From a46b41c4910bb6873f5dcfafa6c2f1f0627f195c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 20 Jun 2022 11:55:05 +0200
Subject: [PATCH] 4.14-stable patches
added patches:
dm-mirror-log-round-up-region-bitmap-size-to-bits_per_long.patch
ext4-add-reserved-gdt-blocks-check.patch
ext4-fix-bug_on-ext4_mb_use_inode_pa.patch
ext4-make-variable-count-signed.patch
---
...-region-bitmap-size-to-bits_per_long.patch | 39 ++++++++
.../ext4-add-reserved-gdt-blocks-check.patch | 74 ++++++++++++++
...ext4-fix-bug_on-ext4_mb_use_inode_pa.patch | 97 +++++++++++++++++++
.../ext4-make-variable-count-signed.patch | 35 +++++++
queue-4.14/series | 4 +
5 files changed, 249 insertions(+)
create mode 100644 queue-4.14/dm-mirror-log-round-up-region-bitmap-size-to-bits_per_long.patch
create mode 100644 queue-4.14/ext4-add-reserved-gdt-blocks-check.patch
create mode 100644 queue-4.14/ext4-fix-bug_on-ext4_mb_use_inode_pa.patch
create mode 100644 queue-4.14/ext4-make-variable-count-signed.patch
diff --git a/queue-4.14/dm-mirror-log-round-up-region-bitmap-size-to-bits_per_long.patch b/queue-4.14/dm-mirror-log-round-up-region-bitmap-size-to-bits_per_long.patch
new file mode 100644
index 00000000000..a9552a7bd19
--- /dev/null
+++ b/queue-4.14/dm-mirror-log-round-up-region-bitmap-size-to-bits_per_long.patch
@@ -0,0 +1,39 @@
+From 85e123c27d5cbc22cfdc01de1e2ca1d9003a02d0 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Thu, 16 Jun 2022 13:28:57 -0400
+Subject: dm mirror log: round up region bitmap size to BITS_PER_LONG
+
+From: Mikulas Patocka
+
+commit 85e123c27d5cbc22cfdc01de1e2ca1d9003a02d0 upstream.
+
+The code in dm-log rounds up bitset_size to 32 bits. It then uses
+find_next_zero_bit_le on the allocated region. find_next_zero_bit_le
+accesses the bitmap using unsigned long pointers. So, on 64-bit
+architectures, it may access 4 bytes beyond the allocated size.
+
+Fix this bug by rounding up bitset_size to BITS_PER_LONG.
+
+This bug was found by running the lvm2 testsuite with kasan.
+
+Fixes: 29121bd0b00e ("[PATCH] dm mirror log: bitset_size fix")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-log.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/md/dm-log.c
++++ b/drivers/md/dm-log.c
+@@ -415,8 +415,7 @@ static int create_log_context(struct dm_
+ /*
+ * Work out how many "unsigned long"s we need to hold the bitset.
+ */
+- bitset_size = dm_round_up(region_count,
+- sizeof(*lc->clean_bits) << BYTE_SHIFT);
++ bitset_size = dm_round_up(region_count, BITS_PER_LONG);
+ bitset_size >>= BYTE_SHIFT;
+
+ lc->bitset_uint32_count = bitset_size / sizeof(*lc->clean_bits);
diff --git a/queue-4.14/ext4-add-reserved-gdt-blocks-check.patch b/queue-4.14/ext4-add-reserved-gdt-blocks-check.patch
new file mode 100644
index 00000000000..9a77582a077
--- /dev/null
+++ b/queue-4.14/ext4-add-reserved-gdt-blocks-check.patch
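Review bot: The comment kept above the changed line still says the code works out how many "unsigned long"s are needed, while the result is stored in `bitset_uint32_count` in units of `sizeof(*lc->clean_bits)`, and nothing in the code records why BITS_PER_LONG rather than 32 is the right granule; a later reader seeing a u32 counter next to a 64-bit rounding may well "fix" it back. I would replace the comment with `/* find_next_zero_bit_le() reads the bitmap in whole unsigned longs, so round the bitset up to BITS_PER_LONG (not 32 bits) even though it is counted in u32 units below. */`. The fix is only sufficient if every bitmap that find_next_zero_bit_le() walks is allocated from this padded bitset_size; those allocations, and the rest of create_log_context, which begins above and ends below the hunk, are not visible here. For the 4.14 backport it is also worth confirming that BITS_PER_LONG is in scope in dm-log.c (it normally arrives via linux/bitops.h, but the include list is outside the hunk).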
@@ -0,0 +1,74 @@
+From b55c3cd102a6f48b90e61c44f7f3dda8c290c694 Mon Sep 17 00:00:00 2001
+From: Zhang Yi
+Date: Wed, 1 Jun 2022 17:27:17 +0800
+Subject: ext4: add reserved GDT blocks check
+
+From: Zhang Yi
+
+commit b55c3cd102a6f48b90e61c44f7f3dda8c290c694 upstream.
+
+We capture a NULL pointer issue when resizing a corrupt ext4 image which
+is freshly clear resize_inode feature (not run e2fsck). It could be
+simply reproduced by following steps. The problem is because of the
+resize_inode feature was cleared, and it will convert the filesystem to
+meta_bg mode in ext4_resize_fs(), but the es->s_reserved_gdt_blocks was
+not reduced to zero, so could we mistakenly call reserve_backup_gdb()
+and passing an uninitialized resize_inode to it when adding new group
+descriptors.
+
+ mkfs.ext4 /dev/sda 3G
+ tune2fs -O ^resize_inode /dev/sda #forget to run requested e2fsck
+ mount /dev/sda /mnt
+ resize2fs /dev/sda 8G
+
+ ========
+ BUG: kernel NULL pointer dereference, address: 0000000000000028
+ CPU: 19 PID: 3243 Comm: resize2fs Not tainted 5.18.0-rc7-00001-gfde086c5ebfd #748
+ ...
+ RIP: 0010:ext4_flex_group_add+0xe08/0x2570
+ ...
+ Call Trace:
+
+ ext4_resize_fs+0xbec/0x1660
+ __ext4_ioctl+0x1749/0x24e0
+ ext4_ioctl+0x12/0x20
+ __x64_sys_ioctl+0xa6/0x110
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ RIP: 0033:0x7f2dd739617b
+ ========
+
+The fix is simple, add a check in ext4_resize_begin() to make sure that
+the es->s_reserved_gdt_blocks is zero when the resize_inode feature is
+disabled.
+
+Cc: stable@kernel.org
+Signed-off-by: Zhang Yi
+Reviewed-by: Ritesh Harjani
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20220601092717.763694-1-yi.zhang@huawei.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/resize.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -53,6 +53,16 @@ int ext4_resize_begin(struct super_block
+ return -EPERM;
+
+ /*
++ * If the reserved GDT blocks is non-zero, the resize_inode feature
++ * should always be set.
++ */
++ if (EXT4_SB(sb)->s_es->s_reserved_gdt_blocks &&
++ !ext4_has_feature_resize_inode(sb)) {
++ ext4_error(sb, "resize_inode disabled but reserved GDT blocks non-zero");
++ return -EFSCORRUPTED;
++ }
++
++ /*
+ * If we are not using the primary superblock/GDT copy don't resize,
+ * because the user tools have no way of handling this. Probably a
+ * bad time to do it anyways.
diff --git a/queue-4.14/ext4-fix-bug_on-ext4_mb_use_inode_pa.patch b/queue-4.14/ext4-fix-bug_on-ext4_mb_use_inode_pa.patch
new file mode 100644
index 00000000000..0ea896a1793
--- /dev/null
+++ b/queue-4.14/ext4-fix-bug_on-ext4_mb_use_inode_pa.patch
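Review bot: The new check tests the raw on-disk `s_reserved_gdt_blocks` field directly; a non-zero test is endianness-independent, but if that field is a __le16 like the other superblock counters, the surrounding ext4 code reads it through le16_to_cpu() and sparse may complain about the bare use, so I would write `if (le16_to_cpu(EXT4_SB(sb)->s_es->s_reserved_gdt_blocks) && !ext4_has_feature_resize_inode(sb)) {`. The added comment describes the invariant but not why it is enforced here; I would extend it with `* This is a corruption check on untrusted on-disk metadata: resizing an image that has reserved GDT blocks but no resize inode would dereference a NULL resize inode (see the commit message).` Because the inconsistency is a static property of the superblock, the same test in the mount path would reject the corrupt image before any resize ioctl is reachable; whether 4.14's ext4_fill_super already does so is not visible here. ext4_resize_begin starts above the hunk and its remaining checks continue below it.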
@@ -0,0 +1,97 @@
+From a08f789d2ab5242c07e716baf9a835725046be89 Mon Sep 17 00:00:00 2001
+From: Baokun Li
+Date: Sat, 28 May 2022 19:00:15 +0800
+Subject: ext4: fix bug_on ext4_mb_use_inode_pa
+
+From: Baokun Li
+
+commit a08f789d2ab5242c07e716baf9a835725046be89 upstream.
+
+Hulk Robot reported a BUG_ON:
+==================================================================
+kernel BUG at fs/ext4/mballoc.c:3211!
+[...]
+RIP: 0010:ext4_mb_mark_diskspace_used.cold+0x85/0x136f
+[...]
+Call Trace:
+ ext4_mb_new_blocks+0x9df/0x5d30
+ ext4_ext_map_blocks+0x1803/0x4d80
+ ext4_map_blocks+0x3a4/0x1a10
+ ext4_writepages+0x126d/0x2c30
+ do_writepages+0x7f/0x1b0
+ __filemap_fdatawrite_range+0x285/0x3b0
+ file_write_and_wait_range+0xb1/0x140
+ ext4_sync_file+0x1aa/0xca0
+ vfs_fsync_range+0xfb/0x260
+ do_fsync+0x48/0xa0
+[...]
+==================================================================
+
+Above issue may happen as follows:
+-------------------------------------
+do_fsync
+ vfs_fsync_range
+ ext4_sync_file
+ file_write_and_wait_range
+ __filemap_fdatawrite_range
+ do_writepages
+ ext4_writepages
+ mpage_map_and_submit_extent
+ mpage_map_one_extent
+ ext4_map_blocks
+ ext4_mb_new_blocks
+ ext4_mb_normalize_request
+ >>> start + size <= ac->ac_o_ex.fe_logical
+ ext4_mb_regular_allocator
+ ext4_mb_simple_scan_group
+ ext4_mb_use_best_found
+ ext4_mb_new_preallocation
+ ext4_mb_new_inode_pa
+ ext4_mb_use_inode_pa
+ >>> set ac->ac_b_ex.fe_len <= 0
+ ext4_mb_mark_diskspace_used
+ >>> BUG_ON(ac->ac_b_ex.fe_len <= 0);
+
+we can easily reproduce this problem with the following commands:
+ `fallocate -l100M disk`
+ `mkfs.ext4 -b 1024 -g 256 disk`
+ `mount disk /mnt`
+ `fsstress -d /mnt -l 0 -n 1000 -p 1`
+
+The size must be smaller than or equal to EXT4_BLOCKS_PER_GROUP.
+Therefore, "start + size <= ac->ac_o_ex.fe_logical" may occur
+when the size is truncated. So start should be the start position of
+the group where ac_o_ex.fe_logical is located after alignment.
+In addition, when the value of fe_logical or EXT4_BLOCKS_PER_GROUP
+is very large, the value calculated by start_off is more accurate.
+
+Cc: stable@kernel.org
+Fixes: cd648b8a8fd5 ("ext4: trim allocation requests to group size")
+Reported-by: Hulk Robot
+Signed-off-by: Baokun Li
+Reviewed-by: Ritesh Harjani
+Link: https://lore.kernel.org/r/20220528110017.354175-2-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/mballoc.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -3197,6 +3197,15 @@ ext4_mb_normalize_request(struct ext4_al
+ size = size >> bsbits;
+ start = start_off >> bsbits;
+
++ /*
++ * For tiny groups (smaller than 8MB) the chosen allocation
++ * alignment may be larger than group size. Make sure the
++ * alignment does not move allocation to a different group which
++ * makes mballoc fail assertions later.
++ */
++ start = max(start, rounddown(ac->ac_o_ex.fe_logical,
++ (ext4_lblk_t)EXT4_BLOCKS_PER_GROUP(ac->ac_sb)));
++
+ /* don't cover already allocated blocks in selected range */
+ if (ar->pleft && start <= ar->lleft) {
+ size -= ar->lleft + 1 - start;
diff --git a/queue-4.14/ext4-make-variable-count-signed.patch b/queue-4.14/ext4-make-variable-count-signed.patch
new file mode 100644
index 00000000000..661be015216
--- /dev/null
+++ b/queue-4.14/ext4-make-variable-count-signed.patch
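Review bot: The new `max()` compiles only if `start` has exactly the type of the cast rounddown() result, ext4_lblk_t, because the kernel's max() rejects mismatched operand types; `start`'s declaration is above the hunk, so for the 4.14 backport confirm it is still declared ext4_lblk_t in this tree rather than loff_t before the patch is queued. The added comment explains the alignment problem but not which property is being restored; I would append `* The commit adding this was fixing start + size <= ac_o_ex.fe_logical, which later makes ext4_mb_use_inode_pa() hand a non-positive fe_len to ext4_mb_mark_diskspace_used().`. Raising `start` without shrinking `size` can also leave `start + size` past the end of the group; the trimming further down in ext4_mb_normalize_request presumably bounds that, but it is outside the hunk and worth checking. The enclosing function starts above and ends below the hunk.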
@@ -0,0 +1,35 @@
+From bc75a6eb856cb1507fa907bf6c1eda91b3fef52f Mon Sep 17 00:00:00 2001
+From: Ding Xiang
+Date: Mon, 30 May 2022 18:00:47 +0800
+Subject: ext4: make variable "count" signed
+
+From: Ding Xiang
+
+commit bc75a6eb856cb1507fa907bf6c1eda91b3fef52f upstream.
+
+Since dx_make_map() may return -EFSCORRUPTED now, so change "count" to
+be a signed integer so we can correctly check for an error code returned
+by dx_make_map().
+
+Fixes: 46c116b920eb ("ext4: verify dir block before splitting it")
+Cc: stable@kernel.org
+Signed-off-by: Ding Xiang
+Link: https://lore.kernel.org/r/20220530100047.537598-1-dingxiang@cmss.chinamobile.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/namei.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1724,7 +1724,8 @@ static struct ext4_dir_entry_2 *do_split
+ struct dx_hash_info *hinfo)
+ {
+ unsigned blocksize = dir->i_sb->s_blocksize;
+- unsigned count, continued;
++ unsigned continued;
++ int count;
+ struct buffer_head *bh2;
+ ext4_lblk_t newblock;
+ u32 hash2;
diff --git a/queue-4.14/series b/queue-4.14/series
index 9809f997f09..68e489f05d8 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -220,3 +220,7 @@ usb-serial-io_ti-add-agilent-e5805a-support.patch
 usb-dwc2-fix-memory-leak-in-dwc2_hcd_init.patch
 usb-gadget-lpc32xx_udc-fix-refcount-leak-in-lpc32xx_udc_probe.patch
 serial-8250-store-to-lsr_save_flags-after-lsr-read.patch
+dm-mirror-log-round-up-region-bitmap-size-to-bits_per_long.patch
+ext4-fix-bug_on-ext4_mb_use_inode_pa.patch
+ext4-make-variable-count-signed.patch
+ext4-add-reserved-gdt-blocks-check.patch
--
2.47.3
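Review bot: Making `count` an `int` is only a fix if the error test sits immediately after the dx_make_map() call, before `count` takes part in any arithmetic or comparison with an unsigned operand such as `continued` or a u32, since a mixed comparison promotes a negative error code to a large unsigned value and it would be used as a real entry count; that call and its check are below the hunk in do_split, so confirm the backport carries `if (count < 0) { err = count; goto journal_error; }` directly after the assignment. It is also worth confirming that 46c116b920eb ("ext4: verify dir block before splitting it"), named in the Fixes: tag, is in the 4.14 queue ahead of this one, otherwise there is no negative return to check for in this tree. A short comment on the new declaration would spare the next reader the same question: `int count; /* entries from dx_make_map(), or -EFSCORRUPTED */`. do_split begins above the hunk and continues past it.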