From: Greg Kroah-Hartman Date: Mon, 29 Sep 2025 13:11:06 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.4.300~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=87b82604a36364a524b89e63fa8a3a3cbfbb251e;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: afs-fix-potential-null-pointer-dereference-in-afs_put_server.patch fbcon-fix-integer-overflow-in-fbcon_do_set_font.patch fbcon-fix-oob-access-in-font-allocation.patch mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch --- diff --git a/queue-6.1/afs-fix-potential-null-pointer-dereference-in-afs_put_server.patch b/queue-6.1/afs-fix-potential-null-pointer-dereference-in-afs_put_server.patch new file mode 100644 index 0000000000..2fd28a605a --- /dev/null +++ b/queue-6.1/afs-fix-potential-null-pointer-dereference-in-afs_put_server.patch @@ -0,0 +1,42 @@ +From 9158c6bb245113d4966df9b2ba602197a379412e Mon Sep 17 00:00:00 2001 +From: Zhen Ni +Date: Tue, 23 Sep 2025 15:51:04 +0800 +Subject: afs: Fix potential null pointer dereference in afs_put_server + +From: Zhen Ni + +commit 9158c6bb245113d4966df9b2ba602197a379412e upstream. + +afs_put_server() accessed server->debug_id before the NULL check, which +could lead to a null pointer dereference. Move the debug_id assignment, +ensuring we never dereference a NULL server pointer. + +Fixes: 2757a4dc1849 ("afs: Fix access after dec in put functions") +Cc: stable@vger.kernel.org +Signed-off-by: Zhen Ni +Acked-by: David Howells +Reviewed-by: Jeffrey Altman +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/server.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/afs/server.c ++++ b/fs/afs/server.c +@@ -401,13 +401,14 @@ struct afs_server *afs_use_server(struct + void afs_put_server(struct afs_net *net, struct afs_server *server, + enum afs_server_trace reason) + { +- unsigned int a, debug_id = server->debug_id; ++ unsigned int a, debug_id; + bool zero; + int r; + + if (!server) + return; + ++ debug_id = server->debug_id; + a = atomic_read(&server->active); + zero = __refcount_dec_and_test(&server->ref, &r); + trace_afs_server(debug_id, r - 1, a, reason); diff --git a/queue-6.1/fbcon-fix-integer-overflow-in-fbcon_do_set_font.patch b/queue-6.1/fbcon-fix-integer-overflow-in-fbcon_do_set_font.patch new file mode 100644 index 0000000000..eb86455684 --- /dev/null +++ b/queue-6.1/fbcon-fix-integer-overflow-in-fbcon_do_set_font.patch @@ -0,0 +1,71 @@ +From 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe Mon Sep 17 00:00:00 2001 +From: Samasth Norway Ananda +Date: Fri, 12 Sep 2025 10:00:23 -0700 +Subject: fbcon: fix integer overflow in fbcon_do_set_font +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Samasth Norway Ananda + +commit 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe upstream. + +Fix integer overflow vulnerabilities in fbcon_do_set_font() where font +size calculations could overflow when handling user-controlled font +parameters. + +The vulnerabilities occur when: +1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount + multiplication with user-controlled values that can overflow. +2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow +3. This results in smaller allocations than expected, leading to buffer + overflows during font data copying. + +Add explicit overflow checking using check_mul_overflow() and +check_add_overflow() kernel helpers to safety validate all size +calculations before allocation. + +Signed-off-by: Samasth Norway Ananda +Reviewed-by: Thomas Zimmermann +Fixes: 39b3cffb8cf3 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access") +Cc: George Kennedy +Cc: stable +Cc: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com +Cc: Greg Kroah-Hartman +Cc: Simona Vetter +Cc: Helge Deller +Cc: Thomas Zimmermann +Cc: "Ville Syrjälä" +Cc: Sam Ravnborg +Cc: Qianqiang Liu +Cc: Shixiong Ou +Cc: Kees Cook +Cc: # v5.9+ +Signed-off-by: Thomas Zimmermann +Link: https://lore.kernel.org/r/20250912170023.3931881-1-samasth.norway.ananda@oracle.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbcon.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -2516,9 +2516,16 @@ static int fbcon_set_font(struct vc_data + if (fbcon_invalid_charcount(info, charcount)) + return -EINVAL; + +- size = CALC_FONTSZ(h, pitch, charcount); ++ /* Check for integer overflow in font size calculation */ ++ if (check_mul_overflow(h, pitch, &size) || ++ check_mul_overflow(size, charcount, &size)) ++ return -EINVAL; ++ ++ /* Check for overflow in allocation size calculation */ ++ if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size)) ++ return -EINVAL; + +- new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER); ++ new_data = kmalloc(size, GFP_USER); + + if (!new_data) + return -ENOMEM; diff --git a/queue-6.1/fbcon-fix-oob-access-in-font-allocation.patch b/queue-6.1/fbcon-fix-oob-access-in-font-allocation.patch new file mode 100644 index 0000000000..648f0fb49c --- /dev/null +++ b/queue-6.1/fbcon-fix-oob-access-in-font-allocation.patch @@ -0,0 +1,67 @@ +From 9b2f5ef00e852f8e8902a4d4f73aeedc60220c12 Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Mon, 22 Sep 2025 15:45:54 +0200 +Subject: fbcon: Fix OOB access in font allocation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Zimmermann + +commit 9b2f5ef00e852f8e8902a4d4f73aeedc60220c12 upstream. + +Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") +introduced an out-of-bounds access