/* Ask for all the pages supported by this device */
result = scsi_vpd_inquiry(sdev, buf, 0, buf_len);
if (result)
-commit 4d0ed18277cc6f07513ee0b04475f19cd69e75ef
-Author: Peter Hurley <peter@hurleysoftware.com>
-Date: Tue Dec 10 17:12:02 2013 -0500
-
- n_tty: Fix buffer overruns with larger-than-4k pastes
-
- readline() inadvertently triggers an error recovery path when
- pastes larger than 4k overrun the line discipline buffer. The
- error recovery path discards input when the line discipline buffer
- is full and operating in canonical mode and no newline has been
- received. Because readline() changes the termios to non-canonical
- mode to read the line char-by-char, the line discipline buffer
- can become full, and then when readline() restores termios back
- to canonical mode for the caller, the now-full line discipline
- buffer triggers the error recovery.
-
- When changing termios from non-canon to canon mode and the read
- buffer contains data, simulate an EOF push _without_ the
- DISABLED_CHAR in the read buffer.
-
- Importantly for the readline() problem, the termios can be
- changed back to non-canonical mode without changes to the read
- buffer occurring; ie., as if the previous termios change had not
- happened (as long as no intervening read took place).
-
- Preserve existing userspace behavior which allows '\0's already
- received in non-canon mode to be read as '\0's in canon mode
- (rather than trigger add'l EOF pushes or an actual EOF).
-
- Patch based on original proposal and discussion here
- https://bugzilla.kernel.org/show_bug.cgi?id=55991
- by Stas Sergeev <stsp@users.sourceforge.net>
-
- Reported-by: Margarita Manterola <margamanterola@gmail.com>
- Cc: Maximiliano Curia <maxy@gnuservers.com.ar>
- Cc: Pavel Machek <pavel@ucw.cz>
- Cc: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
- Acked-by: Stas Sergeev <stsp@users.sourceforge.net>
- Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
- Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
-diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index fdc2ecd..961e6a9 100644
---- a/drivers/tty/n_tty.c
-+++ b/drivers/tty/n_tty.c
-@@ -104,6 +104,7 @@ struct n_tty_data {
-
- /* must hold exclusive termios_rwsem to reset these */
- unsigned char lnext:1, erasing:1, raw:1, real_raw:1, icanon:1;
-+ unsigned char push:1;
-
- /* shared by producer and consumer */
- char read_buf[N_TTY_BUF_SIZE];
-@@ -341,6 +342,7 @@ static void reset_buffer_flags(struct n_tty_data *ldata)
-
- ldata->erasing = 0;
- bitmap_zero(ldata->read_flags, N_TTY_BUF_SIZE);
-+ ldata->push = 0;
- }
-
- static void n_tty_packet_mode_flush(struct tty_struct *tty)
-@@ -1745,7 +1747,16 @@ static void n_tty_set_termios(struct tty_struct *tty, struct ktermios *old)
-
- if (!old || (old->c_lflag ^ tty->termios.c_lflag) & ICANON) {
- bitmap_zero(ldata->read_flags, N_TTY_BUF_SIZE);
-- ldata->line_start = ldata->canon_head = ldata->read_tail;
-+ ldata->line_start = ldata->read_tail;
-+ if (!L_ICANON(tty) || !read_cnt(ldata)) {
-+ ldata->canon_head = ldata->read_tail;
-+ ldata->push = 0;
-+ } else {
-+ set_bit((ldata->read_head - 1) & (N_TTY_BUF_SIZE - 1),
-+ ldata->read_flags);
-+ ldata->canon_head = ldata->read_head;
-+ ldata->push = 1;
-+ }
- ldata->erasing = 0;
- ldata->lnext = 0;
+
+From 1e2ee49f7f1b79f0b14884fe6a602f0411b39552 Mon Sep 17 00:00:00 2001
+From: Will Woods <wwoods@redhat.com>
+Date: Tue, 6 May 2014 12:50:10 -0700
+Subject: fanotify: fix -EOVERFLOW with large files on 64-bit
+
+On 64-bit systems, O_LARGEFILE is automatically added to flags inside
+the open() syscall (also openat(), blkdev_open(), etc). Userspace
+therefore defines O_LARGEFILE to be 0 - you can use it, but it's a
+no-op. Everything should be O_LARGEFILE by default.
+
+But: when fanotify does create_fd() it uses dentry_open(), which skips
+all that. And userspace can't set O_LARGEFILE in fanotify_init()
+because it's defined to 0. So if fanotify gets an event regarding a
+large file, the read() will just fail with -EOVERFLOW.
+
+This patch adds O_LARGEFILE to fanotify_init()'s event_f_flags on 64-bit
+systems, using the same test as open()/openat()/etc.
