From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 30 Apr 2017 05:40:14 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v4.4.66~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=29568627236c27fe36180f3a04c4d85f5987459f;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
	f2fs-do-more-integrity-verification-for-superblock.patch
	xc2028-unlock-on-error-in-xc2028_set_config.patch
---

diff --git a/queue-3.18/f2fs-do-more-integrity-verification-for-superblock.patch b/queue-3.18/f2fs-do-more-integrity-verification-for-superblock.patch
new file mode 100644
index 00000000000..aa9907a0493
--- /dev/null
+++ b/queue-3.18/f2fs-do-more-integrity-verification-for-superblock.patch
@@ -0,0 +1,140 @@
+From 9a59b62fd88196844cee5fff851bee2cfd7afb6e Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao2.yu@samsung.com>
+Date: Tue, 15 Dec 2015 09:58:18 +0800
+Subject: f2fs: do more integrity verification for superblock
+
+From: Chao Yu <chao2.yu@samsung.com>
+
+commit 9a59b62fd88196844cee5fff851bee2cfd7afb6e upstream.
+
+Do more sanity check for superblock during ->mount.
+
+Signed-off-by: Chao Yu <chao2.yu@samsung.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/super.c |   98 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 98 insertions(+)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -772,6 +772,79 @@ static loff_t max_file_size(unsigned bit
+ 	return result;
+ }
+ 
++static inline bool sanity_check_area_boundary(struct super_block *sb,
++					struct f2fs_super_block *raw_super)
++{
++	u32 segment0_blkaddr = le32_to_cpu(raw_super->segment0_blkaddr);
++	u32 cp_blkaddr = le32_to_cpu(raw_super->cp_blkaddr);
++	u32 sit_blkaddr = le32_to_cpu(raw_super->sit_blkaddr);
++	u32 nat_blkaddr = le32_to_cpu(raw_super->nat_blkaddr);
++	u32 ssa_blkaddr = le32_to_cpu(raw_super->ssa_blkaddr);
++	u32 main_blkaddr = le32_to_cpu(raw_super->main_blkaddr);
++	u32 segment_count_ckpt = le32_to_cpu(raw_super->segment_count_ckpt);
++	u32 segment_count_sit = le32_to_cpu(raw_super->segment_count_sit);
++	u32 segment_count_nat = le32_to_cpu(raw_super->segment_count_nat);
++	u32 segment_count_ssa = le32_to_cpu(raw_super->segment_count_ssa);
++	u32 segment_count_main = le32_to_cpu(raw_super->segment_count_main);
++	u32 segment_count = le32_to_cpu(raw_super->segment_count);
++	u32 log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg);
++
++	if (segment0_blkaddr != cp_blkaddr) {
++		f2fs_msg(sb, KERN_INFO,
++			"Mismatch start address, segment0(%u) cp_blkaddr(%u)",
++			segment0_blkaddr, cp_blkaddr);
++		return true;
++	}
++
++	if (cp_blkaddr + (segment_count_ckpt << log_blocks_per_seg) !=
++							sit_blkaddr) {
++		f2fs_msg(sb, KERN_INFO,
++			"Wrong CP boundary, start(%u) end(%u) blocks(%u)",
++			cp_blkaddr, sit_blkaddr,
++			segment_count_ckpt << log_blocks_per_seg);
++		return true;
++	}
++
++	if (sit_blkaddr + (segment_count_sit << log_blocks_per_seg) !=
++							nat_blkaddr) {
++		f2fs_msg(sb, KERN_INFO,
++			"Wrong SIT boundary, start(%u) end(%u) blocks(%u)",
++			sit_blkaddr, nat_blkaddr,
++			segment_count_sit << log_blocks_per_seg);
++		return true;
++	}
++
++	if (nat_blkaddr + (segment_count_nat << log_blocks_per_seg) !=
++							ssa_blkaddr) {
++		f2fs_msg(sb, KERN_INFO,
++			"Wrong NAT boundary, start(%u) end(%u) blocks(%u)",
++			nat_blkaddr, ssa_blkaddr,
++			segment_count_nat << log_blocks_per_seg);
++		return true;
++	}
++
++	if (ssa_blkaddr + (segment_count_ssa << log_blocks_per_seg) !=
++							main_blkaddr) {
++		f2fs_msg(sb, KERN_INFO,
++			"Wrong SSA boundary, start(%u) end(%u) blocks(%u)",
++			ssa_blkaddr, main_blkaddr,
