From: Greg Kroah-Hartman Date: Mon, 6 Dec 2010 21:19:34 +0000 (-0800) Subject: .33 patches X-Git-Tag: v2.6.27.57~34 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=69093fbb4a7910649cbd05fd7de8144f8e3e8a6c;p=thirdparty%2Fkernel%2Fstable-queue.git .33 patches --- diff --git a/queue-2.6.33/series b/queue-2.6.33/series index f4211ef6b72..5d5fe556176 100644 --- a/queue-2.6.33/series +++ b/queue-2.6.33/series @@ -148,3 +148,10 @@ libata-fix-null-sdev-dereference-race-in-atapi_qc_complete.patch pci-fix-size-checks-for-mmap-on-proc-bus-pci-files.patch pci-fix-offset-check-for-sysfs-mmapped-files.patch efifb-check-that-the-base-address-is-plausible-on-pci-systems.patch +usb-option-fix-when-the-driver-is-loaded-incorrectly-for-some-huawei-devices.patch +usb-misc-sisusbvga-fix-information-leak-to-userland.patch +usb-misc-iowarrior-fix-information-leak-to-userland.patch +usb-core-fix-information-leak-to-userland.patch +staging-rt2870-add-usb-id-for-buffalo-airstation-wli-uc-gn.patch +usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch +usb-storage-sierra_ms-fix-sysfs-file-attribute.patch diff --git a/queue-2.6.33/staging-rt2870-add-usb-id-for-buffalo-airstation-wli-uc-gn.patch b/queue-2.6.33/staging-rt2870-add-usb-id-for-buffalo-airstation-wli-uc-gn.patch new file mode 100644 index 00000000000..241ae4a5721 --- /dev/null +++ b/queue-2.6.33/staging-rt2870-add-usb-id-for-buffalo-airstation-wli-uc-gn.patch @@ -0,0 +1,31 @@ +From 251d380034c6c34efe75ffb89d863558ba68ec6a Mon Sep 17 00:00:00 2001 +From: John Tapsell +Date: Thu, 25 Mar 2010 13:30:45 +0000 +Subject: Staging: rt2870: Add USB ID for Buffalo Airstation WLI-UC-GN + +From: John Tapsell + +commit 251d380034c6c34efe75ffb89d863558ba68ec6a upstream. + +BugLink: http://bugs.launchpad.net/bugs/441990 + +This was tested to successfully enable the hardware. + +Signed-off-by: John Tapsell +Signed-off-by: Stefan Bader +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rt2860/usb_main_dev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/rt2860/usb_main_dev.c ++++ b/drivers/staging/rt2860/usb_main_dev.c +@@ -141,6 +141,7 @@ struct usb_device_id rtusb_usb_id[] = { + {USB_DEVICE(0x2001, 0x3C09)}, /* D-Link */ + {USB_DEVICE(0x2001, 0x3C0A)}, /* D-Link 3072 */ + {USB_DEVICE(0x2019, 0xED14)}, /* Planex Communications, Inc. */ ++ {USB_DEVICE(0x0411, 0x015D)}, /* Buffalo Airstation WLI-UC-GN */ + {} /* Terminating entry */ + }; + diff --git a/queue-2.6.33/usb-core-fix-information-leak-to-userland.patch b/queue-2.6.33/usb-core-fix-information-leak-to-userland.patch new file mode 100644 index 00000000000..71f99f20a4e --- /dev/null +++ b/queue-2.6.33/usb-core-fix-information-leak-to-userland.patch @@ -0,0 +1,37 @@ +From 886ccd4520064408ce5876cfe00554ce52ecf4a7 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Sat, 6 Nov 2010 17:41:28 +0300 +Subject: usb: core: fix information leak to userland + +From: Vasiliy Kulikov + +commit 886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream. + +Structure usbdevfs_connectinfo is copied to userland with padding byted +after "slow" field uninitialized. It leads to leaking of contents of +kernel stack memory. + +Signed-off-by: Vasiliy Kulikov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/devio.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -946,10 +946,11 @@ static int proc_getdriver(struct dev_sta + + static int proc_connectinfo(struct dev_state *ps, void __user *arg) + { +- struct usbdevfs_connectinfo ci; ++ struct usbdevfs_connectinfo ci = { ++ .devnum = ps->dev->devnum, ++ .slow = ps->dev->speed == USB_SPEED_LOW ++ }; + +- ci.devnum = ps->dev->devnum; +- ci.slow = ps->dev->speed == USB_SPEED_LOW; + if (copy_to_user(arg, &ci, sizeof(ci))) + return -EFAULT; + return 0; diff --git a/queue-2.6.33/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch b/queue-2.6.33/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch