--- /dev/null
+From 88969e53ef162c185e16d446b3fcb3772cf6e912 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2024 09:40:37 -0500
+Subject: jfs: Fix sanity check in dbMount
+
+From: Dave Kleikamp <dave.kleikamp@oracle.com>
+
+[ Upstream commit 67373ca8404fe57eb1bb4b57f314cff77ce54932 ]
+
+MAXAG is a legitimate value for bmp->db_numag
+
+Fixes: e63866a47556 ("jfs: fix out-of-bounds in dbNextAG() and diAlloc()")
+
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 974ecf5e0d952..3ab410059dc20 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -187,7 +187,7 @@ int dbMount(struct inode *ipbmap)
+ }
+
+ bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
+- if (!bmp->db_numag || bmp->db_numag >= MAXAG) {
++ if (!bmp->db_numag || bmp->db_numag > MAXAG) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
+--
+2.43.0
+
--- /dev/null
+From 6bc3edf81a7f585405d4a37221bb17f5182999ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2024 22:11:19 +0800
+Subject: LoongArch: Don't crash in stack_top() for tasks without vDSO
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+[ Upstream commit 134475a9ab8487527238d270639a8cb74c10aab2 ]
+
+Not all tasks have a vDSO mapped, for example kthreads never do. If such
+a task ever ends up calling stack_top(), it will derefence the NULL vdso
+pointer and crash.
+
+This can for example happen when using kunit:
+
+ [<9000000000203874>] stack_top+0x58/0xa8
+ [<90000000002956cc>] arch_pick_mmap_layout+0x164/0x220
+ [<90000000003c284c>] kunit_vm_mmap_init+0x108/0x12c
+ [<90000000003c1fbc>] __kunit_add_resource+0x38/0x8c
+ [<90000000003c2704>] kunit_vm_mmap+0x88/0xc8
+ [<9000000000410b14>] usercopy_test_init+0xbc/0x25c
+ [<90000000003c1db4>] kunit_try_run_case+0x5c/0x184
+ [<90000000003c3d54>] kunit_generic_run_threadfn_adapter+0x24/0x48
+ [<900000000022e4bc>] kthread+0xc8/0xd4
+ [<9000000000200ce8>] ret_from_kernel_thread+0xc/0xa4
+
+Fixes: 803b0fc5c3f2 ("LoongArch: Add process management")
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/loongarch/kernel/process.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/arch/loongarch/kernel/process.c b/arch/loongarch/kernel/process.c
+index f2ff8b5d591e4..6e58f65455c7c 100644
+--- a/arch/loongarch/kernel/process.c
++++ b/arch/loongarch/kernel/process.c
+@@ -293,13 +293,15 @@ unsigned long stack_top(void)
+ {
+ unsigned long top = TASK_SIZE & PAGE_MASK;
+
+- /* Space for the VDSO & data page */
+- top -= PAGE_ALIGN(current->thread.vdso->size);
+- top -= VVAR_SIZE;
+-
+- /* Space to randomize the VDSO base */
+- if (current->flags & PF_RANDOMIZE)
+- top -= VDSO_RANDOMIZE_SIZE;
++ if (current->thread.vdso) {
++ /* Space for the VDSO & data page */
++ top -= PAGE_ALIGN(current->thread.vdso->size);
++ top -= VVAR_SIZE;
++
++ /* Space to randomize the VDSO base */
++ if (current->flags & PF_RANDOMIZE)
++ top -= VDSO_RANDOMIZE_SIZE;
++ }
+
+ return top;
+ }
+--
+2.43.0
+
--- /dev/null
+From 09b446b6ded4d3801b680fba7d4edcc7ca4d2357 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 08:07:18 +0200
+Subject: objpool: fix choosing allocation for percpu slots
+
+From: Viktor Malik <vmalik@redhat.com>
+
+[ Upstream commit aff1871bfc81e9dffa7d2a77e67cc5441cc37f81 ]
+
+objpool intends to use vmalloc for default (non-atomic) allocations of
+percpu slots and objects. However, the condition checking if GFP flags
+set any bit of GFP_ATOMIC is wrong b/c GFP_ATOMIC is a combination of bits
+(__GFP_HIGH|__GFP_KSWAPD_RECLAIM) and so `pool->gfp & GFP_ATOMIC` will
+be true if either bit is set. Since GFP_ATOMIC and GFP_KERNEL share the
+___GFP_KSWAPD_RECLAIM bit, kmalloc will be used in cases when GFP_KERNEL
+is specified, i.e. in all current usages of objpool.
