--- /dev/null
+From ea5ff5d351b520524019f7ff7f9ce418de2dad87 Mon Sep 17 00:00:00 2001
+From: "T.J. Mercier" <tjmercier@google.com>
+Date: Fri, 30 Aug 2024 19:26:26 +0000
+Subject: dma-buf: heaps: Fix off-by-one in CMA heap fault handler
+
+From: T.J. Mercier <tjmercier@google.com>
+
+commit ea5ff5d351b520524019f7ff7f9ce418de2dad87 upstream.
+
+Until VM_DONTEXPAND was added in commit 1c1914d6e8c6 ("dma-buf: heaps:
+Don't track CMA dma-buf pages under RssFile") it was possible to obtain
+a mapping larger than the buffer size via mremap and bypass the overflow
+check in dma_buf_mmap_internal. When using such a mapping to attempt to
+fault past the end of the buffer, the CMA heap fault handler also checks
+the fault offset against the buffer size, but gets the boundary wrong by
+1. Fix the boundary check so that we don't read off the end of the pages
+array and insert an arbitrary page in the mapping.
+
+Reported-by: Xingyu Jin <xingyuj@google.com>
+Fixes: a5d2d29e24be ("dma-buf: heaps: Move heap-helper logic into the cma_heap implementation")
+Cc: stable@vger.kernel.org # Applicable >= 5.10. Needs adjustments only for 5.10.
+Signed-off-by: T.J. Mercier <tjmercier@google.com>
+Acked-by: John Stultz <jstultz@google.com>
+Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240830192627.2546033-1-tjmercier@google.com
+[ TJ: Backport to 5.10. On this kernel the bug is located in
+ dma_heap_vm_fault which is used by both the CMA and system heaps. ]
+Signed-off-by: T.J. Mercier <tjmercier@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma-buf/heaps/heap-helpers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma-buf/heaps/heap-helpers.c
++++ b/drivers/dma-buf/heaps/heap-helpers.c
+@@ -161,7 +161,7 @@ static vm_fault_t dma_heap_vm_fault(stru
+ struct vm_area_struct *vma = vmf->vma;
+ struct heap_helper_buffer *buffer = vma->vm_private_data;
+
+- if (vmf->pgoff > buffer->pagecount)
++ if (vmf->pgoff >= buffer->pagecount)
+ return VM_FAULT_SIGBUS;
+
+ vmf->page = buffer->pages[vmf->pgoff];
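Review bot: the corrected comparison `if (vmf->pgoff >= buffer->pagecount)` is the right boundary: `vmf->pgoff` is a zero-based index into `buffer->pages[]`, so `pgoff == pagecount` is one past the last element, and the old `>` let that fault fall through to `vmf->page = buffer->pages[vmf->pgoff]` and insert whatever pointer sits past the array into the mapping. Two things worth checking on this 5.10 backport: the description credits VM_DONTEXPAND (commit 1c1914d6e8c6) with closing the mremap route to an oversized mapping in mainline, so confirm that the mmap path in heap-helpers.c on 5.10 sets that flag too, otherwise this comparison is the only check between an mremap-grown VMA and the out-of-bounds read; and since dma_heap_vm_fault serves both the CMA and system heaps here, a one-line comment above the check (e.g. `/* pgoff is zero-based; pagecount is one past the last valid index */`) would make the intent explicit for later backports.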