From b116add06274103b923c090d09f4598c6b34ab85 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 22 Mar 2012 14:59:26 -0700
Subject: [PATCH] 3.2-stable patches

added patches:
 tpm-zero-buffer-whole-after-copying-to-userspace.patch
---
 queue-3.2/series | 1 +
 ...fer-whole-after-copying-to-userspace.patch | 44 +++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 queue-3.2/tpm-zero-buffer-whole-after-copying-to-userspace.patch

diff --git a/queue-3.2/series b/queue-3.2/series
index c5beee2e2b8..6b477b86dd0 100644
--- a/queue-3.2/series
+++ b/queue-3.2/series
@@ -53,3 +53,4 @@ ib-iser-post-initial-receive-buffers-before-sending-the-final-login-request.patc
 ima-fix-kconfig-dependencies.patch
 x86-ioapic-add-register-level-checks-to-detect-bogus-io-apic-entries.patch
 mm-thp-fix-pmd_bad-triggering-in-code-paths-holding-mmap_sem-read-mode.patch
+tpm-zero-buffer-whole-after-copying-to-userspace.patch
diff --git a/queue-3.2/tpm-zero-buffer-whole-after-copying-to-userspace.patch b/queue-3.2/tpm-zero-buffer-whole-after-copying-to-userspace.patch
new file mode 100644
index 00000000000..145975e8014
--- /dev/null
+++ b/queue-3.2/tpm-zero-buffer-whole-after-copying-to-userspace.patch
@@ -0,0 +1,44 @@
+From 3ab1aff89477dafb1aaeafe8c8669114a02b7226 Mon Sep 17 00:00:00 2001
+From: Tim Gardner
+Date: Tue, 6 Dec 2011 11:29:20 -0700
+Subject: TPM: Zero buffer whole after copying to userspace
+
+From: Tim Gardner
+
+commit 3ab1aff89477dafb1aaeafe8c8669114a02b7226 upstream.
+
+Commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 correctly clears the TPM
+buffer if the user specified read length is >= the TPM buffer length. However,
+if the user specified read length is < the TPM buffer length, then part of the
+TPM buffer is left uncleared.
+
+Reported-by: Seth Forshee
+Cc: Debora Velarde
+Cc: Rajiv Andrade
+Cc: Marcel Selhorst
+Cc: tpmdd-devel@lists.sourceforge.net
+Signed-off-by: Tim Gardner
+Signed-off-by: Rajiv Andrade
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm.c
++++ b/drivers/char/tpm/tpm.c
+@@ -1115,12 +1115,13 @@ ssize_t tpm_read(struct file *file, char
+ ret_size = atomic_read(&chip->data_pending);
+ atomic_set(&chip->data_pending, 0);
+ if (ret_size > 0) { /* relay data */
++ ssize_t orig_ret_size = ret_size;
+ if (size < ret_size)
+ ret_size = size;
+
+ mutex_lock(&chip->buffer_mutex);
+ rc = copy_to_user(buf, chip->data_buffer, ret_size);
+- memset(chip->data_buffer, 0, ret_size);
++ memset(chip->data_buffer, 0, orig_ret_size);
+ if (rc)
+ ret_size = -EFAULT;
+
-- 
2.47.3
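Review bot: In the tpm_read() hunk of the added patch, the new `memset(chip->data_buffer, 0, orig_ret_size);` wipes a length that was sampled from `data_pending` before `buffer_mutex` is taken. The wipe is therefore only complete if nothing refills `data_buffer` between the `atomic_read()` and the `mutex_lock()`; the write path is not visible here, so that needs confirming against the rest of the driver. Because `data_pending` is already reset to 0, a short read also discards the unread tail of the response, which deserves a comment on the memset such as `/* wipe the whole response, not just the bytes copied: a short read must not leave TPM output behind */`. If the buffer has a fixed allocation size, clearing that full size under the mutex would make the wipe independent of the sampled length. The body of tpm_read() starts and ends outside the hunk.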