From: Greg Kroah-Hartman Date: Fri, 20 Jun 2025 15:28:31 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.4.295~120 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b11f5e7b8fb45f0cef19282edb5f0a0e3da20c5b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch scsi-s390-zfcp-ensure-synchronous-unit_add.patch scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch selftests-x86-add-a-test-to-detect-infinite-sigtrap-handler-loop.patch selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch udmabuf-use-sgtable-based-scatterlist-wrappers.patch --- diff --git a/queue-5.15/atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch b/queue-5.15/atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch new file mode 100644 index 0000000000..edb71bbf27 --- /dev/null +++ b/queue-5.15/atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch @@ -0,0 +1,75 @@ +From 7851263998d4269125fd6cb3fdbfc7c6db853859 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Mon, 16 Jun 2025 11:21:15 -0700 +Subject: atm: Revert atm_account_tx() if copy_from_iter_full() fails. + +From: Kuniyuki Iwashima + +commit 7851263998d4269125fd6cb3fdbfc7c6db853859 upstream. + +In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by +atm_account_tx(). + +It is expected to be reverted by atm_pop_raw() later called by +vcc->dev->ops->send(vcc, skb). + +However, vcc_sendmsg() misses the same revert when copy_from_iter_full() +fails, and then we will leak a socket. + +Let's factorise the revert part as atm_return_tx() and call it in +the failure path. + +Note that the corresponding sk_wmem_alloc operation can be found in +alloc_tx() as of the blamed commit. + + $ git blame -L:alloc_tx net/atm/common.c c55fa3cccbc2c~ + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Simon Horman +Closes: https://lore.kernel.org/netdev/20250614161959.GR414686@horms.kernel.org/ +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250616182147.963333-3-kuni1840@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/atmdev.h | 6 ++++++ + net/atm/common.c | 1 + + net/atm/raw.c | 2 +- + 3 files changed, 8 insertions(+), 1 deletion(-) + +--- a/include/linux/atmdev.h ++++ b/include/linux/atmdev.h +@@ -249,6 +249,12 @@ static inline void atm_account_tx(struct + ATM_SKB(skb)->atm_options = vcc->atm_options; + } + ++static inline void atm_return_tx(struct atm_vcc *vcc, struct sk_buff *skb) ++{ ++ WARN_ON_ONCE(refcount_sub_and_test(ATM_SKB(skb)->acct_truesize, ++ &sk_atm(vcc)->sk_wmem_alloc)); ++} ++ + static inline void atm_force_charge(struct atm_vcc *vcc,int truesize) + { + atomic_add(truesize, &sk_atm(vcc)->sk_rmem_alloc); +--- a/net/atm/common.c ++++ b/net/atm/common.c +@@ -635,6 +635,7 @@ int vcc_sendmsg(struct socket *sock, str + + skb->dev = NULL; /* for paths shared with net_device interfaces */ + if (!copy_from_iter_full(skb_put(skb, size), size, &m->msg_iter)) { ++ atm_return_tx(vcc, skb); + kfree_skb(skb); + error = -EFAULT; + goto out; +--- a/net/atm/raw.c ++++ b/net/atm/raw.c +@@ -36,7 +36,7 @@ static void atm_pop_raw(struct atm_vcc * + + pr_debug("(%d) %d -= %d\n", + vcc->vci, sk_wmem_alloc_get(sk), ATM_SKB(skb)->acct_truesize); +- WARN_ON(refcount_sub_and_test(ATM_SKB(skb)->acct_truesize, &sk->sk_wmem_alloc)); ++ atm_return_tx(vcc, skb); + dev_kfree_skb_any(skb); + sk->sk_write_space(sk); + } diff --git a/queue-5.15/drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch b/queue-5.15/drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch new file mode 100644 index 0000000000..ef7d5a8525 --- /dev/null +++ b/queue-5.15/drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch @@ -0,0 +1,47 @@ +From 50695153d7ddde3b1696dbf0085be0033bf3ddb3 Mon Sep 17 00:00:00 2001 +From: Andrew Morton +Date: Sat, 7 Jun 2025 17:43:18 -0700 +Subject: drivers/rapidio/rio_cm.c: prevent possible heap overwrite + +From: Andrew Morton + +commit 50695153d7ddde3b1696dbf0085be0033bf3ddb3 upstream. + +In + +riocm_cdev_ioctl(RIO_CM_CHAN_SEND) + -> cm_chan_msg_send() + -> riocm_ch_send() + +cm_chan_msg_send() checks that userspace didn't send too much data but +riocm_ch_send() failed to check that userspace sent sufficient data. The +result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr +which were outside the bounds