+
+This may lead to unexpected OOM errors since kmalloc cannot allocate
+large amounts of memory.
+
+For instance, objpool is used by fprobe rethook which in turn is used by
+BPF kretprobe.multi and kprobe.session probe types. Trying to attach
+these to all kernel functions with libbpf using
+
+ SEC("kprobe.session/*")
+ int kprobe(struct pt_regs *ctx)
+ {
+ [...]
+ }
+
+fails on objpool slot allocation with ENOMEM.
+
+Fix the condition to truly use vmalloc by default.
+
+Link: https://lore.kernel.org/all/20240826060718.267261-1-vmalik@redhat.com/
+
+Fixes: b4edb8d2d464 ("lib: objpool added: ring-array based lockless MPMC")
+Signed-off-by: Viktor Malik <vmalik@redhat.com>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Matt Wu <wuqiang.matt@bytedance.com>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/objpool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/objpool.c b/lib/objpool.c
+index 234f9d0bd081a..fd108fe0d095a 100644
+--- a/lib/objpool.c
++++ b/lib/objpool.c
+@@ -76,7 +76,7 @@ objpool_init_percpu_slots(struct objpool_head *pool, int nr_objs,
+ * mimimal size of vmalloc is one page since vmalloc would
+ * always align the requested size to page size
+ */
+- if (pool->gfp & GFP_ATOMIC)
++ if ((pool->gfp & GFP_ATOMIC) == GFP_ATOMIC)
+ slot = kmalloc_node(size, pool->gfp, cpu_to_node(i));
+ else
+ slot = __vmalloc_node(size, sizeof(void *), pool->gfp,
+--
+2.43.0
+
drm-xe-mcr-use-xe2_lpm-steering-tables-for-xe2_hpm.patch
cifs-validate-content-of-nfs-reparse-point-buffer.patch
platform-x86-dell-sysman-add-support-for-alienware-p.patch
+loongarch-don-t-crash-in-stack_top-for-tasks-without.patch
+objpool-fix-choosing-allocation-for-percpu-slots.patch
+jfs-fix-sanity-check-in-dbmount.patch
+tracing-probes-fix-max_trace_args-limit-handling.patch
+tracing-consider-the-null-character-when-validating-.patch
--- /dev/null
+From 763c0f93bb840973f798d4ecfde63dbf1a9c8a66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 15:47:24 +0100
+Subject: tracing: Consider the NULL character when validating the event length
+
+From: Leo Yan <leo.yan@arm.com>
+
+[ Upstream commit 0b6e2e22cb23105fcb171ab92f0f7516c69c8471 ]
+
+strlen() returns a string length excluding the null byte. If the string
+length equals to the maximum buffer length, the buffer will have no
+space for the NULL terminating character.
+
+This commit checks this condition and returns failure for it.
+
+Link: https://lore.kernel.org/all/20241007144724.920954-1-leo.yan@arm.com/
+
+Fixes: dec65d79fd26 ("tracing/probe: Check event name length correctly")
+Signed-off-by: Leo Yan <leo.yan@arm.com>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
+index 39877c80d6cb9..16a5e368e7b77 100644
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -276,7 +276,7 @@ int traceprobe_parse_event_name(const char **pevent, const char **pgroup,
+ }
+ trace_probe_log_err(offset, NO_EVENT_NAME);
+ return -EINVAL;
+- } else if (len > MAX_EVENT_NAME_LEN) {
++ } else if (len >= MAX_EVENT_NAME_LEN) {
+ trace_probe_log_err(offset, EVENT_TOO_LONG);
+ return -EINVAL;
+ }
+--
+2.43.0
+
--- /dev/null
+From ff6cb2537676cb3ff35de727ed1af05515a402a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 16:26:54 -0400
+Subject: tracing/probes: Fix MAX_TRACE_ARGS limit handling
+
+From: Mikel Rychliski <mikel@mikelr.com>
+
+[ Upstream commit 73f35080477e893aa6f4c8d388352b871b288fbc ]
+
+When creating a trace_probe we would set nr_args prior to truncating the
+arguments to MAX_TRACE_ARGS. However, we would only initialize arguments
+up to the limit.
+
+This caused invalid memory access when attempting to set up probes with
+more than 128 fetchargs.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000020
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: Oops: 0000 [#1] PREEMPT SMP PTI
+ CPU: 0 UID: 0 PID: 1769 Comm: cat Not tainted 6.11.0-rc7+ #8
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
+ RIP: 0010:__set_print_fmt+0x134/0x330
+
+Resolve the issue by applying the MAX_TRACE_ARGS limit earlier. Return
+an error when there are too many arguments instead of silently
+truncating.
