From 0d6eb6d6c864d0e7b93173c1e04948c1c55a2faa Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 8 Aug 2017 09:23:37 -0700
Subject: [PATCH] 3.18-stable patches added patches: f2fs-sanity-check-checkpoint-segno-and-blkoff.patch
---
 ...ty-check-checkpoint-segno-and-blkoff.patch | 54 +++++++++++++++++++
 queue-3.18/series | 1 +
 2 files changed, 55 insertions(+)
 create mode 100644 queue-3.18/f2fs-sanity-check-checkpoint-segno-and-blkoff.patch

diff --git a/queue-3.18/f2fs-sanity-check-checkpoint-segno-and-blkoff.patch b/queue-3.18/f2fs-sanity-check-checkpoint-segno-and-blkoff.patch
new file mode 100644
index 00000000000..a409258e8a2
--- /dev/null
+++ b/queue-3.18/f2fs-sanity-check-checkpoint-segno-and-blkoff.patch
@@ -0,0 +1,54 @@
+From 15d3042a937c13f5d9244241c7a9c8416ff6e82a Mon Sep 17 00:00:00 2001
+From: Jin Qian
+Date: Mon, 15 May 2017 10:45:08 -0700
+Subject: f2fs: sanity check checkpoint segno and blkoff
+
+From: Jin Qian
+
+commit 15d3042a937c13f5d9244241c7a9c8416ff6e82a upstream.
+
+Make sure segno and blkoff read from raw image are valid.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jin Qian
+[Jaegeuk Kim: adjust minor coding style]
+Signed-off-by: Jaegeuk Kim
+[AmitP: Found in Android Security bulletin for Aug'17, fixes CVE-2017-10663]
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/super.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -932,6 +932,8 @@ static int sanity_check_ckpt(struct f2fs
+ unsigned int total, fsmeta;
+ struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi);
+ struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi);
++ unsigned int main_segs, blocks_per_seg;
++ int i;
+ 
+ total = le32_to_cpu(raw_super->segment_count);
+ fsmeta = le32_to_cpu(raw_super->segment_count_ckpt);
+@@ -943,6 +945,20 @@ static int sanity_check_ckpt(struct f2fs
+ if (unlikely(fsmeta >= total))
+ return 1;
+ 
++ main_segs = le32_to_cpu(raw_super->segment_count_main);
++ blocks_per_seg = sbi->blocks_per_seg;
++
++ for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) {
++ if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs ||
++ le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg)
++ return 1;
++ }
++ for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) {
++ if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs ||
++ le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg)
++ return 1;
++ }
++
+ if (unlikely(f2fs_cp_error(sbi))) {
+ f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck");
+ return 1;
diff --git a/queue-3.18/series b/queue-3.18/series
index 47975a8e73e..4480b2ebd59 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
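Review bot: The two new loops in the inner `@@ -943,6 +945,20 @@` hunk of sanity_check_ckpt() bound each current segment number against segment_count_main but never check that the NR_CURSEG_NODE_TYPE entries (or the NR_CURSEG_DATA_TYPE entries) are distinct from one another, so a crafted checkpoint that is otherwise in range can still point two current segments at the same segment; I believe later upstream kernels added a pairwise duplicate check at exactly this spot, and it is worth carrying into the same stable backport since this patch is the CVE-2017-10663 fix. A second, smaller point: the new `return 1;` statements are silent, whereas the neighbouring f2fs_cp_error branch logs "A bug case: need to run fsck", so a rejected image leaves no trace of which field was bad — an `f2fs_msg(sbi->sb, KERN_ERR, ...)` naming the offending index and values before each return would match the surrounding style. `blocks_per_seg` is taken from `sbi->blocks_per_seg`, which this hunk does not validate; presumably the superblock sanity check did so earlier, but that cannot be seen here. sanity_check_ckpt() begins and ends outside the hunk.
```c
	/* … unchanged: declarations (add `int j;` next to `int i;`), total/fsmeta checks … */
	for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) {
		if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs ||
			le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg)
			return 1;
		/* no two node cursegs may share a segment */
		for (j = i + 1; j < NR_CURSEG_NODE_TYPE; j++) {
			if (le32_to_cpu(ckpt->cur_node_segno[i]) ==
					le32_to_cpu(ckpt->cur_node_segno[j]))
				return 1;
		}
	}
	/* … same shape for NR_CURSEG_DATA_TYPE / cur_data_segno … */
```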
@@ -67,3 +67,4 @@ iscsi-target-always-wait-for-kthread_should_stop-before-kthread-exit.patch
 iscsi-target-fix-early-sk_data_ready-login_flags_ready-race.patch
 iscsi-target-fix-initial-login-pdu-asynchronous-socket-close-oops.patch
 iscsi-target-fix-delayed-logout-processing-greater-than-seconds_for_logout_comp.patch
+f2fs-sanity-check-checkpoint-segno-and-blkoff.patch
-- 
2.47.3