diff options
author | Florian Fainelli <florian@openwrt.org> | 2014-02-28 20:30:08 +0000 |
---|---|---|
committer | Florian Fainelli <florian@openwrt.org> | 2014-02-28 20:30:08 +0000 |
commit | 800930b924c19a56b3a6e94ad351cd0715fb410d (patch) | |
tree | 70158d97f68604d69da8da779507469cf930bf07 /target/linux/brcm2708/patches-3.10/0053-dwc_otg-fix-potential-use-after-free-case-in-interru.patch | |
parent | 68c939ba0b0a0dda84e7a2ae370155be9a5593bc (diff) | |
download | upstream-800930b924c19a56b3a6e94ad351cd0715fb410d.tar.gz upstream-800930b924c19a56b3a6e94ad351cd0715fb410d.tar.bz2 upstream-800930b924c19a56b3a6e94ad351cd0715fb410d.zip |
brcm2708: update against latest rpi-3.10.y branch
Update our copies of the brcm2708 patches to the latest rpi-3.10-y
rebased against linux-3.10.y stable (3.10.32). This should hopefully
make it easier for us in the future to leverage the raspberry/rpi-*
branches.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@39770 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'target/linux/brcm2708/patches-3.10/0053-dwc_otg-fix-potential-use-after-free-case-in-interru.patch')
-rw-r--r-- | target/linux/brcm2708/patches-3.10/0053-dwc_otg-fix-potential-use-after-free-case-in-interru.patch | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/target/linux/brcm2708/patches-3.10/0053-dwc_otg-fix-potential-use-after-free-case-in-interru.patch b/target/linux/brcm2708/patches-3.10/0053-dwc_otg-fix-potential-use-after-free-case-in-interru.patch new file mode 100644 index 0000000000..fb4a53d22f --- /dev/null +++ b/target/linux/brcm2708/patches-3.10/0053-dwc_otg-fix-potential-use-after-free-case-in-interru.patch @@ -0,0 +1,29 @@ +From 51d7ae6f936ea32dedbe423fab97e3281994fe82 Mon Sep 17 00:00:00 2001 +From: P33M <P33M@github.com> +Date: Thu, 28 Feb 2013 16:52:51 +0000 +Subject: [PATCH 053/174] dwc_otg: fix potential use-after-free case in + interrupt handler + +If a transaction had previously aborted, certain interrupts are +enabled to track error counts and reset where necessary. On IN +endpoints the host generates an ACK interrupt near-simultaneously +with completion of transfer. In the case where this transfer had +previously had an error, this results in a use-after-free on +the QTD memory space with a 1-byte length being overwritten to +0x00. +--- + drivers/usb/host/dwc_otg/dwc_otg_hcd_intr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/dwc_otg/dwc_otg_hcd_intr.c ++++ b/drivers/usb/host/dwc_otg/dwc_otg_hcd_intr.c +@@ -2223,7 +2223,8 @@ int32_t dwc_otg_hcd_handle_hc_n_intr(dwc + retval |= handle_hc_nak_intr(dwc_otg_hcd, hc, hc_regs, qtd); + } + if (hcint.b.ack) { +- retval |= handle_hc_ack_intr(dwc_otg_hcd, hc, hc_regs, qtd); ++ if(!hcint.b.chhltd) ++ retval |= handle_hc_ack_intr(dwc_otg_hcd, hc, hc_regs, qtd); + } + if (hcint.b.nyet) { + retval |= handle_hc_nyet_intr(dwc_otg_hcd, hc, hc_regs, qtd); |