<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/bluetooth, branch linux-3.9.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Bluetooth: Fix invalid length check in l2cap_information_rsp()</title>
<updated>2013-07-03T17:55:20+00:00</updated>
<author>
<name>Jaganath Kanakkassery</name>
<email>jaganath.k@samsung.com</email>
</author>
<published>2013-06-21T14:25:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b6afd2b6028d419c3743da88fd7c78ef2a6b0c20'/>
<id>b6afd2b6028d419c3743da88fd7c78ef2a6b0c20</id>
<content type='text'>
commit 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 upstream.

The length check is invalid since the length varies with type of
info response.

This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888

Because of this, l2cap info rsp is not handled and command reject is sent.

&gt; ACL data: handle 11 flags 0x02 dlen 16
        L2CAP(s): Info rsp: type 2 result 0
          Extended feature mask 0x00b8
            Enhanced Retransmission mode
            Streaming mode
            FCS Option
            Fixed Channels
&lt; ACL data: handle 11 flags 0x00 dlen 10
        L2CAP(s): Command rej: reason 0
          Command not understood

Signed-off-by: Jaganath Kanakkassery &lt;jaganath.k@samsung.com&gt;
Signed-off-by: Chan-Yeol Park &lt;chanyeol.park@samsung.com&gt;
Acked-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 upstream.

The length check is invalid since the length varies with type of
info response.

This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888

Because of this, l2cap info rsp is not handled and command reject is sent.

&gt; ACL data: handle 11 flags 0x02 dlen 16
        L2CAP(s): Info rsp: type 2 result 0
          Extended feature mask 0x00b8
            Enhanced Retransmission mode
            Streaming mode
            FCS Option
            Fixed Channels
&lt; ACL data: handle 11 flags 0x00 dlen 10
        L2CAP(s): Command rej: reason 0
          Command not understood

Signed-off-by: Jaganath Kanakkassery &lt;jaganath.k@samsung.com&gt;
Signed-off-by: Chan-Yeol Park &lt;chanyeol.park@samsung.com&gt;
Acked-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Fix crash in l2cap_build_cmd() with small MTU</title>
<updated>2013-07-03T17:55:20+00:00</updated>
<author>
<name>Anderson Lizardo</name>
<email>anderson.lizardo@openbossa.org</email>
</author>
<published>2013-06-02T20:30:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c86b176a359383b729fe9740705a6cd0fc0b88a9'/>
<id>c86b176a359383b729fe9740705a6cd0fc0b88a9</id>
<content type='text'>
commit 300b962e5244a1ea010df7e88595faa0085b461d upstream.

If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
controller, memory corruption happens due to a memcpy() call with
negative length.

Fix this crash on either incoming or outgoing connections with a MTU
smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:

