--- /dev/null
+From 43a09f7fb01fa1e091416a2aa49b6c666458c1ee Mon Sep 17 00:00:00 2001
+From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Date: Tue, 16 Oct 2012 13:17:43 -0700
+Subject: xhci: Fix potential NULL ptr deref in command cancellation.
+
+From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+
+commit 43a09f7fb01fa1e091416a2aa49b6c666458c1ee upstream.
+
+The command cancellation code doesn't check whether find_trb_seg()
+couldn't find the segment that contains the TRB to be canceled. This
+could cause a NULL pointer deference later in the function when next_trb
+is called. It's unlikely to happen unless something is wrong with the
+command ring pointers, so add some debugging in case it happens.
+
+This patch should be backported to stable kernels as old as 3.0, that
+contain the commit b63f4053cc8aa22a98e3f9a97845afe6c15d0a0d "xHCI:
+handle command after aborting the command ring".
+
+Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1228,6 +1228,17 @@ static void xhci_cmd_to_noop(struct xhci_hcd *xhci, struct xhci_cd *cur_cd)
+ cur_seg = find_trb_seg(xhci->cmd_ring->first_seg,
+ xhci->cmd_ring->dequeue, &cycle_state);
+
++ if (!cur_seg) {
++ xhci_warn(xhci, "Command ring mismatch, dequeue = %p %llx (dma)\n",
++ xhci->cmd_ring->dequeue,
++ (unsigned long long)
++ xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg,
++ xhci->cmd_ring->dequeue));
++ xhci_debug_ring(xhci, xhci->cmd_ring);
++ xhci_dbg_ring_ptrs(xhci, xhci->cmd_ring);
++ return;
++ }
++
+ /* find the command trb matched by cd from command ring */
+ for (cmd_trb = xhci->cmd_ring->dequeue;
+ cmd_trb != xhci->cmd_ring->enqueue;
projects / thirdparty / kernel / stable-queue.git / commitdiff
