3.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 26 Oct 2012 20:00:38 +0000 (13:00 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 26 Oct 2012 20:00:38 +0000 (13:00 -0700)
added patches:
sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch
xhci-endianness-xhci_calculate_intel_u2_timeout.patch
xhci-fix-integer-overflow.patch
xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch

queue-3.6/series
queue-3.6/sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch [new file with mode: 0644]
queue-3.6/xhci-endianness-xhci_calculate_intel_u2_timeout.patch [new file with mode: 0644]
queue-3.6/xhci-fix-integer-overflow.patch [new file with mode: 0644]
queue-3.6/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch [new file with mode: 0644]

index 6cbbd4e244ba15e0035c2a5ff894ac752d5cd51b..da7defcd7ac976e89a0597aee7ae8389d297a098 100644 (file)
@@ -18,3 +18,7 @@ revert-sunrpc-ensure-we-close-the-socket-on-epipe-errors-too.patch
 lockd-fix-races-in-nsm_client_get.patch
 sunrpc-prevent-races-in-xs_abort_connection.patch
 lockd-clear-ln-nsm_clnt-only-when-ln-nsm_users-is-zero.patch
+xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
+xhci-fix-integer-overflow.patch
+xhci-endianness-xhci_calculate_intel_u2_timeout.patch
+sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch
diff --git a/queue-3.6/sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch b/queue-3.6/sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch
new file mode 100644 (file)
index 0000000..c175b89
--- /dev/null
@@ -0,0 +1,66 @@
+From 66081a72517a131430dcf986775f3268aafcb546 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Sat, 29 Sep 2012 22:23:19 +0200
+Subject: sysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat()
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+commit 66081a72517a131430dcf986775f3268aafcb546 upstream.
+
+The warning check for duplicate sysfs entries can cause a buffer overflow
+when printing the warning, as strcat() doesn't check buffer sizes.
+Use strlcat() instead.
+
+Since strlcat() doesn't return a pointer to the passed buffer, unlike
+strcat(), I had to convert the nested concatenation in sysfs_add_one() to
+an admittedly more obscure comma operator construct, to avoid emitting code
+for the concatenation if CONFIG_BUG is disabled.
+
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/sysfs/dir.c |   16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/sysfs/dir.c
++++ b/fs/sysfs/dir.c
+@@ -485,20 +485,18 @@ int __sysfs_add_one(struct sysfs_addrm_c
+ /**
+  *    sysfs_pathname - return full path to sysfs dirent
+  *    @sd: sysfs_dirent whose path we want
+- *    @path: caller allocated buffer
++ *    @path: caller allocated buffer of size PATH_MAX
+  *
+  *    Gives the name "/" to the sysfs_root entry; any path returned
+  *    is relative to wherever sysfs is mounted.
+- *
+- *    XXX: does no error checking on @path size
+  */
+ static char *sysfs_pathname(struct sysfs_dirent *sd, char *path)
+ {
+       if (sd->s_parent) {
+               sysfs_pathname(sd->s_parent, path);
+-              strcat(path, "/");
++              strlcat(path, "/", PATH_MAX);
+       }
+-      strcat(path, sd->s_name);
++      strlcat(path, sd->s_name, PATH_MAX);
+       return path;
+ }
+@@ -531,9 +529,11 @@ int sysfs_add_one(struct sysfs_addrm_cxt
+               char *path = kzalloc(PATH_MAX, GFP_KERNEL);
+               WARN(1, KERN_WARNING
+                    "sysfs: cannot create duplicate filename '%s'\n",
+-                   (path == NULL) ? sd->s_name :
+-                   strcat(strcat(sysfs_pathname(acxt->parent_sd, path), "/"),
+-                          sd->s_name));
++                   (path == NULL) ? sd->s_name
++                                  : (sysfs_pathname(acxt->parent_sd, path),
++                                     strlcat(path, "/", PATH_MAX),
++                                     strlcat(path, sd->s_name, PATH_MAX),
++                                     path));
+               kfree(path);
+       }
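Review bot: `sysfs_pathname()` now only appends with `strlcat()`, so it relies on `path` already holding a NUL-terminated (here empty) string, and the updated kernel-doc states the buffer size but not that precondition. The one caller visible in the second inner hunk satisfies it with `kzalloc(PATH_MAX, GFP_KERNEL)`, but nothing in the doc tells a later caller to do the same. I would word the parameter line as `@path: caller allocated, zero-initialised buffer of size PATH_MAX`. The `strlcat()` return values are also discarded in both places, so an over-long path is silently cut short in the warning; a one-line comment saying truncation is acceptable for this diagnostic would make that intent explicit.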
diff --git a/queue-3.6/xhci-endianness-xhci_calculate_intel_u2_timeout.patch b/queue-3.6/xhci-endianness-xhci_calculate_intel_u2_timeout.patch
new file mode 100644 (file)
index 0000000..92fd86a
--- /dev/null
@@ -0,0 +1,34 @@
+From 966e7a854177097083683176ced871558b631a12 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oliver@neukum.org>
+Date: Wed, 17 Oct 2012 12:17:50 +0200
+Subject: xhci: endianness xhci_calculate_intel_u2_timeout
+
+From: Oliver Neukum <oliver@neukum.org>
+
+commit 966e7a854177097083683176ced871558b631a12 upstream.
+
+An le16 is accessed without conversion.
+
+This patch should be backported to kernels as old as 3.5, that contain
+the commit e3567d2c15a7a8e2f992a5f7c7683453ca406d82 "xhci: Add Intel
+U1/U2 timeout policy."
+
+Signed-off-by: Oliver Neukum <oneukum@suse.de>
+Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -4140,7 +4140,7 @@ static u16 xhci_calculate_intel_u2_timeo
+                       (xhci_service_interval_to_ns(desc) > timeout_ns))
+               timeout_ns = xhci_service_interval_to_ns(desc);
+-      u2_del_ns = udev->bos->ss_cap->bU2DevExitLat * 1000;
++      u2_del_ns = le16_to_cpu(udev->bos->ss_cap->bU2DevExitLat) * 1000ULL;
+       if (u2_del_ns > timeout_ns)
+               timeout_ns = u2_del_ns;
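Review bot: The converted line would benefit from a comment saying why the conversion is there, since nothing in the expression itself shows that `bU2DevExitLat` is a little-endian field; something like `/* bU2DevExitLat is __le16 in the descriptor; convert before scaling to ns */`. The value presumably originates from the attached device's descriptor, and this hunk shows no upper bound on it before it replaces `timeout_ns`. The hunk header shows the function returns `u16`, so the narrowing of the final timeout happens below the visible lines and is worth checking for a range test. The function body starts and ends outside the hunk.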
diff --git a/queue-3.6/xhci-fix-integer-overflow.patch b/queue-3.6/xhci-fix-integer-overflow.patch
new file mode 100644 (file)
index 0000000..1d0bda5
--- /dev/null
@@ -0,0 +1,36 @@
+From 16b45fdf9c4e82f5d3bc53aa70737650e7c8d5ed Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oliver@neukum.org>
+Date: Wed, 17 Oct 2012 10:16:16 +0200
+Subject: xhci: fix integer overflow
+
+From: Oliver Neukum <oliver@neukum.org>
+
+commit 16b45fdf9c4e82f5d3bc53aa70737650e7c8d5ed upstream.
+
+xhci_service_interval_to_ns() returns long long
+to avoid an overflow. However, the type cast happens
+too late. The fix is to force ULL from the beginning.
+
+This patch should be backported to kernels as old as 3.5, that contain
+the commit e3567d2c15a7a8e2f992a5f7c7683453ca406d82 "xhci: Add Intel
+U1/U2 timeout policy."
+
+Signed-off-by: Oliver Neukum <oneukum@suse.de>
+Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -4019,7 +4019,7 @@ int xhci_update_device(struct usb_hcd *h
+ static unsigned long long xhci_service_interval_to_ns(
+               struct usb_endpoint_descriptor *desc)
+ {
+-      return (1 << (desc->bInterval - 1)) * 125 * 1000;
++      return (1ULL << (desc->bInterval - 1)) * 125 * 1000;
+ }
+ static u16 xhci_get_timeout_no_hub_lpm(struct usb_device *udev,
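Review bot: Widening the constant to `1ULL` fixes the truncation, but the shift count `desc->bInterval - 1` in `xhci_service_interval_to_ns()` is still unbounded: a `bInterval` of 0 gives a negative count and a value above 64 gives a count at or past the width of `unsigned long long`, both undefined in C. `bInterval` is a descriptor field, so unless every caller guarantees a validated range (not visible in this hunk) the helper should bound it itself, e.g. `unsigned int exp = clamp_val(desc->bInterval, 1, 16) - 1;` followed by `return (1ULL << exp) * 125 * 1000;`. The upper bound of 16 is my assumption for the endpoint types this helper serves and should be confirmed against its callers.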
diff --git a/queue-3.6/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch b/queue-3.6/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
new file mode 100644 (file)
index 0000000..6e4942e
--- /dev/null
@@ -0,0 +1,46 @@
+From 43a09f7fb01fa1e091416a2aa49b6c666458c1ee Mon Sep 17 00:00:00 2001
+From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Date: Tue, 16 Oct 2012 13:17:43 -0700
+Subject: xhci: Fix potential NULL ptr deref in command cancellation.
+
+From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+
+commit 43a09f7fb01fa1e091416a2aa49b6c666458c1ee upstream.
+
+The command cancellation code doesn't check whether find_trb_seg()
+couldn't find the segment that contains the TRB to be canceled.  This
+could cause a NULL pointer deference later in the function when next_trb
+is called.  It's unlikely to happen unless something is wrong with the
+command ring pointers, so add some debugging in case it happens.
+
+This patch should be backported to stable kernels as old as 3.0, that
+contain the commit b63f4053cc8aa22a98e3f9a97845afe6c15d0a0d "xHCI:
+handle command after aborting the command ring".
+
+Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1228,6 +1228,17 @@ static void xhci_cmd_to_noop(struct xhci
+       cur_seg = find_trb_seg(xhci->cmd_ring->first_seg,
+                       xhci->cmd_ring->dequeue, &cycle_state);
++      if (!cur_seg) {
++              xhci_warn(xhci, "Command ring mismatch, dequeue = %p %llx (dma)\n",
++                              xhci->cmd_ring->dequeue,
++                              (unsigned long long)
++                              xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg,
++                                      xhci->cmd_ring->dequeue));
++              xhci_debug_ring(xhci, xhci->cmd_ring);
++              xhci_dbg_ring_ptrs(xhci, xhci->cmd_ring);
++              return;
++      }
++
+       /* find the command trb matched by cd from command ring */
+       for (cmd_trb = xhci->cmd_ring->dequeue;
+                       cmd_trb != xhci->cmd_ring->enqueue;
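Review bot: On the new `!cur_seg` path `xhci_cmd_to_noop()` logs and returns, but the function is `void` (see the hunk header), so the caller cannot learn that the command TRB was left on the ring unconverted. Whether the caller copes with that is outside the hunk; at minimum a comment above the `return;` such as `/* command left as-is; caller is not informed */` would document the gap, and a status return would be the fuller fix. The warning also prints `xhci->cmd_ring->dequeue` with `%p`, which puts a kernel virtual address into the log; `%pK` would honour the kptr_restrict setting. The function body starts before and continues after the hunk.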