From ba0a058ac46c778302f1a28f2984f13eee8887e5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 24 Apr 2020 12:13:14 +0200
Subject: [PATCH] 5.4-stable patches
added patches:
 f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch
 net-ip_tunnel-fix-interface-lookup-with-no-key.patch
---
 ...oid-memory-leakage-in-f2fs_listxattr.patch | 62 +++++++++++++++++++
 ...nel-fix-interface-lookup-with-no-key.patch | 55 ++++++++++++++++
 queue-5.4/series | 2 +
 3 files changed, 119 insertions(+)
 create mode 100644 queue-5.4/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch
 create mode 100644 queue-5.4/net-ip_tunnel-fix-interface-lookup-with-no-key.patch
diff --git a/queue-5.4/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch b/queue-5.4/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch
new file mode 100644
index 00000000000..14257fa55e5
--- /dev/null
+++ b/queue-5.4/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch
@@ -0,0 +1,62 @@
+From 688078e7f36c293dae25b338ddc9e0a2790f6e06 Mon Sep 17 00:00:00 2001
+From: Randall Huang
+Date: Fri, 18 Oct 2019 14:56:22 +0800
+Subject: f2fs: fix to avoid memory leakage in f2fs_listxattr
+
+From: Randall Huang
+
+commit 688078e7f36c293dae25b338ddc9e0a2790f6e06 upstream.
+
+In f2fs_listxattr, there is no boundary check before
+memcpy e_name to buffer.
+If the e_name_len is corrupted,
+unexpected memory contents may be returned to the buffer.
+
+Signed-off-by: Randall Huang
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/f2fs/xattr.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -539,8 +539,9 @@ out:
+ ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)
+ {
+ struct inode *inode = d_inode(dentry);
++ nid_t xnid = F2FS_I(inode)->i_xattr_nid;
+ struct f2fs_xattr_entry *entry;
+- void *base_addr;
++ void *base_addr, *last_base_addr;
+ int error = 0;
+ size_t rest = buffer_size;
+
+@@ -550,6 +551,8 @@ ssize_t f2fs_listxattr(struct dentry *de
+ if (error)
+ return error;
+
++ last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode);
++
+ list_for_each_xattr(entry, base_addr) {
+ const struct xattr_handler *handler =
+ f2fs_xattr_handler(entry->e_name_index);
+@@ -557,6 +560,15 @@ ssize_t f2fs_listxattr(struct dentry *de
+ size_t prefix_len;
+ size_t size;
+
++ if ((void *)(entry) + sizeof(__u32) > last_base_addr ||
++ (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) {
++ f2fs_err(F2FS_I_SB(inode), "inode (%lu) has corrupted xattr",
++ inode->i_ino);
++ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
++ error = -EFSCORRUPTED;
++ goto cleanup;
++ }
++
+ if (!handler || (handler->list && !handler->list(dentry)))
+ continue;
+
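Review bot: In the fs/f2fs/xattr.c loop body the added bounds check runs only after `entry->e_name_index` has already been read, because the `handler` initializer `f2fs_xattr_handler(entry->e_name_index)` at the top of the body precedes it. On a corrupted xattr area that read can happen on an entry the check is about to reject. Declaring `const struct xattr_handler *handler;` and assigning `handler = f2fs_xattr_handler(entry->e_name_index);` after the check would keep every field access behind the validation. `list_for_each_xattr` is defined outside the hunk and may itself read the entry in its loop condition, so it is worth confirming too. A comment such as `/* entry header and next-entry pointer must lie inside the xattr area */` would explain the `sizeof(__u32)` term, which presumably stands for the fixed entry header.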
diff --git a/queue-5.4/net-ip_tunnel-fix-interface-lookup-with-no-key.patch b/queue-5.4/net-ip_tunnel-fix-interface-lookup-with-no-key.patch
new file mode 100644
index 00000000000..bb67897b82f
--- /dev/null
+++ b/queue-5.4/net-ip_tunnel-fix-interface-lookup-with-no-key.patch
@@ -0,0 +1,55 @@
+From 25629fdaff2ff509dd0b3f5ff93d70a75e79e0a1 Mon Sep 17 00:00:00 2001
+From: William Dauchy
+Date: Fri, 27 Mar 2020 19:56:39 +0100
+Subject: net, ip_tunnel: fix interface lookup with no key
+
+From: William Dauchy
+
+commit 25629fdaff2ff509dd0b3f5ff93d70a75e79e0a1 upstream.
+
+when creating a new ipip interface with no local/remote configuration,
+the lookup is done with TUNNEL_NO_KEY flag, making it impossible to
+match the new interface (only possible match being fallback or metada
+case interface); e.g: `ip link add tunl1 type ipip dev eth0`
+
+To fix this case, adding a flag check before the key comparison so we
+permit to match an interface with no local/remote config; it also avoids
+breaking possible userland tools relying on TUNNEL_NO_KEY flag and
+uninitialised key.
+
+context being on my side, I'm creating an extra ipip interface attached
+to the physical one, and moving it to a dedicated namespace.
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Signed-off-by: William Dauchy
+Signed-off-by: Nicolas Dichtel
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/ip_tunnel.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -142,11 +142,8 @@ struct ip_tunnel *ip_tunnel_lookup(struc
+ cand = t;
+ }
+
+- if (flags & TUNNEL_NO_KEY)
+- goto skip_key_lookup;
+-
+ hlist_for_each_entry_rcu(t, head, hash_node) {
+- if (t->parms.i_key != key ||
++ if ((!(flags & TUNNEL_NO_KEY) && t->parms.i_key != key) ||
+ t->parms.iph.saddr != 0 ||
+ t->parms.iph.daddr != 0 ||
+ !(t->dev->flags & IFF_UP))
+@@ -158,7 +155,6 @@ struct ip_tunnel *ip_tunnel_lookup(struc
+ cand = t;
+ }
+
+-skip_key_lookup:
+ if (cand)
+ return cand;
+
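Review bot: With `TUNNEL_NO_KEY` set, the rewritten condition in the wildcard loop of ip_tunnel_lookup() no longer examines `t->parms.i_key` at all, so any UP tunnel with zero saddr and daddr becomes a candidate whatever key it was configured with; before this change the loop was skipped entirely for such lookups. The commit message says this is intended for keyless ipip interfaces, but the code does not record it. A comment above the test such as `/* NO_KEY lookups ignore i_key: wildcard tunnels match on address and IFF_UP only */` would make the widened match explicit. It is also worth confirming that no tunnel type using this lookup relies on `i_key` to separate traffic when its callers pass `TUNNEL_NO_KEY`. The loop body and the rest of the function lie outside the hunk.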
@@ -1 +1,3 @@
 ext4-fix-extent_status-fragmentation-for-plain-files.patch
+f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch
+net-ip_tunnel-fix-interface-lookup-with-no-key.patch
--
2.47.3