--- /dev/null
+From 73c384c0cdaa8ea9ca9ef2d0cff6a25930f1648e Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 7 May 2020 10:50:28 -0700
+Subject: ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 73c384c0cdaa8ea9ca9ef2d0cff6a25930f1648e upstream.
+
+We can't fail in the truncate path without requiring an fsck.
+Add work around for this by using a combination of retry loops
+and the __GFP_NOFAIL flag.
+
+From: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Anna Pendleton <pendleton@google.com>
+Reviewed-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
+Link: https://lore.kernel.org/r/20200507175028.15061-1-pendleton@google.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: c26ab35702f8 ("ext4: fix slab-use-after-free in ext4_split_extent_at()")
+[v5.4: resolved contextual conflict in __read_extent_tree_block]
+Signed-off-by: Shaoying Xu <shaoyi@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/ext4.h | 1 +
+ fs/ext4/extents.c | 43 +++++++++++++++++++++++++++++++++----------
+ 2 files changed, 34 insertions(+), 10 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -628,6 +628,7 @@ enum {
+ */
+ #define EXT4_EX_NOCACHE 0x40000000
+ #define EXT4_EX_FORCE_CACHE 0x20000000
++#define EXT4_EX_NOFAIL 0x10000000
+
+ /*
+ * Flags used by ext4_free_blocks
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -304,11 +304,14 @@ ext4_force_split_extent_at(handle_t *han
+ {
+ struct ext4_ext_path *path = *ppath;
+ int unwritten = ext4_ext_is_unwritten(path[path->p_depth].p_ext);
++ int flags = EXT4_EX_NOCACHE | EXT4_GET_BLOCKS_PRE_IO;
++
++ if (nofail)
++ flags |= EXT4_GET_BLOCKS_METADATA_NOFAIL | EXT4_EX_NOFAIL;
+
+ return ext4_split_extent_at(handle, inode, ppath, lblk, unwritten ?
+ EXT4_EXT_MARK_UNWRIT1|EXT4_EXT_MARK_UNWRIT2 : 0,
+- EXT4_EX_NOCACHE | EXT4_GET_BLOCKS_PRE_IO |
+- (nofail ? EXT4_GET_BLOCKS_METADATA_NOFAIL:0));
++ flags);
+ }
+
+ /*
+@@ -572,9 +575,13 @@ __read_extent_tree_block(const char *fun
+ struct buffer_head *bh;
+ int err;
+ ext4_fsblk_t pblk;
++ gfp_t gfp_flags = __GFP_MOVABLE | GFP_NOFS;
++
++ if (flags & EXT4_EX_NOFAIL)
++ gfp_flags |= __GFP_NOFAIL;
+
+ pblk = ext4_idx_pblock(idx);
+- bh = sb_getblk_gfp(inode->i_sb, pblk, __GFP_MOVABLE | GFP_NOFS);
++ bh = sb_getblk_gfp(inode->i_sb, pblk, gfp_flags);
+ if (unlikely(!bh))
+ return ERR_PTR(-ENOMEM);
+
+@@ -919,6 +926,10 @@ ext4_find_extent(struct inode *inode, ex
+ struct ext4_ext_path *path = orig_path ? *orig_path : NULL;
+ short int depth, i, ppos = 0;
+ int ret;
++ gfp_t gfp_flags = GFP_NOFS;
++
++ if (flags & EXT4_EX_NOFAIL)
++ gfp_flags |= __GFP_NOFAIL;
+
+ eh = ext_inode_hdr(inode);
+ depth = ext_depth(inode);
+@@ -939,7 +950,7 @@ ext4_find_extent(struct inode *inode, ex
+ if (!path) {
+ /* account possible depth increase */
+ path = kcalloc(depth + 2, sizeof(struct ext4_ext_path),
+- GFP_NOFS);
++ gfp_flags);
+ if (unlikely(!path))
+ return ERR_PTR(-ENOMEM);
+ path[0].p_maxdepth = depth + 1;
+@@ -1088,9 +1099,13 @@ static int ext4_ext_split(handle_t *hand
+ ext4_fsblk_t newblock, oldblock;
+ __le32 border;
+ ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */
++ gfp_t gfp_flags = GFP_NOFS;
+ int err = 0;
+ size_t ext_size = 0;
+
++ if (flags & EXT4_EX_NOFAIL)
++ gfp_flags |= __GFP_NOFAIL;
++
+ /* make decision: where to split? */
+ /* FIXME: now decision is simplest: at current extent */
+
+@@ -1124,7 +1139,7 @@ static int ext4_ext_split(handle_t *hand
+ * We need this to handle errors and free blocks
+ * upon them.
