3.4-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Mon, 18 Nov 2013 18:32:19 +0000 (10:32 -0800)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Mon, 18 Nov 2013 18:32:19 +0000 (10:32 -0800)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Nov 2013 18:32:19 +0000 (10:32 -0800)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Nov 2013 18:32:19 +0000 (10:32 -0800)
diff --git a/queue-3.4/series b/queue-3.4/series

index e5391e35877827603d42ab1577754f49d32d4770..9a0b50cff30017626809e70f280817c20ccdd748 100644 (file)
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -9,3 +9,4 @@ tracing-fix-potential-out-of-bounds-in-trace_get_user.patch
  arm-7668-1-fix-memset-related-crashes-caused-by-recent-gcc-4.7.2-optimizations.patch
  arm-7670-1-fix-the-memset-fix.patch
  pci-pm-clear-state_saved-during-suspend.patch
+usb-fix-cleanup-after-failure-in-hub_configure.patch
diff --git a/queue-3.4/usb-fix-cleanup-after-failure-in-hub_configure.patch b/queue-3.4/usb-fix-cleanup-after-failure-in-hub_configure.patch

new file mode 100644 (file)

index 0000000..5a03c90
--- /dev/null
+++ b/queue-3.4/usb-fix-cleanup-after-failure-in-hub_configure.patch
@@ -0,0 +1,34 @@
+From d0308d4b6b02597f39fc31a9bddf7bb3faad5622 Mon Sep 17 00:00:00 2001
+From: Krzysztof Mazur <krzysiek@podlesie.net>
+Date: Thu, 22 Aug 2013 14:49:38 +0200
+Subject: usb: fix cleanup after failure in hub_configure()
+
+From: Krzysztof Mazur <krzysiek@podlesie.net>
+
+commit d0308d4b6b02597f39fc31a9bddf7bb3faad5622 upstream.
+
+If the hub_configure() fails after setting the hdev->maxchild
+the hub->ports might be NULL or point to uninitialized kzallocated
+memory causing NULL pointer dereference in hub_quiesce() during cleanup.
+
+Now after such error the hdev->maxchild is set to 0 to avoid cleanup
+of uninitialized ports.
+
+Signed-off-by: Krzysztof Mazur <krzysiek@podlesie.net>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1335,6 +1335,7 @@ static int hub_configure(struct usb_hub
+       return 0;
+ 
+ fail:
++      hdev->maxchild = 0;
+       dev_err (hub_dev, "config failed, %s (err %d)\n",
+                       message, ret);
+       /* hub_disconnect() frees urb and descriptor */
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 18 Nov 2013 18:32:19 +0000 (10:32 -0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 18 Nov 2013 18:32:19 +0000 (10:32 -0800)
queue-3.4/series		patch \| blob \| blame \| history
queue-3.4/usb-fix-cleanup-after-failure-in-hub_configure.patch	[new file with mode: 0644]	patch \| blob