+++ /dev/null
-From 36fe9b4e51156ceded27c42255b18cf5a48d82b7 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 7 Jan 2019 15:02:34 +0800
-Subject: f2fs: check if file namelen exceeds max value
-
-From: Sheng Yong <shengyong1@huawei.com>
-
-[ Upstream commit 720db068634c91553a8e1d9a0fcd8c7050e06d2b ]
-
-Dentry bitmap is not enough to detect incorrect dentries. So this patch
-also checks the namelen value of a dentry.
-
-Signed-off-by: Gong Chen <gongchen4@huawei.com>
-Signed-off-by: Sheng Yong <shengyong1@huawei.com>
-Reviewed-by: Chao Yu <yuchao0@huawei.com>
-Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/f2fs/dir.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
-index 9e85e2d7a1b3c..f019bbf6f52ff 100644
---- a/fs/f2fs/dir.c
-+++ b/fs/f2fs/dir.c
-@@ -819,7 +819,8 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
-
- /* check memory boundary before moving forward */
- bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
-- if (unlikely(bit_pos > d->max)) {
-+ if (unlikely(bit_pos > d->max ||
-+ le16_to_cpu(de->name_len) > F2FS_NAME_LEN)) {
- f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING,
- "%s: corrupted namelen=%d, run fsck to fix.",
- __func__, le16_to_cpu(de->name_len));
---
-2.25.1
-
+++ /dev/null
-From eca1eba41a2efa42abb1c7dcc7e169fb691de90c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 14 Nov 2018 12:40:30 -0800
-Subject: f2fs: check memory boundary by insane namelen
-
-From: Jaegeuk Kim <jaegeuk@kernel.org>
-
-[ Upstream commit 4e240d1bab1ead280ddf5eb05058dba6bbd57d10 ]
-
-If namelen is corrupted to have very long value, fill_dentries can copy
-wrong memory area.
-
-Reviewed-by: Chao Yu <yuchao0@huawei.com>
-Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/f2fs/dir.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
-index 4abefd841b6c7..9e85e2d7a1b3c 100644
---- a/fs/f2fs/dir.c
-+++ b/fs/f2fs/dir.c
-@@ -817,6 +817,16 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
- de_name.name = d->filename[bit_pos];
- de_name.len = le16_to_cpu(de->name_len);
-
-+ /* check memory boundary before moving forward */
-+ bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
-+ if (unlikely(bit_pos > d->max)) {
-+ f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING,
-+ "%s: corrupted namelen=%d, run fsck to fix.",
-+ __func__, le16_to_cpu(de->name_len));
-+ set_sbi_flag(sbi, SBI_NEED_FSCK);
-+ return -EINVAL;
-+ }
-+
- if (f2fs_encrypted_inode(d->inode)) {
- int save_len = fstr->len;
- int err;
-@@ -835,7 +845,6 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
- le32_to_cpu(de->ino), d_type))
- return 1;
-
-- bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
- ctx->pos = start_pos + bit_pos;
- }
- return 0;
---
-2.25.1
-
ath9k_htc-release-allocated-buffer-if-timed-out.patch
ath9k-release-allocated-buffer-if-timed-out.patch
x86-kvm-be-careful-not-to-clear-kvm_vcpu_flush_tlb-b.patch
-f2fs-check-memory-boundary-by-insane-namelen.patch
-f2fs-check-if-file-namelen-exceeds-max-value.patch
+pci-aspm-disable-aspm-on-asmedia-asm1083-1085-pcie-to-pci-bridge.patch
btrfs-inode-verify-inode-mode-to-avoid-null-pointer-.patch
sctp-implement-memory-accounting-on-tx-path.patch
btrfs-fix-selftests-failure-due-to-uninitialized-i_m.patch
+pci-aspm-disable-aspm-on-asmedia-asm1083-1085-pcie-to-pci-bridge.patch
+++ /dev/null
-From 8a6e5910b2a0014ada5510bd21a838ccce6e4a7f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 7 Jan 2019 15:02:34 +0800
-Subject: f2fs: check if file namelen exceeds max value
-
-From: Sheng Yong <shengyong1@huawei.com>
-
-[ Upstream commit 720db068634c91553a8e1d9a0fcd8c7050e06d2b ]
-
-Dentry bitmap is not enough to detect incorrect dentries. So this patch
-also checks the namelen value of a dentry.
