From 401b0a72da6af527bb5dd5e93f1c2516471b10f3 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 9 May 2021 12:12:50 +0200
Subject: [PATCH] 5.4-stable patches

added patches:
f2fs-fix-to-avoid-out-of-bounds-memory-access.patch
makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch
ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch
virtiofs-fix-memory-leak-in-virtio_fs_probe.patch

---
 ...to-avoid-out-of-bounds-memory-access.patch | 58 ++++++++++++++++++
 ...t-set-variable-out-of-gcc-only-block.patch | 49 +++++++++++++++
 queue-5.4/series | 4 ++
 ...-inode-type-to-judge-if-inode-linked.patch | 46 +++++++++++++++
 ...s-fix-memory-leak-in-virtio_fs_probe.patch | 59 +++++++++++++++++++
 5 files changed, 216 insertions(+)
 create mode 100644 queue-5.4/f2fs-fix-to-avoid-out-of-bounds-memory-access.patch
 create mode 100644 queue-5.4/makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch
 create mode 100644 queue-5.4/ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch
 create mode 100644 queue-5.4/virtiofs-fix-memory-leak-in-virtio_fs_probe.patch

diff --git a/queue-5.4/f2fs-fix-to-avoid-out-of-bounds-memory-access.patch b/queue-5.4/f2fs-fix-to-avoid-out-of-bounds-memory-access.patch
new file mode 100644
index 00000000000..0af0a5dc41e
--- /dev/null
+++ b/queue-5.4/f2fs-fix-to-avoid-out-of-bounds-memory-access.patch
@@ -0,0 +1,58 @@
+From b862676e371715456c9dade7990c8004996d0d9e Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Mon, 22 Mar 2021 19:47:30 +0800
+Subject: f2fs: fix to avoid out-of-bounds memory access
+
+From: Chao Yu
+
+commit b862676e371715456c9dade7990c8004996d0d9e upstream.
+
+butt3rflyh4ck reported a bug found by
+syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]:
+
+ dump_stack+0xfa/0x151 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232
+ __kasan_report mm/kasan/report.c:399 [inline]
+ kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
+ f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline]
+ current_nat_addr fs/f2fs/node.h:213 [inline]
+ get_next_nat_page fs/f2fs/node.c:123 [inline]
+ __flush_nat_entry_set fs/f2fs/node.c:2888 [inline]
+ f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991
+ f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640
+ f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807
+ f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454
+ __sync_filesystem fs/sync.c:39 [inline]
+ sync_filesystem fs/sync.c:67 [inline]
+ sync_filesystem+0x1b5/0x260 fs/sync.c:48
+ generic_shutdown_super+0x70/0x370 fs/super.c:448
+ kill_block_super+0x97/0xf0 fs/super.c:1394
+
+The root cause is, if nat entry in checkpoint journal area is corrupted,
+e.g. nid of journalled nat entry exceeds max nid value, during checkpoint,
+once it tries to flush nat journal to NAT area, get_next_nat_page() may
+access out-of-bounds memory on nat_bitmap due to it uses wrong nid value
+as bitmap offset.
+
+[1] https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u
+
+Reported-and-tested-by: butt3rflyh4ck
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/node.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -2718,6 +2718,9 @@ static void remove_nats_in_journal(struc
+ struct f2fs_nat_entry raw_ne;
+ nid_t nid = le32_to_cpu(nid_in_journal(journal, i));
+
++ if (f2fs_check_nid_range(sbi, nid))
++ continue;
++
+ raw_ne = nat_in_journal(journal, i);
+
+ ne = __lookup_nat_cache(nm_i, nid);
diff --git a/queue-5.4/makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch b/queue-5.4/makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch
new file mode 100644
index 00000000000..4a348ea91b0
--- /dev/null
+++ b/queue-5.4/makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch
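Review bot: The added guard (the two `++` lines after `nid_t nid = ...`) turns an out-of-range journalled nid into a silent `continue`, so a corrupted journal entry is dropped from the NAT flush instead of failing the checkpoint; that is only acceptable if f2fs_check_nid_range() itself logs the corruption and marks the filesystem for fsck, which the hunk cannot show and which should be confirmed on the 5.4 tree rather than assumed from upstream. A one-line comment would make the intent visible at the site: `/* nid from a corrupted checkpoint journal: skip it rather than use it as a nat_bitmap offset */`. remove_nats_in_journal() and the loop that yields `i` both begin before the hunk and continue past it.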
@@ -0,0 +1,49 @@
+From 885480b084696331bea61a4f7eba10652999a9c1 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Wed, 28 Apr 2021 18:23:50 -0700
+Subject: Makefile: Move -Wno-unused-but-set-variable out of GCC only block
+
+From: Nathan Chancellor
+
+commit 885480b084696331bea61a4f7eba10652999a9c1 upstream.
+
+Currently, -Wunused-but-set-variable is only supported by GCC so it is
+disabled unconditionally in a GCC only block (it is enabled with W=1).
+clang currently has its implementation for this warning in review so
+preemptively move this statement out of the GCC only block and wrap it
+with cc-disable-warning so that both compilers function the same.
+
+Cc: stable@vger.kernel.org
+Link: https://reviews.llvm.org/D100581
+Signed-off-by: Nathan Chancellor
+Reviewed-by: Nick Desaulniers
+Tested-by: Nick Desaulniers
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Greg Kroah-Hartman
+---
+ Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -765,16 +765,16 @@ KBUILD_CFLAGS += -Wno-tautological-compa
+ KBUILD_CFLAGS += -mno-global-merge
+ else
+
+-# These warnings generated too much noise in a regular build.
+-# Use make W=1 to enable them (see scripts/Makefile.extrawarn)
+-KBUILD_CFLAGS += -Wno-unused-but-set-variable
+-
+ # Warn about unmarked fall-throughs in switch statement.
+ # Disabled for clang while comment to attribute conversion happens and
+ # https://github.com/ClangBuiltLinux/linux/issues/636 is discussed.
+ KBUILD_CFLAGS += $(call cc-option,-Wimplicit-fallthrough,)
+ endif
+
++# These warnings generated too much noise in a regular build.
++# Use make W=1 to enable them (see scripts/Makefile.extrawarn)
++KBUILD_CFLAGS += $(call cc-disable-warning, unused-but-set-variable)
++
+ KBUILD_CFLAGS += $(call cc-disable-warning, unused-const-variable)
+ ifdef CONFIG_FRAME_POINTER
+ KBUILD_CFLAGS += -fno-omit-frame-pointer -fno-optimize-sibling-calls
diff --git a/queue-5.4/series b/queue-5.4/series
index 47af0769155..a5666e75dc3 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -134,3 +134,7 @@ alsa-hda-realtek-fix-static-noise-on-alc285-lenovo-laptops.patch
 alsa-hda-realtek-add-quirk-for-intel-clevo-pcx0dx.patch
 btrfs-fix-race-when-picking-most-recent-mod-log-oper.patch
 arm64-vdso-discard-.note.gnu.property-sections-in-vd.patch
+makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch
+virtiofs-fix-memory-leak-in-virtio_fs_probe.patch
+ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch
+f2fs-fix-to-avoid-out-of-bounds-memory-access.patch
diff --git a/queue-5.4/ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch b/queue-5.4/ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch
new file mode 100644
index 00000000000..077998d7a76
--- /dev/null
+++ b/queue-5.4/ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch
@@ -0,0 +1,46 @@
+From 3e903315790baf4a966436e7f32e9c97864570ac Mon Sep 17 00:00:00 2001
+From: Guochun Mao
+Date: Tue, 16 Mar 2021 16:52:14 +0800
+Subject: ubifs: Only check replay with inode type to judge if inode linked
+
+From: Guochun Mao
+
+commit 3e903315790baf4a966436e7f32e9c97864570ac upstream.
+
+Conside the following case, it just write a big file into flash,
+when complete writing, delete the file, and then power off promptly.
+Next time power on, we'll get a replay list like:
+...
+LEB 1105:211344 len 4144 deletion 0 sqnum 428783 key type 1 inode 80
+LEB 15:233544 len 160 deletion 1 sqnum 428785 key type 0 inode 80
+LEB 1105:215488 len 4144 deletion 0 sqnum 428787 key type 1 inode 80
+...
+In the replay list, data nodes' deletion are 0, and the inode node's
+deletion is 1. In current logic, the file's dentry will be removed,
+but inode and the flash space it occupied will be reserved.
+User will see that much free space been disappeared.
+
+We only need to check the deletion value of the following inode type
+node of the replay entry.
+
+Fixes: e58725d51fa8 ("ubifs: Handle re-linking of inodes correctly while recovery")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guochun Mao
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ubifs/replay.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ubifs/replay.c
++++ b/fs/ubifs/replay.c
+@@ -223,7 +223,8 @@ static bool inode_still_linked(struct ub
+ */
+ list_for_each_entry_reverse(r, &c->replay_list, list) {
+ ubifs_assert(c, r->sqnum >= rino->sqnum);
+- if (key_inum(c, &r->key) == key_inum(c, &rino->key))
++ if (key_inum(c, &r->key) == key_inum(c, &rino->key) &&
++ key_type(c, &r->key) == UBIFS_INO_KEY)
+ return r->deletion == 0;
+
+ }
diff --git a/queue-5.4/virtiofs-fix-memory-leak-in-virtio_fs_probe.patch b/queue-5.4/virtiofs-fix-memory-leak-in-virtio_fs_probe.patch
new file mode 100644
index 00000000000..5569b3dee9b
--- /dev/null
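Review bot: With the added `key_type(c, &r->key) == UBIFS_INO_KEY` conjunct, a data node for the same inum no longer ends the walk, so when no inode node follows rino the result is whatever inode_still_linked() returns after the loop — that return sits outside the hunk, and the backport should be checked to keep it identical to upstream on the 5.4 tree. The commit message is the only place that explains why data nodes must be ignored (their deletion field is 0 in the replay list shown there); a comment above the condition would keep that reasoning next to the code: `/* Only an inode node says whether the inode is still linked; data nodes for the same inum carry deletion == 0 regardless. */`. The function starts before the hunk and its closing lines are outside it.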
+++ b/queue-5.4/virtiofs-fix-memory-leak-in-virtio_fs_probe.patch 
@@ -0,0 +1,59 @@
+From c79c5e0178922a9e092ec8fed026750f39dcaef4 Mon Sep 17 00:00:00 2001
+From: Luis Henriques
+Date: Wed, 17 Mar 2021 08:44:43 +0000
+Subject: virtiofs: fix memory leak in virtio_fs_probe()
+
+From: Luis Henriques
+
+commit c79c5e0178922a9e092ec8fed026750f39dcaef4 upstream.
+
+When accidentally passing twice the same tag to qemu, kmemleak ended up
+reporting a memory leak in virtiofs. Also, looking at the log I saw the
+following error (that's when I realised the duplicated tag):
+
+ virtiofs: probe of virtio5 failed with error -17
+
+Here's the kmemleak log for reference:
+
+unreferenced object 0xffff888103d47800 (size 1024):
+ comm "systemd-udevd", pid 118, jiffies 4294893780 (age 18.340s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
+ ff ff ff ff ff ff ff ff 80 90 02 a0 ff ff ff ff ................
+ backtrace:
+ [<000000000ebb87c1>] virtio_fs_probe+0x171/0x7ae [virtiofs]
+ [<00000000f8aca419>] virtio_dev_probe+0x15f/0x210
+ [<000000004d6baf3c>] really_probe+0xea/0x430
+ [<00000000a6ceeac8>] device_driver_attach+0xa8/0xb0
+ [<00000000196f47a7>] __driver_attach+0x98/0x140
+ [<000000000b20601d>] bus_for_each_dev+0x7b/0xc0
+ [<00000000399c7b7f>] bus_add_driver+0x11b/0x1f0
+ [<0000000032b09ba7>] driver_register+0x8f/0xe0
+ [<00000000cdd55998>] 0xffffffffa002c013
+ [<000000000ea196a2>] do_one_initcall+0x64/0x2e0
+ [<0000000008f727ce>] do_init_module+0x5c/0x260
+ [<000000003cdedab6>] __do_sys_finit_module+0xb5/0x120
+ [<00000000ad2f48c6>] do_syscall_64+0x33/0x40
+ [<00000000809526b5>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Luis Henriques
+Fixes: a62a8ef9d97d ("virtio-fs: add virtiofs filesystem")
+Reviewed-by: Stefan Hajnoczi
+Reviewed-by: Vivek Goyal
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/virtio_fs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/fuse/virtio_fs.c
++++ b/fs/fuse/virtio_fs.c
+@@ -667,6 +667,7 @@ static int virtio_fs_probe(struct virtio
+ out_vqs:
+ vdev->config->reset(vdev);
+ virtio_fs_cleanup_vqs(vdev, fs);
++ kfree(fs->vqs);
+
+ out:
+ vdev->priv = NULL;

-- 
2.47.3
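Review bot: The added `kfree(fs->vqs);` on the `out_vqs` path leaves `fs->vqs` dangling while `fs` is still reachable through whatever follows `out:` (presumably a `kfree(fs)` that ends the function, which lies outside the hunk); that is fine if `fs` is released there and nothing else frees or walks `fs->vqs` afterwards, but the split of ownership of that array between virtio_fs_cleanup_vqs() on the preceding line and this kfree is not visible here and should be confirmed against the 5.4 virtio_fs_probe(). If `fs` can outlive this path anywhere, `fs->vqs = NULL;` after the kfree would make any later release idempotent. The enclosing virtio_fs_probe() begins before the hunk and ends after it.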