From 17a743d410f20f70fec2d07cb940824c62df5855 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 8 Feb 2026 16:03:01 +0100 Subject: [PATCH] 6.1-stable patches added patches: hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc.patch riscv-uprobes-add-missing-fence.i-after-building-the-xol-buffer.patch --- ...ut-of-bounds-read-in-hfsplus_uni2asc.patch | 176 ++++++++++++++++++ ...ence.i-after-building-the-xol-buffer.patch | 57 ++++++ queue-6.1/series | 2 + 3 files changed, 235 insertions(+) create mode 100644 queue-6.1/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc.patch create mode 100644 queue-6.1/riscv-uprobes-add-missing-fence.i-after-building-the-xol-buffer.patch diff --git a/queue-6.1/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc.patch b/queue-6.1/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc.patch new file mode 100644 index 0000000000..e84dc21511 --- /dev/null +++ b/queue-6.1/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc.patch @@ -0,0 +1,176 @@ +From bea3e1d4467bcf292c8e54f080353d556d355e26 Mon Sep 17 00:00:00 2001 +From: Kang Chen +Date: Tue, 9 Sep 2025 11:13:16 +0800 +Subject: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() + +From: Kang Chen + +commit bea3e1d4467bcf292c8e54f080353d556d355e26 upstream. + +BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186 +Read of size 2 at addr ffff8880289ef218 by task syz.6.248/14290 + +CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x5f0 mm/kasan/report.c:482 + kasan_report+0xca/0x100 mm/kasan/report.c:595 + hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186 + hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738 + vfs_listxattr+0xbe/0x140 fs/xattr.c:493 + listxattr+0xee/0x190 fs/xattr.c:924 + filename_listxattr fs/xattr.c:958 [inline] + path_listxattrat+0x143/0x360 fs/xattr.c:988 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fe0e9fae16d +Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3 +RAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000 +RBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000 + + +Allocated by task 14290: + kasan_save_stack+0x24/0x50 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:377 [inline] + __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4333 [inline] + __kmalloc_noprof+0x219/0x540 mm/slub.c:4345 + kmalloc_noprof include/linux/slab.h:909 [inline] + hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21 + hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697 + vfs_listxattr+0xbe/0x140 fs/xattr.c:493 + listxattr+0xee/0x190 fs/xattr.c:924 + filename_listxattr fs/xattr.c:958 [inline] + path_listxattrat+0x143/0x360 fs/xattr.c:988 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +When hfsplus_uni2asc is called from hfsplus_listxattr, +it actually passes in a struct hfsplus_attr_unistr*. +The size of the corresponding structure is different from that of hfsplus_unistr, +so the previous fix (94458781aee6) is insufficient. +The pointer on the unicode buffer is still going beyond the allocated memory. + +This patch introduces two warpper functions hfsplus_uni2asc_xattr_str and +hfsplus_uni2asc_str to process two unicode buffers, +struct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively. +When ustrlen value is bigger than the allocated memory size, +the ustrlen value is limited to an safe size. + +Fixes: 94458781aee6 ("hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()") +Signed-off-by: Kang Chen +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250909031316.1647094-1-k.chen@smail.nju.edu.cn +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Jianqiang kang +Signed-off-by: Greg Kroah-Hartman +--- + fs/hfsplus/dir.c | 2 +- + fs/hfsplus/hfsplus_fs.h | 8 ++++++-- + fs/hfsplus/unicode.c | 24 +++++++++++++++++++----- + fs/hfsplus/xattr.c | 6 +++--- + 4 files changed, 29 insertions(+), 11 deletions(-) + +--- a/fs/hfsplus/dir.c ++++ b/fs/hfsplus/dir.c +@@ -204,7 +204,7 @@ static int hfsplus_readdir(struct file * + fd.entrylength); + type = be16_to_cpu(entry.type); + len = NLS_MAX_CHARSET_SIZE * HFSPLUS_MAX_STRLEN; +- err = hfsplus_uni2asc(sb, &fd.key->cat.name, strbuf, &len); ++ err = hfsplus_uni2asc_str(sb, &fd.key->cat.name, strbuf, &len); + if (err) + goto out; + if (type == HFSPLUS_FOLDER) { +--- a/fs/hfsplus/hfsplus_fs.h ++++ b/fs/hfsplus/hfsplus_fs.h +@@ -518,8 +518,12 @@ int hfsplus_strcasecmp(const struct hfsp + const struct hfsplus_unistr *s2); + int hfsplus_strcmp(const struct hfsplus_unistr *s1, + const struct hfsplus_unistr *s2); +-int hfsplus_uni2asc(struct super_block *sb, const struct hfsplus_unistr *ustr, +- char *astr, int *len_p); ++int hfsplus_uni2asc_str(struct super_block *sb, ++ const struct hfsplus_unistr *ustr, char *astr, ++ int *len_p); ++int hfsplus_uni2asc_xattr_str(struct super_block *sb, ++ const struct hfsplus_attr_unistr *ustr, ++ char *astr, int *len_p); + int hfsplus_asc2uni(struct super_block *sb, struct hfsplus_unistr *ustr, + int max_unistr_len, const char *astr, int len); + int hfsplus_hash_dentry(const struct dentry *dentry, struct qstr *str); +--- a/fs/hfsplus/unicode.c ++++ b/fs/hfsplus/unicode.c +@@ -143,9 +143,8 @@ static u16 *hfsplus_compose_lookup(u16 * + return NULL; + } + +-int hfsplus_uni2asc(struct super_block *sb, +- const struct hfsplus_unistr *ustr, +- char *astr, int *len_p) ++static int hfsplus_uni2asc(struct super_block *sb, const struct hfsplus_unistr *ustr, ++ int max_len, char *astr, int *len_p) + { + const hfsplus_unichr *ip; + struct nls_table *nls = HFSPLUS_SB(sb)->nls; +@@ -158,8 +157,8 @@ int hfsplus_uni2asc(struct super_block * + ip = ustr->unicode; + + ustrlen = be16_to_cpu(ustr->length); +- if (ustrlen > HFSPLUS_MAX_STRLEN) { +- ustrlen = HFSPLUS_MAX_STRLEN; ++ if (ustrlen > max_len) { ++ ustrlen = max_len; + pr_err("invalid length %u has been corrected to %d\n", + be16_to_cpu(ustr->length), ustrlen); + } +@@ -280,6 +279,21 @@ out: + return res; + } + ++inline int hfsplus_uni2asc_str(struct super_block *sb, ++ const struct hfsplus_unistr *ustr, char *astr, ++ int *len_p) ++{ ++ return hfsplus_uni2asc(sb, ustr, HFSPLUS_MAX_STRLEN, astr, len_p); ++} ++ ++inline int hfsplus_uni2asc_xattr_str(struct super_block *sb, ++ const struct hfsplus_attr_unistr *ustr, ++ char *astr, int *len_p) ++{ ++ return hfsplus_uni2asc(sb, (const struct hfsplus_unistr *)ustr, ++ HFSPLUS_ATTR_MAX_STRLEN, astr, len_p); ++} ++ + /* + * Convert one or more ASCII characters into a single unicode character. + * Returns the number of ASCII characters corresponding to the unicode char. +--- a/fs/hfsplus/xattr.c ++++ b/fs/hfsplus/xattr.c +@@ -737,9 +737,9 @@ ssize_t hfsplus_listxattr(struct dentry + goto end_listxattr; + + xattr_name_len = NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN; +- if (hfsplus_uni2asc(inode->i_sb, +- (const struct hfsplus_unistr *)&fd.key->attr.key_name, +- strbuf, &xattr_name_len)) { ++ if (hfsplus_uni2asc_xattr_str(inode->i_sb, ++ &fd.key->attr.key_name, strbuf, ++ &xattr_name_len)) { + pr_err("unicode conversion failed\n"); + res = -EIO; + goto end_listxattr; diff --git a/queue-6.1/riscv-uprobes-add-missing-fence.i-after-building-the-xol-buffer.patch b/queue-6.1/riscv-uprobes-add-missing-fence.i-after-building-the-xol-buffer.patch new file mode 100644 index 0000000000..afb8627617 --- /dev/null +++ b/queue-6.1/riscv-uprobes-add-missing-fence.i-after-building-the-xol-buffer.patch @@ -0,0 +1,57 @@ +From 7d1d19a11cfbfd8bae1d89cc010b2cc397cd0c48 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= +Date: Sat, 19 Apr 2025 13:14:00 +0200 +Subject: riscv: uprobes: Add missing fence.i after building the XOL buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +commit 7d1d19a11cfbfd8bae1d89cc010b2cc397cd0c48 upstream. + +The XOL (execute out-of-line) buffer is used to single-step the +replaced instruction(s) for uprobes. The RISC-V port was missing a +proper fence.i (i$ flushing) after constructing the XOL buffer, which +can result in incorrect execution of stale/broken instructions. + +This was found running the BPF selftests "test_progs: +uprobe_autoattach, attach_probe" on the Spacemit K1/X60, where the +uprobes tests randomly blew up. + +Reviewed-by: Guo Ren +Fixes: 74784081aac8 ("riscv: Add uprobes supported") +Signed-off-by: Björn Töpel +Link: https://lore.kernel.org/r/20250419111402.1660267-2-bjorn@kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/probes/uprobes.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +--- a/arch/riscv/kernel/probes/uprobes.c ++++ b/arch/riscv/kernel/probes/uprobes.c +@@ -161,6 +161,7 @@ void arch_uprobe_copy_ixol(struct page * + /* Initialize the slot */ + void *kaddr = kmap_atomic(page); + void *dst = kaddr + (vaddr & ~PAGE_MASK); ++ unsigned long start = (unsigned long)dst; + + memcpy(dst, src, len); + +@@ -170,13 +171,6 @@ void arch_uprobe_copy_ixol(struct page * + *(uprobe_opcode_t *)dst = __BUG_INSN_32; + } + ++ flush_icache_range(start, start + len); + kunmap_atomic(kaddr); +- +- /* +- * We probably need flush_icache_user_page() but it needs vma. +- * This should work on most of architectures by default. If +- * architecture needs to do something different it can define +- * its own version of the function. +- */ +- flush_dcache_page(page); + } diff --git a/queue-6.1/series b/queue-6.1/series index 10e99a3033..2f53b80b59 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -57,3 +57,5 @@ drm-mgag200-fix-mgag200_bmc_stop_scanout.patch hwmon-occ-mark-occ_init_attribute-as-__printf.patch netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch +hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc.patch +riscv-uprobes-add-missing-fence.i-after-building-the-xol-buffer.patch -- 2.47.3