of the space which cm_chan_msg_send() +allocated. + +Address this by teaching riocm_ch_send() to check that the entire +rio_ch_chan_hdr was copied in from userspace. + +Reported-by: maher azz +Cc: Matt Porter +Cc: Alexandre Bounine +Cc: Linus Torvalds +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rapidio/rio_cm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/rapidio/rio_cm.c ++++ b/drivers/rapidio/rio_cm.c +@@ -787,6 +787,9 @@ static int riocm_ch_send(u16 ch_id, void + if (buf == NULL || ch_id == 0 || len == 0 || len > RIO_MAX_MSG_SIZE) + return -EINVAL; + ++ if (len < sizeof(struct rio_ch_chan_hdr)) ++ return -EINVAL; /* insufficient data from user */ ++ + ch = riocm_get_channel(ch_id); + if (!ch) { + riocm_error("%s(%d) ch_%d not found", current->comm, diff --git a/queue-5.15/jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch b/queue-5.15/jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch new file mode 100644 index 0000000000..033863db01 --- /dev/null +++ b/queue-5.15/jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch @@ -0,0 +1,80 @@ +From 2b6d96503255a3ed676cd70f8368870c6d6a25c6 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Tue, 25 Mar 2025 19:32:13 +0300 +Subject: jffs2: check jffs2_prealloc_raw_node_refs() result in few other places + +From: Fedor Pchelkin + +commit 2b6d96503255a3ed676cd70f8368870c6d6a25c6 upstream. + +Fuzzing hit another invalid pointer dereference due to the lack of +checking whether jffs2_prealloc_raw_node_refs() completed successfully. +Subsequent logic implies that the node refs have been allocated. + +Handle that. The code is ready for propagating the error upwards. + +KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +CPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +RIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600 +Call Trace: + jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline] + jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118 + jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253 + jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167 + jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 + jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302 + generic_perform_write+0x2c2/0x500 mm/filemap.c:3347 + __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465 + generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497 + call_write_iter include/linux/fs.h:2039 [inline] + do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740 + do_iter_write+0x18c/0x710 fs/read_write.c:866 + vfs_writev+0x1db/0x6a0 fs/read_write.c:939 + do_pwritev fs/read_write.c:1036 [inline] + __do_sys_pwritev fs/read_write.c:1083 [inline] + __se_sys_pwritev fs/read_write.c:1078 [inline] + __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078 + do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x67/0xd1 + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 2f785402f39b ("[JFFS2] Reduce visibility of raw_node_ref to upper layers of JFFS2 code.") +Fixes: f560928baa60 ("[JFFS2] Allocate node_ref for wasted space when skipping to page boundary") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Reviewed-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + fs/jffs2/erase.c | 4 +++- + fs/jffs2/scan.c | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/jffs2/erase.c ++++ b/fs/jffs2/erase.c +@@ -427,7 +427,9 @@ static void jffs2_mark_erased_block(stru + .totlen = cpu_to_je32(c->cleanmarker_size) + }; + +- jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ ret = jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ if (ret) ++ goto filebad; + + marker.hdr_crc = cpu_to_je32(crc32(0, &marker, sizeof(struct jffs2_unknown_node)-4)); + +--- a/fs/jffs2/scan.c ++++ b/fs/jffs2/scan.c +@@ -256,7 +256,9 @@ int jffs2_scan_medium(struct jffs2_sb_in + + jffs2_dbg(1, "%s(): Skipping %d bytes in nextblock to ensure page alignment\n", + __func__, skip); +- jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); ++ ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); ++ if (ret) ++ goto out; + jffs2_scan_dirty_space(c, c->nextblock, skip); + } + #endif diff --git a/queue-5.15/jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch b/queue-5.15/jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch new file mode 100644 index 0000000000..ad59dd44de --- /dev/null +++ b/queue-5.15/jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch @@ -0,0 +1,87 @@ +From ec9e6f22bce433b260ea226de127ec68042849b0 Mon Sep 17 00:00:00 2001 +From: Artem Sadovnikov +Date: Fri, 7 Mar 2025 16:34:09 +0000 +Subject: jffs2: check that raw node were preallocated before writing summary + +From: Artem Sadovnikov + +commit ec9e6f22bce433b260ea226de127ec68042849b0 upstream. + +Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault +injection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't +check return value of jffs2_prealloc_raw_node_refs and simply lets any +error propagate into jffs2_sum_write_data, which eventually calls +jffs2_link_node_ref in order to link the summary to an expectedly allocated +node. + +kernel BUG at fs/jffs2/nodelist.c:592! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI +CPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +RIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592 +Call Trace: + + jffs2_sum_write_data fs/jffs2/summary.c:841 [inline] + jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874 + jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388 + jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197 + jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 + jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301 + generic_perform_write+0x314/0x5d0 mm/filemap.c:3856 + __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973 + generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005 + call_write_iter include/linux/fs.h:2265 [inline] + do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735 + do_iter_write+0x186/0x710 fs/read_write.c:861 + vfs_iter_write+0x70/0xa0 fs/read_write.c:902 + iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 + do_splice_from fs/splice.c:763 [inline] + direct_splice_actor+0x10c/0x170 fs/splice.c:950 + splice_direct_to_actor+0x337/0xa10 fs/splice.c:896 + do_splice_direct+0x1a9/0x280 fs/splice.c:1002 + do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 + __do_sys_sendfile64 fs/read_write.c:1323 [inline] + __se_sys_sendfile64 fs/read_write.c:1309 [inline] + __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +Fix this issue by checking return value of jffs2_prealloc_raw_node_refs +before calling jffs2_sum_write_data. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Cc: stable@vger.kernel.org +Fixes: 2f785402f39b ("[JFFS2] Reduce visibility of raw_node_ref to upper layers of JFFS2 code.") +Signed-off-by: Artem Sadovnikov +Reviewed-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + fs/jffs2/summary.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/jffs2/summary.c ++++ b/fs/jffs2/summary.c +@@ -858,7 +858,10 @@ int jffs2_sum_write_sumnode(struct jffs2 + spin_unlock(&c->erase_completion_lock); + + jeb = c->nextblock; +- jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ ret = jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ ++ if (ret) ++ goto out; + + if (!c->summary->sum_num || !c->summary->sum_list_head) { + JFFS2_WARNING("Empty summary info!!!\n"); +@@ -872,6 +875,8 @@ int jffs2_sum_write_sumnode(struct jffs2 + datasize += padsize; + + ret = jffs2_sum_write_data(c, jeb, infosize, datasize, padsize); ++ ++out: + spin_lock(&c->erase_completion_lock); + return ret; + } diff --git a/queue-5.15/scsi-s390-zfcp-ensure-synchronous-unit_add.patch b/queue-5.15/scsi-s390-zfcp-ensure-synchronous-unit_add.patch new file mode 100644 index 0000000000..e4b4279fc4 --- /dev/null +++ b/queue-5.15/scsi-s390-zfcp-ensure-synchronous-unit_add.patch @@ -0,0 +1,46 @@ +From 9697ca0d53e3db357be26d2414276143c4a2cd49 Mon Sep 17 00:00:00 2001 +From: Peter Oberparleiter +Date: Tue, 3 Jun 2025 20:21:56 +0200 +Subject: scsi: s390: zfcp: Ensure synchronous unit_add + +From: Peter Oberparleiter + +commit 9697ca0d53e3db357be26d2414276143c4a2cd49 upstream. + +Improve the usability of the unit_add sysfs attribute by ensuring that +the associated FCP LUN scan processing is completed synchronously. This +enables configuration tooling to consistently determine the end of the +scan process to allow for serialization of follow-on actions. + +While