From c8d69187052423d6e25bba34344efb7c16d76eab Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 25 Oct 2024 06:20:38 -0400 Subject: [PATCH] Fixes for 6.6 Signed-off-by: Sasha Levin --- .../jfs-fix-sanity-check-in-dbmount.patch | 35 +++++ ...crash-in-stack_top-for-tasks-without.patch | 67 +++++++++ queue-6.6/series | 4 + ...-the-null-character-when-validating-.patch | 42 ++++++ ...es-fix-max_trace_args-limit-handling.patch | 140 ++++++++++++++++++ 5 files changed, 288 insertions(+) create mode 100644 queue-6.6/jfs-fix-sanity-check-in-dbmount.patch create mode 100644 queue-6.6/loongarch-don-t-crash-in-stack_top-for-tasks-without.patch create mode 100644 queue-6.6/tracing-consider-the-null-character-when-validating-.patch create mode 100644 queue-6.6/tracing-probes-fix-max_trace_args-limit-handling.patch diff --git a/queue-6.6/jfs-fix-sanity-check-in-dbmount.patch b/queue-6.6/jfs-fix-sanity-check-in-dbmount.patch new file mode 100644 index 00000000000..3f250591b27 --- /dev/null +++ b/queue-6.6/jfs-fix-sanity-check-in-dbmount.patch @@ -0,0 +1,35 @@ +From 55776cd128be3d3dfe7417820aa9e5dee4588943 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2024 09:40:37 -0500 +Subject: jfs: Fix sanity check in dbMount + +From: Dave Kleikamp + +[ Upstream commit 67373ca8404fe57eb1bb4b57f314cff77ce54932 ] + +MAXAG is a legitimate value for bmp->db_numag + +Fixes: e63866a47556 ("jfs: fix out-of-bounds in dbNextAG() and diAlloc()") + +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 974ecf5e0d952..3ab410059dc20 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -187,7 +187,7 @@ int dbMount(struct inode *ipbmap) + } + + bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); +- if (!bmp->db_numag || bmp->db_numag >= MAXAG) { ++ if (!bmp->db_numag || bmp->db_numag > MAXAG) { + err = -EINVAL; + goto err_release_metapage; + } +-- +2.43.0 + diff --git a/queue-6.6/loongarch-don-t-crash-in-stack_top-for-tasks-without.patch b/queue-6.6/loongarch-don-t-crash-in-stack_top-for-tasks-without.patch new file mode 100644 index 00000000000..1e1b0520e23 --- /dev/null +++ b/queue-6.6/loongarch-don-t-crash-in-stack_top-for-tasks-without.patch @@ -0,0 +1,67 @@ +From 5f5485d9ba085fbc1d1e628b97e7a189f96859eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2024 22:11:19 +0800 +Subject: LoongArch: Don't crash in stack_top() for tasks without vDSO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 134475a9ab8487527238d270639a8cb74c10aab2 ] + +Not all tasks have a vDSO mapped, for example kthreads never do. If such +a task ever ends up calling stack_top(), it will derefence the NULL vdso +pointer and crash. + +This can for example happen when using kunit: + + [<9000000000203874>] stack_top+0x58/0xa8 + [<90000000002956cc>] arch_pick_mmap_layout+0x164/0x220 + [<90000000003c284c>] kunit_vm_mmap_init+0x108/0x12c + [<90000000003c1fbc>] __kunit_add_resource+0x38/0x8c + [<90000000003c2704>] kunit_vm_mmap+0x88/0xc8 + [<9000000000410b14>] usercopy_test_init+0xbc/0x25c + [<90000000003c1db4>] kunit_try_run_case+0x5c/0x184 + [<90000000003c3d54>] kunit_generic_run_threadfn_adapter+0x24/0x48 + [<900000000022e4bc>] kthread+0xc8/0xd4 + [<9000000000200ce8>] ret_from_kernel_thread+0xc/0xa4 + +Fixes: 803b0fc5c3f2 ("LoongArch: Add process management") +Signed-off-by: Thomas Weißschuh +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/kernel/process.