Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.14.78 2018-05-25T14:17:47+00:00 2018-05-25T14:17:47+00:00 Dan Carpenter dan.carpenter@oracle.com 2018-01-25T14:27:27+00:00 urn:sha1:62d16de3109f8dff76f97b58d66ce502970b2f3f [ Upstream commit a7043e9529f3c367cc4d82997e00be034cbe57ca ] My static checker complains about an out of bounds read: drivers/message/fusion/mptctl.c:2786 mptctl_hp_targetinfo() error: buffer overflow 'hd->sel_timeout' 255 <= u32max. It's true that we probably should have a bounds check here. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-12-24T19:46:01+00:00 Linus Torvalds torvalds@linux-foundation.org 2016-12-24T19:46:01+00:00 urn:sha1:7c0f6ba682b9c7632072ffbedf8d328c8f3c42ba This was entirely automated, using the script by Al: PATT='^[[:blank:]]*#[[:blank:]]*include[[:blank:]]*<asm/uaccess.h>' sed -i -e "s!$PATT!#include <linux/uaccess.h>!" \ $(git grep -l "$PATT"|grep -v ^include/linux/uaccess.h) to do the replacement at the end of the merge window. Requested-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-11-12T01:58:06+00:00 Dan Carpenter dan.carpenter@oracle.com 2015-11-10T22:15:24+00:00 urn:sha1:491212014ec3ab6c477e7368405c5ae028b05ceb There is a static checker warning here because "bytes" is controlled by the user and we cap the upper bound with min() but allow negatives. Negative bytes will result in some nasty warning messages but are not super harmful. Anyway, no one needs negative bytes so let's just check for it and return NULL. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2015-08-26T14:11:45+00:00 Dan Carpenter dan.carpenter@oracle.com 2015-07-03T08:53:03+00:00 urn:sha1:e819cdb198319cccf4af4fc12ac4d796109d8c23 These are signed values the come from the user, we put a cap on the upper bounds but not on the lower bounds. We use "karg.dataSgeOffset" to calculate "sz". We verify "sz" and proceed as if that means that "karg.dataSgeOffset" is correct but this fails to consider that the "sz" calculations can have integer overflows. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: James Bottomley <JBottomley@Odin.com> 2014-09-16T16:09:43+00:00 Rasmus Villemoes linux@rasmusvillemoes.dk 2014-07-01T12:56:20+00:00 urn:sha1:f6e495a2b317fd7f3693d7c9217abfe943cbb3c6 Rounding up to a multiple of 4 should be done using the ALIGN macro. As a bonus, this also makes the generated code smaller. In GetIocFacts(), sz is assigned to a few lines below without being read in the meantime, so it is ok that it doesn't end up with the same value as facts->FWImageSize. Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Reviewed-by: Joe Lawrence <joe.lawrence@stratus.com> Signed-off-by: Christoph Hellwig <hch@lst.de> 2014-07-25T21:16:57+00:00 Joe Lawrence joe.lawrence@stratus.com 2014-06-25T21:06:12+00:00 urn:sha1:3e67c459d0ac945ac09639d85de299e65317aefe Let memdup_user handle the kmalloc, copy_from_user and error checking kfree code. Spotted by the following smatch (false positive) warning: drivers/message/fusion/mptctl.c:1369 mptctl_getiocinfo() warn: possible info leak 'karg' Signed-off-by: Joe Lawrence <joe.lawrence@stratus.com> Acked-by: Sreekanth Reddy <Sreekanth.Reddy@avagotech.com> Signed-off-by: Christoph Hellwig <hch@lst.de> 2014-05-28T16:14:16+00:00 Tomas Henzl thenzl@redhat.com 2014-05-28T16:04:20+00:00 urn:sha1:73d02c200b0e43762eae7a81e7f36d14adb26a37 Hi, without this patch the istwiRWRequest->MsgContext is always set to zero, this patch saves the MsgContext in a msgcontext variable and then restores the value. Thanks to David Jeffery who found the issue and did the analysis. Signed-off-by: Tomas Henzl <thenzl@redhat.com> Acked-by: Desai, Kashyap <Kashyap.Desai@lsi.com> Signed-off-by: Christoph Hellwig <hch@lst.de> 2013-04-29T19:41:44+00:00 Al Viro viro@zeniv.linux.org.uk 2013-04-15T14:28:20+00:00 urn:sha1:f0689f05371c6a7a33b4a4b85ecb6d1c79e2a371 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-06-01T00:49:26+00:00 Sergei Shtylyov sshtylyov@ru.mvista.com 2012-05-31T23:26:06+00:00 urn:sha1:9ceb5c16f5aa1021e9ef8f5e6c41feba288f963b This driver uses PCI_CLASS_REVISION instead of PCI_REVISION_ID, so it wasn't converted by 44c10138fd4bbc ("PCI: Change all drivers to use pci_device->revision"). In one case, it even reads PCI revision ID without using it -- that code is now removed... Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Acked-by: "Nandigama, Nagalakshmi" <Nagalakshmi.Nandigama@lsi.com> Cc: Eric Moore <eric.moore@lsi.com> Acked-by: Auke Kok <auke-jan.h.kok@intel.com> Cc: Greg KH <greg@kroah.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2011-03-31T14:26:23+00:00 Lucas De Marchi lucas.demarchi@profusion.mobi 2011-03-31T01:57:33+00:00 urn:sha1:25985edcedea6396277003854657b5f3cb31a628 Fixes generated by 'codespell' and manually reviewed. Signed-off-by: Lucas De Marchi <lucas.demarchi@profusion.mobi>