From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 3 Aug 2017 22:44:12 +0000 (-0700)
Subject: 4.12-stable patches
X-Git-Tag: v4.12.5~29
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e4131b069b5161d981327423d819698b3c24a1a3;p=thirdparty%2Fkernel%2Fstable-queue.git

4.12-stable patches

added patches:
	ipmi-watchdog-fix-watchdog-timeout-set-on-reboot.patch
	isdn-i4l-fix-buffer-overflow.patch
---

diff --git a/queue-4.12/ipmi-watchdog-fix-watchdog-timeout-set-on-reboot.patch b/queue-4.12/ipmi-watchdog-fix-watchdog-timeout-set-on-reboot.patch
new file mode 100644
index 00000000000..5417e8122c8
--- /dev/null
+++ b/queue-4.12/ipmi-watchdog-fix-watchdog-timeout-set-on-reboot.patch
@@ -0,0 +1,43 @@
+From 860f01e96981a68553f3ca49f574ff14fe955e72 Mon Sep 17 00:00:00 2001
+From: Valentin Vidic <Valentin.Vidic@CARNet.hr>
+Date: Fri, 5 May 2017 21:07:33 +0200
+Subject: ipmi/watchdog: fix watchdog timeout set on reboot
+
+From: Valentin Vidic <Valentin.Vidic@CARNet.hr>
+
+commit 860f01e96981a68553f3ca49f574ff14fe955e72 upstream.
+
+systemd by default starts watchdog on reboot and sets the timer to
+ShutdownWatchdogSec=10min.  Reboot handler in ipmi_watchdog than reduces
+the timer to 120s which is not enough time to boot a Xen machine with
+a lot of RAM.  As a result the machine is rebooted the second time
+during the long run of (XEN) Scrubbing Free RAM.....
+
+Fix this by setting the timer to 120s only if it was previously
+set to a low value.
+
+Signed-off-by: Valentin Vidic <Valentin.Vidic@CARNet.hr>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_watchdog.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_watchdog.c
++++ b/drivers/char/ipmi/ipmi_watchdog.c
+@@ -1163,10 +1163,11 @@ static int wdog_reboot_handler(struct no
+ 			ipmi_watchdog_state = WDOG_TIMEOUT_NONE;
+ 			ipmi_set_timeout(IPMI_SET_TIMEOUT_NO_HB);
+ 		} else if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE) {
+-			/* Set a long timer to let the reboot happens, but
+-			   reboot if it hangs, but only if the watchdog
++			/* Set a long timer to let the reboot happen or
++			   reset if it hangs, but only if the watchdog
+ 			   timer was already running. */
+-			timeout = 120;
++			if (timeout < 120)
++				timeout = 120;
+ 			pretimeout = 0;
+ 			ipmi_watchdog_state = WDOG_TIMEOUT_RESET;
+ 			ipmi_set_timeout(IPMI_SET_TIMEOUT_NO_HB);
diff --git a/queue-4.12/isdn-i4l-fix-buffer-overflow.patch b/queue-4.12/isdn-i4l-fix-buffer-overflow.patch
new file mode 100644
index 00000000000..a7c00cc1522
--- /dev/null
+++ b/queue-4.12/isdn-i4l-fix-buffer-overflow.patch
@@ -0,0 +1,53 @@
+From 9f5af546e6acc30f075828cb58c7f09665033967 Mon Sep 17 00:00:00 2001
+From: Annie Cherkaev <annie.cherk@gmail.com>
+Date: Sat, 15 Jul 2017 15:08:58 -0600
+Subject: isdn/i4l: fix buffer overflow
+
+From: Annie Cherkaev <annie.cherk@gmail.com>
+
+commit 9f5af546e6acc30f075828cb58c7f09665033967 upstream.
+
+This fixes a potential buffer overflow in isdn_net.c caused by an
+unbounded strcpy.
+
+[ ISDN seems to be effectively unmaintained, and the I4L driver in
+  particular is long deprecated, but in case somebody uses this..
+    - Linus ]
+
+Signed-off-by: Jiten Thakkar <jitenmt@gmail.com>
+Signed-off-by: Annie Cherkaev <annie.cherk@gmail.com>
+Cc: Karsten Keil <isdn@linux-pingi.de>
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/i4l/isdn_common.c |    1 +
+ drivers/isdn/i4l/isdn_net.c    |    5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1379,6 +1379,7 @@ isdn_ioctl(struct file *file, uint cmd,
+ 			if (arg) {
+ 				if (copy_from_user(bname, argp, sizeof(bname) - 1))
+ 					return -EFAULT;
++				bname[sizeof(bname)-1] = 0;
+ 			} else
+ 				return -EINVAL;
+ 			ret = mutex_lock_interruptible(&dev->mtx);
+--- a/drivers/isdn/i4l/isdn_net.c
++++ b/drivers/isdn/i4l/isdn_net.c
+@@ -2611,10 +2611,9 @@ isdn_net_newslave(char *parm)
+ 	char newname[10];
+ 
+ 	if (p) {
+-		/* Slave-Name MUST not be empty */
+-		if (!strlen(p + 1))
++		/* Slave-Name MUST not be empty or overflow 'newname' */
++		if (strscpy(newname, p + 1, sizeof(newname)) <= 0)
+ 			return NULL;
+-		strcpy(newname, p + 1);
+ 		*p = 0;
+ 		/* Master must already exist */
+ 		if (!(n = isdn_net_findif(parm)))
diff --git a/queue-4.12/series b/queue-4.12/series
index 6d676c61e3d..958483e7c6d 100644
--- a/queue-4.12/series
+++ b/queue-4.12/series
@@ -25,3 +25,5 @@ drm-vmwgfx-limit-max-desktop-dimensions-to-8kx8k.patch
 drm-nouveau-disp-nv50-bump-max-chans-to-21.patch
 drm-nouveau-bar-gf100-fix-access-to-upper-half-of-bar2.patch
 drm-i915-fix-scaler-init-during-crtc-hw-state-readout.patch
+isdn-i4l-fix-buffer-overflow.patch
+ipmi-watchdog-fix-watchdog-timeout-set-on-reboot.patch