From: Greg Kroah-Hartman Date: Fri, 26 Oct 2012 19:50:39 +0000 (-0700) Subject: delay-3.0 - patches to commit after the next release, before the cycle after that X-Git-Tag: v3.0.49~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bd6c87686b0d6046cb5c5b00e8e762cff95a9e9d;p=thirdparty%2Fkernel%2Fstable-queue.git delay-3.0 - patches to commit after the next release, before the cycle after that
---
diff --git a/delay-3.0/series b/delay-3.0/series
new file mode 100644
index 00000000000..59ac97a61ed
--- /dev/null
+++ b/delay-3.0/series
@@ -0,0 +1 @@
+xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
diff --git a/delay-3.0/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch b/delay-3.0/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
new file mode 100644
index 00000000000..28e5008b6c8
--- /dev/null
+++ b/delay-3.0/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
@@ -0,0 +1,42 @@
+From 43a09f7fb01fa1e091416a2aa49b6c666458c1ee Mon Sep 17 00:00:00 2001
+From: Sarah Sharp
+Date: Tue, 16 Oct 2012 13:17:43 -0700
+Subject: xhci: Fix potential NULL ptr deref in command cancellation.
+
+From: Sarah Sharp
+
+commit 43a09f7fb01fa1e091416a2aa49b6c666458c1ee upstream.
+
+The command cancellation code doesn't check whether find_trb_seg()
+couldn't find the segment that contains the TRB to be canceled. This
+could cause a NULL pointer deference later in the function when next_trb
+is called. It's unlikely to happen unless something is wrong with the
+command ring pointers, so add some debugging in case it happens.
+
+This patch should be backported to stable kernels as old as 3.0, that
+contain the commit b63f4053cc8aa22a98e3f9a97845afe6c15d0a0d "xHCI:
+handle command after aborting the command ring".
+
+Signed-off-by: Sarah Sharp
+Signed-off-by: Greg Kroah-Hartman
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1228,6 +1228,17 @@ static void xhci_cmd_to_noop(struct xhci_hcd *xhci, struct xhci_cd *cur_cd)
+ cur_seg = find_trb_seg(xhci->cmd_ring->first_seg,
+ xhci->cmd_ring->dequeue, &cycle_state);
+
++ if (!cur_seg) {
++ xhci_warn(xhci, "Command ring mismatch, dequeue = %p %llx (dma)\n",
++ xhci->cmd_ring->dequeue,
++ (unsigned long long)
++ xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg,
++ xhci->cmd_ring->dequeue));
++ xhci_debug_ring(xhci, xhci->cmd_ring);
++ xhci_dbg_ring_ptrs(xhci, xhci->cmd_ring);
++ return;
++ }
++
+ /* find the command trb matched by cd from command ring */
+ for (cmd_trb = xhci->cmd_ring->dequeue;
+ cmd_trb != xhci->cmd_ring->enqueue;
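Review bot: The `return;` in the new `if (!cur_seg)` branch leaves the command TRB untouched, and because `xhci_cmd_to_noop()` is `void` the caller cannot tell that the cancellation did not happen. If the caller then releases the command descriptor (that code is outside this hunk), a later completion for the still-live TRB would refer to state the driver no longer tracks; a comment at the branch such as `/* ring pointers inconsistent: TRB not converted to a no-op, command may still complete */` would record that, and returning an error code would let the caller react. Separately, the `xhci_warn()` call prints `xhci->cmd_ring->dequeue` with `%p`, which puts a raw kernel address in the log; `%pK` would honour kptr_restrict. The function body starts and ends outside the hunk.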