[   46.885433] BUG: unable to handle kernel paging request at f56ad000
[   46.888037] IP: [&lt;c03d94cd&gt;] memcpy+0x1d/0x40
[   46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
[   46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
[   46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
[   46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
[   46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[   46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
[   46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
[   46.888037] EIP: 0060:[&lt;c03d94cd&gt;] EFLAGS: 00010212 CPU: 0
[   46.888037] EIP is at memcpy+0x1d/0x40
[   46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
[   46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
[   46.888037]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[   46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
[   46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[   46.888037] DR6: ffff0ff0 DR7: 00000400
[   46.888037] Stack:
[   46.888037]  fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
[   46.888037]  f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
[   46.888037]  f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
[   46.888037] Call Trace:
[   46.888037]  [&lt;f8c6a54c&gt;] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
[   46.888037]  [&lt;f8c69eb2&gt;] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
[   46.888037]  [&lt;f8c6f4c7&gt;] l2cap_connect+0x3f7/0x540 [bluetooth]
[   46.888037]  [&lt;c019b37b&gt;] ? trace_hardirqs_off+0xb/0x10
[   46.888037]  [&lt;c01a0ff8&gt;] ? mark_held_locks+0x68/0x110
[   46.888037]  [&lt;c064ad20&gt;] ? mutex_lock_nested+0x280/0x360
[   46.888037]  [&lt;c064b9d9&gt;] ? __mutex_unlock_slowpath+0xa9/0x150
[   46.888037]  [&lt;c01a118c&gt;] ? trace_hardirqs_on_caller+0xec/0x1b0
[   46.888037]  [&lt;c064ad08&gt;] ? mutex_lock_nested+0x268/0x360
[   46.888037]  [&lt;c01a125b&gt;] ? trace_hardirqs_on+0xb/0x10
[   46.888037]  [&lt;f8c72f8d&gt;] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
[   46.888037]  [&lt;c01a0ff8&gt;] ? mark_held_locks+0x68/0x110
[   46.888037]  [&lt;c064b9d9&gt;] ? __mutex_unlock_slowpath+0xa9/0x150
[   46.888037]  [&lt;c01a118c&gt;] ? trace_hardirqs_on_caller+0xec/0x1b0
[   46.888037]  [&lt;f8c754f1&gt;] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
[   46.888037]  [&lt;f8c491d8&gt;] hci_rx_work+0x518/0x810 [bluetooth]
[   46.888037]  [&lt;f8c48df2&gt;] ? hci_rx_work+0x132/0x810 [bluetooth]
[   46.888037]  [&lt;c0158979&gt;] process_one_work+0x1a9/0x600
[   46.888037]  [&lt;c01588fb&gt;] ? process_one_work+0x12b/0x600
[   46.888037]  [&lt;c015922e&gt;] ? worker_thread+0x19e/0x320
[   46.888037]  [&lt;c015922e&gt;] ? worker_thread+0x19e/0x320
[   46.888037]  [&lt;c0159187&gt;] worker_thread+0xf7/0x320
[   46.888037]  [&lt;c0159090&gt;] ? rescuer_thread+0x290/0x290
[   46.888037]  [&lt;c01602f8&gt;] kthread+0xa8/0xb0
[   46.888037]  [&lt;c0656777&gt;] ret_from_kernel_thread+0x1b/0x28
[   46.888037]  [&lt;c0160250&gt;] ? flush_kthread_worker+0x120/0x120
[   46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 &lt;f3&gt; a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
[   46.888037] EIP: [&lt;c03d94cd&gt;] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
[   46.888037] CR2: 00000000f56ad000
[   46.888037] ---[ end trace 0217c1f4d78714a9 ]---

Signed-off-by: Anderson Lizardo &lt;anderson.lizardo@openbossa.org&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 300b962e5244a1ea010df7e88595faa0085b461d upstream.

If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
controller, memory corruption happens due to a memcpy() call with
negative length.

Fix this crash on either incoming or outgoing connections with a MTU
smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:

[   46.885433] BUG: unable to handle kernel paging request at f56ad000
[   46.888037] IP: [&lt;c03d94cd&gt;] memcpy+0x1d/0x40
[   46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
[   46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
[   46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
[   46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
[   46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[   46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
[   46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
[   46.888037] EIP: 0060:[&lt;c03d94cd&gt;] EFLAGS: 00010212 CPU: 0
[   46.888037] EIP is at memcpy+0x1d/0x40
[   46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
[   46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
[   46.888037]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[   46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
[   46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[   46.888037] DR6: ffff0ff0 DR7: 00000400
[   46.888037] Stack:
[   46.888037]  fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
[   46.888037]  f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
[   46.888037]  f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
[   46.888037] Call Trace:
[   46.888037]  [&lt;f8c6a54c&gt;] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
[   46.888037]  [&lt;f8c69eb2&gt;] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
[   46.888037]  [&lt;f8c6f4c7&gt;] l2cap_connect+0x3f7/0x540 [bluetooth]
[   46.888037]  [&lt;c019b37b&gt;] ? trace_hardirqs_off+0xb/0x10
[   46.888037]  [&lt;c01a0ff8&gt;] ? mark_held_locks+0x68/0x110
[   46.888037]  [&lt;c064ad20&gt;] ? mutex_lock_nested+0x280/0x360
[   46.888037]  [&lt;c064b9d9&gt;] ? __mutex_unlock_slowpath+0xa9/0x150
[   46.888037]  [&lt;c01a118c&gt;] ? trace_hardirqs_on_caller+0xec/0x1b0
[   46.888037]  [&lt;c064ad08&gt;] ? mutex_lock_nested+0x268/0x360
[   46.888037]  [&lt;c01a125b&gt;] ? trace_hardirqs_on+0xb/0x10
[   46.888037]  [&lt;f8c72f8d&gt;] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
[   46.888037]  [&lt;c01a0ff8&gt;] ? mark_held_locks+0x68/0x110
[   46.888037]  [&lt;c064b9d9&gt;] ? __mutex_unlock_slowpath+0xa9/0x150
[   46.888037]  [&lt;c01a118c&gt;] ? trace_hardirqs_on_caller+0xec/0x1b0
[   46.888037]  [&lt;f8c754f1&gt;] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
[   46.888037]  [&lt;f8c491d8&gt;] hci_rx_work+0x518/0x810 [bluetooth]
[   46.888037]  [&lt;f8c48df2&gt;] ? hci_rx_work+0x132/0x810 [bluetooth]
[   46.888037]  [&lt;c0158979&gt;] process_one_work+0x1a9/0x600
[   46.888037]  [&lt;c01588fb&gt;] ? process_one_work+0x12b/0x600
[   46.888037]  [&lt;c015922e&gt;] ? worker_thread+0x19e/0x320
[   46.888037]  [&lt;c015922e&gt;] ? worker_thread+0x19e/0x320
[   46.888037]  [&lt;c0159187&gt;] worker_thread+0xf7/0x320
[   46.888037]  [&lt;c0159090&gt;] ? rescuer_thread+0x290/0x290
[   46.888037]  [&lt;c01602f8&gt;] kthread+0xa8/0xb0
[   46.888037]  [&lt;c0656777&gt;] ret_from_kernel_thread+0x1b/0x28
[   46.888037]  [&lt;c0160250&gt;] ? flush_kthread_worker+0x120/0x120
[   46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 &lt;f3&gt; a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
[   46.888037] EIP: [&lt;c03d94cd&gt;] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
[   46.888037] CR2: 00000000f56ad000
[   46.888037] ---[ end trace 0217c1f4d78714a9 ]---

