From fc1dae5be797f54d45f5a61ae17fe548e108dd0d Mon Sep 17 00:00:00 2001
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Thu, 20 Jun 2019 23:42:38 +0200
Subject: [PATCH] brcm2708: Revert "staging: vc04_services: prevent integer
 overflow in create_pagelist()"

The bump to 4.9.181 broke build for bcm2708 and bcm2709. Revert the
offending patch.

The same revert is also queued for the next upstream 4.9.y release.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
---
 ...-integer-overflow-in-create_pagelist.patch | 45 +++++++++++++++++++
 ...vert-to-current-get_user_pages-argum.patch |  2 +-
 ...ate-for-rename-of-page_cache_release.patch |  4 +-
 3 files changed, 48 insertions(+), 3 deletions(-)
 create mode 100644 target/linux/brcm2708/patches-4.9/010-revert-staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch

diff --git a/target/linux/brcm2708/patches-4.9/010-revert-staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch b/target/linux/brcm2708/patches-4.9/010-revert-staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch
new file mode 100644
index 0000000000..15ec7d3d3f
--- /dev/null
+++ b/target/linux/brcm2708/patches-4.9/010-revert-staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch
@@ -0,0 +1,45 @@
+From 9a0c16060094eab93f6d928e72f7e8c1cd67a9f8 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 19 Jun 2019 19:15:29 +0200
+Subject: Revert "staging: vc04_services: prevent integer overflow in create_pagelist()"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit cf07331c8827c9e9e0b4274c9b60204c18592241 which was
+commit ca641bae6da977d638458e78cd1487b6160a2718 upstream.
+
+Martin writes:
+	This commit breaks the kernel build because the vchiq_pagelist_info
+	struct is not defined in v4.9.182.
+
+	It was only added in v4.10, in commit
+	4807f2c0e684e907c501cb96049809d7a957dbc2.
+
+Reported-by: Martin Weinelt <martin@linuxlounge.net>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c |    9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
+@@ -381,18 +381,9 @@ create_pagelist(char __user *buf, size_t
+ 	int run, addridx, actual_pages;
+         unsigned long *need_release;
+ 
+-	if (count >= INT_MAX - PAGE_SIZE)
+-		return NULL;
+-
+ 	offset = (unsigned int)buf & (PAGE_SIZE - 1);
+ 	num_pages = (count + offset + PAGE_SIZE - 1) / PAGE_SIZE;
+ 
+-	if (num_pages > (SIZE_MAX - sizeof(PAGELIST_T) -
+-			 sizeof(struct vchiq_pagelist_info)) /
+-			(sizeof(u32) + sizeof(pages[0]) +
+-			 sizeof(struct scatterlist)))
+-		return NULL;
+-
+ 	*ppagelist = NULL;
+ 
+ 	/* Allocate enough storage to hold the page pointers and the page
diff --git a/target/linux/brcm2708/patches-4.9/950-0100-staging-vchi-Convert-to-current-get_user_pages-argum.patch b/target/linux/brcm2708/patches-4.9/950-0100-staging-vchi-Convert-to-current-get_user_pages-argum.patch
index 358febbb0b..e5038ab647 100644
--- a/target/linux/brcm2708/patches-4.9/950-0100-staging-vchi-Convert-to-current-get_user_pages-argum.patch
+++ b/target/linux/brcm2708/patches-4.9/950-0100-staging-vchi-Convert-to-current-get_user_pages-argum.patch
@@ -11,7 +11,7 @@ Signed-off-by: Eric Anholt <eric@anholt.net>
 
 --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
 +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
-@@ -435,7 +435,7 @@ create_pagelist(char __user *buf, size_t
+@@ -426,7 +426,7 @@ create_pagelist(char __user *buf, size_t
  		*need_release = 0; /* do not try and release vmalloc pages */
  	} else {
  		down_read(&task->mm->mmap_sem);
diff --git a/target/linux/brcm2708/patches-4.9/950-0101-staging-vchi-Update-for-rename-of-page_cache_release.patch b/target/linux/brcm2708/patches-4.9/950-0101-staging-vchi-Update-for-rename-of-page_cache_release.patch
index 6626e7fbe5..5cc5ff1651 100644
--- a/target/linux/brcm2708/patches-4.9/950-0101-staging-vchi-Update-for-rename-of-page_cache_release.patch
+++ b/target/linux/brcm2708/patches-4.9/950-0101-staging-vchi-Update-for-rename-of-page_cache_release.patch
@@ -12,7 +12,7 @@ Signed-off-by: Eric Anholt <eric@anholt.net>
 
 --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
 +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
-@@ -453,7 +453,7 @@ create_pagelist(char __user *buf, size_t
+@@ -444,7 +444,7 @@ create_pagelist(char __user *buf, size_t
  			while (actual_pages > 0)
  			{
  				actual_pages--;
@@ -21,7 +21,7 @@ Signed-off-by: Eric Anholt <eric@anholt.net>
  			}
  			kfree(pagelist);
  			if (actual_pages == 0)
-@@ -594,7 +594,7 @@ free_pagelist(PAGELIST_T *pagelist, int
+@@ -585,7 +585,7 @@ free_pagelist(PAGELIST_T *pagelist, int
  				offset = 0;
  				set_page_dirty(pg);
  			}
-- 
2.30.2