--- /dev/null
+From 85e123c27d5cbc22cfdc01de1e2ca1d9003a02d0 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Thu, 16 Jun 2022 13:28:57 -0400
+Subject: dm mirror log: round up region bitmap size to BITS_PER_LONG
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 85e123c27d5cbc22cfdc01de1e2ca1d9003a02d0 upstream.
+
+The code in dm-log rounds up bitset_size to 32 bits. It then uses
+find_next_zero_bit_le on the allocated region. find_next_zero_bit_le
+accesses the bitmap using unsigned long pointers. So, on 64-bit
+architectures, it may access 4 bytes beyond the allocated size.
+
+Fix this bug by rounding up bitset_size to BITS_PER_LONG.
+
+This bug was found by running the lvm2 testsuite with kasan.
+
+Fixes: 29121bd0b00e ("[PATCH] dm mirror log: bitset_size fix")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-log.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/md/dm-log.c
++++ b/drivers/md/dm-log.c
+@@ -415,8 +415,7 @@ static int create_log_context(struct dm_
+ /*
+ * Work out how many "unsigned long"s we need to hold the bitset.
+ */
+- bitset_size = dm_round_up(region_count,
+- sizeof(*lc->clean_bits) << BYTE_SHIFT);
++ bitset_size = dm_round_up(region_count, BITS_PER_LONG);
+ bitset_size >>= BYTE_SHIFT;
+
+ lc->bitset_uint32_count = bitset_size / sizeof(*lc->clean_bits);
--- /dev/null
+From b55c3cd102a6f48b90e61c44f7f3dda8c290c694 Mon Sep 17 00:00:00 2001
+From: Zhang Yi <yi.zhang@huawei.com>
+Date: Wed, 1 Jun 2022 17:27:17 +0800
+Subject: ext4: add reserved GDT blocks check
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+commit b55c3cd102a6f48b90e61c44f7f3dda8c290c694 upstream.
+
+We capture a NULL pointer issue when resizing a corrupt ext4 image which
+is freshly clear resize_inode feature (not run e2fsck). It could be
+simply reproduced by following steps. The problem is because of the
+resize_inode feature was cleared, and it will convert the filesystem to
+meta_bg mode in ext4_resize_fs(), but the es->s_reserved_gdt_blocks was
+not reduced to zero, so could we mistakenly call reserve_backup_gdb()
+and passing an uninitialized resize_inode to it when adding new group
+descriptors.
+
+ mkfs.ext4 /dev/sda 3G
+ tune2fs -O ^resize_inode /dev/sda #forget to run requested e2fsck
+ mount /dev/sda /mnt
+ resize2fs /dev/sda 8G
+
+ ========
+ BUG: kernel NULL pointer dereference, address: 0000000000000028
+ CPU: 19 PID: 3243 Comm: resize2fs Not tainted 5.18.0-rc7-00001-gfde086c5ebfd #748
+ ...
+ RIP: 0010:ext4_flex_group_add+0xe08/0x2570
+ ...
+ Call Trace:
+ <TASK>
+ ext4_resize_fs+0xbec/0x1660
+ __ext4_ioctl+0x1749/0x24e0
+ ext4_ioctl+0x12/0x20
+ __x64_sys_ioctl+0xa6/0x110
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ RIP: 0033:0x7f2dd739617b
+ ========
+
+The fix is simple, add a check in ext4_resize_begin() to make sure that
+the es->s_reserved_gdt_blocks is zero when the resize_inode feature is
+disabled.
+
+Cc: stable@kernel.org
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Reviewed-by: Ritesh Harjani <ritesh.list@gmail.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20220601092717.763694-1-yi.zhang@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/resize.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -53,6 +53,16 @@ int ext4_resize_begin(struct super_block
+ return -EPERM;
+
+ /*
++ * If the reserved GDT blocks is non-zero, the resize_inode feature
++ * should always be set.
++ */
++ if (EXT4_SB(sb)->s_es->s_reserved_gdt_blocks &&
++ !ext4_has_feature_resize_inode(sb)) {
++ ext4_error(sb, "resize_inode disabled but reserved GDT blocks non-zero");
++ return -EFSCORRUPTED;
++ }
++
++ /*
+ * If we are not using the primary superblock/GDT copy don't resize,
+ * because the user tools have no way of handling this. Probably a
+ * bad time to do it anyways.
--- /dev/null
+From a08f789d2ab5242c07e716baf9a835725046be89 Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Sat, 28 May 2022 19:00:15 +0800
+Subject: ext4: fix bug_on ext4_mb_use_inode_pa
+
+From: Baokun Li <libaokun1@huawei.com>
+
+commit a08f789d2ab5242c07e716baf9a835725046be89 upstream.
+
+Hulk Robot reported a BUG_ON:
+==================================================================
+kernel BUG at fs/ext4/mballoc.c:3211!
+[...]
+RIP: 0010:ext4_mb_mark_diskspace_used.cold+0x85/0x136f
+[...]
