git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Apr 2018 15:29:32 +0000 (17:29 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Apr 2018 15:29:32 +0000 (17:29 +0200)
added patches:
fs-reiserfs-journal.c-add-missing-resierfs_warning-arg.patch
resource-fix-integer-overflow-at-reallocation.patch
ubi-fix-error-for-write-access.patch
ubi-reject-mlc-nand.patch
ubifs-check-ubifs_wbuf_sync-return-code.patch
usb-musb-gadget-misplaced-out-of-bounds-check.patch

queue-3.18/fs-reiserfs-journal.c-add-missing-resierfs_warning-arg.patch [new file with mode: 0644]
queue-3.18/resource-fix-integer-overflow-at-reallocation.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/ubi-fix-error-for-write-access.patch [new file with mode: 0644]
queue-3.18/ubi-reject-mlc-nand.patch [new file with mode: 0644]
queue-3.18/ubifs-check-ubifs_wbuf_sync-return-code.patch [new file with mode: 0644]
queue-3.18/usb-musb-gadget-misplaced-out-of-bounds-check.patch [new file with mode: 0644]

diff --git a/queue-3.18/fs-reiserfs-journal.c-add-missing-resierfs_warning-arg.patch b/queue-3.18/fs-reiserfs-journal.c-add-missing-resierfs_warning-arg.patch
new file mode 100644 (file)
index 0000000..f913b37
--- /dev/null
@@ -0,0 +1,52 @@
+From 9ad553abe66f8be3f4755e9fa0a6ba137ce76341 Mon Sep 17 00:00:00 2001
+From: Andrew Morton <akpm@linux-foundation.org>
+Date: Tue, 10 Apr 2018 16:34:41 -0700
+Subject: fs/reiserfs/journal.c: add missing resierfs_warning() arg
+
+From: Andrew Morton <akpm@linux-foundation.org>
+
+commit 9ad553abe66f8be3f4755e9fa0a6ba137ce76341 upstream.
+
+One use of the reiserfs_warning() macro in journal_init_dev() is missing
+a parameter, causing the following warning:
+
+  REISERFS warning (device loop0): journal_init_dev: Cannot open '%s': %i journal_init_dev:
+
+This also causes a WARN_ONCE() warning in the vsprintf code, and then a
+panic if panic_on_warn is set.
+
+  Please remove unsupported %/ in format string
+  WARNING: CPU: 1 PID: 4480 at lib/vsprintf.c:2138 format_decode+0x77f/0x830 lib/vsprintf.c:2138
+  Kernel panic - not syncing: panic_on_warn set ...
+
+Just add another string argument to the macro invocation.
+
+Addresses https://syzkaller.appspot.com/bug?id=0627d4551fdc39bf1ef5d82cd9eef587047f7718
+
+Link: http://lkml.kernel.org/r/d678ebe1-6f54-8090-df4c-b9affad62293@infradead.org
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: <syzbot+6bd77b88c1977c03f584@syzkaller.appspotmail.com>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Jan Kara <jack@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/journal.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/reiserfs/journal.c
++++ b/fs/reiserfs/journal.c
+@@ -2643,7 +2643,7 @@ static int journal_init_dev(struct super
+       if (IS_ERR(journal->j_dev_bd)) {
+               result = PTR_ERR(journal->j_dev_bd);
+               journal->j_dev_bd = NULL;
+-              reiserfs_warning(super,
++              reiserfs_warning(super, "sh-457",
+                                "journal_init_dev: Cannot open '%s': %i",
+                                jdev_name, result);
+               return result;
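Review bot: The format string still begins with `journal_init_dev: `, although the warning output quoted in the description shows reiserfs_warning() already printing the calling function's name, so with the id argument restored the log line will carry the name twice. The string could be reduced to `"Cannot open '%s': %i",`. The missing argument also appears to have moved `jdev_name` into the format-string position, which is what vsprintf complained about. Since that name presumably comes from the mount options, the other reiserfs_warning() call sites are worth auditing for the same three-argument shape, and "sh-457" should be confirmed unused as an id elsewhere. journal_init_dev() starts and ends outside this hunk.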
diff --git a/queue-3.18/resource-fix-integer-overflow-at-reallocation.patch b/queue-3.18/resource-fix-integer-overflow-at-reallocation.patch
new file mode 100644 (file)
index 0000000..abc3a34
--- /dev/null
@@ -0,0 +1,55 @@
+From 60bb83b81169820c691fbfa33a6a4aef32aa4b0b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 13 Apr 2018 15:35:13 -0700
+Subject: resource: fix integer overflow at reallocation
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 60bb83b81169820c691fbfa33a6a4aef32aa4b0b upstream.
+
+We've got a bug report indicating a kernel panic at booting on an x86-32
+system, and it turned out to be the invalid PCI resource assigned after
+reallocation.  __find_resource() first aligns the resource start address
+and resets the end address with start+size-1 accordingly, then checks
+whether it's contained.  Here the end address may overflow the integer,
+although resource_contains() still returns true because the function
+validates only start and end address.  So this ends up with returning an
+invalid resource (start > end).
+
+There was already an attempt to cover such a problem in the commit
+47ea91b4052d ("Resource: fix wrong resource window calculation"), but
+this case is an overseen one.
+
+This patch adds the validity check of the newly calculated resource for
+avoiding the integer overflow problem.
+
+Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1086739
+Link: http://lkml.kernel.org/r/s5hpo37d5l8.wl-tiwai@suse.de
+Fixes: 23c570a67448 ("resource: ability to resize an allocated resource")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Reported-by: Michael Henders <hendersm@shaw.ca>
+Tested-by: Michael Henders <hendersm@shaw.ca>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Ram Pai <linuxram@us.ibm.com>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/resource.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/resource.c
++++ b/kernel/resource.c
+@@ -590,7 +590,8 @@ static int __find_resource(struct resour
+                       alloc.start = constraint->alignf(constraint->alignf_data, &avail,
+                                       size, constraint->align);
+                       alloc.end = alloc.start + size - 1;
+-                      if (resource_contains(&avail, &alloc)) {
++                      if (alloc.start <= alloc.end &&
++                          resource_contains(&avail, &alloc)) {
+                               new->start = alloc.start;
+                               new->end = alloc.end;
+                               return 0;
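Review bot: The new `alloc.start <= alloc.end` test carries no comment, and nothing at the call site says that it guards against `alloc.start + size - 1` wrapping around. A reader who sees resource_contains() right after it could take the extra comparison for redundant and drop it in a later cleanup. I would add `/* alloc.end wraps when start + size - 1 overflows; reject start > end */` above the `if`. The description mentions an earlier overflow fix in the same function; that code is outside this hunk, so whether both paths are now covered cannot be confirmed from here.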
index 09bfd9ab20538dc83eef6df6c49e2cf4810ab8c6..8aaa3d77bba9d3d8af110ccf1926ddc7b050c1f9 100644 (file)
@@ -4,3 +4,9 @@ s390-qdio-don-t-retry-eqbs-after-ccq-96.patch
 s390-qdio-don-t-merge-error-output-buffers.patch
 s390-ipl-ensure-loadparm-valid-flag-is-set.patch
 slip-check-if-rstate-is-initialized-before-uncompressing.patch
+ubifs-check-ubifs_wbuf_sync-return-code.patch
+ubi-fix-error-for-write-access.patch
+ubi-reject-mlc-nand.patch
+fs-reiserfs-journal.c-add-missing-resierfs_warning-arg.patch
+resource-fix-integer-overflow-at-reallocation.patch
+usb-musb-gadget-misplaced-out-of-bounds-check.patch
diff --git a/queue-3.18/ubi-fix-error-for-write-access.patch b/queue-3.18/ubi-fix-error-for-write-access.patch
new file mode 100644 (file)
index 0000000..2376225
--- /dev/null
@@ -0,0 +1,42 @@
+From 78a8dfbabbece22bee58ac4cb26cab10e7a19c5d Mon Sep 17 00:00:00 2001
+From: Romain Izard <romain.izard.pro@gmail.com>
+Date: Mon, 29 Jan 2018 11:18:20 +0100
+Subject: ubi: Fix error for write access
+
+From: Romain Izard <romain.izard.pro@gmail.com>
+
+commit 78a8dfbabbece22bee58ac4cb26cab10e7a19c5d upstream.
+
+When opening a device with write access, ubiblock_open returns an error
+code. Currently, this error code is -EPERM, but this is not the right
+value.
+
+The open function for other block devices returns -EROFS when opening
+read-only devices with FMODE_WRITE set. When used with dm-verity, the
+veritysetup userspace tool is expecting EROFS, and refuses to use the
+ubiblock device.
+
+Use -EROFS for ubiblock as well. As a result, veritysetup accepts the
+ubiblock device as valid.
+
+Cc: stable@vger.kernel.org
+Fixes: 9d54c8a33eec (UBI: R/O block driver on top of UBI volumes)
+Signed-off-by: Romain Izard <romain.izard.pro@gmail.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/block.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/ubi/block.c
++++ b/drivers/mtd/ubi/block.c
+@@ -322,7 +322,7 @@ static int ubiblock_open(struct block_de
+        * in any case.
+        */
+       if (mode & FMODE_WRITE) {
+-              ret = -EPERM;
++              ret = -EROFS;
+               goto out_unlock;
+       }
diff --git a/queue-3.18/ubi-reject-mlc-nand.patch b/queue-3.18/ubi-reject-mlc-nand.patch
new file mode 100644 (file)
index 0000000..c6731cf
--- /dev/null
@@ -0,0 +1,45 @@
+From b5094b7f135be34630e3ea8a98fa215715d0f29d Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Sat, 3 Mar 2018 11:45:54 +0100
+Subject: ubi: Reject MLC NAND
+
+From: Richard Weinberger <richard@nod.at>
+
+commit b5094b7f135be34630e3ea8a98fa215715d0f29d upstream.
+
+While UBI and UBIFS seem to work at first sight with MLC NAND, you will
+most likely lose all your data upon a power-cut or due to read/write
+disturb.
+In order to protect users from bad surprises, refuse to attach to MLC
+NAND.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Acked-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Acked-by: Artem Bityutskiy <dedekind1@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/build.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/mtd/ubi/build.c
++++ b/drivers/mtd/ubi/build.c
+@@ -905,6 +905,17 @@ int ubi_attach_mtd_dev(struct mtd_info *
+               return -EINVAL;
+       }
++      /*
++       * Both UBI and UBIFS have been designed for SLC NAND and NOR flashes.
++       * MLC NAND is different and needs special care, otherwise UBI or UBIFS
++       * will die soon and you will lose all your data.
++       */
++      if (mtd->type == MTD_MLCNANDFLASH) {
++              pr_err("ubi: refuse attaching mtd%d - MLC NAND is not supported\n",
++                      mtd->index);
++              return -EINVAL;
++      }
++
+       if (ubi_num == UBI_DEV_NUM_AUTO) {
+               /* Search for an empty slot in the @ubi_devices array */
+               for (ubi_num = 0; ubi_num < UBI_MAX_DEVICES; ubi_num++)
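Review bot: The new refusal returns `-EINVAL`, the same code as the check immediately above it, so a caller cannot tell "MLC NAND rejected" from an invalid argument except by reading the kernel log. Because this is queued for a stable series, systems that currently attach UBI to MLC NAND will stop attaching after the update, and a device whose root filesystem lives on such a volume may fail to boot (inferred; the attach callers are outside the hunk). The added comment could record that this is intentional, e.g. `* Existing MLC setups will fail to attach from this release on; this is intentional.`, so the behaviour change is discoverable from the source as well as from the commit message.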
diff --git a/queue-3.18/ubifs-check-ubifs_wbuf_sync-return-code.patch b/queue-3.18/ubifs-check-ubifs_wbuf_sync-return-code.patch
new file mode 100644 (file)
index 0000000..d85e243
--- /dev/null
@@ -0,0 +1,54 @@
+From aac17948a7ce01fb60b9ee6cf902967a47b3ce26 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Wed, 17 Jan 2018 19:12:42 +0100
+Subject: ubifs: Check ubifs_wbuf_sync() return code
+
+From: Richard Weinberger <richard@nod.at>
+
+commit aac17948a7ce01fb60b9ee6cf902967a47b3ce26 upstream.
+
+If ubifs_wbuf_sync() fails we must not write a master node with the
+dirty marker cleared.
+Otherwise it is possible that in case of an IO error while syncing we
+mark the filesystem as clean and UBIFS refuses to recover upon next
+mount.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/super.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/ubifs/super.c
++++ b/fs/ubifs/super.c
+@@ -1726,8 +1726,11 @@ static void ubifs_remount_ro(struct ubif
+       dbg_save_space_info(c);
+-      for (i = 0; i < c->jhead_cnt; i++)
+-              ubifs_wbuf_sync(&c->jheads[i].wbuf);
++      for (i = 0; i < c->jhead_cnt; i++) {
++              err = ubifs_wbuf_sync(&c->jheads[i].wbuf);
++              if (err)
++                      ubifs_ro_mode(c, err);
++      }
+       c->mst_node->flags &= ~cpu_to_le32(UBIFS_MST_DIRTY);
+       c->mst_node->flags |= cpu_to_le32(UBIFS_MST_NO_ORPHS);
+@@ -1794,8 +1797,11 @@ static void ubifs_put_super(struct super
+                       int err;
+                       /* Synchronize write-buffers */
+-                      for (i = 0; i < c->jhead_cnt; i++)
+-                              ubifs_wbuf_sync(&c->jheads[i].wbuf);
++                      for (i = 0; i < c->jhead_cnt; i++) {
++                              err = ubifs_wbuf_sync(&c->jheads[i].wbuf);
++                              if (err)
++                                      ubifs_ro_mode(c, err);
++                      }
+                       /*
+                        * We are being cleanly unmounted which means the
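Review bot: In ubifs_remount_ro() the loop now calls `ubifs_ro_mode(c, err)` when a sync fails, but execution still falls through to the lines that clear `UBIFS_MST_DIRTY` and set `UBIFS_MST_NO_ORPHS`. The fix therefore relies on the later master-node write being refused once the filesystem is in the read-only error state, which is presumably the case but is not visible in either hunk. A comment in both loops would make that dependency explicit, for example `/* after ubifs_ro_mode() the master write below must fail, so the dirty flag stays set on flash - confirm */`. The loops also keep syncing the remaining journal heads after the first error; if that is deliberate best-effort flushing it should be stated. Both functions extend beyond the hunks shown.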
diff --git a/queue-3.18/usb-musb-gadget-misplaced-out-of-bounds-check.patch b/queue-3.18/usb-musb-gadget-misplaced-out-of-bounds-check.patch
new file mode 100644 (file)
index 0000000..f0c9448
--- /dev/null
@@ -0,0 +1,48 @@
+From af6f8529098aeb0e56a68671b450cf74e7a64fcd Mon Sep 17 00:00:00 2001
+From: Heinrich Schuchardt <xypron.glpk@gmx.de>
+Date: Thu, 29 Mar 2018 10:48:28 -0500
+Subject: usb: musb: gadget: misplaced out of bounds check
+
+From: Heinrich Schuchardt <xypron.glpk@gmx.de>
+
+commit af6f8529098aeb0e56a68671b450cf74e7a64fcd upstream.
+
+musb->endpoints[] has array size MUSB_C_NUM_EPS.
+We must check array bounds before accessing the array and not afterwards.
+
+Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/musb_gadget_ep0.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/musb/musb_gadget_ep0.c
++++ b/drivers/usb/musb/musb_gadget_ep0.c
+@@ -114,15 +114,19 @@ static int service_tx_status_request(
+               }
+               is_in = epnum & USB_DIR_IN;
+-              if (is_in) {
+-                      epnum &= 0x0f;
++              epnum &= 0x0f;
++              if (epnum >= MUSB_C_NUM_EPS) {
++                      handled = -EINVAL;
++                      break;
++              }
++
++              if (is_in)
+                       ep = &musb->endpoints[epnum].ep_in;
+-              } else {
++              else
+                       ep = &musb->endpoints[epnum].ep_out;
+-              }
+               regs = musb->endpoints[epnum].regs;
+-              if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
++              if (!ep->desc) {
+                       handled = -EINVAL;
+                       break;
+               }
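Review bot: `epnum &= 0x0f` now runs for both directions before the bounds test, so the value compared against `MUSB_C_NUM_EPS` is always in 0..15 and the remaining bits of the requested endpoint index are dropped rather than rejected. In the old code the mask was applied only in the `is_in` branch, so an OUT index with bits above 0x0f set was eventually refused by the `epnum >= MUSB_C_NUM_EPS` test; after this change it aliases onto a low endpoint number. If MUSB_C_NUM_EPS is 16 (its value is not shown here) the new comparison can never be true, which leaves `!ep->desc` as the only rejection. I would refuse indexes with reserved bits set before masking, `if (epnum & ~(USB_DIR_IN | 0x0f)) { handled = -EINVAL; break; }`, and consider bounding against the number of endpoints the controller actually provides. service_tx_status_request() continues outside the hunk.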