+ */
+- ablocks = kcalloc(depth, sizeof(ext4_fsblk_t), GFP_NOFS);
++ ablocks = kcalloc(depth, sizeof(ext4_fsblk_t), gfp_flags);
+ if (!ablocks)
+ return -ENOMEM;
+
+@@ -2110,7 +2125,7 @@ prepend:
+ if (next != EXT_MAX_BLOCKS) {
+ ext_debug("next leaf block - %u\n", next);
+ BUG_ON(npath != NULL);
+- npath = ext4_find_extent(inode, next, NULL, 0);
++ npath = ext4_find_extent(inode, next, NULL, gb_flags);
+ if (IS_ERR(npath))
+ return PTR_ERR(npath);
+ BUG_ON(npath->p_depth != path->p_depth);
+@@ -3018,7 +3033,8 @@ again:
+ ext4_fsblk_t pblk;
+
+ /* find extent for or closest extent to this block */
+- path = ext4_find_extent(inode, end, NULL, EXT4_EX_NOCACHE);
++ path = ext4_find_extent(inode, end, NULL,
++ EXT4_EX_NOCACHE | EXT4_EX_NOFAIL);
+ if (IS_ERR(path)) {
+ ext4_journal_stop(handle);
+ return PTR_ERR(path);
+@@ -3104,7 +3120,7 @@ again:
+ le16_to_cpu(path[k].p_hdr->eh_entries)+1;
+ } else {
+ path = kcalloc(depth + 1, sizeof(struct ext4_ext_path),
+- GFP_NOFS);
++ GFP_NOFS | __GFP_NOFAIL);
+ if (path == NULL) {
+ ext4_journal_stop(handle);
+ return -ENOMEM;
+@@ -3528,7 +3544,7 @@ static int ext4_split_extent(handle_t *h
+ * Update path is required because previous ext4_split_extent_at() may
+ * result in split of original leaf or extent zeroout.
+ */
+- path = ext4_find_extent(inode, map->m_lblk, ppath, 0);
++ path = ext4_find_extent(inode, map->m_lblk, ppath, flags);
+ if (IS_ERR(path))
+ return PTR_ERR(path);
+ depth = ext_depth(inode);
+@@ -4650,7 +4666,14 @@ retry:
+ }
+ if (err)
+ return err;
+- return ext4_ext_remove_space(inode, last_block, EXT_MAX_BLOCKS - 1);
++retry_remove_space:
++ err = ext4_ext_remove_space(inode, last_block, EXT_MAX_BLOCKS - 1);
++ if (err == -ENOMEM) {
++ cond_resched();
++ congestion_wait(BLK_RW_ASYNC, HZ/50);
++ goto retry_remove_space;
++ }
++ return err;
+ }
+
+ static int ext4_alloc_file_blocks(struct file *file, ext4_lblk_t offset,
--- /dev/null
+From c26ab35702f8cd0cdc78f96aa5856bfb77be798f Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Thu, 22 Aug 2024 10:35:23 +0800
+Subject: ext4: fix slab-use-after-free in ext4_split_extent_at()
+
+From: Baokun Li <libaokun1@huawei.com>
+
+commit c26ab35702f8cd0cdc78f96aa5856bfb77be798f upstream.
