From cb1717f439126f841c45a3d632a443a2efa05c65 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 13 Jun 2024 12:13:51 +0200
Subject: [PATCH] 4.19-stable patches

added patches:
	ext4-fix-mb_cache_entry-s-e_refcnt-leak-in-ext4_xattr_block_cache_find.patch
	s390-ap-fix-crash-in-ap-internal-function-modify_bitmap.patch
---
 ...-leak-in-ext4_xattr_block_cache_find.patch | 59 +++++++++++++++
 ...n-ap-internal-function-modify_bitmap.patch | 75 +++++++++++++++++++
 queue-4.19/series                             |  2 +
 3 files changed, 136 insertions(+)
 create mode 100644 queue-4.19/ext4-fix-mb_cache_entry-s-e_refcnt-leak-in-ext4_xattr_block_cache_find.patch
 create mode 100644 queue-4.19/s390-ap-fix-crash-in-ap-internal-function-modify_bitmap.patch

diff --git a/queue-4.19/ext4-fix-mb_cache_entry-s-e_refcnt-leak-in-ext4_xattr_block_cache_find.patch b/queue-4.19/ext4-fix-mb_cache_entry-s-e_refcnt-leak-in-ext4_xattr_block_cache_find.patch
new file mode 100644
index 00000000000..856ef9a524a
--- /dev/null
+++ b/queue-4.19/ext4-fix-mb_cache_entry-s-e_refcnt-leak-in-ext4_xattr_block_cache_find.patch
@@ -0,0 +1,59 @@
+From 0c0b4a49d3e7f49690a6827a41faeffad5df7e21 Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Sat, 4 May 2024 15:55:25 +0800
+Subject: ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
+
+From: Baokun Li <libaokun1@huawei.com>
+
+commit 0c0b4a49d3e7f49690a6827a41faeffad5df7e21 upstream.
+
+Syzbot reports a warning as follows:
+
+============================================
+WARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290
+Modules linked in:
+CPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7
+RIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419
+Call Trace:
+ <TASK>
+ ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375
+ generic_shutdown_super+0x136/0x2d0 fs/super.c:641
+ kill_block_super+0x44/0x90 fs/super.c:1675
+ ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327
+[...]
+============================================
+
+This is because when finding an entry in ext4_xattr_block_cache_find(), if
+ext4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown
+in the __entry_find(), won't be put away, and eventually trigger the above
+issue in mb_cache_destroy() due to reference count leakage.
+
+So call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.
+
+Reported-by: syzbot+dd43bd0f7474512edc47@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=dd43bd0f7474512edc47
+Fixes: fb265c9cb49e ("ext4: add ext4_sb_bread() to disambiguate ENOMEM cases")
+Cc: stable@kernel.org
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20240504075526.2254349-2-libaokun@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/xattr.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -3104,8 +3104,10 @@ ext4_xattr_block_cache_find(struct inode
+ 
+ 		bh = ext4_sb_bread(inode->i_sb, ce->e_value, REQ_PRIO);
+ 		if (IS_ERR(bh)) {
+-			if (PTR_ERR(bh) == -ENOMEM)
++			if (PTR_ERR(bh) == -ENOMEM) {
++				mb_cache_entry_put(ea_block_cache, ce);
+ 				return NULL;
++			}
+ 			bh = NULL;
+ 			EXT4_ERROR_INODE(inode, "block %lu read error",
+ 					 (unsigned long)ce->e_value);
diff --git a/queue-4.19/s390-ap-fix-crash-in-ap-internal-function-modify_bitmap.patch b/queue-4.19/s390-ap-fix-crash-in-ap-internal-function-modify_bitmap.patch
new file mode 100644
index 00000000000..8831646d249
--- /dev/null
+++ b/queue-4.19/s390-ap-fix-crash-in-ap-internal-function-modify_bitmap.patch
@@ -0,0 +1,75 @@
+From d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9 Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger <freude@linux.ibm.com>
+Date: Mon, 13 May 2024 14:49:13 +0200
+Subject: s390/ap: Fix crash in AP internal function modify_bitmap()
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+commit d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9 upstream.
+
+A system crash like this
+
+  Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403
+  Fault in home space mode while using kernel ASCE.
+  AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d
+  Oops: 0038 ilc:3 [#1] PREEMPT SMP
+  Modules linked in: mlx5_ib ...
+  CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8
+  Hardware name: IBM 3931 A01 704 (LPAR)
+  Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)
+  R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
+  Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3
+  000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0
+  000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff
+  000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8
+  Krnl Code: 0000014b75e7b5fc: a7840047            brc     8,0000014b75e7b68a
+  0000014b75e7b600: 18b2                lr      %r11,%r2
+  #0000014b75e7b602: a7f4000a            brc     15,0000014b75e7b616
+  >0000014b75e7b606: eb22d00000e6        laog    %r2,%r2,0(%r13)
+  0000014b75e7b60c: a7680001            lhi     %r6,1
+  0000014b75e7b610: 187b                lr      %r7,%r11
+  0000014b75e7b612: 84960021            brxh    %r9,%r6,0000014b75e7b654
+  0000014b75e7b616: 18e9                lr      %r14,%r9
+  Call Trace:
+  [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8
+  ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)
+  [<0000014b75e7b758>] apmask_store+0x68/0x140
+  [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8
+  [<0000014b75598524>] vfs_write+0x1b4/0x448
+  [<0000014b7559894c>] ksys_write+0x74/0x100
+  [<0000014b7618a440>] __do_syscall+0x268/0x328
+  [<0000014b761a3558>] system_call+0x70/0x98
+  INFO: lockdep is turned off.
+  Last Breaking-Event-Address:
+  [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8
+  Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+occured when /sys/bus/ap/a[pq]mask was updated with a relative mask value
+(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.
+
+The fix is simple: use unsigned long values for the internal variables. The
+correct checks are already in place in the function but a simple int for
+the internal variables was used with the possibility to overflow.
+
+Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Tested-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/ap_bus.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/crypto/ap_bus.c
++++ b/drivers/s390/crypto/ap_bus.c
+@@ -916,7 +916,7 @@ static int hex2bitmap(const char *str, u
+  */
+ static int modify_bitmap(const char *str, unsigned long *bitmap, int bits)
+ {
+-	int a, i, z;
++	unsigned long a, i, z;
+ 	char *np, sign;
+ 
+ 	/* bits needs to be a multiple of 8 */
diff --git a/queue-4.19/series b/queue-4.19/series
index 43f47dff149..3e7a7d60f28 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -208,3 +208,5 @@ kdb-merge-identical-case-statements-in-kdb_read.patch
 kdb-use-format-specifiers-rather-than-memset-for-padding-in-kdb_read.patch
 net-fix-__dst_negative_advice-race.patch
 sparc-move-struct-termio-to-asm-termios.h.patch
+ext4-fix-mb_cache_entry-s-e_refcnt-leak-in-ext4_xattr_block_cache_find.patch
+s390-ap-fix-crash-in-ap-internal-function-modify_bitmap.patch
-- 
2.47.3