From: Greg Kroah-Hartman Date: Thu, 30 Jan 2025 09:49:15 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v6.13.1~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a4a4db341152e4b6b101baad6eab1126346a2e9b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: ext4-avoid-ext4_error-s-caused-by-enomem-in-the-truncate-path.patch ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch m68k-add-missing-mmap_read_lock-to-sys_cacheflush.patch m68k-update-thread.esp0-before-calling-syscall_trace-in-ret_from_signal.patch net-xen-netback-hash.c-use-built-in-rcu-list-checking.patch net-xen-netback-prevent-uaf-in-xenvif_flush_hash.patch signal-m68k-use-force_sigsegv-sigsegv-in-fpsp040_die.patch vfio-platform-check-the-bounds-of-read-write-syscalls.patch --- diff --git a/queue-5.4/ext4-avoid-ext4_error-s-caused-by-enomem-in-the-truncate-path.patch b/queue-5.4/ext4-avoid-ext4_error-s-caused-by-enomem-in-the-truncate-path.patch new file mode 100644 index 0000000000..7a426898b4 --- /dev/null +++ b/queue-5.4/ext4-avoid-ext4_error-s-caused-by-enomem-in-the-truncate-path.patch @@ -0,0 +1,168 @@ +From 73c384c0cdaa8ea9ca9ef2d0cff6a25930f1648e Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 7 May 2020 10:50:28 -0700 +Subject: ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path + +From: Theodore Ts'o + +commit 73c384c0cdaa8ea9ca9ef2d0cff6a25930f1648e upstream. + +We can't fail in the truncate path without requiring an fsck. +Add work around for this by using a combination of retry loops +and the __GFP_NOFAIL flag. + +From: Theodore Ts'o +Signed-off-by: Theodore Ts'o +Signed-off-by: Anna Pendleton +Reviewed-by: Harshad Shirwadkar +Link: https://lore.kernel.org/r/20200507175028.15061-1-pendleton@google.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: c26ab35702f8 ("ext4: fix slab-use-after-free in ext4_split_extent_at()") +[v5.4: resolved contextual conflict in __read_extent_tree_block] +Signed-off-by: Shaoying Xu +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ext4.h | 1 + + fs/ext4/extents.c | 43 +++++++++++++++++++++++++++++++++---------- + 2 files changed, 34 insertions(+), 10 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -628,6 +628,7 @@ enum { + */ + #define EXT4_EX_NOCACHE 0x40000000 + #define EXT4_EX_FORCE_CACHE 0x20000000 ++#define EXT4_EX_NOFAIL 0x10000000 + + /* + * Flags used by ext4_free_blocks +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -304,11 +304,14 @@ ext4_force_split_extent_at(handle_t *han + { + struct ext4_ext_path *path = *ppath; + int unwritten = ext4_ext_is_unwritten(path[path->p_depth].p_ext); ++ int flags = EXT4_EX_NOCACHE | EXT4_GET_BLOCKS_PRE_IO; ++ ++ if (nofail) ++ flags |= EXT4_GET_BLOCKS_METADATA_NOFAIL | EXT4_EX_NOFAIL; + + return ext4_split_extent_at(handle, inode, ppath, lblk, unwritten ? + EXT4_EXT_MARK_UNWRIT1|EXT4_EXT_MARK_UNWRIT2 : 0, +- EXT4_EX_NOCACHE | EXT4_GET_BLOCKS_PRE_IO | +- (nofail ? EXT4_GET_BLOCKS_METADATA_NOFAIL:0)); ++ flags); + } + + /* +@@ -572,9 +575,13 @@ __read_extent_tree_block(const char *fun + struct buffer_head *bh; + int err; + ext4_fsblk_t pblk; ++ gfp_t gfp_flags = __GFP_MOVABLE | GFP_NOFS; ++ ++ if (flags & EXT4_EX_NOFAIL) ++ gfp_flags |= __GFP_NOFAIL; + + pblk = ext4_idx_pblock(idx); +- bh = sb_getblk_gfp(inode->i_sb, pblk, __GFP_MOVABLE | GFP_NOFS); ++ bh = sb_getblk_gfp(inode->i_sb, pblk, gfp_flags); + if (unlikely(!bh)) + return ERR_PTR(-ENOMEM); + +@@ -919,6 +926,10 @@ ext4_find_extent(struct inode *inode, ex + struct ext4_ext_path *path = orig_path ? *orig_path : NULL; + short int depth, i, ppos = 0; + int ret; ++ gfp_t gfp_flags = GFP_NOFS; ++ ++ if (flags & EXT4_EX_NOFAIL) ++ gfp_flags |= __GFP_NOFAIL; + + eh = ext_inode_hdr(inode); + depth = ext_depth(inode); +@@ -939,7 +950,7 @@ ext4_find_extent(struct