From 01a3c0f30ff03d97aef9c45ec9b69324453ec72a Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 22 May 2024 17:55:22 +0200
Subject: [PATCH] 5.4-stable patches
added patches:
ext4-fix-bug_on-in-__es_tree_search.patch
pinctrl-core-handle-radix_tree_insert-errors-in-pinctrl_register_one_pin.patch
series
---
.../ext4-fix-bug_on-in-__es_tree_search.patch | 142 ++++++++++++++++++
...t-errors-in-pinctrl_register_one_pin.patch | 66 ++++++++
queue-5.4/series | 2 +
3 files changed, 210 insertions(+)
create mode 100644 queue-5.4/ext4-fix-bug_on-in-__es_tree_search.patch
create mode 100644 queue-5.4/pinctrl-core-handle-radix_tree_insert-errors-in-pinctrl_register_one_pin.patch
create mode 100644 queue-5.4/series
diff --git a/queue-5.4/ext4-fix-bug_on-in-__es_tree_search.patch b/queue-5.4/ext4-fix-bug_on-in-__es_tree_search.patch
new file mode 100644
index 00000000000..a9ff8038158
--- /dev/null
+++ b/queue-5.4/ext4-fix-bug_on-in-__es_tree_search.patch
@@ -0,0 +1,142 @@
+From d36f6ed761b53933b0b4126486c10d3da7751e7f Mon Sep 17 00:00:00 2001
+From: Baokun Li
+Date: Wed, 18 May 2022 20:08:16 +0800
+Subject: ext4: fix bug_on in __es_tree_search
+
+From: Baokun Li
+
+commit d36f6ed761b53933b0b4126486c10d3da7751e7f upstream.
+
+Hulk Robot reported a BUG_ON:
+==================================================================
+kernel BUG at fs/ext4/extents_status.c:199!
+[...]
+RIP: 0010:ext4_es_end fs/ext4/extents_status.c:199 [inline]
+RIP: 0010:__es_tree_search+0x1e0/0x260 fs/ext4/extents_status.c:217
+[...]
+Call Trace:
+ ext4_es_cache_extent+0x109/0x340 fs/ext4/extents_status.c:766
+ ext4_cache_extents+0x239/0x2e0 fs/ext4/extents.c:561
+ ext4_find_extent+0x6b7/0xa20 fs/ext4/extents.c:964
+ ext4_ext_map_blocks+0x16b/0x4b70 fs/ext4/extents.c:4384
+ ext4_map_blocks+0xe26/0x19f0 fs/ext4/inode.c:567
+ ext4_getblk+0x320/0x4c0 fs/ext4/inode.c:980
+ ext4_bread+0x2d/0x170 fs/ext4/inode.c:1031
+ ext4_quota_read+0x248/0x320 fs/ext4/super.c:6257
+ v2_read_header+0x78/0x110 fs/quota/quota_v2.c:63
+ v2_check_quota_file+0x76/0x230 fs/quota/quota_v2.c:82
+ vfs_load_quota_inode+0x5d1/0x1530 fs/quota/dquot.c:2368
+ dquot_enable+0x28a/0x330 fs/quota/dquot.c:2490
+ ext4_quota_enable fs/ext4/super.c:6137 [inline]
+ ext4_enable_quotas+0x5d7/0x960 fs/ext4/super.c:6163
+ ext4_fill_super+0xa7c9/0xdc00 fs/ext4/super.c:4754
+ mount_bdev+0x2e9/0x3b0 fs/super.c:1158
+ mount_fs+0x4b/0x1e4 fs/super.c:1261
+[...]
+==================================================================
+
+Above issue may happen as follows:
+-------------------------------------
+ext4_fill_super
+ ext4_enable_quotas
+ ext4_quota_enable
+ ext4_iget
+ __ext4_iget
+ ext4_ext_check_inode
+ ext4_ext_check
+ __ext4_ext_check
+ ext4_valid_extent_entries
+ Check for overlapping extents does't take effect
+ dquot_enable
+ vfs_load_quota_inode
+ v2_check_quota_file
+ v2_read_header
+ ext4_quota_read
+ ext4_bread
+ ext4_getblk
+ ext4_map_blocks
+ ext4_ext_map_blocks
+ ext4_find_extent
+ ext4_cache_extents
+ ext4_es_cache_extent
+ ext4_es_cache_extent
+ __es_tree_search
+ ext4_es_end
+ BUG_ON(es->es_lblk + es->es_len < es->es_lblk)
+
+The error ext4 extents is as follows:
+0af3 0300 0400 0000 00000000 extent_header
+00000000 0100 0000 12000000 extent1
+00000000 0100 0000 18000000 extent2
+02000000 0400 0000 14000000 extent3
+
+In the ext4_valid_extent_entries function,
+if prev is 0, no error is returned even if lblock<=prev.
+This was intended to skip the check on the first extent, but
+in the error image above, prev=0+1-1=0 when checking the second extent,
+so even though lblock<=prev, the function does not return an error.
+As a result, bug_ON occurs in __es_tree_search and the system panics.
+
+To solve this problem, we only need to check that:
+1. The lblock of the first extent is not less than 0.
+2. The lblock of the next extent is not less than
+ the next block of the previous extent.
+The same applies to extent_idx.
+
+Cc: stable@kernel.org
+Fixes: 5946d089379a ("ext4: check for overlapping extents in ext4_valid_extent_entries()")
+Reported-by: Hulk Robot
+Signed-off-by: Baokun Li
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20220518120816.1541863-1-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o
+Reported-by: syzbot+2a58d88f0fb315c85363@syzkaller.appspotmail.com
+[gpiccoli: Manual backport due to unrelated missing patches.]
+Signed-off-by: Guilherme G. Piccoli
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/extents.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -409,7 +409,7 @@ static int ext4_valid_extent_entries(str
+ {
+ unsigned short entries;
+ ext4_lblk_t lblock = 0;
+- ext4_lblk_t prev = 0;
++ ext4_lblk_t cur = 0;
+
+ if (eh->eh_entries == 0)
+ return 1;
+@@ -435,12 +435,12 @@ static int ext4_valid_extent_entries(str
+
+ /* Check for overlapping extents */
+ lblock = le32_to_cpu(ext->ee_block);
+- if ((lblock <= prev) && prev) {
++ if (lblock < cur) {
+ pblock = ext4_ext_pblock(ext);
+ es->s_last_error_block = cpu_to_le64(pblock);
+ return 0;
+ }
+- prev = lblock + ext4_ext_get_actual_len(ext) - 1;
++ cur = lblock + ext4_ext_get_actual_len(ext);
+ ext++;
+ entries--;
+ }
+@@ -460,13 +460,13 @@ static int ext4_valid_extent_entries(str
+
+ /* Check for overlapping index extents */
+ lblock = le32_to_cpu(ext_idx->ei_block);
+- if ((lblock <= prev) && prev) {
++ if (lblock < cur) {
+ *pblk = ext4_idx_pblock(ext_idx);
+ return 0;
+ }
+ ext_idx++;
+ entries--;
+- prev = lblock;
++ cur = lblock + 1;
+ }
+ }
+ return 1;
diff --git a/queue-5.4/pinctrl-core-handle-radix_tree_insert-errors-in-pinctrl_register_one_pin.patch b/queue-5.4/pinctrl-core-handle-radix_tree_insert-errors-in-pinctrl_register_one_pin.patch
new file mode 100644
index 00000000000..bdf68987306
--- /dev/null
+++ b/queue-5.4/pinctrl-core-handle-radix_tree_insert-errors-in-pinctrl_register_one_pin.patch
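Review bot: In the index loop of the nested fs/ext4/extents.c change, `cur = lblock + 1;` is computed in `ext4_lblk_t`, which (assuming it is the 32-bit type that `le32_to_cpu(ext_idx->ei_block)` suggests) wraps to 0 when an on-disk index entry carries ei_block 0xFFFFFFFF, so every later entry passes `if (lblock < cur)`; the removed `prev = lblock` form did reject that ordering. The extent loop has the same shape in `cur = lblock + ext4_ext_get_actual_len(ext);`, although a per-extent validity check earlier in that loop body, outside these hunks, may already refuse a wrapping extent. Because this validator runs on metadata read from a possibly corrupted image, I would widen the tracker, e.g. `u64 cur = 0;` with `cur = (u64)lblock + 1;`, or test for the wrap explicitly before the assignment. As this is a stable backport, such a change would have to land upstream first; the function body also starts and ends outside the hunks shown.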
@@ -0,0 +1,66 @@
+From ecfe9a015d3e1e46504d5b3de7eef1f2d186194a Mon Sep 17 00:00:00 2001
+From: Sergey Shtylyov
+Date: Wed, 19 Jul 2023 23:22:52 +0300
+Subject: pinctrl: core: handle radix_tree_insert() errors in pinctrl_register_one_pin()
+
+From: Sergey Shtylyov
+
+commit ecfe9a015d3e1e46504d5b3de7eef1f2d186194a upstream.
+
+pinctrl_register_one_pin() doesn't check the result of radix_tree_insert()
+despite they both may return a negative error code. Linus Walleij said he
+has copied the radix tree code from kernel/irq/ where the functions calling
+radix_tree_insert() are *void* themselves; I think it makes more sense to
+propagate the errors from radix_tree_insert() upstream if we can do that...
+
+Found by Linux Verification Center (linuxtesting.org) with the Svace static
+analysis tool.
+
+Signed-off-by: Sergey Shtylyov
+Link: https://lore.kernel.org/r/20230719202253.13469-3-s.shtylyov@omp.ru
+Signed-off-by: Linus Walleij
+Cc: "Hemdan, Hagar Gamal Halim"
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/core.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/core.c
++++ b/drivers/pinctrl/core.c
+@@ -203,6 +203,7 @@ static int pinctrl_register_one_pin(stru
+ const struct pinctrl_pin_desc *pin)
+ {
+ struct pin_desc *pindesc;
++ int error;
+
+ pindesc = pin_desc_get(pctldev, pin->number);
+ if (pindesc) {
+@@ -224,18 +225,25 @@ static int pinctrl_register_one_pin(stru
+ } else {
+ pindesc->name = kasprintf(GFP_KERNEL, "PIN%u", pin->number);
+ if (!pindesc->name) {
+- kfree(pindesc);
+- return -ENOMEM;
++ error = -ENOMEM;
++ goto failed;
+ }
+ pindesc->dynamic_name = true;
+ }
+
+ pindesc->drv_data = pin->drv_data;
+
+- radix_tree_insert(&pctldev->pin_desc_tree, pin->number, pindesc);
++ error = radix_tree_insert(&pctldev->pin_desc_tree, pin->number, pindesc);
++ if (error)
++ goto failed;
++
+ pr_debug("registered pin %d (%s) on %s\n",
+ pin->number, pindesc->name, pctldev->desc->name);
+ return 0;
++
++failed:
++ kfree(pindesc);
++ return error;
+ }
+
+ static int pinctrl_register_pins(struct pinctrl_dev *pctldev,
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644
index 00000000000..1cea2669bb8
--- /dev/null
+++ b/queue-5.4/series
@@ -0,0 +1,2 @@
+pinctrl-core-handle-radix_tree_insert-errors-in-pinctrl_register_one_pin.patch
+ext4-fix-bug_on-in-__es_tree_search.patch
--
2.47.3
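Review bot: The new `failed:` label in the nested drivers/pinctrl/core.c change frees only `pindesc`, so when `radix_tree_insert()` fails after the `kasprintf()` branch has set `pindesc->dynamic_name = true`, the allocated `pindesc->name` is leaked. The old code had no error exit after the name was allocated, so this leak arrives with the added error handling. I would release the name at the label first, `if (pindesc->dynamic_name) kfree(pindesc->name);` ahead of `kfree(pindesc);`. That stays correct on the -ENOMEM path only if `pindesc` is zero-initialised where it is allocated, which is outside the hunk and should be confirmed.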