--- /dev/null
+From 98ea0039dbfdd00e5cc1b9a8afa40434476c0955 Mon Sep 17 00:00:00 2001
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Date: Wed, 7 Jan 2026 10:33:46 +0800
+Subject: f2fs: fix out-of-bounds access in sysfs attribute read/write
+
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+
+commit 98ea0039dbfdd00e5cc1b9a8afa40434476c0955 upstream.
+
+Some f2fs sysfs attributes suffer from out-of-bounds memory access and
+incorrect handling of integer values whose size is not 4 bytes.
+
+For example:
+vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out
+vm:~# cat /sys/fs/f2fs/vde/carve_out
+65537
+vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold
+vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold
+1
+
+carve_out maps to {struct f2fs_sb_info}->carve_out, which is a 8-bit
+integer. However, the sysfs interface allows setting it to a value
+larger than 255, resulting in an out-of-range update.
+
+atgc_age_threshold maps to {struct atgc_management}->age_threshold,
+which is a 64-bit integer, but its sysfs interface cannot correctly set
+values larger than UINT_MAX.
+
+The root causes are:
+1. __sbi_store() treats all default values as unsigned int, which
+prevents updating integers larger than 4 bytes and causes out-of-bounds
+writes for integers smaller than 4 bytes.
+
+2. f2fs_sbi_show() also assumes all default values are unsigned int,
+leading to out-of-bounds reads and incorrect access to integers larger
+than 4 bytes.
+
+This patch introduces {struct f2fs_attr}->size to record the actual size
+of the integer associated with each sysfs attribute. With this
+information, sysfs read and write operations can correctly access and
+update values according to their real data size, avoiding memory
+corruption and truncation.
+
+Fixes: b59d0bae6ca3 ("f2fs: add sysfs support for controlling the gc_thread")
+Cc: stable@kernel.org
+Signed-off-by: Jinbao Liu <liujinbao1@xiaomi.com>
+Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/sysfs.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 52 insertions(+), 8 deletions(-)
+
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -58,6 +58,7 @@ struct f2fs_attr {
+ const char *buf, size_t len);
+ int struct_type;
+ int offset;
++ int size;
+ int id;
+ };
+
+@@ -325,11 +326,30 @@ static ssize_t main_blkaddr_show(struct
+ (unsigned long long)MAIN_BLKADDR(sbi));
+ }
+
++static ssize_t __sbi_show_value(struct f2fs_attr *a,
++ struct f2fs_sb_info *sbi, char *buf,
++ unsigned char *value)
++{
++ switch (a->size) {
++ case 1:
++ return sysfs_emit(buf, "%u\n", *(u8 *)value);
++ case 2:
++ return sysfs_emit(buf, "%u\n", *(u16 *)value);
++ case 4:
++ return sysfs_emit(buf, "%u\n", *(u32 *)value);
++ case 8:
++ return sysfs_emit(buf, "%llu\n", *(u64 *)value);
++ default:
++ f2fs_bug_on(sbi, 1);
++ return sysfs_emit(buf,
++ "show sysfs node value with wrong type\n");
++ }
++}
++
+ static ssize_t f2fs_sbi_show(struct f2fs_attr *a,
+ struct f2fs_sb_info *sbi, char *buf)
+ {
+ unsigned char *ptr = NULL;
+- unsigned int *ui;
+
+ ptr = __struct_ptr(sbi, a->struct_type);
+ if (!ptr)
+@@ -409,9 +429,30 @@ static ssize_t f2fs_sbi_show(struct f2fs
+ atomic_read(&sbi->cp_call_count[BACKGROUND]));
+ #endif
+
+- ui = (unsigned int *)(ptr + a->offset);
++ return __sbi_show_value(a, sbi, buf, ptr + a->offset);
++}
+
+- return sysfs_emit(buf, "%u\n", *ui);
++static void __sbi_store_value(struct f2fs_attr *a,
++ struct f2fs_sb_info *sbi,
++ unsigned char *ui, unsigned long value)
++{
++ switch (a->size) {
++ case 1:
++ *(u8 *)ui = value;
++ break;
++ case 2:
++ *(u16 *)ui = value;
++ break;
++ case 4:
++ *(u32 *)ui = value;
++ break;
++ case 8:
++ *(u64 *)ui = value;
++ break;
++ default:
++ f2fs_bug_on(sbi, 1);