inode *inode, ex + if (!path) { + /* account possible depth increase */ + path = kcalloc(depth + 2, sizeof(struct ext4_ext_path), +- GFP_NOFS); ++ gfp_flags); + if (unlikely(!path)) + return ERR_PTR(-ENOMEM); + path[0].p_maxdepth = depth + 1; +@@ -1088,9 +1099,13 @@ static int ext4_ext_split(handle_t *hand + ext4_fsblk_t newblock, oldblock; + __le32 border; + ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */ ++ gfp_t gfp_flags = GFP_NOFS; + int err = 0; + size_t ext_size = 0; + ++ if (flags & EXT4_EX_NOFAIL) ++ gfp_flags |= __GFP_NOFAIL; ++ + /* make decision: where to split? */ + /* FIXME: now decision is simplest: at current extent */ + +@@ -1124,7 +1139,7 @@ static int ext4_ext_split(handle_t *hand + * We need this to handle errors and free blocks + * upon them. + */ +- ablocks = kcalloc(depth, sizeof(ext4_fsblk_t), GFP_NOFS); ++ ablocks = kcalloc(depth, sizeof(ext4_fsblk_t), gfp_flags); + if (!ablocks) + return -ENOMEM; + +@@ -2110,7 +2125,7 @@ prepend: + if (next != EXT_MAX_BLOCKS) { + ext_debug("next leaf block - %u\n", next); + BUG_ON(npath != NULL); +- npath = ext4_find_extent(inode, next, NULL, 0); ++ npath = ext4_find_extent(inode, next, NULL, gb_flags); + if (IS_ERR(npath)) + return PTR_ERR(npath); + BUG_ON(npath->p_depth != path->p_depth); +@@ -3018,7 +3033,8 @@ again: + ext4_fsblk_t pblk; + + /* find extent for or closest extent to this block */ +- path = ext4_find_extent(inode, end, NULL, EXT4_EX_NOCACHE); ++ path = ext4_find_extent(inode, end, NULL, ++ EXT4_EX_NOCACHE | EXT4_EX_NOFAIL); + if (IS_ERR(path)) { + ext4_journal_stop(handle); + return PTR_ERR(path); +@@ -3104,7 +3120,7 @@ again: + le16_to_cpu(path[k].p_hdr->eh_entries)+1; + } else { + path = kcalloc(depth + 1, sizeof(struct ext4_ext_path), +- GFP_NOFS); ++ GFP_NOFS | __GFP_NOFAIL); + if (path == NULL) { + ext4_journal_stop(handle); + return -ENOMEM; +@@ -3528,7 +3544,7 @@ static int ext4_split_extent(handle_t *h + * Update path is required because previous ext4_split_extent_at() may + * result in split of original leaf or extent zeroout. + */ +- path = ext4_find_extent(inode, map->m_lblk, ppath, 0); ++ path = ext4_find_extent(inode, map->m_lblk, ppath, flags); + if (IS_ERR(path)) + return PTR_ERR(path); + depth = ext_depth(inode); +@@ -4650,7 +4666,14 @@ retry: + } + if (err) + return err; +- return ext4_ext_remove_space(inode, last_block, EXT_MAX_BLOCKS - 1); ++retry_remove_space: ++ err = ext4_ext_remove_space(inode, last_block, EXT_MAX_BLOCKS - 1); ++ if (err == -ENOMEM) { ++ cond_resched(); ++ congestion_wait(BLK_RW_ASYNC, HZ/50); ++ goto retry_remove_space; ++ } ++ return err; + } + + static int ext4_alloc_file_blocks(struct file *file, ext4_lblk_t offset, diff --git a/queue-5.4/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch b/queue-5.4/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch new file mode 100644 index 0000000000..9524ef9c13 --- /dev/null +++ b/queue-5.4/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch @@ -0,0 +1,128 @@ +From c26ab35702f8cd0cdc78f96aa5856bfb77be798f Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Thu, 22 Aug 2024 10:35:23 +0800 +Subject: ext4: fix slab-use-after-free in ext4_split_extent_at() + +From: Baokun Li + +commit c26ab35702f8cd0cdc78f96aa5856bfb77be798f upstream. + +We hit the following use-after-free: + +================================================================== +BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 +Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 +CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 +Call Trace: + + kasan_report+0x93/0xc0 + ext4_split_extent_at+0xba8/0xcc0 + ext4_split_extent.isra.0+0x18f/0x500 + ext4_split_convert_extents+0x275/0x750 + ext4_ext_handle_unwritten_extents+0x73e/0x1580 + ext4_ext_map_blocks+0xe20/0x2dc0 + ext4_map_blocks+0x724/0x1700 + ext4_do_writepages+0x12d6/0x2a70 +[...] + +Allocated by task 40: + __kmalloc_noprof+0x1ac/0x480 + ext4_find_extent+0xf3b/0x1e70 + ext4_ext_map_blocks+0x188/0x2dc0 + ext4_map_blocks+0x724/0x1700 + ext4_do_writepages+0x12d6/0x2a70 +[...] + +Freed by task 40: + kfree+0xf1/0x2b0 + ext4_find_extent+0xa71/0x1e70 + ext4_ext_insert_extent+0xa22/0x3260 + ext4_split_extent_at+0x3ef/0xcc0 + ext4_split_extent.isra.0+0x18f/0x500 + ext4_split_convert_extents+0x275/0x750 + ext4_ext_handle_unwritten_extents+0x73e/0x1580 + ext4_ext_map_blocks+0xe20/0x2dc0 + ext4_map_blocks+0x724/0x1700 + ext4_do_writepages+0x12d6/0x2a70 +[...] +================================================================== + +The flow of issue triggering is as follows: + +ext4_split_extent_at + path = *ppath + ext4_ext_insert_extent(ppath) + ext4_ext_create_new_leaf(ppath) + ext4_find_extent(orig_path) + path = *orig_path + read_extent_tree_block + // return -ENOMEM or -EIO + ext4_free_ext_path(path) + kfree(path) + *orig_path = NULL + a. If err is -ENOMEM: + ext4_ext_dirty(path + path->p_depth) + // path use-after-free !!! + b. If err is -EIO and we have EXT_DEBUG defined: + ext4_ext_show_leaf(path) + eh = path[depth].p_hdr + // path also use-after-free !!! + +So when trying to zeroout or fix the extent length, call ext4_find_extent() +to update the path. + +In addition we use *ppath directly as an ext4_ext_show_leaf() input to +avoid possible use-after-free when EXT_DEBUG is defined, and to avoid +unnecessary path updates. + +Fixes: dfe5080939ea ("ext4: drop EXT4_EX_NOFREE_ON_ERR from rest of extents handling code") +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Reviewed-by: Ojaswin Mujoo +Tested-by: Ojaswin Mujoo +Link: https://patch.msgid.link/20240822023545.1994557-4-libaokun@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Shaoying Xu +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/extents.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -3440,6 +3440,25 @@ static int ext4_split_extent_at(handle_t + if (err != -ENOSPC && err != -EDQUOT && err != -ENOMEM) + goto out; + ++ /* ++ * Update path is required because previous ext4_ext_insert_extent() ++ * may have freed or reallocated the path. Using EXT4_EX_NOFAIL ++ * guarantees that ext4_find_extent() will not return -ENOMEM, ++ * otherwise -ENOMEM will cause a retry in do_writepages(), and a ++ * WARN_ON may be triggered in ext4_da_update_reserve_space() due to ++ * an incorrect ee_len causing the i_reserved_data_blocks exception. ++ */ ++ path = ext4_find_extent(inode, ee_block, ppath, ++ flags | EXT4_EX_NOFAIL); ++ if (IS_ERR(path)) { ++ EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld", ++ split, PTR_ERR(path)); ++ return PTR_ERR(path); ++ } ++ depth = ext_depth(inode); ++ ex = path[depth].p_ext; ++ *ppath = path; ++ + if (EXT4_EXT_MAY_ZEROOUT & split_flag) { + if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) { + if (split_flag & EXT4_EXT_DATA_VALID1) { +@@ -3488,7 +3507,7 @@ fix_extent_len: + ext4_ext_dirty(handle, inode, path + path->p_depth); + return err; + out: +- ext4_ext_show_leaf(inode, path); ++ ext4_ext_show_leaf(inode, *ppath); + return err; + } + diff --git a/queue-5.4/m68k-add-missing-mmap_read_lock-to-sys_cacheflush.patch b/queue-5.4/m68k-add-missing-mmap_read_lock-to-sys_cacheflush.patch new file mode 100644 index 0000000000..73ccbefa3c --- /dev/null +++ b/queue-5.4/m68k-add-missing-mmap_read_lock-to-sys_cacheflush.patch @@ -0,0 +1,36 @@ +From f829b4b212a315b912cb23fd10aaf30534bb5ce9 Mon Sep 17 00:00:00 2001 +From: Liam Howlett +Date: Wed, 7 Apr 2021 20:00:45 +0000 +Subject: m68k: Add missing mmap_read_lock() to sys_cacheflush() + +From: Liam Howlett + +commit