Patch "xhci: Fix potential NULL ptr deref in command cancellation." has been added to the 3.4-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    xhci: Fix potential NULL ptr deref in command cancellation.

to the 3.4-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
and it can be found in the queue-3.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 43a09f7fb01fa1e091416a2aa49b6c666458c1ee Mon Sep 17 00:00:00 2001
From: Sarah Sharp <sarah.a.sh...@linux.intel.com>
Date: Tue, 16 Oct 2012 13:17:43 -0700
Subject: xhci: Fix potential NULL ptr deref in command cancellation.

From: Sarah Sharp <sarah.a.sh...@linux.intel.com>

commit 43a09f7fb01fa1e091416a2aa49b6c666458c1ee upstream.

The command cancellation code doesn't check whether find_trb_seg()
couldn't find the segment that contains the TRB to be canceled.  This
could cause a NULL pointer deference later in the function when next_trb
is called.  It's unlikely to happen unless something is wrong with the
command ring pointers, so add some debugging in case it happens.

This patch should be backported to stable kernels as old as 3.0, that
contain the commit b63f4053cc8aa22a98e3f9a97845afe6c15d0a0d "xHCI:
handle command after aborting the command ring".

Signed-off-by: Sarah Sharp <sarah.a.sh...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 drivers/usb/host/xhci-ring.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1228,6 +1228,17 @@ static void xhci_cmd_to_noop(struct xhci
        cur_seg = find_trb_seg(xhci->cmd_ring->first_seg,
                        xhci->cmd_ring->dequeue, &cycle_state);
 
+       if (!cur_seg) {
+               xhci_warn(xhci, "Command ring mismatch, dequeue = %p %llx 
(dma)\n",
+                               xhci->cmd_ring->dequeue,
+                               (unsigned long long)
+                               xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg,
+                                       xhci->cmd_ring->dequeue));
+               xhci_debug_ring(xhci, xhci->cmd_ring);
+               xhci_dbg_ring_ptrs(xhci, xhci->cmd_ring);
+               return;
+       }
+
        /* find the command trb matched by cd from command ring */
        for (cmd_trb = xhci->cmd_ring->dequeue;
                        cmd_trb != xhci->cmd_ring->enqueue;


Patches currently in stable-queue which might be from 
sarah.a.sh...@linux.intel.com are

queue-3.4/xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html