From: Greg Kroah-Hartman Date: Fri, 26 Oct 2012 19:51:26 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.49~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2939acbaeb2ad1985c62443df569850f5e4295f8;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
---
diff --git a/queue-3.4/series b/queue-3.4/series
index a60076de1f6..49956a21be3 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -12,3 +12,4 @@ sunrpc-get-rid-of-the-xs_error_report-socket-callback.patch
 sunrpc-clear-the-connect-flag-when-socket-state-is-tcp_close_wait.patch
 revert-sunrpc-ensure-we-close-the-socket-on-epipe-errors-too.patch
 sunrpc-prevent-races-in-xs_abort_connection.patch
+xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
diff --git a/queue-3.4/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch b/queue-3.4/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
new file mode 100644
index 00000000000..6e4942e01cc
--- /dev/null
+++ b/queue-3.4/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
@@ -0,0 +1,46 @@
+From 43a09f7fb01fa1e091416a2aa49b6c666458c1ee Mon Sep 17 00:00:00 2001
+From: Sarah Sharp
+Date: Tue, 16 Oct 2012 13:17:43 -0700
+Subject: xhci: Fix potential NULL ptr deref in command cancellation.
+
+From: Sarah Sharp
+
+commit 43a09f7fb01fa1e091416a2aa49b6c666458c1ee upstream.
+
+The command cancellation code doesn't check whether find_trb_seg()
+couldn't find the segment that contains the TRB to be canceled. This
+could cause a NULL pointer deference later in the function when next_trb
+is called. It's unlikely to happen unless something is wrong with the
+command ring pointers, so add some debugging in case it happens.
+
+This patch should be backported to stable kernels as old as 3.0, that
+contain the commit b63f4053cc8aa22a98e3f9a97845afe6c15d0a0d "xHCI:
+handle command after aborting the command ring".
+
+Signed-off-by: Sarah Sharp
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-ring.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1228,6 +1228,17 @@ static void xhci_cmd_to_noop(struct xhci
+ cur_seg = find_trb_seg(xhci->cmd_ring->first_seg,
+ xhci->cmd_ring->dequeue, &cycle_state);
+
++ if (!cur_seg) {
++ xhci_warn(xhci, "Command ring mismatch, dequeue = %p %llx (dma)\n",
++ xhci->cmd_ring->dequeue,
++ (unsigned long long)
++ xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg,
++ xhci->cmd_ring->dequeue));
++ xhci_debug_ring(xhci, xhci->cmd_ring);
++ xhci_dbg_ring_ptrs(xhci, xhci->cmd_ring);
++ return;
++ }
++
+ /* find the command trb matched by cd from command ring */
+ for (cmd_trb = xhci->cmd_ring->dequeue;
+ cmd_trb != xhci->cmd_ring->enqueue;
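Review bot: The new `if (!cur_seg)` branch in xhci_cmd_to_noop() leaves through a bare `return` from a void function, so the caller cannot tell "command converted to a no-op" from "command left untouched on an inconsistent ring". What the caller does next is outside this hunk, but if it goes on to release the cancelled command's resources, the still-queued TRB deserves a look. At minimum I would state the outcome above the check, e.g. `/* Ring pointers are inconsistent: the command is NOT converted to a no-op and stays on the ring. */`. Separately, the warning prints `xhci->cmd_ring->dequeue` with `%p` at warn level, which as far as I know is an unhashed kernel virtual address on kernels of this age; the DMA address already on that line is probably enough for triage. The function body starts before and continues after the lines shown.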