f829b4b212a315b912cb23fd10aaf30534bb5ce9 upstream. + +When the superuser flushes the entire cache, the mmap_read_lock() is not +taken, but mmap_read_unlock() is called. Add the missing +mmap_read_lock() call. + +Fixes: cd2567b6850b1648 ("m68k: call find_vma with the mmap_sem held in sys_cacheflush()") +Signed-off-by: Liam R. Howlett +Reviewed-by: Matthew Wilcox (Oracle) +Link: https://lore.kernel.org/r/20210407200032.764445-1-Liam.Howlett@Oracle.com +Signed-off-by: Geert Uytterhoeven +[ mmap_read_lock() open-coded using down_read() as was done prior to v5.8 ] +Signed-off-by: Finn Thain +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/kernel/sys_m68k.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/m68k/kernel/sys_m68k.c ++++ b/arch/m68k/kernel/sys_m68k.c +@@ -388,6 +388,8 @@ sys_cacheflush (unsigned long addr, int + ret = -EPERM; + if (!capable(CAP_SYS_ADMIN)) + goto out; ++ ++ down_read(¤t->mm->mmap_sem); + } else { + struct vm_area_struct *vma; + diff --git a/queue-5.4/m68k-update-thread.esp0-before-calling-syscall_trace-in-ret_from_signal.patch b/queue-5.4/m68k-update-thread.esp0-before-calling-syscall_trace-in-ret_from_signal.patch new file mode 100644 index 0000000000..d1b2d5240a --- /dev/null +++ b/queue-5.4/m68k-update-thread.esp0-before-calling-syscall_trace-in-ret_from_signal.patch @@ -0,0 +1,39 @@ +From 50e43a57334400668952f8e551c9d87d3ed2dfef Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 25 Jul 2021 17:19:45 +0000 +Subject: m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal + +From: Al Viro + +commit 50e43a57334400668952f8e551c9d87d3ed2dfef upstream. + +We get there when sigreturn has performed obscene acts on kernel stack; +in particular, the location of pt_regs has shifted. We are about to call +syscall_trace(), which might stop for tracer. If that happens, we'd better +have task_pt_regs() returning correct result... + +Fucked-up-by: Al Viro +Fixes: bd6f56a75bb2 ("m68k: Missing syscall_trace() on sigreturn") +Signed-off-by: Al Viro +Tested-by: Michael Schmitz +Reviewed-by: Michael Schmitz +Tested-by: Finn Thain +Link: https://lore.kernel.org/r/YP2dMWeV1LkHiOpr@zeniv-ca.linux.org.uk +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Finn Thain +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/kernel/entry.S | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/m68k/kernel/entry.S ++++ b/arch/m68k/kernel/entry.S +@@ -182,6 +182,8 @@ ENTRY(ret_from_signal) + movel %curptr@(TASK_STACK),%a1 + tstb %a1@(TINFO_FLAGS+2) + jge 1f ++ lea %sp@(SWITCH_STACK_SIZE),%a1 ++ movel %a1,%curptr@(TASK_THREAD+THREAD_ESP0) + jbsr syscall_trace + 1: RESTORE_SWITCH_STACK + addql #4,%sp diff --git a/queue-5.4/net-xen-netback-hash.c-use-built-in-rcu-list-checking.patch b/queue-5.4/net-xen-netback-hash.c-use-built-in-rcu-list-checking.patch new file mode 100644 index 0000000000..4184c276ca --- /dev/null +++ b/queue-5.4/net-xen-netback-hash.c-use-built-in-rcu-list-checking.patch @@ -0,0 +1,44 @@ +From f3265971ded98a069ad699b51b8a5ab95e9e5be1 Mon Sep 17 00:00:00 2001 +From: Madhuparna Bhowmik +Date: Wed, 15 Jan 2020 21:25:53 +0530 +Subject: net: xen-netback: hash.c: Use built-in RCU list checking + +From: Madhuparna Bhowmik + +commit f3265971ded98a069ad699b51b8a5ab95e9e5be1 upstream. + +list_for_each_entry_rcu has built-in RCU and lock checking. +Pass cond argument to list_for_each_entry_rcu. + +Signed-off-by: Madhuparna Bhowmik +Acked-by: Wei Liu +Signed-off-by: David S. Miller +Stable-dep-of: 0fa5e94a1811 ("net/xen-netback: prevent UAF in xenvif_flush_hash()") +Signed-off-by: Hagar Hemdan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/hash.