-
-Signed-off-by: Gong Chen <gongchen4@huawei.com>
-Signed-off-by: Sheng Yong <shengyong1@huawei.com>
-Reviewed-by: Chao Yu <yuchao0@huawei.com>
-Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/f2fs/dir.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
-index 437ec6e38d41d..b40681e91ebe2 100644
---- a/fs/f2fs/dir.c
-+++ b/fs/f2fs/dir.c
-@@ -807,7 +807,8 @@ bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
-
- /* check memory boundary before moving forward */
- bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
-- if (unlikely(bit_pos > d->max)) {
-+ if (unlikely(bit_pos > d->max ||
-+ le16_to_cpu(de->name_len) > F2FS_NAME_LEN)) {
- f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING,
- "%s: corrupted namelen=%d, run fsck to fix.",
- __func__, le16_to_cpu(de->name_len));
---
-2.25.1
-
+++ /dev/null
-From 830774f263ff218d0acf94f448289c871d76e8ea Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 14 Nov 2018 12:40:30 -0800
-Subject: f2fs: check memory boundary by insane namelen
-
-From: Jaegeuk Kim <jaegeuk@kernel.org>
-
-[ Upstream commit 4e240d1bab1ead280ddf5eb05058dba6bbd57d10 ]
-
-If namelen is corrupted to have very long value, fill_dentries can copy
-wrong memory area.
-
-Reviewed-by: Chao Yu <yuchao0@huawei.com>
-Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/f2fs/dir.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
-index 92a240616f520..437ec6e38d41d 100644
---- a/fs/f2fs/dir.c
-+++ b/fs/f2fs/dir.c
-@@ -805,6 +805,16 @@ bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
- de_name.name = d->filename[bit_pos];
- de_name.len = le16_to_cpu(de->name_len);
-
-+ /* check memory boundary before moving forward */
-+ bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
-+ if (unlikely(bit_pos > d->max)) {
-+ f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING,
-+ "%s: corrupted namelen=%d, run fsck to fix.",
-+ __func__, le16_to_cpu(de->name_len));
-+ set_sbi_flag(sbi, SBI_NEED_FSCK);
-+ return -EINVAL;
-+ }
-+
- if (f2fs_encrypted_inode(d->inode)) {
- int save_len = fstr->len;
- int ret;
-@@ -829,7 +839,6 @@ bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
- le32_to_cpu(de->ino), d_type))
- return true;
-
-- bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
- ctx->pos = start_pos + bit_pos;
- }
- return false;
---
-2.25.1
-
media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch
ath9k_htc-release-allocated-buffer-if-timed-out.patch
ath9k-release-allocated-buffer-if-timed-out.patch
-f2fs-check-memory-boundary-by-insane-namelen.patch
-f2fs-check-if-file-namelen-exceeds-max-value.patch
nfs-move-call-to-security_inode_listsecurity-into-nf.patch
scsi-libsas-direct-call-probe-and-destruct.patch
+pci-aspm-disable-aspm-on-asmedia-asm1083-1085-pcie-to-pci-bridge.patch
+++ /dev/null
-From bbb65221d2ea643cc8f5237a19a488d10e455498 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 7 Jan 2019 15:02:34 +0800
-Subject: f2fs: check if file namelen exceeds max value
-
-From: Sheng Yong <shengyong1@huawei.com>
-
-[ Upstream commit 720db068634c91553a8e1d9a0fcd8c7050e06d2b ]
-
-Dentry bitmap is not enough to detect incorrect dentries. So this patch
-also checks the namelen value of a dentry.
-
-Signed-off-by: Gong Chen <gongchen4@huawei.com>
-Signed-off-by: Sheng Yong <shengyong1@huawei.com>
-Reviewed-by: Chao Yu <yuchao0@huawei.com>
-Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/f2fs/dir.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
-index c452069b5e644..8dd83f024cf26 100644
---- a/fs/f2fs/dir.c
-+++ b/fs/f2fs/dir.c
-@@ -845,7 +845,8 @@ bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
-
- /* check memory boundary before moving forward */
- bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
-- if (unlikely(bit_pos > d->max)) {
-+ if (unlikely(bit_pos > d->max ||
-+ le16_to_cpu(de->name_len) > F2FS_NAME_LEN)) {
- f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING,
- "%s: corrupted namelen=%d, run fsck to fix.",
- __func__, le16_to_cpu(de->name_len));
---
-2.25.1
-
+++ /dev/null
-From 0d565aa43ac4df4d3bf3f0106cec18c108b601e8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 14 Nov 2018 12:40:30 -0800
-Subject: f2fs: check memory boundary by insane namelen
-
-From: Jaegeuk Kim <jaegeuk@kernel.org>
-
-[ Upstream commit 4e240d1bab1ead280ddf5eb05058dba6bbd57d10 ]
-
-If namelen is corrupted to have very long value, fill_dentries can copy
-wrong memory area.
