--- /dev/null
+From 860f01e96981a68553f3ca49f574ff14fe955e72 Mon Sep 17 00:00:00 2001
+From: Valentin Vidic <Valentin.Vidic@CARNet.hr>
+Date: Fri, 5 May 2017 21:07:33 +0200
+Subject: ipmi/watchdog: fix watchdog timeout set on reboot
+
+From: Valentin Vidic <Valentin.Vidic@CARNet.hr>
+
+commit 860f01e96981a68553f3ca49f574ff14fe955e72 upstream.
+
+systemd by default starts watchdog on reboot and sets the timer to
+ShutdownWatchdogSec=10min. Reboot handler in ipmi_watchdog than reduces
+the timer to 120s which is not enough time to boot a Xen machine with
+a lot of RAM. As a result the machine is rebooted the second time
+during the long run of (XEN) Scrubbing Free RAM.....
+
+Fix this by setting the timer to 120s only if it was previously
+set to a low value.
+
+Signed-off-by: Valentin Vidic <Valentin.Vidic@CARNet.hr>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_watchdog.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_watchdog.c
++++ b/drivers/char/ipmi/ipmi_watchdog.c
+@@ -1163,10 +1163,11 @@ static int wdog_reboot_handler(struct no
+ ipmi_watchdog_state = WDOG_TIMEOUT_NONE;
+ ipmi_set_timeout(IPMI_SET_TIMEOUT_NO_HB);
+ } else if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE) {
+- /* Set a long timer to let the reboot happens, but
+- reboot if it hangs, but only if the watchdog
++ /* Set a long timer to let the reboot happen or
++ reset if it hangs, but only if the watchdog
+ timer was already running. */
+- timeout = 120;
++ if (timeout < 120)
++ timeout = 120;
+ pretimeout = 0;
+ ipmi_watchdog_state = WDOG_TIMEOUT_RESET;
+ ipmi_set_timeout(IPMI_SET_TIMEOUT_NO_HB);
--- /dev/null
+From 9f5af546e6acc30f075828cb58c7f09665033967 Mon Sep 17 00:00:00 2001
+From: Annie Cherkaev <annie.cherk@gmail.com>
+Date: Sat, 15 Jul 2017 15:08:58 -0600
+Subject: isdn/i4l: fix buffer overflow
+
+From: Annie Cherkaev <annie.cherk@gmail.com>
+
+commit 9f5af546e6acc30f075828cb58c7f09665033967 upstream.
+
+This fixes a potential buffer overflow in isdn_net.c caused by an
+unbounded strcpy.
+
+[ ISDN seems to be effectively unmaintained, and the I4L driver in
+ particular is long deprecated, but in case somebody uses this..
+ - Linus ]
+
+Signed-off-by: Jiten Thakkar <jitenmt@gmail.com>
+Signed-off-by: Annie Cherkaev <annie.cherk@gmail.com>
+Cc: Karsten Keil <isdn@linux-pingi.de>
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/i4l/isdn_common.c | 1 +
+ drivers/isdn/i4l/isdn_net.c | 5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1379,6 +1379,7 @@ isdn_ioctl(struct file *file, uint cmd,
+ if (arg) {
+ if (copy_from_user(bname, argp, sizeof(bname) - 1))
+ return -EFAULT;
++ bname[sizeof(bname)-1] = 0;
+ } else
+ return -EINVAL;
+ ret = mutex_lock_interruptible(&dev->mtx);
+--- a/drivers/isdn/i4l/isdn_net.c
++++ b/drivers/isdn/i4l/isdn_net.c
+@@ -2611,10 +2611,9 @@ isdn_net_newslave(char *parm)
+ char newname[10];
+
+ if (p) {
+- /* Slave-Name MUST not be empty */
+- if (!strlen(p + 1))
++ /* Slave-Name MUST not be empty or overflow 'newname' */
++ if (strscpy(newname, p + 1, sizeof(newname)) <= 0)
+ return NULL;
+- strcpy(newname, p + 1);
+ *p = 0;
+ /* Master must already exist */
+ if (!(n = isdn_net_findif(parm)))
projects / thirdparty / kernel / stable-queue.git / commitdiff