by storing data and allocation sizes +in the same variable. Restore the old size calculation and use the new +variable 'alloc_size' for the allocation. + +Signed-off-by: Thomas Zimmermann +Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") +Reported-by: Jani Nikula +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020 +Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6201 +Cc: Samasth Norway Ananda +Cc: Thomas Zimmermann +Cc: George Kennedy +Cc: Greg Kroah-Hartman +Cc: Simona Vetter +Cc: Helge Deller +Cc: "Ville Syrjälä" +Cc: Sam Ravnborg +Cc: Qianqiang Liu +Cc: Shixiong Ou +Cc: Kees Cook +Cc: # v5.9+ +Cc: Zsolt Kajtar +Reviewed-by: Lucas De Marchi +Reviewed-by: Qianqiang Liu +Link: https://lore.kernel.org/r/20250922134619.257684-1-tzimmermann@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbcon.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -2489,7 +2489,7 @@ static int fbcon_set_font(struct vc_data + unsigned charcount = font->charcount; + int w = font->width; + int h = font->height; +- int size; ++ int size, alloc_size; + int i, csum; + u8 *new_data, *data = font->data; + int pitch = PITCH(font->width); +@@ -2522,10 +2522,10 @@ static int fbcon_set_font(struct vc_data + return -EINVAL; + + /* Check for overflow in allocation size calculation */ +- if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size)) ++ if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &alloc_size)) + return -EINVAL; + +- new_data = kmalloc(size, GFP_USER); ++ new_data = kmalloc(alloc_size, GFP_USER); + + if (!new_data) + return -ENOMEM; diff --git a/queue-6.1/mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch b/queue-6.1/mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch new file mode 100644 index 0000000000..1f8c76f0e1 --- /dev/null +++ b/queue-6.1/mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch @@ -0,0 +1,78 @@ +From 7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7 Mon Sep 17 00:00:00 2001 +From: Jinjiang Tu +Date: Fri, 12 Sep 2025 15:41:39 +0800 +Subject: mm/hugetlb: fix folio is still mapped when deleted + +From: Jinjiang Tu + +commit 7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7 upstream. + +Migration may be raced with fallocating hole. remove_inode_single_folio +will unmap the folio if the folio is still mapped. However, it's called +without folio lock. If the folio is migrated and the mapped pte has been +converted to migration entry, folio_mapped() returns false, and won't +unmap it. Due to extra refcount held by remove_inode_single_folio, +migration fails, restores migration entry to normal pte, and the folio is +mapped again. As a result, we triggered BUG in filemap_unaccount_folio. + +The log is as follows: + BUG: Bad page cache in process hugetlb pfn:156c00 + page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00 + head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0 + aops:hugetlbfs_aops ino:dcc dentry name(?):"my_hugepage_file" + flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff) + page_type: f4(hugetlb) + page dumped because: still mapped when deleted + CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE + Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 + Call Trace: + + dump_stack_lvl+0x4f/0x70 + filemap_unaccount_folio+0xc4/0x1c0 + __filemap_remove_folio+0x38/0x1c0 + filemap_remove_folio+0x41/0xd0 + remove_inode_hugepages+0x142/0x250 + hugetlbfs_fallocate+0x471/0x5a0 + vfs_fallocate+0x149/0x380 + +Hold folio lock before checking if the folio is mapped to avold race with +migration. + +Link: https://lkml.kernel.org/r/20250912074139.3575005-1-tujinjiang@huawei.com +Fixes: 4aae8d1c051e ("mm/hugetlbfs: unmap pages if page fault raced with hole punch") +Signed-off-by: Jinjiang Tu +Cc: David Hildenbrand +Cc: Kefeng Wang +Cc: Matthew Wilcox (Oracle) +Cc: Muchun Song +Cc: Oscar Salvador +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/hugetlbfs/inode.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -576,14 +576,16 @@ static bool remove_inode_single_folio(st + + /* + * If folio is mapped, it was faulted in after being +- * unmapped in caller. Unmap (again) while holding +- * the fault mutex. The mutex will prevent faults +- * until we finish removing the folio. ++ * unmapped in caller or hugetlb_vmdelete_list() skips ++ * unmapping it due to fail to grab lock. Unmap (again) ++ * while holding the fault mutex. The mutex will prevent ++ * faults until we finish removing the folio. Hold folio ++ * lock to guarantee no concurrent migration. + */ ++ folio_lock(folio); + if (unlikely(folio_mapped(folio))) + hugetlb_unmap_file_folio(h, mapping, folio, index); + +- folio_lock(folio); + /* + * We must remove the folio from page cache before removing + * the region/ reserve map (hugetlb_unreserve_pages). In diff --git a/queue-6.1/series b/queue-6.1/series index 9a588ef9e0..724da21ffb 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -50,3 +50,7 @@ i40e-add-mask-to-apply-valid-bits-for-itr_idx.patch i40e-improve-vf-mac-filters-accounting.patch crypto-af_alg-fix-incorrect-boolean-values-in-af_alg_ctx.patch tracing-dynevent-add-a-missing-lockdown-check-on-dynevent.patch +afs-fix-potential-null-pointer-dereference-in-afs_put_server.patch +mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch +fbcon-fix-integer-overflow-in-fbcon_do_set_font.patch +fbcon-fix-oob-access-in-font-allocation.patch