pci-fix-size-checks-for-mmap-on-proc-bus-pci-files.patch
pci-fix-offset-check-for-sysfs-mmapped-files.patch
efifb-check-that-the-base-address-is-plausible-on-pci-systems.patch
+usb-gadget-at91-fix-typo-in-atmel_usba_udc-driver.patch
+usb-ftdi_sio-add-device-ids-for-milkymist-one-jtag-serial.patch
+usb-option-fix-when-the-driver-is-loaded-incorrectly-for-some-huawei-devices.patch
+usb-misc-sisusbvga-fix-information-leak-to-userland.patch
+usb-misc-iowarrior-fix-information-leak-to-userland.patch
+usb-core-fix-information-leak-to-userland.patch
+usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch
+usb-storage-sierra_ms-fix-sysfs-file-attribute.patch
--- /dev/null
+From 886ccd4520064408ce5876cfe00554ce52ecf4a7 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segooon@gmail.com>
+Date: Sat, 6 Nov 2010 17:41:28 +0300
+Subject: usb: core: fix information leak to userland
+
+From: Vasiliy Kulikov <segooon@gmail.com>
+
+commit 886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream.
+
+Structure usbdevfs_connectinfo is copied to userland with padding byted
+after "slow" field uninitialized. It leads to leaking of contents of
+kernel stack memory.
+
+Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/core/devio.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -946,10 +946,11 @@ static int proc_getdriver(struct dev_sta
+
+ static int proc_connectinfo(struct dev_state *ps, void __user *arg)
+ {
+- struct usbdevfs_connectinfo ci;
++ struct usbdevfs_connectinfo ci = {
++ .devnum = ps->dev->devnum,
++ .slow = ps->dev->speed == USB_SPEED_LOW
++ };
+
+- ci.devnum = ps->dev->devnum;
+- ci.slow = ps->dev->speed == USB_SPEED_LOW;
+ if (copy_to_user(arg, &ci, sizeof(ci)))
+ return -EFAULT;
+ return 0;
--- /dev/null
+From 02e2c51ba3e80acde600721ea784c3ef84da5ea1 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 16 Nov 2010 10:57:37 -0500
+Subject: USB: EHCI: fix obscure race in ehci_endpoint_disable
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 02e2c51ba3e80acde600721ea784c3ef84da5ea1 upstream.
+
+This patch (as1435) fixes an obscure and unlikely race in ehci-hcd.
+When an async URB is unlinked, the corresponding QH is removed from
+the async list. If the QH's endpoint is then disabled while the URB
+is being given back, ehci_endpoint_disable() won't find the QH on the
+async list, causing it to believe that the QH has been lost. This
+will lead to a memory leak at best and quite possibly to an oops.
+
+The solution is to trust usbcore not to lose track of endpoints. If
+the QH isn't on the async list then it doesn't need to be taken off
+the list, but the driver should still wait for the QH to become IDLE
+before disabling it.
+
+In theory this fixes Bugzilla #20182. In fact the race is so rare
+that it's not possible to tell whether the bug is still present.
+However, adding delays and making other changes to force the race
+seems to show that the patch works.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+CC: David Brownell <david-b@pacbell.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ehci-hcd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/host/ehci-hcd.c
++++ b/drivers/usb/host/ehci-hcd.c
+@@ -1008,10 +1008,11 @@ rescan:
+ tmp && tmp != qh;
+ tmp = tmp->qh_next.qh)
+ continue;
+- /* periodic qh self-unlinks on empty */
+- if (!tmp)
+- goto nogood;
+- unlink_async (ehci, qh);
++ /* periodic qh self-unlinks on empty, and a COMPLETING qh
++ * may already be unlinked.
++ */
++ if (tmp)
++ unlink_async(ehci, qh);
+ /* FALL THROUGH */
+ case QH_STATE_UNLINK: /* wait for hw to finish? */
+ case QH_STATE_UNLINK_WAIT:
+@@ -1028,7 +1029,6 @@ idle_timeout:
+ }
+ /* else FALL THROUGH */
+ default:
+-nogood:
+ /* caller was supposed to have unlinked any requests;
+ * that's not our job. just leak this memory.
