From: Greg Kroah-Hartman Date: Fri, 6 Dec 2013 17:48:35 +0000 (-0800) Subject: 3.4-stable patches X-Git-Tag: v3.4.73~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a78b5aebad2b3945b246a48d9503826a1f013c5e;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: hid-picolcd_core-validate-output-report-details.patch mmc-block-fix-a-bug-of-error-handling-in-mmc-driver.patch
---
diff --git a/queue-3.4/hid-picolcd_core-validate-output-report-details.patch b/queue-3.4/hid-picolcd_core-validate-output-report-details.patch
new file mode 100644
index 00000000000..1b411a5eff1
--- /dev/null
+++ b/queue-3.4/hid-picolcd_core-validate-output-report-details.patch
@@ -0,0 +1,48 @@
+From 1e87a2456b0227ca4ab881e19a11bb99d164e792 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 28 Aug 2013 22:31:52 +0200
+Subject: HID: picolcd_core: validate output report details
+
+From: Kees Cook
+
+commit 1e87a2456b0227ca4ab881e19a11bb99d164e792 upstream.
+
+A HID device could send a malicious output report that would cause the
+picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+[jkosina@suse.cz: changed
+
+ report->maxfield < 1
+
+to
+
+ report->maxfield != 1
+
+as suggested by Bruno].
+
+CVE-2013-2899
+
+Signed-off-by: Kees Cook
+Cc: stable@kernel.org
+Reviewed-by: Bruno Prémont
+Acked-by: Bruno Prémont
+Signed-off-by: Jiri Kosina
+[Kefeng: backported to stable 3.4: adjust filename]
+Signed-off-by: Kefeng Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-picolcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-picolcd.c
++++ b/drivers/hid/hid-picolcd.c
+@@ -1424,7 +1424,7 @@ static ssize_t picolcd_operation_mode_st
+ buf += 10;
+ cnt -= 10;
+ }
+- if (!report)
++ if (!report || report->maxfield != 1)
+ return -EINVAL;
+
+ while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
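Review bot: The new `report->maxfield != 1` test in picolcd_operation_mode_store carries no comment saying why a report described by the device must have exactly one field, and the hunk does not show the later use of the report, so a reader cannot tell what the check protects. I would add above it something like `/* report layout comes from the device's descriptor; reject anything but the single field the code below expects */`. If the rest of the function writes fixed value indices into that field, its `report_count` is device-controlled as well and is not checked here; that may already be bounds-checked by the setter, which is outside this hunk. The function body starts before and continues after the hunk.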
diff --git a/queue-3.4/mmc-block-fix-a-bug-of-error-handling-in-mmc-driver.patch b/queue-3.4/mmc-block-fix-a-bug-of-error-handling-in-mmc-driver.patch
new file mode 100644
index 00000000000..11e33ea4cc5
--- /dev/null
+++ b/queue-3.4/mmc-block-fix-a-bug-of-error-handling-in-mmc-driver.patch
@@ -0,0 +1,137 @@
+From c8760069627ad3b0dbbea170f0c4c58b16e18d3d Mon Sep 17 00:00:00 2001
+From: KOBAYASHI Yoshitake
+Date: Sun, 7 Jul 2013 07:35:45 +0900
+Subject: mmc: block: fix a bug of error handling in MMC driver
+
+From: KOBAYASHI Yoshitake
+
+commit c8760069627ad3b0dbbea170f0c4c58b16e18d3d upstream.
+
+Current MMC driver doesn't handle generic error (bit19 of device
+status) in write sequence. As a result, write data gets lost when
+generic error occurs. For example, a generic error when updating a
+filesystem management information causes a loss of write data and
+corrupts the filesystem. In the worst case, the system will never
+boot.
+
+This patch includes the following functionality:
+ 1. To enable error checking for the response of CMD12 and CMD13
+ in write command sequence
+ 2. To retry write sequence when a generic error occurs
+
+Messages are added for v2 to show what occurs.
+
+Signed-off-by: KOBAYASHI Yoshitake
+Signed-off-by: Chris Ball
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/mmc/card/block.c | 47 ++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 44 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/card/block.c
++++ b/drivers/mmc/card/block.c
+@@ -701,7 +701,7 @@ static int mmc_blk_cmd_error(struct requ
+ * Otherwise we don't understand what happened, so abort.
+ */
+ static int mmc_blk_cmd_recovery(struct mmc_card *card, struct request *req,
+- struct mmc_blk_request *brq, int *ecc_err)
++ struct mmc_blk_request *brq, int *ecc_err, int *gen_err)
+ {
+ bool prev_cmd_status_valid = true;
+ u32 status, stop_status = 0;
+@@ -739,6 +739,16 @@ static int mmc_blk_cmd_recovery(struct m
+ (brq->cmd.resp[0] & R1_CARD_ECC_FAILED))
+ *ecc_err = 1;
+
++ /* Flag General errors */
++ if (!mmc_host_is_spi(card->host) && rq_data_dir(req) != READ)
++ if ((status & R1_ERROR) ||
++ (brq->stop.resp[0] & R1_ERROR)) {
++ pr_err("%s: %s: general error sending stop or status command, stop cmd response %#x, card status %#x\n",
++ req->rq_disk->disk_name, __func__,
++ brq->stop.resp[0], status);
++ *gen_err = 1;
++ }
++
+ /*
+ * Check the current card state. If it is in some data transfer
+ * mode, tell it to stop (and hopefully transition back to TRAN.)
+@@ -758,6 +768,13 @@ static int mmc_blk_cmd_recovery(struct m
+ return ERR_ABORT;
+ if (stop_status & R1_CARD_ECC_FAILED)
+ *ecc_err = 1;
++ if (!mmc_host_is_spi(card->host) && rq_data_dir(req) != READ)
++ if (stop_status & R1_ERROR) {
++ pr_err("%s: %s: general error sending stop command, stop cmd response %#x\n",
++ req->rq_disk->disk_name, __func__,
++ stop_status);
++ *gen_err = 1;
++ }
+ }
+
+ /* Check for set block count errors */
+@@ -1007,7 +1024,7 @@ static int mmc_blk_err_check(struct mmc_
+ mmc_active);
+ struct mmc_blk_request *brq = &mq_mrq->brq;
+ struct request *req = mq_mrq->req;
+- int ecc_err = 0;
++ int ecc_err = 0, gen_err = 0;
+
+ /*
+ * sbc.error indicates a problem with the set block count
+@@ -1021,7 +1038,7 @@ static int mmc_blk_err_check(struct mmc_
+ */
+ if (brq->sbc.error || brq->cmd.error || brq->stop.error ||
+ brq->data.error) {
+- switch (mmc_blk_cmd_recovery(card, req, brq, &ecc_err)) {
++ switch (mmc_blk_cmd_recovery(card, req, brq, &ecc_err, &gen_err)) {
+ case ERR_RETRY:
+ return MMC_BLK_RETRY;
+ case ERR_ABORT:
+@@ -1051,6 +1068,15 @@ static int mmc_blk_err_check(struct mmc_
+ */
+ if (!mmc_host_is_spi(card->host) && rq_data_dir(req) != READ) {
+ u32 status;
++
++ /* Check stop command response */
++ if (brq->stop.resp[0] & R1_ERROR) {
++ pr_err("%s: %s: general error sending stop command, stop cmd response %#x\n",
++ req->rq_disk->disk_name, __func__,
++ brq->stop.resp[0]);
++ gen_err = 1;
++ }
++
+ do {
+ int err = get_card_status(card, &status, 5);
+ if (err) {
+@@ -1058,6 +1084,14 @@ static int mmc_blk_err_check(struct mmc_
+ req->rq_disk->disk_name, err);
+ return MMC_BLK_CMD_ERR;
+ }
++
++ if (status & R1_ERROR) {
++ pr_err("%s: %s: general error sending status command, card status %#x\n",
++ req->rq_disk->disk_name, __func__,
++ status);
++ gen_err = 1;
++ }
++
+ /*
+ * Some cards mishandle the status bits,
+ * so make sure to check both the busy
+@@ -1067,6 +1101,13 @@ static int mmc_blk_err_check(struct mmc_
+ (R1_CURRENT_STATE(status) == R1_STATE_PRG));
+ }
+
++ /* if general error occurs, retry the write operation. */
++ if (gen_err) {
++ pr_warning("%s: retrying write for general error\n",
++ req->rq_disk->disk_name);
++ return MMC_BLK_RETRY;
++ }
++
+ if (brq->data.error) {
+ pr_err("%s: error %d transferring data, sector %u, nr %u, cmd response %#x, card status %#x\n",
+ req->rq_disk->disk_name, brq->data.error,
diff --git a/queue-3.4/series b/queue-3.4/series
index b0365b64111..c2dfa6859f9 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -22,3 +22,5 @@ net-update-consumers-of-msg_more-to-recognize-msg_sendpage_notlast.patch
 inet-fix-possible-seqlock-deadlocks.patch
 ipv6-fix-possible-seqlock-deadlock-in-ip6_finish_output2.patch
 pktgen-xfrm-update-ipv4-header-total-len-and-checksum-after-tranformation.patch
+hid-picolcd_core-validate-output-report-details.patch
+mmc-block-fix-a-bug-of-error-handling-in-mmc-driver.patch
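Review bot: In the two mmc_blk_cmd_recovery hunks of drivers/mmc/card/block.c (`@@ -739` and `@@ -758`) the added outer `if (!mmc_host_is_spi(card->host) && rq_data_dir(req) != READ)` has no braces while the inner `if` it guards is a braced multi-line block, which is easy to misread and easy to break on a later edit. Folding the tests into one condition, e.g. `if (!mmc_host_is_spi(card->host) && rq_data_dir(req) != READ && (stop_status & R1_ERROR)) {`, keeps the behaviour and removes the nesting. Separately, in mmc_blk_err_check the `pr_err` for `status & R1_ERROR` sits inside the status polling loop, so a card that keeps reporting the bit would log once per poll; the loop's exit condition is only partly visible here, so whether that can repeat without bound should be confirmed. How often `MMC_BLK_RETRY` is honoured for a general error is decided by the caller, outside this diff.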