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/arch/loongarch/kernel/process.c b/arch/loongarch/kernel/process.c +index f2ff8b5d591e4..6e58f65455c7c 100644 +--- a/arch/loongarch/kernel/process.c ++++ b/arch/loongarch/kernel/process.c +@@ -293,13 +293,15 @@ unsigned long stack_top(void) + { + unsigned long top = TASK_SIZE & PAGE_MASK; + +- /* Space for the VDSO & data page */ +- top -= PAGE_ALIGN(current->thread.vdso->size); +- top -= VVAR_SIZE; +- +- /* Space to randomize the VDSO base */ +- if (current->flags & PF_RANDOMIZE) +- top -= VDSO_RANDOMIZE_SIZE; ++ if (current->thread.vdso) { ++ /* Space for the VDSO & data page */ ++ top -= PAGE_ALIGN(current->thread.vdso->size); ++ top -= VVAR_SIZE; ++ ++ /* Space to randomize the VDSO base */ ++ if (current->flags & PF_RANDOMIZE) ++ top -= VDSO_RANDOMIZE_SIZE; ++ } + + return top; + } +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 77b83c6d2a4..eac81e486f9 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -124,3 +124,7 @@ udf-fix-uninit-value-use-in-udf_get_fileshortad.patch asoc-qcom-sm8250-add-qrb4210-rb2-sndcard-compatible-.patch cifs-validate-content-of-nfs-reparse-point-buffer.patch platform-x86-dell-sysman-add-support-for-alienware-p.patch +loongarch-don-t-crash-in-stack_top-for-tasks-without.patch +jfs-fix-sanity-check-in-dbmount.patch +tracing-probes-fix-max_trace_args-limit-handling.patch +tracing-consider-the-null-character-when-validating-.patch diff --git a/queue-6.6/tracing-consider-the-null-character-when-validating-.patch b/queue-6.6/tracing-consider-the-null-character-when-validating-.patch new file mode 100644 index 00000000000..519b75f5b8f --- /dev/null +++ b/queue-6.6/tracing-consider-the-null-character-when-validating-.patch @@ -0,0 +1,42 @@ +From d5d8282bda704828e742c40b498866fdba85ffe6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 15:47:24 +0100 +Subject: tracing: Consider the NULL character when validating the event length + +From: Leo Yan + +[ Upstream commit 0b6e2e22cb23105fcb171ab92f0f7516c69c8471 ] + +strlen() returns a string length excluding the null byte. If the string +length equals to the maximum buffer length, the buffer will have no +space for the NULL terminating character. + +This commit checks this condition and returns failure for it. + +Link: https://lore.kernel.org/all/20241007144724.920954-1-leo.yan@arm.com/ + +Fixes: dec65d79fd26 ("tracing/probe: Check event name length correctly") +Signed-off-by: Leo Yan +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c +index 58a6275c7f496..a1bc49de648f2 100644 +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -275,7 +275,7 @@ int traceprobe_parse_event_name(const char **pevent, const char **pgroup, + } + trace_probe_log_err(offset, NO_EVENT_NAME); + return -EINVAL; +- } else if (len > MAX_EVENT_NAME_LEN) { ++ } else if (len >= MAX_EVENT_NAME_LEN) { + trace_probe_log_err(offset, EVENT_TOO_LONG); + return -EINVAL; + } +-- +2.43.0 + diff --git a/queue-6.6/tracing-probes-fix-max_trace_args-limit-handling.patch b/queue-6.6/tracing-probes-fix-max_trace_args-limit-handling.patch new file mode 100644 index 00000000000..bd6f807b112 --- /dev/null +++ b/queue-6.6/tracing-probes-fix-max_trace_args-limit-handling.patch @@ -0,0 +1,140 @@ +From 25a2e5c8508698ae1406e581f09f9fcba7fc1b3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 16:26:54 -0400 +Subject: tracing/probes: Fix MAX_TRACE_ARGS limit handling + +From: Mikel Rychliski + +[ Upstream commit 73f35080477e893aa6f4c8d388352b871b288fbc ] + +When creating a trace_probe we would set nr_args prior to truncating the +arguments to MAX_TRACE_ARGS. However, we would only initialize arguments +up to the limit. + +This caused invalid memory access when attempting to set up probes with +more than 128 fetchargs. + + BUG: kernel NULL pointer dereference, address: 0000000000000020 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] PREEMPT SMP PTI + CPU: 0 UID: 0 PID: 1769 Comm: cat Not tainted 6.11.0-rc7+ #8 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014 + RIP: 0010:__set_print_fmt+0x134/0x330 + +Resolve the issue by