the scan process associated with unit_add typically completes +synchronously, it is deferred to an asynchronous background process if +unit_add is used before initial remote port scanning has completed. This +occurs when unit_add is used immediately after setting the associated FCP +device online. + +To ensure synchronous unit_add processing, wait for remote port scanning +to complete before initiating the FCP LUN scan. + +Cc: stable@vger.kernel.org +Reviewed-by: M Nikhil +Reviewed-by: Nihar Panda +Signed-off-by: Peter Oberparleiter +Signed-off-by: Nihar Panda +Link: https://lore.kernel.org/r/20250603182252.2287285-2-niharp@linux.ibm.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/scsi/zfcp_sysfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/s390/scsi/zfcp_sysfs.c ++++ b/drivers/s390/scsi/zfcp_sysfs.c +@@ -450,6 +450,8 @@ static ssize_t zfcp_sysfs_unit_add_store + if (kstrtoull(buf, 0, (unsigned long long *) &fcp_lun)) + return -EINVAL; + ++ flush_work(&port->rport_work); ++ + retval = zfcp_unit_add(port, fcp_lun); + if (retval) + return retval; diff --git a/queue-5.15/scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch b/queue-5.15/scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch new file mode 100644 index 0000000000..ec2cadd1c0 --- /dev/null +++ b/queue-5.15/scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch @@ -0,0 +1,76 @@ +From b2f966568faaad326de97481096d0f3dc0971c43 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Fri, 6 Jun 2025 13:57:39 -0700 +Subject: scsi: storvsc: Increase the timeouts to storvsc_timeout + +From: Dexuan Cui + +commit b2f966568faaad326de97481096d0f3dc0971c43 upstream. + +Currently storvsc_timeout is only used in storvsc_sdev_configure(), and +5s and 10s are used elsewhere. It turns out that rarely the 5s is not +enough on Azure, so let's use storvsc_timeout everywhere. + +In case a timeout happens and storvsc_channel_init() returns an error, +close the VMBus channel so that any host-to-guest messages in the +channel's ringbuffer, which might come late, can be safely ignored. + +Add a "const" to storvsc_timeout. + +Cc: stable@kernel.org +Signed-off-by: Dexuan Cui +Link: https://lore.kernel.org/r/1749243459-10419-1-git-send-email-decui@microsoft.com +Reviewed-by: Long Li +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/storvsc_drv.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -399,7 +399,7 @@ MODULE_PARM_DESC(ring_avail_percent_lowa + /* + * Timeout in seconds for all devices managed by this driver. + */ +-static int storvsc_timeout = 180; ++static const int storvsc_timeout = 180; + + #if IS_ENABLED(CONFIG_SCSI_FC_ATTRS) + static struct scsi_transport_template *fc_transport_template; +@@ -819,7 +819,7 @@ static void handle_multichannel_storage + return; + } + +- t = wait_for_completion_timeout(&request->wait_event, 10*HZ); ++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ); + if (t == 0) { + dev_err(dev, "Failed to create sub-channel: timed out\n"); + return; +@@ -885,7 +885,7 @@ static int storvsc_execute_vstor_op(stru + if (ret != 0) + return ret; + +- t = wait_for_completion_timeout(&request->wait_event, 5*HZ); ++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ); + if (t == 0) + return -ETIMEDOUT; + +@@ -1398,6 +1398,8 @@ static int storvsc_connect_to_vsp(struct + return ret; + + ret = storvsc_channel_init(device, is_fc); ++ if (ret) ++ vmbus_close(device->channel); + + return ret; + } +@@ -1719,7 +1721,7 @@ static int storvsc_host_reset_handler(st + if (ret != 0) + return FAILED; + +- t = wait_for_completion_timeout(&request->wait_event, 5*HZ); ++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ); + if (t == 0) + return TIMEOUT_ERROR; + diff --git a/queue-5.15/selftests-x86-add-a-test-to-detect-infinite-sigtrap-handler-loop.patch b/queue-5.15/selftests-x86-add-a-test-to-detect-infinite-sigtrap-handler-loop.patch new file mode 100644 index 0000000000..ba6e08eedf --- /dev/null +++ b/queue-5.15/selftests-x86-add-a-test-to-detect-infinite-sigtrap-handler-loop.patch @@ -0,0 +1,152 @@ +From f287822688eeb44ae1cf6ac45701d965efc33218 Mon Sep 17 00:00:00 2001 +From: "Xin Li (Intel)" +Date: Mon, 9 Jun 2025 01:40:54 -0700 +Subject: selftests/x86: Add a test to detect infinite