From: Greg Kroah-Hartman Date: Fri, 11 May 2018 13:24:40 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.109~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c71f0d3c311ae9776d82c3a060216791bc380282;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: f2fs-fix-a-dead-loop-in-f2fs_fiemap.patch --- diff --git a/queue-4.4/f2fs-fix-a-dead-loop-in-f2fs_fiemap.patch b/queue-4.4/f2fs-fix-a-dead-loop-in-f2fs_fiemap.patch new file mode 100644 index 00000000000..cf02c00acfd --- /dev/null +++ b/queue-4.4/f2fs-fix-a-dead-loop-in-f2fs_fiemap.patch 
@@ -0,0 +1,52 @@ +From b86e33075ed1909d8002745b56ecf73b833db143 Mon Sep 17 00:00:00 2001 +From: Wei Fang +Date: Sun, 22 Jan 2017 12:21:02 +0800 +Subject: f2fs: fix a dead loop in f2fs_fiemap() + +From: Wei Fang + +commit b86e33075ed1909d8002745b56ecf73b833db143 upstream. + +A dead loop can be triggered in f2fs_fiemap() using the test case +as below: + + ... + fd = open(); + fallocate(fd, 0, 0, 4294967296); + ioctl(fd, FS_IOC_FIEMAP, fiemap_buf); + ... + +It's caused by an overflow in __get_data_block(): + ... + bh->b_size = map.m_len << inode->i_blkbits; + ... +map.m_len is an unsigned int, and bh->b_size is a size_t which is 64 bits +on 64 bits archtecture, type conversion from an unsigned int to a size_t +will result in an overflow. + +In the above-mentioned case, bh->b_size will be zero, and f2fs_fiemap() +will call get_data_block() at block 0 again an again. + +Fix this by adding a force conversion before left shift. + +Signed-off-by: Wei Fang +Acked-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Cc: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + fs/f2fs/data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -721,7 +721,7 @@ static int __get_data_block(struct inode + if (!ret) { + map_bh(bh, inode->i_sb, map.m_pblk); + bh->b_state = (bh->b_state & ~F2FS_MAP_FLAGS) | map.m_flags; +- bh->b_size = map.m_len << inode->i_blkbits; ++ bh->b_size = (u64)map.m_len << inode->i_blkbits; + } + return ret; + } diff --git a/queue-4.4/series b/queue-4.4/series index 4d77cec4e3b..7c8d2cff99c 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -40,3 +40,4 @@ soreuseport-initialise-timewait-reuseport-field.patch perf-remove-superfluous-allocation-error-check.patch tcp-fix-tcp_repair_queue-bound-checking.patch bdi-fix-oops-in-wb_workfn.patch +f2fs-fix-a-dead-loop-in-f2fs_fiemap.patch
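Review bot: the cast in `+ bh->b_size = (u64)map.m_len << inode->i_blkbits;` is the right fix, but the commit message's explanation of the bug is imprecise and is worth tightening in the log: the wraparound happens in the shift itself, which is evaluated as a 32-bit `unsigned int` before the result is widened to `size_t`, not in the conversion. With the test case's 4 GiB fallocate and 4 KiB blocks, `map.m_len` is 2^20 and `2^20 << 12` is 2^32, which is 0 in 32-bit arithmetic, and that zero `b_size` is what keeps f2fs_fiemap() re-querying block 0. Casting the left operand to `u64` first makes the shift 64-bit, so the intended 2^32 survives the assignment on 64-bit builds; the log could also note that on 32-bit builds `size_t` is still 32 bits and the value is truncated on assignment, so this change only removes the dead loop where `size_t` is wide enough to hold the result.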