From 9e8201acadbfd7fa3da1053513ec412342e69c2c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 10 May 2013 10:14:56 -0700 Subject: [PATCH] 3.4-stable patches added patches: acpica-fix-possible-buffer-overflow-during-a-field-unit-read-operation.patch alsa-hda-fix-oops-caused-by-dereference-null-pointer.patch asoc-wm8994-missing-break-in-wm8994_aif3_hw_params.patch --- ...w-during-a-field-unit-read-operation.patch | 47 +++++++++++++++++++ ...s-caused-by-dereference-null-pointer.patch | 42 +++++++++++++++++ ...ssing-break-in-wm8994_aif3_hw_params.patch | 30 ++++++++++++ queue-3.4/series | 3 ++ 4 files changed, 122 insertions(+) create mode 100644 queue-3.4/acpica-fix-possible-buffer-overflow-during-a-field-unit-read-operation.patch create mode 100644 queue-3.4/alsa-hda-fix-oops-caused-by-dereference-null-pointer.patch create mode 100644 queue-3.4/asoc-wm8994-missing-break-in-wm8994_aif3_hw_params.patch diff --git a/queue-3.4/acpica-fix-possible-buffer-overflow-during-a-field-unit-read-operation.patch b/queue-3.4/acpica-fix-possible-buffer-overflow-during-a-field-unit-read-operation.patch new file mode 100644 index 00000000000..3c9e0d85756 --- /dev/null +++ b/queue-3.4/acpica-fix-possible-buffer-overflow-during-a-field-unit-read-operation.patch @@ -0,0 +1,47 @@ +From 61388f9e5d93053cf399a356414f31f9b4814c6d Mon Sep 17 00:00:00 2001 +From: Bob Moore +Date: Wed, 8 May 2013 04:01:15 +0000 +Subject: ACPICA: Fix possible buffer overflow during a field unit read operation + +From: Bob Moore + +commit 61388f9e5d93053cf399a356414f31f9b4814c6d upstream. + +Can only happen under these conditions: 1) The DSDT version is 1, +meaning integers are 32-bits. 2) The field is between 33 and 64 +bits long. + +It applies cleanly back to ACPICA 20100806+ (Linux v2.6.37+). + +Signed-off-by: Bob Moore +Signed-off-by: Lv Zheng +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/acpica/exfldio.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/acpica/exfldio.c ++++ b/drivers/acpi/acpica/exfldio.c +@@ -722,7 +722,19 @@ acpi_ex_extract_from_field(union acpi_op + + if ((obj_desc->common_field.start_field_bit_offset == 0) && + (obj_desc->common_field.bit_length == access_bit_width)) { +- status = acpi_ex_field_datum_io(obj_desc, 0, buffer, ACPI_READ); ++ if (buffer_length >= sizeof(u64)) { ++ status = ++ acpi_ex_field_datum_io(obj_desc, 0, buffer, ++ ACPI_READ); ++ } else { ++ /* Use raw_datum (u64) to handle buffers < 64 bits */ ++ ++ status = ++ acpi_ex_field_datum_io(obj_desc, 0, &raw_datum, ++ ACPI_READ); ++ ACPI_MEMCPY(buffer, &raw_datum, buffer_length); ++ } ++ + return_ACPI_STATUS(status); + } + diff --git a/queue-3.4/alsa-hda-fix-oops-caused-by-dereference-null-pointer.patch b/queue-3.4/alsa-hda-fix-oops-caused-by-dereference-null-pointer.patch new file mode 100644 index 00000000000..51198f3be12 --- /dev/null +++ b/queue-3.4/alsa-hda-fix-oops-caused-by-dereference-null-pointer.patch @@ -0,0 +1,42 @@ +From 2195b063f6609e4c6268f291683902f25eaf9aa6 Mon Sep 17 00:00:00 2001 +From: Wang YanQing +Date: Tue, 7 May 2013 11:27:33 +0800 +Subject: ALSA: HDA: Fix Oops caused by dereference NULL pointer + +From: Wang YanQing + +commit 2195b063f6609e4c6268f291683902f25eaf9aa6 upstream. + +The interrupt handler azx_interrupt will call azx_update_rirb, +which may call snd_hda_queue_unsol_event, snd_hda_queue_unsol_event +will dereference chip->bus pointer. + +The problem is we alloc chip->bus in azx_codec_create +which will be called after we enable IRQ and enable unsolicited +event in azx_probe. + +This will cause Oops due dereference NULL pointer. I meet it, good luck:) + +[Rearranged the NULL check before the tracepoint and added another + NULL check of bus->workq -- tiwai] + +Signed-off-by: Wang YanQing +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_codec.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -617,6 +617,9 @@ int snd_hda_queue_unsol_event(struct hda + struct hda_bus_unsolicited *unsol; + unsigned int wp; + ++ if (!bus || !bus->workq) ++ return 0; ++ + trace_hda_unsol_event(bus, res, res_ex); + unsol = bus->unsol; + if (!unsol) diff --git a/queue-3.4/asoc-wm8994-missing-break-in-wm8994_aif3_hw_params.patch b/queue-3.4/asoc-wm8994-missing-break-in-wm8994_aif3_hw_params.patch new file mode 100644 index 00000000000..28af4fe21bb --- /dev/null +++ b/queue-3.4/asoc-wm8994-missing-break-in-wm8994_aif3_hw_params.patch @@ -0,0 +1,30 @@ +From 4495e46fe18f198366961bb2b324a694ef8a9b44 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 30 Apr 2013 10:24:41 +0300 +Subject: ASoC: wm8994: missing break in wm8994_aif3_hw_params() + +From: Dan Carpenter + +commit 4495e46fe18f198366961bb2b324a694ef8a9b44 upstream. + +The missing break here means that we always return early and the +function is a no-op. + +Signed-off-by: Dan Carpenter +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm8994.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/soc/codecs/wm8994.c ++++ b/sound/soc/codecs/wm8994.c +@@ -2824,6 +2824,7 @@ static int wm8994_aif3_hw_params(struct + default: + return 0; + } ++ break; + default: + return 0; + } diff --git a/queue-3.4/series b/queue-3.4/series index 71d53758f26..c3080673112 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -1,2 +1,5 @@ kvm-vmx-fix-halt-emulation-while-emulating-invalid-guest-sate.patch arm-omap-rx-51-change-probe-order-of-touchscreen-and-panel-spi-devices.patch +asoc-wm8994-missing-break-in-wm8994_aif3_hw_params.patch +acpica-fix-possible-buffer-overflow-during-a-field-unit-read-operation.patch +alsa-hda-fix-oops-caused-by-dereference-null-pointer.patch -- 2.47.3