This is a note to let you know that I've just added the patch titled
USB: gadget: zero allocate endpoint 0 buffers
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
usb-gadget-zero-allocate-endpoint-0-buffers.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 9 Dec 2021 19:02:15 +0100
Subject: USB: gadget: zero allocate endpoint 0 buffers
From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
commit 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3 upstream.
Under some conditions, USB gadget devices can show allocated buffer
contents to a host. Fix this up by zero-allocating them so that any
extra data will all just be zeros.
Reported-by: Szymon Heidrich <szymon.heidrich@xxxxxxxxx>
Tested-by: Szymon Heidrich <szymon.heidrich@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/usb/gadget/composite.c | 2 +-
drivers/usb/gadget/legacy/dbgp.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -2221,7 +2221,7 @@ int composite_dev_prepare(struct usb_com
if (!cdev->req)
return -ENOMEM;
- cdev->req->buf = kmalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
+ cdev->req->buf = kzalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
if (!cdev->req->buf)
goto fail;
--- a/drivers/usb/gadget/legacy/dbgp.c
+++ b/drivers/usb/gadget/legacy/dbgp.c
@@ -137,7 +137,7 @@ static int dbgp_enable_ep_req(struct usb
goto fail_1;
}
- req->buf = kmalloc(DBGP_REQ_LEN, GFP_KERNEL);
+ req->buf = kzalloc(DBGP_REQ_LEN, GFP_KERNEL);
if (!req->buf) {
err = -ENOMEM;
stp = 2;
Patches currently in stable-queue which might be from gregkh@xxxxxxxxxxxxxxxxxxx are
queue-5.15/usb-gadget-detect-too-big-endpoint-0-requests.patch
queue-5.15/irqchip-armada-370-xp-fix-return-value-of-armada_370_xp_msi_alloc.patch
queue-5.15/libata-add-horkage-for-asmedia-1092.patch
queue-5.15/documentation-locking-locktypes-update-migrate_disable-bits.patch
queue-5.15/hid-wacom-fix-problems-when-device-is-not-a-valid-usb-device.patch
queue-5.15/ib-hfi1-insure-use-of-smp_processor_id-is-preempt-disabled.patch
queue-5.15/hwmon-dell-smm-fix-warning-on-proc-i8k-creation-error.patch
queue-5.15/iio-adc-axp20x_adc-fix-charging-current-reporting-on-axp22x.patch
queue-5.15/alsa-hda-realtek-fix-quirk-for-tongfang-phxtxx1.patch
queue-5.15/can-m_can-pci-fix-incorrect-reference-clock-rate.patch
queue-5.15/clk-imx-use-module_platform_driver.patch
queue-5.15/asoc-rt5682-fix-crash-due-to-out-of-scope-stack-vars.patch
queue-5.15/alsa-hda-realtek-add-headset-mic-support-for-lenovo-alc897-platform.patch
queue-5.15/udp-using-datalen-to-cap-max-gso-segments.patch
queue-5.15/asoc-codecs-wcd934x-handle-channel-mappping-list-correctly.patch
queue-5.15/net-qla3xxx-fix-an-error-code-in-ql_adapter_up.patch
queue-5.15/alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch
queue-5.15/mmc-renesas_sdhi-initialize-variable-properly-when-tuning.patch
queue-5.15/mtd-rawnand-fsmc-fix-timing-computation.patch
queue-5.15/iio-trigger-fix-reference-counting.patch
queue-5.15/can-pch_can-pch_can_rx_normal-fix-use-after-free.patch
queue-5.15/clocksource-drivers-dw_apb_timer_of-fix-probe-failure.patch
queue-5.15/iio-at91-sama5d2-fix-incorrect-sign-extension.patch
queue-5.15/iavf-restore-msi-state-on-reset.patch
queue-5.15/csky-fix-typo-of-fpu-config-macro.patch
queue-5.15/net-bcm4908-handle-dma_set_coherent_mask-error-codes.patch
queue-5.15/platform-x86-amd-pmc-fix-s2idle-failures-on-certain-amd-laptops.patch