++			segment_count_ssa << log_blocks_per_seg);
++		return true;
++	}
++
++	if (main_blkaddr + (segment_count_main << log_blocks_per_seg) !=
++		segment0_blkaddr + (segment_count << log_blocks_per_seg)) {
++		f2fs_msg(sb, KERN_INFO,
++			"Wrong MAIN_AREA boundary, start(%u) end(%u) blocks(%u)",
++			main_blkaddr,
++			segment0_blkaddr + (segment_count << log_blocks_per_seg),
++			segment_count_main << log_blocks_per_seg);
++		return true;
++	}
++
++	return false;
++}
++
+ static int sanity_check_raw_super(struct super_block *sb,
+ 			struct f2fs_super_block *raw_super)
+ {
+@@ -801,6 +874,14 @@ static int sanity_check_raw_super(struct
+ 		return 1;
+ 	}
+ 
++	/* check log blocks per segment */
++	if (le32_to_cpu(raw_super->log_blocks_per_seg) != 9) {
++		f2fs_msg(sb, KERN_INFO,
++			"Invalid log blocks per segment (%u)\n",
++			le32_to_cpu(raw_super->log_blocks_per_seg));
++		return 1;
++	}
++
+ 	/* Currently, support 512/1024/2048/4096 bytes sector size */
+ 	if (le32_to_cpu(raw_super->log_sectorsize) >
+ 				F2FS_MAX_LOG_SECTOR_SIZE ||
+@@ -819,6 +900,23 @@ static int sanity_check_raw_super(struct
+ 			le32_to_cpu(raw_super->log_sectorsize));
+ 		return 1;
+ 	}
++
++	/* check reserved ino info */
++	if (le32_to_cpu(raw_super->node_ino) != 1 ||
++		le32_to_cpu(raw_super->meta_ino) != 2 ||
++		le32_to_cpu(raw_super->root_ino) != 3) {
++		f2fs_msg(sb, KERN_INFO,
++			"Invalid Fs Meta Ino: node(%u) meta(%u) root(%u)",
++			le32_to_cpu(raw_super->node_ino),
++			le32_to_cpu(raw_super->meta_ino),
++			le32_to_cpu(raw_super->root_ino));
++		return 1;
++	}
++
++	/* check CP/SIT/NAT/SSA/MAIN_AREA area boundary */
++	if (sanity_check_area_boundary(sb, raw_super))
++		return 1;
++
+ 	return 0;
+ }
+ 
diff --git a/queue-3.18/series b/queue-3.18/series
new file mode 100644
index 00000000000..d5dd8c2d477
--- /dev/null
+++ b/queue-3.18/series
@@ -0,0 +1,2 @@
+f2fs-do-more-integrity-verification-for-superblock.patch
+xc2028-unlock-on-error-in-xc2028_set_config.patch
diff --git a/queue-3.18/xc2028-unlock-on-error-in-xc2028_set_config.patch b/queue-3.18/xc2028-unlock-on-error-in-xc2028_set_config.patch
new file mode 100644
index 00000000000..d55360c8b6c
--- /dev/null
+++ b/queue-3.18/xc2028-unlock-on-error-in-xc2028_set_config.patch
@@ -0,0 +1,44 @@
+From 210bd104c6acd31c3c6b8b075b3f12d4a9f6b60d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 3 Feb 2016 13:34:00 -0200
+Subject: [media] xc2028: unlock on error in xc2028_set_config()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 210bd104c6acd31c3c6b8b075b3f12d4a9f6b60d upstream.
+
+We have to unlock before returning -ENOMEM.
+
+Fixes: 8dfbcc4351a0 ('[media] xc2028: avoid use after free')
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/tuners/tuner-xc2028.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/tuners/tuner-xc2028.c
++++ b/drivers/media/tuners/tuner-xc2028.c
+@@ -1407,8 +1407,10 @@ static int xc2028_set_config(struct dvb_
+ 	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
+ 	if (p->fname) {
+ 		priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
+-		if (priv->ctrl.fname == NULL)
+-			return -ENOMEM;
++		if (priv->ctrl.fname == NULL) {
++			rc = -ENOMEM;
++			goto unlock;
++		}
+ 	}
+ 
+ 	/*
+@@ -1440,6 +1442,7 @@ static int xc2028_set_config(struct dvb_
+ 		} else
+ 			priv->state = XC2028_WAITING_FIRMWARE;
+ 	}
++unlock:
+ 	mutex_unlock(&priv->lock);
+ 
+ 	return rc;
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..d5dd8c2d477
--- /dev/null
+++ b/queue-4.4/series
@@ -0,0 +1,2 @@
+f2fs-do-more-integrity-verification-for-superblock.patch
+xc2028-unlock-on-error-in-xc2028_set_config.patch