From: Greg Kroah-Hartman Date: Thu, 19 Apr 2018 15:29:32 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.9.95~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e985014005bf9c464122a00e7c63847c9b5ec17a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: fs-reiserfs-journal.c-add-missing-resierfs_warning-arg.patch resource-fix-integer-overflow-at-reallocation.patch ubi-fix-error-for-write-access.patch ubi-reject-mlc-nand.patch ubifs-check-ubifs_wbuf_sync-return-code.patch usb-musb-gadget-misplaced-out-of-bounds-check.patch
---
diff --git a/queue-3.18/fs-reiserfs-journal.c-add-missing-resierfs_warning-arg.patch b/queue-3.18/fs-reiserfs-journal.c-add-missing-resierfs_warning-arg.patch
new file mode 100644
index 00000000000..f913b37bba2
--- /dev/null
+++ b/queue-3.18/fs-reiserfs-journal.c-add-missing-resierfs_warning-arg.patch
@@ -0,0 +1,52 @@
+From 9ad553abe66f8be3f4755e9fa0a6ba137ce76341 Mon Sep 17 00:00:00 2001
+From: Andrew Morton
+Date: Tue, 10 Apr 2018 16:34:41 -0700
+Subject: fs/reiserfs/journal.c: add missing resierfs_warning() arg
+
+From: Andrew Morton
+
+commit 9ad553abe66f8be3f4755e9fa0a6ba137ce76341 upstream.
+
+One use of the reiserfs_warning() macro in journal_init_dev() is missing
+a parameter, causing the following warning:
+
+ REISERFS warning (device loop0): journal_init_dev: Cannot open '%s': %i journal_init_dev:
+
+This also causes a WARN_ONCE() warning in the vsprintf code, and then a
+panic if panic_on_warn is set.
+
+ Please remove unsupported %/ in format string
+ WARNING: CPU: 1 PID: 4480 at lib/vsprintf.c:2138 format_decode+0x77f/0x830 lib/vsprintf.c:2138
+ Kernel panic - not syncing: panic_on_warn set ...
+
+Just add another string argument to the macro invocation.
+
+Addresses https://syzkaller.appspot.com/bug?id=0627d4551fdc39bf1ef5d82cd9eef587047f7718
+
+Link: http://lkml.kernel.org/r/d678ebe1-6f54-8090-df4c-b9affad62293@infradead.org
+Signed-off-by: Randy Dunlap
+Reported-by:
+Tested-by: Randy Dunlap
+Acked-by: Jeff Mahoney
+Cc: Alexander Viro
+Cc: Jan Kara
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/reiserfs/journal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/reiserfs/journal.c
++++ b/fs/reiserfs/journal.c
+@@ -2643,7 +2643,7 @@ static int journal_init_dev(struct super
+ if (IS_ERR(journal->j_dev_bd)) {
+ result = PTR_ERR(journal->j_dev_bd);
+ journal->j_dev_bd = NULL;
+- reiserfs_warning(super,
++ reiserfs_warning(super, "sh-457",
+ "journal_init_dev: Cannot open '%s': %i",
+ jdev_name, result);
+ return result;
diff --git a/queue-3.18/resource-fix-integer-overflow-at-reallocation.patch b/queue-3.18/resource-fix-integer-overflow-at-reallocation.patch
new file mode 100644
index 00000000000..abc3a340346
--- /dev/null
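Review bot: In the queued fs/reiserfs/journal.c patch, nothing at the `journal_init_dev()` call site stops the same slip from recurring, because the compiler accepted the call with the id argument missing. In that form the literal format was presumably taken as the id and `jdev_name` was parsed as the format string, which matches the quoted "unsupported %/" warning. If `__reiserfs_warning()` is not already declared with a printf format attribute, adding one and building with `-Wformat-nonliteral` would flag a non-literal format at compile time. The macro and its declaration are outside this hunk, so that needs checking against the header; `journal_init_dev()` also starts and ends outside the hunk.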
+++ b/queue-3.18/resource-fix-integer-overflow-at-reallocation.patch
@@ -0,0 +1,55 @@
+From 60bb83b81169820c691fbfa33a6a4aef32aa4b0b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 13 Apr 2018 15:35:13 -0700
+Subject: resource: fix integer overflow at reallocation
+
+From: Takashi Iwai
+
+commit 60bb83b81169820c691fbfa33a6a4aef32aa4b0b upstream.
+
+We've got a bug report indicating a kernel panic at booting on an x86-32
+system, and it turned out to be the invalid PCI resource assigned after
+reallocation. __find_resource() first aligns the resource start address
+and resets the end address with start+size-1 accordingly, then checks
+whether it's contained. Here the end address may overflow the integer,
+although resource_contains() still returns true because the function
+validates only start and end address. So this ends up with returning an
+invalid resource (start > end).
+
+There was already an attempt to cover such a problem in the commit
+47ea91b4052d ("Resource: fix wrong resource window calculation"), but
+this case is an overseen one.
+
+This patch adds the validity check of the newly calculated resource for
+avoiding the integer overflow problem.
+
+Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1086739
+Link: http://lkml.kernel.org/r/s5hpo37d5l8.wl-tiwai@suse.de
+Fixes: 23c570a67448 ("resource: ability to resize an allocated resource")
+Signed-off-by: Takashi Iwai
+Reported-by: Michael Henders
+Tested-by: Michael Henders
+Reviewed-by: Andrew Morton
+Cc: Ram Pai
+Cc: Bjorn Helgaas
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/resource.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/resource.c
++++ b/kernel/resource.c
+@@ -590,7 +590,8 @@ static int __find_resource(struct resour
+ alloc.start = constraint->alignf(constraint->alignf_data, &avail,
+ size, constraint->align);
+ alloc.end = alloc.start + size - 1;
+- if (resource_contains(&avail, &alloc)) {
++ if (alloc.start <= alloc.end &&
++ resource_contains(&avail, &alloc)) {
+ new->start = alloc.start;
+ new->end = alloc.end;
+ return 0;
diff --git a/queue-3.18/series b/queue-3.18/series
index 09bfd9ab205..8aaa3d77bba 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -4,3 +4,9 @@ s390-qdio-don-t-retry-eqbs-after-ccq-96.patch
 s390-qdio-don-t-merge-error-output-buffers.patch
 s390-ipl-ensure-loadparm-valid-flag-is-set.patch
 slip-check-if-rstate-is-initialized-before-uncompressing.patch
+ubifs-check-ubifs_wbuf_sync-return-code.patch
+ubi-fix-error-for-write-access.patch
+ubi-reject-mlc-nand.patch
+fs-reiserfs-journal.c-add-missing-resierfs_warning-arg.patch
+resource-fix-integer-overflow-at-reallocation.patch
+usb-musb-gadget-misplaced-out-of-bounds-check.patch
diff --git a/queue-3.18/ubi-fix-error-for-write-access.patch b/queue-3.18/ubi-fix-error-for-write-access.patch
new file mode 100644
index 00000000000..2376225f186
--- /dev/null
+++ b/queue-3.18/ubi-fix-error-for-write-access.patch
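Review bot: The added `alloc.start <= alloc.end` test in `__find_resource()` (kernel/resource.c patch) carries no comment, and without the commit message it reads as redundant next to `resource_contains()`. A one-line comment above the condition would keep it from being dropped in a later cleanup, for example `/* alloc.end wraps below alloc.start when start + size - 1 overflows */`. The function body starts and ends outside the hunk, so what happens after a rejected candidate is not visible here.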
@@ -0,0 +1,42 @@
+From 78a8dfbabbece22bee58ac4cb26cab10e7a19c5d Mon Sep 17 00:00:00 2001
+From: Romain Izard
+Date: Mon, 29 Jan 2018 11:18:20 +0100
+Subject: ubi: Fix error for write access
+
+From: Romain Izard
+
+commit 78a8dfbabbece22bee58ac4cb26cab10e7a19c5d upstream.
+
+When opening a device with write access, ubiblock_open returns an error
+code. Currently, this error code is -EPERM, but this is not the right
+value.
+
+The open function for other block devices returns -EROFS when opening
+read-only devices with FMODE_WRITE set. When used with dm-verity, the
+veritysetup userspace tool is expecting EROFS, and refuses to use the
+ubiblock device.
+
+Use -EROFS for ubiblock as well. As a result, veritysetup accepts the
+ubiblock device as valid.
+
+Cc: stable@vger.kernel.org
+Fixes: 9d54c8a33eec (UBI: R/O block driver on top of UBI volumes)
+Signed-off-by: Romain Izard
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/ubi/block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/ubi/block.c
++++ b/drivers/mtd/ubi/block.c
+@@ -322,7 +322,7 @@ static int ubiblock_open(struct block_de
+ * in any case.
+ */
+ if (mode & FMODE_WRITE) {
+- ret = -EPERM;
++ ret = -EROFS;
+ goto out_unlock;
+ }
+
diff --git a/queue-3.18/ubi-reject-mlc-nand.patch b/queue-3.18/ubi-reject-mlc-nand.patch
new file mode 100644
index 00000000000..c6731cf50b8
--- /dev/null
+++ b/queue-3.18/ubi-reject-mlc-nand.patch
@@ -0,0 +1,45 @@
+From b5094b7f135be34630e3ea8a98fa215715d0f29d Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Sat, 3 Mar 2018 11:45:54 +0100
+Subject: ubi: Reject MLC NAND
+
+From: Richard Weinberger
+
+commit b5094b7f135be34630e3ea8a98fa215715d0f29d upstream.
+
+While UBI and UBIFS seem to work at first sight with MLC NAND, you will
+most likely lose all your data upon a power-cut or due to read/write
+disturb.
+In order to protect users from bad surprises, refuse to attach to MLC
+NAND.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Richard Weinberger
+Acked-by: Boris Brezillon
+Acked-by: Artem Bityutskiy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/ubi/build.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/mtd/ubi/build.c
++++ b/drivers/mtd/ubi/build.c
+@@ -905,6 +905,17 @@ int ubi_attach_mtd_dev(struct mtd_info *
+ return -EINVAL;
+ }
+
++ /*
++ * Both UBI and UBIFS have been designed for SLC NAND and NOR flashes.
++ * MLC NAND is different and needs special care, otherwise UBI or UBIFS
++ * will die soon and you will lose all your data.
++ */
++ if (mtd->type == MTD_MLCNANDFLASH) {
++ pr_err("ubi: refuse attaching mtd%d - MLC NAND is not supported\n",
++ mtd->index);
++ return -EINVAL;
++ }
++
+ if (ubi_num == UBI_DEV_NUM_AUTO) {
+ /* Search for an empty slot in the @ubi_devices array */
+ for (ubi_num = 0; ubi_num < UBI_MAX_DEVICES; ubi_num++)
diff --git a/queue-3.18/ubifs-check-ubifs_wbuf_sync-return-code.patch b/queue-3.18/ubifs-check-ubifs_wbuf_sync-return-code.patch
new file mode 100644
index 00000000000..d85e2432a3f
--- /dev/null
+++ b/queue-3.18/ubifs-check-ubifs_wbuf_sync-return-code.patch
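Review bot: The comment added above the `MTD_MLCNANDFLASH` test in `ubi_attach_mtd_dev()` (drivers/mtd/ubi/build.c patch) says MLC NAND "needs special care" and that UBI "will die soon", but does not name what actually goes wrong. The commit message is more precise, so the comment could carry the same facts, e.g. `* On MLC NAND data is likely to be lost on a power cut or through read/write disturb.`. That tells a later reader why the attach is refused without having to dig out the commit. The function continues outside the hunk.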
@@ -0,0 +1,54 @@
+From aac17948a7ce01fb60b9ee6cf902967a47b3ce26 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Wed, 17 Jan 2018 19:12:42 +0100
+Subject: ubifs: Check ubifs_wbuf_sync() return code
+
+From: Richard Weinberger
+
+commit aac17948a7ce01fb60b9ee6cf902967a47b3ce26 upstream.
+
+If ubifs_wbuf_sync() fails we must not write a master node with the
+dirty marker cleared.
+Otherwise it is possible that in case of an IO error while syncing we
+mark the filesystem as clean and UBIFS refuses to recover upon next
+mount.
+
+Cc:
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ubifs/super.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/ubifs/super.c
++++ b/fs/ubifs/super.c
+@@ -1726,8 +1726,11 @@ static void ubifs_remount_ro(struct ubif
+
+ dbg_save_space_info(c);
+
+- for (i = 0; i < c->jhead_cnt; i++)
+- ubifs_wbuf_sync(&c->jheads[i].wbuf);
++ for (i = 0; i < c->jhead_cnt; i++) {
++ err = ubifs_wbuf_sync(&c->jheads[i].wbuf);
++ if (err)
++ ubifs_ro_mode(c, err);
++ }
+
+ c->mst_node->flags &= ~cpu_to_le32(UBIFS_MST_DIRTY);
+ c->mst_node->flags |= cpu_to_le32(UBIFS_MST_NO_ORPHS);
+@@ -1794,8 +1797,11 @@ static void ubifs_put_super(struct super
+ int err;
+
+ /* Synchronize write-buffers */
+ for (i = 0; i < c->jhead_cnt; i++)
+- ubifs_wbuf_sync(&c->jheads[i].wbuf);
++ for (i = 0; i < c->jhead_cnt; i++) {
++ err = ubifs_wbuf_sync(&c->jheads[i].wbuf);
++ if (err)
++ ubifs_ro_mode(c, err);
++ }
+
+ /*
+ * We are being cleanly unmounted which means the
diff --git a/queue-3.18/usb-musb-gadget-misplaced-out-of-bounds-check.patch b/queue-3.18/usb-musb-gadget-misplaced-out-of-bounds-check.patch
new file mode 100644
index 00000000000..f0c9448dafe
--- /dev/null
+++ b/queue-3.18/usb-musb-gadget-misplaced-out-of-bounds-check.patch
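Review bot: In `ubifs_remount_ro()` (fs/ubifs/super.c patch) the protection against a clean master node is implicit: after `ubifs_ro_mode(c, err)` the loop keeps running and the next visible lines still clear `UBIFS_MST_DIRTY` in `c->mst_node->flags`. The on-flash master therefore stays dirty only if the later master write refuses to run once the error state is set, and that code is outside both hunks. A short comment at the `ubifs_ro_mode()` call would record the dependency, for example `/* the master write below must fail once the read-only error state is set */`. The same applies to the identical loop in `ubifs_put_super()`, whose follow-up code is also outside the hunk.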
@@ -0,0 +1,48 @@
+From af6f8529098aeb0e56a68671b450cf74e7a64fcd Mon Sep 17 00:00:00 2001
+From: Heinrich Schuchardt
+Date: Thu, 29 Mar 2018 10:48:28 -0500
+Subject: usb: musb: gadget: misplaced out of bounds check
+
+From: Heinrich Schuchardt
+
+commit af6f8529098aeb0e56a68671b450cf74e7a64fcd upstream.
+
+musb->endpoints[] has array size MUSB_C_NUM_EPS.
+We must check array bounds before accessing the array and not afterwards.
+
+Signed-off-by: Heinrich Schuchardt
+Signed-off-by: Bin Liu
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/musb/musb_gadget_ep0.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/musb/musb_gadget_ep0.c
++++ b/drivers/usb/musb/musb_gadget_ep0.c
+@@ -114,15 +114,19 @@ static int service_tx_status_request(
+ }
+
+ is_in = epnum & USB_DIR_IN;
+- if (is_in) {
+- epnum &= 0x0f;
++ epnum &= 0x0f;
++ if (epnum >= MUSB_C_NUM_EPS) {
++ handled = -EINVAL;
++ break;
++ }
++
++ if (is_in)
+ ep = &musb->endpoints[epnum].ep_in;
+- } else {
++ else
+ ep = &musb->endpoints[epnum].ep_out;
+- }
+ regs = musb->endpoints[epnum].regs;
+
+- if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
++ if (!ep->desc) {
+ handled = -EINVAL;
+ break;
+ }
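Review bot: In `service_tx_status_request()` the new unconditional `epnum &= 0x0f` runs before the bounds check, so a value with bits set outside the direction bit and the low nibble is now folded onto a valid endpoint index instead of being rejected. In the old code the OUT path left `epnum` unmasked and such a value failed the `MUSB_C_NUM_EPS` comparison, although only after the array had been indexed. If rejecting those values was intended, test them before masking: `if (epnum & ~(USB_DIR_IN | 0x0f)) { handled = -EINVAL; break; }`. Where `epnum` is assigned is outside the hunk, so whether such bits can arrive here needs checking against the full function.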