From: Greg Kroah-Hartman Date: Fri, 26 Oct 2012 20:00:38 +0000 (-0700) Subject: 3.6-stable patches X-Git-Tag: v3.0.49~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=71b913ba912b72a4e182bc852c8bc6b375e082e1;p=thirdparty%2Fkernel%2Fstable-queue.git 3.6-stable patches added patches: sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch xhci-endianness-xhci_calculate_intel_u2_timeout.patch xhci-fix-integer-overflow.patch xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
---
diff --git a/queue-3.6/series b/queue-3.6/series
index 6cbbd4e244b..da7defcd7ac 100644
--- a/queue-3.6/series
+++ b/queue-3.6/series
@@ -18,3 +18,7 @@ revert-sunrpc-ensure-we-close-the-socket-on-epipe-errors-too.patch
 lockd-fix-races-in-nsm_client_get.patch
 sunrpc-prevent-races-in-xs_abort_connection.patch
 lockd-clear-ln-nsm_clnt-only-when-ln-nsm_users-is-zero.patch
+xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
+xhci-fix-integer-overflow.patch
+xhci-endianness-xhci_calculate_intel_u2_timeout.patch
+sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch
diff --git a/queue-3.6/sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch b/queue-3.6/sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch
new file mode 100644
index 00000000000..c175b897f8a
--- /dev/null
+++ b/queue-3.6/sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch
@@ -0,0 +1,66 @@
+From 66081a72517a131430dcf986775f3268aafcb546 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Sat, 29 Sep 2012 22:23:19 +0200
+Subject: sysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat()
+
+From: Geert Uytterhoeven
+
+commit 66081a72517a131430dcf986775f3268aafcb546 upstream.
+
+The warning check for duplicate sysfs entries can cause a buffer overflow
+when printing the warning, as strcat() doesn't check buffer sizes.
+Use strlcat() instead.
+
+Since strlcat() doesn't return a pointer to the passed buffer, unlike
+strcat(), I had to convert the nested concatenation in sysfs_add_one() to
+an admittedly more obscure comma operator construct, to avoid emitting code
+for the concatenation if CONFIG_BUG is disabled.
+
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/sysfs/dir.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/sysfs/dir.c
++++ b/fs/sysfs/dir.c
+@@ -485,20 +485,18 @@ int __sysfs_add_one(struct sysfs_addrm_c
+ /**
+ * sysfs_pathname - return full path to sysfs dirent
+ * @sd: sysfs_dirent whose path we want
+- * @path: caller allocated buffer
++ * @path: caller allocated buffer of size PATH_MAX
+ *
+ * Gives the name "/" to the sysfs_root entry; any path returned
+ * is relative to wherever sysfs is mounted.
+- *
+- * XXX: does no error checking on @path size
+ */
+ static char *sysfs_pathname(struct sysfs_dirent *sd, char *path)
+ {
+ if (sd->s_parent) {
+ sysfs_pathname(sd->s_parent, path);
+- strcat(path, "/");
++ strlcat(path, "/", PATH_MAX);
+ }
+- strcat(path, sd->s_name);
++ strlcat(path, sd->s_name, PATH_MAX);
+ return path;
+ }
+
+@@ -531,9 +529,11 @@ int sysfs_add_one(struct sysfs_addrm_cxt
+ char *path = kzalloc(PATH_MAX, GFP_KERNEL);
+ WARN(1, KERN_WARNING
+ "sysfs: cannot create duplicate filename '%s'\n",
+- (path == NULL) ? sd->s_name :
+- strcat(strcat(sysfs_pathname(acxt->parent_sd, path), "/"),
+- sd->s_name));
++ (path == NULL) ? sd->s_name
++ : (sysfs_pathname(acxt->parent_sd, path),
++ strlcat(path, "/", PATH_MAX),
++ strlcat(path, sd->s_name, PATH_MAX),
++ path));
+ kfree(path);
+ }
+
diff --git a/queue-3.6/xhci-endianness-xhci_calculate_intel_u2_timeout.patch b/queue-3.6/xhci-endianness-xhci_calculate_intel_u2_timeout.patch
new file mode 100644
index 00000000000..92fd86ae967
--- /dev/null
+++ b/queue-3.6/xhci-endianness-xhci_calculate_intel_u2_timeout.patch
@@ -0,0 +1,34 @@
+From 966e7a854177097083683176ced871558b631a12 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Wed, 17 Oct 2012 12:17:50 +0200
+Subject: xhci: endianness xhci_calculate_intel_u2_timeout
+
+From: Oliver Neukum
+
+commit 966e7a854177097083683176ced871558b631a12 upstream.
+
+An le16 is accessed without conversion.
+
+This patch should be backported to kernels as old as 3.5, that contain
+the commit e3567d2c15a7a8e2f992a5f7c7683453ca406d82 "xhci: Add Intel
+U1/U2 timeout policy."
+
+Signed-off-by: Oliver Neukum
+Signed-off-by: Sarah Sharp
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -4140,7 +4140,7 @@ static u16 xhci_calculate_intel_u2_timeo
+ (xhci_service_interval_to_ns(desc) > timeout_ns))
+ timeout_ns = xhci_service_interval_to_ns(desc);
+
+- u2_del_ns = udev->bos->ss_cap->bU2DevExitLat * 1000;
++ u2_del_ns = le16_to_cpu(udev->bos->ss_cap->bU2DevExitLat) * 1000ULL;
+ if (u2_del_ns > timeout_ns)
+ timeout_ns = u2_del_ns;
+
diff --git a/queue-3.6/xhci-fix-integer-overflow.patch b/queue-3.6/xhci-fix-integer-overflow.patch
new file mode 100644
index 00000000000..1d0bda5e6d4
--- /dev/null
+++ b/queue-3.6/xhci-fix-integer-overflow.patch
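Review bot: In queue-3.6/sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch, the updated kernel-doc for `sysfs_pathname()` gives the buffer size but not the requirement that the buffer already holds a NUL-terminated string on entry. The function only appends with `strlcat()`, and the one caller visible here, `sysfs_add_one()`, satisfies this through `kzalloc()`. I would write `@path: caller allocated, zero-initialised buffer of size PATH_MAX` and add a sentence that a path longer than PATH_MAX - 1 bytes is silently truncated, since no `strlcat()` return value is checked. Truncation is acceptable for a warning message, but the contract should say so for any later caller. Both functions continue outside the quoted hunks.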
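Review bot: In queue-3.6/xhci-endianness-xhci_calculate_intel_u2_timeout.patch, the converted `u2_del_ns` assignment has no comment explaining the byte-order conversion or the unit change, and the field's `b` prefix reads like a single byte although the commit message says it is an le16. A comment such as `/* bU2DevExitLat: device-supplied le16, in microseconds per the ns conversion below */` above the line would make both explicit. The function starts and ends outside the hunk, so whether `udev->bos` and `ss_cap` are checked for NULL before this dereference cannot be confirmed from here. If the field is declared `__le16`, a sparse run with endian checking enabled should flag any remaining unconverted reads of it.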
@@ -0,0 +1,36 @@
+From 16b45fdf9c4e82f5d3bc53aa70737650e7c8d5ed Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Wed, 17 Oct 2012 10:16:16 +0200
+Subject: xhci: fix integer overflow
+
+From: Oliver Neukum
+
+commit 16b45fdf9c4e82f5d3bc53aa70737650e7c8d5ed upstream.
+
+xhci_service_interval_to_ns() returns long long
+to avoid an overflow. However, the type cast happens
+too late. The fix is to force ULL from the beginning.
+
+This patch should be backported to kernels as old as 3.5, that contain
+the commit e3567d2c15a7a8e2f992a5f7c7683453ca406d82 "xhci: Add Intel
+U1/U2 timeout policy."
+
+Signed-off-by: Oliver Neukum
+Signed-off-by: Sarah Sharp
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -4019,7 +4019,7 @@ int xhci_update_device(struct usb_hcd *h
+ static unsigned long long xhci_service_interval_to_ns(
+ struct usb_endpoint_descriptor *desc)
+ {
+- return (1 << (desc->bInterval - 1)) * 125 * 1000;
++ return (1ULL << (desc->bInterval - 1)) * 125 * 1000;
+ }
+
+ static u16 xhci_get_timeout_no_hub_lpm(struct usb_device *udev,
diff --git a/queue-3.6/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch b/queue-3.6/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
new file mode 100644
index 00000000000..6e4942e01cc
--- /dev/null
+++ b/queue-3.6/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
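Review bot: In queue-3.6/xhci-fix-integer-overflow.patch, the shift count `desc->bInterval - 1` in `xhci_service_interval_to_ns()` is still taken unchecked from an endpoint descriptor, which the attached device supplies. A `bInterval` of 0 gives a negative shift count and a value above 64 shifts past the width of `unsigned long long`; both are undefined behaviour in C, and widening the constant to `1ULL` does not change that. Unless the USB core has already clamped the field for every endpoint type that reaches this helper (not visible in this hunk), I would bound it locally to the 1–16 range the USB specification allows for high-speed and SuperSpeed periodic endpoints: `unsigned int exp = clamp_val(desc->bInterval, 1, 16) - 1;` followed by `return (1ULL << exp) * 125 * 1000;`.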
@@ -0,0 +1,46 @@
+From 43a09f7fb01fa1e091416a2aa49b6c666458c1ee Mon Sep 17 00:00:00 2001
+From: Sarah Sharp
+Date: Tue, 16 Oct 2012 13:17:43 -0700
+Subject: xhci: Fix potential NULL ptr deref in command cancellation.
+
+From: Sarah Sharp
+
+commit 43a09f7fb01fa1e091416a2aa49b6c666458c1ee upstream.
+
+The command cancellation code doesn't check whether find_trb_seg()
+couldn't find the segment that contains the TRB to be canceled. This
+could cause a NULL pointer deference later in the function when next_trb
+is called. It's unlikely to happen unless something is wrong with the
+command ring pointers, so add some debugging in case it happens.
+
+This patch should be backported to stable kernels as old as 3.0, that
+contain the commit b63f4053cc8aa22a98e3f9a97845afe6c15d0a0d "xHCI:
+handle command after aborting the command ring".
+
+Signed-off-by: Sarah Sharp
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-ring.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1228,6 +1228,17 @@ static void xhci_cmd_to_noop(struct xhci
+ cur_seg = find_trb_seg(xhci->cmd_ring->first_seg,
+ xhci->cmd_ring->dequeue, &cycle_state);
+
++ if (!cur_seg) {
++ xhci_warn(xhci, "Command ring mismatch, dequeue = %p %llx (dma)\n",
++ xhci->cmd_ring->dequeue,
++ (unsigned long long)
++ xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg,
++ xhci->cmd_ring->dequeue));
++ xhci_debug_ring(xhci, xhci->cmd_ring);
++ xhci_dbg_ring_ptrs(xhci, xhci->cmd_ring);
++ return;
++ }
++
+ /* find the command trb matched by cd from command ring */
+ for (cmd_trb = xhci->cmd_ring->dequeue;
+ cmd_trb != xhci->cmd_ring->enqueue;
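Review bot: In queue-3.6/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch, the new `if (!cur_seg)` branch returns from a `void` function, so the caller of `xhci_cmd_to_noop()` cannot tell that the command TRB was left on the ring unmodified. A comment at the `return`, for example `/* ring pointers inconsistent: the command is left as-is, not turned into a no-op */`, would record that consequence. The warning also formats `xhci->cmd_ring->dequeue` with `%p`, which on this kernel series writes a kernel virtual address to the log at warning level; the DMA address printed on the same line already identifies the TRB, so I would use `%pK` or drop the pointer argument. The function's start and end lie outside the hunk, so how callers behave after this early return is not visible here.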