From c56aab283ea3314ee7892ccc5481bafe1ffb0567 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 6 Dec 2010 13:19:08 -0800
Subject: [PATCH] .32 patches
---
 queue-2.6.32/series | 8 +++
 ...ore-fix-information-leak-to-userland.patch | 37 +++++++++++
 ...bscure-race-in-ehci_endpoint_disable.patch | 61 +++++++++++++++++++
 ...ce-ids-for-milkymist-one-jtag-serial.patch | 46 ++++++++++++++
 ...91-fix-typo-in-atmel_usba_udc-driver.patch | 30 +++++++++
 ...ior-fix-information-leak-to-userland.patch | 31 ++++++++++
 ...vga-fix-information-leak-to-userland.patch | 29 +++++++++
 ...-incorrectly-for-some-huawei-devices.patch | 36 +++++++++++
 ...e-sierra_ms-fix-sysfs-file-attribute.patch | 31 ++++++++++
 9 files changed, 309 insertions(+)
 create mode 100644 queue-2.6.32/usb-core-fix-information-leak-to-userland.patch
 create mode 100644 queue-2.6.32/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch
 create mode 100644 queue-2.6.32/usb-ftdi_sio-add-device-ids-for-milkymist-one-jtag-serial.patch
 create mode 100644 queue-2.6.32/usb-gadget-at91-fix-typo-in-atmel_usba_udc-driver.patch
 create mode 100644 queue-2.6.32/usb-misc-iowarrior-fix-information-leak-to-userland.patch
 create mode 100644 queue-2.6.32/usb-misc-sisusbvga-fix-information-leak-to-userland.patch
 create mode 100644 queue-2.6.32/usb-option-fix-when-the-driver-is-loaded-incorrectly-for-some-huawei-devices.patch
 create mode 100644 queue-2.6.32/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch
diff --git a/queue-2.6.32/series b/queue-2.6.32/series
index 465180539c6..9aae6846d64 100644
--- a/queue-2.6.32/series
+++ b/queue-2.6.32/series
@@ -62,3 +62,11 @@ libata-fix-null-sdev-dereference-race-in-atapi_qc_complete.patch
 pci-fix-size-checks-for-mmap-on-proc-bus-pci-files.patch
 pci-fix-offset-check-for-sysfs-mmapped-files.patch
 efifb-check-that-the-base-address-is-plausible-on-pci-systems.patch
+usb-gadget-at91-fix-typo-in-atmel_usba_udc-driver.patch
+usb-ftdi_sio-add-device-ids-for-milkymist-one-jtag-serial.patch
+usb-option-fix-when-the-driver-is-loaded-incorrectly-for-some-huawei-devices.patch
+usb-misc-sisusbvga-fix-information-leak-to-userland.patch
+usb-misc-iowarrior-fix-information-leak-to-userland.patch
+usb-core-fix-information-leak-to-userland.patch
+usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch
+usb-storage-sierra_ms-fix-sysfs-file-attribute.patch
diff --git a/queue-2.6.32/usb-core-fix-information-leak-to-userland.patch b/queue-2.6.32/usb-core-fix-information-leak-to-userland.patch
new file mode 100644
index 00000000000..71f99f20a4e
--- /dev/null
+++ b/queue-2.6.32/usb-core-fix-information-leak-to-userland.patch
@@ -0,0 +1,37 @@
+From 886ccd4520064408ce5876cfe00554ce52ecf4a7 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov
+Date: Sat, 6 Nov 2010 17:41:28 +0300
+Subject: usb: core: fix information leak to userland
+
+From: Vasiliy Kulikov
+
+commit 886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream.
+
+Structure usbdevfs_connectinfo is copied to userland with padding byted
+after "slow" field uninitialized. It leads to leaking of contents of
+kernel stack memory.
+
+Signed-off-by: Vasiliy Kulikov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/devio.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -946,10 +946,11 @@ static int proc_getdriver(struct dev_sta
+
+ static int proc_connectinfo(struct dev_state *ps, void __user *arg)
+ {
+- struct usbdevfs_connectinfo ci;
++ struct usbdevfs_connectinfo ci = {
++ .devnum = ps->dev->devnum,
++ .slow = ps->dev->speed == USB_SPEED_LOW
++ };
+
+- ci.devnum = ps->dev->devnum;
+- ci.slow = ps->dev->speed == USB_SPEED_LOW;
+ if (copy_to_user(arg, &ci, sizeof(ci)))
+ return -EFAULT;
+ return 0;
diff --git a/queue-2.6.32/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch b/queue-2.6.32/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch
new file mode 100644
index 00000000000..94b9d44cd32
--- /dev/null
+++ b/queue-2.6.32/usb-ehci-fix-obscure-race-in-ehci_endpoint_disable.patch
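Review bot: The designated initializer that replaces the two assignments in proc_connectinfo() does not by itself guarantee that the padding after `slow` is cleared, and that padding is the leak the commit message describes; C requires unnamed members to be zeroed but leaves the padding bytes of an automatic object to the compiler. Zeroing the object first removes the dependence on code generation: keep `struct usbdevfs_connectinfo ci;`, add `memset(&ci, 0, sizeof(ci));`, then assign `devnum` and `slow` as before, which is what the iowarrior patch in this series does for `info`. The sisusbvga patch shares the weakness in another form: `memset(x.sisusb_reserved, 0, sizeof(x.sisusb_reserved));` clears one field only, so any padding elsewhere in the struct (its layout is not visible here) would still reach `copy_to_user`, and `memset(&x, 0, sizeof(x));` before the fields are filled would cover it. The end of proc_connectinfo() and most of sisusb_ioctl() lie outside the quoted hunks.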
@@ -0,0 +1,61 @@
+From 02e2c51ba3e80acde600721ea784c3ef84da5ea1 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Tue, 16 Nov 2010 10:57:37 -0500
+Subject: USB: EHCI: fix obscure race in ehci_endpoint_disable
+
+From: Alan Stern
+
+commit 02e2c51ba3e80acde600721ea784c3ef84da5ea1 upstream.
+
+This patch (as1435) fixes an obscure and unlikely race in ehci-hcd.
+When an async URB is unlinked, the corresponding QH is removed from
+the async list. If the QH's endpoint is then disabled while the URB
+is being given back, ehci_endpoint_disable() won't find the QH on the
+async list, causing it to believe that the QH has been lost. This
+will lead to a memory leak at best and quite possibly to an oops.
+
+The solution is to trust usbcore not to lose track of endpoints. If
+the QH isn't on the async list then it doesn't need to be taken off
+the list, but the driver should still wait for the QH to become IDLE
+before disabling it.
+
+In theory this fixes Bugzilla #20182. In fact the race is so rare
+that it's not possible to tell whether the bug is still present.
+However, adding delays and making other changes to force the race
+seems to show that the patch works.
+
+Signed-off-by: Alan Stern
+Reported-by: Stefan Richter
+CC: David Brownell
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/ehci-hcd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/host/ehci-hcd.c
++++ b/drivers/usb/host/ehci-hcd.c
+@@ -1008,10 +1008,11 @@ rescan:
+ tmp && tmp != qh;
+ tmp = tmp->qh_next.qh)
+ continue;
+- /* periodic qh self-unlinks on empty */
+- if (!tmp)
+- goto nogood;
+- unlink_async (ehci, qh);
++ /* periodic qh self-unlinks on empty, and a COMPLETING qh
++ * may already be unlinked.
++ */
++ if (tmp)
++ unlink_async(ehci, qh);
+ /* FALL THROUGH */
+ case QH_STATE_UNLINK: /* wait for hw to finish? */
+ case QH_STATE_UNLINK_WAIT:
+@@ -1028,7 +1029,6 @@ idle_timeout:
+ }
+ /* else FALL THROUGH */
+ default:
+-nogood:
+ /* caller was supposed to have unlinked any requests;
+ * that's not our job. just leak this memory.
+ */
diff --git a/queue-2.6.32/usb-ftdi_sio-add-device-ids-for-milkymist-one-jtag-serial.patch b/queue-2.6.32/usb-ftdi_sio-add-device-ids-for-milkymist-one-jtag-serial.patch
new file mode 100644
index 00000000000..52297f2303a
--- /dev/null
+++ b/queue-2.6.32/usb-ftdi_sio-add-device-ids-for-milkymist-one-jtag-serial.patch
@@ -0,0 +1,46 @@
+From 7fea0f714ffb3f303d4b66933af2df2f5584c9bf Mon Sep 17 00:00:00 2001
+From: Sebastien Bourdeauducq
+Date: Wed, 3 Nov 2010 11:54:12 +0100
+Subject: USB: ftdi_sio: add device IDs for Milkymist One JTAG/serial
+
+From: Sebastien Bourdeauducq
+
+commit 7fea0f714ffb3f303d4b66933af2df2f5584c9bf upstream.
+
+Add the USB IDs for the Milkymist One FTDI-based JTAG/serial adapter
+(http://projects.qi-hardware.com/index.php/p/mmone-jtag-serial-cable/)
+to the ftdi_sio driver and disable the first serial channel (used as
+JTAG from userspace).
+
+Signed-off-by: Sebastien Bourdeauducq
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ftdi_sio.c | 2 ++
+ drivers/usb/serial/ftdi_sio_ids.h | 7 +++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -800,6 +800,8 @@ static struct usb_device_id id_table_com
+ { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LOGBOOKML_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LS_LOGBOOK_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_HS_LOGBOOK_PID) },
++ { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID),
++ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { }, /* Optional parameter entry */
+ { } /* Terminating entry */
+ };
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -1107,3 +1107,10 @@
+ #define FTDI_SCIENCESCOPE_LOGBOOKML_PID 0xFF18
+ #define FTDI_SCIENCESCOPE_LS_LOGBOOK_PID 0xFF1C
+ #define FTDI_SCIENCESCOPE_HS_LOGBOOK_PID 0xFF1D
++
++/*
++ * Milkymist One JTAG/Serial
++ */
++#define QIHARDWARE_VID 0x20B7
++#define MILKYMISTONE_JTAGSERIAL_PID 0x0713
++
diff --git a/queue-2.6.32/usb-gadget-at91-fix-typo-in-atmel_usba_udc-driver.patch b/queue-2.6.32/usb-gadget-at91-fix-typo-in-atmel_usba_udc-driver.patch
new file mode 100644
index 00000000000..6a9b832405f
--- /dev/null
+++ b/queue-2.6.32/usb-gadget-at91-fix-typo-in-atmel_usba_udc-driver.patch
@@ -0,0 +1,30 @@
+From b48809518631880207796b4aab0fc39c2f036754 Mon Sep 17 00:00:00 2001
+From: Josh Wu
+Date: Tue, 16 Nov 2010 11:51:32 +0100
+Subject: USB: gadget: AT91: fix typo in atmel_usba_udc driver
+
+From: Josh Wu
+
+commit b48809518631880207796b4aab0fc39c2f036754 upstream.
+
+compile fix for bug introduced by 969affff547027)
+
+Signed-off-by: Josh Wu
+Cc: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/atmel_usba_udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/atmel_usba_udc.c
++++ b/drivers/usb/gadget/atmel_usba_udc.c
+@@ -2015,7 +2015,7 @@ static int __init usba_udc_probe(struct
+ }
+ } else {
+ /* gpio_request fail so use -EINVAL for gpio_is_valid */
+- ubc->vbus_pin = -EINVAL;
++ udc->vbus_pin = -EINVAL;
+ }
+ }
+
diff --git a/queue-2.6.32/usb-misc-iowarrior-fix-information-leak-to-userland.patch b/queue-2.6.32/usb-misc-iowarrior-fix-information-leak-to-userland.patch
new file mode 100644
index 00000000000..2991f99554c
--- /dev/null
+++ b/queue-2.6.32/usb-misc-iowarrior-fix-information-leak-to-userland.patch
@@ -0,0 +1,31 @@
+From eca67aaeebd6e5d22b0d991af1dd0424dc703bfb Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov
+Date: Sat, 6 Nov 2010 17:41:31 +0300
+Subject: usb: misc: iowarrior: fix information leak to userland
+
+From: Vasiliy Kulikov
+
+commit eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream.
+
+Structure iowarrior_info is copied to userland with padding byted
+between "serial" and "revision" fields uninitialized. It leads to
+leaking of contents of kernel stack memory.
+
+Signed-off-by: Vasiliy Kulikov
+Acked-by: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/iowarrior.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -552,6 +552,7 @@ static long iowarrior_ioctl(struct file
+ /* needed for power consumption */
+ struct usb_config_descriptor *cfg_descriptor = &dev->udev->actconfig->desc;
+
++ memset(&info, 0, sizeof(info));
+ /* directly from the descriptor */
+ info.vendor = le16_to_cpu(dev->udev->descriptor.idVendor);
+ info.product = dev->product_id;
diff --git a/queue-2.6.32/usb-misc-sisusbvga-fix-information-leak-to-userland.patch b/queue-2.6.32/usb-misc-sisusbvga-fix-information-leak-to-userland.patch
new file mode 100644
index 00000000000..874921184bc
--- /dev/null
+++ b/queue-2.6.32/usb-misc-sisusbvga-fix-information-leak-to-userland.patch
@@ -0,0 +1,29 @@
+From 5dc92cf1d0b4b0debbd2e333b83f9746c103533d Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov
+Date: Sat, 6 Nov 2010 17:41:35 +0300
+Subject: usb: misc: sisusbvga: fix information leak to userland
+
+From: Vasiliy Kulikov
+
+commit 5dc92cf1d0b4b0debbd2e333b83f9746c103533d upstream.
+
+Structure sisusb_info is copied to userland with "sisusb_reserved" field
+uninitialized. It leads to leaking of contents of kernel stack memory.
+
+Signed-off-by: Vasiliy Kulikov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/sisusbvga/sisusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/sisusbvga/sisusb.c
++++ b/drivers/usb/misc/sisusbvga/sisusb.c
+@@ -3008,6 +3008,7 @@ sisusb_ioctl(struct file *file, unsigned
+ #else
+ x.sisusb_conactive = 0;
+ #endif
++ memset(x.sisusb_reserved, 0, sizeof(x.sisusb_reserved));
+
+ if (copy_to_user((void __user *)arg, &x, sizeof(x)))
+ retval = -EFAULT;
diff --git a/queue-2.6.32/usb-option-fix-when-the-driver-is-loaded-incorrectly-for-some-huawei-devices.patch b/queue-2.6.32/usb-option-fix-when-the-driver-is-loaded-incorrectly-for-some-huawei-devices.patch
new file mode 100644
index 00000000000..72ebdd215ff
--- /dev/null
+++ b/queue-2.6.32/usb-option-fix-when-the-driver-is-loaded-incorrectly-for-some-huawei-devices.patch
@@ -0,0 +1,36 @@
+From 58c0d9d70109bd7e82bdb9517007311a48499960 Mon Sep 17 00:00:00 2001
+From: ma rui
+Date: Mon, 1 Nov 2010 11:32:18 +0800
+Subject: USB: option: fix when the driver is loaded incorrectly for some Huawei devices.
+
+From: ma rui
+
+commit 58c0d9d70109bd7e82bdb9517007311a48499960 upstream.
+
+When huawei datacard with PID 0x14AC is insterted into Linux system, the
+present kernel will load the "option" driver to all the interfaces. But
+actually, some interfaces run as other function and do not need "option"
+driver.
+
+In this path, we modify the id_tables, when the PID is 0x14ac ,VID is
+0x12d1, Only when the interface's Class is 0xff,Subclass is 0xff, Pro is
+0xff, it does need "option" driver.
+
+Signed-off-by: ma rui
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/option.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -479,7 +479,7 @@ static struct usb_device_id option_ids[]
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4505, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K3765, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_ETS1220, 0xff, 0xff, 0xff) },
+- { USB_DEVICE(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E14AC) },
++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E14AC, 0xff, 0xff, 0xff) },
+ { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_9508) },
+ { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V640) }, /* Novatel Merlin V640/XV620 */
+ { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V620) }, /* Novatel Merlin V620/S620 */
diff --git a/queue-2.6.32/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch b/queue-2.6.32/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch
new file mode 100644
index 00000000000..10c221e5593
--- /dev/null
+++ b/queue-2.6.32/usb-storage-sierra_ms-fix-sysfs-file-attribute.patch
@@ -0,0 +1,31 @@
+From d9624e75f6ad94d8a0718c1fafa89186d271a78c Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 15 Nov 2010 11:17:52 -0800
+Subject: USB: storage: sierra_ms: fix sysfs file attribute
+
+From: Greg Kroah-Hartman
+
+commit d9624e75f6ad94d8a0718c1fafa89186d271a78c upstream.
+
+A non-writable sysfs file shouldn't have writable attributes.
+
+Reported-by: Linus Torvalds
+Cc: Kevin Lloyd
+Cc: Matthew Dharm
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/storage/sierra_ms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/sierra_ms.c
++++ b/drivers/usb/storage/sierra_ms.c
+@@ -120,7 +120,7 @@ static ssize_t show_truinst(struct devic
+ }
+ return result;
+ }
+-static DEVICE_ATTR(truinst, S_IWUGO | S_IRUGO, show_truinst, NULL);
++static DEVICE_ATTR(truinst, S_IRUGO, show_truinst, NULL);
+
+ int sierra_ms_init(struct us_data *us)
+ {
--
2.47.3