--- /dev/null
+From b45193cb4df556fe6251b285a5ce44046dd36b4a Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Tue, 4 Apr 2023 09:31:28 +0200
+Subject: can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit b45193cb4df556fe6251b285a5ce44046dd36b4a upstream.
+
+In the j1939_tp_tx_dat_new() function, an out-of-bounds memory access
+could occur during the memcpy() operation if the size of skb->cb is
+larger than the size of struct j1939_sk_buff_cb. This is because the
+memcpy() operation uses the size of skb->cb, leading to a read beyond
+the struct j1939_sk_buff_cb.
+
+Updated the memcpy() operation to use the size of struct
+j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the
+memcpy() operation only reads the memory within the bounds of struct
+j1939_sk_buff_cb, preventing out-of-bounds memory access.
+
+Additionally, add a BUILD_BUG_ON() to check that the size of skb->cb
+is greater than or equal to the size of struct j1939_sk_buff_cb. This
+ensures that the skb->cb buffer is large enough to hold the
+j1939_sk_buff_cb structure.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Reported-by: Shuangpeng Bai <sjb7183@psu.edu>
+Tested-by: Shuangpeng Bai <sjb7183@psu.edu>
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://groups.google.com/g/syzkaller/c/G_LL-C3plRs/m/-8xCi6dCAgAJ
+Link: https://lore.kernel.org/all/20230404073128.3173900-1-o.rempel@pengutronix.de
+Cc: stable@vger.kernel.org
+[mkl: rephrase commit message]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/transport.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -600,7 +600,10 @@ sk_buff *j1939_tp_tx_dat_new(struct j193
+ /* reserve CAN header */
+ skb_reserve(skb, offsetof(struct can_frame, data));
+
+- memcpy(skb->cb, re_skcb, sizeof(skb->cb));
++ /* skb->cb must be large enough to hold a j1939_sk_buff_cb structure */
++ BUILD_BUG_ON(sizeof(skb->cb) < sizeof(*re_skcb));
++
++ memcpy(skb->cb, re_skcb, sizeof(*re_skcb));
+ skcb = j1939_skb_to_cb(skb);
+ if (swap_src_dst)
+ j1939_skbcb_swap(skcb);
--- /dev/null
+From ea65b41807a26495ff2a73dd8b1bab2751940887 Mon Sep 17 00:00:00 2001
+From: John Keeping <john@metanate.com>
+Date: Mon, 27 Mar 2023 18:36:46 +0100
+Subject: ftrace: Mark get_lock_parent_ip() __always_inline
+
+From: John Keeping <john@metanate.com>
+
+commit ea65b41807a26495ff2a73dd8b1bab2751940887 upstream.
+
+If the compiler decides not to inline this function then preemption
+tracing will always show an IP inside the preemption disabling path and
+never the function actually calling preempt_{enable,disable}.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230327173647.1690849-1-john@metanate.com
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: stable@vger.kernel.org
+Fixes: f904f58263e1d ("sched/debug: Fix preempt_disable_ip recording for preempt_disable()")
+Signed-off-by: John Keeping <john@metanate.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/ftrace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/ftrace.h
++++ b/include/linux/ftrace.h
+@@ -712,7 +712,7 @@ static inline void __ftrace_enabled_rest
+ #define CALLER_ADDR5 ((unsigned long)ftrace_return_address(5))
+ #define CALLER_ADDR6 ((unsigned long)ftrace_return_address(6))
+
+-static inline unsigned long get_lock_parent_ip(void)
++static __always_inline unsigned long get_lock_parent_ip(void)
+ {
+ unsigned long addr = CALLER_ADDR0;
+
nilfs2-fix-sysfs-interface-lifetime.patch
alsa-hda-realtek-add-quirk-for-clevo-x370snw.patch
perf-core-fix-the-same-task-check-in-perf_event_set_.patch
+ftrace-mark-get_lock_parent_ip-__always_inline.patch
+can-j1939-j1939_tp_tx_dat_new-fix-out-of-bounds-memory-access.patch
+tracing-free-error-logs-of-tracing-instances.patch
--- /dev/null
+From 3357c6e429643231e60447b52ffbb7ac895aca22 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
+Date: Tue, 4 Apr 2023 19:45:04 -0400
+Subject: tracing: Free error logs of tracing instances
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+commit 3357c6e429643231e60447b52ffbb7ac895aca22 upstream.