new file mode 100644 index 00000000000..88cef48876a --- /dev/null +++ b/queue-2.6.33/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch @@ -0,0 +1,61 @@ +From 02e2c51ba3e80acde600721ea784c3ef84da5ea1 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Tue, 16 Nov 2010 10:57:37 -0500 +Subject: USB: EHCI: fix obscure race in ehci_endpoint_disable + +From: Alan Stern + +commit 02e2c51ba3e80acde600721ea784c3ef84da5ea1 upstream. + +This patch (as1435) fixes an obscure and unlikely race in ehci-hcd. +When an async URB is unlinked, the corresponding QH is removed from +the async list. If the QH's endpoint is then disabled while the URB +is being given back, ehci_endpoint_disable() won't find the QH on the +async list, causing it to believe that the QH has been lost. This +will lead to a memory leak at best and quite possibly to an oops. + +The solution is to trust usbcore not to lose track of endpoints. If +the QH isn't on the async list then it doesn't need to be taken off +the list, but the driver should still wait for the QH to become IDLE +before disabling it. + +In theory this fixes Bugzilla #20182. In fact the race is so rare +that it's not possible to tell whether the bug is still present. +However, adding delays and making other changes to force the race +seems to show that the patch works. + +Signed-off-by: Alan Stern +Reported-by: Stefan Richter +CC: David Brownell +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-hcd.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/usb/host/ehci-hcd.c ++++ b/drivers/usb/host/ehci-hcd.c +@@ -1010,10 +1010,11 @@ rescan: + tmp && tmp != qh; + tmp = tmp->qh_next.qh) + continue; +- /* periodic qh self-unlinks on empty */ +- if (!tmp) +- goto nogood; +- unlink_async (ehci, qh); ++ /* periodic qh self-unlinks on empty, and a COMPLETING qh ++ * may already be unlinked. ++ */ ++ if (tmp) ++ unlink_async(ehci, qh); + /* FALL THROUGH */ + case QH_STATE_UNLINK: /* wait for hw to finish? */ + case QH_STATE_UNLINK_WAIT: +@@ -1030,7 +1031,6 @@ idle_timeout: + } + /* else FALL THROUGH */ + default: +-nogood: + /* caller was supposed to have unlinked any requests; + * that's not our job. just leak this memory. + */ diff --git a/queue-2.6.33/usb-misc-iowarrior-fix-information-leak-to-userland.patch b/queue-2.6.33/usb-misc-iowarrior-fix-information-leak-to-userland.patch new file mode 100644 index 00000000000..2991f99554c --- /dev/null +++ b/queue-2.6.33/usb-misc-iowarrior-fix-information-leak-to-userland.patch @@ -0,0 +1,31 @@ +From eca67aaeebd6e5d22b0d991af1dd0424dc703bfb Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Sat, 6 Nov 2010 17:41:31 +0300 +Subject: usb: misc: iowarrior: fix information leak to userland + +From: Vasiliy Kulikov + +commit eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream. + +Structure iowarrior_info is copied to userland with padding byted +between "serial" and "revision" fields uninitialized. It leads to +leaking of contents of kernel stack memory. + +Signed-off-by: Vasiliy Kulikov +Acked-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/iowarrior.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -552,6 +552,7 @@ static long iowarrior_ioctl(struct file + /* needed for power consumption */ + struct usb_config_descriptor *cfg_descriptor = &dev->udev->actconfig->desc; + ++ memset(&info, 0, sizeof(info)); + /* directly from the descriptor */ + info.vendor = le16_to_cpu(dev->udev->descriptor.idVendor); + info.product = dev->product_id; diff --git a/queue-2.6.33/usb-misc-sisusbvga-fix-information-leak-to-userland.patch b/queue-2.6.33/usb-misc-sisusbvga-fix-information-leak-to-userland.patch new file mode 100644 index 00000000000..874921184bc --- /dev/null +++ b/queue-2.6.33/usb-misc-sisusbvga-fix-information-leak-to-userland.patch @@ -0,0 +1,29 @@ +From 