Signed-off-by: Anderson Lizardo &lt;anderson.lizardo@openbossa.org&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Fix mgmt handling of power on failures</title>
<updated>2013-06-20T19:01:28+00:00</updated>
<author>
<name>Johan Hedberg</name>
<email>johan.hedberg@intel.com</email>
</author>
<published>2013-05-29T06:51:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=15794d484f6404b4794867a0da892c01b20ccf24'/>
<id>15794d484f6404b4794867a0da892c01b20ccf24</id>
<content type='text'>
commit 96570ffcca0b872dc8626e97569d2697f374d868 upstream.

If hci_dev_open fails we need to ensure that the corresponding
mgmt_set_powered command gets an appropriate response. This patch fixes
the missing response by adding a new mgmt_set_powered_failed function
that's used to indicate a power on failure to mgmt. Since a situation
with the device being rfkilled may require special handling in user
space the patch uses a new dedicated mgmt status code for this.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 96570ffcca0b872dc8626e97569d2697f374d868 upstream.

If hci_dev_open fails we need to ensure that the corresponding
mgmt_set_powered command gets an appropriate response. This patch fixes
the missing response by adding a new mgmt_set_powered_failed function
that's used to indicate a power on failure to mgmt. Since a situation
with the device being rfkilled may require special handling in user
space the patch uses a new dedicated mgmt status code for this.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Fix missing length checks for L2CAP signalling PDUs</title>
<updated>2013-06-20T19:01:28+00:00</updated>
<author>
<name>Johan Hedberg</name>
<email>johan.hedberg@intel.com</email>
</author>
<published>2013-05-28T10:46:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=22b74ee1ace2536bb4889c33f1de932d2814376a'/>
<id>22b74ee1ace2536bb4889c33f1de932d2814376a</id>
<content type='text'>
commit cb3b3152b2f5939d67005cff841a1ca748b19888 upstream.

There has been code in place to check that the L2CAP length header
matches the amount of data received, but many PDU handlers have not been
checking that the data received actually matches that expected by the
specific PDU. This patch adds passing the length header to the specific
handler functions and ensures that those functions fail cleanly in the
case of an incorrect amount of data.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cb3b3152b2f5939d67005cff841a1ca748b19888 upstream.

There has been code in place to check that the L2CAP length header
matches the amount of data received, but many PDU handlers have not been
checking that the data received actually matches that expected by the
specific PDU. This patch adds passing the length header to the specific
handler functions and ensures that those functions fail cleanly in the
case of an incorrect amount of data.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg()</title>
<updated>2013-04-07T20:28:01+00:00</updated>
<author>
<name>Mathias Krause</name>
<email>minipli@googlemail.com</email>
</author>
<published>2013-04-07T01:51:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c8c499175f7d295ef867335bceb9a76a2c3cdc38'/>
<id>c8c499175f7d295ef867335bceb9a76a2c3cdc38</id>
<content type='text'>
If the socket is in state BT_CONNECT2 and BT_SK_DEFER_SETUP is set in
the flags, sco_sock_recvmsg() returns early with 0 without updating the
possibly set msg_namelen member. This, in turn, leads to a 128 byte
kernel stack leak in net/socket.c.