+
+We hit the following use-after-free:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0
+Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40
+CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724
+Call Trace:
+ <TASK>
+ kasan_report+0x93/0xc0
+ ext4_split_extent_at+0xba8/0xcc0
+ ext4_split_extent.isra.0+0x18f/0x500
+ ext4_split_convert_extents+0x275/0x750
+ ext4_ext_handle_unwritten_extents+0x73e/0x1580
+ ext4_ext_map_blocks+0xe20/0x2dc0
+ ext4_map_blocks+0x724/0x1700
+ ext4_do_writepages+0x12d6/0x2a70
+[...]
+
+Allocated by task 40:
+ __kmalloc_noprof+0x1ac/0x480
+ ext4_find_extent+0xf3b/0x1e70
+ ext4_ext_map_blocks+0x188/0x2dc0
+ ext4_map_blocks+0x724/0x1700
+ ext4_do_writepages+0x12d6/0x2a70
+[...]
+
+Freed by task 40:
+ kfree+0xf1/0x2b0
+ ext4_find_extent+0xa71/0x1e70
+ ext4_ext_insert_extent+0xa22/0x3260
+ ext4_split_extent_at+0x3ef/0xcc0
+ ext4_split_extent.isra.0+0x18f/0x500
+ ext4_split_convert_extents+0x275/0x750
+ ext4_ext_handle_unwritten_extents+0x73e/0x1580
+ ext4_ext_map_blocks+0xe20/0x2dc0
+ ext4_map_blocks+0x724/0x1700
+ ext4_do_writepages+0x12d6/0x2a70
+[...]
+==================================================================
+
+The flow of issue triggering is as follows:
+
+ext4_split_extent_at
+ path = *ppath
+ ext4_ext_insert_extent(ppath)
+ ext4_ext_create_new_leaf(ppath)
+ ext4_find_extent(orig_path)
+ path = *orig_path
+ read_extent_tree_block
+ // return -ENOMEM or -EIO
+ ext4_free_ext_path(path)
+ kfree(path)
+ *orig_path = NULL
+ a. If err is -ENOMEM:
+ ext4_ext_dirty(path + path->p_depth)
+ // path use-after-free !!!
+ b. If err is -EIO and we have EXT_DEBUG defined:
+ ext4_ext_show_leaf(path)
+ eh = path[depth].p_hdr
+ // path also use-after-free !!!
+
+So when trying to zeroout or fix the extent length, call ext4_find_extent()
+to update the path.
+
+In addition we use *ppath directly as an ext4_ext_show_leaf() input to
+avoid possible use-after-free when EXT_DEBUG is defined, and to avoid
+unnecessary path updates.
+
+Fixes: dfe5080939ea ("ext4: drop EXT4_EX_NOFREE_ON_ERR from rest of extents handling code")
+Cc: stable@kernel.org
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Link: https://patch.msgid.link/20240822023545.1994557-4-libaokun@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Shaoying Xu <shaoyi@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/extents.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -3440,6 +3440,25 @@ static int ext4_split_extent_at(handle_t
+ if (err != -ENOSPC && err != -EDQUOT && err != -ENOMEM)
+ goto out;
+
++ /*
++ * Update path is required because previous ext4_ext_insert_extent()
++ * may have freed or reallocated the path. Using EXT4_EX_NOFAIL
++ * guarantees that ext4_find_extent() will not return -ENOMEM,
++ * otherwise -ENOMEM will cause a retry in do_writepages(), and a
++ * WARN_ON may be triggered in ext4_da_update_reserve_space() due to
++ * an incorrect ee_len causing the i_reserved_data_blocks exception.
