From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 27 Dec 2024 15:27:15 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v6.1.123~54
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8516959a496b128fd8419124a23762c82c6a0129;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch
---

diff --git a/queue-5.10/mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch b/queue-5.10/mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch
new file mode 100644
index 00000000000..1fbef7a4a87
--- /dev/null
+++ b/queue-5.10/mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch
@@ -0,0 +1,34 @@
+From 9b458e8be0d13e81ed03fffa23f8f9b528bbd786 Mon Sep 17 00:00:00 2001
+From: Zichen Xie <zichenxie0106@gmail.com>
+Date: Wed, 23 Oct 2024 16:13:10 -0500
+Subject: mtd: diskonchip: Cast an operand to prevent potential overflow
+
+From: Zichen Xie <zichenxie0106@gmail.com>
+
+commit 9b458e8be0d13e81ed03fffa23f8f9b528bbd786 upstream.
+
+There may be a potential integer overflow issue in inftl_partscan().
+parts[0].size is defined as "uint64_t"  while mtd->erasesize and
+ip->firstUnit are defined as 32-bit unsigned integer. The result of
+the calculation will be limited to 32 bits without correct casting.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/diskonchip.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/raw/diskonchip.c
++++ b/drivers/mtd/nand/raw/diskonchip.c
+@@ -1098,7 +1098,7 @@ static inline int __init inftl_partscan(
+ 		    (i == 0) && (ip->firstUnit > 0)) {
+ 			parts[0].name = " DiskOnChip IPL / Media Header partition";
+ 			parts[0].offset = 0;
+-			parts[0].size = mtd->erasesize * ip->firstUnit;
++			parts[0].size = (uint64_t)mtd->erasesize * ip->firstUnit;
+ 			numparts = 1;
+ 		}
+ 
diff --git a/queue-5.10/series b/queue-5.10/series
index 0106ea347cc..9e641457230 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -46,3 +46,4 @@ mm-vmstat-fix-a-w-1-clang-compiler-warning.patch
 tcp_bpf-charge-receive-socket-buffer-in-bpf_tcp_ingr.patch
 bpf-check-negative-offsets-in-__bpf_skb_min_len.patch
 nfsd-restore-callback-functionality-for-nfsv4.0.patch
+mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch