From d5e8bce56f99ba1eb0ca323527b7b202bb80a5c0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 17 Feb 2026 18:39:30 +0100
Subject: [PATCH] 5.10-stable patches
added patches:
f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch
f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch
iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch
---
 ...access-in-sysfs-attribute-read-write.patch | 176 ++++++++++++++++++
 ...ix-to-avoid-uaf-in-f2fs_write_end_io.patch | 80 ++++++++
 ...qcom-do-not-register-driver-in-probe.patch | 122 ++++++++++++
 queue-5.10/series | 3 +
 4 files changed, 381 insertions(+)
 create mode 100644 queue-5.10/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch
 create mode 100644 queue-5.10/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch
 create mode 100644 queue-5.10/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch
diff --git a/queue-5.10/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch b/queue-5.10/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch
new file mode 100644
index 0000000000..31d26e8035
--- /dev/null
+++ b/queue-5.10/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch
@@ -0,0 +1,176 @@ +From stable+bounces-216862-greg=kroah.com@vger.kernel.org Tue Feb 17 17:27:05 2026 +From: Sasha Levin +Date: Tue, 17 Feb 2026 11:24:58 -0500 +Subject: f2fs: fix out-of-bounds access in sysfs attribute read/write +To: stable@vger.kernel.org +Cc: Yongpeng Yang , stable@kernel.org, Jinbao Liu , Chao Yu , Jaegeuk Kim , Sasha Levin +Message-ID: <20260217162458.3771870-1-sashal@kernel.org> + +From: Yongpeng Yang + +[ Upstream commit 98ea0039dbfdd00e5cc1b9a8afa40434476c0955 ] + +Some f2fs sysfs attributes suffer from out-of-bounds memory access and +incorrect handling of integer values whose size is not 4 bytes. + +For example: +vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out +vm:~# cat /sys/fs/f2fs/vde/carve_out +65537 +vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold +vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold +1 + +carve_out maps to {struct f2fs_sb_info}->carve_out, which is a 8-bit +integer. However, the sysfs interface allows setting it to a value +larger than 255, resulting in an out-of-range update. + +atgc_age_threshold maps to {struct atgc_management}->age_threshold, +which is a 64-bit integer, but its sysfs interface cannot correctly set +values larger than UINT_MAX. + +The root causes are: +1. __sbi_store() treats all default values as unsigned int, which +prevents updating integers larger than 4 bytes and causes out-of-bounds +writes for integers smaller than 4 bytes. + +2. f2fs_sbi_show() also assumes all default values are unsigned int, +leading to out-of-bounds reads and incorrect access to integers larger +than 4 bytes. + +This patch introduces {struct f2fs_attr}->size to record the actual size +of the integer associated with each sysfs attribute. With this +information, sysfs read and write operations can correctly access and +update values according to their real data size, avoiding memory +corruption and truncation. 
+ +Fixes: b59d0bae6ca3 ("f2fs: add sysfs support for controlling the gc_thread") +Cc: stable@kernel.org +Signed-off-by: Jinbao Liu +Signed-off-by: Yongpeng Yang +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ f2fs_sbi_show() changes + .size for F2FS_STAT_ATTR ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/sysfs.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 51 insertions(+), 7 deletions(-) + +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -43,6 +43,7 @@ struct f2fs_attr { + const char *, size_t); + int struct_type; + int offset; ++ int size; + int id; + }; + +@@ -232,11 +233,30 @@ static ssize_t main_blkaddr_show(struct + (unsigned long long)MAIN_BLKADDR(sbi)); + } + ++static ssize_t __sbi_show_value(struct f2fs_attr *a, ++ struct f2fs_sb_info *sbi, char *buf, ++ unsigned char *value) ++{ ++ switch (a->size) { ++ case 1: ++ return sysfs_emit(buf, "%u\n", *(u8 *)value); ++ case 2: ++ return sysfs_emit(buf, "%u\n", *(u16 *)value); ++ case 4: ++ return sysfs_emit(buf, "%u\n", *(u32 *)value); ++ case 8: ++ return sysfs_emit(buf, "%llu\n", *(u64 *)value); ++ default: ++ f2fs_bug_on(sbi, 1); ++ return sysfs_emit(buf, ++ "show sysfs node value with wrong type\n"); ++ } ++} ++ + static ssize_t f2fs_sbi_show(struct f2fs_attr *a, + struct f2fs_sb_info *sbi, char *buf) + { + unsigned char *ptr = NULL; +- unsigned int *ui; + + ptr = __struct_ptr(sbi, a->struct_type); + if (!ptr) +@@ -263,9 +283,30 @@ static ssize_t f2fs_sbi_show(struct f2fs + return len; + } + +- ui = (unsigned int *)(ptr + a->offset); ++ return __sbi_show_value(a, sbi, buf, ptr + a->offset); ++} + +- return sprintf(buf, "%u\n", *ui); ++static void __sbi_store_value(struct f2fs_attr *a, ++ struct f2fs_sb_info *sbi, ++ unsigned char *ui, unsigned long value) ++{ ++ switch (a->size) { ++ case 1: ++ *(u8 *)ui = value; ++ break; ++ case 2: ++ *(u16 *)ui = value; ++ break; ++ case 4: ++ *(u32 *)ui = value; ++ break; ++ case 8: ++ *(u64 *)ui 
= value; ++ break; ++ default: ++ f2fs_bug_on(sbi, 1); ++ f2fs_err(sbi, "store sysfs node value with wrong type"); ++ } + } + + static ssize_t __sbi_store(struct f2fs_attr *a, +@@ -409,7 +450,7 @@ out: + return count; + } + +- *ui = (unsigned int)t; ++ __sbi_store_value(a, sbi, ptr + a->offset, t); + + return count; + } +@@ -502,19 +543,21 @@ static ssize_t f2fs_feature_show(struct + return 0; + } + +-#define F2FS_ATTR_OFFSET(_struct_type, _name, _mode, _show, _store, _offset) \ ++#define F2FS_ATTR_OFFSET(_struct_type, _name, _mode, _show, _store, _offset, _size) \ + static struct f2fs_attr f2fs_attr_##_name = { \ + .attr = {.name = __stringify(_name), .mode = _mode }, \ + .show = _show, \ + .store = _store, \ + .struct_type = _struct_type, \ +- .offset = _offset \ ++ .offset = _offset, \ ++ .size = _size \ + } + + #define F2FS_RW_ATTR(struct_type, struct_name, name, elname) \ + F2FS_ATTR_OFFSET(struct_type, name, 0644, \ + f2fs_sbi_show, f2fs_sbi_store, \ +- offsetof(struct struct_name, elname)) ++ offsetof(struct struct_name, elname), \ ++ sizeof_field(struct struct_name, elname)) + + #define F2FS_GENERAL_RO_ATTR(name) \ + static struct f2fs_attr f2fs_attr_##name = __ATTR(name, 0444, name##_show, NULL) +@@ -532,6 +575,7 @@ static struct f2fs_attr f2fs_attr_##_nam + .show = f2fs_sbi_show, \ + .struct_type = _struct_type, \ + .offset = offsetof(struct _struct_name, _elname), \ ++ .size = sizeof_field(struct _struct_name, _elname), \ + } + + F2FS_RW_ATTR(GC_THREAD, f2fs_gc_kthread, gc_urgent_sleep_time, diff --git a/queue-5.10/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch b/queue-5.10/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch new file mode 100644 index 0000000000..47a23898de --- /dev/null +++ b/queue-5.10/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch 
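Review bot: `__sbi_store_value()` silently truncates `value` to the field width — `*(u8 *)ui = value;` keeps only the low byte, so the `echo 65537 > carve_out` case from the description now stores 1 instead of being rejected; the out-of-bounds write is gone but out-of-range input is still accepted. Unless `__sbi_store()` already range-checks such attributes before the call (its body is outside the hunk), the helper should refuse values that do not fit, e.g. `if (a->size < sizeof(value) && (value >> (a->size * 8)) != 0) return -EINVAL;`, with its return type changed to int and the call site in `__sbi_store()` propagating the error. `value` is also `unsigned long`, so on 32-bit builds the 8-byte case still cannot receive anything above 32 bits; how `t` is parsed is outside the hunk. Separately, the `default:` arm of `__sbi_show_value()` reaches `f2fs_bug_on()` from a plain sysfs read, so any f2fs_attr that still reaches `f2fs_sbi_show` with `.size == 0` (an initialiser that does not go through the extended `F2FS_ATTR_OFFSET`/`F2FS_STAT_ATTR`) would trip it; worth confirming the 5.10 tree has none.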
@@ -0,0 +1,80 @@ +From stable+bounces-216861-greg=kroah.com@vger.kernel.org Tue Feb 17 17:18:39 2026 +From: Sasha Levin +Date: Tue, 17 Feb 2026 11:18:33 -0500 +Subject: f2fs: fix to avoid UAF in f2fs_write_end_io() +To: stable@vger.kernel.org +Cc: Chao Yu , stable@kernel.org, syzbot+b4444e3c972a7a124187@syzkaller.appspotmail.com, Jaegeuk Kim , Sasha Levin +Message-ID: <20260217161833.3766136-1-sashal@kernel.org> + +From: Chao Yu + +[ Upstream commit ce2739e482bce8d2c014d76c4531c877f382aa54 ] + +As syzbot reported an use-after-free issue in f2fs_write_end_io(). + +It is caused by below race condition: + +loop device umount +- worker_thread + - loop_process_work + - do_req_filebacked + - lo_rw_aio + - lo_rw_aio_complete + - blk_mq_end_request + - blk_update_request + - f2fs_write_end_io + - dec_page_count + - folio_end_writeback + - kill_f2fs_super + - kill_block_super + - f2fs_put_super + : free(sbi) + : get_pages(, F2FS_WB_CP_DATA) + accessed sbi which is freed + +In kill_f2fs_super(), we will drop all page caches of f2fs inodes before +call free(sbi), it guarantee that all folios should end its writeback, so +it should be safe to access sbi before last folio_end_writeback(). + +Let's relocate ckpt thread wakeup flow before folio_end_writeback() to +resolve this issue. 
+ +Cc: stable@kernel.org +Fixes: e234088758fc ("f2fs: avoid wait if IO end up when do_checkpoint for better performance") +Reported-by: syzbot+b4444e3c972a7a124187@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b4444e3c972a7a124187 +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ folio => page ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/data.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -379,14 +379,20 @@ static void f2fs_write_end_io(struct bio + page->index != nid_of_node(page)); + + dec_page_count(sbi, type); ++ ++ /* ++ * we should access sbi before end_page_writeback() to ++ * avoid racing w/ kill_f2fs_super() ++ */ ++ if (type == F2FS_WB_CP_DATA && !get_pages(sbi, type) && ++ wq_has_sleeper(&sbi->cp_wait)) ++ wake_up(&sbi->cp_wait); ++ + if (f2fs_in_warm_node_list(sbi, page)) + f2fs_del_fsync_node_entry(sbi, page); + clear_cold_data(page); + end_page_writeback(page); + } +- if (!get_pages(sbi, F2FS_WB_CP_DATA) && +- wq_has_sleeper(&sbi->cp_wait)) +- wake_up(&sbi->cp_wait); + + bio_put(bio); + } diff --git a/queue-5.10/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch b/queue-5.10/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch new file mode 100644 index 0000000000..95c01e17f1 --- /dev/null +++ b/queue-5.10/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch 
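Review bot: The new comment only says sbi must be accessed before `end_page_writeback()`, but the invariant the fix relies on is stronger and worth stating, since the rest of the loop body (`f2fs_in_warm_node_list()`, `f2fs_del_fsync_node_entry()`) also dereferences `sbi` and a later reorder past `end_page_writeback()` would reintroduce the use-after-free. I would expand it to: `/* kill_f2fs_super() drops the page cache, waiting for every page's writeback, before freeing sbi; sbi is therefore only guaranteed alive until end_page_writeback() below, and nothing after that call may touch it. */`. Moving from one wake-up after the loop to a per-page check is fine as long as each page is counted exactly once by `dec_page_count()`, so the count reaches zero on a single iteration and `wake_up()` fires once. The enclosing loop and the start of f2fs_write_end_io() are outside the hunk.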
@@ -0,0 +1,122 @@ +From ed1ac3c977dd6b119405fa36dd41f7151bd5b4de Mon Sep 17 00:00:00 2001 +From: Danilo Krummrich +Date: Wed, 21 Jan 2026 15:12:01 +0100 +Subject: iommu/arm-smmu-qcom: do not register driver in probe() + +From: Danilo Krummrich + +commit ed1ac3c977dd6b119405fa36dd41f7151bd5b4de upstream. + +Commit 0b4eeee2876f ("iommu/arm-smmu-qcom: Register the TBU driver in +qcom_smmu_impl_init") intended to also probe the TBU driver when +CONFIG_ARM_SMMU_QCOM_DEBUG is disabled, but also moved the corresponding +platform_driver_register() call into qcom_smmu_impl_init() which is +called from arm_smmu_device_probe(). + +However, it neither makes sense to register drivers from probe() +callbacks of other drivers, nor does the driver core allow registering +drivers with a device lock already being held. + +The latter was revealed by commit dc23806a7c47 ("driver core: enforce +device_lock for driver_match_device()") leading to a deadlock condition +described in [1]. + +Additionally, it was noted by Robin that the current approach is +potentially racy with async probe [2]. + +Hence, fix this by registering the qcom_smmu_tbu_driver from +module_init(). Unfortunately, due to the vendoring of the driver, this +requires an indirection through arm-smmu-impl.c. 
+ +Reported-by: Mark Brown +Closes: https://lore.kernel.org/lkml/7ae38e31-ef31-43ad-9106-7c76ea0e8596@sirena.org.uk/ +Link: https://lore.kernel.org/lkml/DFU7CEPUSG9A.1KKGVW4HIPMSH@kernel.org/ [1] +Link: https://lore.kernel.org/lkml/0c0d3707-9ea5-44f9-88a1-a65c62e3df8d@arm.com/ [2] +Fixes: dc23806a7c47 ("driver core: enforce device_lock for driver_match_device()") +Fixes: 0b4eeee2876f ("iommu/arm-smmu-qcom: Register the TBU driver in qcom_smmu_impl_init") +Acked-by: Robin Murphy +Tested-by: Bjorn Andersson +Reviewed-by: Bjorn Andersson +Acked-by: Konrad Dybcio +Reviewed-by: Greg Kroah-Hartman +Tested-by: Ioana Ciornei #LX2160ARDB +Tested-by: Wang Jiayue +Reviewed-by: Wang Jiayue +Tested-by: Mark Brown +Acked-by: Joerg Roedel +Link: https://patch.msgid.link/20260121141215.29658-1-dakr@kernel.org +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/arm/arm-smmu/arm-smmu-impl.c | 14 ++++++++++++++ + drivers/iommu/arm/arm-smmu/arm-smmu.c | 24 +++++++++++++++++++++++- + drivers/iommu/arm/arm-smmu/arm-smmu.h | 5 +++++ + 3 files changed, 42 insertions(+), 1 deletion(-) + +--- a/drivers/iommu/arm/arm-smmu/arm-smmu-impl.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-impl.c +@@ -228,3 +228,17 @@ struct arm_smmu_device *arm_smmu_impl_in + + return smmu; + } ++ ++int __init arm_smmu_impl_module_init(void) ++{ ++ if (IS_ENABLED(CONFIG_ARM_SMMU_QCOM)) ++ return qcom_smmu_module_init(); ++ ++ return 0; ++} ++ ++void __exit arm_smmu_impl_module_exit(void) ++{ ++ if (IS_ENABLED(CONFIG_ARM_SMMU_QCOM)) ++ qcom_smmu_module_exit(); ++} +--- a/drivers/iommu/arm/arm-smmu/arm-smmu.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c +@@ -2352,7 +2352,29 @@ static struct platform_driver arm_smmu_d + .remove = arm_smmu_device_remove, + .shutdown = arm_smmu_device_shutdown, + }; +-module_platform_driver(arm_smmu_driver); ++ ++static int __init arm_smmu_init(void) ++{ ++ int ret; ++ ++ ret = platform_driver_register(&arm_smmu_driver); ++ if (ret) ++ return ret; ++ 
++ ret = arm_smmu_impl_module_init(); ++ if (ret) ++ platform_driver_unregister(&arm_smmu_driver); ++ ++ return ret; ++} ++module_init(arm_smmu_init); ++ ++static void __exit arm_smmu_exit(void) ++{ ++ arm_smmu_impl_module_exit(); ++ platform_driver_unregister(&arm_smmu_driver); ++} ++module_exit(arm_smmu_exit); + + MODULE_DESCRIPTION("IOMMU API for ARM architected SMMU implementations"); + MODULE_AUTHOR("Will Deacon "); +--- a/drivers/iommu/arm/arm-smmu/arm-smmu.h ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu.h +@@ -522,6 +522,11 @@ struct arm_smmu_device *arm_smmu_impl_in + struct arm_smmu_device *nvidia_smmu_impl_init(struct arm_smmu_device *smmu); + struct arm_smmu_device *qcom_smmu_impl_init(struct arm_smmu_device *smmu); + ++int __init arm_smmu_impl_module_init(void); ++void __exit arm_smmu_impl_module_exit(void); ++int __init qcom_smmu_module_init(void); ++void __exit qcom_smmu_module_exit(void); ++ + void arm_smmu_write_context_bank(struct arm_smmu_device *smmu, int idx); + int arm_mmu500_reset(struct arm_smmu_device *smmu); + diff --git a/queue-5.10/series b/queue-5.10/series index 2b8cb185a6..826bca9fd3 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -19,3 +19,6 @@ scsi-qla2xxx-free-sp-in-error-path-to-fix-system-crash.patch scsi-qla2xxx-fix-bsg_done-causing-double-free.patch fbdev-rivafb-fix-divide-error-in-nv3_arb.patch fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch +iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch +f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch +f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch -- 2.47.3
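Review bot: `arm_smmu_impl_module_init()` and `arm_smmu_impl_module_exit()` call `qcom_smmu_module_init()`/`qcom_smmu_module_exit()`, which this backport only declares in arm-smmu.h; the diffstat lists three files and no definition appears anywhere in the patch, whereas the upstream description registers qcom_smmu_tbu_driver from module_init() in the qcom implementation file (arm-smmu-qcom.c). Unless the 5.10 tree already provides both functions, a CONFIG_ARM_SMMU_QCOM=y build will fail at link time (with the option off the `IS_ENABLED()` branches are dead code and the symbols are never referenced), so the backport needs the matching definitions, or empty stubs if 5.10 has no TBU driver to register. It is worth confirming that 5.10 actually contains the probe-time `platform_driver_register()` this fixes, since the second Fixes: tag refers to a change that may not be in that tree. The error path in `arm_smmu_init()` and the reverse-order teardown in `arm_smmu_exit()` look correct.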