From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 18 Nov 2013 18:32:19 +0000 (-0800)
Subject: 3.4-stable patches
X-Git-Tag: v3.4.70~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7b04199776bd378d962e43c666bc695c3b52b776;p=thirdparty%2Fkernel%2Fstable-queue.git

3.4-stable patches

added patches:
	usb-fix-cleanup-after-failure-in-hub_configure.patch
---

diff --git a/queue-3.4/series b/queue-3.4/series
index e5391e35877..9a0b50cff30 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -9,3 +9,4 @@ tracing-fix-potential-out-of-bounds-in-trace_get_user.patch
 arm-7668-1-fix-memset-related-crashes-caused-by-recent-gcc-4.7.2-optimizations.patch
 arm-7670-1-fix-the-memset-fix.patch
 pci-pm-clear-state_saved-during-suspend.patch
+usb-fix-cleanup-after-failure-in-hub_configure.patch
diff --git a/queue-3.4/usb-fix-cleanup-after-failure-in-hub_configure.patch b/queue-3.4/usb-fix-cleanup-after-failure-in-hub_configure.patch
new file mode 100644
index 00000000000..5a03c908a09
--- /dev/null
+++ b/queue-3.4/usb-fix-cleanup-after-failure-in-hub_configure.patch
@@ -0,0 +1,34 @@
+From d0308d4b6b02597f39fc31a9bddf7bb3faad5622 Mon Sep 17 00:00:00 2001
+From: Krzysztof Mazur <krzysiek@podlesie.net>
+Date: Thu, 22 Aug 2013 14:49:38 +0200
+Subject: usb: fix cleanup after failure in hub_configure()
+
+From: Krzysztof Mazur <krzysiek@podlesie.net>
+
+commit d0308d4b6b02597f39fc31a9bddf7bb3faad5622 upstream.
+
+If the hub_configure() fails after setting the hdev->maxchild
+the hub->ports might be NULL or point to uninitialized kzallocated
+memory causing NULL pointer dereference in hub_quiesce() during cleanup.
+
+Now after such error the hdev->maxchild is set to 0 to avoid cleanup
+of uninitialized ports.
+
+Signed-off-by: Krzysztof Mazur <krzysiek@podlesie.net>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1335,6 +1335,7 @@ static int hub_configure(struct usb_hub
+ 	return 0;
+ 
+ fail:
++	hdev->maxchild = 0;
+ 	dev_err (hub_dev, "config failed, %s (err %d)\n",
+ 			message, ret);
+ 	/* hub_disconnect() frees urb and descriptor */