Fix this by updating msg_namelen in this case. For all other cases it
will be handled in bt_sock_recvmsg().

Cc: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: Gustavo Padovan &lt;gustavo@padovan.org&gt;
Cc: Johan Hedberg &lt;johan.hedberg@gmail.com&gt;
Signed-off-by: Mathias Krause &lt;minipli@googlemail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If the socket is in state BT_CONNECT2 and BT_SK_DEFER_SETUP is set in
the flags, sco_sock_recvmsg() returns early with 0 without updating the
possibly set msg_namelen member. This, in turn, leads to a 128 byte
kernel stack leak in net/socket.c.

Fix this by updating msg_namelen in this case. For all other cases it
will be handled in bt_sock_recvmsg().

Cc: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: Gustavo Padovan &lt;gustavo@padovan.org&gt;
Cc: Johan Hedberg &lt;johan.hedberg@gmail.com&gt;
Signed-off-by: Mathias Krause &lt;minipli@googlemail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()</title>
<updated>2013-04-07T20:28:00+00:00</updated>
<author>
<name>Mathias Krause</name>
<email>minipli@googlemail.com</email>
</author>
<published>2013-04-07T01:51:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e11e0455c0d7d3d62276a0c55d9dfbc16779d691'/>
<id>e11e0455c0d7d3d62276a0c55d9dfbc16779d691</id>
<content type='text'>
If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
early with 0 without updating the possibly set msg_namelen member. This,
in turn, leads to a 128 byte kernel stack leak in net/socket.c.

Fix this by updating msg_namelen in this case. For all other cases it
will be handled in bt_sock_stream_recvmsg().

Cc: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: Gustavo Padovan &lt;gustavo@padovan.org&gt;
Cc: Johan Hedberg &lt;johan.hedberg@gmail.com&gt;
Signed-off-by: Mathias Krause &lt;minipli@googlemail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
early with 0 without updating the possibly set msg_namelen member. This,
in turn, leads to a 128 byte kernel stack leak in net/socket.c.

Fix this by updating msg_namelen in this case. For all other cases it
will be handled in bt_sock_stream_recvmsg().

Cc: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: Gustavo Padovan &lt;gustavo@padovan.org&gt;
Cc: Johan Hedberg &lt;johan.hedberg@gmail.com&gt;
Signed-off-by: Mathias Krause &lt;minipli@googlemail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: fix possible info leak in bt_sock_recvmsg()</title>
<updated>2013-04-07T20:28:00+00:00</updated>
<author>
<name>Mathias Krause</name>
<email>minipli@googlemail.com</email>
</author>
<published>2013-04-07T01:51:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4683f42fde3977bdb4e8a09622788cc8b5313778'/>
<id>4683f42fde3977bdb4e8a09622788cc8b5313778</id>
<content type='text'>
In case the socket is already shutting down, bt_sock_recvmsg() returns
with 0 without updating msg_namelen leading to net/socket.c leaking the
local, uninitialized sockaddr_storage variable to userland -- 128 bytes
of kernel stack memory.

Fix this by moving the msg_namelen assignment in front of the shutdown
test.

Cc: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: Gustavo Padovan &lt;gustavo@padovan.org&gt;
Cc: Johan Hedberg &lt;johan.hedberg@gmail.com&gt;
Signed-off-by: Mathias Krause &lt;minipli@googlemail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In case the socket is already shutting down, bt_sock_recvmsg() returns
with 0 without updating msg_namelen leading to net/socket.c leaking the
local, uninitialized sockaddr_storage variable to userland -- 128 bytes
of kernel stack memory.

Fix this by moving the msg_namelen assignment in front of the shutdown
test.

