6 files changed, 18 insertions, 11 deletions

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index b4265aa7d45e..487ff672b104 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -30,6 +30,8 @@
  *  Revision history
  *    22.12.1999   0.1   Initial release (split from proc_usb.c)
  *    04.01.2000   0.2   Turned into its own filesystem
+ *    30.09.2005   0.3   Fix user-triggerable oops in async URB delivery
+ *                       (CAN-2005-3055)
  */
 
 /*****************************************************************************/
@@ -58,7 +60,8 @@ static struct class *usb_device_class;
 struct async {
         struct list_head asynclist;
         struct dev_state *ps;
-        struct task_struct *task;
+        pid_t pid;
+        uid_t uid, euid;
         unsigned int signr;
         unsigned int ifnum;
         void __user *userbuffer;
@@ -290,7 +293,8 @@ static void async_completed(struct urb *urb, struct pt_regs *regs)
                 sinfo.si_errno = as->urb->status;
                 sinfo.si_code = SI_ASYNCIO;
                 sinfo.si_addr = as->userurb;
-                send_sig_info(as->signr, &sinfo, as->task);
+                kill_proc_info_as_uid(as->signr, &sinfo, as->pid, as->uid, 
+                                      as->euid);
         }
         wake_up(&ps->wait);
 }
@@ -526,7 +530,9 @@ static int usbdev_open(struct inode *inode, struct file *file)
         INIT_LIST_HEAD(&ps->async_completed);
         init_waitqueue_head(&ps->wait);
         ps->discsignr = 0;
-        ps->disctask = current;
+        ps->disc_pid = current->pid;
+        ps->disc_uid = current->uid;
+        ps->disc_euid = current->euid;
         ps->disccontext = NULL;
         ps->ifclaimed = 0;
         wmb();
@@ -988,7 +994,9 @@ static int proc_do_submiturb(struct dev_state *ps, struct usbdevfs_urb *uurb,
                 as->userbuffer = NULL;
         as->signr = uurb->signr;
         as->ifnum = ifnum;
-        as->task = current;
+        as->pid = current->pid;
+        as->uid = current->uid;
+        as->euid = current->euid;
         if (!(uurb->endpoint & USB_DIR_IN)) {
                 if (copy_from_user(as->urb->transfer_buffer, uurb->buffer, as->urb->transfer_buffer_length)) {
                         free_async(as);
diff --git a/drivers/usb/core/inode.c b/drivers/usb/core/inode.c
index 640f41e47029..d07bba01995b 100644
--- a/drivers/usb/core/inode.c
+++ b/drivers/usb/core/inode.c
@@ -713,7 +713,7 @@ void usbfs_remove_device(struct usb_device *dev)
                         sinfo.si_errno = EPIPE;
                         sinfo.si_code = SI_ASYNCIO;
                         sinfo.si_addr = ds->disccontext;
-                        send_sig_info(ds->discsignr, &sinfo, ds->disctask);
+                        kill_proc_info_as_uid(ds->discsignr, &sinfo, ds->disc_pid, ds->disc_uid, ds->disc_euid);
                 }
         }
         usbfs_update_special();
diff --git a/drivers/usb/core/usb.h b/drivers/usb/core/usb.h
index 83d48c8133af..e6504f3370ad 100644
--- a/drivers/usb/core/usb.h
+++ b/drivers/usb/core/usb.h
@@ -52,7 +52,8 @@ struct dev_state {
         struct list_head async_completed;
         wait_queue_head_t wait;     /* wake up if a request completed */
         unsigned int discsignr;
-        struct task_struct *disctask;
+        pid_t disc_pid;
+        uid_t disc_uid, disc_euid;
         void __user *disccontext;
         unsigned long ifclaimed;
 };
diff --git a/drivers/usb/host/isp116x-hcd.c b/drivers/usb/host/isp116x-hcd.c
index 41bbae83fc71..e142056b0d2c 100644
--- a/drivers/usb/host/isp116x-hcd.c
+++ b/drivers/usb/host/isp116x-hcd.c
@@ -326,7 +326,8 @@ static void postproc_atl_queue(struct isp116x *isp116x)
                                         usb_settoggle(udev, ep->epnum,
                                                       ep->nextpid ==
                                                       USB_PID_OUT,
-                                                      PTD_GET_TOGGLE(ptd) ^ 1);
+                                                      PTD_GET_TOGGLE(ptd));
+                                urb->actual_length += PTD_GET_COUNT(ptd);
                                 urb->status = cc_to_error[TD_DATAUNDERRUN];
                                 spin_unlock(&urb->lock);
                                 continue;
diff --git a/drivers/usb/input/hid-core.c b/drivers/usb/input/hid-core.c
index a99865c689c5..41f92b924761 100644
--- a/drivers/usb/input/hid-core.c
+++ b/drivers/usb/input/hid-core.c
@@ -1702,10 +1702,7 @@ static struct hid_device *usb_hid_configure(struct usb_interface *intf)
                 if ((endpoint->bmAttributes & 3) != 3)          /* Not an interrupt endpoint */
                         continue;
 
-                /* handle potential highspeed HID correctly */
                 interval = endpoint->bInterval;
-                if (dev->speed == USB_SPEED_HIGH)
-                        interval = 1 << (interval - 1);
 
                 /* Change the polling interval of mice. */
                 if (hid->collection->usage == HID_GD_MOUSE && hid_mousepoll_interval > 0)
diff --git a/drivers/usb/serial/generic.c b/drivers/usb/serial/generic.c
index ddde5fb13f6b..5f7d3193d355 100644
--- a/drivers/usb/serial/generic.c
+++ b/drivers/usb/serial/generic.c
@@ -223,7 +223,7 @@ int usb_serial_generic_write_room (struct usb_serial_port *port)
         dbg("%s - port %d", __FUNCTION__, port->number);
 
         if (serial->num_bulk_out) {
-                if (port->write_urb_busy)
+                if (!(port->write_urb_busy))
                         room = port->bulk_out_size;
         }