From: Greg Kroah-Hartman Date: Mon, 7 Jul 2014 18:59:48 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.4.98~44 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=06ec26aa0476834f66dbc73a7b6380b7f136ab4e;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: bluetooth-fix-locking-of-hdev-when-calling-into-smp-code.patch --- diff --git a/queue-3.10/bluetooth-fix-locking-of-hdev-when-calling-into-smp-code.patch b/queue-3.10/bluetooth-fix-locking-of-hdev-when-calling-into-smp-code.patch new file mode 100644 index 00000000000..dc127d1c91f --- /dev/null +++ b/queue-3.10/bluetooth-fix-locking-of-hdev-when-calling-into-smp-code.patch 
@@ -0,0 +1,40 @@ +From c73f94b8c093a615ce80eabbde0ac6eb9abfe31a Mon Sep 17 00:00:00 2001 +From: Johan Hedberg +Date: Fri, 13 Jun 2014 10:22:28 +0300 +Subject: Bluetooth: Fix locking of hdev when calling into SMP code + +From: Johan Hedberg + +commit c73f94b8c093a615ce80eabbde0ac6eb9abfe31a upstream. + +The SMP code expects hdev to be unlocked since e.g. crypto functions +will try to (re)lock it. Therefore, we need to release the lock before +calling into smp.c from mgmt.c. Without this we risk a deadlock whenever +the smp_user_confirm_reply() function is called. + +Signed-off-by: Johan Hedberg +Tested-by: Lukasz Rymanowski +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/mgmt.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -2333,8 +2333,13 @@ static int user_pairing_resp(struct sock + } + + if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) { +- /* Continue with pairing via SMP */ ++ /* Continue with pairing via SMP. The hdev lock must be ++ * released as SMP may try to recquire it for crypto ++ * purposes. ++ */ ++ hci_dev_unlock(hdev); + err = smp_user_confirm_reply(conn, mgmt_op, passkey); ++ hci_dev_lock(hdev); + + if (!err) + err = cmd_complete(sk, hdev->id, mgmt_op, diff --git a/queue-3.10/series b/queue-3.10/series index 7f945f37441..70b2431aa61 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -20,3 +20,4 @@ drm-radeon-don-t-allow-radeon_gem_domain_cpu-for-command-submission.patch drm-vmwgfx-fix-incorrect-write-to-read-only-register-v2.patch bluetooth-fix-ssp-acceptor-just-works-confirmation-without-mitm.patch bluetooth-fix-check-for-connection-encryption.patch +bluetooth-fix-locking-of-hdev-when-calling-into-smp-code.patch
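
Review bot: In the user_pairing_resp() hunk of net/bluetooth/mgmt.c, conn is passed to smp_user_confirm_reply() after hci_dev_unlock(hdev), and nothing in the visible lines takes a reference on conn or re-validates it once hci_dev_lock(hdev) is reacquired. If conn was looked up under the hdev lock, the unlocked window lets it change or go away underneath the call. The added comment explains why the lock is dropped but not why that is safe, so it should state what keeps conn valid across the unlocked span, or the code should pin conn for that span. The visible code after the relock touches only sk, hdev->id and mgmt_op, but anything further down in the function that relies on state read before the unlock deserves a second look. Minor: "recquire" in the added comment should read "reacquire"; as this is the upstream commit queued unchanged for 3.10-stable, that spelling fix belongs upstream rather than in the backport.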