From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Mon, 29 Mar 2010 20:09:29 +0000 (-0700)
Subject: .27 patch
X-Git-Tag: v2.6.27.46~28
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bbc77fb3b1ab52f3efa2c79b78c8902bc853c0ed;p=thirdparty%2Fkernel%2Fstable-queue.git

.27 patch
---

diff --git a/queue-2.6.27/series b/queue-2.6.27/series
index 736dc1dd853..65a1f2ffc10 100644
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
@@ -42,3 +42,4 @@ tmpfs-mpol-bind-0-don-t-cause-mount-error.patch
 tmpfs-handle-mpol_local-mount-option-properly.patch
 doc-add-the-documentation-for-mpol-local.patch
 tmpfs-cleanup-mpol_parse_str.patch
+usb-fix-usbfs-regression.patch
diff --git a/queue-2.6.27/usb-fix-usbfs-regression.patch b/queue-2.6.27/usb-fix-usbfs-regression.patch
new file mode 100644
index 00000000000..770ed7e4196
--- /dev/null
+++ b/queue-2.6.27/usb-fix-usbfs-regression.patch
@@ -0,0 +1,56 @@
+From 7152b592593b9d48b33f8997b1dfd6df9143f7ec Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Sat, 6 Mar 2010 15:04:03 -0500
+Subject: USB: fix usbfs regression
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 7152b592593b9d48b33f8997b1dfd6df9143f7ec upstream.
+
+This patch (as1352) fixes a bug in the way isochronous input data is
+returned to userspace for usbfs transfers.  The entire buffer must be
+copied, not just the first actual_length bytes, because the individual
+packets will be discontiguous if any of them are short.
+
+Reported-by: Markus Rechberger <mrechberger@gmail.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/core/devio.c |   17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1123,6 +1123,13 @@ static int proc_do_submiturb(struct dev_
+ 			free_async(as);
+ 			return -ENOMEM;
+ 		}
++		/* Isochronous input data may end up being discontiguous
++		 * if some of the packets are short.  Clear the buffer so
++		 * that the gaps don't leak kernel data to userspace.
++		 */
++		if (is_in && uurb->type == USBDEVFS_URB_TYPE_ISO)
++			memset(as->urb->transfer_buffer, 0,
++					uurb->buffer_length);
+ 	}
+ 	as->urb->dev = ps->dev;
+ 	as->urb->pipe = (uurb->type << 30) |
+@@ -1224,10 +1231,14 @@ static int processcompl(struct async *as
+ 	void __user *addr = as->userurb;
+ 	unsigned int i;
+ 
+-	if (as->userbuffer && urb->actual_length)
+-		if (copy_to_user(as->userbuffer, urb->transfer_buffer,
+-				 urb->actual_length))
++	if (as->userbuffer && urb->actual_length) {
++		if (urb->number_of_packets > 0)		/* Isochronous */
++			i = urb->transfer_buffer_length;
++		else					/* Non-Isoc */
++			i = urb->actual_length;
++		if (copy_to_user(as->userbuffer, urb->transfer_buffer, i))
+ 			goto err_out;
++	}
+ 	if (put_user(as->status, &userurb->status))
+ 		goto err_out;
+ 	if (put_user(urb->actual_length, &userurb->actual_length))