-
-Reviewed-by: Chao Yu <yuchao0@huawei.com>
-Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/f2fs/dir.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
-index b414892be08b7..c452069b5e644 100644
---- a/fs/f2fs/dir.c
-+++ b/fs/f2fs/dir.c
-@@ -843,6 +843,16 @@ bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
- de_name.name = d->filename[bit_pos];
- de_name.len = le16_to_cpu(de->name_len);
-
-+ /* check memory boundary before moving forward */
-+ bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
-+ if (unlikely(bit_pos > d->max)) {
-+ f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING,
-+ "%s: corrupted namelen=%d, run fsck to fix.",
-+ __func__, le16_to_cpu(de->name_len));
-+ set_sbi_flag(sbi, SBI_NEED_FSCK);
-+ return -EINVAL;
-+ }
-+
- if (f2fs_encrypted_inode(d->inode)) {
- int save_len = fstr->len;
- int err;
-@@ -861,7 +871,6 @@ bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
- le32_to_cpu(de->ino), d_type))
- return true;
-
-- bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
- ctx->pos = start_pos + bit_pos;
- }
- return false;
---
-2.25.1
-
+++ /dev/null
-From bb2b2d2daae30ce2b40049e92bf9331b1fada4a4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 18 Oct 2019 14:56:22 +0800
-Subject: f2fs: fix to avoid memory leakage in f2fs_listxattr
-
-From: Randall Huang <huangrandall@google.com>
-
-[ Upstream commit 688078e7f36c293dae25b338ddc9e0a2790f6e06 ]
-
-In f2fs_listxattr, there is no boundary check before
-memcpy e_name to buffer.
-If the e_name_len is corrupted,
-unexpected memory contents may be returned to the buffer.
-
-Signed-off-by: Randall Huang <huangrandall@google.com>
-Reviewed-by: Chao Yu <yuchao0@huawei.com>
-Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/f2fs/xattr.c | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
-index 3e1c0280f8661..50fe6840d593a 100644
---- a/fs/f2fs/xattr.c
-+++ b/fs/f2fs/xattr.c
-@@ -404,8 +404,9 @@ cleanup:
- ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)
- {
- struct inode *inode = d_inode(dentry);
-+ nid_t xnid = F2FS_I(inode)->i_xattr_nid;
- struct f2fs_xattr_entry *entry;
-- void *base_addr;
-+ void *base_addr, *last_base_addr;
- int error = 0;
- size_t rest = buffer_size;
-
-@@ -413,6 +414,8 @@ ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)
- if (error)
- return error;
-
-+ last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode);
-+
- list_for_each_xattr(entry, base_addr) {
- const struct xattr_handler *handler =
- f2fs_xattr_handler(entry->e_name_index);
-@@ -420,6 +423,15 @@ ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)
- size_t prefix_len;
- size_t size;
-
-+ if ((void *)(entry) + sizeof(__u32) > last_base_addr ||
-+ (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) {
-+ f2fs_err(F2FS_I_SB(inode), "inode (%lu) has corrupted xattr",
-+ inode->i_ino);
-+ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
-+ error = -EFSCORRUPTED;
-+ goto cleanup;
-+ }
-+
- if (!handler || (handler->list && !handler->list(dentry)))
- continue;
-
---
-2.25.1
-
media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch
ath9k_htc-release-allocated-buffer-if-timed-out.patch
ath9k-release-allocated-buffer-if-timed-out.patch
-f2fs-check-memory-boundary-by-insane-namelen.patch
-f2fs-check-if-file-namelen-exceeds-max-value.patch
-f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch
scsi-libsas-direct-call-probe-and-destruct.patch
+pci-aspm-disable-aspm-on-asmedia-asm1083-1085-pcie-to-pci-bridge.patch
media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch
sunrpc-check-that-domain-table-is-empty-at-module-un.patch
ath10k-enable-transmit-data-ack-rssi-for-qca9884.patch
+pci-aspm-disable-aspm-on-asmedia-asm1083-1085-pcie-to-pci-bridge.patch
sunrpc-check-that-domain-table-is-empty-at-module-un.patch
+pci-aspm-disable-aspm-on-asmedia-asm1083-1085-pcie-to-pci-bridge.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