queue-5.15/selftests-netfilter-add-a-vrf-conntrack-testcase.patch
queue-5.15/asoc-codecs-wcd934x-return-correct-value-from-mixer-put.patch
queue-5.15/bpf-sockmap-re-evaluate-proto-ops-when-psock-is-removed-from-sockmap.patch
queue-5.15/usb-core-config-fix-validation-of-wmaxpacketvalue-entries.patch
queue-5.15/hid-add-usb_hid-dependancy-to-hid-prodikeys.patch
queue-5.15/ethtool-do-not-perform-operations-on-net-devices-being-unregistered.patch
queue-5.15/clk-qcom-clk-alpha-pll-don-t-reconfigure-running-trion.patch
queue-5.15/hid-ignore-battery-for-elan-touchscreen-on-asus-ux550ve.patch
queue-5.15/md-fix-update-super-1.0-on-rdev-size-change.patch
queue-5.15/iio-itg3200-call-iio_trigger_notify_done-on-error.patch
queue-5.15/mm-bdi-initialize-bdi_min_ratio-when-bdi-is-unregistered.patch
queue-5.15/nfsd-fix-use-after-free-due-to-delegation-race.patch
queue-5.15/binder-use-wake_up_pollfree.patch
queue-5.15/iio-accel-kxcjk-1013-fix-possible-memory-leak-in-probe-and-remove.patch
queue-5.15/usb-gadget-uvc-fix-multiple-opens.patch
queue-5.15/hid-add-usb_hid-dependancy-to-hid-chicony.patch
queue-5.15/can-m_can-pci-fix-iomap_read_fifo-and-iomap_write_fifo.patch
queue-5.15/drm-syncobj-deal-with-signalled-fences-in-drm_syncobj_find_fence.patch
queue-5.15/i40e-fix-null-pointer-dereference-in-i40e_dbg_dump_desc.patch
queue-5.15/ice-ignore-dropped-packets-during-init.patch
queue-5.15/net-cdc_ncm-allow-for-dwntboutmaxsize-to-be-unset-or-zero.patch
queue-5.15/block-fix-ioprio_get-ioprio_who_pgrp-vs-setuid-2.patch
queue-5.15/mtd-rawnand-fsmc-take-instruction-delay-into-account.patch
queue-5.15/dt-bindings-net-reintroduce-phy-no-lane-swap-binding.patch
queue-5.15/hwmon-pwm-fan-ensure-the-fan-going-on-in-.probe.patch
queue-5.15/can-kvaser_usb-get-can-clock-frequency-from-device.patch
queue-5.15/perf-intel-pt-fix-some-pge-packet-generation-enable-control-flow-packets-usage.patch
queue-5.15/rdma-hns-do-not-destroy-qp-resources-in-the-hw-resetting-phase.patch
queue-5.15/usb-gadget-zero-allocate-endpoint-0-buffers.patch
queue-5.15/perf-intel-pt-fix-intel_pt_fup_event-assumptions-about-setting-state-type.patch
queue-5.15/i40e-fix-failed-opcode-appearing-if-handling-messages-from-vf.patch
queue-5.15/alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch
queue-5.15/wait-add-wake_up_pollfree.patch
queue-5.15/bpf-make-sure-bpf_disable_instrumentation-is-safe-vs-preemption.patch
queue-5.15/timers-implement-usleep_idle_range.patch
queue-5.15/aio-keep-poll-requests-on-waitqueue-until-completed.patch
queue-5.15/misc-fastrpc-fix-improper-packet-size-calculation.patch
queue-5.15/asoc-qdsp6-q6routing-fix-return-value-from-msm_routing_put_audio_mixer.patch
queue-5.15/can-kvaser_pciefd-kvaser_pciefd_rx_error_frame-increase-correct-stats-rx-tx-_errors-counter.patch
queue-5.15/iio-ad7768-1-call-iio_trigger_notify_done-on-error.patch
queue-5.15/iio-dln2-check-return-value-of-devm_iio_trigger_register.patch
queue-5.15/mmc-spi-add-device-tree-spi-ids.patch
queue-5.15/bpf-fix-the-off-by-two-error-in-range-markings.patch
queue-5.15/hid-add-hid_is_usb-function-to-make-it-simpler-for-usb-detection.patch
queue-5.15/platform-x86-intel-hid-add-quirk-to-support-surface-go-3.patch
queue-5.15/selftests-kvm-avoid-failures-due-to-reserved-hypertransport-region.patch
queue-5.15/mtd-dataflash-add-device-tree-spi-ids.patch
