From 6797a3efaed636c6d6befb4c89347ed24fc7aa42 Mon Sep 17 00:00:00 2001
From: Dave Jones
Date: Mar 23 2012 16:18:34 +0000
Subject: Apply patches that should solve the bluetooth use-after-free oopses. (rhbz 806033)
---
diff --git a/bluetooth-use-after-free.patch b/bluetooth-use-after-free.patch
new file mode 100644
index 0000000..0d21cad
--- /dev/null
+++ b/bluetooth-use-after-free.patch
@@ -0,0 +1,105 @@
+From 2a5a5ec620a29d4ba07743c3151cdf0a417c8f8c Mon Sep 17 00:00:00 2001
+From: Andrei Emeltchenko
+Date: Thu, 2 Feb 2012 10:32:18 +0200
+Subject: [PATCH] Bluetooth: Use list _safe deleting from conn chan_list
+
+Fixes possible bug when deleting element from the list in
+function hci_chan_list_flush. list_for_each_entry_rcu is used
+and after deleting element from the list we also free pointer
+and then list_entry_rcu is taken from freed pointer.
+
+Signed-off-by: Andrei Emeltchenko
+Acked-by: Marcel Holtmann
+Signed-off-by: Johan Hedberg
+---
+ net/bluetooth/hci_conn.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index b074bd6..b4ecdde 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -975,10 +975,10 @@ int hci_chan_del(struct hci_chan *chan)
+
+ void hci_chan_list_flush(struct hci_conn *conn)
+ {
+- struct hci_chan *chan;
++ struct hci_chan *chan, *n;
+
+ BT_DBG("conn %p", conn);
+
+- list_for_each_entry_rcu(chan, &conn->chan_list, list)
++ list_for_each_entry_safe(chan, n, &conn->chan_list, list)
+ hci_chan_del(chan);
+ }
+--
+1.7.6.5
+
+From 3c4e0df028935618d052235ba85bc7079be13394 Mon Sep 17 00:00:00 2001
+From: Andrei Emeltchenko
+Date: Thu, 2 Feb 2012 10:32:17 +0200
+Subject: [PATCH] Bluetooth: Use list _safe deleting from conn_hash_list
+
+Use list_for_each_entry_safe which is safe version against removal
+of list entry. Otherwise we remove hci_conn element and reference
+next element which result in accessing LIST_POISON.
+
+[ 95.571834] Bluetooth: unknown link type 127
+[ 95.578349] BUG: unable to handle kernel paging request at 20002000
+[ 95.580236] IP: [<20002000>] 0x20001fff
+[ 95.580763] *pde = 00000000
+[ 95.581196] Oops: 0000 [#1] SMP
+...
+[ 95.582298] Pid: 3355, comm: hciconfig Tainted: G O 3.2.0-VirttualBox
+[ 95.582298] EIP: 0060:[<20002000>] EFLAGS: 00210206 CPU: 0
+[ 95.582298] EIP is at 0x20002000
+...
+[ 95.582298] Call Trace:
+[ 95.582298] [] ? hci_conn_hash_flush+0x76/0xf0 [bluetooth]
+[ 95.582298] [] hci_dev_do_close+0xc1/0x2e0 [bluetooth]
+[ 95.582298] [] ? hci_dev_get+0x69/0xb0 [bluetooth]
+[ 95.582298] [] hci_dev_close+0x2a/0x50 [bluetooth]
+[ 95.582298] [] hci_sock_ioctl+0x1af/0x3f0 [bluetooth]
+[ 95.582298] [] ? handle_pte_fault+0x8a/0x8f0
+[ 95.582298] [] sock_ioctl+0x5f/0x260
+[ 95.582298] [] ? sock_fasync+0x90/0x90
+[ 95.582298] [] do_vfs_ioctl+0x83/0x5b0
+[ 95.582298] [] ? do_page_fault+0x297/0x500
+[ 95.582298] [] ? spurious_fault+0xd0/0xd0
+[ 95.582298] [] ? up_read+0x1b/0x30
+[ 95.582298] [] ? do_page_fault+0x297/0x500
+[ 95.582298] [] ? init_fpu+0xef/0x160
+[ 95.582298] [] ? do_debug+0x180/0x180
+[ 95.582298] [] ? fpu_finit+0x28/0x80
+[ 95.582298] [] sys_ioctl+0x87/0x90
+[ 95.582298] [] sysenter_do_call+0x12/0x38
+...
+
+Signed-off-by: Andrei Emeltchenko
+Acked-by: Marcel Holtmann
+Signed-off-by: Johan Hedberg
+---
+ net/bluetooth/hci_conn.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index aca71c0..b074bd6 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -795,11 +795,11 @@ timer:
+ void hci_conn_hash_flush(struct hci_dev *hdev)
+ {
+ struct hci_conn_hash *h = &hdev->conn_hash;
+- struct hci_conn *c;
++ struct hci_conn *c, *n;
+
+ BT_DBG("hdev %s", hdev->name);
+
+- list_for_each_entry_rcu(c, &h->list, list) {
++ list_for_each_entry_safe(c, n, &h->list, list) {
+ c->state = BT_CLOSED;
+
+ hci_proto_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
+--
+1.7.6.5
+
diff --git a/kernel.spec b/kernel.spec
index 486bb61..1d5433a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -717,6 +717,8 @@ Patch14000: hibernate-freeze-filesystems.patch Patch14010: lis3-improve-handling-of-null-rate.patch +Patch15000: bluetooth-use-after-free.patch + Patch19000: ips-noirq.patch Patch20000: utrace.patch
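Review bot: The `list_for_each_entry_safe` loops added in hci_chan_list_flush and hci_conn_hash_flush only tolerate the loop body removing the element it is currently on: `n` is fetched before the body runs, so a concurrent writer that unlinks or frees `n` while `hci_chan_del(chan)` or `hci_proto_disconn_cfm(...)` executes would still leave the next iteration on a stale pointer. The fix therefore relies on the caller serialising all writers to `conn->chan_list` and `h->list` for the whole flush, which neither hunk shows; a comment at each loop would pin that assumption, e.g. `/* Caller must exclude other writers: _safe only survives removal by this loop body. */`. Separately, the replaced `_rcu` walkers hint that lockless RCU readers of these lists may exist elsewhere; if they do, the synchronous free performed by hci_chan_del (per the commit message) still needs a grace period before the memory is reused, and this patch does not address that. hci_conn_hash_flush continues past the end of its hunk, so how `c` is torn down after `hci_proto_disconn_cfm` is not visible here.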
@@ -1441,6 +1443,8 @@ ApplyPatch hibernate-freeze-filesystems.patch ApplyPatch lis3-improve-handling-of-null-rate.patch +ApplyPatch bluetooth-use-after-free.patch + ApplyPatch ips-noirq.patch # utrace.
@@ -2330,6 +2334,9 @@ fi # '-' | | # '-' %changelog +* Fri Mar 23 2012 Dave Jones +- Apply patches that should solve the bluetooth use-after-free oopses. (rhbz 806033) + * Wed Mar 21 2012 Josh Boyer - Ship hmac file for vmlinuz for FIPS-140 (rhbz 805538)