From 3c4def688b8462239e590772107f5640f98fb02c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 18 Jun 2020 18:45:27 +0200
Subject: [PATCH] 4.4-stable patches

added patches:
	ext4-fix-ext_max_extent-index-to-check-for-zeroed-eh_max.patch
	ima-fix-ima-digest-hash-table-key-calculation.patch
---
 ...idle-fix-three-reference-count-leaks.patch | 13 ++---
 ...ent-index-to-check-for-zeroed-eh_max.patch | 45 ++++++++++++++++
 ...ma-digest-hash-table-key-calculation.patch | 54 +++++++++++++++++++
 queue-4.4/series                              |  2 +
 4 files changed, 105 insertions(+), 9 deletions(-)
 create mode 100644 queue-4.4/ext4-fix-ext_max_extent-index-to-check-for-zeroed-eh_max.patch
 create mode 100644 queue-4.4/ima-fix-ima-digest-hash-table-key-calculation.patch

diff --git a/queue-4.4/cpuidle-fix-three-reference-count-leaks.patch b/queue-4.4/cpuidle-fix-three-reference-count-leaks.patch
index 511e18b3e7c..277912a303e 100644
--- a/queue-4.4/cpuidle-fix-three-reference-count-leaks.patch
+++ b/queue-4.4/cpuidle-fix-three-reference-count-leaks.patch
@@ -18,14 +18,12 @@ Signed-off-by: Qiushi Wu <wu000273@umn.edu>
 Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- drivers/cpuidle/sysfs.c | 6 +++---
+ drivers/cpuidle/sysfs.c |    6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)
 
-diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c
-index 9e98a5fbbc1d..e7e92ed34f0c 100644
 --- a/drivers/cpuidle/sysfs.c
 +++ b/drivers/cpuidle/sysfs.c
-@@ -412,7 +412,7 @@ static int cpuidle_add_state_sysfs(struct cpuidle_device *device)
+@@ -412,7 +412,7 @@ static int cpuidle_add_state_sysfs(struc
  		ret = kobject_init_and_add(&kobj->kobj, &ktype_state_cpuidle,
  					   &kdev->kobj, "state%d", i);
  		if (ret) {
@@ -34,7 +32,7 @@ index 9e98a5fbbc1d..e7e92ed34f0c 100644
  			goto error_state;
  		}
  		kobject_uevent(&kobj->kobj, KOBJ_ADD);
-@@ -542,7 +542,7 @@ static int cpuidle_add_driver_sysfs(struct cpuidle_device *dev)
+@@ -542,7 +542,7 @@ static int cpuidle_add_driver_sysfs(stru
  	ret = kobject_init_and_add(&kdrv->kobj, &ktype_driver_cpuidle,
  				   &kdev->kobj, "driver");
  	if (ret) {
@@ -43,7 +41,7 @@ index 9e98a5fbbc1d..e7e92ed34f0c 100644
  		return ret;
  	}
  
-@@ -636,7 +636,7 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev)
+@@ -636,7 +636,7 @@ int cpuidle_add_sysfs(struct cpuidle_dev
  	error = kobject_init_and_add(&kdev->kobj, &ktype_cpuidle, &cpu_dev->kobj,
  				   "cpuidle");
  	if (error) {
@@ -52,6 +50,3 @@ index 9e98a5fbbc1d..e7e92ed34f0c 100644
  		return error;
  	}
  
