fs: add some mainline backports in v5.4.6x
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
diff --git a/queue/ext4-fix-potential-negative-array-index-in-do_split.patch b/queue/ext4-fix-potential-negative-array-index-in-do_split.patch
new file mode 100644
index 0000000..7e4f441
--- /dev/null
+++ b/queue/ext4-fix-potential-negative-array-index-in-do_split.patch
@@ -0,0 +1,63 @@
+From caea1e58db9848b12b0cf7a0d70250bff9b59bd6 Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Wed, 17 Jun 2020 14:19:04 -0500
+Subject: [PATCH] ext4: fix potential negative array index in do_split()
+
+commit 5872331b3d91820e14716632ebb56b1399b34fe1 upstream.
+
+If for any reason a directory passed to do_split() does not have enough
+active entries to exceed half the size of the block, we can end up
+iterating over all "count" entries without finding a split point.
+
+In this case, count == move, and split will be zero, and we will
+attempt a negative index into map[].
+
+Guard against this by detecting this case, and falling back to
+split-to-half-of-count instead; in this case we will still have
+plenty of space (> half blocksize) in each split block.
+
+Fixes: ef2b02d3e617 ("ext34: ensure do_split leaves enough free space in both blocks")
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/f53e246b-647c-64bb-16ec-135383c70ad7@redhat.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 7f1cb46f4f0d..8e1d5912556a 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1853,7 +1853,7 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir,
+ blocksize, hinfo, map);
+ map -= count;
+ dx_sort_map(map, count);
+- /* Split the existing block in the middle, size-wise */
++ /* Ensure that neither split block is over half full */
+ size = 0;
+ move = 0;
+ for (i = count-1; i >= 0; i--) {
+@@ -1863,8 +1863,18 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir,
+ size += map[i].size;
+ move++;
+ }
+- /* map index at which we will split */
+- split = count - move;
++ /*
++ * map index at which we will split
++ *
++ * If the sum of active entries didn't exceed half the block size, just
++ * split it in half by count; each resulting block will have at least
++ * half the space free.
++ */
++ if (i > 0)
++ split = count - move;
++ else
++ split = count/2;
++
+ hash2 = map[split].hash;
+ continued = hash2 == map[split - 1].hash;
+ dxtrace(printk(KERN_INFO "Split block %lu at %x, %i/%i\n",
+--
+2.27.0
+
diff --git a/queue/jbd2-add-the-missing-unlock_buffer-in-the-error-path.patch b/queue/jbd2-add-the-missing-unlock_buffer-in-the-error-path.patch
new file mode 100644
index 0000000..6ec6b2f
--- /dev/null
+++ b/queue/jbd2-add-the-missing-unlock_buffer-in-the-error-path.patch
@@ -0,0 +1,39 @@
+From ef3f5830b859604eda8723c26d90ab23edc027a4 Mon Sep 17 00:00:00 2001
+From: "zhangyi (F)" <yi.zhang@huawei.com>
+Date: Sat, 20 Jun 2020 14:19:48 +0800
+Subject: [PATCH] jbd2: add the missing unlock_buffer() in the error path of
+ jbd2_write_superblock()
+
+commit ef3f5830b859604eda8723c26d90ab23edc027a4 upstream.
+
+jbd2_write_superblock() is under the buffer lock of journal superblock
+before ending that superblock write, so add a missing unlock_buffer() in
+in the error path before submitting buffer.
+
+Fixes: 742b06b5628f ("jbd2: check superblock mapped prior to committing")
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Reviewed-by: Ritesh Harjani <riteshh@linux.ibm.com>
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20200620061948.2049579-1-yi.zhang@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
+index e4944436e733..5493a0da23dd 100644
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -1367,8 +1367,10 @@ static int jbd2_write_superblock(journal_t *journal, int write_flags)
+ int ret;
+
+ /* Buffer got discarded which means block device got invalidated */
+- if (!buffer_mapped(bh))
++ if (!buffer_mapped(bh)) {
++ unlock_buffer(bh);
+ return -EIO;
++ }
+
+ trace_jbd2_write_superblock(journal, write_flags);
+ if (!(journal->j_flags & JBD2_BARRIER))
+--
+2.27.0
+
diff --git a/queue/series b/queue/series
index c100238..e43dda2 100644
--- a/queue/series
+++ b/queue/series
@@ -31,6 +31,9 @@
driver-core-Avoid-binding-drivers-to-dead-devices.patch
MIPS-CPU-0-is-not-hotpluggable.patch
ext2-fix-missing-percpu_counter_inc.patch
+ext4-fix-potential-negative-array-index-in-do_split.patch
+jbd2-add-the-missing-unlock_buffer-in-the-error-path.patch
+xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch
mm-page_counter.c-fix-protection-usage-propagation.patch
ftrace-Setup-correct-FTRACE_FL_REGS-flags-for-module.patch
kprobes-Fix-NULL-pointer-dereference-at-kprobe_ftrac.patch
diff --git a/queue/xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch b/queue/xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch
new file mode 100644
index 0000000..4392059
--- /dev/null
+++ b/queue/xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch
@@ -0,0 +1,49 @@
+From f4020438fab05364018c91f7e02ebdd192085933 Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Wed, 26 Aug 2020 14:11:58 -0700
+Subject: [PATCH] xfs: fix boundary test in xfs_attr_shortform_verify
+
+commit f4020438fab05364018c91f7e02ebdd192085933 upstream.
+
+The boundary test for the fixed-offset parts of xfs_attr_sf_entry in
+xfs_attr_shortform_verify is off by one, because the variable array
+at the end is defined as nameval[1] not nameval[].
+Hence we need to subtract 1 from the calculation.
+
+This can be shown by:
+
+# touch file
+# setfattr -n root.a file
+
+and verifications will fail when it's written to disk.
+
+This only matters for a last attribute which has a single-byte name
+and no value, otherwise the combination of namelen & valuelen will
+push endp further out and this test won't fail.
+
+Fixes: 1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs")
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
+index 8623c815164a..383b08f2ac61 100644
+--- a/fs/xfs/libxfs/xfs_attr_leaf.c
++++ b/fs/xfs/libxfs/xfs_attr_leaf.c
+@@ -1036,8 +1036,10 @@ xfs_attr_shortform_verify(
+ * struct xfs_attr_sf_entry has a variable length.
+ * Check the fixed-offset parts of the structure are
+ * within the data buffer.
++ * xfs_attr_sf_entry is defined with a 1-byte variable
++ * array at the end, so we must subtract that off.
+ */
+- if (((char *)sfep + sizeof(*sfep)) >= endp)
++ if (((char *)sfep + sizeof(*sfep) - 1) >= endp)
+ return __this_address;
+
+ /* Don't allow names with known bad length. */
+--
+2.27.0
+