+ */
--- /dev/null
+From 7fea0f714ffb3f303d4b66933af2df2f5584c9bf Mon Sep 17 00:00:00 2001
+From: Sebastien Bourdeauducq <sebastien@milkymist.org>
+Date: Wed, 3 Nov 2010 11:54:12 +0100
+Subject: USB: ftdi_sio: add device IDs for Milkymist One JTAG/serial
+
+From: Sebastien Bourdeauducq <sebastien@milkymist.org>
+
+commit 7fea0f714ffb3f303d4b66933af2df2f5584c9bf upstream.
+
+Add the USB IDs for the Milkymist One FTDI-based JTAG/serial adapter
+(http://projects.qi-hardware.com/index.php/p/mmone-jtag-serial-cable/)
+to the ftdi_sio driver and disable the first serial channel (used as
+JTAG from userspace).
+
+Signed-off-by: Sebastien Bourdeauducq <sebastien@milkymist.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/ftdi_sio.c | 2 ++
+ drivers/usb/serial/ftdi_sio_ids.h | 7 +++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -800,6 +800,8 @@ static struct usb_device_id id_table_com
+ { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LOGBOOKML_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LS_LOGBOOK_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_HS_LOGBOOK_PID) },
++ { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID),
++ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { }, /* Optional parameter entry */
+ { } /* Terminating entry */
+ };
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -1107,3 +1107,10 @@
+ #define FTDI_SCIENCESCOPE_LOGBOOKML_PID 0xFF18
+ #define FTDI_SCIENCESCOPE_LS_LOGBOOK_PID 0xFF1C
+ #define FTDI_SCIENCESCOPE_HS_LOGBOOK_PID 0xFF1D
++
++/*
++ * Milkymist One JTAG/Serial
++ */
++#define QIHARDWARE_VID 0x20B7
++#define MILKYMISTONE_JTAGSERIAL_PID 0x0713
++
--- /dev/null
+From b48809518631880207796b4aab0fc39c2f036754 Mon Sep 17 00:00:00 2001
+From: Josh Wu <josh.wu@atmel.com>
+Date: Tue, 16 Nov 2010 11:51:32 +0100
+Subject: USB: gadget: AT91: fix typo in atmel_usba_udc driver
+
+From: Josh Wu <josh.wu@atmel.com>
+
+commit b48809518631880207796b4aab0fc39c2f036754 upstream.
+
+compile fix for bug introduced by 969affff547027)
+
+Signed-off-by: Josh Wu <josh.wu@atmel.com>
+Cc: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/gadget/atmel_usba_udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/atmel_usba_udc.c
++++ b/drivers/usb/gadget/atmel_usba_udc.c
+@@ -2015,7 +2015,7 @@ static int __init usba_udc_probe(struct
+ }
+ } else {
+ /* gpio_request fail so use -EINVAL for gpio_is_valid */
+- ubc->vbus_pin = -EINVAL;
++ udc->vbus_pin = -EINVAL;
+ }
+ }
+
--- /dev/null
+From eca67aaeebd6e5d22b0d991af1dd0424dc703bfb Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segooon@gmail.com>
+Date: Sat, 6 Nov 2010 17:41:31 +0300
+Subject: usb: misc: iowarrior: fix information leak to userland
+
+From: Vasiliy Kulikov <segooon@gmail.com>
+
+commit eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream.
+
+Structure iowarrior_info is copied to userland with padding byted
+between "serial" and "revision" fields uninitialized. It leads to
+leaking of contents of kernel stack memory.
