From 6afaec71dbae2c5452c232f82d0fdcccfe08e54f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 27 Dec 2024 16:27:42 +0100
Subject: [PATCH] 6.1-stable patches

added patches:
	mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch
---
 ...perand-to-prevent-potential-overflow.patch | 34 +++++++++++++++++++
 queue-6.1/series                              |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 queue-6.1/mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch

diff --git a/queue-6.1/mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch b/queue-6.1/mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch
new file mode 100644
index 00000000000..1fbef7a4a87
--- /dev/null
+++ b/queue-6.1/mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch
@@ -0,0 +1,34 @@
+From 9b458e8be0d13e81ed03fffa23f8f9b528bbd786 Mon Sep 17 00:00:00 2001
+From: Zichen Xie <zichenxie0106@gmail.com>
+Date: Wed, 23 Oct 2024 16:13:10 -0500
+Subject: mtd: diskonchip: Cast an operand to prevent potential overflow
+
+From: Zichen Xie <zichenxie0106@gmail.com>
+
+commit 9b458e8be0d13e81ed03fffa23f8f9b528bbd786 upstream.
+
+There may be a potential integer overflow issue in inftl_partscan().
+parts[0].size is defined as "uint64_t"  while mtd->erasesize and
+ip->firstUnit are defined as 32-bit unsigned integer. The result of
+the calculation will be limited to 32 bits without correct casting.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/diskonchip.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/raw/diskonchip.c
++++ b/drivers/mtd/nand/raw/diskonchip.c
+@@ -1098,7 +1098,7 @@ static inline int __init inftl_partscan(
+ 		    (i == 0) && (ip->firstUnit > 0)) {
+ 			parts[0].name = " DiskOnChip IPL / Media Header partition";
+ 			parts[0].offset = 0;
+-			parts[0].size = mtd->erasesize * ip->firstUnit;
++			parts[0].size = (uint64_t)mtd->erasesize * ip->firstUnit;
+ 			numparts = 1;
+ 		}
+ 
diff --git a/queue-6.1/series b/queue-6.1/series
index 165392bafc7..d4f4f0f76b2 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -4,3 +4,4 @@ tcp_bpf-charge-receive-socket-buffer-in-bpf_tcp_ingr.patch
 tcp_bpf-add-sk_rmem_alloc-related-logic-for-tcp_bpf-.patch
 bpf-check-negative-offsets-in-__bpf_skb_min_len.patch
 nfsd-restore-callback-functionality-for-nfsv4.0.patch
+mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch
-- 
2.47.2