SIGTRAP handler loop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xin Li (Intel) + +commit f287822688eeb44ae1cf6ac45701d965efc33218 upstream. + +When FRED is enabled, if the Trap Flag (TF) is set without an external +debugger attached, it can lead to an infinite loop in the SIGTRAP +handler. To avoid this, the software event flag in the augmented SS +must be cleared, ensuring that no single-step trap remains pending when +ERETU completes. + +This test checks for that specific scenario—verifying whether the kernel +correctly prevents an infinite SIGTRAP loop in this edge case when FRED +is enabled. + +The test should _always_ pass with IDT event delivery, thus no need to +disable the test even when FRED is not enabled. + +Signed-off-by: Xin Li (Intel) +Signed-off-by: Dave Hansen +Tested-by: Sohil Mehta +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/20250609084054.2083189-3-xin%40zytor.com +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/Makefile | 2 + tools/testing/selftests/x86/sigtrap_loop.c | 101 +++++++++++++++++++++++++++++ + 2 files changed, 102 insertions(+), 1 deletion(-) + create mode 100644 tools/testing/selftests/x86/sigtrap_loop.c + +--- a/tools/testing/selftests/x86/Makefile ++++ b/tools/testing/selftests/x86/Makefile +@@ -12,7 +12,7 @@ CAN_BUILD_WITH_NOPIE := $(shell ./check_ + + TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \ + check_initial_reg_state sigreturn iopl ioperm \ +- test_vsyscall mov_ss_trap \ ++ test_vsyscall mov_ss_trap sigtrap_loop \ + syscall_arg_fault fsgsbase_restore sigaltstack + TARGETS_C_32BIT_ONLY := entry_from_vm86 test_syscall_vdso unwind_vdso \ + test_FCMOV test_FCOMI test_FISTTP \ +--- /dev/null ++++ b/tools/testing/selftests/x86/sigtrap_loop.c +@@ -0,0 +1,101 @@ ++// SPDX-License-Identifier: GPL-2.0-only ++/* ++ * Copyright (C) 2025 Intel Corporation ++ */ ++#define _GNU_SOURCE ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifdef __x86_64__ ++# define REG_IP REG_RIP ++#else ++# define REG_IP REG_EIP ++#endif ++ ++static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *), int flags) ++{ ++ struct sigaction sa; ++ ++ memset(&sa, 0, sizeof(sa)); ++ sa.sa_sigaction = handler; ++ sa.sa_flags = SA_SIGINFO | flags; ++ sigemptyset(&sa.sa_mask); ++ ++ if (sigaction(sig, &sa, 0)) ++ err(1, "sigaction"); ++ ++ return; ++} ++ ++static void sigtrap(int sig, siginfo_t *info, void *ctx_void) ++{ ++ ucontext_t *ctx = (ucontext_t *)ctx_void; ++ static unsigned int loop_count_on_same_ip; ++ static unsigned long last_trap_ip; ++ ++ if (last_trap_ip == ctx->uc_mcontext.gregs[REG_IP]) { ++ printf("\tTrapped at %016lx\n", last_trap_ip); ++ ++ /* ++ * If the same IP is hit more than 10 times in a row, it is ++ * _considered_ an infinite loop. ++ */ ++ if (++loop_count_on_same_ip > 10) { ++ printf("[FAIL]\tDetected SIGTRAP infinite loop\n"); ++ exit(1); ++ } ++ ++ return; ++ } ++ ++ loop_count_on_same_ip = 0; ++ last_trap_ip = ctx->uc_mcontext.gregs[REG_IP]; ++ printf("\tTrapped at %016lx\n", last_trap_ip); ++} ++ ++int main(int argc, char *argv[]) ++{ ++ sethandler(SIGTRAP, sigtrap, 0); ++ ++ /* ++ * Set the Trap Flag (TF) to single-step the test code, therefore to ++ * trigger a SIGTRAP signal after each instruction until the TF is ++ * cleared. ++ * ++ * Because the arithmetic flags are not significant here, the TF is ++ * set by pushing 0x302 onto the stack and then popping it into the ++ * flags register. ++ * ++ * Four instructions in the following asm code are executed with the ++ * TF set, thus the SIGTRAP handler is expected to run four times. ++ */ ++ printf("[RUN]\tSIGTRAP infinite loop detection\n"); ++ asm volatile( ++#ifdef __x86_64__ ++ /* ++ * Avoid clobbering the redzone ++ * ++ * Equivalent to "sub $128, %rsp", however -128 can be encoded ++ * in a single byte immediate while 128 uses 4 bytes. ++ */ ++ "add $-128, %rsp\n\t" ++#endif ++ "push $0x302\n\t" ++ "popf\n\t" ++ "nop\n\t" ++ "nop\n\t" ++ "push $0x202\n\t" ++ "popf\n\t" ++#ifdef __x86_64__ ++ "sub $-128, %rsp\n\t" ++#endif ++ ); ++ ++ printf("[OK]\tNo SIGTRAP infinite loop detected\n"); ++ return 0; ++} diff --git a/queue-5.15/selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch b/queue-5.15/selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch new file mode 100644 index 0000000000..4b2fa8ed3f --- /dev/null +++ b/queue-5.15/selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch @@ -0,0 +1,41 @@ +From 86c8db86af43f52f682e53a0f2f0828683be1e52 Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Fri, 13 Jun 2025 15:37:05 -0400 +Subject: selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stephen Smalley + +commit 86c8db86af43f52f682e53a0f2f0828683be1e52 upstream. + +We should count the terminating NUL byte as part of the ctx_len. +Otherwise, UBSAN logs a warning: + UBSAN: array-index-out-of-bounds in security/selinux/xfrm.c:99:14 + index 60 is out of range for type 'char [*]' + +The allocation itself is correct so there is no actual out of bounds +indexing, just a warning. + +Cc: stable@vger.kernel.org +Suggested-by: Christian Göttsche +Link: https://lore.kernel.org/selinux/CAEjxPJ6tA5+LxsGfOJokzdPeRomBHjKLBVR6zbrg+_w3ZZbM3A@mail.gmail.com/ +Signed-off-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/xfrm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/selinux/xfrm.c ++++ b/security/selinux/xfrm.c +@@ -95,7 +95,7 @@ static int selinux_xfrm_alloc_user(struc + + ctx->ctx_doi = XFRM_SC_DOI_LSM; + ctx->ctx_alg = XFRM_SC_ALG_SELINUX; +- ctx->ctx_len = str_len; ++ ctx->ctx_len = str_len + 1; + memcpy(ctx->ctx_str, &uctx[1], str_len); + ctx->ctx_str[str_len] = '\0'; + rc = security_context_to_sid(&selinux_state, ctx->ctx_str, str_len, diff --git a/queue-5.15/series b/queue-5.15/series index 4e707d6ab9..0c3cd9de07 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -345,3 +345,12 @@ platform-x86-dell_rbu-fix-list-usage.patch platform-x86-dell_rbu-stop-overwriting-data-buffer.patch powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch revert-x86-bugs-make-spectre-user-default-depend-on-mitigation_spectre_v2-on-v6.6-and-older.patch +drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch +jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch +jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch +scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch +scsi-s390-zfcp-ensure-synchronous-unit_add.patch +udmabuf-use-sgtable-based-scatterlist-wrappers.patch +selftests-x86-add-a-test-to-detect-infinite-sigtrap-handler-loop.patch +selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch +atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch diff --git a/queue-5.15/udmabuf-use-sgtable-based-scatterlist-wrappers.patch b/queue-5.15/udmabuf-use-sgtable-based-scatterlist-wrappers.patch new file mode 100644 index 0000000000..0d475b4c6b --- /dev/null +++ b/queue-5.15/udmabuf-use-sgtable-based-scatterlist-wrappers.patch @@ -0,0 +1,50 @@ +From afe382843717d44b24ef5014d57dcbaab75a4052 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Wed, 7 May 2025 18:09:12 +0200 +Subject: udmabuf: use sgtable-based scatterlist wrappers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Szyprowski + +commit afe382843717d44b24ef5014d57dcbaab75a4052 upstream. + +Use common wrappers operating directly on the struct sg_table objects to +fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*() +functions have to be called with the number of elements originally passed +to dma_map_sg_*() function, not the one returned in sgtable's nents. + +Fixes: 1ffe09590121 ("udmabuf: fix dma-buf cpu access") +CC: stable@vger.kernel.org +Signed-off-by: Marek Szyprowski +Acked-by: Vivek Kasireddy +Reviewed-by: Christian König +Signed-off-by: Christian König +Link: https://lore.kernel.org/r/20250507160913.2084079-3-m.szyprowski@samsung.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/udmabuf.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/dma-buf/udmabuf.c ++++ b/drivers/dma-buf/udmabuf.c +@@ -133,8 +133,7 @@ static int begin_cpu_udmabuf(struct dma_ + ubuf->sg = NULL; + } + } else { +- dma_sync_sg_for_cpu(dev, ubuf->sg->sgl, ubuf->sg->nents, +- direction); ++ dma_sync_sgtable_for_cpu(dev, ubuf->sg, direction); + } + + return ret; +@@ -149,7 +148,7 @@ static int end_cpu_udmabuf(struct dma_bu + if (!ubuf->sg) + return -EINVAL; + +- dma_sync_sg_for_device(dev, ubuf->sg->sgl, ubuf->sg->nents, direction); ++ dma_sync_sgtable_for_device(dev, ubuf->sg, direction); + return 0; + } +