+
+Addresses https://bugzilla.redhat.com/show_bug.cgi?id=696821
+
+Signed-off-by: Will Woods <wwoods@redhat.com>
+Acked-by: Eric Paris <eparis@redhat.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
+index 4e565c8..732648b 100644
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -698,6 +698,8 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
}
-@@ -1951,6 +1962,12 @@ static int copy_from_read_buf(struct tty_struct *tty,
- * it copies one line of input up to and including the line-delimiting
- * character into the user-space buffer.
- *
-+ * NB: When termios is changed from non-canonical to canonical mode and
-+ * the read buffer contains data, n_tty_set_termios() simulates an EOF
-+ * push (as if C-d were input) _without_ the DISABLED_CHAR in the buffer.
-+ * This causes data already processed as input to be immediately available
-+ * as input although a newline has not been received.
-+ *
- * Called under the atomic_read_lock mutex
- *
- * n_tty_read()/consumer path:
-@@ -1997,7 +2014,7 @@ static int canon_copy_from_read_buf(struct tty_struct *tty,
- n += found;
- c = n;
+ group->overflow_event = &oevent->fse;
-- if (found && read_buf(ldata, eol) == __DISABLED_CHAR) {
-+ if (found && !ldata->push && read_buf(ldata, eol) == __DISABLED_CHAR) {
- n--;
- eof_push = !n && ldata->read_tail != ldata->line_start;
- }
-@@ -2024,7 +2041,10 @@ static int canon_copy_from_read_buf(struct tty_struct *tty,
- ldata->read_tail += c;
++ if (force_o_largefile())
++ event_f_flags |= O_LARGEFILE;
+ group->fanotify_data.f_flags = event_f_flags;
+ #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
+ spin_lock_init(&group->fanotify_data.access_lock);
+--
+cgit v0.10.1
+From 29183a70b0b828500816bd794b3fe192fce89f73 Mon Sep 17 00:00:00 2001
+From: John Stultz <john.stultz@linaro.org>
+Date: Mon, 9 Feb 2015 23:30:36 -0800
+Subject: ntp: Fixup adjtimex freq validation on 32-bit systems
+
+Additional validation of adjtimex freq values to avoid
+potential multiplication overflows were added in commit
+5e5aeb4367b (time: adjtimex: Validate the ADJ_FREQUENCY values)
+
+Unfortunately the patch used LONG_MAX/MIN instead of
+LLONG_MAX/MIN, which was fine on 64-bit systems, but being
+much smaller on 32-bit systems caused false positives
+resulting in most direct frequency adjustments to fail w/
+EINVAL.
+
+ntpd only does direct frequency adjustments at startup, so
+the issue was not as easily observed there, but other time
+sync applications like ptpd and chrony were more effected by
+the bug.
+
+See bugs:
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=92481
+ https://bugzilla.redhat.com/show_bug.cgi?id=1188074
+
+This patch changes the checks to use LLONG_MAX for
+clarity, and additionally the checks are disabled
+on 32-bit systems since LLONG_MAX/PPM_SCALE is always
+larger then the 32-bit long freq value, so multiplication
+overflows aren't possible there.
+
+Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
+Reported-by: George Joseph <george.joseph@fairview5.com>
+Tested-by: George Joseph <george.joseph@fairview5.com>
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: <stable@vger.kernel.org> # v3.19+
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Link: http://lkml.kernel.org/r/1423553436-29747-1-git-send-email-john.stultz@linaro.org
+[ Prettified the changelog and the comments a bit. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
+index 4b585e0..0f60b08 100644
+--- a/kernel/time/ntp.c
++++ b/kernel/time/ntp.c
+@@ -633,10 +633,14 @@ int ntp_validate_timex(struct timex *txc)
+ if ((txc->modes & ADJ_SETOFFSET) && (!capable(CAP_SYS_TIME)))
+ return -EPERM;
- if (found) {
-- ldata->line_start = ldata->read_tail;
-+ if (!ldata->push)
-+ ldata->line_start = ldata->read_tail;
-+ else
-+ ldata->push = 0;
- tty_audit_push(tty);
+- if (txc->modes & ADJ_FREQUENCY) {
+- if (LONG_MIN / PPM_SCALE > txc->freq)
++ /*
++ * Check for potential multiplication overflows that can
++ * only happen on 64-bit systems:
++ */
++ if ((txc->modes & ADJ_FREQUENCY) && (BITS_PER_LONG == 64)) {
++ if (LLONG_MIN / PPM_SCALE > txc->freq)
+ return -EINVAL;
+- if (LONG_MAX / PPM_SCALE < txc->freq)
++ if (LLONG_MAX / PPM_SCALE < txc->freq)
+ return -EINVAL;
}
- return eof_push ? -EAGAIN : 0;
+
+--
+cgit v0.10.2
+