From: Greg Kroah-Hartman Date: Thu, 21 Jan 2010 21:32:57 +0000 (-0800) Subject: more .27 patches X-Git-Tag: v2.6.32.5~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=745475ebae63256a092a1b829428d6c2cf42fbec;p=thirdparty%2Fkernel%2Fstable-queue.git more .27 patches --- diff --git a/queue-2.6.27/ecryptfs-initialize-private-persistent-file-before-dereferencing-pointer.patch b/queue-2.6.27/ecryptfs-initialize-private-persistent-file-before-dereferencing-pointer.patch new file mode 100644 index 00000000000..3a1c0dedffd --- /dev/null +++ b/queue-2.6.27/ecryptfs-initialize-private-persistent-file-before-dereferencing-pointer.patch @@ -0,0 +1,55 @@ +From e27759d7a333d1f25d628c4f7caf845c51be51c2 Mon Sep 17 00:00:00 2001 +From: Erez Zadok +Date: Thu, 3 Dec 2009 13:35:27 -0500 +Subject: ecryptfs: initialize private persistent file before dereferencing pointer + +From: Erez Zadok + +commit e27759d7a333d1f25d628c4f7caf845c51be51c2 upstream. + +Ecryptfs_open dereferences a pointer to the private lower file (the one +stored in the ecryptfs inode), without checking if the pointer is NULL. +Right afterward, it initializes that pointer if it is NULL. Swap order of +statements to first initialize. Bug discovered by Duckjin Kang. + +Signed-off-by: Duckjin Kang +Signed-off-by: Erez Zadok +Cc: Dustin Kirkland +Cc: Al Viro +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/file.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/ecryptfs/file.c ++++ b/fs/ecryptfs/file.c +@@ -192,13 +192,6 @@ static int ecryptfs_open(struct inode *i + | ECRYPTFS_ENCRYPTED); + } + mutex_unlock(&crypt_stat->cs_mutex); +- if ((ecryptfs_inode_to_private(inode)->lower_file->f_flags & O_RDONLY) +- && !(file->f_flags & O_RDONLY)) { +- rc = -EPERM; +- printk(KERN_WARNING "%s: Lower persistent file is RO; eCryptfs " +- "file must hence be opened RO\n", __func__); +- goto out; +- } + if (!ecryptfs_inode_to_private(inode)->lower_file) { + rc = ecryptfs_init_persistent_file(ecryptfs_dentry); + if (rc) { +@@ -209,6 +202,13 @@ static int ecryptfs_open(struct inode *i + goto out; + } + } ++ if ((ecryptfs_inode_to_private(inode)->lower_file->f_flags & O_RDONLY) ++ && !(file->f_flags & O_RDONLY)) { ++ rc = -EPERM; ++ printk(KERN_WARNING "%s: Lower persistent file is RO; eCryptfs " ++ "file must hence be opened RO\n", __func__); ++ goto out; ++ } + ecryptfs_set_file_lower( + file, ecryptfs_inode_to_private(inode)->lower_file); + if (S_ISDIR(ecryptfs_dentry->d_inode->i_mode)) { diff --git a/queue-2.6.27/ecryptfs-use-after-free.patch b/queue-2.6.27/ecryptfs-use-after-free.patch new file mode 100644 index 00000000000..1409ccc5154 --- /dev/null +++ b/queue-2.6.27/ecryptfs-use-after-free.patch @@ -0,0 +1,47 @@ +From ece550f51ba175c14ec3ec047815927d7386ea1f Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 19 Jan 2010 12:34:32 +0300 +Subject: ecryptfs: use after free + +From: Dan Carpenter + +commit ece550f51ba175c14ec3ec047815927d7386ea1f upstream. + +The "full_alg_name" variable is used on a couple error paths, so we +shouldn't free it until the end. + +Signed-off-by: Dan Carpenter +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ecryptfs/crypto.c ++++ b/fs/ecryptfs/crypto.c +@@ -1733,7 +1733,7 @@ ecryptfs_process_key_cipher(struct crypt + char *cipher_name, size_t *key_size) + { + char dummy_key[ECRYPTFS_MAX_KEY_BYTES]; +- char *full_alg_name; ++ char *full_alg_name = NULL; + int rc; + + *key_tfm = NULL; +@@ -1748,7 +1748,6 @@ ecryptfs_process_key_cipher(struct crypt + if (rc) + goto out; + *key_tfm = crypto_alloc_blkcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC); +- kfree(full_alg_name); + if (IS_ERR(*key_tfm)) { + rc = PTR_ERR(*key_tfm); + printk(KERN_ERR "Unable to allocate crypto cipher with name " +@@ -1770,6 +1769,7 @@ ecryptfs_process_key_cipher(struct crypt + goto out; + } + out: ++ kfree(full_alg_name); + return rc; + } + diff --git a/queue-2.6.27/series b/queue-2.6.27/series index 465ee51e6e1..f3258bd56e8 100644 --- a/queue-2.6.27/series +++ b/queue-2.6.27/series @@ -1,3 +1,9 @@ edac-i5000_edac-critical-fix-panic-out-of-bounds.patch megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-permissions.patch reiserfs-truncate-blocks-not-used-by-a-write.patch +ecryptfs-initialize-private-persistent-file-before-dereferencing-pointer.patch +ecryptfs-use-after-free.patch +tty-fix-race-in-tty_fasync.patch +usb-add-missing-delay-during-remote-wakeup.patch +usb-ehci-fix-handling-of-unusual-interrupt-intervals.patch +usb-ehci-uhci-fix-race-between-root-hub-suspend-and-port-resume.patch diff --git a/queue-2.6.27/tty-fix-race-in-tty_fasync.patch b/queue-2.6.27/tty-fix-race-in-tty_fasync.patch new file mode 100644 index 00000000000..66121fd718d --- /dev/null +++ b/queue-2.6.27/tty-fix-race-in-tty_fasync.patch @@ -0,0 +1,41 @@ +From 703625118069f9f8960d356676662d3db5a9d116 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 17 Dec 2009 07:07:19 -0800 +Subject: tty: fix race in tty_fasync + +From: Greg Kroah-Hartman + +commit 703625118069f9f8960d356676662d3db5a9d116 upstream. + +We need to keep the lock held over the call to __f_setown() to +prevent a PID race. + +Thanks to Al Viro for pointing out the problem, and to Travis for +making us look here in the first place. + +Cc: Eric W. Biederman +Cc: Al Viro +Cc: Alan Cox +Cc: Linus Torvalds +Cc: Tavis Ormandy +Cc: Jeff Dike +Cc: Julien Tinnes +Cc: Matt Mackall +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tty_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/tty_io.c ++++ b/drivers/char/tty_io.c +@@ -2437,8 +2437,8 @@ static int tty_fasync(int fd, struct fil + pid = task_pid(current); + type = PIDTYPE_PID; + } +- spin_unlock_irqrestore(&tty->ctrl_lock, flags); + retval = __f_setown(filp, pid, type, 0); ++ spin_unlock_irqrestore(&tty->ctrl_lock, flags); + if (retval) + goto out; + } else { diff --git a/queue-2.6.27/usb-add-missing-delay-during-remote-wakeup.patch b/queue-2.6.27/usb-add-missing-delay-during-remote-wakeup.patch new file mode 100644 index 00000000000..6d267e301e7 --- /dev/null +++ b/queue-2.6.27/usb-add-missing-delay-during-remote-wakeup.patch @@ -0,0 +1,74 @@ +From 49d0f078f494b9d81e820a13dd8093a9bfb0b6b1 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 8 Jan 2010 11:18:38 -0500 +Subject: USB: add missing delay during remote wakeup + +From: Alan Stern + +commit 49d0f078f494b9d81e820a13dd8093a9bfb0b6b1 upstream. + +This patch (as1330) fixes a bug in khbud's handling of remote +wakeups. When a device sends a remote-wakeup request, the parent hub +(or the host controller driver, for directly attached devices) begins +the resume sequence and notifies khubd when the sequence finishes. At +this point the port's SUSPEND feature is automatically turned off. + +However the device needs an additional 10-ms resume-recovery time +(TRSMRCY in the USB spec). Khubd does not wait for this delay if the +SUSPEND feature is off, and as a result some devices fail to behave +properly following a remote wakeup. This patch adds the missing +delay to the remote-wakeup path. + +It also extends the resume-signalling delay used by ehci-hcd and +uhci-hcd from 20 ms (the value in the spec) to 25 ms (the value we use +for non-remote-wakeup resumes). The extra time appears to help some +devices. + +Signed-off-by: Alan Stern +Cc: Rickard Bellini +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 3 +++ + drivers/usb/host/ehci-hcd.c | 5 +++-- + drivers/usb/host/uhci-hub.c | 2 +- + 3 files changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -3015,6 +3015,9 @@ static void hub_events(void) + USB_PORT_FEAT_C_SUSPEND); + udev = hdev->children[i-1]; + if (udev) { ++ /* TRSMRCY = 10 msec */ ++ msleep(10); ++ + usb_lock_device(udev); + ret = remote_wakeup(hdev-> + children[i-1]); +--- a/drivers/usb/host/ehci-hcd.c ++++ b/drivers/usb/host/ehci-hcd.c +@@ -723,9 +723,10 @@ static irqreturn_t ehci_irq (struct usb_ + + /* start 20 msec resume signaling from this port, + * and make khubd collect PORT_STAT_C_SUSPEND to +- * stop that signaling. ++ * stop that signaling. Use 5 ms extra for safety, ++ * like usb_port_resume() does. + */ +- ehci->reset_done [i] = jiffies + msecs_to_jiffies (20); ++ ehci->reset_done[i] = jiffies + msecs_to_jiffies(25); + ehci_dbg (ehci, "port %d remote wakeup\n", i + 1); + mod_timer(&hcd->rh_timer, ehci->reset_done[i]); + } +--- a/drivers/usb/host/uhci-hub.c ++++ b/drivers/usb/host/uhci-hub.c +@@ -167,7 +167,7 @@ static void uhci_check_ports(struct uhci + /* Port received a wakeup request */ + set_bit(port, &uhci->resuming_ports); + uhci->ports_timeout = jiffies + +- msecs_to_jiffies(20); ++ msecs_to_jiffies(25); + + /* Make sure we see the port again + * after the resuming period is over. */ diff --git a/queue-2.6.27/usb-ehci-fix-handling-of-unusual-interrupt-intervals.patch b/queue-2.6.27/usb-ehci-fix-handling-of-unusual-interrupt-intervals.patch new file mode 100644 index 00000000000..7e85cebb612 --- /dev/null +++ b/queue-2.6.27/usb-ehci-fix-handling-of-unusual-interrupt-intervals.patch @@ -0,0 +1,61 @@ +From 1b9a38bfa6e664ff02511314f5586d711c83cc91 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 8 Jan 2010 11:17:55 -0500 +Subject: USB: EHCI: fix handling of unusual interrupt intervals + +From: Alan Stern + +commit 1b9a38bfa6e664ff02511314f5586d711c83cc91 upstream. + +This patch (as1320) fixes two problems related to interrupt-URB +scheduling in ehci-hcd. + + URBs with an interval of 2 or 4 microframes aren't handled. + For the time being, the patch reduces to interval to 1 uframe. + + URBs are constrained to have an interval no larger than 1024 + frames by usb_submit_urb(). But some EHCI controllers allow + use of a schedule as short as 256 frames; for these + controllers we may have to decrease the interval to the + actual schedule length. + +The second problem isn't very significant since few devices expose +interrupt endpoints with an interval larger than 256 frames. But the +first problem is critical; it will prevent the kernel from working +with devices having interrupt intervals of 2 or 4 uframes. + +Signed-off-by: Alan Stern +Tested-by: Glynn Farrow +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-q.