From: Greg Kroah-Hartman Date: Fri, 27 Apr 2018 12:19:31 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.107~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=169ee8e4064413689c2d2c7edc46d32002fbb6f4;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: cdrom-information-leak-in-cdrom_ioctl_media_changed.patch scsi-mptsas-disable-write-same.patch --- diff --git a/queue-3.18/cdrom-information-leak-in-cdrom_ioctl_media_changed.patch b/queue-3.18/cdrom-information-leak-in-cdrom_ioctl_media_changed.patch new file mode 100644 index 00000000000..fe415a51969 --- /dev/null +++ b/queue-3.18/cdrom-information-leak-in-cdrom_ioctl_media_changed.patch @@ -0,0 +1,36 @@ +From 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 18 Apr 2018 12:51:31 +0300 +Subject: cdrom: information leak in cdrom_ioctl_media_changed() + +From: Dan Carpenter + +commit 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707 upstream. + +This cast is wrong. "cdi->capacity" is an int and "arg" is an unsigned +long. The way the check is written now, if one of the high 32 bits is +set then we could read outside the info->slots[] array. + +This bug is pretty old and it predates git. + +Reviewed-by: Christoph Hellwig +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cdrom/cdrom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2357,7 +2357,7 @@ static int cdrom_ioctl_media_changed(str + if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT) + return media_changed(cdi, 1); + +- if ((unsigned int)arg >= cdi->capacity) ++ if (arg >= cdi->capacity) + return -EINVAL; + + info = kmalloc(sizeof(*info), GFP_KERNEL); diff --git a/queue-3.18/scsi-mptsas-disable-write-same.patch b/queue-3.18/scsi-mptsas-disable-write-same.patch new file mode 100644 index 00000000000..dc6a51393bc --- /dev/null +++ b/queue-3.18/scsi-mptsas-disable-write-same.patch @@ -0,0 +1,31 @@ +From 94e5395d2403c8bc2504a7cbe4c4caaacb7b8b84 Mon Sep 17 00:00:00 2001 +From: "Martin K. Petersen" +Date: Wed, 18 Apr 2018 22:54:59 -0400 +Subject: scsi: mptsas: Disable WRITE SAME + +From: Martin K. Petersen + +commit 94e5395d2403c8bc2504a7cbe4c4caaacb7b8b84 upstream. + +First generation MPT Fusion controllers can not translate WRITE SAME +when the attached device is a SATA drive. Disable WRITE SAME support. + +Reported-by: Nikola Ciprich +Cc: +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/message/fusion/mptsas.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/message/fusion/mptsas.c ++++ b/drivers/message/fusion/mptsas.c +@@ -1994,6 +1994,7 @@ static struct scsi_host_template mptsas_ + .cmd_per_lun = 7, + .use_clustering = ENABLE_CLUSTERING, + .shost_attrs = mptscsih_host_attrs, ++ .no_write_same = 1, + }; + + static int mptsas_get_linkerrors(struct sas_phy *phy) diff --git a/queue-3.18/series b/queue-3.18/series index 6ef1e471f2b..b6df8d5eb16 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -20,3 +20,5 @@ tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch net-af_packet-fix-race-in-packet_-r-t-x_ring.patch llc-delete-timers-synchronously-in-llc_sk_free.patch ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch +scsi-mptsas-disable-write-same.patch +cdrom-information-leak-in-cdrom_ioctl_media_changed.patch