++ f2fs_err(sbi, "store sysfs node value with wrong type");
++ }
+ }
+
+ static ssize_t __sbi_store(struct f2fs_attr *a,
+@@ -868,7 +909,7 @@ out:
+ return count;
+ }
+
+- *ui = (unsigned int)t;
++ __sbi_store_value(a, sbi, ptr + a->offset, t);
+
+ return count;
+ }
+@@ -1015,24 +1056,27 @@ static struct f2fs_attr f2fs_attr_sb_##_
+ .id = F2FS_FEATURE_##_feat, \
+ }
+
+-#define F2FS_ATTR_OFFSET(_struct_type, _name, _mode, _show, _store, _offset) \
++#define F2FS_ATTR_OFFSET(_struct_type, _name, _mode, _show, _store, _offset, _size) \
+ static struct f2fs_attr f2fs_attr_##_name = { \
+ .attr = {.name = __stringify(_name), .mode = _mode }, \
+ .show = _show, \
+ .store = _store, \
+ .struct_type = _struct_type, \
+- .offset = _offset \
++ .offset = _offset, \
++ .size = _size \
+ }
+
+ #define F2FS_RO_ATTR(struct_type, struct_name, name, elname) \
+ F2FS_ATTR_OFFSET(struct_type, name, 0444, \
+ f2fs_sbi_show, NULL, \
+- offsetof(struct struct_name, elname))
++ offsetof(struct struct_name, elname), \
++ sizeof_field(struct struct_name, elname))
+
+ #define F2FS_RW_ATTR(struct_type, struct_name, name, elname) \
+ F2FS_ATTR_OFFSET(struct_type, name, 0644, \
+ f2fs_sbi_show, f2fs_sbi_store, \
+- offsetof(struct struct_name, elname))
++ offsetof(struct struct_name, elname), \
++ sizeof_field(struct struct_name, elname))
+
+ #define F2FS_GENERAL_RO_ATTR(name) \
+ static struct f2fs_attr f2fs_attr_##name = __ATTR(name, 0444, name##_show, NULL)
--- /dev/null
+From 761dac9073cd67d4705a94cd1af674945a117f4c Mon Sep 17 00:00:00 2001
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Date: Fri, 26 Dec 2025 10:56:04 +0800
+Subject: f2fs: fix to add gc count stat in f2fs_gc_range
+
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+
+commit 761dac9073cd67d4705a94cd1af674945a117f4c upstream.
+
+It missed the stat count in f2fs_gc_range.
+
+Cc: stable@kernel.org
+Fixes: 9bf1dcbdfdc8 ("f2fs: fix to account gc stats correctly")
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/gc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -2072,6 +2072,7 @@ int f2fs_gc_range(struct f2fs_sb_info *s
+ if (unlikely(f2fs_cp_error(sbi)))
+ return -EIO;
+
++ stat_inc_gc_call_count(sbi, FOREGROUND);
+ for (segno = start_seg; segno <= end_seg; segno += SEGS_PER_SEC(sbi)) {
+ struct gc_inode_list gc_list = {
+ .ilist = LIST_HEAD_INIT(gc_list.ilist),
--- /dev/null
+From 5c145c03188bc9ba1c29e0bc4d527a5978fc47f9 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Tue, 13 Jan 2026 14:22:29 +0800
+Subject: f2fs: fix to avoid mapping wrong physical block for swapfile
+
+From: Chao Yu <chao@kernel.org>
+
+commit 5c145c03188bc9ba1c29e0bc4d527a5978fc47f9 upstream.
+
+Xiaolong Guo reported a f2fs bug in bugzilla [1]
+
+[1] https://bugzilla.kernel.org/show_bug.cgi?id=220951
+
+Quoted:
+
+"When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+,
+the system experiences data corruption leading to either:
+1 dm-verity corruption errors and device reboot
+2 F2FS node corruption errors and boot hangs
+
+The issue occurs specifically when:
+1 Using F2FS filesystem (ext4 is unaffected)
+2 Swapfile size is less than F2FS section size (2MB)
+3 Swapfile has fragmented physical layout (multiple non-contiguous extents)
+4 Kernel version is 6.6+ (6.1 is unaffected)
+
+The root cause is in check_swap_activate() function in fs/f2fs/data.c. When the
+first extent of a small swapfile (< 2MB) is not aligned to section boundaries,
+the function incorrectly treats it as the last extent, failing to map
+subsequent extents. This results in incorrect swap_extent creation where only
+the first extent is mapped, causing subsequent swap writes to overwrite wrong
+physical locations (other files' data).