Cc: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: Gustavo Padovan &lt;gustavo@padovan.org&gt;
Cc: Johan Hedberg &lt;johan.hedberg@gmail.com&gt;
Signed-off-by: Mathias Krause &lt;minipli@googlemail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth</title>
<updated>2013-03-18T19:17:11+00:00</updated>
<author>
<name>John W. Linville</name>
<email>linville@tuxdriver.com</email>
</author>
<published>2013-03-18T19:17:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8fa48cbdfb0b7c2e39a8f2a46f987afe9b9c0579'/>
<id>8fa48cbdfb0b7c2e39a8f2a46f987afe9b9c0579</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Fix not closing SCO sockets in the BT_CONNECT2 state</title>
<updated>2013-03-14T16:14:21+00:00</updated>
<author>
<name>Vinicius Costa Gomes</name>
<email>vinicius.gomes@openbossa.org</email>
</author>
<published>2013-03-13T22:46:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=eb20ff9c91ddcb2d55c1849a87d3db85af5e88a9'/>
<id>eb20ff9c91ddcb2d55c1849a87d3db85af5e88a9</id>
<content type='text'>
With deferred setup for SCO, it is possible that userspace closes the
socket when it is in the BT_CONNECT2 state, after the Connect Request is
received but before the Accept Synchonous Connection is sent.

If this happens the following crash was observed, when the connection is
terminated:

[  +0.000003] hci_sync_conn_complete_evt: hci0 status 0x10
[  +0.000005] sco_connect_cfm: hcon ffff88003d1bd800 bdaddr 40:98:4e:32:d7:39 status 16
[  +0.000003] sco_conn_del: hcon ffff88003d1bd800 conn ffff88003cc8e300, err 110
[  +0.000015] BUG: unable to handle kernel NULL pointer dereference at 0000000000000199
[  +0.000906] IP: [&lt;ffffffff810620dd&gt;] __lock_acquire+0xed/0xe82
[  +0.000000] PGD 3d21f067 PUD 3d291067 PMD 0
[  +0.000000] Oops: 0002 [#1] SMP
[  +0.000000] Modules linked in: rfcomm bnep btusb bluetooth
[  +0.000000] CPU 0
[  +0.000000] Pid: 1481, comm: kworker/u:2H Not tainted 3.9.0-rc1-25019-gad82cdd #1 Bochs Bochs
[  +0.000000] RIP: 0010:[&lt;ffffffff810620dd&gt;]  [&lt;ffffffff810620dd&gt;] __lock_acquire+0xed/0xe82
[  +0.000000] RSP: 0018:ffff88003c3c19d8  EFLAGS: 00010002
[  +0.000000] RAX: 0000000000000001 RBX: 0000000000000246 RCX: 0000000000000000
[  +0.000000] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003d1be868
[  +0.000000] RBP: ffff88003c3c1a98 R08: 0000000000000002 R09: 0000000000000000
[  +0.000000] R10: ffff88003d1be868 R11: ffff88003e20b000 R12: 0000000000000002
[  +0.000000] R13: ffff88003aaa8000 R14: 000000000000006e R15: ffff88003d1be850
[  +0.000000] FS:  0000000000000000(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000
[  +0.000000] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  +0.000000] CR2: 0000000000000199 CR3: 000000003c1cb000 CR4: 00000000000006b0