queue-5.15/perf-tools-fix-smt-detection-fast-read-path.patch
queue-5.15/netfilter-conntrack-annotate-data-races-around-ct-timeout.patch
queue-5.15/bpf-x86-fix-no-previous-prototype-warning.patch
queue-5.15/misc-rtsx-avoid-mangling-irq-during-runtime-pm.patch
queue-5.15/alsa-pcm-oss-limit-the-period-size-to-16mb.patch
queue-5.15/net-sched-fq_pie-prevent-dismantle-issue.patch
queue-5.15/devlink-fix-netns-refcount-leak-in-devlink_nl_cmd_reload.patch
queue-5.15/hid-add-usb_hid-dependancy-on-some-usb-hid-drivers.patch
queue-5.15/hid-check-for-valid-usb-device-for-many-hid-drivers.patch
queue-5.15/io_uring-ensure-task_work-gets-run-as-part-of-cancelations.patch
queue-5.15/iio-stk3310-don-t-return-error-code-in-interrupt-handler.patch
queue-5.15/mm-damon-core-fix-fake-load-reports-due-to-uninterruptible-sleeps.patch
queue-5.15/perf-intel-pt-fix-next-err-value-walking-trace.patch
queue-5.15/perf-intel-pt-fix-error-timestamp-setting-on-the-decoder-error-path.patch
queue-5.15/tools-build-remove-needless-libpython-version-feature-check-that-breaks-test-all-fast-path.patch
queue-5.15/btrfs-replace-the-bug_on-in-btrfs_del_root_ref-with-proper-error-handling.patch
queue-5.15/cifs-fix-crash-on-unload-of-cifs_arc4.ko.patch
queue-5.15/kvm-x86-ignore-sparse-banks-size-for-an-all-cpus-non-sparse-ipi-req.patch
queue-5.15/btrfs-fix-re-dirty-process-of-tree-log-nodes.patch
queue-5.15/perf-intel-pt-fix-state-setting-when-receiving-overflow-ovf-packet.patch
queue-5.15/asoc-codecs-wsa881x-fix-return-values-from-kcontrol-put.patch
queue-5.15/scsi-scsi_debug-fix-buffer-size-of-report-zones-command.patch
queue-5.15/can-sja1000-fix-use-after-free-in-ems_pcmcia_add_card.patch
queue-5.15/clk-qcom-regmap-mux-fix-parent-clock-lookup.patch
queue-5.15/alsa-pcm-oss-fix-negative-period-buffer-sizes.patch
queue-5.15/irqchip-aspeed-scu-replace-update_bits-with-write_bits.patch
queue-5.15/nfp-fix-memory-leak-in-nfp_cpp_area_cache_add.patch
queue-5.15/revert-pci-aardvark-fix-support-for-pci_rom_address1-on-emulated-bridge.patch
queue-5.15/iio-dln2-adc-fix-lockdep-complaint.patch
queue-5.15/vrf-don-t-run-conntrack-on-vrf-with-dflt-qdisc.patch
queue-5.15/perf-intel-pt-fix-sync-state-when-a-psb-synchronization-packet-is-found.patch
queue-5.15/bpf-sockmap-attach-map-progs-to-psock-early-for-feature-probes.patch
queue-5.15/kvm-x86-don-t-warn-if-userspace-mucks-with-rcx-during-string-i-o-exit.patch
queue-5.15/irqchip-armada-370-xp-fix-support-for-multi-msi-interrupts.patch
queue-5.15/ib-hfi1-fix-early-init-panic.patch
queue-5.15/bus-mhi-pci_generic-fix-device-recovery-failed-issue.patch
queue-5.15/btrfs-free-exchange-changeset-on-failures.patch
queue-5.15/net-mvpp2-fix-xdp-rx-queues-registering.patch
queue-5.15/iio-mma8452-fix-trigger-reference-couting.patch
queue-5.15/i2c-mpc-use-atomic-read-and-fix-break-condition.patch
queue-5.15/iavf-fix-reporting-when-setting-descriptor-count.patch
queue-5.15/net-neigh-clear-whole-pneigh_entry-at-alloc-time.patch
queue-5.15/btrfs-clear-extent-buffer-uptodate-when-we-fail-to-write-it.patch
queue-5.15/ib-hfi1-correct-guard-on-eager-buffer-deallocation.patch
queue-5.15/qede-validate-non-lso-skb-length.patch
queue-5.15/nvmem-eeprom-at25-fix-fram-byte_len.patch
queue-5.15/pm-runtime-fix-pm_runtime_active-kerneldoc-comment.patch
queue-5.15/revert-usb-dwc3-dwc3-qcom-enable-tx-fifo-resize-property-by-default.patch
queue-5.15/net-dsa-mv88e6xxx-error-handling-for-serdes_power-functions.patch