++ */
++ path = ext4_find_extent(inode, ee_block, ppath,
++ flags | EXT4_EX_NOFAIL);
++ if (IS_ERR(path)) {
++ EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld",
++ split, PTR_ERR(path));
++ return PTR_ERR(path);
++ }
++ depth = ext_depth(inode);
++ ex = path[depth].p_ext;
++ *ppath = path;
++
+ if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
+ if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
+ if (split_flag & EXT4_EXT_DATA_VALID1) {
+@@ -3488,7 +3507,7 @@ fix_extent_len:
+ ext4_ext_dirty(handle, inode, path + path->p_depth);
+ return err;
+ out:
+- ext4_ext_show_leaf(inode, path);
++ ext4_ext_show_leaf(inode, *ppath);
+ return err;
+ }
+
--- /dev/null
+From f829b4b212a315b912cb23fd10aaf30534bb5ce9 Mon Sep 17 00:00:00 2001
+From: Liam Howlett <liam.howlett@oracle.com>
+Date: Wed, 7 Apr 2021 20:00:45 +0000
+Subject: m68k: Add missing mmap_read_lock() to sys_cacheflush()
+
+From: Liam Howlett <liam.howlett@oracle.com>
+
+commit f829b4b212a315b912cb23fd10aaf30534bb5ce9 upstream.
+
+When the superuser flushes the entire cache, the mmap_read_lock() is not
+taken, but mmap_read_unlock() is called. Add the missing
+mmap_read_lock() call.
+
+Fixes: cd2567b6850b1648 ("m68k: call find_vma with the mmap_sem held in sys_cacheflush()")
+Signed-off-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Link: https://lore.kernel.org/r/20210407200032.764445-1-Liam.Howlett@Oracle.com
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+[ mmap_read_lock() open-coded using down_read() as was done prior to v5.8 ]
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/m68k/kernel/sys_m68k.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/m68k/kernel/sys_m68k.c
++++ b/arch/m68k/kernel/sys_m68k.c
+@@ -388,6 +388,8 @@ sys_cacheflush (unsigned long addr, int
+ ret = -EPERM;
+ if (!capable(CAP_SYS_ADMIN))
+ goto out;
++
++ down_read(¤t->mm->mmap_sem);
+ } else {
+ struct vm_area_struct *vma;
+
--- /dev/null
+From 50e43a57334400668952f8e551c9d87d3ed2dfef Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 25 Jul 2021 17:19:45 +0000
+Subject: m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 50e43a57334400668952f8e551c9d87d3ed2dfef upstream.
+
+We get there when sigreturn has performed obscene acts on kernel stack;
+in particular, the location of pt_regs has shifted. We are about to call
+syscall_trace(), which might stop for tracer. If that happens, we'd better
+have task_pt_regs() returning correct result...
+
+Fucked-up-by: Al Viro <viro@zeniv.linux.org.uk>
+Fixes: bd6f56a75bb2 ("m68k: Missing syscall_trace() on sigreturn")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Tested-by: Michael Schmitz <schmitzmic@gmail.com>
+Reviewed-by: Michael Schmitz <schmitzmic@gmail.com>
+Tested-by: Finn Thain <fthain@linux-m68k.org>
+Link: https://lore.kernel.org/r/YP2dMWeV1LkHiOpr@zeniv-ca.linux.org.uk
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/m68k/kernel/entry.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/m68k/kernel/entry.S
++++ b/arch/m68k/kernel/entry.S
+@@ -182,6 +182,8 @@ ENTRY(ret_from_signal)
+ movel %curptr@(TASK_STACK),%a1
+ tstb %a1@(TINFO_FLAGS+2)
+ jge 1f
++ lea %sp@(SWITCH_STACK_SIZE),%a1
++ movel %a1,%curptr@(TASK_THREAD+THREAD_ESP0)
+ jbsr syscall_trace
+ 1: RESTORE_SWITCH_STACK
+ addql #4,%sp
--- /dev/null
+From f3265971ded98a069ad699b51b8a5ab95e9e5be1 Mon Sep 17 00:00:00 2001
+From: Madhuparna Bhowmik <madhuparnabhowmik04@gmail.com>
+Date: Wed, 15 Jan 2020 21:25:53 +0530
+Subject: net: xen-netback: hash.c: Use built-in RCU list checking
+
+From: Madhuparna Bhowmik <madhuparnabhowmik04@gmail.com>
+
+commit f3265971ded98a069ad699b51b8a5ab95e9e5be1 upstream.