[  +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  +0.000000] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  +0.000000] Process kworker/u:2H (pid: 1481, threadinfo ffff88003c3c0000, task ffff88003aaa8000)
[  +0.000000] Stack:
[  +0.000000]  ffffffff81b16342 0000000000000000 0000000000000000 ffff88003d1be868
[  +0.000000]  ffffffff00000000 00018c0c7863e367 000000003c3c1a28 ffffffff8101efbd
[  +0.000000]  0000000000000000 ffff88003e3d2400 ffff88003c3c1a38 ffffffff81007c7a
[  +0.000000] Call Trace:
[  +0.000000]  [&lt;ffffffff8101efbd&gt;] ? kvm_clock_read+0x34/0x3b
[  +0.000000]  [&lt;ffffffff81007c7a&gt;] ? paravirt_sched_clock+0x9/0xd
[  +0.000000]  [&lt;ffffffff81007fd4&gt;] ? sched_clock+0x9/0xb
[  +0.000000]  [&lt;ffffffff8104fd7a&gt;] ? sched_clock_local+0x12/0x75
[  +0.000000]  [&lt;ffffffff810632d1&gt;] lock_acquire+0x93/0xb1
[  +0.000000]  [&lt;ffffffffa0022339&gt;] ? spin_lock+0x9/0xb [bluetooth]
[  +0.000000]  [&lt;ffffffff8105f3d8&gt;] ? lock_release_holdtime.part.22+0x4e/0x55
[  +0.000000]  [&lt;ffffffff814f6038&gt;] _raw_spin_lock+0x40/0x74
[  +0.000000]  [&lt;ffffffffa0022339&gt;] ? spin_lock+0x9/0xb [bluetooth]
[  +0.000000]  [&lt;ffffffff814f6936&gt;] ? _raw_spin_unlock+0x23/0x36
[  +0.000000]  [&lt;ffffffffa0022339&gt;] spin_lock+0x9/0xb [bluetooth]
[  +0.000000]  [&lt;ffffffffa00230cc&gt;] sco_conn_del+0x76/0xbb [bluetooth]
[  +0.000000]  [&lt;ffffffffa002391d&gt;] sco_connect_cfm+0x2da/0x2e9 [bluetooth]
[  +0.000000]  [&lt;ffffffffa000862a&gt;] hci_proto_connect_cfm+0x38/0x65 [bluetooth]
[  +0.000000]  [&lt;ffffffffa0008d30&gt;] hci_sync_conn_complete_evt.isra.79+0x11a/0x13e [bluetooth]
[  +0.000000]  [&lt;ffffffffa000cd96&gt;] hci_event_packet+0x153b/0x239d [bluetooth]
[  +0.000000]  [&lt;ffffffff814f68ff&gt;] ? _raw_spin_unlock_irqrestore+0x48/0x5c
[  +0.000000]  [&lt;ffffffffa00025f6&gt;] hci_rx_work+0xf3/0x2e3 [bluetooth]
[  +0.000000]  [&lt;ffffffff8103efed&gt;] process_one_work+0x1dc/0x30b
[  +0.000000]  [&lt;ffffffff8103ef83&gt;] ? process_one_work+0x172/0x30b
[  +0.000000]  [&lt;ffffffff8103e07f&gt;] ? spin_lock_irq+0x9/0xb
[  +0.000000]  [&lt;ffffffff8103fc8d&gt;] worker_thread+0x123/0x1d2
[  +0.000000]  [&lt;ffffffff8103fb6a&gt;] ? manage_workers+0x240/0x240
[  +0.000000]  [&lt;ffffffff81044211&gt;] kthread+0x9d/0xa5
[  +0.000000]  [&lt;ffffffff81044174&gt;] ? __kthread_parkme+0x60/0x60
[  +0.000000]  [&lt;ffffffff814f75bc&gt;] ret_from_fork+0x7c/0xb0
[  +0.000000]  [&lt;ffffffff81044174&gt;] ? __kthread_parkme+0x60/0x60
[  +0.000000] Code: d7 44 89 8d 50 ff ff ff 4c 89 95 58 ff ff ff e8 44 fc ff ff 44 8b 8d 50 ff ff ff 48 85 c0 4c 8b 95 58 ff ff ff 0f 84 7a 04 00 00 &lt;f0&gt; ff 80 98 01 00 00 83 3d 25 41 a7 00 00 45 8b b5 e8 05 00 00
[  +0.000000] RIP  [&lt;ffffffff810620dd&gt;] __lock_acquire+0xed/0xe82
[  +0.000000]  RSP &lt;ffff88003c3c19d8&gt;
[  +0.000000] CR2: 0000000000000199
[  +0.000000] ---[ end trace e73cd3b52352dd34 ]---