+
+Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
+Acked-by: Kees Cook <kees.cook@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/misc/iowarrior.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -552,6 +552,7 @@ static long iowarrior_ioctl(struct file
+ /* needed for power consumption */
+ struct usb_config_descriptor *cfg_descriptor = &dev->udev->actconfig->desc;
+
++ memset(&info, 0, sizeof(info));
+ /* directly from the descriptor */
+ info.vendor = le16_to_cpu(dev->udev->descriptor.idVendor);
+ info.product = dev->product_id;
--- /dev/null
+From 5dc92cf1d0b4b0debbd2e333b83f9746c103533d Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segooon@gmail.com>
+Date: Sat, 6 Nov 2010 17:41:35 +0300
+Subject: usb: misc: sisusbvga: fix information leak to userland
+
+From: Vasiliy Kulikov <segooon@gmail.com>
+
+commit 5dc92cf1d0b4b0debbd2e333b83f9746c103533d upstream.
+
+Structure sisusb_info is copied to userland with "sisusb_reserved" field
+uninitialized. It leads to leaking of contents of kernel stack memory.
+
+Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/misc/sisusbvga/sisusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/sisusbvga/sisusb.c
++++ b/drivers/usb/misc/sisusbvga/sisusb.c
+@@ -3008,6 +3008,7 @@ sisusb_ioctl(struct file *file, unsigned
+ #else
+ x.sisusb_conactive = 0;
+ #endif
++ memset(x.sisusb_reserved, 0, sizeof(x.sisusb_reserved));
+
+ if (copy_to_user((void __user *)arg, &x, sizeof(x)))
+ retval = -EFAULT;
--- /dev/null
+From 58c0d9d70109bd7e82bdb9517007311a48499960 Mon Sep 17 00:00:00 2001
+From: ma rui <m00150988@huawei.com>
+Date: Mon, 1 Nov 2010 11:32:18 +0800
+Subject: USB: option: fix when the driver is loaded incorrectly for some Huawei devices.
+
+From: ma rui <m00150988@huawei.com>
+
+commit 58c0d9d70109bd7e82bdb9517007311a48499960 upstream.
+
+When huawei datacard with PID 0x14AC is insterted into Linux system, the
+present kernel will load the "option" driver to all the interfaces. But
+actually, some interfaces run as other function and do not need "option"
+driver.
+
+In this path, we modify the id_tables, when the PID is 0x14ac ,VID is
+0x12d1, Only when the interface's Class is 0xff,Subclass is 0xff, Pro is
+0xff, it does need "option" driver.
+
+Signed-off-by: ma rui <m00150988@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/option.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -479,7 +479,7 @@ static struct usb_device_id option_ids[]
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4505, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K3765, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_ETS1220, 0xff, 0xff, 0xff) },
+- { USB_DEVICE(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E14AC) },
++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E14AC, 0xff, 0xff, 0xff) },
+ { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_9508) },
+ { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V640) }, /* Novatel Merlin V640/XV620 */
+ { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V620) }, /* Novatel Merlin V620/S620 */
--- /dev/null
+From d9624e75f6ad94d8a0718c1fafa89186d271a78c Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Date: Mon, 15 Nov 2010 11:17:52 -0800
+Subject: USB: storage: sierra_ms: fix sysfs file attribute
+
+From: Greg Kroah-Hartman <gregkh@suse.de>
+
+commit d9624e75f6ad94d8a0718c1fafa89186d271a78c upstream.
+
+A non-writable sysfs file shouldn't have writable attributes.
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Kevin Lloyd <klloyd@sierrawireless.com>
+Cc: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/storage/sierra_ms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/sierra_ms.c
++++ b/drivers/usb/storage/sierra_ms.c
+@@ -120,7 +120,7 @@ static ssize_t show_truinst(struct devic
+ }
+ return result;
+ }
+-static DEVICE_ATTR(truinst, S_IWUGO | S_IRUGO, show_truinst, NULL);
++static DEVICE_ATTR(truinst, S_IRUGO, show_truinst, NULL);
+
+ int sierra_ms_init(struct us_data *us)
+ {
projects / thirdparty / kernel / stable-queue.git / commitdiff