+
+Steps to Reproduce
+1 Setup a device with F2FS-formatted userdata partition
+2 Compile stress-ng from https://github.com/ColinIanKing/stress-ng
+3 Run swap stress test: (Android devices)
+adb shell "cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60
+--swap 0"
+
+Log:
+1 Ftrace shows in kernel 6.6, only first extent is mapped during second
+f2fs_map_blocks call in check_swap_activate():
+stress-ng-swap-8990: f2fs_map_blocks: ino=11002, file offset=0, start
+blkaddr=0x43143, len=0x1
+(Only 4KB mapped, not the full swapfile)
+2 in kernel 6.1, both extents are correctly mapped:
+stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=0, start
+blkaddr=0x13cd4, len=0x1
+stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=1, start
+blkaddr=0x60c84b, len=0xff
+
+The problematic code is in check_swap_activate():
+if ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec ||
+ nr_pblocks % blks_per_sec ||
+ !f2fs_valid_pinned_area(sbi, pblock)) {
+ bool last_extent = false;
+
+ not_aligned++;
+
+ nr_pblocks = roundup(nr_pblocks, blks_per_sec);
+ if (cur_lblock + nr_pblocks > sis->max)
+ nr_pblocks -= blks_per_sec;
+
+ /* this extent is last one */
+ if (!nr_pblocks) {
+ nr_pblocks = last_lblock - cur_lblock;
+ last_extent = true;
+ }
+
+ ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks);
+ if (ret) {
+ if (ret == -ENOENT)
+ ret = -EINVAL;
+ goto out;
+ }
+
+ if (!last_extent)
+ goto retry;
+}
+
+When the first extent is unaligned and roundup(nr_pblocks, blks_per_sec)
+exceeds sis->max, we subtract blks_per_sec resulting in nr_pblocks = 0. The
+code then incorrectly assumes this is the last extent, sets nr_pblocks =
+last_lblock - cur_lblock (entire swapfile), and performs migration. After
+migration, it doesn't retry mapping, so subsequent extents are never processed.
+"
+
+In order to fix this issue, we need to lookup block mapping info after
+we migrate all blocks in the tail of swapfile.
+
+Cc: stable@kernel.org
+Fixes: 9703d69d9d15 ("f2fs: support file pinning for zoned devices")
+Cc: Daeho Jeong <daehojeong@google.com>
+Reported-and-tested-by: Xiaolong Guo <guoxiaolong2008@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220951
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/data.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -3980,6 +3980,7 @@ static int check_swap_activate(struct sw
+
+ while (cur_lblock < last_lblock && cur_lblock < sis->max) {
+ struct f2fs_map_blocks map;
++ bool last_extent = false;
+ retry:
+ cond_resched();
+
+@@ -4005,11 +4006,10 @@ retry:
+ pblock = map.m_pblk;
+ nr_pblocks = map.m_len;
+
+- if ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec ||
+- nr_pblocks % blks_per_sec ||
+- f2fs_is_sequential_zone_area(sbi, pblock)) {
+- bool last_extent = false;
+-
++ if (!last_extent &&
++ ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec ||
++ nr_pblocks % blks_per_sec ||
++ f2fs_is_sequential_zone_area(sbi, pblock))) {
+ not_aligned++;
+
+ nr_pblocks = roundup(nr_pblocks, blks_per_sec);
+@@ -4030,8 +4030,8 @@ retry:
+ goto out;
+ }
+
+- if (!last_extent)
+- goto retry;
++ /* lookup block mapping info after block migration */
++ goto retry;
+ }
+
+ if (cur_lblock + nr_pblocks >= sis->max)
--- /dev/null
+From 0eda086de85e140f53c6123a4c00662f4e614ee4 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Tue, 6 Jan 2026 14:31:17 +0800
+Subject: f2fs: fix to check sysfs filename w/ gc_pin_file_thresh correctly
+
+From: Chao Yu <chao@kernel.org>
+
+commit 0eda086de85e140f53c6123a4c00662f4e614ee4 upstream.
+
+Sysfs entry name is gc_pin_file_thresh instead of gc_pin_file_threshold,
+fix it.