+
+When a tracing instance is removed, the error messages that hold errors
+that occurred in the instance needs to be freed. The following reports a
+memory leak:
+
+ # cd /sys/kernel/tracing
+ # mkdir instances/foo
+ # echo 'hist:keys=x' > instances/foo/events/sched/sched_switch/trigger
+ # cat instances/foo/error_log
+ [ 117.404795] hist:sched:sched_switch: error: Couldn't find field
+ Command: hist:keys=x
+ ^
+ # rmdir instances/foo
+
+Then check for memory leaks:
+
+ # echo scan > /sys/kernel/debug/kmemleak
+ # cat /sys/kernel/debug/kmemleak
+unreferenced object 0xffff88810d8ec700 (size 192):
+ comm "bash", pid 869, jiffies 4294950577 (age 215.752s)
+ hex dump (first 32 bytes):
+ 60 dd 68 61 81 88 ff ff 60 dd 68 61 81 88 ff ff `.ha....`.ha....
+ a0 30 8c 83 ff ff ff ff 26 00 0a 00 00 00 00 00 .0......&.......
+ backtrace:
+ [<00000000dae26536>] kmalloc_trace+0x2a/0xa0
+ [<00000000b2938940>] tracing_log_err+0x277/0x2e0
+ [<000000004a0e1b07>] parse_atom+0x966/0xb40
+ [<0000000023b24337>] parse_expr+0x5f3/0xdb0
+ [<00000000594ad074>] event_hist_trigger_parse+0x27f8/0x3560
+ [<00000000293a9645>] trigger_process_regex+0x135/0x1a0
+ [<000000005c22b4f2>] event_trigger_write+0x87/0xf0
+ [<000000002cadc509>] vfs_write+0x162/0x670
+ [<0000000059c3b9be>] ksys_write+0xca/0x170
+ [<00000000f1cddc00>] do_syscall_64+0x3e/0xc0
+ [<00000000868ac68c>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+unreferenced object 0xffff888170c35a00 (size 32):
+ comm "bash", pid 869, jiffies 4294950577 (age 215.752s)
+ hex dump (first 32 bytes):
+ 0a 20 20 43 6f 6d 6d 61 6e 64 3a 20 68 69 73 74 . Command: hist
+ 3a 6b 65 79 73 3d 78 0a 00 00 00 00 00 00 00 00 :keys=x.........
+ backtrace:
+ [<000000006a747de5>] __kmalloc+0x4d/0x160
+ [<000000000039df5f>] tracing_log_err+0x29b/0x2e0
+ [<000000004a0e1b07>] parse_atom+0x966/0xb40
+ [<0000000023b24337>] parse_expr+0x5f3/0xdb0
+ [<00000000594ad074>] event_hist_trigger_parse+0x27f8/0x3560
+ [<00000000293a9645>] trigger_process_regex+0x135/0x1a0
+ [<000000005c22b4f2>] event_trigger_write+0x87/0xf0
+ [<000000002cadc509>] vfs_write+0x162/0x670
+ [<0000000059c3b9be>] ksys_write+0xca/0x170
+ [<00000000f1cddc00>] do_syscall_64+0x3e/0xc0
+ [<00000000868ac68c>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+The problem is that the error log needs to be freed when the instance is
+removed.
+
+Link: https://lore.kernel.org/lkml/76134d9f-a5ba-6a0d-37b3-28310b4a1e91@alu.unizg.hr/
+Link: https://lore.kernel.org/linux-trace-kernel/20230404194504.5790b95f@gandalf.local.home
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Thorsten Leemhuis <regressions@leemhuis.info>
+Cc: Ulf Hansson <ulf.hansson@linaro.org>
+Cc: Eric Biggers <ebiggers@kernel.org>
+Fixes: 2f754e771b1a6 ("tracing: Have the error logs show up in the proper instances")
+Reported-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -8542,6 +8542,7 @@ static int __remove_instance(struct trac
+ ftrace_destroy_function_files(tr);
+ tracefs_remove_recursive(tr->dir);
+ free_trace_buffers(tr);
++ clear_tracing_err_log(tr);
+
+ for (i = 0; i < tr->nr_topts; i++) {
+ kfree(tr->topts[i].topts);
projects / thirdparty / kernel / stable-queue.git / commitdiff
