From: Greg Kroah-Hartman Date: Mon, 6 Dec 2010 21:19:23 +0000 (-0800) Subject: .27 patches X-Git-Tag: v2.6.27.57~35 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2560e030ccebbf672326e687cbbb3bce4d3d3c22;p=thirdparty%2Fkernel%2Fstable-queue.git .27 patches
---
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
index f02c9847c69..dc465c9107c 100644
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
@@ -13,3 +13,8 @@ drivers-char-vt_ioctl.c-fix-vt_openqry-error-value.patch
 ecryptfs-clear-lookup_open-flag-when-creating-lower-file.patch
 bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
 libata-fix-null-sdev-dereference-race-in-atapi_qc_complete.patch
+usb-misc-sisusbvga-fix-information-leak-to-userland.patch
+usb-misc-iowarrior-fix-information-leak-to-userland.patch
+usb-core-fix-information-leak-to-userland.patch
+usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch
+usb-storage-sierra_ms-fix-sysfs-file-attribute.patch
diff --git a/queue-2.6.27/usb-core-fix-information-leak-to-userland.patch b/queue-2.6.27/usb-core-fix-information-leak-to-userland.patch
new file mode 100644
index 00000000000..4c71a1de821
--- /dev/null
+++ b/queue-2.6.27/usb-core-fix-information-leak-to-userland.patch
@@ -0,0 +1,37 @@
+From 886ccd4520064408ce5876cfe00554ce52ecf4a7 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov
+Date: Sat, 6 Nov 2010 17:41:28 +0300
+Subject: usb: core: fix information leak to userland
+
+From: Vasiliy Kulikov
+
+commit 886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream.
+
+Structure usbdevfs_connectinfo is copied to userland with padding byted
+after "slow" field uninitialized. It leads to leaking of contents of
+kernel stack memory.
+
+Signed-off-by: Vasiliy Kulikov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/devio.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -883,10 +883,11 @@ static int proc_getdriver(struct dev_sta
+
+ static int proc_connectinfo(struct dev_state *ps, void __user *arg)
+ {
+- struct usbdevfs_connectinfo ci;
++ struct usbdevfs_connectinfo ci = {
++ .devnum = ps->dev->devnum,
++ .slow = ps->dev->speed == USB_SPEED_LOW
++ };
+
+- ci.devnum = ps->dev->devnum;
+- ci.slow = ps->dev->speed == USB_SPEED_LOW;
+ if (copy_to_user(arg, &ci, sizeof(ci)))
+ return -EFAULT;
+ return 0;
diff --git a/queue-2.6.27/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch b/queue-2.6.27/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch
new file mode 100644
index 00000000000..14292af94e3
--- /dev/null
+++ b/queue-2.6.27/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch
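Review bot: In proc_connectinfo (the drivers/usb/core/devio.c patch), the designated initializer `struct usbdevfs_connectinfo ci = { ... }` sets the named members, but C does not guarantee that an initializer list also clears padding bytes, and the commit message says the leak is exactly the padding after `slow`. Whether those bytes end up zero depends on how the compiler lowers the initializer, so `copy_to_user(arg, &ci, sizeof(ci))` may still expose stale stack contents. I would keep the plain declaration and add `memset(&ci, 0, sizeof(ci));` before the two assignments, which is the form the iowarrior patch in this same queue uses. The function's closing brace is outside the hunk.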
@@ -0,0 +1,61 @@
+From 02e2c51ba3e80acde600721ea784c3ef84da5ea1 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Tue, 16 Nov 2010 10:57:37 -0500
+Subject: USB: EHCI: fix obscure race in ehci_endpoint_disable
+
+From: Alan Stern
+
+commit 02e2c51ba3e80acde600721ea784c3ef84da5ea1 upstream.
+
+This patch (as1435) fixes an obscure and unlikely race in ehci-hcd.
+When an async URB is unlinked, the corresponding QH is removed from
+the async list. If the QH's endpoint is then disabled while the URB
+is being given back, ehci_endpoint_disable() won't find the QH on the
+async list, causing it to believe that the QH has been lost. This
+will lead to a memory leak at best and quite possibly to an oops.
+
+The solution is to trust usbcore not to lose track of endpoints. If
+the QH isn't on the async list then it doesn't need to be taken off
+the list, but the driver should still wait for the QH to become IDLE
+before disabling it.
+
+In theory this fixes Bugzilla #20182. In fact the race is so rare
+that it's not possible to tell whether the bug is still present.
+However, adding delays and making other changes to force the race
+seems to show that the patch works.
+
+Signed-off-by: Alan Stern
+Reported-by: Stefan Richter
+CC: David Brownell
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/ehci-hcd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/host/ehci-hcd.c
++++ b/drivers/usb/host/ehci-hcd.c
+@@ -954,10 +954,11 @@ rescan:
+ tmp && tmp != qh;
+ tmp = tmp->qh_next.qh)
+ continue;
+- /* periodic qh self-unlinks on empty */
+- if (!tmp)
+- goto nogood;
+- unlink_async (ehci, qh);
++ /* periodic qh self-unlinks on empty, and a COMPLETING qh
++ * may already be unlinked.
++ */
++ if (tmp)
++ unlink_async(ehci, qh);
+ /* FALL THROUGH */
+ case QH_STATE_UNLINK: /* wait for hw to finish? */
+ case QH_STATE_UNLINK_WAIT:
+@@ -972,7 +973,6 @@ idle_timeout:
+ }
+ /* else FALL THROUGH */
+ default:
+-nogood:
+ /* caller was supposed to have unlinked any requests;
+ * that's not our job. just leak this memory.
+ */
diff --git a/queue-2.6.27/usb-misc-iowarrior-fix-information-leak-to-userland.patch b/queue-2.6.27/usb-misc-iowarrior-fix-information-leak-to-userland.patch
new file mode 100644
index 00000000000..56c0f7514ec
--- /dev/null
+++ b/queue-2.6.27/usb-misc-iowarrior-fix-information-leak-to-userland.patch
@@ -0,0 +1,31 @@
+From eca67aaeebd6e5d22b0d991af1dd0424dc703bfb Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov
+Date: Sat, 6 Nov 2010 17:41:31 +0300
+Subject: usb: misc: iowarrior: fix information leak to userland
+
+From: Vasiliy Kulikov
+
+commit eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream.
+
+Structure iowarrior_info is copied to userland with padding byted
+between "serial" and "revision" fields uninitialized. It leads to
+leaking of contents of kernel stack memory.
+
+Signed-off-by: Vasiliy Kulikov
+Acked-by: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/iowarrior.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -551,6 +551,7 @@ static long iowarrior_ioctl(struct file
+ /* needed for power consumption */
+ struct usb_config_descriptor *cfg_descriptor = &dev->udev->actconfig->desc;
+
++ memset(&info, 0, sizeof(info));
+ /* directly from the descriptor */
+ info.vendor = le16_to_cpu(dev->udev->descriptor.idVendor);
+ info.product = dev->product_id;
diff --git a/queue-2.6.27/usb-misc-sisusbvga-fix-information-leak-to-userland.patch b/queue-2.6.27/usb-misc-sisusbvga-fix-information-leak-to-userland.patch
new file mode 100644
index 00000000000..205cd44d1c6
--- /dev/null
+++ b/queue-2.6.27/usb-misc-sisusbvga-fix-information-leak-to-userland.patch
@@ -0,0 +1,29 @@
+From 5dc92cf1d0b4b0debbd2e333b83f9746c103533d Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov
+Date: Sat, 6 Nov 2010 17:41:35 +0300
+Subject: usb: misc: sisusbvga: fix information leak to userland
+
+From: Vasiliy Kulikov
+
+commit 5dc92cf1d0b4b0debbd2e333b83f9746c103533d upstream.
+
+Structure sisusb_info is copied to userland with "sisusb_reserved" field
+uninitialized. It leads to leaking of contents of kernel stack memory.
+
+Signed-off-by: Vasiliy Kulikov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/sisusbvga/sisusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/sisusbvga/sisusb.c
++++ b/drivers/usb/misc/sisusbvga/sisusb.c
+@@ -3031,6 +3031,7 @@ sisusb_ioctl(struct file *file, unsigned
+ #else
+ x.sisusb_conactive = 0;
+ #endif
++ memset(x.sisusb_reserved, 0, sizeof(x.sisusb_reserved));
+
+ if (copy_to_user((void __user *)arg, &x, sizeof(x)))
+ retval = -EFAULT;
diff --git a/queue-2.6.27/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch b/queue-2.6.27/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch
new file mode 100644
index 00000000000..10c221e5593
--- /dev/null
+++ b/queue-2.6.27/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch
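Review bot: The added `memset(x.sisusb_reserved, 0, sizeof(x.sisusb_reserved));` in sisusb_ioctl (the sisusbvga patch) clears only the one named field, so any padding inside `x`, or a member that a later change forgets to assign, would still reach `copy_to_user((void __user *)arg, &x, sizeof(x))` uninitialized. The struct layout and the earlier assignments are outside the hunk, so this is a hardening point rather than a confirmed remaining leak. Zeroing the whole object once before it is filled, `memset(&x, 0, sizeof(x));`, would make the copy safe regardless of layout.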
@@ -0,0 +1,31 @@
+From d9624e75f6ad94d8a0718c1fafa89186d271a78c Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 15 Nov 2010 11:17:52 -0800
+Subject: USB: storage: sierra_ms: fix sysfs file attribute
+
+From: Greg Kroah-Hartman
+
+commit d9624e75f6ad94d8a0718c1fafa89186d271a78c upstream.
+
+A non-writable sysfs file shouldn't have writable attributes.
+
+Reported-by: Linus Torvalds
+Cc: Kevin Lloyd
+Cc: Matthew Dharm
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/storage/sierra_ms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/sierra_ms.c
++++ b/drivers/usb/storage/sierra_ms.c
+@@ -120,7 +120,7 @@ static ssize_t show_truinst(struct devic
+ }
+ return result;
+ }
+-static DEVICE_ATTR(truinst, S_IWUGO | S_IRUGO, show_truinst, NULL);
++static DEVICE_ATTR(truinst, S_IRUGO, show_truinst, NULL);
+
+ int sierra_ms_init(struct us_data *us)
+ {