4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 7 Oct 2023 12:35:44 +0000 (14:35 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 7 Oct 2023 12:35:44 +0000 (14:35 +0200)
added patches:
btrfs-reject-unknown-mount-options-early.patch
scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch
wifi-mwifiex-fix-tlv_buf_left-calculation.patch

queue-4.14/btrfs-reject-unknown-mount-options-early.patch [new file with mode: 0644]
queue-4.14/scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/wifi-mwifiex-fix-tlv_buf_left-calculation.patch [new file with mode: 0644]

diff --git a/queue-4.14/btrfs-reject-unknown-mount-options-early.patch b/queue-4.14/btrfs-reject-unknown-mount-options-early.patch
new file mode 100644 (file)
index 0000000..fc24211
--- /dev/null
@@ -0,0 +1,55 @@
+From 5f521494cc73520ffac18ede0758883b9aedd018 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Wed, 27 Sep 2023 10:43:15 +0930
+Subject: btrfs: reject unknown mount options early
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 5f521494cc73520ffac18ede0758883b9aedd018 upstream.
+
+[BUG]
+The following script would allow invalid mount options to be specified
+(although such invalid options would just be ignored):
+
+  # mkfs.btrfs -f $dev
+  # mount $dev $mnt1           <<< Successful mount expected
+  # mount $dev $mnt2 -o junk   <<< Failed mount expected
+  # echo $?
+  0
+
+[CAUSE]
+For the 2nd mount, since the fs is already mounted, we won't go through
+open_ctree() thus no btrfs_parse_options(), but only through
+btrfs_parse_subvol_options().
+
+However we do not treat unrecognized options from valid but irrelevant
+options, thus those invalid options would just be ignored by
+btrfs_parse_subvol_options().
+
+[FIX]
+Add the handling for Opt_err to handle invalid options and error out,
+while still ignore other valid options inside btrfs_parse_subvol_options().
+
+Reported-by: Anand Jain <anand.jain@oracle.com>
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -929,6 +929,10 @@ static int btrfs_parse_early_options(con
+                       if (error)
+                               goto out;
+                       break;
++              case Opt_err:
++                      btrfs_err(NULL, "unrecognized mount option '%s'", p);
++                      error = -EINVAL;
++                      goto out;
+               default:
+                       break;
+               }
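Review bot: The new `case Opt_err:` branch has no comment saying why this parser must fail here when it falls through `default:` for every other token it does not handle. A line above the case such as `/* Opt_err: the token matched nothing in the option table, so fail the mount instead of silently ignoring it */` would record the intent. The commit message attributes the fix to btrfs_parse_subvol_options() while the hunk header shows btrfs_parse_early_options(), presumably the 4.14 name of the same parser; a short backport note stating that would save the next reader a lookup. The function body starts and ends outside the hunk.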
diff --git a/queue-4.14/scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch b/queue-4.14/scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch
new file mode 100644 (file)
index 0000000..5454f8b
--- /dev/null
@@ -0,0 +1,64 @@
+From b481f644d9174670b385c3a699617052cd2a79d3 Mon Sep 17 00:00:00 2001
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Date: Sat, 23 Sep 2023 18:37:23 +0800
+Subject: scsi: zfcp: Fix a double put in zfcp_port_enqueue()
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+commit b481f644d9174670b385c3a699617052cd2a79d3 upstream.
+
+When device_register() fails, zfcp_port_release() will be called after
+put_device(). As a result, zfcp_ccw_adapter_put() will be called twice: one
+in zfcp_port_release() and one in the error path after device_register().
+So the reference on the adapter object is doubly put, which may lead to a
+premature free. Fix this by adjusting the error tag after
+device_register().
+
+Fixes: f3450c7b9172 ("[SCSI] zfcp: Replace local reference counting with common kref")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Link: https://lore.kernel.org/r/20230923103723.10320-1-dinghao.liu@zju.edu.cn
+Acked-by: Benjamin Block <bblock@linux.ibm.com>
+Cc: stable@vger.kernel.org # v2.6.33+
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/scsi/zfcp_aux.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_aux.c
++++ b/drivers/s390/scsi/zfcp_aux.c
+@@ -492,12 +492,12 @@ struct zfcp_port *zfcp_port_enqueue(stru
+       if (port) {
+               put_device(&port->dev);
+               retval = -EEXIST;
+-              goto err_out;
++              goto err_put;
+       }
+       port = kzalloc(sizeof(struct zfcp_port), GFP_KERNEL);
+       if (!port)
+-              goto err_out;
++              goto err_put;
+       rwlock_init(&port->unit_list_lock);
+       INIT_LIST_HEAD(&port->unit_list);
+@@ -520,7 +520,7 @@ struct zfcp_port *zfcp_port_enqueue(stru
+       if (dev_set_name(&port->dev, "0x%016llx", (unsigned long long)wwpn)) {
+               kfree(port);
+-              goto err_out;
++              goto err_put;
+       }
+       retval = -EINVAL;
+@@ -537,8 +537,9 @@ struct zfcp_port *zfcp_port_enqueue(stru
+       return port;
+-err_out:
++err_put:
+       zfcp_ccw_adapter_put(adapter);
++err_out:
+       return ERR_PTR(retval);
+ }
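Review bot: After the relabel, `err_out:` deliberately skips `zfcp_ccw_adapter_put(adapter)`, but nothing at the label says why, and its name no longer distinguishes it from an ordinary exit. Per the commit message, the only remaining user is the device_register() failure branch (outside these hunks), where put_device() ends in zfcp_port_release() and that already drops the adapter reference. A comment on the label, e.g. `/* device_register() failed: put_device() -> zfcp_port_release() already dropped the adapter reference */`, would document that. It would keep a later error path from jumping to `err_out` and leaking the reference, or to `err_put` and reintroducing the double put.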
index a4f5c140f06004c20cf76ac64c4cf27beb923f85..e6b32f47a02dfe21722ced7fc695943eb5d38e2d 100644 (file)
@@ -33,3 +33,6 @@ ext4-fix-rec_len-verify-error.patch
 net-sched-sch_hfsc-ensure-inner-classes-have-fsc-curve.patch
 ata-libata-disallow-dev-initiated-lpm-transitions-to-unsupported-states.patch
 media-dvb-symbol-fixup-for-dvb_attach-again.patch
+scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch
+wifi-mwifiex-fix-tlv_buf_left-calculation.patch
+btrfs-reject-unknown-mount-options-early.patch
diff --git a/queue-4.14/wifi-mwifiex-fix-tlv_buf_left-calculation.patch b/queue-4.14/wifi-mwifiex-fix-tlv_buf_left-calculation.patch
new file mode 100644 (file)
index 0000000..cb84f1b
--- /dev/null
@@ -0,0 +1,103 @@
+From eec679e4ac5f47507774956fb3479c206e761af7 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Date: Thu, 24 Aug 2023 21:06:51 -0600
+Subject: wifi: mwifiex: Fix tlv_buf_left calculation
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+commit eec679e4ac5f47507774956fb3479c206e761af7 upstream.
+
+In a TLV encoding scheme, the Length part represents the length after
+the header containing the values for type and length. In this case,
+`tlv_len` should be:
+
+tlv_len == (sizeof(*tlv_rxba) - 1) - sizeof(tlv_rxba->header) + tlv_bitmap_len
+
+Notice that the `- 1` accounts for the one-element array `bitmap`, which
+1-byte size is already included in `sizeof(*tlv_rxba)`.
+
+So, if the above is correct, there is a double-counting of some members
+in `struct mwifiex_ie_types_rxba_sync`, when `tlv_buf_left` and `tmp`
+are calculated:
+
+968                 tlv_buf_left -= (sizeof(*tlv_rxba) + tlv_len);
+969                 tmp = (u8 *)tlv_rxba + tlv_len + sizeof(*tlv_rxba);
+
+in specific, members:
+
+drivers/net/wireless/marvell/mwifiex/fw.h:777
+ 777         u8 mac[ETH_ALEN];
+ 778         u8 tid;
+ 779         u8 reserved;
+ 780         __le16 seq_num;
+ 781         __le16 bitmap_len;
+
+This is clearly wrong, and affects the subsequent decoding of data in
+`event_buf` through `tlv_rxba`:
+
+970                 tlv_rxba = (struct mwifiex_ie_types_rxba_sync *)tmp;
+
+Fix this by using `sizeof(tlv_rxba->header)` instead of `sizeof(*tlv_rxba)`
+in the calculation of `tlv_buf_left` and `tmp`.
+
+This results in the following binary differences before/after changes:
+
+| drivers/net/wireless/marvell/mwifiex/11n_rxreorder.o
+| @@ -4698,11 +4698,11 @@
+|  drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c:968
+|                 tlv_buf_left -= (sizeof(tlv_rxba->header) + tlv_len);
+| -    1da7:      lea    -0x11(%rbx),%edx
+| +    1da7:      lea    -0x4(%rbx),%edx
+|      1daa:      movzwl %bp,%eax
+|  drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c:969
+|                 tmp = (u8 *)tlv_rxba  + sizeof(tlv_rxba->header) + tlv_len;
+| -    1dad:      lea    0x11(%r15,%rbp,1),%r15
+| +    1dad:      lea    0x4(%r15,%rbp,1),%r15
+
+The above reflects the desired change: avoid counting 13 too many bytes;
+which is the total size of the double-counted members in
+`struct mwifiex_ie_types_rxba_sync`:
+
+$ pahole -C mwifiex_ie_types_rxba_sync drivers/net/wireless/marvell/mwifiex/11n_rxreorder.o
+struct mwifiex_ie_types_rxba_sync {
+       struct mwifiex_ie_types_header header;           /*     0     4 */
+
+     |-----------------------------------------------------------------------
+     |  u8                         mac[6];               /*     4     6 */  |
+     | u8                         tid;                  /*    10     1 */  |
+     |  u8                         reserved;             /*    11     1 */  |
+     |         __le16                     seq_num;              /*    12     2 */  |
+     |         __le16                     bitmap_len;           /*    14     2 */  |
+     |  u8                         bitmap[1];            /*    16     1 */  |
+     |----------------------------------------------------------------------|
+                                                                 | 13 bytes|
+                                                                 -----------
+
+       /* size: 17, cachelines: 1, members: 7 */
+       /* last cacheline: 17 bytes */
+} __attribute__((__packed__));
+
+Fixes: 99ffe72cdae4 ("mwifiex: process rxba_sync event")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/06668edd68e7a26bbfeebd1201ae077a2a7a8bce.1692931954.git.gustavoars@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
++++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
+@@ -992,8 +992,8 @@ void mwifiex_11n_rxba_sync_event(struct
+                       }
+               }
+-              tlv_buf_left -= (sizeof(*tlv_rxba) + tlv_len);
+-              tmp = (u8 *)tlv_rxba + tlv_len + sizeof(*tlv_rxba);
++              tlv_buf_left -= (sizeof(tlv_rxba->header) + tlv_len);
++              tmp = (u8 *)tlv_rxba  + sizeof(tlv_rxba->header) + tlv_len;
+               tlv_rxba = (struct mwifiex_ie_types_rxba_sync *)tmp;
+       }
+ }
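Review bot: The corrected advance at `tlv_buf_left -= (sizeof(tlv_rxba->header) + tlv_len);` still trusts `tlv_len`, which is decoded from `event_buf`, and no line in the hunk checks it against the bytes remaining before `tmp` is moved and cast back to `tlv_rxba`. If the loop condition (outside the hunk) compares `tlv_buf_left` with a `sizeof`, a negative remainder would be converted to unsigned and the loop would keep reading past the buffer. A guard before the subtraction, such as `if (tlv_len > tlv_buf_left - (int)sizeof(tlv_rxba->header)) return;`, would bound the walk. That guard assumes `tlv_buf_left` is a signed int and is at least the header size on loop entry; confirm against the declarations and loop head, which are not visible here.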