queue-5.15/seg6-fix-the-iif-in-the-ipv6-socket-control-block.patch
queue-5.15/aio-fix-incorrect-usage-of-eventfd_signal_allowed.patch
queue-5.15/iio-kxsd9-don-t-return-error-code-in-trigger-handler.patch
queue-5.15/can-m_can-m_can_read_fifo-fix-memory-leak-in-error-branch.patch
queue-5.15/signalfd-use-wake_up_pollfree.patch
queue-5.15/net-dsa-mv88e6xxx-fix-don-t-use-phy_detect-on-internal-phy-s.patch
queue-5.15/i40e-fix-pre-set-max-number-of-queues-for-vf.patch
queue-5.15/iio-trigger-stm32-timer-fix-module_alias.patch
queue-5.15/irqchip-irq-gic-v3-its.c-force-synchronisation-when-issuing-invall.patch
queue-5.15/nft_set_pipapo-fix-bucket-load-in-avx2-lookup-routine-for-six-8-bit-groups.patch
queue-5.15/nfsd-fix-nsfd-startup-race-again.patch
queue-5.15/xhci-avoid-race-between-disable-slot-command-and-host-runtime-suspend.patch
queue-5.15/bus-mhi-core-add-support-for-forced-pm-resume.patch
queue-5.15/irqchip-nvic-fix-offset-for-interrupt-priority-offsets.patch
queue-5.15/can-m_can-disable-and-ignore-elo-interrupt.patch
queue-5.15/hid-sony-fix-error-path-in-probe.patch
queue-5.15/iio-ltr501-don-t-return-error-code-in-trigger-handler.patch
queue-5.15/hid-intel-ish-hid-ipc-only-enable-irq-wakeup-when-requested.patch
queue-5.15/tracefs-set-all-files-to-the-same-group-ownership-as-the-mount-option.patch
queue-5.15/x86-sme-explicitly-map-new-efi-memmap-table-as-encrypted.patch
queue-5.15/hid-google-add-eel-usb-id.patch
queue-5.15/net-dsa-mv88e6xxx-allow-use-of-phys-on-cpu-and-dsa-ports.patch
queue-5.15/scsi-qla2xxx-format-log-strings-only-if-needed.patch
queue-5.15/rdma-hns-do-not-halt-commands-during-reset-until-later.patch
queue-5.15/hid-quirks-add-quirk-for-the-microsoft-surface-3-type-cover.patch
queue-5.15/nfc-fix-potential-null-pointer-deref-in-nfc_genl_dump_ses_done.patch
queue-5.15/mm-slub-fix-endianness-bug-for-alloc-free_traces-attributes.patch
queue-5.15/net-fec-only-clear-interrupt-of-handling-queue-in-fec_enet_rx_queue.patch
queue-5.15/ib-hfi1-fix-leak-of-rcvhdrtail_dummy_kvaddr.patch
queue-5.15/net-dsa-felix-fix-memory-leak-in-felix_setup_mmio_filtering.patch
queue-5.15/xhci-remove-config_usb_default_persist-to-prevent-xhci-from-runtime-suspending.patch
queue-5.15/iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch
queue-5.15/alsa-usb-audio-reorder-snd_djm_devices-entries.patch
queue-5.15/scsi-pm80xx-do-not-call-scsi_remove_host-in-pm8001_alloc.patch
queue-5.15/tracefs-have-new-files-inherit-the-ownership-of-their-parent.patch
queue-5.15/iio-gyro-adxrs290-fix-data-signedness.patch
queue-5.15/net-altera-set-a-couple-error-code-in-probe.patch
queue-5.15/selftests-fib_tests-rework-fib_rp_filter_test.patch
queue-5.15/thermal-int340x-fix-vcoreflow-mmio-bit-offset-for-tgl.patch
queue-5.15/kvm-x86-wait-for-ipis-to-be-delivered-when-handling-hyper-v-tlb-flush-hypercall.patch
queue-5.15/aio-fix-use-after-free-due-to-missing-pollfree-handling.patch
queue-5.15/netfilter-nft_exthdr-break-evaluation-if-setting-tcp-option-fails.patch
queue-5.15/drm-amd-display-fix-dpia-outbox-timeout-after-s3-s4-reset.patch
queue-5.15/hid-bigbenff-prevent-null-pointer-dereference.patch
queue-5.15/bonding-make-tx_rebalance_counter-an-atomic.patch
queue-5.15/perf-intel-pt-fix-missing-instruction-events-with-q-option.patch
queue-5.15/usb-core-config-using-bit-mask-instead-of-individual-bits.patch
