From 31cce96bc5d35af24f8976de7357d84183fe728c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 14 Nov 2019 13:49:20 +0800
Subject: [PATCH] 4.9-stable patches

added patches:
bluetooth-hci_ldisc-postpone-hci_uart_proto_ready-bit-set-in-hci_uart_set_proto.patch

---
 ..._ready-bit-set-in-hci_uart_set_proto.patch | 58 +++++++++++++++++++
 ...ad-pdptes-when-paging-is-not-enabled.patch | 11 +---
 queue-4.9/series | 1 +
 3 files changed, 62 insertions(+), 8 deletions(-)
 create mode 100644 queue-4.9/bluetooth-hci_ldisc-postpone-hci_uart_proto_ready-bit-set-in-hci_uart_set_proto.patch

diff --git a/queue-4.9/bluetooth-hci_ldisc-postpone-hci_uart_proto_ready-bit-set-in-hci_uart_set_proto.patch b/queue-4.9/bluetooth-hci_ldisc-postpone-hci_uart_proto_ready-bit-set-in-hci_uart_set_proto.patch
new file mode 100644
index 00000000000..83caa85638b
--- /dev/null
+++ b/queue-4.9/bluetooth-hci_ldisc-postpone-hci_uart_proto_ready-bit-set-in-hci_uart_set_proto.patch
@@ -0,0 +1,58 @@
+From 56897b217a1d0a91c9920cb418d6b3fe922f590a Mon Sep 17 00:00:00 2001
+From: Kefeng Wang
+Date: Sat, 23 Feb 2019 12:33:27 +0800
+Subject: Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()
+
+From: Kefeng Wang
+
+commit 56897b217a1d0a91c9920cb418d6b3fe922f590a upstream.
+
+task A: task B:
+hci_uart_set_proto flush_to_ldisc
+ - p->open(hu) -> h5_open //alloc h5 - receive_buf
+ - set_bit HCI_UART_PROTO_READY - tty_port_default_receive_buf
+ - hci_uart_register_dev - tty_ldisc_receive_buf
+ - hci_uart_tty_receive
+ - test_bit HCI_UART_PROTO_READY
+ - h5_recv
+ - clear_bit HCI_UART_PROTO_READY while() {
+ - p->open(hu) -> h5_close //free h5
+ - h5_rx_3wire_hdr
+ - h5_reset() //use-after-free
+ }
+
+It could use ioctl to set hci uart proto, but there is
+a use-after-free issue when hci_uart_register_dev() fail in
+hci_uart_set_proto(), see stack above, fix this by setting
+HCI_UART_PROTO_READY bit only when hci_uart_register_dev()
+return success.
+
+Reported-by: syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com
+Signed-off-by: Kefeng Wang
+Reviewed-by: Jeremy Cline
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bluetooth/hci_ldisc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -653,15 +653,14 @@ static int hci_uart_set_proto(struct hci
+ return err;
+ 
+ hu->proto = p;
+- set_bit(HCI_UART_PROTO_READY, &hu->flags);
+ 
+ err = hci_uart_register_dev(hu);
+ if (err) {
+- clear_bit(HCI_UART_PROTO_READY, &hu->flags);
+ p->close(hu);
+ return err;
+ }
+ 
++ set_bit(HCI_UART_PROTO_READY, &hu->flags);
+ return 0;
+ }
+ 
diff --git a/queue-4.9/kvm-mmu-don-t-read-pdptes-when-paging-is-not-enabled.patch b/queue-4.9/kvm-mmu-don-t-read-pdptes-when-paging-is-not-enabled.patch
index 835e8948c20..108740f1b1b 100644
--- a/queue-4.9/kvm-mmu-don-t-read-pdptes-when-paging-is-not-enabled.patch
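Review bot: The moved `set_bit(HCI_UART_PROTO_READY, &hu->flags);` now runs only after hci_uart_register_dev() returns, so any transmit through hu->proto that registration itself triggers (for example device setup kicked off from hci_register_dev, if the 4.9 tree does that) would execute with the bit still clear, and if the senders in this tree gate on that flag those frames would be dropped rather than sent. That is inferred from the surrounding driver rather than from the hunk, so it should be confirmed against 4.9's hci_uart_register_dev() and hci_uart_tx_wakeup() before the patch is queued. The failure path itself is sound as written: with the bit never set, hci_uart_tty_receive() cannot reach p->recv() on the protocol state that p->close() frees. hci_uart_set_proto() begins above the hunk, so the earlier p->open() call and its error handling are not visible here.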
+++ b/queue-4.9/kvm-mmu-don-t-read-pdptes-when-paging-is-not-enabled.patch
@@ -15,14 +15,12 @@ Signed-off-by: Paolo Bonzini
 Signed-off-by: Sean Christopherson
 Signed-off-by: Sasha Levin
 ---
- arch/x86/kvm/x86.c | 4 ++--
+ arch/x86/kvm/x86.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 0b6517f5821be..384127a00328d 100644
 --- a/arch/x86/kvm/x86.c
 +++ b/arch/x86/kvm/x86.c
-@@ -587,7 +587,7 @@ static bool pdptrs_changed(struct kvm_vcpu *vcpu)
+@@ -587,7 +587,7 @@ static bool pdptrs_changed(struct kvm_vc
 gfn_t gfn;
 int r;
 
@@ -31,7 +29,7 @@ index 0b6517f5821be..384127a00328d 100644
 return false;
 
 if (!test_bit(VCPU_EXREG_PDPTR,
-@@ -7491,7 +7491,7 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
+@@ -7491,7 +7491,7 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct
 kvm_update_cpuid(vcpu);
 
 idx = srcu_read_lock(&vcpu->kvm->srcu);
@@ -40,6 +38,3 @@ index 0b6517f5821be..384127a00328d 100644
 load_pdptrs(vcpu, vcpu->arch.walk_mmu, kvm_read_cr3(vcpu));
 mmu_reset_needed = 1;
 }
--- 
-2.20.1
-
diff --git a/queue-4.9/series b/queue-4.9/series
index 684d9cc5ec5..1efe59d4615 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -1 +1,2 @@
 kvm-mmu-don-t-read-pdptes-when-paging-is-not-enabled.patch
+bluetooth-hci_ldisc-postpone-hci_uart_proto_ready-bit-set-in-hci_uart_set_proto.patch
-- 
2.47.3