+
+Cc: stable@kernel.org
+Fixes: c521a6ab4ad7 ("f2fs: fix to limit gc_pin_file_threshold")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -732,7 +732,7 @@ out:
+ return count;
+ }
+
+- if (!strcmp(a->attr.name, "gc_pin_file_threshold")) {
++ if (!strcmp(a->attr.name, "gc_pin_file_thresh")) {
+ if (t > MAX_GC_FAILED_PINNED_FILES)
+ return -EINVAL;
+ sbi->gc_pin_file_threshold = t;
--- /dev/null
+From 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Sun, 7 Dec 2025 15:25:32 +0800
+Subject: fbdev: rivafb: fix divide error in nv3_arb()
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 upstream.
+
+A userspace program can trigger the RIVA NV3 arbitration code by calling
+the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver
+recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz
+(derived from the PRAMDAC MCLK PLL) as a divisor without validating it
+first.
+
+In a normal setup, state->mclk_khz is provided by the real hardware and is
+non-zero. However, an attacker can construct a malicious or misconfigured
+device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL
+configuration, causing state->mclk_khz to become zero. Once
+nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns
+calculation causes a divide error and crashes the kernel.
+
+Fix this by checking whether state->mclk_khz is zero and bailing out before
+doing the division.
+
+The following log reveals it:
+
+rivafb: setting virtual Y resolution to 2184
+divide error: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]
+RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546
+Call Trace:
+ nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603
+ nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]
+ CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246
+ riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779
+ rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196
+ fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033
+ do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109
+ fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188
+ __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/riva/riva_hw.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/video/fbdev/riva/riva_hw.c
++++ b/drivers/video/fbdev/riva/riva_hw.c
+@@ -436,6 +436,9 @@ static char nv3_arb(nv3_fifo_info * res_
+ vmisses = 2;
+ eburst_size = state->memory_width * 1;
+ mburst_size = 32;
++ if (!state->mclk_khz)
++ return (0);
++
+ gns = 1000000 * (gmisses*state->mem_page_miss + state->mem_latency)/state->mclk_khz;
+ ainfo->by_gfacc = gns*ainfo->gdrain_rate/1000000;
+ ainfo->wcmocc = 0;
--- /dev/null
+From 120adae7b42faa641179270c067864544a50ab69 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 28 Dec 2025 14:17:03 +0100
+Subject: fbdev: smscufx: properly copy ioctl memory to kernelspace
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 120adae7b42faa641179270c067864544a50ab69 upstream.
+
+The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from
+userspace to kernelspace, and instead directly references the memory,
+which can cause problems if invalid data is passed from userspace. Fix
+this all up by correctly copying the memory before accessing it within
+the kernel.
+
+Reported-by: Tianchu Chen <flynnnchen@tencent.com>
+Cc: stable <stable@kernel.org>
+Cc: Steve Glendinning <steve.glendinning@shawell.net>
+Cc: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/smscufx.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/smscufx.c
++++ b/drivers/video/fbdev/smscufx.c
+@@ -932,7 +932,6 @@ static int ufx_ops_ioctl(struct fb_info
+ unsigned long arg)
+ {
+ struct ufx_data *dev = info->par;
+- struct dloarea *area = NULL;
+
+ if (!atomic_read(&dev->usb_active))
+ return 0;
+@@ -947,6 +946,10 @@ static int ufx_ops_ioctl(struct fb_info
+
+ /* TODO: Help propose a standard fb.h ioctl to report mmap damage */
+ if (cmd == UFX_IOCTL_REPORT_DAMAGE) {
++ struct dloarea *area __free(kfree) = kmalloc(sizeof(*area), GFP_KERNEL);
++ if (!area)
++ return -ENOMEM;
++
+ /* If we have a damage-aware client, turn fb_defio "off"
+ * To avoid perf imact of unnecessary page fault handling.
+ * Done by resetting the delay for this fb_info to a very
+@@ -956,7 +959,8 @@ static int ufx_ops_ioctl(struct fb_info
+ if (info->fbdefio)
+ info->fbdefio->delay = UFX_DEFIO_WRITE_DISABLE;
+
+- area = (struct dloarea *)arg;
++ if (copy_from_user(area, (u8 __user *)arg, sizeof(*area)))
++ return -EFAULT;
+
+ if (area->x < 0)
+ area->x = 0;
loongarch-rework-kasan-initialization-for-ptw-enabled-systems.patch
revert-wireguard-device-enable-threaded-napi.patch
cpuset-fix-missing-adaptation-for-cpuset_is_populated.patch
+fbdev-rivafb-fix-divide-error-in-nv3_arb.patch
+fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch
+f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch
+f2fs-fix-to-check-sysfs-filename-w-gc_pin_file_thresh-correctly.patch
+f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch
+f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