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/xen-netback/hash.c ++++ b/drivers/net/xen-netback/hash.c +@@ -51,7 +51,8 @@ static void xenvif_add_hash(struct xenvi + + found = false; + oldest = NULL; +- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) { ++ list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, ++ lockdep_is_held(&vif->hash.cache.lock)) { + /* Make sure we don't add duplicate entries */ + if (entry->len == len && + memcmp(entry->tag, tag, len) == 0) +@@ -102,7 +103,8 @@ static void xenvif_flush_hash(struct xen + + spin_lock_irqsave(&vif->hash.cache.lock, flags); + +- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) { ++ list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, ++ lockdep_is_held(&vif->hash.cache.lock)) { + list_del_rcu(&entry->link); + vif->hash.cache.count--; + kfree_rcu(entry, rcu); diff --git a/queue-5.4/net-xen-netback-prevent-uaf-in-xenvif_flush_hash.patch b/queue-5.4/net-xen-netback-prevent-uaf-in-xenvif_flush_hash.patch new file mode 100644 index 0000000000..1e2dd266b7 --- /dev/null +++ b/queue-5.4/net-xen-netback-prevent-uaf-in-xenvif_flush_hash.patch @@ -0,0 +1,46 @@ +From 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Fri, 23 Aug 2024 03:11:09 +0900 +Subject: net/xen-netback: prevent UAF in xenvif_flush_hash() + +From: Jeongjun Park + +commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 upstream. + +During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, +kfree_rcu does not exist inside the rcu read critical section, so if +kfree_rcu is called when the rcu grace period ends during the iteration, +UAF occurs when accessing head->next after the entry becomes free. + +Therefore, to solve this, you need to change it to list_for_each_entry_safe. + +Signed-off-by: Jeongjun Park +Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Hagar Hemdan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/hash.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/xen-netback/hash.c ++++ b/drivers/net/xen-netback/hash.c +@@ -95,7 +95,7 @@ static u32 xenvif_new_hash(struct xenvif + + static void xenvif_flush_hash(struct xenvif *vif) + { +- struct xenvif_hash_cache_entry *entry; ++ struct xenvif_hash_cache_entry *entry, *n; + unsigned long flags; + + if (xenvif_hash_cache_size == 0) +@@ -103,8 +103,7 @@ static void xenvif_flush_hash(struct xen + + spin_lock_irqsave(&vif->hash.cache.lock, flags); + +- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, +- lockdep_is_held(&vif->hash.cache.lock)) { ++ list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) { + list_del_rcu(&entry->link); + vif->hash.cache.count--; + kfree_rcu(entry, rcu); diff --git a/queue-5.4/series b/queue-5.4/series index d417711249..0e35d4e66f 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -76,3 +76,11 @@ asoc-wm8994-add-depends-on-mfd-core.patch scsi-iscsi-fix-redundant-response-for-iscsi_uevent_g.patch irqchip-sunxi-nmi-add-missing-skip_wake-flag.patch gfs2-truncate-address-space-when-flipping-gfs2_dif_jdata-flag.patch +m68k-update-thread.esp0-before-calling-syscall_trace-in-ret_from_signal.patch +m68k-add-missing-mmap_read_lock-to-sys_cacheflush.patch +signal-m68k-use-force_sigsegv-sigsegv-in-fpsp040_die.patch +net-xen-netback-hash.c-use-built-in-rcu-list-checking.patch +net-xen-netback-prevent-uaf-in-xenvif_flush_hash.patch +vfio-platform-check-the-bounds-of-read-write-syscalls.patch +ext4-avoid-ext4_error-s-caused-by-enomem-in-the-truncate-path.patch +ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch diff --git a/queue-5.4/signal-m68k-use-force_sigsegv-sigsegv-in-fpsp040_die.patch b/queue-5.4/signal-m68k-use-force_sigsegv-sigsegv-in-fpsp040_die.patch new file mode 100644 index 0000000000..e39d42219d --- /dev/null +++ b/queue-5.4/signal-m68k-use-force_sigsegv-sigsegv-in-fpsp040_die.patch @@ -0,0 +1,63 @@ +From a3616a3c02722d1edb95acc7fceade242f6553ba Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Mon, 