From cb9069b500e8333c68084e5320bf3323d4550f68 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 7 Jul 2014 11:59:51 -0700
Subject: [PATCH] 3.14-stable patches

added patches:
	bluetooth-allow-change-security-level-on-att_cid-in-slave-role.patch
	bluetooth-fix-locking-of-hdev-when-calling-into-smp-code.patch
---
 ...urity-level-on-att_cid-in-slave-role.patch | 35 ++++++++++++++++
 ...g-of-hdev-when-calling-into-smp-code.patch | 40 +++++++++++++++++++
 queue-3.14/series                             |  2 +
 3 files changed, 77 insertions(+)
 create mode 100644 queue-3.14/bluetooth-allow-change-security-level-on-att_cid-in-slave-role.patch
 create mode 100644 queue-3.14/bluetooth-fix-locking-of-hdev-when-calling-into-smp-code.patch

diff --git a/queue-3.14/bluetooth-allow-change-security-level-on-att_cid-in-slave-role.patch b/queue-3.14/bluetooth-allow-change-security-level-on-att_cid-in-slave-role.patch
new file mode 100644
index 00000000000..e2a2f19b4cd
--- /dev/null
+++ b/queue-3.14/bluetooth-allow-change-security-level-on-att_cid-in-slave-role.patch
@@ -0,0 +1,35 @@
+From 92d1372e1a9fec00e146b74e8b9ad7a385b9b37f Mon Sep 17 00:00:00 2001
+From: Marcin Kraglak <marcin.kraglak@tieto.com>
+Date: Fri, 13 Jun 2014 14:08:22 +0200
+Subject: Bluetooth: Allow change security level on ATT_CID in slave role
+
+From: Marcin Kraglak <marcin.kraglak@tieto.com>
+
+commit 92d1372e1a9fec00e146b74e8b9ad7a385b9b37f upstream.
+
+Kernel supports SMP Security Request so don't block increasing security
+when we are slave.
+
+Signed-off-by: Marcin Kraglak <marcin.kraglak@tieto.com>
+Acked-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/l2cap_sock.c |    5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -778,11 +778,6 @@ static int l2cap_sock_setsockopt(struct
+ 
+ 		/*change security for LE channels */
+ 		if (chan->scid == L2CAP_CID_ATT) {
+-			if (!conn->hcon->out) {
+-				err = -EINVAL;
+-				break;
+-			}
+-
+ 			if (smp_conn_security(conn->hcon, sec.level))
+ 				break;
+ 			sk->sk_state = BT_CONFIG;
diff --git a/queue-3.14/bluetooth-fix-locking-of-hdev-when-calling-into-smp-code.patch b/queue-3.14/bluetooth-fix-locking-of-hdev-when-calling-into-smp-code.patch
new file mode 100644
index 00000000000..19e3ff3fb0d
--- /dev/null
+++ b/queue-3.14/bluetooth-fix-locking-of-hdev-when-calling-into-smp-code.patch
@@ -0,0 +1,40 @@
+From c73f94b8c093a615ce80eabbde0ac6eb9abfe31a Mon Sep 17 00:00:00 2001
+From: Johan Hedberg <johan.hedberg@intel.com>
+Date: Fri, 13 Jun 2014 10:22:28 +0300
+Subject: Bluetooth: Fix locking of hdev when calling into SMP code
+
+From: Johan Hedberg <johan.hedberg@intel.com>
+
+commit c73f94b8c093a615ce80eabbde0ac6eb9abfe31a upstream.
+
+The SMP code expects hdev to be unlocked since e.g. crypto functions
+will try to (re)lock it. Therefore, we need to release the lock before
+calling into smp.c from mgmt.c. Without this we risk a deadlock whenever
+the smp_user_confirm_reply() function is called.
+
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Tested-by: Lukasz Rymanowski <lukasz.rymanowski@tieto.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/mgmt.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2826,8 +2826,13 @@ static int user_pairing_resp(struct sock
+ 	}
+ 
+ 	if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
+-		/* Continue with pairing via SMP */
++		/* Continue with pairing via SMP. The hdev lock must be
++		 * released as SMP may try to recquire it for crypto
++		 * purposes.
++		 */
++		hci_dev_unlock(hdev);
+ 		err = smp_user_confirm_reply(conn, mgmt_op, passkey);
++		hci_dev_lock(hdev);
+ 
+ 		if (!err)
+ 			err = cmd_complete(sk, hdev->id, mgmt_op,
diff --git a/queue-3.14/series b/queue-3.14/series
index e47cb570025..8433997a41b 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -40,3 +40,5 @@ drm-vmwgfx-fix-incorrect-write-to-read-only-register-v2.patch
 bluetooth-fix-ssp-acceptor-just-works-confirmation-without-mitm.patch
 bluetooth-fix-check-for-connection-encryption.patch
 bluetooth-fix-indicating-discovery-state-when-canceling-inquiry.patch
+bluetooth-fix-locking-of-hdev-when-calling-into-smp-code.patch
+bluetooth-allow-change-security-level-on-att_cid-in-slave-role.patch
-- 
2.47.3