From 8da558334791c01b12a2f7dfcb735a915c55816c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 3 Aug 2017 12:38:57 -0700
Subject: [PATCH] 3.18-stable patches

added patches:
bluetooth-bnep-bnep_add_connection-should-verify-that-it-s-dealing-with-l2cap-socket.patch
bluetooth-fix-potential-null-dereference.patch
staging-comedi-comedi_fops-avoid-orphaned-proc-entry.patch
---
 ...-that-it-s-dealing-with-l2cap-socket.patch | 31 ++++++++++++++
 ...tooth-fix-potential-null-dereference.patch | 42 +++++++++++++++++++
 queue-3.18/series | 3 ++
 ...omedi_fops-avoid-orphaned-proc-entry.patch | 42 +++++++++++++++++++
 4 files changed, 118 insertions(+)
 create mode 100644 queue-3.18/bluetooth-bnep-bnep_add_connection-should-verify-that-it-s-dealing-with-l2cap-socket.patch
 create mode 100644 queue-3.18/bluetooth-fix-potential-null-dereference.patch
 create mode 100644 queue-3.18/staging-comedi-comedi_fops-avoid-orphaned-proc-entry.patch

diff --git a/queue-3.18/bluetooth-bnep-bnep_add_connection-should-verify-that-it-s-dealing-with-l2cap-socket.patch b/queue-3.18/bluetooth-bnep-bnep_add_connection-should-verify-that-it-s-dealing-with-l2cap-socket.patch
new file mode 100644
index 00000000000..ffaf8e31cb6
--- /dev/null
+++ b/queue-3.18/bluetooth-bnep-bnep_add_connection-should-verify-that-it-s-dealing-with-l2cap-socket.patch
@@ -0,0 +1,31 @@
+From 71bb99a02b32b4cc4265118e85f6035ca72923f0 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Fri, 19 Dec 2014 06:20:59 +0000
+Subject: Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket
+
+From: Al Viro
+
+commit 71bb99a02b32b4cc4265118e85f6035ca72923f0 upstream.
+
+same story as cmtp
+
+Signed-off-by: Al Viro
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/bnep/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/bnep/core.c
++++ b/net/bluetooth/bnep/core.c
+@@ -533,6 +533,9 @@ int bnep_add_connection(struct bnep_conn
+
+ BT_DBG("");
+
++ if (!l2cap_is_socket(sock))
++ return -EBADFD;
++
+ baswap((void *) dst, &l2cap_pi(sock->sk)->chan->dst);
+ baswap((void *) src, &l2cap_pi(sock->sk)->chan->src);
+
diff --git a/queue-3.18/bluetooth-fix-potential-null-dereference.patch b/queue-3.18/bluetooth-fix-potential-null-dereference.patch
new file mode 100644
index 00000000000..aad96dec038
--- /dev/null
+++ b/queue-3.18/bluetooth-fix-potential-null-dereference.patch
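Review bot: The added `l2cap_is_socket(sock)` guard in bnep_add_connection() carries no comment, and the commit text ("same story as cmtp") does not say what it protects. The two `l2cap_pi(sock->sk)` uses right after it treat the socket's private data as L2CAP state, so a socket of any other type has to be rejected before that point. A one-line comment such as `/* l2cap_pi() is only valid on L2CAP sockets; reject anything else before the casts below */` would keep a later refactor from moving the check below them. The function starts and ends outside the hunk, so any further validation of the socket (for example its connection state) cannot be judged from here.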
@@ -0,0 +1,42 @@
+From 88d9077c27d0c1a7c022d9dc987640beecf23560 Mon Sep 17 00:00:00 2001
+From: Johan Hedberg
+Date: Tue, 3 Feb 2015 10:01:13 +0200
+Subject: Bluetooth: Fix potential NULL dereference
+
+From: Johan Hedberg
+
+commit 88d9077c27d0c1a7c022d9dc987640beecf23560 upstream.
+
+The bnep_get_device function may be triggered by an ioctl just after a
+connection has gone down. In such a case the respective L2CAP chan->conn
+pointer will get set to NULL (by l2cap_chan_del). This patch adds a
+missing NULL check for this case in the bnep_get_device() function.
+
+Reported-by: Patrik Flykt
+Signed-off-by: Johan Hedberg
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/bnep/core.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/net/bluetooth/bnep/core.c
++++ b/net/bluetooth/bnep/core.c
+@@ -511,13 +511,12 @@ static int bnep_session(void *arg)
+
+ static struct device *bnep_get_device(struct bnep_session *session)
+ {
+- struct hci_conn *conn;
++ struct l2cap_conn *conn = l2cap_pi(session->sock->sk)->chan->conn;
+
+- conn = l2cap_pi(session->sock->sk)->chan->conn->hcon;
+- if (!conn)
++ if (!conn || !conn->hcon)
+ return NULL;
+
+- return &conn->dev;
++ return &conn->hcon->dev;
+ }
+
+ static struct device_type bnep_type = {
diff --git a/queue-3.18/series b/queue-3.18/series
index f7cba9ffa0f..dc6974bd76a 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -8,3 +8,6 @@ kvm-ppc-book3s-hv-restore-critical-sprs-to-host-values-on-guest-exit.patch
 kvm-ppc-book3s-hv-reload-htm-registers-explicitly.patch
 kvm-ppc-book3s-hv-save-restore-host-values-of-debug-registers.patch
 revert-powerpc-numa-fix-percpu-allocations-to-be-numa-aware.patch
+staging-comedi-comedi_fops-avoid-orphaned-proc-entry.patch
+bluetooth-bnep-bnep_add_connection-should-verify-that-it-s-dealing-with-l2cap-socket.patch
+bluetooth-fix-potential-null-dereference.patch
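Review bot: In the rewritten bnep_get_device(), `conn->hcon` is loaded once for the NULL test and again for the return value, and the function, which is fully visible in this hunk, takes no lock or reference in between. The commit text says `chan->conn` is cleared by l2cap_chan_del() while an ioctl may be calling this function, so the check is only reliable if something outside the hunk serialises the two; that assumption deserves a comment naming the lock the caller is expected to hold. Reading the pointer once would also narrow the window: `struct hci_conn *hcon = conn ? conn->hcon : NULL;` followed by `return hcon ? &hcon->dev : NULL;`.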
diff --git a/queue-3.18/staging-comedi-comedi_fops-avoid-orphaned-proc-entry.patch b/queue-3.18/staging-comedi-comedi_fops-avoid-orphaned-proc-entry.patch
new file mode 100644
index 00000000000..cc7cc354717
--- /dev/null
+++ b/queue-3.18/staging-comedi-comedi_fops-avoid-orphaned-proc-entry.patch
@@ -0,0 +1,42 @@
+From bf279ece37d2a3eaaa9813fcd7a1d8a81eb29c20 Mon Sep 17 00:00:00 2001
+From: Cheah Kok Cheong
+Date: Fri, 30 Dec 2016 19:25:52 +0800
+Subject: Staging: comedi: comedi_fops: Avoid orphaned proc entry
+
+From: Cheah Kok Cheong
+
+commit bf279ece37d2a3eaaa9813fcd7a1d8a81eb29c20 upstream.
+
+Move comedi_proc_init to the end to avoid orphaned proc entry
+if module loading failed.
+
+Signed-off-by: Cheah Kok Cheong
+Reviewed-by: Ian Abbott
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/comedi_fops.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -2590,9 +2590,6 @@ static int __init comedi_init(void)
+
+ comedi_class->dev_groups = comedi_dev_groups;
+
+- /* XXX requires /proc interface */
+- comedi_proc_init();
+-
+ /* create devices files for legacy/manual use */
+ for (i = 0; i < comedi_num_legacy_minors; i++) {
+ struct comedi_device *dev;
+@@ -2610,6 +2607,9 @@ static int __init comedi_init(void)
+ mutex_unlock(&dev->mutex);
+ }
+
++ /* XXX requires /proc interface */
++ comedi_proc_init();
++
+ return 0;
+ }
+ module_init(comedi_init);
--
2.47.3
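Review bot: The relocated `comedi_proc_init()` call in comedi_init() keeps the old comment `/* XXX requires /proc interface */`, which does not say why the call now has to come last. The ordering is the whole fix: per the commit text, a failure exit taken after the /proc entry was created would leave it orphaned. A comment such as `/* keep last: nothing after this point can fail, so no error path has to remove the /proc entry */` would stop a later change from adding a failing step after it. The start of comedi_init() and its error paths are outside the hunk, so whether any of them would otherwise clean up the entry cannot be checked from here.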