Read Remote Supported Features (0x01|0x001b) plen 2 + handle 42 +2012-07-19 13:24:44.055176 > HCI Event: Page Scan Repetition Mode Change (0x20) plen 7 + bdaddr 00:02:72:D6:6A:3F mode 0 +2012-07-19 13:24:44.056217 > HCI Event: Max Slots Change (0x1b) plen 3 + handle 42 slots 5 +2012-07-19 13:24:44.059218 > HCI Event: Command Status (0x0f) plen 4 + Read Remote Supported Features (0x01|0x001b) status 0x00 ncmd 0 +2012-07-19 13:24:44.062192 > HCI Event: Command Status (0x0f) plen 4 + Unknown (0x00|0x0000) status 0x00 ncmd 1 +2012-07-19 13:24:44.067219 > HCI Event: Read Remote Supported Features (0x0b) plen 11 + status 0x00 handle 42 + Features: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87 +2012-07-19 13:24:44.067248 < HCI Command: Read Remote Extended Features (0x01|0x001c) plen 3 + handle 42 page 1 +2012-07-19 13:24:44.071217 > HCI Event: Command Status (0x0f) plen 4 + Read Remote Extended Features (0x01|0x001c) status 0x00 ncmd 1 +2012-07-19 13:24:44.076218 > HCI Event: Read Remote Extended Features (0x23) plen 13 + status 0x00 handle 42 page 1 max 1 + Features: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +2012-07-19 13:24:44.076249 < HCI Command: Remote Name Request (0x01|0x0019) plen 10 + bdaddr 00:02:72:D6:6A:3F mode 2 clkoffset 0x0000 +2012-07-19 13:24:44.081218 > HCI Event: Command Status (0x0f) plen 4 + Remote Name Request (0x01|0x0019) status 
0x00 ncmd 1 +2012-07-19 13:24:44.105214 > HCI Event: Remote Name Req Complete (0x07) plen 255 + status 0x00 bdaddr 00:02:72:D6:6A:3F name 'uw000951-0' +2012-07-19 13:24:44.105284 < HCI Command: Authentication Requested (0x01|0x0011) plen 2 + handle 42 +2012-07-19 13:24:44.111207 > HCI Event: Command Status (0x0f) plen 4 + Authentication Requested (0x01|0x0011) status 0x00 ncmd 1 +2012-07-19 13:24:44.112220 > HCI Event: Link Key Request (0x17) plen 6 + bdaddr 00:02:72:D6:6A:3F +2012-07-19 13:24:44.112249 < HCI Command: Link Key Request Negative Reply (0x01|0x000c) plen 6 + bdaddr 00:02:72:D6:6A:3F +2012-07-19 13:24:44.115215 > HCI Event: Command Complete (0x0e) plen 10 + Link Key Request Negative Reply (0x01|0x000c) ncmd 1 + status 0x00 bdaddr 00:02:72:D6:6A:3F +2012-07-19 13:24:44.116215 > HCI Event: PIN Code Request (0x16) plen 6 + bdaddr 00:02:72:D6:6A:3F +2012-07-19 13:24:48.099184 > HCI Event: Auth Complete (0x06) plen 3 + status 0x13 handle 42 + Error: Remote User Terminated Connection +2012-07-19 13:24:48.179182 > HCI Event: Disconn Complete (0x05) plen 4 + status 0x00 handle 42 reason 0x13 + Reason: Remote User Terminated Connection + +Signed-off-by: Szymon Janc +Acked-by: Johan Hedberg +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 7 ++++++- + net/bluetooth/l2cap_core.c | 1 + + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1783,7 +1783,12 @@ static inline void hci_conn_complete_evt + if (conn->type == ACL_LINK) { + conn->state = BT_CONFIG; + hci_conn_hold(conn); +- conn->disc_timeout = HCI_DISCONN_TIMEOUT; ++ ++ if (!conn->out && !hci_conn_ssp_enabled(conn) && ++ !hci_find_link_key(hdev, &ev->bdaddr)) ++ conn->disc_timeout = HCI_PAIRING_TIMEOUT; ++ else ++ conn->disc_timeout = HCI_DISCONN_TIMEOUT; + } else + conn->state = BT_CONNECTED; + +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -1163,6 +1163,7 @@ 
static void l2cap_le_conn_ready(struct l + sk = chan->sk; + + hci_conn_hold(conn->hcon); ++ conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT; + + bacpy(&bt_sk(sk)->src, conn->src); + bacpy(&bt_sk(sk)->dst, conn->dst); diff --git a/queue-3.5/bluetooth-fix-using-a-null-inquiry-cache-entry.patch b/queue-3.5/bluetooth-fix-using-a-null-inquiry-cache-entry.patch new file mode 100644 index 00000000000..19088f92399 --- /dev/null +++ b/queue-3.5/bluetooth-fix-using-a-null-inquiry-cache-entry.patch 
@@ -0,0 +1,51 @@ +From 7cc8380eb10347016d95bf6f9d842c2ae6d12932 Mon Sep 17 00:00:00 2001 +From: Ram Malovany +Date: Thu, 19 Jul 2012 10:26:10 +0300 +Subject: Bluetooth: Fix using a NULL inquiry cache entry + +From: Ram Malovany + +commit 7cc8380eb10347016d95bf6f9d842c2ae6d12932 upstream. + +If the device was not found in a list of found devices names of which +are pending.This may happen in a case when HCI Remote Name Request +was sent as a part of incoming connection establishment procedure. +Hence there is no need to continue resolving a next name as it will +be done upon receiving another Remote Name Request Complete Event. +This will fix a kernel crash when trying to use this entry to resolve +the next name. + +Signed-off-by: Ram Malovany +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1406,12 +1406,18 @@ static void hci_check_pending_name(struc + return; + + e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); +- if (e) { ++ /* If the device was not found in a list of found devices names of which ++ * are pending. there is no need to continue resolving a next name as it ++ * will be done upon receiving another Remote Name Request Complete ++ * Event */ ++ if (!e) ++ return; ++ ++ list_del(&e->list); ++ if (name) { + e->name_state = NAME_KNOWN; +- list_del(&e->list); +- if (name) +- mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, +- e->data.rssi, name, name_len); ++ mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, ++ e->data.rssi, name, name_len); + } + + if (hci_resolve_next_name(hdev)) diff --git a/queue-3.5/bluetooth-fix-using-null-inquiry-entry.patch b/queue-3.5/bluetooth-fix-using-null-inquiry-entry.patch new file mode 100644 index 00000000000..223e8df2ebd --- /dev/null +++ b/queue-3.5/bluetooth-fix-using-null-inquiry-entry.patch 
@@ -0,0 +1,33 @@ +From c810089c27e48b816181b454fcc493d19fdbc2ba Mon Sep 17 00:00:00 2001 +From: Ram Malovany +Date: Thu, 19 Jul 2012 10:26:09 +0300 +Subject: Bluetooth: Fix using NULL inquiry entry + +From: Ram Malovany + +commit c810089c27e48b816181b454fcc493d19fdbc2ba upstream. + +If entry wasn't found in the hci_inquiry_cache_lookup_resolve do not +resolve the name.This will fix a kernel crash when trying to use NULL +pointer. + +Signed-off-by: Ram Malovany +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1375,6 +1375,9 @@ static bool hci_resolve_next_name(struct + return false; + + e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); ++ if (!e) ++ return false; ++ + if (hci_resolve_name(hdev, e) == 0) { + e->name_state = NAME_PENDING; + return true; diff --git a/queue-3.5/bluetooth-set-name_state-to-unknown-when-entry-name-is-empty.patch b/queue-3.5/bluetooth-set-name_state-to-unknown-when-entry-name-is-empty.patch new file mode 100644 index 00000000000..698c59d0cf8 --- /dev/null +++ b/queue-3.5/bluetooth-set-name_state-to-unknown-when-entry-name-is-empty.patch 
@@ -0,0 +1,31 @@ +From c3e7c0d90b14a3e7ac091d24cef09efb516d587b Mon Sep 17 00:00:00 2001 +From: Ram Malovany +Date: Thu, 19 Jul 2012 10:26:11 +0300 +Subject: Bluetooth: Set name_state to unknown when entry name is empty + +From: Ram Malovany + +commit c3e7c0d90b14a3e7ac091d24cef09efb516d587b upstream. + +When the name of the given entry is empty , the state needs to be +updated accordingly. + +Signed-off-by: Ram Malovany +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1418,6 +1418,8 @@ static void hci_check_pending_name(struc + e->name_state = NAME_KNOWN; + mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, + e->data.rssi, name, name_len); ++ } else { ++ e->name_state = NAME_NOT_KNOWN; + } + + if (hci_resolve_next_name(hdev)) diff --git a/queue-3.5/series b/queue-3.5/series index daca5a88281..ab2943fe944 100644 --- a/queue-3.5/series +++ b/queue-3.5/series @@ -33,3 +33,9 @@ nfsv4.1-remove-a-bogus-bug_on-in-nfs4_layoutreturn_done.patch nfs-clear-key-construction-data-if-the-idmap-upcall-fails.patch nfs-return-enokey-when-the-upcall-fails-to-map-the-name.patch nfsd4-fix-security-flavor-of-nfsv4.0-callback.patch +ubifs-fix-crash-on-error-path.patch +ubifs-fix-complaints-about-too-small-debug-buffer-size.patch +bluetooth-fix-using-null-inquiry-entry.patch +bluetooth-fix-using-a-null-inquiry-cache-entry.patch +bluetooth-set-name_state-to-unknown-when-entry-name-is-empty.patch +bluetooth-fix-legacy-pairing-with-some-devices.patch diff --git a/queue-3.5/ubifs-fix-complaints-about-too-small-debug-buffer-size.patch b/queue-3.5/ubifs-fix-complaints-about-too-small-debug-buffer-size.patch new file mode 100644 index 00000000000..3107f72e793 --- /dev/null +++ b/queue-3.5/ubifs-fix-complaints-about-too-small-debug-buffer-size.patch 
@@ -0,0 +1,41 @@ +From 65b455b123c7e2b835a0b7148f9bae584f95000e Mon Sep 17 00:00:00 2001 +From: Artem Bityutskiy +Date: Tue, 21 Aug 2012 21:50:58 +0300 +Subject: UBIFS: fix complaints about too small debug buffer size + +From: Artem Bityutskiy + +commit 65b455b123c7e2b835a0b7148f9bae584f95000e upstream. + +When debugging is enabled, we use a temporary on-stack buffer for formatting +the key strings like "(11368871, direntry, 0xcd0750)". The buffer size is +32 bytes and sometimes it is not enough to fit the key string - e.g., when +inode numbers are high. This is not fatal, but the key strings are incomplete +and UBIFS complains like this: + + UBIFS assert failed in dbg_snprintf_key at 137 (pid 1) + +This is a regression caused by "515315a UBIFS: fix key printing". + +Fix the issue by increasing the buffer to 48 bytes. + +Reported-by: Michael Hench +Signed-off-by: Artem Bityutskiy +Tested-by: Michael Hench +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/debug.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ubifs/debug.h ++++ b/fs/ubifs/debug.h +@@ -162,7 +162,7 @@ struct ubifs_global_debug_info { + #define ubifs_dbg_msg(type, fmt, ...) \ + pr_debug("UBIFS DBG " type ": " fmt "\n", ##__VA_ARGS__) + +-#define DBG_KEY_BUF_LEN 32 ++#define DBG_KEY_BUF_LEN 48 + #define ubifs_dbg_msg_key(type, key, fmt, ...) do { \ + char __tmp_key_buf[DBG_KEY_BUF_LEN]; \ + pr_debug("UBIFS DBG " type ": " fmt "%s\n", ##__VA_ARGS__, \ diff --git a/queue-3.5/ubifs-fix-crash-on-error-path.patch b/queue-3.5/ubifs-fix-crash-on-error-path.patch new file mode 100644 index 00000000000..eb01981e34c --- /dev/null +++ b/queue-3.5/ubifs-fix-crash-on-error-path.patch 
@@ -0,0 +1,38 @@ +From 11e3be0be2a1314e0861304857e7efcaed5d3e54 Mon Sep 17 00:00:00 2001 +From: Artem Bityutskiy +Date: Mon, 20 Aug 2012 15:16:24 +0300 +Subject: UBIFS: fix crash on error path + +From: Artem Bityutskiy + +commit 11e3be0be2a1314e0861304857e7efcaed5d3e54 upstream. + +This patch fixes a regression introduced by +"4994297 UBIFS: make ubifs_lpt_init clean-up in case of failure" which +I've hit while running the 'integck -p' test. When remount the file-system +from R/O mode to R/W mode and 'lpt_init_wr()' fails, we free _all_ LPT +resources by calling 'ubifs_lpt_free(c, 0)', even those needed for R/O +mode. This leads to subsequent crashes, e.g., if we try to unmount +the file-system. + +Signed-off-by: Artem Bityutskiy +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/lpt.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/ubifs/lpt.c ++++ b/fs/ubifs/lpt.c +@@ -1749,7 +1749,10 @@ int ubifs_lpt_init(struct ubifs_info *c, + return 0; + + out_err: +- ubifs_lpt_free(c, 0); ++ if (wr) ++ ubifs_lpt_free(c, 1); ++ if (rd) ++ ubifs_lpt_free(c, 0); + return err; + } +
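Review bot: in the hci_conn_complete_evt hunk of bluetooth-fix-legacy-pairing-with-some-devices.patch, the new three-part condition carries no comment, and it lengthens the idle lifetime of the least trusted links: incoming (`!conn->out`), no SSP, and no stored link key. The reason is given only in the commit message (PIN Code Request arrives only after the remote user has entered the PIN). A short comment above the `if` saying so would stop a later cleanup from collapsing it back to the single `conn->disc_timeout = HCI_DISCONN_TIMEOUT;` assignment. The changelog should also state that an unpaired peer can now keep an ACL link open for HCI_PAIRING_TIMEOUT without opening any L2CAP channel, so the trade-off is visible to whoever tunes that constant.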
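Review bot: in the l2cap_core.c hunk of the same patch, the hunk header names l2cap_le_conn_ready as the enclosing context for `conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;`, while the commit message describes a legacy PIN pairing case and says the timeout is set back "when L2CAP is connected". Please confirm that this line is reached for the ACL connections whose timeout the hci_event.c hunk raised. If it is not, those links keep HCI_PAIRING_TIMEOUT after the SDP search, which is the outcome the commit message says it wants to avoid.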
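Review bot: in the hci_check_pending_name hunk of bluetooth-fix-using-a-null-inquiry-cache-entry.patch, the `name == NULL` path now runs `list_del(&e->list);` but no longer touches `e->name_state`, so the entry is unlinked while still carrying whatever state it had when it was looked up with NAME_PENDING. The old code set NAME_KNOWN in that case. The else branch added by bluetooth-set-name_state-to-unknown-when-entry-name-is-empty.patch closes this gap, so the two patches should be applied together and never backported separately. Two smaller points: the early `return` on `!e` also skips the `hci_resolve_next_name(hdev)` call below, which the commit message says is intended, and the new block comment reads "pending. there is no need", which should be reworded into one clean sentence.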
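Review bot: in the hci_resolve_next_name hunk of bluetooth-fix-using-null-inquiry-entry.patch, the `if (!e) return false;` guard is correctly placed ahead of both uses of `e` (the `hci_resolve_name(hdev, e)` call and `e->name_state = NAME_PENDING;`), but neither the hunk nor the commit message says when the NAME_NEEDED lookup can come back empty. The commit message mentions a kernel crash without a trace or reproduction. One sentence on the triggering sequence, or a one-line comment above the check, would let stable reviewers tell whether remote input alone can reach this path.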
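Review bot: the `else` branch added in the hci_check_pending_name hunk of bluetooth-set-name_state-to-unknown-when-entry-name-is-empty.patch only applies on top of the `if (name) {` block introduced by bluetooth-fix-using-a-null-inquiry-cache-entry.patch, so the order in the series file matters. The series hunk on this page does list them in that order. The commit message says the state "needs to be updated accordingly" without stating what goes wrong when it is left alone. A sentence on the observable effect of a stale state would justify the stable backport.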
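Review bot: in the fs/ubifs/debug.h hunk, `#define DBG_KEY_BUF_LEN 48` replaces one magic number with another, and neither the hunk nor the commit message derives 48 from the longest key string the formatter can produce. The commit message gives "(11368871, direntry, 0xcd0750)" as an example and says 32 bytes fails for high inode numbers, which shows that 32 is too small but not that 48 is sufficient. Since `__tmp_key_buf` is an on-stack buffer declared inside the `ubifs_dbg_msg_key` macro, please add a comment next to the define that spells out the worst-case format and its length, so that a change to the key format is checked against this size and does not re-trigger the assertion in dbg_snprintf_key.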
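Review bot: in the `out_err:` path of the ubifs_lpt_init hunk, a call with both `wr` and `rd` set now runs `ubifs_lpt_free(c, 1);` followed by `ubifs_lpt_free(c, 0);`, and the commit message says the second form frees all LPT resources. This is only safe if ubifs_lpt_free clears each pointer after freeing it, or otherwise tolerates being called twice on the write-only resources. Please confirm that and say so in a comment above the two `if` statements. Alternatively, make the branches exclusive so that the `rd` case alone performs the full free.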