3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 3 Aug 2017 19:38:57 +0000 (12:38 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 3 Aug 2017 19:38:57 +0000 (12:38 -0700)
added patches:
bluetooth-bnep-bnep_add_connection-should-verify-that-it-s-dealing-with-l2cap-socket.patch
bluetooth-fix-potential-null-dereference.patch
staging-comedi-comedi_fops-avoid-orphaned-proc-entry.patch

queue-3.18/bluetooth-bnep-bnep_add_connection-should-verify-that-it-s-dealing-with-l2cap-socket.patch [new file with mode: 0644]
queue-3.18/bluetooth-fix-potential-null-dereference.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/staging-comedi-comedi_fops-avoid-orphaned-proc-entry.patch [new file with mode: 0644]

diff --git a/queue-3.18/bluetooth-bnep-bnep_add_connection-should-verify-that-it-s-dealing-with-l2cap-socket.patch b/queue-3.18/bluetooth-bnep-bnep_add_connection-should-verify-that-it-s-dealing-with-l2cap-socket.patch
new file mode 100644 (file)
index 0000000..ffaf8e3
--- /dev/null
@@ -0,0 +1,31 @@
+From 71bb99a02b32b4cc4265118e85f6035ca72923f0 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 19 Dec 2014 06:20:59 +0000
+Subject: Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 71bb99a02b32b4cc4265118e85f6035ca72923f0 upstream.
+
+same story as cmtp
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/bnep/core.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/bnep/core.c
++++ b/net/bluetooth/bnep/core.c
+@@ -533,6 +533,9 @@ int bnep_add_connection(struct bnep_conn
+       BT_DBG("");
++      if (!l2cap_is_socket(sock))
++              return -EBADFD;
++
+       baswap((void *) dst, &l2cap_pi(sock->sk)->chan->dst);
+       baswap((void *) src, &l2cap_pi(sock->sk)->chan->src);
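Review bot: The added `l2cap_is_socket(sock)` check in bnep_add_connection() has no comment, and the commit message ("same story as cmtp") does not say why it is needed. The two baswap() lines right after it go through `l2cap_pi(sock->sk)->chan`, which is only meaningful when sock really is an L2CAP socket. A short comment above the check would record that: `/* l2cap_pi() below assumes an L2CAP socket; reject anything else before touching ->chan */`. The function starts and ends outside the hunk, so it cannot be confirmed from here that the caller drops its reference to sock on the new -EBADFD return; that is worth checking in the 3.18 tree.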
diff --git a/queue-3.18/bluetooth-fix-potential-null-dereference.patch b/queue-3.18/bluetooth-fix-potential-null-dereference.patch
new file mode 100644 (file)
index 0000000..aad96de
--- /dev/null
@@ -0,0 +1,42 @@
+From 88d9077c27d0c1a7c022d9dc987640beecf23560 Mon Sep 17 00:00:00 2001
+From: Johan Hedberg <johan.hedberg@intel.com>
+Date: Tue, 3 Feb 2015 10:01:13 +0200
+Subject: Bluetooth: Fix potential NULL dereference
+
+From: Johan Hedberg <johan.hedberg@intel.com>
+
+commit 88d9077c27d0c1a7c022d9dc987640beecf23560 upstream.
+
+The bnep_get_device function may be triggered by an ioctl just after a
+connection has gone down. In such a case the respective L2CAP chan->conn
+pointer will get set to NULL (by l2cap_chan_del). This patch adds a
+missing NULL check for this case in the bnep_get_device() function.
+
+Reported-by: Patrik Flykt <patrik.flykt@linux.intel.com>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/bnep/core.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/net/bluetooth/bnep/core.c
++++ b/net/bluetooth/bnep/core.c
+@@ -511,13 +511,12 @@ static int bnep_session(void *arg)
+ static struct device *bnep_get_device(struct bnep_session *session)
+ {
+-      struct hci_conn *conn;
++      struct l2cap_conn *conn = l2cap_pi(session->sock->sk)->chan->conn;
+-      conn = l2cap_pi(session->sock->sk)->chan->conn->hcon;
+-      if (!conn)
++      if (!conn || !conn->hcon)
+               return NULL;
+-      return &conn->dev;
++      return &conn->hcon->dev;
+ }
+ static struct device_type bnep_type = {
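Review bot: In bnep_get_device() the new code loads `chan->conn` once and tests it, but nothing in the hunk shows a lock or reference that keeps the l2cap_conn alive between that load and the `&conn->hcon->dev` return. The commit message says l2cap_chan_del() clears the pointer when the connection goes down, which presumably can happen concurrently with the ioctl path. If so, the check closes the NULL dereference but possibly not a stale-pointer window. `conn->hcon` is also read twice, once in the test and once in the return. If a lock held by the caller covers this, a comment should say so, e.g. `/* caller holds <lock>; chan->conn may be cleared by l2cap_chan_del() */`; otherwise check what pins conn here in the 3.18 backport.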
index f7cba9ffa0ffd5ccd210a731f0839b9c15bd3637..dc6974bd76a0a8ef6a2b49fb267fecfc6dd52757 100644 (file)
@@ -8,3 +8,6 @@ kvm-ppc-book3s-hv-restore-critical-sprs-to-host-values-on-guest-exit.patch
 kvm-ppc-book3s-hv-reload-htm-registers-explicitly.patch
 kvm-ppc-book3s-hv-save-restore-host-values-of-debug-registers.patch
 revert-powerpc-numa-fix-percpu-allocations-to-be-numa-aware.patch
+staging-comedi-comedi_fops-avoid-orphaned-proc-entry.patch
+bluetooth-bnep-bnep_add_connection-should-verify-that-it-s-dealing-with-l2cap-socket.patch
+bluetooth-fix-potential-null-dereference.patch
diff --git a/queue-3.18/staging-comedi-comedi_fops-avoid-orphaned-proc-entry.patch b/queue-3.18/staging-comedi-comedi_fops-avoid-orphaned-proc-entry.patch
new file mode 100644 (file)
index 0000000..cc7cc35
--- /dev/null
@@ -0,0 +1,42 @@
+From bf279ece37d2a3eaaa9813fcd7a1d8a81eb29c20 Mon Sep 17 00:00:00 2001
+From: Cheah Kok Cheong <thrust73@gmail.com>
+Date: Fri, 30 Dec 2016 19:25:52 +0800
+Subject: Staging: comedi: comedi_fops: Avoid orphaned proc entry
+
+From: Cheah Kok Cheong <thrust73@gmail.com>
+
+commit bf279ece37d2a3eaaa9813fcd7a1d8a81eb29c20 upstream.
+
+Move comedi_proc_init to the end to avoid orphaned proc entry
+if module loading failed.
+
+Signed-off-by: Cheah Kok Cheong <thrust73@gmail.com>
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/comedi_fops.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -2590,9 +2590,6 @@ static int __init comedi_init(void)
+       comedi_class->dev_groups = comedi_dev_groups;
+-      /* XXX requires /proc interface */
+-      comedi_proc_init();
+-
+       /* create devices files for legacy/manual use */
+       for (i = 0; i < comedi_num_legacy_minors; i++) {
+               struct comedi_device *dev;
+@@ -2610,6 +2607,9 @@ static int __init comedi_init(void)
+               mutex_unlock(&dev->mutex);
+       }
++      /* XXX requires /proc interface */
++      comedi_proc_init();
++
+       return 0;
+ }
+ module_init(comedi_init);
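Review bot: The relocated call in comedi_init() keeps the old comment `/* XXX requires /proc interface */`, which says nothing about why the call now has to sit after the legacy-minor loop. The ordering is the whole fix, so a comment such as `/* keep last: a failure above must not leave the /proc entry behind */` would stop a later cleanup from moving it back. Only part of the function body is visible in the two inner hunks, so the failing returns that this ordering protects against are not shown here.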