--- 
-2.25.1
-
diff --git a/queue-4.4/ext4-fix-ext_max_extent-index-to-check-for-zeroed-eh_max.patch b/queue-4.4/ext4-fix-ext_max_extent-index-to-check-for-zeroed-eh_max.patch
new file mode 100644
index 00000000000..d2c057f7524
--- /dev/null
+++ b/queue-4.4/ext4-fix-ext_max_extent-index-to-check-for-zeroed-eh_max.patch
@@ -0,0 +1,45 @@
+From c36a71b4e35ab35340facdd6964a00956b9fef0a Mon Sep 17 00:00:00 2001
+From: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
+Date: Mon, 20 Apr 2020 19:39:59 -0700
+Subject: ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max
+
+From: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
+
+commit c36a71b4e35ab35340facdd6964a00956b9fef0a upstream.
+
+If eh->eh_max is 0, EXT_MAX_EXTENT/INDEX would evaluate to unsigned
+(-1) resulting in illegal memory accesses. Although there is no
+consistent repro, we see that generic/019 sometimes crashes because of
+this bug.
+
+Ran gce-xfstests smoke and verified that there were no regressions.
+
+Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
+Link: https://lore.kernel.org/r/20200421023959.20879-2-harshadshirwadkar@gmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ext4_extents.h |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/ext4_extents.h
++++ b/fs/ext4/ext4_extents.h
+@@ -169,10 +169,13 @@ struct ext4_ext_path {
+ 	(EXT_FIRST_EXTENT((__hdr__)) + le16_to_cpu((__hdr__)->eh_entries) - 1)
+ #define EXT_LAST_INDEX(__hdr__) \
+ 	(EXT_FIRST_INDEX((__hdr__)) + le16_to_cpu((__hdr__)->eh_entries) - 1)
+-#define EXT_MAX_EXTENT(__hdr__) \
+-	(EXT_FIRST_EXTENT((__hdr__)) + le16_to_cpu((__hdr__)->eh_max) - 1)
++#define EXT_MAX_EXTENT(__hdr__)	\
++	((le16_to_cpu((__hdr__)->eh_max)) ? \
++	((EXT_FIRST_EXTENT((__hdr__)) + le16_to_cpu((__hdr__)->eh_max) - 1)) \
++					: 0)
+ #define EXT_MAX_INDEX(__hdr__) \
+-	(EXT_FIRST_INDEX((__hdr__)) + le16_to_cpu((__hdr__)->eh_max) - 1)
++	((le16_to_cpu((__hdr__)->eh_max)) ? \
++	((EXT_FIRST_INDEX((__hdr__)) + le16_to_cpu((__hdr__)->eh_max) - 1)) : 0)
+ 
+ static inline struct ext4_extent_header *ext_inode_hdr(struct inode *inode)
+ {
diff --git a/queue-4.4/ima-fix-ima-digest-hash-table-key-calculation.patch b/queue-4.4/ima-fix-ima-digest-hash-table-key-calculation.patch
new file mode 100644
index 00000000000..42ecaaf4a3b
--- /dev/null
+++ b/queue-4.4/ima-fix-ima-digest-hash-table-key-calculation.patch
@@ -0,0 +1,54 @@
+From 1129d31b55d509f15e72dc68e4b5c3a4d7b4da8d Mon Sep 17 00:00:00 2001
+From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
+Date: Tue, 28 Apr 2020 09:30:10 +0200
+Subject: ima: Fix ima digest hash table key calculation
+
+From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
+
+commit 1129d31b55d509f15e72dc68e4b5c3a4d7b4da8d upstream.
+
+Function hash_long() accepts unsigned long, while currently only one byte
+is passed from ima_hash_key(), which calculates a key for ima_htable.
+
+Given that hashing the digest does not give clear benefits compared to
+using the digest itself, remove hash_long() and return the modulus
+calculated on the first two bytes of the digest with the number of slots.
+Also reduce the depth of the hash table by doubling the number of slots.
+
+Cc: stable@vger.kernel.org
+Fixes: 3323eec921ef ("integrity: IMA as an integrity service provider")
+Co-developed-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
+Acked-by: David.Laight@aculab.com (big endian system concerns)
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima.h |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/security/integrity/ima/ima.h
++++ b/security/integrity/ima/ima.h
+@@ -34,7 +34,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 =
+ #define IMA_DIGEST_SIZE		SHA1_DIGEST_SIZE
+ #define IMA_EVENT_NAME_LEN_MAX	255
+ 
+-#define IMA_HASH_BITS 9
++#define IMA_HASH_BITS 10
+ #define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)
+ 
+ #define IMA_TEMPLATE_FIELD_ID_MAX_LEN	16
+@@ -131,9 +131,10 @@ struct ima_h_table {
+ };
+ extern struct ima_h_table ima_htable;
+ 
+-static inline unsigned long ima_hash_key(u8 *digest)
++static inline unsigned int ima_hash_key(u8 *digest)
+ {
+-	return hash_long(*digest, IMA_HASH_BITS);
++	/* there is no point in taking a hash of part of a digest */
++	return (digest[0] | digest[1] << 8) % IMA_MEASURE_HTABLE_SIZE;
+ }
+ 
+ /* LIM API function definitions */
diff --git a/queue-4.4/series b/queue-4.4/series
index 3219c7859a4..39a1934341e 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -73,3 +73,5 @@ mips-fix-irq-tracing-when-call-handle_fpe-and-handle.patch
 ixgbe-fix-signed-integer-overflow-warning.patch
 spi-dw-return-any-value-retrieved-from-the-dma_trans.patch
 cpuidle-fix-three-reference-count-leaks.patch
+ima-fix-ima-digest-hash-table-key-calculation.patch
+ext4-fix-ext_max_extent-index-to-check-for-zeroed-eh_max.patch
-- 
2.47.3