From 1e535efb3afe3a037b744ddefa58c416a6e31bc5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 30 Jul 2020 09:25:42 +0200
Subject: [PATCH] 4.9-stable patches
added patches:
 regmap-debugfs-check-count-when-read-regmap-file.patch
 xfs-set-format-back-to-extents-if-xfs_bmap_extents_to_btree.patch
---
 ...fs-check-count-when-read-regmap-file.patch | 50 +++++++++++++++++++
 queue-4.9/series | 2 +
 ...extents-if-xfs_bmap_extents_to_btree.patch | 47 +++++++++++++++++
 3 files changed, 99 insertions(+)
 create mode 100644 queue-4.9/regmap-debugfs-check-count-when-read-regmap-file.patch
 create mode 100644 queue-4.9/xfs-set-format-back-to-extents-if-xfs_bmap_extents_to_btree.patch
diff --git a/queue-4.9/regmap-debugfs-check-count-when-read-regmap-file.patch b/queue-4.9/regmap-debugfs-check-count-when-read-regmap-file.patch
new file mode 100644
index 00000000000..c725f014e53
--- /dev/null
+++ b/queue-4.9/regmap-debugfs-check-count-when-read-regmap-file.patch
@@ -0,0 +1,50 @@
+From 74edd08a4fbf51d65fd8f4c7d8289cd0f392bd91 Mon Sep 17 00:00:00 2001
+From: Peng Fan
+Date: Fri, 13 Mar 2020 09:58:07 +0800
+Subject: regmap: debugfs: check count when read regmap file
+
+From: Peng Fan
+
+commit 74edd08a4fbf51d65fd8f4c7d8289cd0f392bd91 upstream.
+
+When executing the following command, we met kernel dump.
+dmesg -c > /dev/null; cd /sys;
+for i in `ls /sys/kernel/debug/regmap/* -d`; do
+ echo "Checking regmap in $i";
+ cat $i/registers;
+done && grep -ri "0x02d0" *;
+
+It is because the count value is too big, and kmalloc fails. So add an
+upper bound check to allow max size `PAGE_SIZE << (MAX_ORDER - 1)`.
+
+Signed-off-by: Peng Fan
+Link: https://lore.kernel.org/r/1584064687-12964-1-git-send-email-peng.fan@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/regmap/regmap-debugfs.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -204,6 +204,9 @@ static ssize_t regmap_read_debugfs(struc
+ if (*ppos < 0 || !count)
+ return -EINVAL;
+
++ if (count > (PAGE_SIZE << (MAX_ORDER - 1)))
++ count = PAGE_SIZE << (MAX_ORDER - 1);
++
+ buf = kmalloc(count, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+@@ -352,6 +355,9 @@ static ssize_t regmap_reg_ranges_read_fi
+ if (*ppos < 0 || !count)
+ return -EINVAL;
+
++ if (count > (PAGE_SIZE << (MAX_ORDER - 1)))
++ count = PAGE_SIZE << (MAX_ORDER - 1);
++
+ buf = kmalloc(count, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
diff --git a/queue-4.9/series b/queue-4.9/series
index f8f371dc289..391822914b2 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
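Review bot: The clamp added ahead of `kmalloc(count, GFP_KERNEL)` in regmap_read_debugfs, and repeated verbatim in regmap_reg_ranges_read_file, bounds the caller-supplied read size in page-allocator terms (`PAGE_SIZE << (MAX_ORDER - 1)`) rather than by the limit of the allocator that is actually called. Whether the slab limit can be lower than that on some 4.9 configurations cannot be told from these hunks; if it can, `count = min_t(size_t, count, KMALLOC_MAX_SIZE);` would be the bound that always matches `kmalloc()`, and that is a question for upstream rather than for this backport. Even with the clamp, a single read can still request a maximum-order contiguous buffer, so the `-ENOMEM` return remains the path that handles a failed allocation. A short comment above each clamp would record the intent, for example `/* Cap the user-supplied size at the largest allocation kmalloc() can attempt. */`. Both functions begin and end outside the quoted hunks.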
@@ -53,3 +53,5 @@ ax.25-prevent-integer-overflows-in-connect-and-sendmsg.patch
 tcp-allow-at-most-one-tlp-probe-per-flight.patch
 ip6_gre-fix-null-ptr-deref-in-ip6gre_init_net.patch
 drivers-net-wan-x25_asy-fix-to-make-it-work.patch
+regmap-debugfs-check-count-when-read-regmap-file.patch
+xfs-set-format-back-to-extents-if-xfs_bmap_extents_to_btree.patch
diff --git a/queue-4.9/xfs-set-format-back-to-extents-if-xfs_bmap_extents_to_btree.patch b/queue-4.9/xfs-set-format-back-to-extents-if-xfs_bmap_extents_to_btree.patch
new file mode 100644
index 00000000000..548ee073636
--- /dev/null
+++ b/queue-4.9/xfs-set-format-back-to-extents-if-xfs_bmap_extents_to_btree.patch
@@ -0,0 +1,47 @@
+From 2c4306f719b083d17df2963bc761777576b8ad1b Mon Sep 17 00:00:00 2001
+From: Eric Sandeen
+Date: Mon, 16 Apr 2018 23:07:27 -0700
+Subject: xfs: set format back to extents if xfs_bmap_extents_to_btree
+
+From: Eric Sandeen
+
+commit 2c4306f719b083d17df2963bc761777576b8ad1b upstream.
+
+If xfs_bmap_extents_to_btree fails in a mode where we call
+xfs_iroot_realloc(-1) to de-allocate the root, set the
+format back to extents.
+
+Otherwise we can assume we can dereference ifp->if_broot
+based on the XFS_DINODE_FMT_BTREE format, and crash.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
+Signed-off-by: Eric Sandeen
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Nobuhiro Iwamatsu (CIP)
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/libxfs/xfs_bmap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -781,6 +781,8 @@ try_another_ag:
+ *logflagsp = 0;
+ if ((error = xfs_alloc_vextent(&args))) {
+ xfs_iroot_realloc(ip, -1, whichfork);
++ ASSERT(ifp->if_broot == NULL);
++ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
+ xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
+ return error;
+ }
+@@ -801,6 +803,8 @@ try_another_ag:
+ }
+ if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) {
+ xfs_iroot_realloc(ip, -1, whichfork);
++ ASSERT(ifp->if_broot == NULL);
++ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
+ xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
+ return -ENOSPC;
+ }
-- 2.47.3
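Review bot: In both error paths after `try_another_ag:`, the only check that `xfs_iroot_realloc(ip, -1, whichfork)` really left `ifp->if_broot` NULL is an `ASSERT`. As far as I know, XFS assertions are active only in debug or warn builds, so in production the protection against the NULL dereference rests on the `XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS)` line alone. A one-line comment above the format reset would record why it must follow the realloc, for example `/* root was freed above; put the fork back in extents format so nothing later trusts if_broot */`. The two paths now repeat the same cleanup sequence and differ only in the returned error, so a shared error label might keep them from diverging in later backports; the function continues outside both hunks, so that is a suggestion to check against the full body.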