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/ehci-q.c ++++ b/drivers/usb/host/ehci-q.c +@@ -748,9 +748,10 @@ qh_make ( + * But interval 1 scheduling is simpler, and + * includes high bandwidth. + */ +- dbg ("intr period %d uframes, NYET!", +- urb->interval); +- goto done; ++ urb->interval = 1; ++ } else if (qh->period > ehci->periodic_size) { ++ qh->period = ehci->periodic_size; ++ urb->interval = qh->period << 3; + } + } else { + int think_time; +@@ -773,6 +774,10 @@ qh_make ( + usb_calc_bus_time (urb->dev->speed, + is_input, 0, max_packet (maxp))); + qh->period = urb->interval; ++ if (qh->period > ehci->periodic_size) { ++ qh->period = ehci->periodic_size; ++ urb->interval = qh->period; ++ } + } + } + diff --git a/queue-2.6.27/usb-ehci-uhci-fix-race-between-root-hub-suspend-and-port-resume.patch b/queue-2.6.27/usb-ehci-uhci-fix-race-between-root-hub-suspend-and-port-resume.patch new file mode 100644 index 00000000000..08451f93439 --- /dev/null +++ b/queue-2.6.27/usb-ehci-uhci-fix-race-between-root-hub-suspend-and-port-resume.patch @@ -0,0 +1,87 @@ +From cec3a53c7fe794237b582e8e77fc0e48465e65ee Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 8 Jan 2010 11:18:20 -0500 +Subject: USB: EHCI & UHCI: fix race between root-hub suspend and port resume + +From: Alan Stern + +commit cec3a53c7fe794237b582e8e77fc0e48465e65ee upstream. + +This patch (as1321) fixes a problem with EHCI and UHCI root-hub +suspends: If the suspend occurs while a port is trying to resume, the +resume doesn't finish and simply gets lost. When remote wakeup is +enabled, this is undesirable behavior. + +The patch checks first to see if any port resumes are in progress, and +if they are then it fails the root-hub suspend with -EBUSY. + +Signed-off-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-hub.c | 20 +++++++++++++++++++- + drivers/usb/host/uhci-hcd.c | 15 ++++++++++++++- + 2 files changed, 33 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/ehci-hub.c ++++ b/drivers/usb/host/ehci-hub.c +@@ -119,9 +119,26 @@ static int ehci_bus_suspend (struct usb_ + del_timer_sync(&ehci->watchdog); + del_timer_sync(&ehci->iaa_watchdog); + +- port = HCS_N_PORTS (ehci->hcs_params); + spin_lock_irq (&ehci->lock); + ++ /* Once the controller is stopped, port resumes that are already ++ * in progress won't complete. Hence if remote wakeup is enabled ++ * for the root hub and any ports are in the middle of a resume or ++ * remote wakeup, we must fail the suspend. ++ */ ++ if (hcd->self.root_hub->do_remote_wakeup) { ++ port = HCS_N_PORTS(ehci->hcs_params); ++ while (port--) { ++ if (ehci->reset_done[port] != 0) { ++ spin_unlock_irq(&ehci->lock); ++ ehci_dbg(ehci, "suspend failed because " ++ "port %d is resuming\n", ++ port + 1); ++ return -EBUSY; ++ } ++ } ++ } ++ + /* stop schedules, clean any completed work */ + if (HC_IS_RUNNING(hcd->state)) { + ehci_quiesce (ehci); +@@ -137,6 +154,7 @@ static int ehci_bus_suspend (struct usb_ + */ + ehci->bus_suspended = 0; + ehci->owned_ports = 0; ++ port = HCS_N_PORTS(ehci->hcs_params); + while (port--) { + u32 __iomem *reg = &ehci->regs->port_status [port]; + u32 t1 = ehci_readl(ehci, reg) & ~PORT_RWC_BITS; +--- a/drivers/usb/host/uhci-hcd.c ++++ b/drivers/usb/host/uhci-hcd.c +@@ -750,7 +750,20 @@ static int uhci_rh_suspend(struct usb_hc + spin_lock_irq(&uhci->lock); + if (!test_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags)) + rc = -ESHUTDOWN; +- else if (!uhci->dead) ++ else if (uhci->dead) ++ ; /* Dead controllers tell no tales */ ++ ++ /* Once the controller is stopped, port resumes that are already ++ * in progress won't complete. Hence if remote wakeup is enabled ++ * for the root hub and any ports are in the middle of a resume or ++ * remote wakeup, we must fail the suspend. ++ */ ++ else if (hcd->self.root_hub->do_remote_wakeup && ++ uhci->resuming_ports) { ++ dev_dbg(uhci_dev(uhci), "suspend failed because a port " ++ "is resuming\n"); ++ rc = -EBUSY; ++ } else + suspend_rh(uhci, UHCI_RH_SUSPENDED); + spin_unlock_irq(&uhci->lock); + return rc;