--- /dev/null
+From 98ea0039dbfdd00e5cc1b9a8afa40434476c0955 Mon Sep 17 00:00:00 2001
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Date: Wed, 7 Jan 2026 10:33:46 +0800
+Subject: f2fs: fix out-of-bounds access in sysfs attribute read/write
+
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+
+commit 98ea0039dbfdd00e5cc1b9a8afa40434476c0955 upstream.
+
+Some f2fs sysfs attributes suffer from out-of-bounds memory access and
+incorrect handling of integer values whose size is not 4 bytes.
+
+For example:
+vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out
+vm:~# cat /sys/fs/f2fs/vde/carve_out
+65537
+vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold
+vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold
+1
+
+carve_out maps to {struct f2fs_sb_info}->carve_out, which is a 8-bit
+integer. However, the sysfs interface allows setting it to a value
+larger than 255, resulting in an out-of-range update.
+
+atgc_age_threshold maps to {struct atgc_management}->age_threshold,
+which is a 64-bit integer, but its sysfs interface cannot correctly set
+values larger than UINT_MAX.
+
+The root causes are:
+1. __sbi_store() treats all default values as unsigned int, which
+prevents updating integers larger than 4 bytes and causes out-of-bounds
+writes for integers smaller than 4 bytes.
+
+2. f2fs_sbi_show() also assumes all default values are unsigned int,
+leading to out-of-bounds reads and incorrect access to integers larger
+than 4 bytes.
+
+This patch introduces {struct f2fs_attr}->size to record the actual size
+of the integer associated with each sysfs attribute. With this
+information, sysfs read and write operations can correctly access and
+update values according to their real data size, avoiding memory
+corruption and truncation.
+
+Fixes: b59d0bae6ca3 ("f2fs: add sysfs support for controlling the gc_thread")
+Cc: stable@kernel.org
+Signed-off-by: Jinbao Liu <liujinbao1@xiaomi.com>
+Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/sysfs.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 52 insertions(+), 8 deletions(-)
+
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -58,6 +58,7 @@ struct f2fs_attr {
+ const char *buf, size_t len);
+ int struct_type;
+ int offset;
++ int size;
+ int id;
+ };
+
+@@ -285,11 +286,30 @@ static ssize_t main_blkaddr_show(struct
+ (unsigned long long)MAIN_BLKADDR(sbi));
+ }
+
++static ssize_t __sbi_show_value(struct f2fs_attr *a,
++ struct f2fs_sb_info *sbi, char *buf,
++ unsigned char *value)
++{
++ switch (a->size) {
++ case 1:
++ return sysfs_emit(buf, "%u\n", *(u8 *)value);
++ case 2:
++ return sysfs_emit(buf, "%u\n", *(u16 *)value);
++ case 4:
++ return sysfs_emit(buf, "%u\n", *(u32 *)value);
++ case 8:
++ return sysfs_emit(buf, "%llu\n", *(u64 *)value);
++ default:
++ f2fs_bug_on(sbi, 1);
++ return sysfs_emit(buf,
++ "show sysfs node value with wrong type\n");
++ }
++}
++
+ static ssize_t f2fs_sbi_show(struct f2fs_attr *a,
+ struct f2fs_sb_info *sbi, char *buf)
+ {
+ unsigned char *ptr = NULL;
+- unsigned int *ui;
+
+ ptr = __struct_ptr(sbi, a->struct_type);
+ if (!ptr)
+@@ -372,9 +392,30 @@ static ssize_t f2fs_sbi_show(struct f2fs
+ atomic_read(&sbi->cp_call_count[BACKGROUND]));
+ #endif
+
+- ui = (unsigned int *)(ptr + a->offset);
++ return __sbi_show_value(a, sbi, buf, ptr + a->offset);
++}
+
+- return sysfs_emit(buf, "%u\n", *ui);
++static void __sbi_store_value(struct f2fs_attr *a,
++ struct f2fs_sb_info *sbi,
++ unsigned char *ui, unsigned long value)
++{
++ switch (a->size) {
++ case 1:
++ *(u8 *)ui = value;
++ break;
++ case 2:
++ *(u16 *)ui = value;
++ break;
++ case 4:
++ *(u32 *)ui = value;
++ break;
++ case 8:
++ *(u64 *)ui = value;
++ break;
++ default:
++ f2fs_bug_on(sbi, 1);
++ f2fs_err(sbi, "store sysfs node value with wrong type");
++ }
+ }
+
+ static ssize_t __sbi_store(struct f2fs_attr *a,
+@@ -746,7 +787,7 @@ out:
+ return count;
+ }
+
+- *ui = (unsigned int)t;
++ __sbi_store_value(a, sbi, ptr + a->offset, t);
+
+ return count;
+ }
+@@ -860,24 +901,27 @@ static struct f2fs_attr f2fs_attr_sb_##_
+ .id = F2FS_FEATURE_##_feat, \
+ }
+
+-#define F2FS_ATTR_OFFSET(_struct_type, _name, _mode, _show, _store, _offset) \
++#define F2FS_ATTR_OFFSET(_struct_type, _name, _mode, _show, _store, _offset, _size) \
+ static struct f2fs_attr f2fs_attr_##_name = { \
+ .attr = {.name = __stringify(_name), .mode = _mode }, \
+ .show = _show, \
+ .store = _store, \
+ .struct_type = _struct_type, \
+- .offset = _offset \
++ .offset = _offset, \
++ .size = _size \
+ }
+
+ #define F2FS_RO_ATTR(struct_type, struct_name, name, elname) \
+ F2FS_ATTR_OFFSET(struct_type, name, 0444, \
+ f2fs_sbi_show, NULL, \
+- offsetof(struct struct_name, elname))
++ offsetof(struct struct_name, elname), \
++ sizeof_field(struct struct_name, elname))
+
+ #define F2FS_RW_ATTR(struct_type, struct_name, name, elname) \
+ F2FS_ATTR_OFFSET(struct_type, name, 0644, \
+ f2fs_sbi_show, f2fs_sbi_store, \
+- offsetof(struct struct_name, elname))
++ offsetof(struct struct_name, elname), \
++ sizeof_field(struct struct_name, elname))
+
+ #define F2FS_GENERAL_RO_ATTR(name) \
+ static struct f2fs_attr f2fs_attr_##name = __ATTR(name, 0444, name##_show, NULL)
--- /dev/null
+From 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Sun, 7 Dec 2025 15:25:32 +0800
+Subject: fbdev: rivafb: fix divide error in nv3_arb()
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 upstream.