+
+list_for_each_entry_rcu has built-in RCU and lock checking.
+Pass cond argument to list_for_each_entry_rcu.
+
+Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik04@gmail.com>
+Acked-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 0fa5e94a1811 ("net/xen-netback: prevent UAF in xenvif_flush_hash()")
+Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netback/hash.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/xen-netback/hash.c
++++ b/drivers/net/xen-netback/hash.c
+@@ -51,7 +51,8 @@ static void xenvif_add_hash(struct xenvi
+
+ found = false;
+ oldest = NULL;
+- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) {
++ list_for_each_entry_rcu(entry, &vif->hash.cache.list, link,
++ lockdep_is_held(&vif->hash.cache.lock)) {
+ /* Make sure we don't add duplicate entries */
+ if (entry->len == len &&
+ memcmp(entry->tag, tag, len) == 0)
+@@ -102,7 +103,8 @@ static void xenvif_flush_hash(struct xen
+
+ spin_lock_irqsave(&vif->hash.cache.lock, flags);
+
+- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) {
++ list_for_each_entry_rcu(entry, &vif->hash.cache.list, link,
++ lockdep_is_held(&vif->hash.cache.lock)) {
+ list_del_rcu(&entry->link);
+ vif->hash.cache.count--;
+ kfree_rcu(entry, rcu);
--- /dev/null
+From 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Fri, 23 Aug 2024 03:11:09 +0900
+Subject: net/xen-netback: prevent UAF in xenvif_flush_hash()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 upstream.
+
+During the list_for_each_entry_rcu iteration call of xenvif_flush_hash,
+kfree_rcu does not exist inside the rcu read critical section, so if
+kfree_rcu is called when the rcu grace period ends during the iteration,
+UAF occurs when accessing head->next after the entry becomes free.
+
+Therefore, to solve this, you need to change it to list_for_each_entry_safe.
+
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netback/hash.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/xen-netback/hash.c
++++ b/drivers/net/xen-netback/hash.c
+@@ -95,7 +95,7 @@ static u32 xenvif_new_hash(struct xenvif
+
+ static void xenvif_flush_hash(struct xenvif *vif)
+ {
+- struct xenvif_hash_cache_entry *entry;
++ struct xenvif_hash_cache_entry *entry, *n;
+ unsigned long flags;
+
+ if (xenvif_hash_cache_size == 0)
+@@ -103,8 +103,7 @@ static void xenvif_flush_hash(struct xen
+
+ spin_lock_irqsave(&vif->hash.cache.lock, flags);
+
+- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link,
+- lockdep_is_held(&vif->hash.cache.lock)) {
++ list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) {
+ list_del_rcu(&entry->link);
+ vif->hash.cache.count--;
+ kfree_rcu(entry, rcu);
scsi-iscsi-fix-redundant-response-for-iscsi_uevent_g.patch
irqchip-sunxi-nmi-add-missing-skip_wake-flag.patch
gfs2-truncate-address-space-when-flipping-gfs2_dif_jdata-flag.patch
+m68k-update-thread.esp0-before-calling-syscall_trace-in-ret_from_signal.patch
+m68k-add-missing-mmap_read_lock-to-sys_cacheflush.patch
+signal-m68k-use-force_sigsegv-sigsegv-in-fpsp040_die.patch
+net-xen-netback-hash.c-use-built-in-rcu-list-checking.patch
+net-xen-netback-prevent-uaf-in-xenvif_flush_hash.patch
+vfio-platform-check-the-bounds-of-read-write-syscalls.patch
+ext4-avoid-ext4_error-s-caused-by-enomem-in-the-truncate-path.patch
+ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch
--- /dev/null
+From a3616a3c02722d1edb95acc7fceade242f6553ba Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 26 Jul 2021 14:23:11 -0500
+Subject: signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit a3616a3c02722d1edb95acc7fceade242f6553ba upstream.