applying the MAX_TRACE_ARGS limit earlier. Return +an error when there are too many arguments instead of silently +truncating. + +Link: https://lore.kernel.org/all/20240930202656.292869-1-mikel@mikelr.com/ + +Fixes: 035ba76014c0 ("tracing/probes: cleanup: Set trace_probe::nr_args at trace_probe_init") +Signed-off-by: Mikel Rychliski +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_eprobe.c | 7 ++++++- + kernel/trace/trace_fprobe.c | 6 +++++- + kernel/trace/trace_kprobe.c | 6 +++++- + kernel/trace/trace_uprobe.c | 4 +++- + 4 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/trace_eprobe.c b/kernel/trace/trace_eprobe.c +index b03bc30f85ee3..31bb977670bdf 100644 +--- a/kernel/trace/trace_eprobe.c ++++ b/kernel/trace/trace_eprobe.c +@@ -915,6 +915,11 @@ static int __trace_eprobe_create(int argc, const char *argv[]) + } + } + ++ if (argc - 2 > MAX_TRACE_ARGS) { ++ ret = -E2BIG; ++ goto error; ++ } ++ + mutex_lock(&event_mutex); + event_call = find_and_get_event(sys_name, sys_event); + ep = alloc_event_probe(group, event, event_call, argc - 2); +@@ -940,7 +945,7 @@ static int __trace_eprobe_create(int argc, const char *argv[]) + + argc -= 2; argv += 2; + /* parse arguments */ +- for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) { ++ for (i = 0; i < argc; i++) { + trace_probe_log_set_index(i + 2); + ret = trace_eprobe_tp_update_arg(ep, argv, i); + if (ret) +diff --git a/kernel/trace/trace_fprobe.c b/kernel/trace/trace_fprobe.c +index 4f42808155225..f26bb8a90cb54 100644 +--- a/kernel/trace/trace_fprobe.c ++++ b/kernel/trace/trace_fprobe.c +@@ -1103,6 +1103,10 @@ static int __trace_fprobe_create(int argc, const char *argv[]) + argc = new_argc; + argv = new_argv; + } ++ if (argc > MAX_TRACE_ARGS) { ++ ret = -E2BIG; ++ goto out; ++ } + + /* setup a probe */ + tf = alloc_trace_fprobe(group, event, symbol, tpoint, maxactive, +@@ -1119,7 +1123,7 @@ static int __trace_fprobe_create(int argc, const char *argv[]) + (unsigned long)tf->tpoint->probestub); + + /* parse arguments */ +- for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) { ++ for (i = 0; i < argc; i++) { + trace_probe_log_set_index(i + 2); + ctx.offset = 0; + ret = traceprobe_parse_probe_arg(&tf->tp, i, argv[i], &ctx); +diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c +index 32c617123f374..12d997bb3e789 100644 +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -932,6 +932,10 @@ static int __trace_kprobe_create(int argc, const char *argv[]) + argc = new_argc; + argv = new_argv; + } ++ if (argc > MAX_TRACE_ARGS) { ++ ret = -E2BIG; ++ goto out; ++ } + + /* setup a probe */ + tk = alloc_trace_kprobe(group, event, addr, symbol, offset, maxactive, +@@ -944,7 +948,7 @@ static int __trace_kprobe_create(int argc, const char *argv[]) + } + + /* parse arguments */ +- for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) { ++ for (i = 0; i < argc; i++) { + trace_probe_log_set_index(i + 2); + ctx.offset = 0; + ret = traceprobe_parse_probe_arg(&tk->tp, i, argv[i], &ctx); +diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c +index d72ac9dde5321..3e7d92d2650bc 100644 +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -556,6 +556,8 @@ static int __trace_uprobe_create(int argc, const char **argv) + + if (argc < 2) + return -ECANCELED; ++ if (argc - 2 > MAX_TRACE_ARGS) ++ return -E2BIG; + + if (argv[0][1] == ':') + event = &argv[0][2]; +@@ -681,7 +683,7 @@ static int __trace_uprobe_create(int argc, const char **argv) + tu->filename = filename; + + /* parse arguments */ +- for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) { ++ for (i = 0; i < argc; i++) { + struct traceprobe_parse_context ctx = { + .flags = (is_return ? TPARG_FL_RETURN : 0) | TPARG_FL_USER, + }; +-- +2.43.0 + -- 2.47.2