From: Greg Kroah-Hartman Date: Sun, 28 Oct 2012 17:08:10 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.4.16~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6b0cad8706b4dac7a9ef48fdebc8acd25bf876e7;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
---
diff --git a/queue-3.0/series b/queue-3.0/series
index 9c43004cae7..cba6802f5e7 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -22,3 +22,4 @@ usb-mos7840-fix-urb-leak-at-release.patch
 usb-mos7840-fix-port-device-leak-in-error-path.patch
 usb-mos7840-remove-null-urb-submission.patch
 usb-mos7840-remove-invalid-disconnect-handling.patch
+xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
diff --git a/queue-3.0/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch b/queue-3.0/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
new file mode 100644
index 00000000000..4a1533d1c47
--- /dev/null
+++ b/queue-3.0/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
@@ -0,0 +1,46 @@
+From 43a09f7fb01fa1e091416a2aa49b6c666458c1ee Mon Sep 17 00:00:00 2001
+From: Sarah Sharp
+Date: Tue, 16 Oct 2012 13:17:43 -0700
+Subject: xhci: Fix potential NULL ptr deref in command cancellation.
+
+From: Sarah Sharp
+
+commit 43a09f7fb01fa1e091416a2aa49b6c666458c1ee upstream.
+
+The command cancellation code doesn't check whether find_trb_seg()
+couldn't find the segment that contains the TRB to be canceled. This
+could cause a NULL pointer deference later in the function when next_trb
+is called. It's unlikely to happen unless something is wrong with the
+command ring pointers, so add some debugging in case it happens.
+
+This patch should be backported to stable kernels as old as 3.0, that
+contain the commit b63f4053cc8aa22a98e3f9a97845afe6c15d0a0d "xHCI:
+handle command after aborting the command ring".
+
+Signed-off-by: Sarah Sharp
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-ring.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1215,6 +1215,17 @@ static void xhci_cmd_to_noop(struct xhci
+ cur_seg = find_trb_seg(xhci->cmd_ring->first_seg,
+ xhci->cmd_ring->dequeue, &cycle_state);
+
++ if (!cur_seg) {
++ xhci_warn(xhci, "Command ring mismatch, dequeue = %p %llx (dma)\n",
++ xhci->cmd_ring->dequeue,
++ (unsigned long long)
++ xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg,
++ xhci->cmd_ring->dequeue));
++ xhci_debug_ring(xhci, xhci->cmd_ring);
++ xhci_dbg_ring_ptrs(xhci, xhci->cmd_ring);
++ return;
++ }
++
+ /* find the command trb matched by cd from command ring */
+ for (cmd_trb = xhci->cmd_ring->dequeue;
+ cmd_trb != xhci->cmd_ring->enqueue;
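Review bot: The new `if (!cur_seg)` branch returns before the loop that looks up the command TRB, so on a ring mismatch nothing is cancelled, and because xhci_cmd_to_noop() is `static void` its caller cannot tell that the TRB was left live on the command ring. The function starts and ends outside the hunk and the caller is not shown, but if the caller then releases or reuses the cancelled command, a later completion for that TRB could act on stale state. I would at least document the contract above the branch, e.g. `/* Ring pointers inconsistent: the TRB is NOT turned into a no-op; callers must not assume the command was cancelled. */`, or have the function return a status the caller can check. Separately, the `%p` in the xhci_warn() call writes a kernel virtual address to the log at warning level (as far as I know `%p` is not hashed on the 3.0 series); the DMA address printed beside it may be enough to locate the TRB.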