4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 17 Sep 2018 12:06:40 +0000 (14:06 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 17 Sep 2018 12:06:40 +0000 (14:06 +0200)
added patches:
autofs-fix-autofs_sbi-does-not-check-super-block-type.patch
mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch
netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
xhci-fix-use-after-free-in-xhci_free_virt_device.patch

queue-4.9/autofs-fix-autofs_sbi-does-not-check-super-block-type.patch [new file with mode: 0644]
queue-4.9/mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch [new file with mode: 0644]
queue-4.9/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/xhci-fix-use-after-free-in-xhci_free_virt_device.patch [new file with mode: 0644]

diff --git a/queue-4.9/autofs-fix-autofs_sbi-does-not-check-super-block-type.patch b/queue-4.9/autofs-fix-autofs_sbi-does-not-check-super-block-type.patch
new file mode 100644 (file)
index 0000000..1d771f0
--- /dev/null
@@ -0,0 +1,58 @@
+From 0633da48f0793aeba27f82d30605624416723a91 Mon Sep 17 00:00:00 2001
+From: Ian Kent <raven@themaw.net>
+Date: Tue, 21 Aug 2018 21:51:45 -0700
+Subject: autofs: fix autofs_sbi() does not check super block type
+
+From: Ian Kent <raven@themaw.net>
+
+commit 0633da48f0793aeba27f82d30605624416723a91 upstream.
+
+autofs_sbi() does not check the superblock magic number to verify it has
+been given an autofs super block.
+
+Backport Note: autofs4 has been renamed to autofs upstream. As a result
+the upstream patch does not apply cleanly onto 4.14.y.
+
+Link: http://lkml.kernel.org/r/153475422934.17131.7563724552005298277.stgit@pluto.themaw.net
+Reported-by: <syzbot+87c3c541582e56943277@syzkaller.appspotmail.com>
+Signed-off-by: Ian Kent <raven@themaw.net>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Zubin Mithra <zsm@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/autofs4/autofs_i.h |    4 +++-
+ fs/autofs4/inode.c    |    1 -
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/autofs4/autofs_i.h
++++ b/fs/autofs4/autofs_i.h
+@@ -14,6 +14,7 @@
+ #include <linux/mutex.h>
+ #include <linux/spinlock.h>
+ #include <linux/list.h>
++#include <linux/magic.h>
+ /* This is the range of ioctl() numbers we claim as ours */
+ #define AUTOFS_IOC_FIRST     AUTOFS_IOC_READY
+@@ -123,7 +124,8 @@ struct autofs_sb_info {
+ static inline struct autofs_sb_info *autofs4_sbi(struct super_block *sb)
+ {
+-      return (struct autofs_sb_info *)(sb->s_fs_info);
++      return sb->s_magic != AUTOFS_SUPER_MAGIC ?
++              NULL : (struct autofs_sb_info *)(sb->s_fs_info);
+ }
+ static inline struct autofs_info *autofs4_dentry_ino(struct dentry *dentry)
+--- a/fs/autofs4/inode.c
++++ b/fs/autofs4/inode.c
+@@ -14,7 +14,6 @@
+ #include <linux/pagemap.h>
+ #include <linux/parser.h>
+ #include <linux/bitops.h>
+-#include <linux/magic.h>
+ #include "autofs_i.h"
+ #include <linux/module.h>
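Review bot: autofs4_sbi() in fs/autofs4/autofs_i.h can now return NULL, but this patch changes only the helper, so any caller that dereferences the result without a check would trade the former type confusion for a NULL pointer dereference. The call sites are outside this patch and should be audited as part of the backport. A one-line comment above the helper would make the new contract visible, for example `/* Returns NULL if sb is not an autofs super block; callers must check. */`. Separately, the backport note in the description names 4.14.y while this file is queued for 4.9, which is worth correcting so the provenance of the backport is unambiguous.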
diff --git a/queue-4.9/mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch b/queue-4.9/mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch
new file mode 100644 (file)
index 0000000..9e5ce0f
--- /dev/null
@@ -0,0 +1,50 @@
+From 7233982ade15eeac05c6f351e8d347406e6bcd2f Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Thu, 18 Jan 2018 14:05:05 +0000
+Subject: mtd: ubi: wl: Fix error return code in ubi_wl_init()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+commit 7233982ade15eeac05c6f351e8d347406e6bcd2f upstream.
+
+Fix to return error code -ENOMEM from the kmem_cache_alloc() error
+handling case instead of 0, as done elsewhere in this function.
+
+Fixes: f78e5623f45b ("ubi: fastmap: Erase outdated anchor PEBs during
+attach")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Reviewed-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/wl.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -1615,8 +1615,10 @@ int ubi_wl_init(struct ubi_device *ubi,
+               cond_resched();
+               e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL);
+-              if (!e)
++              if (!e) {
++                      err = -ENOMEM;
+                       goto out_free;
++              }
+               e->pnum = aeb->pnum;
+               e->ec = aeb->ec;
+@@ -1635,8 +1637,10 @@ int ubi_wl_init(struct ubi_device *ubi,
+                       cond_resched();
+                       e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL);
+-                      if (!e)
++                      if (!e) {
++                              err = -ENOMEM;
+                               goto out_free;
++                      }
+                       e->pnum = aeb->pnum;
+                       e->ec = aeb->ec;
diff --git a/queue-4.9/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch b/queue-4.9/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
new file mode 100644 (file)
index 0000000..b4738fb
--- /dev/null
@@ -0,0 +1,49 @@
+From e466af75c074e76107ae1cd5a2823e9c61894ffb Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Oct 2017 02:50:07 -0700
+Subject: netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit e466af75c074e76107ae1cd5a2823e9c61894ffb upstream.
+
+syzkaller reports an out of bound read in strlcpy(), triggered
+by xt_copy_counters_from_user()
+
+Fix this by using memcpy(), then forcing a zero byte at the last position
+of the destination, as Florian did for the non COMPAT code.
+
+Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use xt_copy_counters_from_user")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Greg Hackmann <ghackmann@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/x_tables.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -877,7 +877,7 @@ void *xt_copy_counters_from_user(const v
+               if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
+                       return ERR_PTR(-EFAULT);
+-              strlcpy(info->name, compat_tmp.name, sizeof(info->name));
++              memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);
+               info->num_counters = compat_tmp.num_counters;
+               user += sizeof(compat_tmp);
+       } else
+@@ -890,9 +890,9 @@ void *xt_copy_counters_from_user(const v
+               if (copy_from_user(info, user, sizeof(*info)) != 0)
+                       return ERR_PTR(-EFAULT);
+-              info->name[sizeof(info->name) - 1] = '\0';
+               user += sizeof(*info);
+       }
++      info->name[sizeof(info->name) - 1] = '\0';
+       size = sizeof(struct xt_counters);
+       size *= info->num_counters;
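Review bot: The new `memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1)` in the compat branch reads a fixed number of bytes from compat_tmp.name, which is in bounds only if that field is at least as large as info->name. Both declarations are outside the hunk, so the two sizes presumably match, but nothing here enforces it. A compile-time check next to the copy would pin the assumption: `BUILD_BUG_ON(sizeof(info->name) != sizeof(compat_tmp.name));`. The body of xt_copy_counters_from_user() starts and ends outside the hunk.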
index 8249757916553efb07bf5015ebd9736246a1cf36..9a62c17ee010df894eaf357766ef5f327034ccf7 100644 (file)
@@ -64,3 +64,7 @@ f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch
 nfsv4.1-fix-a-potential-layoutget-layoutrecall-deadlock.patch
 mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch
 rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch
+xhci-fix-use-after-free-in-xhci_free_virt_device.patch
+netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
+mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch
+autofs-fix-autofs_sbi-does-not-check-super-block-type.patch
diff --git a/queue-4.9/xhci-fix-use-after-free-in-xhci_free_virt_device.patch b/queue-4.9/xhci-fix-use-after-free-in-xhci_free_virt_device.patch
new file mode 100644 (file)
index 0000000..36dbb8b
--- /dev/null
@@ -0,0 +1,47 @@
+From 44a182b9d17765514fa2b1cc911e4e65134eef93 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Thu, 3 May 2018 17:30:07 +0300
+Subject: xhci: Fix use-after-free in xhci_free_virt_device
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 44a182b9d17765514fa2b1cc911e4e65134eef93 upstream.
+
+KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e
+where xhci_free_virt_device() sets slot id to 0 if udev exists:
+if (dev->udev && dev->udev->slot_id)
+       dev->udev->slot_id = 0;
+
+dev->udev will be true even if udev is freed because dev->udev is
+not set to NULL.
+
+set dev->udev pointer to NULL in xhci_free_dev()
+
+The original patch went to stable so this fix needs to be applied
+there as well.
+
+Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot")
+Cc: <stable@vger.kernel.org>
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -3656,6 +3656,9 @@ void xhci_free_dev(struct usb_hcd *hcd,
+       }
+       spin_lock_irqsave(&xhci->lock, flags);
++
++      virt_dev->udev = NULL;
++
+       /* Don't disable the slot if the host controller is dead. */
+       state = readl(&xhci->op_regs->status);
+       if (state == 0xffffffff || (xhci->xhc_state & XHCI_STATE_DYING) ||
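Review bot: The added `virt_dev->udev = NULL;` in xhci_free_dev() carries no comment, so its purpose (keeping xhci_free_virt_device() from writing slot_id through a pointer to an already freed usb_device) can only be recovered from the commit message. I would add a line above it such as `/* udev may be freed after this call; clear the stale pointer so xhci_free_virt_device() skips it */`. Any other reader of virt_dev->udev now has to tolerate NULL and presumably needs to hold xhci->lock; those sites are outside this hunk. The function continues past the last line shown.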