+
+In the fpsp040 code when copyin or copyout fails call
+force_sigsegv(SIGSEGV) instead of do_exit(SIGSEGV).
+
+This solves a couple of problems. Because do_exit embeds the ptrace
+stop PTRACE_EVENT_EXIT a complete stack frame needs to be present for
+that to work correctly. There is always the information needed for a
+ptrace stop where get_signal is called. So exiting with a signal
+solves the ptrace issue.
+
+Further exiting with a signal ensures that all of the threads in a
+process are killed not just the thread that malfunctioned. Which
+avoids confusing userspace.
+
+To make force_sigsegv(SIGSEGV) work in fpsp040_die modify the code to
+save all of the registers and jump to ret_from_exception (which
+ultimately calls get_signal) after fpsp040_die returns.
+
+v2: Updated the branches to use gas's pseudo ops that automatically
+ calculate the best branch instruction to use for the purpose.
+
+v1: https://lkml.kernel.org/r/87a6m8kgtx.fsf_-_@disp2133
+Link: https://lkml.kernel.org/r/87tukghjfs.fsf_-_@disp2133
+Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/m68k/fpsp040/skeleton.S | 3 ++-
+ arch/m68k/kernel/traps.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/m68k/fpsp040/skeleton.S
++++ b/arch/m68k/fpsp040/skeleton.S
+@@ -502,7 +502,8 @@ in_ea:
+ .section .fixup,"ax"
+ .even
+ 1:
+- jbra fpsp040_die
++ jbsr fpsp040_die
++ jbra .Lnotkern
+
+ .section __ex_table,"a"
+ .align 4
+--- a/arch/m68k/kernel/traps.c
++++ b/arch/m68k/kernel/traps.c
+@@ -1155,7 +1155,7 @@ asmlinkage void set_esp0(unsigned long s
+ */
+ asmlinkage void fpsp040_die(void)
+ {
+- do_exit(SIGSEGV);
++ force_sigsegv(SIGSEGV);
+ }
+
+ #ifdef CONFIG_M68KFPU_EMU
--- /dev/null
+From ce9ff21ea89d191e477a02ad7eabf4f996b80a69 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 22 Jan 2025 10:38:30 -0700
+Subject: vfio/platform: check the bounds of read/write syscalls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream.
+
+count and offset are passed from user space and not checked, only
+offset is capped to 40 bits, which can be used to read/write out of
+bounds of the device.
+
+Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”)
+Cc: stable@vger.kernel.org
+Reported-by: Mostafa Saleh <smostafa@google.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Mostafa Saleh <smostafa@google.com>
+Tested-by: Mostafa Saleh <smostafa@google.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vfio/platform/vfio_platform_common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/vfio/platform/vfio_platform_common.c
++++ b/drivers/vfio/platform/vfio_platform_common.c
+@@ -405,6 +405,11 @@ static ssize_t vfio_platform_read_mmio(s
+ {
+ unsigned int done = 0;
+
++ if (off >= reg->size)
++ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
+ if (!reg->ioaddr) {
+ reg->ioaddr =
+ ioremap_nocache(reg->addr, reg->size);
+@@ -482,6 +487,11 @@ static ssize_t vfio_platform_write_mmio(
+ {
+ unsigned int done = 0;
+
++ if (off >= reg->size)
++ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
+ if (!reg->ioaddr) {
+ reg->ioaddr =
+ ioremap_nocache(reg->addr, reg->size);
projects / thirdparty / kernel / stable-queue.git / commitdiff
