hid-usbhid-fix-inconsistent-reset-resume-reset-resume-behavior.patch
revert-bad-backport-of-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_new.patch
0001-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_.patch
-usbvision-fix-overflow-of-interfaces-array.patch
usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch
usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch
revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
-@@ -1546,9 +1546,23 @@ static int usbvision_probe(struct usb_in
+@@ -1539,9 +1539,23 @@ static int usbvision_probe(struct usb_in
if (usbvision_device_data[model].interface >= 0)
interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
}
printk(KERN_INFO "%s: %s found\n", __func__,
usbvision_device_data[model].model_string);
-@@ -1553,18 +1554,21 @@ static int usbvision_probe(struct usb_in
+@@ -1546,18 +1547,21 @@ static int usbvision_probe(struct usb_in
__func__, ifnum);
dev_err(&intf->dev, "%s: Endpoint attributes %d",
__func__, endpoint->bmAttributes);
}
if (dev->descriptor.bNumConfigurations > 1)
-@@ -1583,8 +1587,8 @@ static int usbvision_probe(struct usb_in
+@@ -1576,8 +1580,8 @@ static int usbvision_probe(struct usb_in
usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt, GFP_KERNEL);
if (usbvision->alt_max_pkt_size == NULL) {
dev_err(&intf->dev, "usbvision: out of memory!\n");
}
for (i = 0; i < usbvision->num_alt; i++) {
-@@ -1619,6 +1623,12 @@ static int usbvision_probe(struct usb_in
+@@ -1612,6 +1616,12 @@ static int usbvision_probe(struct usb_in
PDEBUG(DBG_PROBE, "success");
return 0;
+++ /dev/null
-From 588afcc1c0e45358159090d95bf7b246fb67565f Mon Sep 17 00:00:00 2001
-From: Oliver Neukum <oneukum@suse.com>
-Date: Tue, 27 Oct 2015 09:51:34 -0200
-Subject: [media] usbvision fix overflow of interfaces array
-
-From: Oliver Neukum <oneukum@suse.com>
-
-commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream.
-
-This fixes the crash reported in:
-http://seclists.org/bugtraq/2015/Oct/35
-The interface number needs a sanity check.
-
-Signed-off-by: Oliver Neukum <oneukum@suse.com>
-Cc: Vladis Dronov <vdronov@redhat.com>
-Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/media/usb/usbvision/usbvision-video.c
-+++ b/drivers/media/usb/usbvision/usbvision-video.c
-@@ -1536,6 +1536,13 @@ static int usbvision_probe(struct usb_in
- printk(KERN_INFO "%s: %s found\n", __func__,
- usbvision_device_data[model].model_string);
-
-+ /*
-+ * this is a security check.
-+ * an exploit using an incorrect bInterfaceNumber is known
-+ */
-+ if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
-+ return -ENODEV;
-+
- if (usbvision_device_data[model].interface >= 0)
- interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
- else
revert-pci-add-helpers-to-manage-pci_dev-irq-and-pci_dev-irq_managed.patch
revert-pci-x86-implement-pcibios_alloc_irq-and-pcibios_free_irq.patch
staging-android-ion-set-the-length-of-the-dma-sg-entries-in-buffer.patch
-usbvision-fix-overflow-of-interfaces-array.patch
usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch
revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
-@@ -1470,9 +1470,23 @@ static int usbvision_probe(struct usb_in
+@@ -1463,9 +1463,23 @@ static int usbvision_probe(struct usb_in
if (usbvision_device_data[model].interface >= 0)
interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
+++ /dev/null
-From 588afcc1c0e45358159090d95bf7b246fb67565f Mon Sep 17 00:00:00 2001
-From: Oliver Neukum <oneukum@suse.com>
-Date: Tue, 27 Oct 2015 09:51:34 -0200
-Subject: [media] usbvision fix overflow of interfaces array
-
-From: Oliver Neukum <oneukum@suse.com>
-
-commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream.
-
-This fixes the crash reported in:
-http://seclists.org/bugtraq/2015/Oct/35
-The interface number needs a sanity check.
-
-Signed-off-by: Oliver Neukum <oneukum@suse.com>
-Cc: Vladis Dronov <vdronov@redhat.com>
-Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/media/usb/usbvision/usbvision-video.c
-+++ b/drivers/media/usb/usbvision/usbvision-video.c
-@@ -1461,6 +1461,13 @@ static int usbvision_probe(struct usb_in
- printk(KERN_INFO "%s: %s found\n", __func__,
- usbvision_device_data[model].model_string);
-
-+ /*
-+ * this is a security check.
-+ * an exploit using an incorrect bInterfaceNumber is known
-+ */
-+ if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
-+ return -ENODEV;
-+
- if (usbvision_device_data[model].interface >= 0)
- interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
- else
projects / thirdparty / kernel / stable-queue.git / commitdiff
