From: Greg Kroah-Hartman
Date: Thu, 30 Jul 2020 07:25:27 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.232~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=23ffbca9d799d2120f01afdd379a54cccdaa73c9;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
regmap-debugfs-check-count-when-read-regmap-file.patch
xfs-set-format-back-to-extents-if-xfs_bmap_extents_to_btree.patch
---
diff --git a/queue-4.4/regmap-debugfs-check-count-when-read-regmap-file.patch b/queue-4.4/regmap-debugfs-check-count-when-read-regmap-file.patch
new file mode 100644
index 00000000000..39ce5af15b3
--- /dev/null
+++ b/queue-4.4/regmap-debugfs-check-count-when-read-regmap-file.patch
@@ -0,0 +1,50 @@
+From 74edd08a4fbf51d65fd8f4c7d8289cd0f392bd91 Mon Sep 17 00:00:00 2001
+From: Peng Fan
+Date: Fri, 13 Mar 2020 09:58:07 +0800
+Subject: regmap: debugfs: check count when read regmap file
+
+From: Peng Fan
+
+commit 74edd08a4fbf51d65fd8f4c7d8289cd0f392bd91 upstream.
+
+When executing the following command, we met kernel dump.
+dmesg -c > /dev/null; cd /sys;
+for i in `ls /sys/kernel/debug/regmap/* -d`; do
+ echo "Checking regmap in $i";
+ cat $i/registers;
+done && grep -ri "0x02d0" *;
+
+It is because the count value is too big, and kmalloc fails. So add an
+upper bound check to allow max size `PAGE_SIZE << (MAX_ORDER - 1)`.
+
+Signed-off-by: Peng Fan
+Link: https://lore.kernel.org/r/1584064687-12964-1-git-send-email-peng.fan@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/regmap/regmap-debugfs.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -194,6 +194,9 @@ static ssize_t regmap_read_debugfs(struc
+ if (*ppos < 0 || !count)
+ return -EINVAL;
+
++ if (count > (PAGE_SIZE << (MAX_ORDER - 1)))
++ count = PAGE_SIZE << (MAX_ORDER - 1);
++
+ buf = kmalloc(count, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+@@ -342,6 +345,9 @@ static ssize_t regmap_reg_ranges_read_fi
+ if (*ppos < 0 || !count)
+ return -EINVAL;
+
++ if (count > (PAGE_SIZE << (MAX_ORDER - 1)))
++ count = PAGE_SIZE << (MAX_ORDER - 1);
++
+ buf = kmalloc(count, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
diff --git a/queue-4.4/series b/queue-4.4/series
index 8bac81a4d0d..6d8985cb1d5 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
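Review bot: The clamp added in both inner hunks (regmap_read_debugfs and regmap_reg_ranges_read_file) still lets the caller-supplied read size drive `kmalloc(count, GFP_KERNEL)` up to `PAGE_SIZE << (MAX_ORDER - 1)`, the largest contiguous request the page allocator accepts, so on a fragmented system a large read can still end in -ENOMEM rather than a short read. A smaller cap (a few pages would probably be enough for line-oriented register dumps, though the formatting code is not visible here) would remove the dependency on high-order allocations. In either case the duplicated two-line test reads better as `count = min_t(size_t, count, PAGE_SIZE << (MAX_ORDER - 1));` with a comment such as `/* bound the user-supplied size before kmalloc */`. Both function bodies continue outside the hunks, so whether the code after the allocation behaves correctly with a clamped count cannot be confirmed from here.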
@@ -45,3 +45,5 @@ rxrpc-fix-sendmsg-returning-epipe-due-to-recvmsg-returning-enodata.patch
 ip6_gre-fix-null-ptr-deref-in-ip6gre_init_net.patch
 drivers-net-wan-x25_asy-fix-to-make-it-work.patch
 makefile-fix-gcc_toolchain_dir-prefix-for-clang-cross-compilation.patch
+regmap-debugfs-check-count-when-read-regmap-file.patch
+xfs-set-format-back-to-extents-if-xfs_bmap_extents_to_btree.patch
diff --git a/queue-4.4/xfs-set-format-back-to-extents-if-xfs_bmap_extents_to_btree.patch b/queue-4.4/xfs-set-format-back-to-extents-if-xfs_bmap_extents_to_btree.patch
new file mode 100644
index 00000000000..4f8df8ab5bf
--- /dev/null
+++ b/queue-4.4/xfs-set-format-back-to-extents-if-xfs_bmap_extents_to_btree.patch
@@ -0,0 +1,39 @@
+From 2c4306f719b083d17df2963bc761777576b8ad1b Mon Sep 17 00:00:00 2001
+From: Eric Sandeen
+Date: Mon, 16 Apr 2018 23:07:27 -0700
+Subject: xfs: set format back to extents if xfs_bmap_extents_to_btree
+
+From: Eric Sandeen
+
+commit 2c4306f719b083d17df2963bc761777576b8ad1b upstream.
+
+If xfs_bmap_extents_to_btree fails in a mode where we call
+xfs_iroot_realloc(-1) to de-allocate the root, set the
+format back to extents.
+
+Otherwise we can assume we can dereference ifp->if_broot
+based on the XFS_DINODE_FMT_BTREE format, and crash.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
+Signed-off-by: Eric Sandeen
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+[iwamatsu: backported to 4.4.y]
+Signed-off-by: Nobuhiro Iwamatsu (CIP)
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/libxfs/xfs_bmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -793,6 +793,8 @@ xfs_bmap_extents_to_btree(
+ *logflagsp = 0;
+ if ((error = xfs_alloc_vextent(&args))) {
+ xfs_iroot_realloc(ip, -1, whichfork);
++ ASSERT(ifp->if_broot == NULL);
++ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
+ xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
+ return error;
+ }
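Review bot: The new `ASSERT(ifp->if_broot == NULL);` in the xfs_alloc_vextent() failure branch states the invariant but does not enforce it, because XFS's ASSERT is a no-op unless the kernel is built with DEBUG or XFS_WARN. Production builds therefore reset the fork format to extents without checking that xfs_iroot_realloc() really released the root. The reset itself deserves a why-comment, for example `/* root was freed above: fall back to extents so nothing dereferences if_broot */`. The function starts and ends outside the hunk, so the assignment of `ifp` in this 4.4 backport is not visible here. Any other failure path taken after the format was switched to btree is not visible either, and would presumably need the same reset.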