Cc: stable@vger.kernel.org [3.8]
Signed-off-by: Vinicius Costa Gomes &lt;vinicius.gomes@openbossa.org&gt;
Tested-by: Frederic Dalleau &lt;frederic.dalleau@intel.com&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
With deferred setup for SCO, it is possible that userspace closes the
socket when it is in the BT_CONNECT2 state, after the Connect Request is
received but before the Accept Synchonous Connection is sent.

If this happens the following crash was observed, when the connection is
terminated:

[  +0.000003] hci_sync_conn_complete_evt: hci0 status 0x10
[  +0.000005] sco_connect_cfm: hcon ffff88003d1bd800 bdaddr 40:98:4e:32:d7:39 status 16
[  +0.000003] sco_conn_del: hcon ffff88003d1bd800 conn ffff88003cc8e300, err 110
[  +0.000015] BUG: unable to handle kernel NULL pointer dereference at 0000000000000199
[  +0.000906] IP: [&lt;ffffffff810620dd&gt;] __lock_acquire+0xed/0xe82
[  +0.000000] PGD 3d21f067 PUD 3d291067 PMD 0
[  +0.000000] Oops: 0002 [#1] SMP
[  +0.000000] Modules linked in: rfcomm bnep btusb bluetooth
[  +0.000000] CPU 0
[  +0.000000] Pid: 1481, comm: kworker/u:2H Not tainted 3.9.0-rc1-25019-gad82cdd #1 Bochs Bochs
[  +0.000000] RIP: 0010:[&lt;ffffffff810620dd&gt;]  [&lt;ffffffff810620dd&gt;] __lock_acquire+0xed/0xe82
[  +0.000000] RSP: 0018:ffff88003c3c19d8  EFLAGS: 00010002
[  +0.000000] RAX: 0000000000000001 RBX: 0000000000000246 RCX: 0000000000000000
[  +0.000000] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003d1be868
[  +0.000000] RBP: ffff88003c3c1a98 R08: 0000000000000002 R09: 0000000000000000
[  +0.000000] R10: ffff88003d1be868 R11: ffff88003e20b000 R12: 0000000000000002
[  +0.000000] R13: ffff88003aaa8000 R14: 000000000000006e R15: ffff88003d1be850
[  +0.000000] FS:  0000000000000000(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000
[  +0.000000] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  +0.000000] CR2: 0000000000000199 CR3: 000000003c1cb000 CR4: 00000000000006b0
[  +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  +0.000000] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  +0.000000] Process kworker/u:2H (pid: 1481, threadinfo ffff88003c3c0000, task ffff88003aaa8000)
[  +0.000000] Stack:
[  +0.000000]  ffffffff81b16342 0000000000000000 0000000000000000 ffff88003d1be868
[  +0.000000]  ffffffff00000000 00018c0c7863e367 000000003c3c1a28 ffffffff8101efbd
[  +0.000000]  0000000000000000 ffff88003e3d2400 ffff88003c3c1a38 ffffffff81007c7a
[  +0.000000] Call Trace:
[  +0.000000]  [&lt;ffffffff8101efbd&gt;] ? kvm_clock_read+0x34/0x3b
[  +0.000000]  [&lt;ffffffff81007c7a&gt;] ? paravirt_sched_clock+0x9/0xd
[  +0.000000]  [&lt;ffffffff81007fd4&gt;] ? sched_clock+0x9/0xb
[  +0.000000]  [&lt;ffffffff8104fd7a&gt;] ? sched_clock_local+0x12/0x75
[  +0.000000]  [&lt;ffffffff810632d1&gt;] lock_acquire+0x93/0xb1
[  +0.000000]  [&lt;ffffffffa0022339&gt;] ? spin_lock+0x9/0xb [bluetooth]
[  +0.000000]  [&lt;ffffffff8105f3d8&gt;] ? lock_release_holdtime.part.22+0x4e/0x55
[  +0.000000]  [&lt;ffffffff814f6038&gt;] _raw_spin_lock+0x40/0x74
[  +0.000000]  [&lt;ffffffffa0022339&gt;] ? spin_lock+0x9/0xb [bluetooth]
[  +0.000000]  [&lt;ffffffff814f6936&gt;] ? _raw_spin_unlock+0x23/0x36
[  +0.000000]  [&lt;ffffffffa0022339&gt;] spin_lock+0x9/0xb [bluetooth]
[  +0.000000]  [&lt;ffffffffa00230cc&gt;] sco_conn_del+0x76/0xbb [bluetooth]
[  +0.000000]  [&lt;ffffffffa002391d&gt;] sco_connect_cfm+0x2da/0x2e9 [bluetooth]
[  +0.000000]  [&lt;ffffffffa000862a&gt;] hci_proto_connect_cfm+0x38/0x65 [bluetooth]
[  +0.000000]  [&lt;ffffffffa0008d30&gt;] hci_sync_conn_complete_evt.isra.79+0x11a/0x13e [bluetooth]
[  +0.000000]  [&lt;ffffffffa000cd96&gt;] hci_event_packet+0x153b/0x239d [bluetooth]
[  +0.000000]  [&lt;ffffffff814f68ff&gt;] ? _raw_spin_unlock_irqrestore+0x48/0x5c
[  +0.000000]  [&lt;ffffffffa00025f6&gt;] hci_rx_work+0xf3/0x2e3 [bluetooth]
[  +0.000000]  [&lt;ffffffff8103efed&gt;] process_one_work+0x1dc/0x30b
[  +0.000000]  [&lt;ffffffff8103ef83&gt;] ? process_one_work+0x172/0x30b
[  +0.000000]  [&lt;ffffffff8103e07f&gt;] ? spin_lock_irq+0x9/0xb
[  +0.000000]  [&lt;ffffffff8103fc8d&gt;] worker_thread+0x123/0x1d2
[  +0.000000]  [&lt;ffffffff8103fb6a&gt;] ? manage_workers+0x240/0x240
[  +0.000000]  [&lt;ffffffff81044211&gt;] kthread+0x9d/0xa5
[  +0.000000]  [&lt;ffffffff81044174&gt;] ? __kthread_parkme+0x60/0x60
[  +0.000000]  [&lt;ffffffff814f75bc&gt;] ret_from_fork+0x7c/0xb0
[  +0.000000]  [&lt;ffffffff81044174&gt;] ? __kthread_parkme+0x60/0x60
[  +0.000000] Code: d7 44 89 8d 50 ff ff ff 4c 89 95 58 ff ff ff e8 44 fc ff ff 44 8b 8d 50 ff ff ff 48 85 c0 4c 8b 95 58 ff ff ff 0f 84 7a 04 00 00 &lt;f0&gt; ff 80 98 01 00 00 83 3d 25 41 a7 00 00 45 8b b5 e8 05 00 00
[  +0.000000] RIP  [&lt;ffffffff810620dd&gt;] __lock_acquire+0xed/0xe82
[  +0.000000]  RSP &lt;ffff88003c3c19d8&gt;
[  +0.000000] CR2: 0000000000000199
[  +0.000000] ---[ end trace e73cd3b52352dd34 ]---

