.27 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Mon, 6 Dec 2010 21:19:23 +0000 (13:19 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 6 Dec 2010 21:19:23 +0000 (13:19 -0800)
queue-2.6.27/series
queue-2.6.27/usb-core-fix-information-leak-to-userland.patch [new file with mode: 0644]
queue-2.6.27/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch [new file with mode: 0644]
queue-2.6.27/usb-misc-iowarrior-fix-information-leak-to-userland.patch [new file with mode: 0644]
queue-2.6.27/usb-misc-sisusbvga-fix-information-leak-to-userland.patch [new file with mode: 0644]
queue-2.6.27/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch [new file with mode: 0644]

index f02c9847c69bc2d14939424a35b40f44a4327cbe..dc465c9107c6ca7b9a7614a279475452948cc158 100644 (file)
@@ -13,3 +13,8 @@ drivers-char-vt_ioctl.c-fix-vt_openqry-error-value.patch
 ecryptfs-clear-lookup_open-flag-when-creating-lower-file.patch
 bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
 libata-fix-null-sdev-dereference-race-in-atapi_qc_complete.patch
+usb-misc-sisusbvga-fix-information-leak-to-userland.patch
+usb-misc-iowarrior-fix-information-leak-to-userland.patch
+usb-core-fix-information-leak-to-userland.patch
+usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch
+usb-storage-sierra_ms-fix-sysfs-file-attribute.patch
diff --git a/queue-2.6.27/usb-core-fix-information-leak-to-userland.patch b/queue-2.6.27/usb-core-fix-information-leak-to-userland.patch
new file mode 100644 (file)
index 0000000..4c71a1d
--- /dev/null
@@ -0,0 +1,37 @@
+From 886ccd4520064408ce5876cfe00554ce52ecf4a7 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segooon@gmail.com>
+Date: Sat, 6 Nov 2010 17:41:28 +0300
+Subject: usb: core: fix information leak to userland
+
+From: Vasiliy Kulikov <segooon@gmail.com>
+
+commit 886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream.
+
+Structure usbdevfs_connectinfo is copied to userland with padding byted
+after "slow" field uninitialized.  It leads to leaking of contents of
+kernel stack memory.
+
+Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/core/devio.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -883,10 +883,11 @@ static int proc_getdriver(struct dev_sta
+ static int proc_connectinfo(struct dev_state *ps, void __user *arg)
+ {
+-      struct usbdevfs_connectinfo ci;
++      struct usbdevfs_connectinfo ci = {
++              .devnum = ps->dev->devnum,
++              .slow = ps->dev->speed == USB_SPEED_LOW
++      };
+-      ci.devnum = ps->dev->devnum;
+-      ci.slow = ps->dev->speed == USB_SPEED_LOW;
+       if (copy_to_user(arg, &ci, sizeof(ci)))
+               return -EFAULT;
+       return 0;
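Review bot: The designated initializer for `ci` in proc_connectinfo() zeroes the members that are not named, but the C standard does not promise that the padding after `slow` is cleared, so the `copy_to_user(arg, &ci, sizeof(ci))` that follows may still copy stale stack bytes, depending on how the compiler lowers the initializer. Clearing the whole object first is the dependable form for a struct that crosses to userland: `memset(&ci, 0, sizeof(ci));` followed by the original `ci.devnum = ps->dev->devnum;` and `ci.slow = ps->dev->speed == USB_SPEED_LOW;`. That also matches the memset() used by the iowarrior patch queued in the same commit.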
diff --git a/queue-2.6.27/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch b/queue-2.6.27/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch
new file mode 100644 (file)
index 0000000..14292af
--- /dev/null
@@ -0,0 +1,61 @@
+From 02e2c51ba3e80acde600721ea784c3ef84da5ea1 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 16 Nov 2010 10:57:37 -0500
+Subject: USB: EHCI: fix obscure race in ehci_endpoint_disable
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 02e2c51ba3e80acde600721ea784c3ef84da5ea1 upstream.
+
+This patch (as1435) fixes an obscure and unlikely race in ehci-hcd.
+When an async URB is unlinked, the corresponding QH is removed from
+the async list.  If the QH's endpoint is then disabled while the URB
+is being given back, ehci_endpoint_disable() won't find the QH on the
+async list, causing it to believe that the QH has been lost.  This
+will lead to a memory leak at best and quite possibly to an oops.
+
+The solution is to trust usbcore not to lose track of endpoints.  If
+the QH isn't on the async list then it doesn't need to be taken off
+the list, but the driver should still wait for the QH to become IDLE
+before disabling it.
+
+In theory this fixes Bugzilla #20182.  In fact the race is so rare
+that it's not possible to tell whether the bug is still present.
+However, adding delays and making other changes to force the race
+seems to show that the patch works.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+CC: David Brownell <david-b@pacbell.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ehci-hcd.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/host/ehci-hcd.c
++++ b/drivers/usb/host/ehci-hcd.c
+@@ -954,10 +954,11 @@ rescan:
+                               tmp && tmp != qh;
+                               tmp = tmp->qh_next.qh)
+                       continue;
+-              /* periodic qh self-unlinks on empty */
+-              if (!tmp)
+-                      goto nogood;
+-              unlink_async (ehci, qh);
++              /* periodic qh self-unlinks on empty, and a COMPLETING qh
++               * may already be unlinked.
++               */
++              if (tmp)
++                      unlink_async(ehci, qh);
+               /* FALL THROUGH */
+       case QH_STATE_UNLINK:           /* wait for hw to finish? */
+       case QH_STATE_UNLINK_WAIT:
+@@ -972,7 +973,6 @@ idle_timeout:
+               }
+               /* else FALL THROUGH */
+       default:
+-nogood:
+               /* caller was supposed to have unlinked any requests;
+                * that's not our job.  just leak this memory.
+                */
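Review bot: With the `if (tmp)` guard, a LINKED QH that is not found on the async list now falls through into the QH_STATE_UNLINK / QH_STATE_UNLINK_WAIT wait path instead of jumping to the removed `nogood:` label, and nothing visible in these hunks shows what bounds that wait. The new comment explains why the QH may be absent but not what is expected to move it to IDLE afterwards; I would extend it, e.g. `/* ... may already be unlinked; either way fall through and wait for the QH to go IDLE */`. It is also worth confirming that a periodic QH reaching this path always self-unlinks, since otherwise the former leak appears to become an unbounded rescan. The switch statement and the `rescan:` / `idle_timeout:` loops start and end outside the hunks, so this is inferred from the labels and the commit message.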
diff --git a/queue-2.6.27/usb-misc-iowarrior-fix-information-leak-to-userland.patch b/queue-2.6.27/usb-misc-iowarrior-fix-information-leak-to-userland.patch
new file mode 100644 (file)
index 0000000..56c0f75
--- /dev/null
@@ -0,0 +1,31 @@
+From eca67aaeebd6e5d22b0d991af1dd0424dc703bfb Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segooon@gmail.com>
+Date: Sat, 6 Nov 2010 17:41:31 +0300
+Subject: usb: misc: iowarrior: fix information leak to userland
+
+From: Vasiliy Kulikov <segooon@gmail.com>
+
+commit eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream.
+
+Structure iowarrior_info is copied to userland with padding byted
+between "serial" and "revision" fields uninitialized.  It leads to
+leaking of contents of kernel stack memory.
+
+Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
+Acked-by: Kees Cook <kees.cook@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/misc/iowarrior.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -551,6 +551,7 @@ static long iowarrior_ioctl(struct file
+                       /* needed for power consumption */
+                       struct usb_config_descriptor *cfg_descriptor = &dev->udev->actconfig->desc;
++                      memset(&info, 0, sizeof(info));
+                       /* directly from the descriptor */
+                       info.vendor = le16_to_cpu(dev->udev->descriptor.idVendor);
+                       info.product = dev->product_id;
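Review bot: The added `memset(&info, 0, sizeof(info));` has no comment, and because the lines after it assign the fields one by one, it reads as redundant and is easy to drop in a later cleanup. A one-line comment above it would record the reason, for example `/* clear padding too: info is copied to userspace */`. The enclosing ioctl case begins and ends outside the hunk, so the copy to userland itself is not visible here and is taken from the patch description.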
diff --git a/queue-2.6.27/usb-misc-sisusbvga-fix-information-leak-to-userland.patch b/queue-2.6.27/usb-misc-sisusbvga-fix-information-leak-to-userland.patch
new file mode 100644 (file)
index 0000000..205cd44
--- /dev/null
@@ -0,0 +1,29 @@
+From 5dc92cf1d0b4b0debbd2e333b83f9746c103533d Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segooon@gmail.com>
+Date: Sat, 6 Nov 2010 17:41:35 +0300
+Subject: usb: misc: sisusbvga: fix information leak to userland
+
+From: Vasiliy Kulikov <segooon@gmail.com>
+
+commit 5dc92cf1d0b4b0debbd2e333b83f9746c103533d upstream.
+
+Structure sisusb_info is copied to userland with "sisusb_reserved" field
+uninitialized.  It leads to leaking of contents of kernel stack memory.
+
+Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/misc/sisusbvga/sisusb.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/sisusbvga/sisusb.c
++++ b/drivers/usb/misc/sisusbvga/sisusb.c
+@@ -3031,6 +3031,7 @@ sisusb_ioctl(struct file *file, unsigned
+ #else
+                       x.sisusb_conactive  = 0;
+ #endif
++                      memset(x.sisusb_reserved, 0, sizeof(x.sisusb_reserved));
+                       if (copy_to_user((void __user *)arg, &x, sizeof(x)))
+                               retval = -EFAULT;
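Review bot: The added memset() clears only `x.sisusb_reserved`, so the `copy_to_user((void __user *)arg, &x, sizeof(x))` right after it is leak-free only if every other member is assigned on every path and the struct has no padding. Neither can be confirmed from this hunk. Zeroing the whole object before the first field assignment, `memset(&x, 0, sizeof(x));`, removes that dependency and keeps the fix valid if a member is added later; the iowarrior patch in this commit already takes that form. The declaration of `x` and the earlier assignments are outside the hunk.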
diff --git a/queue-2.6.27/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch b/queue-2.6.27/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch
new file mode 100644 (file)
index 0000000..10c221e
--- /dev/null
@@ -0,0 +1,31 @@
+From d9624e75f6ad94d8a0718c1fafa89186d271a78c Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Date: Mon, 15 Nov 2010 11:17:52 -0800
+Subject: USB: storage: sierra_ms: fix sysfs file attribute
+
+From: Greg Kroah-Hartman <gregkh@suse.de>
+
+commit d9624e75f6ad94d8a0718c1fafa89186d271a78c upstream.
+
+A non-writable sysfs file shouldn't have writable attributes.
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Kevin Lloyd <klloyd@sierrawireless.com>
+Cc: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/storage/sierra_ms.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/sierra_ms.c
++++ b/drivers/usb/storage/sierra_ms.c
+@@ -120,7 +120,7 @@ static ssize_t show_truinst(struct devic
+       }
+       return result;
+ }
+-static DEVICE_ATTR(truinst, S_IWUGO | S_IRUGO, show_truinst, NULL);
++static DEVICE_ATTR(truinst, S_IRUGO, show_truinst, NULL);
+ int sierra_ms_init(struct us_data *us)
+ {