From 313715456ef31ade73a2c72c44cfadc1a6c32658 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 21 Oct 2025 20:14:55 +0200
Subject: [PATCH] 6.1-stable patches

added patches:
hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch
pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch
---
...of-bounds-read-in-hfsplus_strcasecmp.patch | 223 ++++++++++++++++++
...-are-powered-for-config-reads-part-2.patch | 66 ++++++
queue-6.1/series | 2 +
3 files changed, 291 insertions(+)
create mode 100644 queue-6.1/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch
create mode 100644 queue-6.1/pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch
diff --git a/queue-6.1/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch b/queue-6.1/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch
new file mode 100644
index 0000000000..0660fa2a1e
--- /dev/null
+++ b/queue-6.1/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch
@@ -0,0 +1,223 @@
+From 42520df65bf67189541a425f7d36b0b3e7bd7844 Mon Sep 17 00:00:00 2001
+From: Viacheslav Dubeyko
+Date: Fri, 19 Sep 2025 12:12:44 -0700
+Subject: hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()
+
+From: Viacheslav Dubeyko
+
+commit 42520df65bf67189541a425f7d36b0b3e7bd7844 upstream.
+
+The hfsplus_strcasecmp() logic can trigger the issue:
+
+[ 117.317703][ T9855] ==================================================================
+[ 117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490
+[ 117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855
+[ 117.319577][ T9855]
+[ 117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full)
+[ 117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 117.319783][ T9855] Call Trace:
+[ 117.319785][ T9855]
+[ 117.319788][ T9855] dump_stack_lvl+0x1c1/0x2a0
+[ 117.319795][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
+[ 117.319803][ T9855] ? __pfx_dump_stack_lvl+0x10/0x10
+[ 117.319808][ T9855] ? rcu_is_watching+0x15/0xb0
+[ 117.319816][ T9855] ? lock_release+0x4b/0x3e0
+[ 117.319821][ T9855] ? __kasan_check_byte+0x12/0x40
+[ 117.319828][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
+[ 117.319835][ T9855] ? __virt_addr_valid+0x4a5/0x5c0
+[ 117.319842][ T9855] print_report+0x17e/0x7e0
+[ 117.319848][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
+[ 117.319855][ T9855] ? __virt_addr_valid+0x4a5/0x5c0
+[ 117.319862][ T9855] ? __phys_addr+0xd3/0x180
+[ 117.319869][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490
+[ 117.319876][ T9855] kasan_report+0x147/0x180
+[ 117.319882][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490
+[ 117.319891][ T9855] hfsplus_strcasecmp+0x1bc/0x490
+[ 117.319900][ T9855] ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10
+[ 117.319906][ T9855] hfs_find_rec_by_key+0xa9/0x1e0
+[ 117.319913][ T9855] __hfsplus_brec_find+0x18e/0x470
+[ 117.319920][ T9855] ? __pfx_hfsplus_bnode_find+0x10/0x10
+[ 117.319926][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10
+[ 117.319933][ T9855] ? __pfx___hfsplus_brec_find+0x10/0x10
+[ 117.319942][ T9855] hfsplus_brec_find+0x28f/0x510
+[ 117.319949][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10
+[ 117.319956][ T9855] ? __pfx_hfsplus_brec_find+0x10/0x10
+[ 117.319963][ T9855] ? __kmalloc_noprof+0x2a9/0x510
+[ 117.319969][ T9855] ? hfsplus_find_init+0x8c/0x1d0
+[ 117.319976][ T9855] hfsplus_brec_read+0x2b/0x120
+[ 117.319983][ T9855] hfsplus_lookup+0x2aa/0x890
+[ 117.319990][ T9855] ? __pfx_hfsplus_lookup+0x10/0x10
+[ 117.320003][ T9855] ? d_alloc_parallel+0x2f0/0x15e0
+[ 117.320008][ T9855] ? __lock_acquire+0xaec/0xd80
+[ 117.320013][ T9855] ? __pfx_d_alloc_parallel+0x10/0x10
+[ 117.320019][ T9855] ? __raw_spin_lock_init+0x45/0x100
+[ 117.320026][ T9855] ? __init_waitqueue_head+0xa9/0x150
+[ 117.320034][ T9855] __lookup_slow+0x297/0x3d0
+[ 117.320039][ T9855] ? __pfx___lookup_slow+0x10/0x10
+[ 117.320045][ T9855] ? down_read+0x1ad/0x2e0
+[ 117.320055][ T9855] lookup_slow+0x53/0x70
+[ 117.320065][ T9855] walk_component+0x2f0/0x430
+[ 117.320073][ T9855] path_lookupat+0x169/0x440
+[ 117.320081][ T9855] filename_lookup+0x212/0x590
+[ 117.320089][ T9855] ? __pfx_filename_lookup+0x10/0x10
+[ 117.320098][ T9855] ? strncpy_from_user+0x150/0x290
+[ 117.320105][ T9855] ? getname_flags+0x1e5/0x540
+[ 117.320112][ T9855] user_path_at+0x3a/0x60
+[ 117.320117][ T9855] __x64_sys_umount+0xee/0x160
+[ 117.320123][ T9855] ? __pfx___x64_sys_umount+0x10/0x10
+[ 117.320129][ T9855] ? do_syscall_64+0xb7/0x3a0
+[ 117.320135][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 117.320141][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 117.320145][ T9855] do_syscall_64+0xf3/0x3a0
+[ 117.320150][ T9855] ? exc_page_fault+0x9f/0xf0
+[ 117.320154][ T9855] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 117.320158][ T9855] RIP: 0033:0x7f7dd7908b07
+[ 117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08
+[ 117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
+[ 117.320172][ T9855] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dd7908b07
+[ 117.320176][ T9855] RDX: 0000000000000009 RSI: 0000000000000009 RDI: 00007ffd5ebd9740
+[ 117.320179][ T9855] RBP: 00007ffd5ebda780 R08: 0000000000000005 R09: 00007ffd5ebd9530
+[ 117.320181][ T9855] R10: 00007f7dd799bfc0 R11: 0000000000000202 R12: 000055e2008b32d0
+[ 117.320184][ T9855] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 117.320189][ T9855]
+[ 117.320190][ T9855]
+[ 117.351311][ T9855] Allocated by task 9855:
+[ 117.351683][ T9855] kasan_save_track+0x3e/0x80
+[ 117.352093][ T9855] __kasan_kmalloc+0x8d/0xa0
+[ 117.352490][ T9855] __kmalloc_noprof+0x288/0x510
+[ 117.352914][ T9855] hfsplus_find_init+0x8c/0x1d0
+[ 117.353342][ T9855] hfsplus_lookup+0x19c/0x890
+[ 117.353747][ T9855] __lookup_slow+0x297/0x3d0
+[ 117.354148][ T9855] lookup_slow+0x53/0x70
+[ 117.354514][ T9855] walk_component+0x2f0/0x430
+[ 117.354921][ T9855] path_lookupat+0x169/0x440
+[ 117.355325][ T9855] filename_lookup+0x212/0x590
+[ 117.355740][ T9855] user_path_at+0x3a/0x60
+[ 117.356115][ T9855] __x64_sys_umount+0xee/0x160
+[ 117.356529][ T9855] do_syscall_64+0xf3/0x3a0
+[ 117.356920][ T9855] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 117.357429][ T9855]
+[ 117.357636][ T9855] The buggy address belongs to the object at ffff88802160f000
+[ 117.357636][ T9855] which belongs to the cache kmalloc-2k of size 2048
+[ 117.358827][ T9855] The buggy address is located 0 bytes to the right of
+[ 117.358827][ T9855] allocated 1036-byte region [ffff88802160f000, ffff88802160f40c)
+[ 117.360061][ T9855]
+[ 117.360266][ T9855] The buggy address belongs to the physical page:
+[ 117.360813][ T9855] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21608
+[ 117.361562][ T9855] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+[ 117.362285][ T9855] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
+[ 117.362929][ T9855] page_type: f5(slab)
+[ 117.363282][ T9855] raw: 00fff00000000040 ffff88801a842f00 ffffea0000932000 dead000000000002
+[ 117.364015][ T9855] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
+[ 117.364750][ T9855] head: 00fff00000000040 ffff88801a842f00 ffffea0000932000 dead000000000002
+[ 117.365491][ T9855] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
+[ 117.366232][ T9855] head: 00fff00000000003 ffffea0000858201 00000000ffffffff 00000000ffffffff
+[ 117.366968][ T9855] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
+[ 117.367711][ T9855] page dumped because: kasan: bad access detected
+[ 117.368259][ T9855] page_owner tracks the page as allocated
+[ 117.368745][ T9855] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN1
+[ 117.370541][ T9855] post_alloc_hook+0x240/0x2a0
+[ 117.370954][ T9855] get_page_from_freelist+0x2101/0x21e0
+[ 117.371435][ T9855] __alloc_frozen_pages_noprof+0x274/0x380
+[ 117.371935][ T9855] alloc_pages_mpol+0x241/0x4b0
+[ 117.372360][ T9855] allocate_slab+0x8d/0x380
+[ 117.372752][ T9855] ___slab_alloc+0xbe3/0x1400
+[ 117.373159][ T9855] __kmalloc_cache_noprof+0x296/0x3d0
+[ 117.373621][ T9855] nexthop_net_init+0x75/0x100
+[ 117.374038][ T9855] ops_init+0x35c/0x5c0
+[ 117.374400][ T9855] setup_net+0x10c/0x320
+[ 117.374768][ T9855] copy_net_ns+0x31b/0x4d0
+[ 117.375156][ T9855] create_new_namespaces+0x3f3/0x720
+[ 117.375613][ T9855] unshare_nsproxy_namespaces+0x11c/0x170
+[ 117.376094][ T9855] ksys_unshare+0x4ca/0x8d0
+[ 117.376477][ T9855] __x64_sys_unshare+0x38/0x50
+[ 117.376879][ T9855] do_syscall_64+0xf3/0x3a0
+[ 117.377265][ T9855] page last free pid 9110 tgid 9110 stack trace:
+[ 117.377795][ T9855] __free_frozen_pages+0xbeb/0xd50
+[ 117.378229][ T9855] __put_partials+0x152/0x1a0
+[ 117.378625][ T9855] put_cpu_partial+0x17c/0x250
+[ 117.379026][ T9855] __slab_free+0x2d4/0x3c0
+[ 117.379404][ T9855] qlist_free_all+0x97/0x140
+[ 117.379790][ T9855] kasan_quarantine_reduce+0x148/0x160
+[ 117.380250][ T9855] __kasan_slab_alloc+0x22/0x80
+[ 117.380662][ T9855] __kmalloc_noprof+0x232/0x510
+[ 117.381074][ T9855] tomoyo_supervisor+0xc0a/0x1360
+[ 117.381498][ T9855] tomoyo_env_perm+0x149/0x1e0
+[ 117.381903][ T9855] tomoyo_find_next_domain+0x15ad/0x1b90
+[ 117.382378][ T9855] tomoyo_bprm_check_security+0x11c/0x180
+[ 117.382859][ T9855] security_bprm_check+0x89/0x280
+[ 117.383289][ T9855] bprm_execve+0x8f1/0x14a0
+[ 117.383673][ T9855] do_execveat_common+0x528/0x6b0
+[ 117.384103][ T9855] __x64_sys_execve+0x94/0xb0
+[ 117.384500][ T9855]
+[ 117.384706][ T9855] Memory state around the buggy address:
+[ 117.385179][ T9855] ffff88802160f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 117.385854][ T9855] ffff88802160f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 117.386534][ T9855] >ffff88802160f400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 117.387204][ T9855] ^
+[ 117.387566][ T9855] ffff88802160f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 117.388243][ T9855] ffff88802160f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 117.388918][ T9855] ==================================================================
+
+The issue takes place if the length field of struct hfsplus_unistr
+is bigger than HFSPLUS_MAX_STRLEN. The patch simply checks
+the length of comparing strings. And if the strings' length
+is bigger than HFSPLUS_MAX_STRLEN, then it is corrected
+to this value.
+
+v2
+The string length correction has been added for hfsplus_strcmp().
+
+Reported-by: Jiaming Zhang
+Signed-off-by: Viacheslav Dubeyko
+cc: John Paul Adrian Glaubitz
+cc: Yangtao Li
+cc: linux-fsdevel@vger.kernel.org
+cc: syzkaller@googlegroups.com
+Link: https://lore.kernel.org/r/20250919191243.1370388-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/hfsplus/unicode.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/fs/hfsplus/unicode.c
++++ b/fs/hfsplus/unicode.c
+@@ -40,6 +40,18 @@ int hfsplus_strcasecmp(const struct hfsp
+ p1 = s1->unicode;
+ p2 = s2->unicode;
+
++ if (len1 > HFSPLUS_MAX_STRLEN) {
++ len1 = HFSPLUS_MAX_STRLEN;
++ pr_err("invalid length %u has been corrected to %d\n",
++ be16_to_cpu(s1->length), len1);
++ }
++
++ if (len2 > HFSPLUS_MAX_STRLEN) {
++ len2 = HFSPLUS_MAX_STRLEN;
++ pr_err("invalid length %u has been corrected to %d\n",
++ be16_to_cpu(s2->length), len2);
++ }
++
+ while (1) {
+ c1 = c2 = 0;
+
+@@ -74,6 +86,18 @@ int hfsplus_strcmp(const struct hfsplus_
+ p1 = s1->unicode;
+ p2 = s2->unicode;
+
++ if (len1 > HFSPLUS_MAX_STRLEN) {
++ len1 = HFSPLUS_MAX_STRLEN;
++ pr_err("invalid length %u has been corrected to %d\n",
++ be16_to_cpu(s1->length), len1);
++ }
++
++ if (len2 > HFSPLUS_MAX_STRLEN) {
++ len2 = HFSPLUS_MAX_STRLEN;
++ pr_err("invalid length %u has been corrected to %d\n",
++ be16_to_cpu(s2->length), len2);
++ }
++
+ for (len = min(len1, len2); len > 0; len--) {
+ c1 = be16_to_cpu(*p1);
+ c2 = be16_to_cpu(*p2);
diff --git a/queue-6.1/pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch b/queue-6.1/pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch
new file mode 100644
index 0000000000..0041ca06e9
--- /dev/null
+++ b/queue-6.1/pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch
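Review bot: The `pr_err()` inside the new length clamps is unrated-limited, and both hfsplus_strcasecmp() and hfsplus_strcmp() are the b-tree key comparators (the trace shows the call arriving via hfs_find_rec_by_key), so one mounted image whose on-disk `length` field is corrupted emits a line for every record visited on every lookup; `pr_err_ratelimited("invalid length %u has been corrected to %d\n", ...)` in all four sites keeps the diagnostic without letting a bad image flood the log. The clamp itself is a sound bounds fix, since `unicode[]` in struct hfsplus_unistr holds HFSPLUS_MAX_STRLEN entries, but it handles the symptom at compare time rather than rejecting the oversized key where it is read from the node, so other readers of `s->length` stay unprotected — a follow-up rather than a change to this backport, which should mirror upstream as it does here. Both hunks into fs/hfsplus/unicode.c cut into the middle of their functions: the `len1`/`len2` assignments and the function heads and tails are outside the visible context.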
@@ -0,0 +1,66 @@
+From briannorris@chromium.org Tue Oct 21 20:12:10 2025
+From: Brian Norris
+Date: Mon, 20 Oct 2025 13:41:36 -0700
+Subject: PCI/sysfs: Ensure devices are powered for config reads (part 2)
+To: stable@vger.kernel.org
+Cc: bhelgaas@google.com, Brian Norris , Brian Norris
+Message-ID: <20251020204146.3193844-1-briannorris@chromium.org>
+
+From: Brian Norris
+
+Commit 48991e493507 ("PCI/sysfs: Ensure devices are powered for config
+reads") was applied to various linux-stable trees. However, prior to
+6.12.y, we do not have commit d2bd39c0456b ("PCI: Store all PCIe
+Supported Link Speeds"). Therefore, we also need to apply the change to
+max_link_speed_show().
+
+This was pointed out here:
+
+ Re: Patch "PCI/sysfs: Ensure devices are powered for config reads" has been added to the 6.6-stable tree
+ https://lore.kernel.org/all/aPEMIreBYZ7yk3cm@google.com/
+
+Original change description follows:
+
+ The "max_link_width", "current_link_speed", "current_link_width",
+ "secondary_bus_number", and "subordinate_bus_number" sysfs files all access
+ config registers, but they don't check the runtime PM state. If the device
+ is in D3cold or a parent bridge is suspended, we may see -EINVAL, bogus
+ values, or worse, depending on implementation details.
+
+ Wrap these access in pci_config_pm_runtime_{get,put}() like most of the
+ rest of the similar sysfs attributes.
+
+ Notably, "max_link_speed" does not access config registers; it returns a
+ cached value since d2bd39c0456b ("PCI: Store all PCIe Supported Link
+ Speeds").
+
+Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc")
+Link: https://lore.kernel.org/all/aPEMIreBYZ7yk3cm@google.com/
+Signed-off-by: Brian Norris
+Signed-off-by: Brian Norris
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/pci-sysfs.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -186,9 +186,15 @@ static ssize_t max_link_speed_show(struc
+ struct device_attribute *attr, char *buf)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
++ ssize_t ret;
+
+- return sysfs_emit(buf, "%s\n",
+- pci_speed_string(pcie_get_speed_cap(pdev)));
++ /* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */
++ pci_config_pm_runtime_get(pdev);
++ ret = sysfs_emit(buf, "%s\n",
++ pci_speed_string(pcie_get_speed_cap(pdev)));
++ pci_config_pm_runtime_put(pdev);
++
++ return ret;
+ }
+ static DEVICE_ATTR_RO(max_link_speed);
+
diff --git a/queue-6.1/series b/queue-6.1/series
index d192c96692..57f4e439fb 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -63,3 +63,5 @@ alsa-firewire-amdtp-stream-fix-enum-kernel-doc-warni.patch
 alsa-usb-audio-fix-null-pointer-deference-in-try_to_.patch
 hid-hid-input-only-ignore-0-battery-events-for-digit.patch
 hid-multitouch-fix-name-of-stylus-input-devices.patch
+hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch
+pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch
--
2.47.3
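Review bot: The comment `/* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */` should record that this wrapper is a stable-only divergence, because upstream max_link_speed_show() returns a cached value and carries no runtime-PM get/put; whoever later backports d2bd39c0456b ("PCI: Store all PCIe Supported Link Speeds") to 6.1 needs a cue to drop the pair again. Suggested wording: `/* This tree predates d2bd39c0456b, so pcie_get_speed_cap() still reads PCI_EXP_LNKCAP: the device must be accessible. */`. The get/put brackets only the sysfs_emit() call and `ret` is returned after the put, which is correct since nothing after it touches config space. max_link_speed_show()'s first signature line is outside the hunk; the rest of the body is complete within it.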