3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 17 Oct 2015 21:34:55 +0000 (14:34 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 17 Oct 2015 21:34:55 +0000 (14:34 -0700)
added patches:
regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
security-fix-typo-in-security_task_prctl.patch
udf-check-length-of-extended-attributes-and-allocation-descriptors.patch

queue-3.10/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch [new file with mode: 0644]
queue-3.10/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch [new file with mode: 0644]
queue-3.10/security-fix-typo-in-security_task_prctl.patch [new file with mode: 0644]
queue-3.10/series
queue-3.10/udf-check-length-of-extended-attributes-and-allocation-descriptors.patch [new file with mode: 0644]

diff --git a/queue-3.10/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch b/queue-3.10/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
new file mode 100644 (file)
index 0000000..2e84804
--- /dev/null
@@ -0,0 +1,35 @@
+From 176fc2d5770a0990eebff903ba680d2edd32e718 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@kernel.org>
+Date: Sat, 19 Sep 2015 07:12:34 -0700
+Subject: regmap: debugfs: Don't bother actually printing when calculating max length
+
+From: Mark Brown <broonie@kernel.org>
+
+commit 176fc2d5770a0990eebff903ba680d2edd32e718 upstream.
+
+The in kernel snprintf() will conveniently return the actual length of
+the printed string even if not given an output beffer at all so just do
+that rather than relying on the user to pass in a suitable buffer,
+ensuring that we don't need to worry if the buffer was truncated due to
+the size of the buffer passed in.
+
+Reported-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/regmap/regmap-debugfs.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -23,8 +23,7 @@ static struct dentry *regmap_debugfs_roo
+ /* Calculate the length of a fixed format  */
+ static size_t regmap_calc_reg_len(int max_val, char *buf, size_t buf_size)
+ {
+-      snprintf(buf, buf_size, "%x", max_val);
+-      return strlen(buf);
++      return snprintf(NULL, 0, "%x", max_val);
+ }
+ static ssize_t regmap_name_read_file(struct file *file,
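Review bot: `buf` and `buf_size` are no longer read once the body of `regmap_calc_reg_len()` is `return snprintf(NULL, 0, "%x", max_val);`, but the signature and the one-line comment above it still imply that a caller-supplied scratch buffer matters. I would extend that comment to say so, e.g. `/* Calculate the length of a fixed format; buf and buf_size are unused and kept only for existing callers */`, so nobody later assumes the buffer size bounds the returned length. Separately, `%x` formats `max_val` as unsigned, so a negative `int` would report the full-width hex length; whether any caller can pass one is not visible in this hunk.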
diff --git a/queue-3.10/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch b/queue-3.10/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
new file mode 100644 (file)
index 0000000..cdce2a1
--- /dev/null
@@ -0,0 +1,34 @@
+From b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@kernel.org>
+Date: Sat, 19 Sep 2015 07:00:18 -0700
+Subject: regmap: debugfs: Ensure we don't underflow when printing access masks
+
+From: Mark Brown <broonie@kernel.org>
+
+commit b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 upstream.
+
+If a read is attempted which is smaller than the line length then we may
+underflow the subtraction we're doing with the unsigned size_t type so
+move some of the calculation to be additions on the right hand side
+instead in order to avoid this.
+
+Reported-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/regmap/regmap-debugfs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -419,7 +419,7 @@ static ssize_t regmap_access_read_file(s
+               /* If we're in the region the user is trying to read */
+               if (p >= *ppos) {
+                       /* ...but not beyond it */
+-                      if (buf_pos >= count - 1 - tot_len)
++                      if (buf_pos + tot_len + 1 >= count)
+                               break;
+                       /* Format the register */
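Review bot: The rewritten bound `if (buf_pos + tot_len + 1 >= count)` gives no hint of why it is phrased as an addition, and the existing comment `/* ...but not beyond it */` reads the same for the old and new forms. The patch description says the old `count - 1 - tot_len` could wrap in `size_t` when the read is shorter than one line, which presumably let the test pass and formatting continue past the space the reader requested. I would record that next to the test, e.g. `/* ...but not beyond it; sum on the left so a small count cannot wrap */`, so a later cleanup does not fold it back into a subtraction. The declarations of `buf_pos` and `tot_len` are outside the hunk, so this assumes they are unsigned and small enough that the sum itself cannot wrap. regmap_access_read_file() starts and ends outside this hunk.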
diff --git a/queue-3.10/security-fix-typo-in-security_task_prctl.patch b/queue-3.10/security-fix-typo-in-security_task_prctl.patch
new file mode 100644 (file)
index 0000000..f92ad7c
--- /dev/null
@@ -0,0 +1,29 @@
+From b7f76ea2ef6739ee484a165ffbac98deb855d3d3 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jann@thejh.net>
+Date: Fri, 18 Sep 2015 23:41:23 +0200
+Subject: security: fix typo in security_task_prctl
+
+From: Jann Horn <jann@thejh.net>
+
+commit b7f76ea2ef6739ee484a165ffbac98deb855d3d3 upstream.
+
+Signed-off-by: Jann Horn <jann@thejh.net>
+Reviewed-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/security.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -2394,7 +2394,7 @@ static inline int security_task_prctl(in
+                                     unsigned long arg4,
+                                     unsigned long arg5)
+ {
+-      return cap_task_prctl(option, arg2, arg3, arg3, arg5);
++      return cap_task_prctl(option, arg2, arg3, arg4, arg5);
+ }
+ static inline void security_task_to_inode(struct task_struct *p, struct inode *inode)
index 2329f71c269dd68ac47d228d79fa75728f0d44b6..7f4fdf92507caa5131f1db8cc4d3a9e93dbe18ca 100644 (file)
@@ -28,3 +28,7 @@ usb-xhci-add-support-for-urb_zero_packet-to-bulk-sg-transfers.patch
 initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch
 ipvs-do-not-use-random-local-source-address-for-tunnels.patch
 ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch
+udf-check-length-of-extended-attributes-and-allocation-descriptors.patch
+regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
+regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
+security-fix-typo-in-security_task_prctl.patch
diff --git a/queue-3.10/udf-check-length-of-extended-attributes-and-allocation-descriptors.patch b/queue-3.10/udf-check-length-of-extended-attributes-and-allocation-descriptors.patch
new file mode 100644 (file)
index 0000000..cde0be5
--- /dev/null
@@ -0,0 +1,45 @@
+From 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 7 Jan 2015 13:49:08 +0100
+Subject: udf: Check length of extended attributes and allocation descriptors
+
+From: Jan Kara <jack@suse.cz>
+
+commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.
+
+Check length of extended attributes and allocation descriptors when
+loading inodes from disk. Otherwise corrupted filesystems could confuse
+the code and make the kernel oops.
+
+Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+[Jan and Jiri fixed it in 3.12 stable, i ported it to 3.10 stable,
+ replaced bs by inode->i_sb->s_blocksize]
+Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/inode.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1495,6 +1495,16 @@ static void udf_fill_inode(struct inode
+               iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
+       }
++      /*
++       * Sanity check length of allocation descriptors and extended attrs to
++       * avoid integer overflows
++       */
++      if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize || iinfo->i_lenAlloc > inode->i_sb->s_blocksize)
++              return;
++      /* Now do exact checks */
++      if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > inode->i_sb->s_blocksize)
++              return;
++
+       switch (fe->icbTag.fileType) {
+       case ICBTAG_FILE_TYPE_DIRECTORY:
+               inode->i_op = &udf_dir_inode_operations;
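Review bot: Both new length checks leave through a bare `return;`, and because `udf_fill_inode()` is `static void` the caller gets no signal that the on-disk lengths were rejected. The inode comes back with the fields set so far but without the `i_op` assignment made in the `switch` below. Unless the caller validates the inode separately (not visible here), I would mark it before leaving by putting `make_bad_inode(inode);` ahead of each `return;`, with braces around the two-statement bodies, so a corrupted image yields an I/O error instead of a half-initialised inode. The first comment could also state that bounding `i_lenEAttr` and `i_lenAlloc` by the block size is what keeps the addition in the second check from wrapping. The function body begins and ends outside the hunk.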