From: Greg Kroah-Hartman
Date: Tue, 16 Jul 2024 13:29:48 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v4.19.318~27
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=04c8e1249ba04353c4639602266e8a5649e4ac2d;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
ext4-avoid-ptr-null-pointer-dereference.patch
nilfs2-fix-kernel-bug-on-rename-operation-of-broken-directory.patch
---
diff --git a/queue-5.4/ext4-avoid-ptr-null-pointer-dereference.patch b/queue-5.4/ext4-avoid-ptr-null-pointer-dereference.patch
new file mode 100644
index 00000000000..350b56a3d17
--- /dev/null
+++ b/queue-5.4/ext4-avoid-ptr-null-pointer-dereference.patch
@@ -0,0 +1,39 @@
+From libaokun@huaweicloud.com Tue Jul 16 15:13:28 2024
+From: libaokun@huaweicloud.com
+Date: Tue, 16 Jul 2024 17:29:29 +0800
+Subject: ext4: avoid ptr null pointer dereference
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: sashal@kernel.org, tytso@mit.edu, jack@suse.cz, patches@lists.linux.dev, yi.zhang@huawei.com, yangerkun@huawei.com, libaokun@huaweicloud.com, Baokun Li
+Message-ID: <20240716092929.864207-1-libaokun@huaweicloud.com>
+
+From: Baokun Li
+
+When commit 13df4d44a3aa ("ext4: fix slab-out-of-bounds in
+ext4_mb_find_good_group_avg_frag_lists()") was backported to stable, the
+commit f536808adcc3 ("ext4: refactor out ext4_generic_attr_store()") that
+uniformly determines if the ptr is null is not merged in, so it needs to
+be judged whether ptr is null or not in each case of the switch, otherwise
+null pointer dereferencing may occur.
+
+Signed-off-by: Baokun Li
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/sysfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/ext4/sysfs.c b/fs/ext4/sysfs.c
+index 63cbda3700ea..d65dccb44ed5 100644
+--- a/fs/ext4/sysfs.c
++++ b/fs/ext4/sysfs.c
+@@ -473,6 +473,8 @@ static ssize_t ext4_attr_store(struct kobject *kobj,
+ *((unsigned int *) ptr) = t;
+ return len;
+ case attr_clusters_in_group:
++ if (!ptr)
++ return 0;
+ ret = kstrtouint(skip_spaces(buf), 0, &t);
+ if (ret)
+ return ret;
+--
+2.39.2
+
diff --git a/queue-5.4/nilfs2-fix-kernel-bug-on-rename-operation-of-broken-directory.patch b/queue-5.4/nilfs2-fix-kernel-bug-on-rename-operation-of-broken-directory.patch
new file mode 100644
index 00000000000..ed46a3e48d8
--- /dev/null
+++ b/queue-5.4/nilfs2-fix-kernel-bug-on-rename-operation-of-broken-directory.patch
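Review bot: The added `if (!ptr) return 0;` in the attr_clusters_in_group case turns a NULL ptr into a zero-byte "success" for the sysfs store rather than an error return, and the reason ptr can be NULL here lives only in the commit message, not next to the check. This presumably mirrors how the other cases of ext4_attr_store() treat a NULL result from calc_ptr() and what upstream's ext4_generic_attr_store() does, so the behaviour itself is consistent; what is missing is a comment that keeps the rationale with the code. Something like `/* calc_ptr() may yield NULL for this attribute; nothing to store */` above the new test would do. ext4_attr_store() starts and ends outside the hunk, so the sibling cases cannot be confirmed from here.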
@@ -0,0 +1,78 @@
+From a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Sat, 29 Jun 2024 01:51:07 +0900
+Subject: nilfs2: fix kernel bug on rename operation of broken directory
+
+From: Ryusuke Konishi
+
+commit a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 upstream.
+
+Syzbot reported that in rename directory operation on broken directory on
+nilfs2, __block_write_begin_int() called to prepare block write may fail
+BUG_ON check for access exceeding the folio/page size.
+
+This is because nilfs_dotdot(), which gets parent directory reference
+entry ("..") of the directory to be moved or renamed, does not check
+consistency enough, and may return location exceeding folio/page size for
+broken directories.
+
+Fix this issue by checking required directory entries ("." and "..") in
+the first chunk of the directory in nilfs_dotdot().
+
+Link: https://lkml.kernel.org/r/20240628165107.9006-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+d3abed1ad3d367fa2627@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627
+Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
+Tested-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/dir.c | 32 ++++++++++++++++++++++++++++++--
+ 1 file changed, 30 insertions(+), 2 deletions(-)
+
+--- a/fs/nilfs2/dir.c
++++ b/fs/nilfs2/dir.c
+@@ -396,11 +396,39 @@ found:
+
+ struct nilfs_dir_entry *nilfs_dotdot(struct inode *dir, struct page **p)
+ {
+- struct nilfs_dir_entry *de = nilfs_get_page(dir, 0, p);
++ struct page *page;
++ struct nilfs_dir_entry *de, *next_de;
++ size_t limit;
++ char *msg;
+
++ de = nilfs_get_page(dir, 0, &page);
+ if (IS_ERR(de))
+ return NULL;
+- return nilfs_next_entry(de);
++
++ limit = nilfs_last_byte(dir, 0); /* is a multiple of chunk size */
++ if (unlikely(!limit || le64_to_cpu(de->inode) != dir->i_ino ||
++ !nilfs_match(1, ".", de))) {
++ msg = "missing '.'";
++ goto fail;
++ }
++
++ next_de = nilfs_next_entry(de);
++ /*
++ * If "next_de" has not reached the end of the chunk, there is
++ * at least one more record. Check whether it matches "..".
++ */
++ if (unlikely((char *)next_de == (char *)de + nilfs_chunk_size(dir) ||
++ !nilfs_match(2, "..", next_de))) {
++ msg = "missing '..'";
++ goto fail;
++ }
++ *p = page;
++ return next_de;
++
++fail:
++ nilfs_error(dir->i_sb, "directory #%lu %s", dir->i_ino, msg);
++ nilfs_put_page(page);
++ return NULL;
+ }
+
+ ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr)
diff --git a/queue-5.4/series b/queue-5.4/series
index fc22829fb1a..29b5289a992 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -74,3 +74,5 @@ tcp-refactor-tcp_retransmit_timer.patch
 net-tcp-fix-unexcepted-socket-die-when-snd_wnd-is-0.patch
 tcp-use-signed-arithmetic-in-tcp_rtx_probe0_timed_out.patch
 tcp-avoid-too-many-retransmit-packets.patch
+nilfs2-fix-kernel-bug-on-rename-operation-of-broken-directory.patch
+ext4-avoid-ptr-null-pointer-dereference.patch
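Review bot: The end-of-chunk test `(char *)next_de == (char *)de + nilfs_chunk_size(dir)` in the new nilfs_dotdot() only catches next_de landing exactly on the chunk boundary, so it is safe only if the rec_len of "." is already bounded to the chunk; that bound presumably comes from the page validation nilfs_get_page() runs via nilfs_check_page(), which is not visible in this hunk and is not mentioned at the check. A comment making that dependency explicit would stop a later reader from "fixing" the `==` to `>=` or from moving this code to an unchecked page, e.g. `/* rec_len of "." was bounded by nilfs_check_page(), so next_de cannot overshoot the chunk */`. Separately, `limit` is only ever tested for zero, so its name and the trailing "multiple of chunk size" remark promise more than the code uses; a note such as `/* zero means an empty first chunk, i.e. no '.' entry at all */` at the `!limit` test would describe what is actually checked. The whole function is inside the hunk, so no other caller or path is affected.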