From: Greg Kroah-Hartman Date: Sun, 1 Jul 2018 14:13:10 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.114~18 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0ea29e545b1cc589af8548f7dfb1b4836a8b052f;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: backlight-as3711_bl-fix-device-tree-node-lookup.patch backlight-max8925_bl-fix-device-tree-node-lookup.patch backlight-tps65217_bl-fix-device-tree-node-lookup.patch media-cx231xx-add-support-for-avermedia-dvd-ezmaker-7.patch media-dvb_frontend-fix-locking-issues-at-dvb_frontend_get_event.patch media-v4l2-compat-ioctl32-prevent-go-past-max-size.patch nfsd-restrict-rd_maxcount-to-svc_max_payload-in-nfsd_encode_readdir.patch scsi-qla2xxx-fix-setting-lower-transfer-speed-if-gpsc-fails.patch ubifs-fix-potential-integer-overflow-in-allocation.patch udf-detect-incorrect-directory-size.patch video-uvesafb-fix-integer-overflow-in-allocation.patch xen-remove-unnecessary-bug_on-from-__unbind_from_irq.patch --- diff --git a/queue-3.18/backlight-as3711_bl-fix-device-tree-node-lookup.patch b/queue-3.18/backlight-as3711_bl-fix-device-tree-node-lookup.patch new file mode 100644 index 00000000000..3870f18e5d4 --- /dev/null +++ b/queue-3.18/backlight-as3711_bl-fix-device-tree-node-lookup.patch 
@@ -0,0 +1,108 @@ +From 4a9c8bb2aca5b5a2a15744333729745dd9903562 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 20 Nov 2017 11:45:44 +0100 +Subject: backlight: as3711_bl: Fix Device Tree node lookup + +From: Johan Hovold + +commit 4a9c8bb2aca5b5a2a15744333729745dd9903562 upstream. + +Fix child-node lookup during probe, which ended up searching the whole +device tree depth-first starting at the parent rather than just matching +on its children. + +To make things worse, the parent mfd node was also prematurely freed. + +Cc: stable # 3.10 +Fixes: 59eb2b5e57ea ("drivers/video/backlight/as3711_bl.c: add OF support") +Signed-off-by: Johan Hovold +Acked-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/backlight/as3711_bl.c | 33 +++++++++++++++++++++++---------- + 1 file changed, 23 insertions(+), 10 deletions(-) + +--- a/drivers/video/backlight/as3711_bl.c ++++ b/drivers/video/backlight/as3711_bl.c +@@ -262,10 +262,10 @@ static int as3711_bl_register(struct pla + static int as3711_backlight_parse_dt(struct device *dev) + { + struct as3711_bl_pdata *pdata = dev_get_platdata(dev); +- struct device_node *bl = +- of_find_node_by_name(dev->parent->of_node, "backlight"), *fb; ++ struct device_node *bl, *fb; + int ret; + ++ bl = of_get_child_by_name(dev->parent->of_node, "backlight"); + if (!bl) { + dev_dbg(dev, "backlight node not found\n"); + return -ENODEV; +@@ -279,7 +279,7 @@ static int as3711_backlight_parse_dt(str + if (pdata->su1_max_uA <= 0) + ret = -EINVAL; + if (ret < 0) +- return ret; ++ goto err_put_bl; + } + + fb = of_parse_phandle(bl, "su2-dev", 0); +@@ -292,7 +292,7 @@ static int as3711_backlight_parse_dt(str + if (pdata->su2_max_uA <= 0) + ret = -EINVAL; + if (ret < 0) +- return ret; ++ goto err_put_bl; + + if (of_find_property(bl, "su2-feedback-voltage", NULL)) { + pdata->su2_feedback = AS3711_SU2_VOLTAGE; +@@ -314,8 +314,10 @@ static int as3711_backlight_parse_dt(str + pdata->su2_feedback = 
AS3711_SU2_CURR_AUTO; + count++; + } +- if (count != 1) +- return -EINVAL; ++ if (count != 1) { ++ ret = -EINVAL; ++ goto err_put_bl; ++ } + + count = 0; + if (of_find_property(bl, "su2-fbprot-lx-sd4", NULL)) { +@@ -334,8 +336,10 @@ static int as3711_backlight_parse_dt(str + pdata->su2_fbprot = AS3711_SU2_GPIO4; + count++; + } +- if (count != 1) +- return -EINVAL; ++ if (count != 1) { ++ ret = -EINVAL; ++ goto err_put_bl; ++ } + + count = 0; + if (of_find_property(bl, "su2-auto-curr1", NULL)) { +@@ -355,11 +359,20 @@ static int as3711_backlight_parse_dt(str + * At least one su2-auto-curr* must be specified iff + * AS3711_SU2_CURR_AUTO is used + */ +- if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO)) +- return -EINVAL; ++ if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO)) { ++ ret = -EINVAL; ++ goto err_put_bl; ++ } + } + ++ of_node_put(bl); ++ + return 0; ++ ++err_put_bl: ++ of_node_put(bl); ++ ++ return ret; + } + + static int as3711_backlight_probe(struct platform_device *pdev) diff --git a/queue-3.18/backlight-max8925_bl-fix-device-tree-node-lookup.patch b/queue-3.18/backlight-max8925_bl-fix-device-tree-node-lookup.patch new file mode 100644 index 00000000000..c7f8b46f394 --- /dev/null +++ b/queue-3.18/backlight-max8925_bl-fix-device-tree-node-lookup.patch 
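Review bot: The lookup now holds a reference on `bl` for the rest of as3711_backlight_parse_dt(), but nothing in the code says so; the `goto err_put_bl` rewrites of the former `return ret` and `return -EINVAL` sites are only correct as long as every future exit remembers to drop it. A comment at the lookup, `/* bl is refcounted: every exit after this point must go through err_put_bl */`, would make that contract visible, and the success path could reuse the label (`ret = 0; goto err_put_bl;`, with the label renamed to `out_put_bl`) so there is a single of_node_put(bl) instead of two. The same ownership point applies to the of_get_child_by_name() calls in the max8925_bl and tps65217_bl patches that follow; in tps65217_bl the function continues past the hunk, so the matching of_node_put(node) on its later returns is not visible here. The `fb` node from of_parse_phandle(bl, "su2-dev", 0) also carries a reference, and its release is likewise outside the visible lines.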
@@ -0,0 +1,47 @@ +From d1cc0ec3da23e44c23712579515494b374f111c9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 20 Nov 2017 11:45:45 +0100 +Subject: backlight: max8925_bl: Fix Device Tree node lookup + +From: Johan Hovold + +commit d1cc0ec3da23e44c23712579515494b374f111c9 upstream. + +Fix child-node lookup during probe, which ended up searching the whole +device tree depth-first starting at the parent rather than just matching +on its children. + +To make things worse, the parent mfd node was also prematurely freed, +while the child backlight node was leaked. + +Cc: stable # 3.9 +Fixes: 47ec340cb8e2 ("mfd: max8925: Support dt for backlight") +Signed-off-by: Johan Hovold +Acked-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/backlight/max8925_bl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/video/backlight/max8925_bl.c ++++ b/drivers/video/backlight/max8925_bl.c +@@ -116,7 +116,7 @@ static void max8925_backlight_dt_init(st + if (!pdata) + return; + +- np = of_find_node_by_name(nproot, "backlight"); ++ np = of_get_child_by_name(nproot, "backlight"); + if (!np) { + dev_err(&pdev->dev, "failed to find backlight node\n"); + return; +@@ -125,6 +125,8 @@ static void max8925_backlight_dt_init(st + if (!of_property_read_u32(np, "maxim,max8925-dual-string", &val)) + pdata->dual_string = val; + ++ of_node_put(np); ++ + pdev->dev.platform_data = pdata; + } + diff --git a/queue-3.18/backlight-tps65217_bl-fix-device-tree-node-lookup.patch b/queue-3.18/backlight-tps65217_bl-fix-device-tree-node-lookup.patch new file mode 100644 index 00000000000..035b6d26280 --- /dev/null +++ b/queue-3.18/backlight-tps65217_bl-fix-device-tree-node-lookup.patch 
@@ -0,0 +1,43 @@ +From 2b12dfa124dbadf391cb9a616aaa6b056823bf75 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 20 Nov 2017 11:45:46 +0100 +Subject: backlight: tps65217_bl: Fix Device Tree node lookup + +From: Johan Hovold + +commit 2b12dfa124dbadf391cb9a616aaa6b056823bf75 upstream. + +Fix child-node lookup during probe, which ended up searching the whole +device tree depth-first starting at the parent rather than just matching +on its children. + +This would only cause trouble if the child node is missing while there +is an unrelated node named "backlight" elsewhere in the tree. + +Cc: stable # 3.7 +Fixes: eebfdc17cc6c ("backlight: Add TPS65217 WLED driver") +Signed-off-by: Johan Hovold +Acked-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/backlight/tps65217_bl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/video/backlight/tps65217_bl.c ++++ b/drivers/video/backlight/tps65217_bl.c +@@ -184,11 +184,11 @@ static struct tps65217_bl_pdata * + tps65217_bl_parse_dt(struct platform_device *pdev) + { + struct tps65217 *tps = dev_get_drvdata(pdev->dev.parent); +- struct device_node *node = of_node_get(tps->dev->of_node); ++ struct device_node *node; + struct tps65217_bl_pdata *pdata, *err; + u32 val; + +- node = of_find_node_by_name(node, "backlight"); ++ node = of_get_child_by_name(tps->dev->of_node, "backlight"); + if (!node) + return ERR_PTR(-ENODEV); + diff --git a/queue-3.18/media-cx231xx-add-support-for-avermedia-dvd-ezmaker-7.patch b/queue-3.18/media-cx231xx-add-support-for-avermedia-dvd-ezmaker-7.patch new file mode 100644 index 00000000000..6da08ec0418 --- /dev/null +++ b/queue-3.18/media-cx231xx-add-support-for-avermedia-dvd-ezmaker-7.patch 
@@ -0,0 +1,36 @@ +From 29e61d6ef061b012d320327af7dbb3990e75be45 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Mon, 26 Mar 2018 02:06:16 -0400 +Subject: media: cx231xx: Add support for AverMedia DVD EZMaker 7 + +From: Kai-Heng Feng + +commit 29e61d6ef061b012d320327af7dbb3990e75be45 upstream. + +User reports AverMedia DVD EZMaker 7 can be driven by VIDEO_GRABBER. +Add the device to the id_table to make it work. + +BugLink: https://bugs.launchpad.net/bugs/1620762 + +Cc: stable@vger.kernel.org +Signed-off-by: Kai-Heng Feng +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/cx231xx/cx231xx-cards.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/usb/cx231xx/cx231xx-cards.c ++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c +@@ -805,6 +805,9 @@ struct usb_device_id cx231xx_id_table[] + .driver_info = CX231XX_BOARD_CNXT_RDE_250}, + {USB_DEVICE(0x0572, 0x58A0), + .driver_info = CX231XX_BOARD_CNXT_RDU_250}, ++ /* AverMedia DVD EZMaker 7 */ ++ {USB_DEVICE(0x07ca, 0xc039), ++ .driver_info = CX231XX_BOARD_CNXT_VIDEO_GRABBER}, + {USB_DEVICE(0x2040, 0xb110), + .driver_info = CX231XX_BOARD_HAUPPAUGE_USB2_FM_PAL}, + {USB_DEVICE(0x2040, 0xb111), diff --git a/queue-3.18/media-dvb_frontend-fix-locking-issues-at-dvb_frontend_get_event.patch b/queue-3.18/media-dvb_frontend-fix-locking-issues-at-dvb_frontend_get_event.patch new file mode 100644 index 00000000000..6c4522eb4f4 --- /dev/null +++ b/queue-3.18/media-dvb_frontend-fix-locking-issues-at-dvb_frontend_get_event.patch 
@@ -0,0 +1,73 @@ +From 76d81243a487c09619822ef8e7201a756e58a87d Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Thu, 5 Apr 2018 05:30:52 -0400 +Subject: media: dvb_frontend: fix locking issues at dvb_frontend_get_event() + +From: Mauro Carvalho Chehab + +commit 76d81243a487c09619822ef8e7201a756e58a87d upstream. + +As warned by smatch: + drivers/media/dvb-core/dvb_frontend.c:314 dvb_frontend_get_event() warn: inconsistent returns 'sem:&fepriv->sem'. + Locked on: line 288 + line 295 + line 306 + line 314 + Unlocked on: line 303 + +The lock implementation for get event is wrong, as, if an +interrupt occurs, down_interruptible() will fail, and the +routine will call up() twice when userspace calls the ioctl +again. + +The bad code is there since when Linux migrated to git, in +2005. + +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb-core/dvb_frontend.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +--- a/drivers/media/dvb-core/dvb_frontend.c ++++ b/drivers/media/dvb-core/dvb_frontend.c +@@ -224,8 +224,20 @@ static void dvb_frontend_add_event(struc + wake_up_interruptible (&events->wait_queue); + } + ++static int dvb_frontend_test_event(struct dvb_frontend_private *fepriv, ++ struct dvb_fe_events *events) ++{ ++ int ret; ++ ++ up(&fepriv->sem); ++ ret = events->eventw != events->eventr; ++ down(&fepriv->sem); ++ ++ return ret; ++} ++ + static int dvb_frontend_get_event(struct dvb_frontend *fe, +- struct dvb_frontend_event *event, int flags) ++ struct dvb_frontend_event *event, int flags) + { + struct dvb_frontend_private *fepriv = fe->frontend_priv; + struct dvb_fe_events *events = &fepriv->events; +@@ -243,13 +255,8 @@ static int dvb_frontend_get_event(struct + if (flags & O_NONBLOCK) + return -EWOULDBLOCK; + +- up(&fepriv->sem); +- +- ret = wait_event_interruptible (events->wait_queue, +- events->eventw != events->eventr); +- +- if 
(down_interruptible (&fepriv->sem)) +- return -ERESTARTSYS; ++ ret = wait_event_interruptible(events->wait_queue, ++ dvb_frontend_test_event(fepriv, events)); + + if (ret < 0) + return ret; diff --git a/queue-3.18/media-v4l2-compat-ioctl32-prevent-go-past-max-size.patch b/queue-3.18/media-v4l2-compat-ioctl32-prevent-go-past-max-size.patch new file mode 100644 index 00000000000..6ceeaffed3b --- /dev/null +++ b/queue-3.18/media-v4l2-compat-ioctl32-prevent-go-past-max-size.patch @@ -0,0 +1,33 @@ +From ea72fbf588ac9c017224dcdaa2019ff52ca56fee Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Wed, 11 Apr 2018 11:47:32 -0400 +Subject: media: v4l2-compat-ioctl32: prevent go past max size + +From: Mauro Carvalho Chehab + +commit ea72fbf588ac9c017224dcdaa2019ff52ca56fee upstream. + +As warned by smatch: + drivers/media/v4l2-core/v4l2-compat-ioctl32.c:879 put_v4l2_ext_controls32() warn: check for integer overflow 'count' + +The access_ok() logic should check for too big arrays too. + +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +@@ -856,7 +856,7 @@ static int put_v4l2_ext_controls32(struc + get_user(kcontrols, &kp->controls)) + return -EFAULT; + +- if (!count) ++ if (!count || count > (U32_MAX/sizeof(*ucontrols))) + return 0; + if (get_user(p, &up->controls)) + return -EFAULT; diff --git a/queue-3.18/nfsd-restrict-rd_maxcount-to-svc_max_payload-in-nfsd_encode_readdir.patch b/queue-3.18/nfsd-restrict-rd_maxcount-to-svc_max_payload-in-nfsd_encode_readdir.patch new file mode 100644 index 00000000000..10cad0a9655 --- /dev/null +++ b/queue-3.18/nfsd-restrict-rd_maxcount-to-svc_max_payload-in-nfsd_encode_readdir.patch 
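Review bot: dvb_frontend_test_event() drops and re-takes `fepriv->sem` while running as the condition of wait_event_interruptible(), and that contract is undocumented; a header comment such as `/* Wait condition: called with fepriv->sem held, releases it so the frontend thread can queue events, re-takes it before returning. */` would keep the next reader from "fixing" the unbalanced-looking up()/down(). Two behavioural points deserve a second look: `down()` is uninterruptible, so a signal arriving while the semaphore is contended is only honoured after it is re-acquired (the removed code used down_interruptible), and sleeping inside a wait_event() condition resets the task state, so if down() actually blocks the following schedule() in the wait loop presumably returns at once and the condition is simply re-evaluated. Neither is necessarily wrong, but a one-line comment saying the trade-off is deliberate would help.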
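Review bot: The oversized-count case is folded into the same `return 0` as the empty case, so a `count` too large to represent is reported to the caller as success with nothing copied rather than as an error. If that is intentional because the count was already validated when the request was copied in (not visible in this hunk), a one-line comment saying so would stop it reading like a silent failure; otherwise `return -EINVAL;` is the honest result. The bound itself is right: it keeps `count * sizeof(*ucontrols)` from wrapping before the access_ok()/copy that presumably follows outside the hunk.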
@@ -0,0 +1,47 @@ +From 9c2ece6ef67e9d376f32823086169b489c422ed0 Mon Sep 17 00:00:00 2001 +From: Scott Mayhew +Date: Mon, 7 May 2018 09:01:08 -0400 +Subject: nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir + +From: Scott Mayhew + +commit 9c2ece6ef67e9d376f32823086169b489c422ed0 upstream. + +nfsd4_readdir_rsize restricts rd_maxcount to svc_max_payload when +estimating the size of the readdir reply, but nfsd_encode_readdir +restricts it to INT_MAX when encoding the reply. This can result in log +messages like "kernel: RPC request reserved 32896 but used 1049444". + +Restrict rd_dircount similarly (no reason it should be larger than +svc_max_payload). + +Signed-off-by: Scott Mayhew +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4xdr.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -3358,7 +3358,8 @@ nfsd4_encode_readdir(struct nfsd4_compou + nfserr = nfserr_resource; + goto err_no_verf; + } +- maxcount = min_t(u32, readdir->rd_maxcount, INT_MAX); ++ maxcount = svc_max_payload(resp->rqstp); ++ maxcount = min_t(u32, readdir->rd_maxcount, maxcount); + /* + * Note the rfc defines rd_maxcount as the size of the + * READDIR4resok structure, which includes the verifier above +@@ -3372,7 +3373,7 @@ nfsd4_encode_readdir(struct nfsd4_compou + + /* RFC 3530 14.2.24 allows us to ignore dircount when it's 0: */ + if (!readdir->rd_dircount) +- readdir->rd_dircount = INT_MAX; ++ readdir->rd_dircount = svc_max_payload(resp->rqstp); + + readdir->xdr = xdr; + readdir->rd_maxcount = maxcount; diff --git a/queue-3.18/scsi-qla2xxx-fix-setting-lower-transfer-speed-if-gpsc-fails.patch b/queue-3.18/scsi-qla2xxx-fix-setting-lower-transfer-speed-if-gpsc-fails.patch new file mode 100644 index 00000000000..f524d0718ba --- /dev/null +++ b/queue-3.18/scsi-qla2xxx-fix-setting-lower-transfer-speed-if-gpsc-fails.patch 
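Review bot: The dircount clamp only replaces the zero default; a non-zero, client-supplied `readdir->rd_dircount` larger than svc_max_payload() passes through unchanged, although the description says dircount is restricted similarly. If that is fine because the now-bounded rd_maxcount is what actually limits the encoded reply, extend the comment above it, e.g. `/* ... a larger client value is harmless since rd_maxcount bounds the encoding */`; otherwise apply `min_t` there as well. Minor: svc_max_payload(resp->rqstp) is now called twice in the same function; a single local (`u32 max_payload = svc_max_payload(resp->rqstp);`) would tie the two clamps together. nfsd4_encode_readdir() starts and ends outside the hunk.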
@@ -0,0 +1,42 @@ +From 413c2f33489b134e3cc65d9c3ff7861e8fdfe899 Mon Sep 17 00:00:00 2001 +From: Himanshu Madhani +Date: Sun, 3 Jun 2018 22:09:53 -0700 +Subject: scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails + +From: Himanshu Madhani + +commit 413c2f33489b134e3cc65d9c3ff7861e8fdfe899 upstream. + +This patch prevents driver from setting lower default speed of 1 GB/sec, +if the switch does not support Get Port Speed Capabilities (GPSC) +command. Setting this default speed results into much lower write +performance for large sequential WRITE. This patch modifies driver to +check for gpsc_supported flags and prevents driver from issuing +MBC_SET_PORT_PARAM (001Ah) to set default speed of 1 GB/sec. If driver +does not send this mailbox command, firmware assumes maximum supported +link speed and will operate at the max speed. + +Cc: stable@vger.kernel.org +Signed-off-by: Himanshu Madhani +Reported-by: Eda Zhou +Reviewed-by: Ewan D. Milne +Tested-by: Ewan D. Milne +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_init.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -3212,7 +3212,8 @@ qla2x00_iidma_fcport(scsi_qla_host_t *vh + return; + + if (fcport->fp_speed == PORT_SPEED_UNKNOWN || +- fcport->fp_speed > ha->link_data_rate) ++ fcport->fp_speed > ha->link_data_rate || ++ !ha->flags.gpsc_supported) + return; + + rval = qla2x00_set_idma_speed(vha, fcport->loop_id, fcport->fp_speed, diff --git a/queue-3.18/series b/queue-3.18/series index 6a9a77ac8c1..212a6888b1c 100644 --- a/queue-3.18/series +++ b/queue-3.18/series 
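Review bot: The new `!ha->flags.gpsc_supported` leg of the early return has no explanation at the site, and nothing in the code says why missing GPSC support should skip qla2x00_set_idma_speed() rather than fall back to the default rate; a reader has to find this commit to learn that. Suggest a comment above the condition, `/* Without GPSC, fp_speed is only a default (1 Gb/s); skip MBC_SET_PORT_PARAM so firmware keeps its max link rate. */`. qla2x00_iidma_fcport() starts and ends outside the hunk.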
@@ -69,3 +69,15 @@ mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch mips-io-add-barrier-after-register-read-in-inx.patch time-make-sure-jiffies_to_msecs-preserves-non-zero-time-periods.patch +scsi-qla2xxx-fix-setting-lower-transfer-speed-if-gpsc-fails.patch +ubifs-fix-potential-integer-overflow-in-allocation.patch +backlight-as3711_bl-fix-device-tree-node-lookup.patch +backlight-max8925_bl-fix-device-tree-node-lookup.patch +backlight-tps65217_bl-fix-device-tree-node-lookup.patch +media-v4l2-compat-ioctl32-prevent-go-past-max-size.patch +media-cx231xx-add-support-for-avermedia-dvd-ezmaker-7.patch +media-dvb_frontend-fix-locking-issues-at-dvb_frontend_get_event.patch +nfsd-restrict-rd_maxcount-to-svc_max_payload-in-nfsd_encode_readdir.patch +video-uvesafb-fix-integer-overflow-in-allocation.patch +xen-remove-unnecessary-bug_on-from-__unbind_from_irq.patch +udf-detect-incorrect-directory-size.patch diff --git a/queue-3.18/ubifs-fix-potential-integer-overflow-in-allocation.patch b/queue-3.18/ubifs-fix-potential-integer-overflow-in-allocation.patch new file mode 100644 index 00000000000..bcfea2f66a9 --- /dev/null +++ b/queue-3.18/ubifs-fix-potential-integer-overflow-in-allocation.patch 
@@ -0,0 +1,35 @@ +From 353748a359f1821ee934afc579cf04572406b420 Mon Sep 17 00:00:00 2001 +From: Silvio Cesare +Date: Fri, 4 May 2018 13:44:02 +1000 +Subject: UBIFS: Fix potential integer overflow in allocation + +From: Silvio Cesare + +commit 353748a359f1821ee934afc579cf04572406b420 upstream. + +There is potential for the size and len fields in ubifs_data_node to be +too large causing either a negative value for the length fields or an +integer overflow leading to an incorrect memory allocation. Likewise, +when the len field is small, an integer underflow may occur. + +Signed-off-by: Silvio Cesare +Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/journal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ubifs/journal.c ++++ b/fs/ubifs/journal.c +@@ -1101,7 +1101,7 @@ static int recomp_data_node(struct ubifs + int err, len, compr_type, out_len; + + out_len = le32_to_cpu(dn->size); +- buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS); ++ buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS); + if (!buf) + return -ENOMEM; + diff --git a/queue-3.18/udf-detect-incorrect-directory-size.patch b/queue-3.18/udf-detect-incorrect-directory-size.patch new file mode 100644 index 00000000000..806d8d3c0a3 --- /dev/null +++ b/queue-3.18/udf-detect-incorrect-directory-size.patch 
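Review bot: With `out_len` declared `int` and loaded from a 32-bit on-flash field, a size of 2^31 or more becomes a huge size_t when passed to kmalloc_array(), so the corrupted node now fails with -ENOMEM instead of overflowing the multiplication; that is the fix, but it reports on-media corruption as memory pressure. An explicit range check before the allocation, rejecting a negative or over-limit `dn->size` with a corruption-style error (e.g. -EINVAL), would make the failure diagnosable; if the bound is already enforced where the node is read, a comment here saying so is enough. The description also mentions an underflow when `len` is small, but this hunk does not touch `len`; any check for it lies outside the visible lines.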
@@ -0,0 +1,36 @@ +From fa65653e575fbd958bdf5fb9c4a71a324e39510d Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 13 Jun 2018 12:09:22 +0200 +Subject: udf: Detect incorrect directory size + +From: Jan Kara + +commit fa65653e575fbd958bdf5fb9c4a71a324e39510d upstream. + +Detect when a directory entry is (possibly partially) beyond directory +size and return EIO in that case since it means the filesystem is +corrupted. Otherwise directory operations can further corrupt the +directory and possibly also oops the kernel. + +CC: Anatoly Trosinenko +CC: stable@vger.kernel.org +Reported-and-tested-by: Anatoly Trosinenko +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/udf/directory.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/udf/directory.c ++++ b/fs/udf/directory.c +@@ -151,6 +151,9 @@ struct fileIdentDesc *udf_fileident_read + sizeof(struct fileIdentDesc)); + } + } ++ /* Got last entry outside of dir size - fs is corrupted! */ ++ if (*nf_pos > dir->i_size) ++ return NULL; + return fi; + } + diff --git a/queue-3.18/video-uvesafb-fix-integer-overflow-in-allocation.patch b/queue-3.18/video-uvesafb-fix-integer-overflow-in-allocation.patch new file mode 100644 index 00000000000..537d645d2a4 --- /dev/null +++ b/queue-3.18/video-uvesafb-fix-integer-overflow-in-allocation.patch 
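Review bot: The new guard only rejects the entry after it has been fully read and `*nf_pos` advanced, and it returns NULL with no diagnostic, so a corrupted directory surfaces as a bare EIO with nothing in the log. Consider reporting it before the `return NULL;`, e.g. via the udf_err()-style helpers the filesystem uses elsewhere (not visible here). The comment could also state the convention the caller relies on, `/* Entry extends past i_size: directory is corrupted, caller turns NULL into -EIO */`, since the hunk itself does not show how NULL is mapped. udf_fileident_read() starts outside the hunk.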
@@ -0,0 +1,34 @@ +From 9f645bcc566a1e9f921bdae7528a01ced5bc3713 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 11 May 2018 18:24:12 +1000 +Subject: video: uvesafb: Fix integer overflow in allocation + +From: Kees Cook + +commit 9f645bcc566a1e9f921bdae7528a01ced5bc3713 upstream. + +cmap->len can get close to INT_MAX/2, allowing for an integer overflow in +allocation. This uses kmalloc_array() instead to catch the condition. + +Reported-by: Dr Silvio Cesare of InfoSect +Fixes: 8bdb3a2d7df48 ("uvesafb: the driver core") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/uvesafb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/video/fbdev/uvesafb.c ++++ b/drivers/video/fbdev/uvesafb.c +@@ -1059,7 +1059,8 @@ static int uvesafb_setcmap(struct fb_cma + info->cmap.len || cmap->start < info->cmap.start) + return -EINVAL; + +- entries = kmalloc(sizeof(*entries) * cmap->len, GFP_KERNEL); ++ entries = kmalloc_array(cmap->len, sizeof(*entries), ++ GFP_KERNEL); + if (!entries) + return -ENOMEM; + diff --git a/queue-3.18/xen-remove-unnecessary-bug_on-from-__unbind_from_irq.patch b/queue-3.18/xen-remove-unnecessary-bug_on-from-__unbind_from_irq.patch new file mode 100644 index 00000000000..22f28afd299 --- /dev/null +++ b/queue-3.18/xen-remove-unnecessary-bug_on-from-__unbind_from_irq.patch 
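Review bot: kmalloc_array() now catches the `cmap->len * sizeof(*entries)` wrap, but the range check just above (its first line is cut off at the hunk edge) appears to compare `cmap->start + cmap->len` against the info cmap, and that sum is computed in the same 32-bit width, so a large `len` combined with a large `start` could still wrap past the check and reach the allocation with a representable but bogus size. If that reading is right, an explicit `if (cmap->len > info->cmap.len) return -EINVAL;` before the allocation closes the gap independently of the multiplication overflow. uvesafb_setcmap() starts and ends outside the hunk.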
@@ -0,0 +1,40 @@ +From eef04c7b3786ff0c9cb1019278b6c6c2ea0ad4ff Mon Sep 17 00:00:00 2001 +From: Boris Ostrovsky +Date: Thu, 21 Jun 2018 13:29:44 -0400 +Subject: xen: Remove unnecessary BUG_ON from __unbind_from_irq() + +From: Boris Ostrovsky + +commit eef04c7b3786ff0c9cb1019278b6c6c2ea0ad4ff upstream. + +Commit 910f8befdf5b ("xen/pirq: fix error path cleanup when binding +MSIs") fixed a couple of errors in error cleanup path of +xen_bind_pirq_msi_to_irq(). This cleanup allowed a call to +__unbind_from_irq() with an unbound irq, which would result in +triggering the BUG_ON there. + +Since there is really no reason for the BUG_ON (xen_free_irq() can +operate on unbound irqs) we can remove it. + +Reported-by: Ben Hutchings +Signed-off-by: Boris Ostrovsky +Cc: stable@vger.kernel.org +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/events/events_base.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -636,8 +636,6 @@ static void __unbind_from_irq(unsigned i + xen_irq_info_cleanup(info); + } + +- BUG_ON(info_for_irq(irq)->type == IRQT_UNBOUND); +- + xen_free_irq(irq); + } +