From: Greg Kroah-Hartman
Date: Sat, 17 Oct 2015 21:34:55 +0000 (-0700)
Subject: 3.10-stable patches
X-Git-Tag: v3.10.91~37
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6c948d5ec0625715d5440edd877a5ab531c8183e;p=thirdparty%2Fkernel%2Fstable-queue.git
3.10-stable patches
added patches:
regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
security-fix-typo-in-security_task_prctl.patch
udf-check-length-of-extended-attributes-and-allocation-descriptors.patch
---
diff --git a/queue-3.10/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch b/queue-3.10/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
new file mode 100644
index 00000000000..2e84804d4c6
--- /dev/null
+++ b/queue-3.10/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
@@ -0,0 +1,35 @@
+From 176fc2d5770a0990eebff903ba680d2edd32e718 Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Sat, 19 Sep 2015 07:12:34 -0700
+Subject: regmap: debugfs: Don't bother actually printing when calculating max length
+
+From: Mark Brown
+
+commit 176fc2d5770a0990eebff903ba680d2edd32e718 upstream.
+
+The in kernel snprintf() will conveniently return the actual length of
+the printed string even if not given an output beffer at all so just do
+that rather than relying on the user to pass in a suitable buffer,
+ensuring that we don't need to worry if the buffer was truncated due to
+the size of the buffer passed in.
+
+Reported-by: Rasmus Villemoes
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/regmap/regmap-debugfs.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -23,8 +23,7 @@ static struct dentry *regmap_debugfs_roo
+ /* Calculate the length of a fixed format */
+ static size_t regmap_calc_reg_len(int max_val, char *buf, size_t buf_size)
+ {
+- snprintf(buf, buf_size, "%x", max_val);
+- return strlen(buf);
++ return snprintf(NULL, 0, "%x", max_val);
+ }
+
+ static ssize_t regmap_name_read_file(struct file *file,
diff --git a/queue-3.10/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch b/queue-3.10/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
new file mode 100644
index 00000000000..cdce2a1b6e3
--- /dev/null
+++ b/queue-3.10/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
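Review bot: In the inner patch to drivers/base/regmap/regmap-debugfs.c, `regmap_calc_reg_len()` keeps its `buf` and `buf_size` parameters although the new body never touches them, and the one-line comment above the function does not say so. Callers are outside the hunk and still have to pass a buffer, so I would extend the comment to `/* Calculate the length of a fixed format; buf and buf_size are unused, snprintf(NULL, 0, ...) only measures */` to keep a later reader from assuming the buffer gets filled. The function also returns `size_t` from an `int` snprintf() result; with the fixed `"%x"` format a negative value is not expected, but the implicit conversion deserves a word in that comment.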
@@ -0,0 +1,34 @@
+From b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Sat, 19 Sep 2015 07:00:18 -0700
+Subject: regmap: debugfs: Ensure we don't underflow when printing access masks
+
+From: Mark Brown
+
+commit b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 upstream.
+
+If a read is attempted which is smaller than the line length then we may
+underflow the subtraction we're doing with the unsigned size_t type so
+move some of the calculation to be additions on the right hand side
+instead in order to avoid this.
+
+Reported-by: Rasmus Villemoes
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/regmap/regmap-debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -419,7 +419,7 @@ static ssize_t regmap_access_read_file(s
+ /* If we're in the region the user is trying to read */
+ if (p >= *ppos) {
+ /* ...but not beyond it */
+- if (buf_pos >= count - 1 - tot_len)
++ if (buf_pos + tot_len + 1 >= count)
+ break;
+
+ /* Format the register */
diff --git a/queue-3.10/security-fix-typo-in-security_task_prctl.patch b/queue-3.10/security-fix-typo-in-security_task_prctl.patch
new file mode 100644
index 00000000000..f92ad7cebc3
--- /dev/null
+++ b/queue-3.10/security-fix-typo-in-security_task_prctl.patch
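Review bot: The rewritten bound `if (buf_pos + tot_len + 1 >= count)` in regmap_access_read_file() is only safe while it stays in addition form, and the comment beside it (`/* ...but not beyond it */`) does not record that. I would add `/* Compare by addition: count - 1 - tot_len wraps when count is smaller than one line */` above the test so it is not folded back into a subtraction during a later cleanup. The declarations of `buf_pos`, `tot_len` and `count` are outside the hunk, so the unsigned types are taken from the patch description. Whether other read handlers in this file still use the subtracting form cannot be checked from here and is worth a look before the backport is considered complete.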
@@ -0,0 +1,29 @@
+From b7f76ea2ef6739ee484a165ffbac98deb855d3d3 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Fri, 18 Sep 2015 23:41:23 +0200
+Subject: security: fix typo in security_task_prctl
+
+From: Jann Horn
+
+commit b7f76ea2ef6739ee484a165ffbac98deb855d3d3 upstream.
+
+Signed-off-by: Jann Horn
+Reviewed-by: Andy Lutomirski
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/security.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -2394,7 +2394,7 @@ static inline int security_task_prctl(in
+ unsigned long arg4,
+ unsigned long arg5)
+ {
+- return cap_task_prctl(option, arg2, arg3, arg3, arg5);
++ return cap_task_prctl(option, arg2, arg3, arg4, arg5);
+ }
+
+ static inline void security_task_to_inode(struct task_struct *p, struct inode *inode)
diff --git a/queue-3.10/series b/queue-3.10/series
index 2329f71c269..7f4fdf92507 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -28,3 +28,7 @@ usb-xhci-add-support-for-urb_zero_packet-to-bulk-sg-transfers.patch
 initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch
 ipvs-do-not-use-random-local-source-address-for-tunnels.patch
 ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch
+udf-check-length-of-extended-attributes-and-allocation-descriptors.patch
+regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
+regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
+security-fix-typo-in-security_task_prctl.patch
diff --git a/queue-3.10/udf-check-length-of-extended-attributes-and-allocation-descriptors.patch b/queue-3.10/udf-check-length-of-extended-attributes-and-allocation-descriptors.patch
new file mode 100644
index 00000000000..cde0be55f88
--- /dev/null
+++ b/queue-3.10/udf-check-length-of-extended-attributes-and-allocation-descriptors.patch
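Review bot: The inner patch to include/linux/security.h has no changelog body, so someone triaging the stable queue cannot tell from it what the duplicated `arg3` meant in practice: before the fix `security_task_prctl()` handed `arg3` to `cap_task_prctl()` in the position of `arg4`, and the caller's `arg4` was dropped. One sentence naming the builds that use this `static inline` variant would help; presumably it is the one compiled when the full security hooks are configured out, but the surrounding preprocessor condition is outside the hunk. Four of the five parameters share the type `unsigned long`, so the compiler cannot catch a repeated or swapped argument, and the other pass-through stubs in this header are worth checking for the same slip.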
@@ -0,0 +1,45 @@
+From 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Wed, 7 Jan 2015 13:49:08 +0100
+Subject: udf: Check length of extended attributes and allocation descriptors
+
+From: Jan Kara
+
+commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.
+
+Check length of extended attributes and allocation descriptors when
+loading inodes from disk. Otherwise corrupted filesystems could confuse
+the code and make the kernel oops.
+
+Reported-by: Carl Henrik Lunde
+Cc: stable@vger.kernel.org
+Signed-off-by: Jan Kara
+Signed-off-by: Jiri Slaby
+[Jan and Jiri fixed it in 3.12 stable, i ported it to 3.10 stable,
+ replaced bs by inode->i_sb->s_blocksize]
+Signed-off-by: Zhang Zhen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/udf/inode.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1495,6 +1495,16 @@ static void udf_fill_inode(struct inode
+ iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
+ }
+
++ /*
++ * Sanity check length of allocation descriptors and extended attrs to
++ * avoid integer overflows
++ */
++ if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize || iinfo->i_lenAlloc > inode->i_sb->s_blocksize)
++ return;
++ /* Now do exact checks */
++ if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > inode->i_sb->s_blocksize)
++ return;
++
+ switch (fe->icbTag.fileType) {
+ case ICBTAG_FILE_TYPE_DIRECTORY:
+ inode->i_op = &udf_dir_inode_operations;
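Review bot: Both new length checks in udf_fill_inode() leave through a bare `return;`, and because the function is `void` (per the inner hunk header) the caller gets no signal that the on-disk lengths were rejected; the `switch` that assigns `inode->i_op` is skipped, so the inode may be left half-initialised. Unless the caller handles this in code outside the hunk, I would mark the inode bad on both paths by putting `make_bad_inode(inode);` before each `return;` inside braces, and ideally log the rejected `i_lenEAttr` and `i_lenAlloc` values so a corrupted image is diagnosable. The added comment says the checks "avoid integer overflows" while the changelog speaks of an oops on corrupted filesystems; a comment line stating that both lengths are read from disk and are untrusted would tie the two together. The function body starts and ends outside the hunk.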