+
+Link: https://lore.kernel.org/all/20240930202656.292869-1-mikel@mikelr.com/
+
+Fixes: 035ba76014c0 ("tracing/probes: cleanup: Set trace_probe::nr_args at trace_probe_init")
+Signed-off-by: Mikel Rychliski <mikel@mikelr.com>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_eprobe.c | 7 ++++++-
+ kernel/trace/trace_fprobe.c | 6 +++++-
+ kernel/trace/trace_kprobe.c | 6 +++++-
+ kernel/trace/trace_uprobe.c | 4 +++-
+ 4 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/trace/trace_eprobe.c b/kernel/trace/trace_eprobe.c
+index b0e0ec85912e9..ebda68ee9abff 100644
+--- a/kernel/trace/trace_eprobe.c
++++ b/kernel/trace/trace_eprobe.c
+@@ -912,6 +912,11 @@ static int __trace_eprobe_create(int argc, const char *argv[])
+ }
+ }
+
++ if (argc - 2 > MAX_TRACE_ARGS) {
++ ret = -E2BIG;
++ goto error;
++ }
++
+ mutex_lock(&event_mutex);
+ event_call = find_and_get_event(sys_name, sys_event);
+ ep = alloc_event_probe(group, event, event_call, argc - 2);
+@@ -937,7 +942,7 @@ static int __trace_eprobe_create(int argc, const char *argv[])
+
+ argc -= 2; argv += 2;
+ /* parse arguments */
+- for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) {
++ for (i = 0; i < argc; i++) {
+ trace_probe_log_set_index(i + 2);
+ ret = trace_eprobe_tp_update_arg(ep, argv, i);
+ if (ret)
+diff --git a/kernel/trace/trace_fprobe.c b/kernel/trace/trace_fprobe.c
+index 62e6a8f4aae9b..5107d466a1293 100644
+--- a/kernel/trace/trace_fprobe.c
++++ b/kernel/trace/trace_fprobe.c
+@@ -1104,6 +1104,10 @@ static int __trace_fprobe_create(int argc, const char *argv[])
+ argc = new_argc;
+ argv = new_argv;
+ }
++ if (argc > MAX_TRACE_ARGS) {
++ ret = -E2BIG;
++ goto out;
++ }
+
+ ret = traceprobe_expand_dentry_args(argc, argv, &dbuf);
+ if (ret)
+@@ -1124,7 +1128,7 @@ static int __trace_fprobe_create(int argc, const char *argv[])
+ (unsigned long)tf->tpoint->probestub);
+
+ /* parse arguments */
+- for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) {
++ for (i = 0; i < argc; i++) {
+ trace_probe_log_set_index(i + 2);
+ ctx.offset = 0;
+ ret = traceprobe_parse_probe_arg(&tf->tp, i, argv[i], &ctx);
+diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
+index 61a6da808203e..263fac44d3ca3 100644
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -1013,6 +1013,10 @@ static int __trace_kprobe_create(int argc, const char *argv[])
+ argc = new_argc;
+ argv = new_argv;
+ }
++ if (argc > MAX_TRACE_ARGS) {
++ ret = -E2BIG;
++ goto out;
++ }
+
+ ret = traceprobe_expand_dentry_args(argc, argv, &dbuf);
+ if (ret)
+@@ -1029,7 +1033,7 @@ static int __trace_kprobe_create(int argc, const char *argv[])
+ }
+
+ /* parse arguments */
+- for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) {
++ for (i = 0; i < argc; i++) {
+ trace_probe_log_set_index(i + 2);
+ ctx.offset = 0;
+ ret = traceprobe_parse_probe_arg(&tk->tp, i, argv[i], &ctx);
+diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
+index 2c30d948e733c..6de07df05ed8c 100644
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -556,6 +556,8 @@ static int __trace_uprobe_create(int argc, const char **argv)
+
+ if (argc < 2)
+ return -ECANCELED;
++ if (argc - 2 > MAX_TRACE_ARGS)
++ return -E2BIG;
+
+ if (argv[0][1] == ':')
+ event = &argv[0][2];
+@@ -681,7 +683,7 @@ static int __trace_uprobe_create(int argc, const char **argv)
+ tu->filename = filename;
+
+ /* parse arguments */
+- for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) {
++ for (i = 0; i < argc; i++) {
+ struct traceprobe_parse_context ctx = {
+ .flags = (is_return ? TPARG_FL_RETURN : 0) | TPARG_FL_USER,
+ };
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
