3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 5 Jul 2018 18:20:01 +0000 (20:20 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 5 Jul 2018 18:20:01 +0000 (20:20 +0200)
added patches:
atm-zatm-fix-memcmp-casting.patch
net-qmi_wwan-add-netgear-aircard-779s.patch
net-sonic-use-dma_mapping_error.patch
netfilter-ebtables-handle-string-from-userspace-with-care.patch
ubi-fastmap-correctly-handle-interrupted-erasures-in-eba.patch

queue-3.18/atm-zatm-fix-memcmp-casting.patch [new file with mode: 0644]
queue-3.18/net-qmi_wwan-add-netgear-aircard-779s.patch [new file with mode: 0644]
queue-3.18/net-sonic-use-dma_mapping_error.patch [new file with mode: 0644]
queue-3.18/netfilter-ebtables-handle-string-from-userspace-with-care.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/ubi-fastmap-correctly-handle-interrupted-erasures-in-eba.patch [new file with mode: 0644]

diff --git a/queue-3.18/atm-zatm-fix-memcmp-casting.patch b/queue-3.18/atm-zatm-fix-memcmp-casting.patch
new file mode 100644 (file)
index 0000000..ab7dead
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Thu Jul  5 20:19:50 CEST 2018
+From: Ivan Bornyakov <brnkv.i1@gmail.com>
+Date: Fri, 25 May 2018 20:49:52 +0300
+Subject: atm: zatm: fix memcmp casting
+
+From: Ivan Bornyakov <brnkv.i1@gmail.com>
+
+[ Upstream commit f9c6442a8f0b1dde9e755eb4ff6fa22bcce4eabc ]
+
+memcmp() returns int, but eprom_try_esi() cast it to unsigned char. One
+can lose significant bits and get 0 from non-0 value returned by the
+memcmp().
+
+Signed-off-by: Ivan Bornyakov <brnkv.i1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/zatm.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/atm/zatm.c
++++ b/drivers/atm/zatm.c
+@@ -1148,8 +1148,8 @@ static void eprom_get_byte(struct zatm_d
+ }
+-static unsigned char eprom_try_esi(struct atm_dev *dev, unsigned short cmd,
+-                                 int offset, int swap)
++static int eprom_try_esi(struct atm_dev *dev, unsigned short cmd, int offset,
++                       int swap)
+ {
+       unsigned char buf[ZEPROM_SIZE];
+       struct zatm_dev *zatm_dev;
diff --git a/queue-3.18/net-qmi_wwan-add-netgear-aircard-779s.patch b/queue-3.18/net-qmi_wwan-add-netgear-aircard-779s.patch
new file mode 100644 (file)
index 0000000..9dc2099
--- /dev/null
@@ -0,0 +1,30 @@
+From foo@baz Thu Jul  5 20:19:50 CEST 2018
+From: Josh Hill <josh@joshuajhill.com>
+Date: Sun, 27 May 2018 20:10:41 -0400
+Subject: net: qmi_wwan: Add Netgear Aircard 779S
+
+From: Josh Hill <josh@joshuajhill.com>
+
+[ Upstream commit 2415f3bd059fe050eb98aedf93664d000ceb4e92 ]
+
+Add support for Netgear Aircard 779S
+
+Signed-off-by: Josh Hill <josh@joshuajhill.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -677,6 +677,7 @@ static const struct usb_device_id produc
+       {QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
+       {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+       {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
++      {QMI_FIXED_INTF(0x0846, 0x68d3, 8)},    /* Netgear Aircard 779S */
+       {QMI_FIXED_INTF(0x12d1, 0x140c, 1)},    /* Huawei E173 */
+       {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)},    /* Huawei E1820 */
+       {QMI_FIXED_INTF(0x1435, 0xd181, 3)},    /* Wistron NeWeb D18Q1 */
diff --git a/queue-3.18/net-sonic-use-dma_mapping_error.patch b/queue-3.18/net-sonic-use-dma_mapping_error.patch
new file mode 100644 (file)
index 0000000..db05fb9
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Thu Jul  5 20:19:50 CEST 2018
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 30 May 2018 13:03:51 +1000
+Subject: net/sonic: Use dma_mapping_error()
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit 26de0b76d9ba3200f09c6cb9d9618bda338be5f7 ]
+
+With CONFIG_DMA_API_DEBUG=y, calling sonic_open() produces the
+message, "DMA-API: device driver failed to check map error".
+Add the missing dma_mapping_error() call.
+
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Acked-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/natsemi/sonic.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/natsemi/sonic.c
++++ b/drivers/net/ethernet/natsemi/sonic.c
+@@ -71,7 +71,7 @@ static int sonic_open(struct net_device
+       for (i = 0; i < SONIC_NUM_RRS; i++) {
+               dma_addr_t laddr = dma_map_single(lp->device, skb_put(lp->rx_skb[i], SONIC_RBSIZE),
+                                                 SONIC_RBSIZE, DMA_FROM_DEVICE);
+-              if (!laddr) {
++              if (dma_mapping_error(lp->device, laddr)) {
+                       while(i > 0) { /* free any that were mapped successfully */
+                               i--;
+                               dma_unmap_single(lp->device, lp->rx_laddr[i], SONIC_RBSIZE, DMA_FROM_DEVICE);
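Review bot: The removed test `if (!laddr)` used a zero address as the failure value, and the new `dma_mapping_error()` check drops that convention only at this one call site in `sonic_open()`. If code outside this hunk (teardown paths, for instance) still treats `lp->rx_laddr[i] == 0` as "not mapped", it now disagrees with this check and a buffer mapped at address 0 would never be unmapped; that is inferred, since the rest of the driver is not visible here. I would at least record the convention next to the check, e.g. `/* 0 may be a valid DMA address; only dma_mapping_error() reports failure */`. The body of `sonic_open()` continues outside the hunk.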
diff --git a/queue-3.18/netfilter-ebtables-handle-string-from-userspace-with-care.patch b/queue-3.18/netfilter-ebtables-handle-string-from-userspace-with-care.patch
new file mode 100644 (file)
index 0000000..61fe41a
--- /dev/null
@@ -0,0 +1,100 @@
+From foo@baz Thu Jul  5 20:19:50 CEST 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 27 Apr 2018 10:45:31 +0200
+Subject: netfilter: ebtables: handle string from userspace with care
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 94c752f99954797da583a84c4907ff19e92550a4 ]
+
+strlcpy() can't be safely used on a user-space provided string,
+as it can try to read beyond the buffer's end, if the latter is
+not NULL terminated.
+
+Leveraging the above, syzbot has been able to trigger the following
+splat:
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
+[inline]
+BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
+net/bridge/netfilter/ebtables.c:1957 [inline]
+BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
+net/bridge/netfilter/ebtables.c:2059 [inline]
+BUG: KASAN: stack-out-of-bounds in size_entry_mwt
+net/bridge/netfilter/ebtables.c:2155 [inline]
+BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
+net/bridge/netfilter/ebtables.c:2194
+Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
+
+CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+  __dump_stack lib/dump_stack.c:77 [inline]
+  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+  print_address_description+0x6c/0x20b mm/kasan/report.c:256
+  kasan_report_error mm/kasan/report.c:354 [inline]
+  kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+  check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+  check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+  memcpy+0x37/0x50 mm/kasan/kasan.c:303
+  strlcpy include/linux/string.h:300 [inline]
+  compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
+  ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
+  size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
+  compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
+  compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
+  compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
+  compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
+  compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
+  compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
+  inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
+  compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
+  compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
+  __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
+  __do_compat_sys_setsockopt net/compat.c:416 [inline]
+  __se_compat_sys_setsockopt net/compat.c:413 [inline]
+  __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
+  do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
+  do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
+  entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7fb3cb9
+RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
+RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+The buggy address belongs to the page:
+page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x2fffc0000000000()
+raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
+raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
+page dumped because: kasan: bad access detected
+
+Fix the issue replacing the unsafe function with strscpy() and
+taking care of possible errors.
+
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/netfilter/ebtables.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1910,7 +1910,8 @@ static int compat_mtw_from_user(struct c
+       int off, pad = 0;
+       unsigned int size_kern, match_size = mwt->match_size;
+-      strlcpy(name, mwt->u.name, sizeof(name));
++      if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
++              return -EINVAL;
+       if (state->buf_kern_start)
+               dst = state->buf_kern_start + state->buf_kern_offset;
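Review bot: The new `strscpy()` call in `compat_mtw_from_user()` depends on a helper that, as far as I know, was added upstream after the 3.18 base, and nothing in the visible `series` context provides it. Please confirm it exists in the tree this queue applies to, and if it does not, queue the patch that introduces it ahead of this one. The check also changes behaviour: a name that does not fit in `name` used to be silently truncated and is now rejected with `-EINVAL`, which deserves a short comment above the call such as `/* mwt->u.name is user-supplied and may lack a NUL terminator */`. The function body starts and ends outside the hunk.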
index ae17daf5cfebc137a14332062407df6c77f75526..cdd72b300347333429780fa6fb5d2a4540a08050 100644 (file)
@@ -1,3 +1,8 @@
 n_tty-fix-stall-at-n_tty_receive_char_special.patch
 staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch
 x86-boot-fix-early-command-line-parsing-when-matching-at-end.patch
+ubi-fastmap-correctly-handle-interrupted-erasures-in-eba.patch
+netfilter-ebtables-handle-string-from-userspace-with-care.patch
+atm-zatm-fix-memcmp-casting.patch
+net-qmi_wwan-add-netgear-aircard-779s.patch
+net-sonic-use-dma_mapping_error.patch
diff --git a/queue-3.18/ubi-fastmap-correctly-handle-interrupted-erasures-in-eba.patch b/queue-3.18/ubi-fastmap-correctly-handle-interrupted-erasures-in-eba.patch
new file mode 100644 (file)
index 0000000..72aa638
--- /dev/null
@@ -0,0 +1,144 @@
+From 781932375ffc6411713ee0926ccae8596ed0261c Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Mon, 28 May 2018 22:04:32 +0200
+Subject: ubi: fastmap: Correctly handle interrupted erasures in EBA
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 781932375ffc6411713ee0926ccae8596ed0261c upstream.
+
+Fastmap cannot track the LEB unmap operation, therefore it can
+happen that after an interrupted erasure the mapping still looks
+good from Fastmap's point of view, while reading from the PEB will
+cause an ECC error and confuses the upper layer.
+
+Instead of teaching users of UBI how to deal with that, we read back
+the VID header and check for errors. If the PEB is empty or shows ECC
+errors we fixup the mapping and schedule the PEB for erasure.
+
+Fixes: dbb7d2a88d2a ("UBI: Add fastmap core")
+Cc: <stable@vger.kernel.org>
+Reported-by: martin bayern <Martinbayern@outlook.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/mtd/ubi/eba.c |   92 +++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 91 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/ubi/eba.c
++++ b/drivers/mtd/ubi/eba.c
+@@ -350,6 +350,82 @@ out_unlock:
+       return err;
+ }
++#ifdef CONFIG_MTD_UBI_FASTMAP
++/**
++ * check_mapping - check and fixup a mapping
++ * @ubi: UBI device description object
++ * @vol: volume description object
++ * @lnum: logical eraseblock number
++ * @pnum: physical eraseblock number
++ *
++ * Checks whether a given mapping is valid. Fastmap cannot track LEB unmap
++ * operations, if such an operation is interrupted the mapping still looks
++ * good, but upon first read an ECC is reported to the upper layer.
++ * Normaly during the full-scan at attach time this is fixed, for Fastmap
++ * we have to deal with it while reading.
++ * If the PEB behind a LEB shows this symthom we change the mapping to
++ * %UBI_LEB_UNMAPPED and schedule the PEB for erasure.
++ *
++ * Returns 0 on success, negative error code in case of failure.
++ */
++static int check_mapping(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
++                       int *pnum)
++{
++      int err;
++      struct ubi_vid_hdr *vid_hdr;
++
++      if (!ubi->fast_attach)
++              return 0;
++
++      vid_hdr = ubi_zalloc_vid_hdr(ubi, GFP_NOFS);
++      if (!vid_hdr)
++              return -ENOMEM;
++
++      err = ubi_io_read_vid_hdr(ubi, *pnum, vid_hdr, 0);
++      if (err > 0 && err != UBI_IO_BITFLIPS) {
++              int torture = 0;
++
++              switch (err) {
++                      case UBI_IO_FF:
++                      case UBI_IO_FF_BITFLIPS:
++                      case UBI_IO_BAD_HDR:
++                      case UBI_IO_BAD_HDR_EBADMSG:
++                              break;
++                      default:
++                              ubi_assert(0);
++              }
++
++              if (err == UBI_IO_BAD_HDR_EBADMSG || err == UBI_IO_FF_BITFLIPS)
++                      torture = 1;
++
++              down_read(&ubi->fm_sem);
++              vol->eba_tbl[lnum] = UBI_LEB_UNMAPPED;
++              up_read(&ubi->fm_sem);
++              ubi_wl_put_peb(ubi, vol->vol_id, lnum, *pnum, torture);
++
++              *pnum = UBI_LEB_UNMAPPED;
++      } else if (err < 0) {
++              ubi_err("unable to read VID header back from PEB %i: %i",
++                      *pnum, err);
++
++              goto out_free;
++      }
++
++      err = 0;
++
++out_free:
++      ubi_free_vid_hdr(ubi, vid_hdr);
++
++      return err;
++}
++#else
++static int check_mapping(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
++                int *pnum)
++{
++      return 0;
++}
++#endif
++
+ /**
+  * ubi_eba_read_leb - read data.
+  * @ubi: UBI device description object
+@@ -381,7 +457,13 @@ int ubi_eba_read_leb(struct ubi_device *
+               return err;
+       pnum = vol->eba_tbl[lnum];
+-      if (pnum < 0) {
++      if (pnum >= 0) {
++              err = check_mapping(ubi, vol, lnum, &pnum);
++              if (err < 0)
++                      goto out_unlock;
++      }
++
++      if (pnum == UBI_LEB_UNMAPPED) {
+               /*
+                * The logical eraseblock is not mapped, fill the whole buffer
+                * with 0xFF bytes. The exception is static volumes for which
+@@ -627,6 +709,14 @@ int ubi_eba_write_leb(struct ubi_device
+       pnum = vol->eba_tbl[lnum];
+       if (pnum >= 0) {
++              err = check_mapping(ubi, vol, lnum, &pnum);
++              if (err < 0) {
++                      leb_write_unlock(ubi, vol_id, lnum);
++                      return err;
++              }
++      }
++
++      if (pnum >= 0) {
+               dbg_eba("write %d bytes at offset %d of LEB %d:%d, PEB %d",
+                       len, offset, vol_id, lnum, pnum);
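Review bot: The return value of `ubi_wl_put_peb()` is dropped in the new `check_mapping()`, so the function still returns 0 if scheduling the PEB for erasure fails, even though `vol->eba_tbl[lnum]` has already been set to `UBI_LEB_UNMAPPED`. Assuming the helper returns a negative error code like the other UBI calls here, I would move `*pnum = UBI_LEB_UNMAPPED;` above the call and write `err = ubi_wl_put_peb(ubi, vol->vol_id, lnum, *pnum_old, torture);` followed by `if (err) goto out_free;`, where `pnum_old` is a local copy of the old PEB number. Separately, the `default: ubi_assert(0);` arm falls through to the unmap-and-erase path when assertions are compiled out, so an unexpected positive code from `ubi_io_read_vid_hdr()` would discard the mapping; an explicit error return there would be safer. The kerneldoc also has two typos, "Normaly" and "symthom".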