4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Apr 2018 12:20:32 +0000 (14:20 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Apr 2018 12:20:32 +0000 (14:20 +0200)
added patches:
cdrom-information-leak-in-cdrom_ioctl_media_changed.patch
s390-cio-update-chpid-descriptor-after-resource-accessibility-event.patch
s390-uprobes-implement-arch_uretprobe_is_alive.patch
scsi-mptsas-disable-write-same.patch

queue-4.4/cdrom-information-leak-in-cdrom_ioctl_media_changed.patch [new file with mode: 0644]
queue-4.4/s390-cio-update-chpid-descriptor-after-resource-accessibility-event.patch [new file with mode: 0644]
queue-4.4/s390-uprobes-implement-arch_uretprobe_is_alive.patch [new file with mode: 0644]
queue-4.4/scsi-mptsas-disable-write-same.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/cdrom-information-leak-in-cdrom_ioctl_media_changed.patch b/queue-4.4/cdrom-information-leak-in-cdrom_ioctl_media_changed.patch
new file mode 100644 (file)
index 0000000..88d8a9b
--- /dev/null
@@ -0,0 +1,36 @@
+From 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 18 Apr 2018 12:51:31 +0300
+Subject: cdrom: information leak in cdrom_ioctl_media_changed()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707 upstream.
+
+This cast is wrong.  "cdi->capacity" is an int and "arg" is an unsigned
+long.  The way the check is written now, if one of the high 32 bits is
+set then we could read outside the info->slots[] array.
+
+This bug is pretty old and it predates git.
+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cdrom/cdrom.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2358,7 +2358,7 @@ static int cdrom_ioctl_media_changed(str
+       if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT)
+               return media_changed(cdi, 1);
+-      if ((unsigned int)arg >= cdi->capacity)
++      if (arg >= cdi->capacity)
+               return -EINVAL;
+       info = kmalloc(sizeof(*info), GFP_KERNEL);
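Review bot: The corrected bound check `if (arg >= cdi->capacity)` now depends on the implicit conversion of the int `cdi->capacity` to unsigned long, and nothing at the site records that. A one-line comment such as `/* arg is unsigned long: compare at full width, never narrow it first */` would keep a later cleanup from reintroducing the truncating cast this commit removes. If `cdi->capacity` could ever be negative, the conversion would turn it into a very large bound and the check would no longer reject anything, so it is worth confirming where capacity is assigned that it cannot go below zero. The body of cdrom_ioctl_media_changed() continues past the end of the hunk, so the later use of `arg` as a slot index is not visible here.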
diff --git a/queue-4.4/s390-cio-update-chpid-descriptor-after-resource-accessibility-event.patch b/queue-4.4/s390-cio-update-chpid-descriptor-after-resource-accessibility-event.patch
new file mode 100644 (file)
index 0000000..b63e961
--- /dev/null
@@ -0,0 +1,56 @@
+From af2e460ade0b0180d0f3812ca4f4f59cc9597f3e Mon Sep 17 00:00:00 2001
+From: Sebastian Ott <sebott@linux.ibm.com>
+Date: Wed, 11 Apr 2018 11:21:17 +0200
+Subject: s390/cio: update chpid descriptor after resource accessibility event
+
+From: Sebastian Ott <sebott@linux.ibm.com>
+
+commit af2e460ade0b0180d0f3812ca4f4f59cc9597f3e upstream.
+
+Channel path descriptors have been seen as something stable (as
+long as the chpid is configured). Recent tests have shown that the
+descriptor can also be altered when the link state of a channel path
+changes. Thus it is necessary to update the descriptor during
+handling of resource accessibility events.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Sebastian Ott <sebott@linux.ibm.com>
+Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/cio/chsc.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/s390/cio/chsc.c
++++ b/drivers/s390/cio/chsc.c
+@@ -451,6 +451,7 @@ static void chsc_process_sei_link_incide
+ static void chsc_process_sei_res_acc(struct chsc_sei_nt0_area *sei_area)
+ {
++      struct channel_path *chp;
+       struct chp_link link;
+       struct chp_id chpid;
+       int status;
+@@ -463,10 +464,17 @@ static void chsc_process_sei_res_acc(str
+       chpid.id = sei_area->rsid;
+       /* allocate a new channel path structure, if needed */
+       status = chp_get_status(chpid);
+-      if (status < 0)
+-              chp_new(chpid);
+-      else if (!status)
++      if (!status)
+               return;
++
++      if (status < 0) {
++              chp_new(chpid);
++      } else {
++              chp = chpid_to_chp(chpid);
++              mutex_lock(&chp->lock);
++              chp_update_desc(chp);
++              mutex_unlock(&chp->lock);
++      }
+       memset(&link, 0, sizeof(struct chp_link));
+       link.chpid = chpid;
+       if ((sei_area->vf & 0xc0) != 0) {
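Review bot: In the new `else` branch of chsc_process_sei_res_acc(), the pointer returned by `chpid_to_chp(chpid)` goes straight into `mutex_lock(&chp->lock)` without a check. It relies on the earlier `chp_get_status(chpid)` having returned a positive value, and the visible lines hold no lock across the two lookups. A comment stating the invariant would help, for example `/* status > 0: the channel path is registered, chp is valid */`. The result of `chp_update_desc(chp)` is also discarded; if that helper can report failure (its declaration is outside the hunk), the event is then processed with a descriptor that may be stale, which seems worth at least a debug message. The function body continues outside the hunk.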
diff --git a/queue-4.4/s390-uprobes-implement-arch_uretprobe_is_alive.patch b/queue-4.4/s390-uprobes-implement-arch_uretprobe_is_alive.patch
new file mode 100644 (file)
index 0000000..1708b55
--- /dev/null
@@ -0,0 +1,46 @@
+From 783c3b53b9506db3e05daacfe34e0287eebb09d8 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Mon, 16 Apr 2018 12:22:24 +0200
+Subject: s390/uprobes: implement arch_uretprobe_is_alive()
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit 783c3b53b9506db3e05daacfe34e0287eebb09d8 upstream.
+
+Implement s390 specific arch_uretprobe_is_alive() to avoid SIGSEGVs
+observed with uretprobes in combination with setjmp/longjmp.
+
+See commit 2dea1d9c38e4 ("powerpc/uprobes: Implement
+arch_uretprobe_is_alive()") for more details.
+
+With this implemented all test cases referenced in the above commit
+pass.
+
+Reported-by: Ziqian SUN <zsun@redhat.com>
+Cc: <stable@vger.kernel.org> # v4.3+
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/uprobes.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/s390/kernel/uprobes.c
++++ b/arch/s390/kernel/uprobes.c
+@@ -147,6 +147,15 @@ unsigned long arch_uretprobe_hijack_retu
+       return orig;
+ }
++bool arch_uretprobe_is_alive(struct return_instance *ret, enum rp_check ctx,
++                           struct pt_regs *regs)
++{
++      if (ctx == RP_CHECK_CHAIN_CALL)
++              return user_stack_pointer(regs) <= ret->stack;
++      else
++              return user_stack_pointer(regs) < ret->stack;
++}
++
+ /* Instruction Emulation */
+ static void adjust_psw_addr(psw_t *psw, unsigned long len)
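Review bot: The new arch_uretprobe_is_alive() has no comment explaining why `RP_CHECK_CHAIN_CALL` compares with `<=` while every other context uses `<`, and the commit message only points to the powerpc commit for the rationale. A short header comment would make the function readable on its own, e.g. `/* A return instance is alive while the user stack pointer is below the stack value recorded for it; for a chained call an equal value also counts. */`. As a style point, the `else` after the first `return` is redundant and the second `return` can stand unindented.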
diff --git a/queue-4.4/scsi-mptsas-disable-write-same.patch b/queue-4.4/scsi-mptsas-disable-write-same.patch
new file mode 100644 (file)
index 0000000..dc6a513
--- /dev/null
@@ -0,0 +1,31 @@
+From 94e5395d2403c8bc2504a7cbe4c4caaacb7b8b84 Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Wed, 18 Apr 2018 22:54:59 -0400
+Subject: scsi: mptsas: Disable WRITE SAME
+
+From: Martin K. Petersen <martin.petersen@oracle.com>
+
+commit 94e5395d2403c8bc2504a7cbe4c4caaacb7b8b84 upstream.
+
+First generation MPT Fusion controllers can not translate WRITE SAME
+when the attached device is a SATA drive. Disable WRITE SAME support.
+
+Reported-by: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/message/fusion/mptsas.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/message/fusion/mptsas.c
++++ b/drivers/message/fusion/mptsas.c
+@@ -1994,6 +1994,7 @@ static struct scsi_host_template mptsas_
+       .cmd_per_lun                    = 7,
+       .use_clustering                 = ENABLE_CLUSTERING,
+       .shost_attrs                    = mptscsih_host_attrs,
++      .no_write_same                  = 1,
+ };
+ static int mptsas_get_linkerrors(struct sas_phy *phy)
index 0ca520681c48122b879db7fdcfa77dd4f234d6de..b36ff8e5fb165e2017b04c9f2b43d0129e792938 100644 (file)
@@ -44,3 +44,7 @@ net-fix-deadlock-while-clearing-neighbor-proxy-table.patch
 tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch
 net-af_packet-fix-race-in-packet_-r-t-x_ring.patch
 ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch
+scsi-mptsas-disable-write-same.patch
+cdrom-information-leak-in-cdrom_ioctl_media_changed.patch
+s390-cio-update-chpid-descriptor-after-resource-accessibility-event.patch
+s390-uprobes-implement-arch_uretprobe_is_alive.patch