+
+A userspace program can trigger the RIVA NV3 arbitration code by calling
+the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver
+recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz
+(derived from the PRAMDAC MCLK PLL) as a divisor without validating it
+first.
+
+In a normal setup, state->mclk_khz is provided by the real hardware and is
+non-zero. However, an attacker can construct a malicious or misconfigured
+device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL
+configuration, causing state->mclk_khz to become zero. Once
+nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns
+calculation causes a divide error and crashes the kernel.
+
+Fix this by checking whether state->mclk_khz is zero and bailing out before
+doing the division.
+
+The following log reveals it:
+
+rivafb: setting virtual Y resolution to 2184
+divide error: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]
+RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546
+Call Trace:
+ nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603
+ nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]
+ CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246
+ riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779
+ rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196
+ fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033
+ do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109
+ fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188
+ __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/riva/riva_hw.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/video/fbdev/riva/riva_hw.c
++++ b/drivers/video/fbdev/riva/riva_hw.c
+@@ -436,6 +436,9 @@ static char nv3_arb(nv3_fifo_info * res_
+ vmisses = 2;
+ eburst_size = state->memory_width * 1;
+ mburst_size = 32;
++ if (!state->mclk_khz)
++ return (0);
++
+ gns = 1000000 * (gmisses*state->mem_page_miss + state->mem_latency)/state->mclk_khz;
+ ainfo->by_gfacc = gns*ainfo->gdrain_rate/1000000;
+ ainfo->wcmocc = 0;
--- /dev/null
+From 120adae7b42faa641179270c067864544a50ab69 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 28 Dec 2025 14:17:03 +0100
+Subject: fbdev: smscufx: properly copy ioctl memory to kernelspace
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 120adae7b42faa641179270c067864544a50ab69 upstream.
+
+The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from
+userspace to kernelspace, and instead directly references the memory,
+which can cause problems if invalid data is passed from userspace. Fix
+this all up by correctly copying the memory before accessing it within
+the kernel.
+
+Reported-by: Tianchu Chen <flynnnchen@tencent.com>
+Cc: stable <stable@kernel.org>
+Cc: Steve Glendinning <steve.glendinning@shawell.net>
+Cc: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/smscufx.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/smscufx.c
++++ b/drivers/video/fbdev/smscufx.c
+@@ -988,7 +988,6 @@ static int ufx_ops_ioctl(struct fb_info
+ unsigned long arg)
+ {
+ struct ufx_data *dev = info->par;
+- struct dloarea *area = NULL;
+
+ if (!atomic_read(&dev->usb_active))
+ return 0;
+@@ -1003,6 +1002,10 @@ static int ufx_ops_ioctl(struct fb_info
+
+ /* TODO: Help propose a standard fb.h ioctl to report mmap damage */
+ if (cmd == UFX_IOCTL_REPORT_DAMAGE) {
++ struct dloarea *area __free(kfree) = kmalloc(sizeof(*area), GFP_KERNEL);
++ if (!area)
++ return -ENOMEM;
++
+ /* If we have a damage-aware client, turn fb_defio "off"
+ * To avoid perf imact of unnecessary page fault handling.
+ * Done by resetting the delay for this fb_info to a very
+@@ -1012,7 +1015,8 @@ static int ufx_ops_ioctl(struct fb_info
+ if (info->fbdefio)
+ info->fbdefio->delay = UFX_DEFIO_WRITE_DISABLE;
+
+- area = (struct dloarea *)arg;
++ if (copy_from_user(area, (u8 __user *)arg, sizeof(*area)))
++ return -EFAULT;
+
+ if (area->x < 0)
+ area->x = 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