5dc92cf1d0b4b0debbd2e333b83f9746c103533d Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Sat, 6 Nov 2010 17:41:35 +0300 +Subject: usb: misc: sisusbvga: fix information leak to userland + +From: Vasiliy Kulikov + +commit 5dc92cf1d0b4b0debbd2e333b83f9746c103533d upstream. + +Structure sisusb_info is copied to userland with "sisusb_reserved" field +uninitialized. It leads to leaking of contents of kernel stack memory. + +Signed-off-by: Vasiliy Kulikov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/sisusbvga/sisusb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/misc/sisusbvga/sisusb.c ++++ b/drivers/usb/misc/sisusbvga/sisusb.c +@@ -3008,6 +3008,7 @@ sisusb_ioctl(struct file *file, unsigned + #else + x.sisusb_conactive = 0; + #endif ++ memset(x.sisusb_reserved, 0, sizeof(x.sisusb_reserved)); + + if (copy_to_user((void __user *)arg, &x, sizeof(x))) + retval = -EFAULT; diff --git a/queue-2.6.33/usb-option-fix-when-the-driver-is-loaded-incorrectly-for-some-huawei-devices.patch b/queue-2.6.33/usb-option-fix-when-the-driver-is-loaded-incorrectly-for-some-huawei-devices.patch new file mode 100644 index 00000000000..7c9fdda6abd --- /dev/null +++ b/queue-2.6.33/usb-option-fix-when-the-driver-is-loaded-incorrectly-for-some-huawei-devices.patch @@ -0,0 +1,36 @@ +From 58c0d9d70109bd7e82bdb9517007311a48499960 Mon Sep 17 00:00:00 2001 +From: ma rui +Date: Mon, 1 Nov 2010 11:32:18 +0800 +Subject: USB: option: fix when the driver is loaded incorrectly for some Huawei devices. + +From: ma rui + +commit 58c0d9d70109bd7e82bdb9517007311a48499960 upstream. + +When huawei datacard with PID 0x14AC is insterted into Linux system, the +present kernel will load the "option" driver to all the interfaces. But +actually, some interfaces run as other function and do not need "option" +driver. + +In this path, we modify the id_tables, when the PID is 0x14ac ,VID is +0x12d1, Only when the interface's Class is 0xff,Subclass is 0xff, Pro is +0xff, it does need "option" driver. + +Signed-off-by: ma rui +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -469,7 +469,7 @@ static struct usb_device_id option_ids[] + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E143D, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E143E, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E143F, 0xff, 0xff, 0xff) }, +- { USB_DEVICE(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E14AC) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E14AC, 0xff, 0xff, 0xff) }, + { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_9508) }, + { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V640) }, /* Novatel Merlin V640/XV620 */ + { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V620) }, /* Novatel Merlin V620/S620 */ diff --git a/queue-2.6.33/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch b/queue-2.6.33/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch new file mode 100644 index 00000000000..10c221e5593 --- /dev/null +++ b/queue-2.6.33/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch @@ -0,0 +1,31 @@ +From d9624e75f6ad94d8a0718c1fafa89186d271a78c Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 15 Nov 2010 11:17:52 -0800 +Subject: USB: storage: sierra_ms: fix sysfs file attribute + +From: Greg Kroah-Hartman + +commit d9624e75f6ad94d8a0718c1fafa89186d271a78c upstream. + +A non-writable sysfs file shouldn't have writable attributes. + +Reported-by: Linus Torvalds +Cc: Kevin Lloyd +Cc: Matthew Dharm +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/sierra_ms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/storage/sierra_ms.c ++++ b/drivers/usb/storage/sierra_ms.c +@@ -120,7 +120,7 @@ static ssize_t show_truinst(struct devic + } + return result; + } +-static DEVICE_ATTR(truinst, S_IWUGO | S_IRUGO, show_truinst, NULL); ++static DEVICE_ATTR(truinst, S_IRUGO, show_truinst, NULL); + + int sierra_ms_init(struct us_data *us) + {