+Call Trace:
+ ext4_mb_new_blocks+0x9df/0x5d30
+ ext4_ext_map_blocks+0x1803/0x4d80
+ ext4_map_blocks+0x3a4/0x1a10
+ ext4_writepages+0x126d/0x2c30
+ do_writepages+0x7f/0x1b0
+ __filemap_fdatawrite_range+0x285/0x3b0
+ file_write_and_wait_range+0xb1/0x140
+ ext4_sync_file+0x1aa/0xca0
+ vfs_fsync_range+0xfb/0x260
+ do_fsync+0x48/0xa0
+[...]
+==================================================================
+
+Above issue may happen as follows:
+-------------------------------------
+do_fsync
+ vfs_fsync_range
+ ext4_sync_file
+ file_write_and_wait_range
+ __filemap_fdatawrite_range
+ do_writepages
+ ext4_writepages
+ mpage_map_and_submit_extent
+ mpage_map_one_extent
+ ext4_map_blocks
+ ext4_mb_new_blocks
+ ext4_mb_normalize_request
+ >>> start + size <= ac->ac_o_ex.fe_logical
+ ext4_mb_regular_allocator
+ ext4_mb_simple_scan_group
+ ext4_mb_use_best_found
+ ext4_mb_new_preallocation
+ ext4_mb_new_inode_pa
+ ext4_mb_use_inode_pa
+ >>> set ac->ac_b_ex.fe_len <= 0
+ ext4_mb_mark_diskspace_used
+ >>> BUG_ON(ac->ac_b_ex.fe_len <= 0);
+
+we can easily reproduce this problem with the following commands:
+ `fallocate -l100M disk`
+ `mkfs.ext4 -b 1024 -g 256 disk`
+ `mount disk /mnt`
+ `fsstress -d /mnt -l 0 -n 1000 -p 1`
+
+The size must be smaller than or equal to EXT4_BLOCKS_PER_GROUP.
+Therefore, "start + size <= ac->ac_o_ex.fe_logical" may occur
+when the size is truncated. So start should be the start position of
+the group where ac_o_ex.fe_logical is located after alignment.
+In addition, when the value of fe_logical or EXT4_BLOCKS_PER_GROUP
+is very large, the value calculated by start_off is more accurate.
+
+Cc: stable@kernel.org
+Fixes: cd648b8a8fd5 ("ext4: trim allocation requests to group size")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Ritesh Harjani <ritesh.list@gmail.com>
+Link: https://lore.kernel.org/r/20220528110017.354175-2-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/mballoc.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -3172,6 +3172,15 @@ ext4_mb_normalize_request(struct ext4_al
+ size = size >> bsbits;
+ start = start_off >> bsbits;
+
++ /*
++ * For tiny groups (smaller than 8MB) the chosen allocation
++ * alignment may be larger than group size. Make sure the
++ * alignment does not move allocation to a different group which
++ * makes mballoc fail assertions later.
++ */
++ start = max(start, rounddown(ac->ac_o_ex.fe_logical,
++ (ext4_lblk_t)EXT4_BLOCKS_PER_GROUP(ac->ac_sb)));
++
+ /* don't cover already allocated blocks in selected range */
+ if (ar->pleft && start <= ar->lleft) {
+ size -= ar->lleft + 1 - start;
--- /dev/null
+From bc75a6eb856cb1507fa907bf6c1eda91b3fef52f Mon Sep 17 00:00:00 2001
+From: Ding Xiang <dingxiang@cmss.chinamobile.com>
+Date: Mon, 30 May 2022 18:00:47 +0800
+Subject: ext4: make variable "count" signed
+
+From: Ding Xiang <dingxiang@cmss.chinamobile.com>
+
+commit bc75a6eb856cb1507fa907bf6c1eda91b3fef52f upstream.
+
+Since dx_make_map() may return -EFSCORRUPTED now, so change "count" to
+be a signed integer so we can correctly check for an error code returned
+by dx_make_map().
+
+Fixes: 46c116b920eb ("ext4: verify dir block before splitting it")
+Cc: stable@kernel.org
+Signed-off-by: Ding Xiang <dingxiang@cmss.chinamobile.com>
+Link: https://lore.kernel.org/r/20220530100047.537598-1-dingxiang@cmss.chinamobile.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/namei.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1836,7 +1836,8 @@ static struct ext4_dir_entry_2 *do_split
+ struct dx_hash_info *hinfo)
+ {
+ unsigned blocksize = dir->i_sb->s_blocksize;
+- unsigned count, continued;
++ unsigned continued;
++ int count;
+ struct buffer_head *bh2;
+ ext4_lblk_t newblock;
+ u32 hash2;
usb-dwc2-fix-memory-leak-in-dwc2_hcd_init.patch
usb-gadget-lpc32xx_udc-fix-refcount-leak-in-lpc32xx_udc_probe.patch
serial-8250-store-to-lsr_save_flags-after-lsr-read.patch
+dm-mirror-log-round-up-region-bitmap-size-to-bits_per_long.patch
+ext4-fix-bug_on-ext4_mb_use_inode_pa.patch
+ext4-make-variable-count-signed.patch
+ext4-add-reserved-gdt-blocks-check.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
