.38 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Mon, 11 Apr 2011 22:32:04 +0000 (15:32 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 11 Apr 2011 22:32:04 +0000 (15:32 -0700)
20 files changed:
queue-2.6.38/char-tpm-fix-unitialized-usage-of-data-buffer.patch [new file with mode: 0644]
queue-2.6.38/drivers-leds-leds-lp5521.c-world-writable-sysfs-engine-files.patch [new file with mode: 0644]
queue-2.6.38/drivers-leds-leds-lp5523.c-world-writable-engine-sysfs-files.patch [new file with mode: 0644]
queue-2.6.38/drivers-media-video-tlg2300-pd-video.c-remove-second-mutex_unlock-in-pd_vidioc_s_fmt.patch [new file with mode: 0644]
queue-2.6.38/drivers-misc-ep93xx_pwm.c-world-writable-sysfs-files.patch [new file with mode: 0644]
queue-2.6.38/drivers-rtc-rtc-ds1511.c-world-writable-sysfs-nvram-file.patch [new file with mode: 0644]
queue-2.6.38/econet-4-byte-infoleak-to-the-network.patch [new file with mode: 0644]
queue-2.6.38/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch [new file with mode: 0644]
queue-2.6.38/mfd-ab3100-world-writable-debugfs-_priv-files.patch [new file with mode: 0644]
queue-2.6.38/mfd-ab3500-world-writable-debugfs-register-files.patch [new file with mode: 0644]
queue-2.6.38/mfd-ab8500-world-writable-debugfs-register-files.patch [new file with mode: 0644]
queue-2.6.38/netfilter-arp_tables-fix-infoleak-to-userspace.patch [new file with mode: 0644]
queue-2.6.38/netfilter-h323-bug-in-parsing-of-asn1-seqof-field.patch [new file with mode: 0644]
queue-2.6.38/netfilter-ip_tables-fix-infoleak-to-userspace.patch [new file with mode: 0644]
queue-2.6.38/netfilter-ipt_clusterip-fix-buffer-overflow.patch [new file with mode: 0644]
queue-2.6.38/netfilter-xtables-fix-reentrancy.patch [new file with mode: 0644]
queue-2.6.38/scsi_transport_iscsi-make-priv_sess-file-writeable-only-by-root.patch [new file with mode: 0644]
queue-2.6.38/series
queue-2.6.38/sound-oss-remove-offset-from-load_patch-callbacks.patch [new file with mode: 0644]
queue-2.6.38/treat-writes-as-new-when-holes-span-across-page-boundaries.patch [new file with mode: 0644]

diff --git a/queue-2.6.38/char-tpm-fix-unitialized-usage-of-data-buffer.patch b/queue-2.6.38/char-tpm-fix-unitialized-usage-of-data-buffer.patch
new file mode 100644 (file)
index 0000000..591cf0e
--- /dev/null
@@ -0,0 +1,35 @@
+From 1309d7afbed112f0e8e90be9af975550caa0076b Mon Sep 17 00:00:00 2001
+From: Peter Huewe <huewe.external.infineon@googlemail.com>
+Date: Tue, 29 Mar 2011 13:31:25 +0200
+Subject: char/tpm: Fix unitialized usage of data buffer
+
+From: Peter Huewe <huewe.external.infineon@googlemail.com>
+
+commit 1309d7afbed112f0e8e90be9af975550caa0076b upstream.
+
+This patch fixes information leakage to the userspace by initializing
+the data buffer to zero.
+
+Reported-by: Peter Huewe <huewe.external@infineon.com>
+Signed-off-by: Peter Huewe <huewe.external@infineon.com>
+Signed-off-by: Marcel Selhorst <m.selhorst@sirrix.com>
+[ Also removed the silly "* sizeof(u8)".  If that isn't 1, we have way
+  deeper problems than a simple multiplication can fix.   - Linus ]
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/tpm/tpm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm.c
++++ b/drivers/char/tpm/tpm.c
+@@ -980,7 +980,7 @@ int tpm_open(struct inode *inode, struct
+               return -EBUSY;
+       }
+-      chip->data_buffer = kmalloc(TPM_BUFSIZE * sizeof(u8), GFP_KERNEL);
++      chip->data_buffer = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
+       if (chip->data_buffer == NULL) {
+               clear_bit(0, &chip->is_open);
+               put_device(chip->dev);
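Review bot: kzalloc clears data_buffer once, at open, but the buffer is presumably reused for every later write/read on the same open file, so a short response following a longer one could still return stale bytes if the read path copies a fixed TPM_BUFSIZE region instead of the current response length; that path is outside the hunk and worth confirming as part of this backport. The allocation itself is fine, and dropping the `* sizeof(u8)` is consistent with the Linus note in the changelog. tpm_open's body continues outside the hunk.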
diff --git a/queue-2.6.38/drivers-leds-leds-lp5521.c-world-writable-sysfs-engine-files.patch b/queue-2.6.38/drivers-leds-leds-lp5521.c-world-writable-sysfs-engine-files.patch
new file mode 100644 (file)
index 0000000..c34dcc4
--- /dev/null
@@ -0,0 +1,54 @@
+From 67d1da79b25c05d9a38b820bb5b5d89c91070ab2 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Tue, 22 Mar 2011 16:30:19 -0700
+Subject: drivers/leds/leds-lp5521.c: world-writable sysfs engine* files
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit 67d1da79b25c05d9a38b820bb5b5d89c91070ab2 upstream.
+
+Don't allow everybody to change LED settings.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Cc: Richard Purdie <rpurdie@rpsys.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/leds/leds-lp5521.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/leds/leds-lp5521.c
++++ b/drivers/leds/leds-lp5521.c
+@@ -534,7 +534,7 @@ static ssize_t lp5521_selftest(struct de
+ }
+ /* led class device attributes */
+-static DEVICE_ATTR(led_current, S_IRUGO | S_IWUGO, show_current, store_current);
++static DEVICE_ATTR(led_current, S_IRUGO | S_IWUSR, show_current, store_current);
+ static DEVICE_ATTR(max_current, S_IRUGO , show_max_current, NULL);
+ static struct attribute *lp5521_led_attributes[] = {
+@@ -548,15 +548,15 @@ static struct attribute_group lp5521_led
+ };
+ /* device attributes */
+-static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUGO,
++static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUSR,
+                  show_engine1_mode, store_engine1_mode);
+-static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUGO,
++static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUSR,
+                  show_engine2_mode, store_engine2_mode);
+-static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUGO,
++static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUSR,
+                  show_engine3_mode, store_engine3_mode);
+-static DEVICE_ATTR(engine1_load, S_IWUGO, NULL, store_engine1_load);
+-static DEVICE_ATTR(engine2_load, S_IWUGO, NULL, store_engine2_load);
+-static DEVICE_ATTR(engine3_load, S_IWUGO, NULL, store_engine3_load);
++static DEVICE_ATTR(engine1_load, S_IWUSR, NULL, store_engine1_load);
++static DEVICE_ATTR(engine2_load, S_IWUSR, NULL, store_engine2_load);
++static DEVICE_ATTR(engine3_load, S_IWUSR, NULL, store_engine3_load);
+ static DEVICE_ATTR(selftest, S_IRUGO, lp5521_selftest, NULL);
+ static struct attribute *lp5521_attributes[] = {
diff --git a/queue-2.6.38/drivers-leds-leds-lp5523.c-world-writable-engine-sysfs-files.patch b/queue-2.6.38/drivers-leds-leds-lp5523.c-world-writable-engine-sysfs-files.patch
new file mode 100644 (file)
index 0000000..250dbec
--- /dev/null
@@ -0,0 +1,63 @@
+From ccd7510fd8dea5b4b2af87fb2aef2ebd6b23b76b Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Tue, 22 Mar 2011 16:30:20 -0700
+Subject: drivers/leds/leds-lp5523.c: world-writable engine* sysfs files
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit ccd7510fd8dea5b4b2af87fb2aef2ebd6b23b76b upstream.
+
+Don't allow everybody to change LED settings.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Cc: Richard Purdie <rpurdie@rpsys.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/leds/leds-lp5523.c |   20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/leds/leds-lp5523.c
++++ b/drivers/leds/leds-lp5523.c
+@@ -713,7 +713,7 @@ static ssize_t store_current(struct devi
+ }
+ /* led class device attributes */
+-static DEVICE_ATTR(led_current, S_IRUGO | S_IWUGO, show_current, store_current);
++static DEVICE_ATTR(led_current, S_IRUGO | S_IWUSR, show_current, store_current);
+ static DEVICE_ATTR(max_current, S_IRUGO , show_max_current, NULL);
+ static struct attribute *lp5523_led_attributes[] = {
+@@ -727,21 +727,21 @@ static struct attribute_group lp5523_led
+ };
+ /* device attributes */
+-static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUGO,
++static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUSR,
+                  show_engine1_mode, store_engine1_mode);
+-static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUGO,
++static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUSR,
+                  show_engine2_mode, store_engine2_mode);
+-static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUGO,
++static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUSR,
+                  show_engine3_mode, store_engine3_mode);
+-static DEVICE_ATTR(engine1_leds, S_IRUGO | S_IWUGO,
++static DEVICE_ATTR(engine1_leds, S_IRUGO | S_IWUSR,
+                  show_engine1_leds, store_engine1_leds);
+-static DEVICE_ATTR(engine2_leds, S_IRUGO | S_IWUGO,
++static DEVICE_ATTR(engine2_leds, S_IRUGO | S_IWUSR,
+                  show_engine2_leds, store_engine2_leds);
+-static DEVICE_ATTR(engine3_leds, S_IRUGO | S_IWUGO,
++static DEVICE_ATTR(engine3_leds, S_IRUGO | S_IWUSR,
+                  show_engine3_leds, store_engine3_leds);
+-static DEVICE_ATTR(engine1_load, S_IWUGO, NULL, store_engine1_load);
+-static DEVICE_ATTR(engine2_load, S_IWUGO, NULL, store_engine2_load);
+-static DEVICE_ATTR(engine3_load, S_IWUGO, NULL, store_engine3_load);
++static DEVICE_ATTR(engine1_load, S_IWUSR, NULL, store_engine1_load);
++static DEVICE_ATTR(engine2_load, S_IWUSR, NULL, store_engine2_load);
++static DEVICE_ATTR(engine3_load, S_IWUSR, NULL, store_engine3_load);
+ static DEVICE_ATTR(selftest, S_IRUGO, lp5523_selftest, NULL);
+ static struct attribute *lp5523_attributes[] = {
diff --git a/queue-2.6.38/drivers-media-video-tlg2300-pd-video.c-remove-second-mutex_unlock-in-pd_vidioc_s_fmt.patch b/queue-2.6.38/drivers-media-video-tlg2300-pd-video.c-remove-second-mutex_unlock-in-pd_vidioc_s_fmt.patch
new file mode 100644 (file)
index 0000000..81d274d
--- /dev/null
@@ -0,0 +1,42 @@
+From a07500ef690fcbec76e879ee2093d7ca69883825 Mon Sep 17 00:00:00 2001
+From: Alexander Strakh <cromlehg@gmail.com>
+Date: Tue, 25 Jan 2011 18:00:13 -0300
+Subject: [media] drivers/media/video/tlg2300/pd-video.c: Remove second mutex_unlock in pd_vidioc_s_fmt
+
+From: Alexander Strakh <cromlehg@gmail.com>
+
+commit a07500ef690fcbec76e879ee2093d7ca69883825 upstream.
+
+Error path in file drivers/media/video/tlg2300/pd-video.c:
+1. First mutex_unlock on &pd->lock in line 767 (in function that
+   called from line 805)
+2. Second in line  806
+
+ 805        pd_vidioc_s_fmt(pd, &f->fmt.pix);
+ 806        mutex_unlock(&pd->lock);
+
+Found by Linux Device Drivers Verification Project
+
+Signed-off-by: Alexander Strakh <strakh@ispras.ru>
+Acked-by: Huang Shijie <shijie8@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/tlg2300/pd-video.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/media/video/tlg2300/pd-video.c
++++ b/drivers/media/video/tlg2300/pd-video.c
+@@ -764,10 +764,8 @@ static int pd_vidioc_s_fmt(struct poseid
+       }
+       ret |= send_set_req(pd, VIDEO_ROSOLU_SEL,
+                               vid_resol, &cmd_status);
+-      if (ret || cmd_status) {
+-              mutex_unlock(&pd->lock);
++      if (ret || cmd_status)
+               return -EBUSY;
+-      }
+       pix_def->pixelformat = pix->pixelformat; /* save it */
+       pix->height = (context->tvnormid & V4L2_STD_525_60) ?  480 : 576;
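Review bot: The -EBUSY return is now correct with respect to the lock, but the call site quoted in the description (`pd_vidioc_s_fmt(pd, &f->fmt.pix);` immediately followed by `mutex_unlock(&pd->lock);`) discards the return value, so the failure is silently swallowed; if the caller can report it, `ret = pd_vidioc_s_fmt(pd, &f->fmt.pix);` would be the follow-up. Since the function no longer unlocks on this path, any other early return in pd_vidioc_s_fmt that still calls mutex_unlock would reintroduce the double unlock; those lines are outside the hunk. The enclosing function starts and ends outside the hunk.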
diff --git a/queue-2.6.38/drivers-misc-ep93xx_pwm.c-world-writable-sysfs-files.patch b/queue-2.6.38/drivers-misc-ep93xx_pwm.c-world-writable-sysfs-files.patch
new file mode 100644 (file)
index 0000000..5168f4b
--- /dev/null
@@ -0,0 +1,39 @@
+From deb187e72470b0382d4f0cb859e76e1ebc3a1082 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Tue, 22 Mar 2011 16:34:01 -0700
+Subject: drivers/misc/ep93xx_pwm.c: world-writable sysfs files
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit deb187e72470b0382d4f0cb859e76e1ebc3a1082 upstream.
+
+Don't allow everybody to change device settings.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Acked-by: Hartley Sweeten <hartleys@visionengravers.com>
+Cc: Matthieu Crapet <mcrapet@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/misc/ep93xx_pwm.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/misc/ep93xx_pwm.c
++++ b/drivers/misc/ep93xx_pwm.c
+@@ -249,11 +249,11 @@ static ssize_t ep93xx_pwm_set_invert(str
+ static DEVICE_ATTR(min_freq, S_IRUGO, ep93xx_pwm_get_min_freq, NULL);
+ static DEVICE_ATTR(max_freq, S_IRUGO, ep93xx_pwm_get_max_freq, NULL);
+-static DEVICE_ATTR(freq, S_IWUGO | S_IRUGO,
++static DEVICE_ATTR(freq, S_IWUSR | S_IRUGO,
+                  ep93xx_pwm_get_freq, ep93xx_pwm_set_freq);
+-static DEVICE_ATTR(duty_percent, S_IWUGO | S_IRUGO,
++static DEVICE_ATTR(duty_percent, S_IWUSR | S_IRUGO,
+                  ep93xx_pwm_get_duty_percent, ep93xx_pwm_set_duty_percent);
+-static DEVICE_ATTR(invert, S_IWUGO | S_IRUGO,
++static DEVICE_ATTR(invert, S_IWUSR | S_IRUGO,
+                  ep93xx_pwm_get_invert, ep93xx_pwm_set_invert);
+ static struct attribute *ep93xx_pwm_attrs[] = {
diff --git a/queue-2.6.38/drivers-rtc-rtc-ds1511.c-world-writable-sysfs-nvram-file.patch b/queue-2.6.38/drivers-rtc-rtc-ds1511.c-world-writable-sysfs-nvram-file.patch
new file mode 100644 (file)
index 0000000..12782ef
--- /dev/null
@@ -0,0 +1,33 @@
+From 49d50fb1c28738ef6bad0c2b87d5355a1653fed5 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Tue, 22 Mar 2011 16:34:53 -0700
+Subject: drivers/rtc/rtc-ds1511.c: world-writable sysfs nvram file
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit 49d50fb1c28738ef6bad0c2b87d5355a1653fed5 upstream.
+
+Don't allow everybogy to write to NVRAM.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Cc: Andy Sharp <andy.sharp@onstor.com>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/rtc/rtc-ds1511.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-ds1511.c
++++ b/drivers/rtc/rtc-ds1511.c
+@@ -485,7 +485,7 @@ ds1511_nvram_write(struct file *filp, st
+ static struct bin_attribute ds1511_nvram_attr = {
+       .attr = {
+               .name = "nvram",
+-              .mode = S_IRUGO | S_IWUGO,
++              .mode = S_IRUGO | S_IWUSR,
+       },
+       .size = DS1511_RAM_MAX,
+       .read = ds1511_nvram_read,
diff --git a/queue-2.6.38/econet-4-byte-infoleak-to-the-network.patch b/queue-2.6.38/econet-4-byte-infoleak-to-the-network.patch
new file mode 100644 (file)
index 0000000..4280317
--- /dev/null
@@ -0,0 +1,39 @@
+From 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Thu, 17 Mar 2011 01:40:10 +0000
+Subject: econet: 4 byte infoleak to the network
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e upstream.
+
+struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
+x86_64.  These bytes are not initialized in the variable 'ah' before
+sending 'ah' to the network.  This leads to 4 bytes kernel stack
+infoleak.
+
+This bug was introduced before the git epoch.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Acked-by: Phil Blundell <philb@gnu.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/econet/af_econet.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -435,10 +435,10 @@ static int econet_sendmsg(struct kiocb *
+               udpdest.sin_addr.s_addr = htonl(network | addr.station);
+       }
++      memset(&ah, 0, sizeof(ah));
+       ah.port = port;
+       ah.cb = cb & 0x7f;
+       ah.code = 2;            /* magic */
+-      ah.pad = 0;
+       /* tack our header on the front of the iovec */
+       size = sizeof(struct aunhdr);
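Review bot: The memset line carries no comment, and because the removed `ah.pad = 0` made the field-by-field initialization look complete, a later reader may not see why a whole-struct clear is required. Suggest `/* struct aunhdr has padding between fields; clear it all so no stack bytes go out on the wire */` above the memset. Placing the memset before the first field store, as done here, is the right order. econet_sendmsg's body continues on both sides of the hunk.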
diff --git a/queue-2.6.38/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch b/queue-2.6.38/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch
new file mode 100644 (file)
index 0000000..b262e73
--- /dev/null
@@ -0,0 +1,55 @@
+From 6a8ab060779779de8aea92ce3337ca348f973f54 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Tue, 15 Mar 2011 13:37:13 +0100
+Subject: ipv6: netfilter: ip6_tables: fix infoleak to userspace
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit 6a8ab060779779de8aea92ce3337ca348f973f54 upstream.
+
+Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
+copied from userspace.  Fields of these structs that are
+zero-terminated strings are not checked.  When they are used as argument
+to a format string containing "%s" in request_module(), some sensitive
+information is leaked to userspace via argument of spawned modprobe
+process.
+
+The first bug was introduced before the git epoch;  the second was
+introduced in 3bc3fe5e (v2.6.25-rc1);  the third is introduced by
+6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
+CAP_NET_ADMIN.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/netfilter/ip6_tables.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1274,6 +1274,7 @@ do_replace(struct net *net, const void _
+       /* overflow check */
+       if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+               return -ENOMEM;
++      tmp.name[sizeof(tmp.name)-1] = 0;
+       newinfo = xt_alloc_table_info(tmp.size);
+       if (!newinfo)
+@@ -1820,6 +1821,7 @@ compat_do_replace(struct net *net, void
+               return -ENOMEM;
+       if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+               return -ENOMEM;
++      tmp.name[sizeof(tmp.name)-1] = 0;
+       newinfo = xt_alloc_table_info(tmp.size);
+       if (!newinfo)
+@@ -2049,6 +2051,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd
+                       ret = -EFAULT;
+                       break;
+               }
++              rev.name[sizeof(rev.name)-1] = 0;
+               if (cmd == IP6T_SO_GET_REVISION_TARGET)
+                       target = 1;
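Review bot: The bare `tmp.name[sizeof(tmp.name)-1] = 0;` reads like a no-op to a maintainer who does not know the name later reaches `request_module("%s")`, so a comment is warranted at each of the three sites, e.g. `/* name is userspace-supplied; force a terminator before it reaches request_module() */`. The forced terminator silently truncates an unterminated name rather than rejecting it; if callers should see an error instead, `if (strnlen(tmp.name, sizeof(tmp.name)) == sizeof(tmp.name)) return -EINVAL;` would be the alternative. The same pattern and the same comment apply to the arp_tables and ip_tables hunks later in this commit. do_replace, compat_do_replace and do_ip6t_get_ctl each extend outside the hunk.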
diff --git a/queue-2.6.38/mfd-ab3100-world-writable-debugfs-_priv-files.patch b/queue-2.6.38/mfd-ab3100-world-writable-debugfs-_priv-files.patch
new file mode 100644 (file)
index 0000000..9db14af
--- /dev/null
@@ -0,0 +1,40 @@
+From f8a0697722d12a201588225999cfc8bfcbc82781 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Fri, 4 Feb 2011 15:23:36 +0300
+Subject: mfd: ab3100: world-writable debugfs *_priv files
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit f8a0697722d12a201588225999cfc8bfcbc82781 upstream.
+
+Don't allow everybody to change device hardware registers.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Acked-by: Linus Walleij <linus.walleij@stericsson.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mfd/ab3100-core.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mfd/ab3100-core.c
++++ b/drivers/mfd/ab3100-core.c
+@@ -613,7 +613,7 @@ static void ab3100_setup_debugfs(struct
+       ab3100_get_priv.ab3100 = ab3100;
+       ab3100_get_priv.mode = false;
+       ab3100_get_reg_file = debugfs_create_file("get_reg",
+-                              S_IWUGO, ab3100_dir, &ab3100_get_priv,
++                              S_IWUSR, ab3100_dir, &ab3100_get_priv,
+                               &ab3100_get_set_reg_fops);
+       if (!ab3100_get_reg_file) {
+               err = -ENOMEM;
+@@ -623,7 +623,7 @@ static void ab3100_setup_debugfs(struct
+       ab3100_set_priv.ab3100 = ab3100;
+       ab3100_set_priv.mode = true;
+       ab3100_set_reg_file = debugfs_create_file("set_reg",
+-                              S_IWUGO, ab3100_dir, &ab3100_set_priv,
++                              S_IWUSR, ab3100_dir, &ab3100_set_priv,
+                               &ab3100_get_set_reg_fops);
+       if (!ab3100_set_reg_file) {
+               err = -ENOMEM;
diff --git a/queue-2.6.38/mfd-ab3500-world-writable-debugfs-register-files.patch b/queue-2.6.38/mfd-ab3500-world-writable-debugfs-register-files.patch
new file mode 100644 (file)
index 0000000..c6403e3
--- /dev/null
@@ -0,0 +1,43 @@
+From 90c861c2a83d974684974441093ff8a50e6b430b Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Fri, 4 Feb 2011 15:23:39 +0300
+Subject: mfd: ab3500: world-writable debugfs register-* files
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit 90c861c2a83d974684974441093ff8a50e6b430b upstream.
+
+Don't allow everybody to interact with hardware registers.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Acked-by: Linus Walleij <linus.walleij@stericsson.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mfd/ab3550-core.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mfd/ab3550-core.c
++++ b/drivers/mfd/ab3550-core.c
+@@ -1053,17 +1053,17 @@ static inline void ab3550_setup_debugfs(
+               goto exit_destroy_dir;
+       ab3550_bank_file = debugfs_create_file("register-bank",
+-              (S_IRUGO | S_IWUGO), ab3550_dir, ab, &ab3550_bank_fops);
++              (S_IRUGO | S_IWUSR), ab3550_dir, ab, &ab3550_bank_fops);
+       if (!ab3550_bank_file)
+               goto exit_destroy_reg;
+       ab3550_address_file = debugfs_create_file("register-address",
+-              (S_IRUGO | S_IWUGO), ab3550_dir, ab, &ab3550_address_fops);
++              (S_IRUGO | S_IWUSR), ab3550_dir, ab, &ab3550_address_fops);
+       if (!ab3550_address_file)
+               goto exit_destroy_bank;
+       ab3550_val_file = debugfs_create_file("register-value",
+-              (S_IRUGO | S_IWUGO), ab3550_dir, ab, &ab3550_val_fops);
++              (S_IRUGO | S_IWUSR), ab3550_dir, ab, &ab3550_val_fops);
+       if (!ab3550_val_file)
+               goto exit_destroy_address;
diff --git a/queue-2.6.38/mfd-ab8500-world-writable-debugfs-register-files.patch b/queue-2.6.38/mfd-ab8500-world-writable-debugfs-register-files.patch
new file mode 100644 (file)
index 0000000..78c4ca1
--- /dev/null
@@ -0,0 +1,44 @@
+From 44bdcb54df2714da18c4a0c6f711a350ab4ed93c Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Fri, 4 Feb 2011 15:23:43 +0300
+Subject: mfd: ab8500: world-writable debugfs register-* files
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit 44bdcb54df2714da18c4a0c6f711a350ab4ed93c upstream.
+
+Don't allow everybody to interact with hardware registers.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Acked-by: Linus Walleij <linus.walleij@stericsson.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mfd/ab8500-debugfs.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mfd/ab8500-debugfs.c
++++ b/drivers/mfd/ab8500-debugfs.c
+@@ -585,18 +585,18 @@ static int __devinit ab8500_debug_probe(
+               goto exit_destroy_dir;
+       ab8500_bank_file = debugfs_create_file("register-bank",
+-              (S_IRUGO | S_IWUGO), ab8500_dir, &plf->dev, &ab8500_bank_fops);
++              (S_IRUGO | S_IWUSR), ab8500_dir, &plf->dev, &ab8500_bank_fops);
+       if (!ab8500_bank_file)
+               goto exit_destroy_reg;
+       ab8500_address_file = debugfs_create_file("register-address",
+-              (S_IRUGO | S_IWUGO), ab8500_dir, &plf->dev,
++              (S_IRUGO | S_IWUSR), ab8500_dir, &plf->dev,
+               &ab8500_address_fops);
+       if (!ab8500_address_file)
+               goto exit_destroy_bank;
+       ab8500_val_file = debugfs_create_file("register-value",
+-              (S_IRUGO | S_IWUGO), ab8500_dir, &plf->dev, &ab8500_val_fops);
++              (S_IRUGO | S_IWUSR), ab8500_dir, &plf->dev, &ab8500_val_fops);
+       if (!ab8500_val_file)
+               goto exit_destroy_address;
diff --git a/queue-2.6.38/netfilter-arp_tables-fix-infoleak-to-userspace.patch b/queue-2.6.38/netfilter-arp_tables-fix-infoleak-to-userspace.patch
new file mode 100644 (file)
index 0000000..13f15bb
--- /dev/null
@@ -0,0 +1,55 @@
+From 42eab94fff18cb1091d3501cd284d6bd6cc9c143 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Tue, 15 Mar 2011 13:35:21 +0100
+Subject: netfilter: arp_tables: fix infoleak to userspace
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit 42eab94fff18cb1091d3501cd284d6bd6cc9c143 upstream.
+
+Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
+copied from userspace.  Fields of these structs that are
+zero-terminated strings are not checked.  When they are used as argument
+to a format string containing "%s" in request_module(), some sensitive
+information is leaked to userspace via argument of spawned modprobe
+process.
+
+The first bug was introduced before the git epoch;  the second is
+introduced by 6b7d31fc (v2.6.15-rc1);  the third is introduced by
+6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
+CAP_NET_ADMIN.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/netfilter/arp_tables.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1065,6 +1065,7 @@ static int do_replace(struct net *net, c
+       /* overflow check */
+       if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+               return -ENOMEM;
++      tmp.name[sizeof(tmp.name)-1] = 0;
+       newinfo = xt_alloc_table_info(tmp.size);
+       if (!newinfo)
+@@ -1486,6 +1487,7 @@ static int compat_do_replace(struct net
+               return -ENOMEM;
+       if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+               return -ENOMEM;
++      tmp.name[sizeof(tmp.name)-1] = 0;
+       newinfo = xt_alloc_table_info(tmp.size);
+       if (!newinfo)
+@@ -1738,6 +1740,7 @@ static int do_arpt_get_ctl(struct sock *
+                       ret = -EFAULT;
+                       break;
+               }
++              rev.name[sizeof(rev.name)-1] = 0;
+               try_then_request_module(xt_find_revision(NFPROTO_ARP, rev.name,
+                                                        rev.revision, 1, &ret),
diff --git a/queue-2.6.38/netfilter-h323-bug-in-parsing-of-asn1-seqof-field.patch b/queue-2.6.38/netfilter-h323-bug-in-parsing-of-asn1-seqof-field.patch
new file mode 100644 (file)
index 0000000..ff033aa
--- /dev/null
@@ -0,0 +1,38 @@
+From b4232a22776aa5d063f890d21ca69870dbbe431b Mon Sep 17 00:00:00 2001
+From: David Sterba <dsterba@suse.cz>
+Date: Mon, 4 Apr 2011 15:21:02 +0200
+Subject: netfilter: h323: bug in parsing of ASN1 SEQOF field
+
+From: David Sterba <dsterba@suse.cz>
+
+commit b4232a22776aa5d063f890d21ca69870dbbe431b upstream.
+
+Static analyzer of clang found a dead store which appears to be a bug in
+reading count of items in SEQOF field, only the lower byte of word is
+stored. This may lead to corrupted read and communication shutdown.
+
+The bug has been in the module since it's first inclusion into linux
+kernel.
+
+[Patrick: the bug is real, but without practical consequence since the
+ largest amount of sequence-of members we parse is 30.]
+
+Signed-off-by: David Sterba <dsterba@suse.cz>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nf_conntrack_h323_asn1.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -631,7 +631,7 @@ static int decode_seqof(bitstr_t *bs, co
+               CHECK_BOUND(bs, 2);
+               count = *bs->cur++;
+               count <<= 8;
+-              count = *bs->cur++;
++              count += *bs->cur++;
+               break;
+       case SEMI:
+               BYTE_ALIGN(bs);
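Review bot: With the high byte now retained, count can reach 65535 where the dead store previously capped it at 255, so the per-element loop that follows this switch (outside the hunk) must check bounds on each iteration rather than trusting count; Patrick's remark that the largest parsed sequence is 30 describes the callers, not this decoder. A short comment would also help: `count += *bs->cur++; /* 16-bit count: high byte read above, low byte here */`. decode_seqof's body continues outside the hunk.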
diff --git a/queue-2.6.38/netfilter-ip_tables-fix-infoleak-to-userspace.patch b/queue-2.6.38/netfilter-ip_tables-fix-infoleak-to-userspace.patch
new file mode 100644 (file)
index 0000000..22d065a
--- /dev/null
@@ -0,0 +1,54 @@
+From 78b79876761b86653df89c48a7010b5cbd41a84a Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Tue, 15 Mar 2011 13:36:05 +0100
+Subject: netfilter: ip_tables: fix infoleak to userspace
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit 78b79876761b86653df89c48a7010b5cbd41a84a upstream.
+
+Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
+copied from userspace.  Fields of these structs that are
+zero-terminated strings are not checked.  When they are used as argument
+to a format string containing "%s" in request_module(), some sensitive
+information is leaked to userspace via argument of spawned modprobe
+process.
+
+The first and the third bugs were introduced before the git epoch; the
+second was introduced in 2722971c (v2.6.17-rc1).  To trigger the bug
+one should have CAP_NET_ADMIN.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/netfilter/ip_tables.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1261,6 +1261,7 @@ do_replace(struct net *net, const void _
+       /* overflow check */
+       if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+               return -ENOMEM;
++      tmp.name[sizeof(tmp.name)-1] = 0;
+       newinfo = xt_alloc_table_info(tmp.size);
+       if (!newinfo)
+@@ -1805,6 +1806,7 @@ compat_do_replace(struct net *net, void
+               return -ENOMEM;
+       if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+               return -ENOMEM;
++      tmp.name[sizeof(tmp.name)-1] = 0;
+       newinfo = xt_alloc_table_info(tmp.size);
+       if (!newinfo)
+@@ -2034,6 +2036,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd,
+                       ret = -EFAULT;
+                       break;
+               }
++              rev.name[sizeof(rev.name)-1] = 0;
+               if (cmd == IPT_SO_GET_REVISION_TARGET)
+                       target = 1;
diff --git a/queue-2.6.38/netfilter-ipt_clusterip-fix-buffer-overflow.patch b/queue-2.6.38/netfilter-ipt_clusterip-fix-buffer-overflow.patch
new file mode 100644 (file)
index 0000000..f340776
--- /dev/null
@@ -0,0 +1,41 @@
+From 961ed183a9fd080cf306c659b8736007e44065a5 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Sun, 20 Mar 2011 15:42:52 +0100
+Subject: netfilter: ipt_CLUSTERIP: fix buffer overflow
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream.
+
+'buffer' string is copied from userspace.  It is not checked whether it is
+zero terminated.  This may lead to overflow inside of simple_strtoul().
+Changli Gao suggested to copy not more than user supplied 'size' bytes.
+
+It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
+root writable only by default, however, on some setups permissions might be
+relaxed to e.g. network admin user.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Acked-by: Changli Gao <xiaosuo@gmail.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/netfilter/ipt_CLUSTERIP.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+@@ -669,8 +669,11 @@ static ssize_t clusterip_proc_write(stru
+       char buffer[PROC_WRITELEN+1];
+       unsigned long nodenum;
+-      if (copy_from_user(buffer, input, PROC_WRITELEN))
++      if (size > PROC_WRITELEN)
++              return -EIO;
++      if (copy_from_user(buffer, input, size))
+               return -EFAULT;
++      buffer[size] = 0;
+       if (*buffer == '+') {
+               nodenum = simple_strtoul(buffer+1, NULL, 10);
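Review bot: The new length guard at the top of clusterip_proc_write returns -EIO for a write larger than PROC_WRITELEN, but -EIO tells the caller a device/transport fault occurred; a proc handler rejecting oversized input conventionally returns -EINVAL (or -E2BIG), i.e. `if (size > PROC_WRITELEN) return -EINVAL;`. The bound itself is right: buffer is PROC_WRITELEN+1 bytes, so `buffer[size] = 0` stays in range for every accepted size, including size 0, where the terminator lands at buffer[0] and the '+' test below simply fails. What the hunk still leaves unchecked is the tail of the string: simple_strtoul on the next line is called with a NULL endptr, so input such as "+12junk" is accepted as node 12 — pre-existing behaviour, but worth tightening now that the buffer is guaranteed terminated. clusterip_proc_write's body continues outside the hunk.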
diff --git a/queue-2.6.38/netfilter-xtables-fix-reentrancy.patch b/queue-2.6.38/netfilter-xtables-fix-reentrancy.patch
new file mode 100644 (file)
index 0000000..b612af7
--- /dev/null
@@ -0,0 +1,73 @@
+From db856674ac69e31946e56085239757cca3f7655f Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Sun, 20 Mar 2011 15:40:06 +0100
+Subject: netfilter: xtables: fix reentrancy
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit db856674ac69e31946e56085239757cca3f7655f upstream.
+
+commit f3c5c1bfd4308 (make ip_tables reentrant) introduced a race in
+handling the stackptr restore, at the end of ipt_do_table()
+
+We should do it before the call to xt_info_rdunlock_bh(), or we allow
+cpu preemption and another cpu overwrites stackptr of original one.
+
+A second fix is to change the underflow test to check the origptr value
+instead of 0 to detect underflow, or else we allow a jump from different
+hooks.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Jan Engelhardt <jengelh@medozas.de>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/netfilter/ip_tables.c  |    4 ++--
+ net/ipv6/netfilter/ip6_tables.c |    4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -387,7 +387,7 @@ ipt_do_table(struct sk_buff *skb,
+                                       verdict = (unsigned)(-v) - 1;
+                                       break;
+                               }
+-                              if (*stackptr == 0) {
++                              if (*stackptr <= origptr) {
+                                       e = get_entry(table_base,
+                                           private->underflow[hook]);
+                                       pr_debug("Underflow (this is normal) "
+@@ -427,10 +427,10 @@ ipt_do_table(struct sk_buff *skb,
+                       /* Verdict */
+                       break;
+       } while (!acpar.hotdrop);
+-      xt_info_rdunlock_bh();
+       pr_debug("Exiting %s; resetting sp from %u to %u\n",
+                __func__, *stackptr, origptr);
+       *stackptr = origptr;
++      xt_info_rdunlock_bh();
+ #ifdef DEBUG_ALLOW_ALL
+       return NF_ACCEPT;
+ #else
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -410,7 +410,7 @@ ip6t_do_table(struct sk_buff *skb,
+                                       verdict = (unsigned)(-v) - 1;
+                                       break;
+                               }
+-                              if (*stackptr == 0)
++                              if (*stackptr <= origptr)
+                                       e = get_entry(table_base,
+                                           private->underflow[hook]);
+                               else
+@@ -441,8 +441,8 @@ ip6t_do_table(struct sk_buff *skb,
+                       break;
+       } while (!acpar.hotdrop);
+-      xt_info_rdunlock_bh();
+       *stackptr = origptr;
++      xt_info_rdunlock_bh();
+ #ifdef DEBUG_ALLOW_ALL
+       return NF_ACCEPT;
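Review bot: The new underflow test `if (*stackptr <= origptr)` in ipt_do_table carries no comment, and the reason it compares against origptr rather than 0 (frames pushed by a different hook's traversal must not be popped here) lives only in the commit message; I would put it in the code, e.g. `/* stack is empty for this hook: take the underflow entry; never pop a frame pushed by another hook's traversal */` above the check, and the same line in ip6t_do_table. Moving `*stackptr = origptr` ahead of xt_info_rdunlock_bh() also deserves a one-line comment, because the order looks arbitrary yet is the whole fix: per the description, once the lock is dropped this cpu may be preempted and its stackptr overwritten, so something like `/* restore before unlocking: after rdunlock this cpu's stackptr may be reused */` should sit on the assignment in both files. Both ipt_do_table and ip6t_do_table start and end outside the hunks.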
diff --git a/queue-2.6.38/scsi_transport_iscsi-make-priv_sess-file-writeable-only-by-root.patch b/queue-2.6.38/scsi_transport_iscsi-make-priv_sess-file-writeable-only-by-root.patch
new file mode 100644 (file)
index 0000000..2a39683
--- /dev/null
@@ -0,0 +1,29 @@
+From 523f3c80bc41d663d5b35c0cd6ce0fad7f3e7188 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Fri, 4 Feb 2011 15:24:14 +0300
+Subject: [SCSI] scsi_transport_iscsi: make priv_sess file writeable only by root
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit 523f3c80bc41d663d5b35c0cd6ce0fad7f3e7188 upstream.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Acked-by: Mike Christie <michaelc@cs.wisc.edu>
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/scsi_transport_iscsi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -1847,7 +1847,7 @@ store_priv_session_##field(struct device
+ #define iscsi_priv_session_rw_attr(field, format)                     \
+       iscsi_priv_session_attr_show(field, format)                     \
+       iscsi_priv_session_attr_store(field)                            \
+-static ISCSI_CLASS_ATTR(priv_sess, field, S_IRUGO | S_IWUGO,          \
++static ISCSI_CLASS_ATTR(priv_sess, field, S_IRUGO | S_IWUSR,          \
+                       show_priv_session_##field,                      \
+                       store_priv_session_##field)
+ iscsi_priv_session_rw_attr(recovery_tmo, "%d");
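Review bot: The permission change to `S_IRUGO | S_IWUSR` in the iscsi_priv_session_rw_attr macro is correct but undocumented: neither the commit message nor the code says why the store path must be root-only, so the next person touching the macro has nothing to stop them restoring S_IWUGO. A short comment above the macro would carry the reason, e.g. `/* store_priv_session_* alter live session parameters (recovery_tmo is the instantiation below): world-readable, root-writable only */`. The other ISCSI_CLASS_ATTR users in this file are not visible here; if any still pass S_IWUGO they warrant the same change. The surrounding attribute definitions continue outside the hunk.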
index 9d7b0d6364a27fe2015881205a558d9678ede10a..634599cf67243a4bf8fb98c5cae6245c6bf963cf 100644 (file)
@@ -74,3 +74,22 @@ bluetooth-sco-fix-information-leak-to-userspace.patch
 bridge-netfilter-fix-information-leak.patch
 bluetooth-bnep-fix-buffer-overflow.patch
 bluetooth-add-support-for-apple-macbook-pro-8-2.patch
+treat-writes-as-new-when-holes-span-across-page-boundaries.patch
+char-tpm-fix-unitialized-usage-of-data-buffer.patch
+netfilter-ip_tables-fix-infoleak-to-userspace.patch
+netfilter-xtables-fix-reentrancy.patch
+netfilter-arp_tables-fix-infoleak-to-userspace.patch
+netfilter-ipt_clusterip-fix-buffer-overflow.patch
+ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch
+scsi_transport_iscsi-make-priv_sess-file-writeable-only-by-root.patch
+mfd-ab8500-world-writable-debugfs-register-files.patch
+mfd-ab3500-world-writable-debugfs-register-files.patch
+mfd-ab3100-world-writable-debugfs-_priv-files.patch
+drivers-rtc-rtc-ds1511.c-world-writable-sysfs-nvram-file.patch
+drivers-misc-ep93xx_pwm.c-world-writable-sysfs-files.patch
+drivers-leds-leds-lp5523.c-world-writable-engine-sysfs-files.patch
+drivers-leds-leds-lp5521.c-world-writable-sysfs-engine-files.patch
+econet-4-byte-infoleak-to-the-network.patch
+netfilter-h323-bug-in-parsing-of-asn1-seqof-field.patch
+sound-oss-remove-offset-from-load_patch-callbacks.patch
+drivers-media-video-tlg2300-pd-video.c-remove-second-mutex_unlock-in-pd_vidioc_s_fmt.patch
diff --git a/queue-2.6.38/sound-oss-remove-offset-from-load_patch-callbacks.patch b/queue-2.6.38/sound-oss-remove-offset-from-load_patch-callbacks.patch
new file mode 100644 (file)
index 0000000..d4391c2
--- /dev/null
@@ -0,0 +1,152 @@
+From b769f49463711205d57286e64cf535ed4daf59e9 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Wed, 23 Mar 2011 10:53:41 -0400
+Subject: sound/oss: remove offset from load_patch callbacks
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit b769f49463711205d57286e64cf535ed4daf59e9 upstream.
+
+Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of
+uninitialized value, and signedness issue
+
+The offset passed to midi_synth_load_patch() can be essentially
+arbitrary.  If it's greater than the header length, this will result in
+a copy_from_user(dst, src, negative_val).  While this will just return
+-EFAULT on x86, on other architectures this may cause memory corruption.
+Additionally, the length field of the sysex_info structure may not be
+initialized prior to its use.  Finally, a signed comparison may result
+in an unintentionally large loop.
+
+On suggestion by Takashi Iwai, version two removes the offset argument
+from the load_patch callbacks entirely, which also resolves similar
+issues in opl3.  Compile tested only.
+
+v3 adjusts comments and hopefully gets copy offsets right.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/oss/dev_table.h  |    2 +-
+ sound/oss/midi_synth.c |   30 +++++++++++++-----------------
+ sound/oss/midi_synth.h |    2 +-
+ sound/oss/opl3.c       |    8 ++------
+ sound/oss/sequencer.c  |    2 +-
+ 5 files changed, 18 insertions(+), 26 deletions(-)
+
+--- a/sound/oss/dev_table.h
++++ b/sound/oss/dev_table.h
+@@ -271,7 +271,7 @@ struct synth_operations
+       void (*reset) (int dev);
+       void (*hw_control) (int dev, unsigned char *event);
+       int (*load_patch) (int dev, int format, const char __user *addr,
+-           int offs, int count, int pmgr_flag);
++           int count, int pmgr_flag);
+       void (*aftertouch) (int dev, int voice, int pressure);
+       void (*controller) (int dev, int voice, int ctrl_num, int value);
+       void (*panning) (int dev, int voice, int value);
+--- a/sound/oss/midi_synth.c
++++ b/sound/oss/midi_synth.c
+@@ -476,7 +476,7 @@ EXPORT_SYMBOL(midi_synth_hw_control);
+ int
+ midi_synth_load_patch(int dev, int format, const char __user *addr,
+-                    int offs, int count, int pmgr_flag)
++                    int count, int pmgr_flag)
+ {
+       int             orig_dev = synth_devs[dev]->midi_dev;
+@@ -491,33 +491,29 @@ midi_synth_load_patch(int dev, int forma
+       if (!prefix_cmd(orig_dev, 0xf0))
+               return 0;
++      /* Invalid patch format */
+       if (format != SYSEX_PATCH)
+-      {
+-/*              printk("MIDI Error: Invalid patch format (key) 0x%x\n", format);*/
+                 return -EINVAL;
+-      }
++
++      /* Patch header too short */
+       if (count < hdr_size)
+-      {
+-/*            printk("MIDI Error: Patch header too short\n");*/
+               return -EINVAL;
+-      }
++
+       count -= hdr_size;
+       /*
+-       * Copy the header from user space but ignore the first bytes which have
+-       * been transferred already.
++       * Copy the header from user space
+        */
+-      if(copy_from_user(&((char *) &sysex)[offs], &(addr)[offs], hdr_size - offs))
++      if (copy_from_user(&sysex, addr, hdr_size))
+               return -EFAULT;
+- 
+-      if (count < sysex.len)
+-      {
+-/*            printk(KERN_WARNING "MIDI Warning: Sysex record too short (%d<%d)\n", count, (int) sysex.len);*/
++
++      /* Sysex record too short */
++      if ((unsigned)count < (unsigned)sysex.len)
+               sysex.len = count;
+-      }
+-      left = sysex.len;
+-      src_offs = 0;
++
++      left = sysex.len;
++      src_offs = 0;
+       for (i = 0; i < left && !signal_pending(current); i++)
+       {
+--- a/sound/oss/midi_synth.h
++++ b/sound/oss/midi_synth.h
+@@ -8,7 +8,7 @@ int midi_synth_open (int dev, int mode);
+ void midi_synth_close (int dev);
+ void midi_synth_hw_control (int dev, unsigned char *event);
+ int midi_synth_load_patch (int dev, int format, const char __user * addr,
+-               int offs, int count, int pmgr_flag);
++               int count, int pmgr_flag);
+ void midi_synth_panning (int dev, int channel, int pressure);
+ void midi_synth_aftertouch (int dev, int channel, int pressure);
+ void midi_synth_controller (int dev, int channel, int ctrl_num, int value);
+--- a/sound/oss/opl3.c
++++ b/sound/oss/opl3.c
+@@ -820,7 +820,7 @@ static void opl3_hw_control(int dev, uns
+ }
+ static int opl3_load_patch(int dev, int format, const char __user *addr,
+-              int offs, int count, int pmgr_flag)
++              int count, int pmgr_flag)
+ {
+       struct sbi_instrument ins;
+@@ -830,11 +830,7 @@ static int opl3_load_patch(int dev, int
+               return -EINVAL;
+       }
+-      /*
+-       * What the fuck is going on here?  We leave junk in the beginning
+-       * of ins and then check the field pretty close to that beginning?
+-       */
+-      if(copy_from_user(&((char *) &ins)[offs], addr + offs, sizeof(ins) - offs))
++      if (copy_from_user(&ins, addr, sizeof(ins)))
+               return -EFAULT;
+       if (ins.channel < 0 || ins.channel >= SBFM_MAXINSTR)
+--- a/sound/oss/sequencer.c
++++ b/sound/oss/sequencer.c
+@@ -241,7 +241,7 @@ int sequencer_write(int dev, struct file
+                               return -ENXIO;
+                       fmt = (*(short *) &event_rec[0]) & 0xffff;
+-                      err = synth_devs[dev]->load_patch(dev, fmt, buf, p + 4, c, 0);
++                      err = synth_devs[dev]->load_patch(dev, fmt, buf + p, c, 0);
+                       if (err < 0)
+                               return err;
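Review bot: The clamp `if ((unsigned)count < (unsigned)sysex.len) sysex.len = count;` in midi_synth_load_patch relies on the unsigned casts to also catch a negative len from userspace (it compares as a huge value and is clamped to count), but nothing in the code says so, and a maintainer "cleaning up" the casts would reopen the large-loop problem the description mentions. I would either spell it out, `/* casts are deliberate: a negative sysex.len from userspace compares as huge and is clamped to count */`, or — assuming len is a signed int, as the casts suggest — reject it explicitly with `if (sysex.len < 0 || count < sysex.len) sysex.len = count;`, which reads as intended without depending on conversion rules. count is already non-negative at that point because of the `count < hdr_size` check and the subtraction just above. midi_synth_load_patch continues outside the hunk, and the description says this was compile-tested only, so the new sequencer.c call `load_patch(dev, fmt, buf + p, c, 0)` (addr now points at the full event record, with c covering the header) deserves a runtime check before the series is merged.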
diff --git a/queue-2.6.38/treat-writes-as-new-when-holes-span-across-page-boundaries.patch b/queue-2.6.38/treat-writes-as-new-when-holes-span-across-page-boundaries.patch
new file mode 100644 (file)
index 0000000..f6e9097
--- /dev/null
@@ -0,0 +1,38 @@
+From 272b62c1f0f6f742046e45b50b6fec98860208a0 Mon Sep 17 00:00:00 2001
+From: Goldwyn Rodrigues <rgoldwyn@gmail.com>
+Date: Thu, 17 Feb 2011 09:44:40 -0600
+Subject: Treat writes as new when holes span across page boundaries
+
+From: Goldwyn Rodrigues <rgoldwyn@gmail.com>
+
+commit 272b62c1f0f6f742046e45b50b6fec98860208a0 upstream.
+
+When a hole spans across page boundaries, the next write forces
+a read of the block. This could end up reading existing garbage
+data from the disk in ocfs2_map_page_blocks. This leads to
+non-zero holes. In order to avoid this, mark the writes as new
+when the holes span across page boundaries.
+
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.de>
+Signed-off-by: jlbec <jlbec@evilplan.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ocfs2/aops.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -1026,6 +1026,12 @@ static int ocfs2_prepare_page_for_write(
+       ocfs2_figure_cluster_boundaries(OCFS2_SB(inode->i_sb), cpos,
+                                       &cluster_start, &cluster_end);
++      /* treat the write as new if the a hole/lseek spanned across
++       * the page boundary.
++       */
++      new = new | ((i_size_read(inode) <= page_offset(page)) &&
++                      (page_offset(page) <= user_pos));
++
+       if (page == wc->w_target_page) {
+               map_from = user_pos & (PAGE_CACHE_SIZE - 1);
+               map_to = map_from + user_len;
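Review bot: The added comment in ocfs2_prepare_page_for_write has a typo (`if the a hole/lseek`) and, more importantly, does not say what goes wrong without the check — per the description, the read-before-write in ocfs2_map_page_blocks would otherwise pull stale on-disk block contents into what should be a zero-filled hole, so old data becomes visible in the file. I would reword it as `/* treat the write as new when a hole spans the page boundary: otherwise the block is read back from disk and stale contents leak into the hole */`. Stylistically `new = new | (...)` is better written `new |= (...)`. The function starts and ends outside the hunk.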