Cc: stable@vger.kernel.org [3.8]
Signed-off-by: Vinicius Costa Gomes &lt;vinicius.gomes@openbossa.org&gt;
Tested-by: Frederic Dalleau &lt;frederic.dalleau@intel.com&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>hlist: drop the node parameter from iterators</title>
<updated>2013-02-28T03:10:24+00:00</updated>
<author>
<name>Sasha Levin</name>
<email>sasha.levin@oracle.com</email>
</author>
<published>2013-02-28T01:06:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b67bfe0d42cac56c512dd5da4b1b347a23f4b70a'/>
<id>b67bfe0d42cac56c512dd5da4b1b347a23f4b70a</id>
<content type='text'>
I'm not sure why, but the hlist for each entry iterators were conceived

        list_for_each_entry(pos, head, member)

The hlist ones were greedy and wanted an extra parameter:

        hlist_for_each_entry(tpos, pos, head, member)

Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.

Besides the semantic patch, there was some manual work required:

 - Fix up the actual hlist iterators in linux/list.h
 - Fix up the declaration of other iterators based on the hlist ones.
 - A very small amount of places were using the 'node' parameter, this
 was modified to use 'obj-&gt;member' instead.
 - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
 properly, so those had to be fixed up manually.

The semantic patch which is mostly the work of Peter Senna Tschudin is here:

@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;

type T;
expression a,c,d,e;
identifier b;
statement S;
@@

-T b;
    &lt;+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
    ...+&gt;

[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin &lt;peter.senna@gmail.com&gt;
Acked-by: Paul E. McKenney &lt;paulmck@linux.vnet.ibm.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
Cc: Wu Fengguang &lt;fengguang.wu@intel.com&gt;
Cc: Marcelo Tosatti &lt;mtosatti@redhat.com&gt;
Cc: Gleb Natapov &lt;gleb@redhat.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
I'm not sure why, but the hlist for each entry iterators were conceived

        list_for_each_entry(pos, head, member)

The hlist ones were greedy and wanted an extra parameter:

        hlist_for_each_entry(tpos, pos, head, member)

Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.

Besides the semantic patch, there was some manual work required:

 - Fix up the actual hlist iterators in linux/list.h
 - Fix up the declaration of other iterators based on the hlist ones.
 - A very small amount of places were using the 'node' parameter, this
 was modified to use 'obj-&gt;member' instead.
 - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
 properly, so those had to be fixed up manually.

The semantic patch which is mostly the work of Peter Senna Tschudin is here:

@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;

type T;
expression a,c,d,e;
identifier b;
statement S;
@@

-T b;
    &lt;+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
    ...+&gt;

[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin &lt;peter.senna@gmail.com&gt;
Acked-by: Paul E. McKenney &lt;paulmck@linux.vnet.ibm.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
Cc: Wu Fengguang &lt;fengguang.wu@intel.com&gt;
Cc: Marcelo Tosatti &lt;mtosatti@redhat.com&gt;
Cc: Gleb Natapov &lt;gleb@redhat.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