26 Jul 2021 14:23:11 -0500 +Subject: signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die + +From: Eric W. Biederman + +commit a3616a3c02722d1edb95acc7fceade242f6553ba upstream. + +In the fpsp040 code when copyin or copyout fails call +force_sigsegv(SIGSEGV) instead of do_exit(SIGSEGV). + +This solves a couple of problems. Because do_exit embeds the ptrace +stop PTRACE_EVENT_EXIT a complete stack frame needs to be present for +that to work correctly. There is always the information needed for a +ptrace stop where get_signal is called. So exiting with a signal +solves the ptrace issue. + +Further exiting with a signal ensures that all of the threads in a +process are killed not just the thread that malfunctioned. Which +avoids confusing userspace. + +To make force_sigsegv(SIGSEGV) work in fpsp040_die modify the code to +save all of the registers and jump to ret_from_exception (which +ultimately calls get_signal) after fpsp040_die returns. + +v2: Updated the branches to use gas's pseudo ops that automatically + calculate the best branch instruction to use for the purpose. + +v1: https://lkml.kernel.org/r/87a6m8kgtx.fsf_-_@disp2133 +Link: https://lkml.kernel.org/r/87tukghjfs.fsf_-_@disp2133 +Acked-by: Geert Uytterhoeven +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Finn Thain +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/fpsp040/skeleton.S | 3 ++- + arch/m68k/kernel/traps.c | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/m68k/fpsp040/skeleton.S ++++ b/arch/m68k/fpsp040/skeleton.S +@@ -502,7 +502,8 @@ in_ea: + .section .fixup,"ax" + .even + 1: +- jbra fpsp040_die ++ jbsr fpsp040_die ++ jbra .Lnotkern + + .section __ex_table,"a" + .align 4 +--- a/arch/m68k/kernel/traps.c ++++ b/arch/m68k/kernel/traps.c +@@ -1155,7 +1155,7 @@ asmlinkage void set_esp0(unsigned long s + */ + asmlinkage void fpsp040_die(void) + { +- do_exit(SIGSEGV); ++ force_sigsegv(SIGSEGV); + } + + #ifdef CONFIG_M68KFPU_EMU diff --git a/queue-5.4/vfio-platform-check-the-bounds-of-read-write-syscalls.patch b/queue-5.4/vfio-platform-check-the-bounds-of-read-write-syscalls.patch new file mode 100644 index 0000000000..82395d4402 --- /dev/null +++ b/queue-5.4/vfio-platform-check-the-bounds-of-read-write-syscalls.patch @@ -0,0 +1,54 @@ +From ce9ff21ea89d191e477a02ad7eabf4f996b80a69 Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Wed, 22 Jan 2025 10:38:30 -0700 +Subject: vfio/platform: check the bounds of read/write syscalls +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Williamson + +commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream. + +count and offset are passed from user space and not checked, only +offset is capped to 40 bits, which can be used to read/write out of +bounds of the device. + +Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”) +Cc: stable@vger.kernel.org +Reported-by: Mostafa Saleh +Reviewed-by: Eric Auger +Reviewed-by: Mostafa Saleh +Tested-by: Mostafa Saleh +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/platform/vfio_platform_common.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/vfio/platform/vfio_platform_common.c ++++ b/drivers/vfio/platform/vfio_platform_common.c +@@ -405,6 +405,11 @@ static ssize_t vfio_platform_read_mmio(s + { + unsigned int done = 0; + ++ if (off >= reg->size) ++ return -EINVAL; ++ ++ count = min_t(size_t, count, reg->size - off); ++ + if (!reg->ioaddr) { + reg->ioaddr = + ioremap_nocache(reg->addr, reg->size); +@@ -482,6 +487,11 @@ static ssize_t vfio_platform_write_mmio( + { + unsigned int done = 0; + ++ if (off >= reg->size) ++ return -EINVAL; ++ ++ count = min_t(size_t, count, reg->size - off); ++ + if (!reg->ioaddr) { + reg->ioaddr = + ioremap_nocache(reg->addr, reg->size);