From f371f2166c40c4b6ea7ee1cfe6937a5fc9ec5daa Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 17 Feb 2026 13:57:11 +0100 Subject: [PATCH] 6.6-stable patches added patches: f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch fbdev-rivafb-fix-divide-error-in-nv3_arb.patch fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch --- ...access-in-sysfs-attribute-read-write.patch | 170 ++++++++++++++++++ ...o-add-gc-count-stat-in-f2fs_gc_range.patch | 31 ++++ ...v-rivafb-fix-divide-error-in-nv3_arb.patch | 65 +++++++ ...rly-copy-ioctl-memory-to-kernelspace.patch | 57 ++++++ queue-6.6/series | 4 + 5 files changed, 327 insertions(+) create mode 100644 queue-6.6/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch create mode 100644 queue-6.6/f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch create mode 100644 queue-6.6/fbdev-rivafb-fix-divide-error-in-nv3_arb.patch create mode 100644 queue-6.6/fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch diff --git a/queue-6.6/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch b/queue-6.6/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch new file mode 100644 index 0000000000..8198623d70 --- /dev/null +++ b/queue-6.6/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch @@ -0,0 +1,170 @@ +From 98ea0039dbfdd00e5cc1b9a8afa40434476c0955 Mon Sep 17 00:00:00 2001 +From: Yongpeng Yang +Date: Wed, 7 Jan 2026 10:33:46 +0800 +Subject: f2fs: fix out-of-bounds access in sysfs attribute read/write + +From: Yongpeng Yang + +commit 98ea0039dbfdd00e5cc1b9a8afa40434476c0955 upstream. + +Some f2fs sysfs attributes suffer from out-of-bounds memory access and +incorrect handling of integer values whose size is not 4 bytes. + +For example: +vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out +vm:~# cat /sys/fs/f2fs/vde/carve_out +65537 +vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold +vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold +1 + +carve_out maps to {struct f2fs_sb_info}->carve_out, which is a 8-bit +integer. However, the sysfs interface allows setting it to a value +larger than 255, resulting in an out-of-range update. + +atgc_age_threshold maps to {struct atgc_management}->age_threshold, +which is a 64-bit integer, but its sysfs interface cannot correctly set +values larger than UINT_MAX. + +The root causes are: +1. __sbi_store() treats all default values as unsigned int, which +prevents updating integers larger than 4 bytes and causes out-of-bounds +writes for integers smaller than 4 bytes. + +2. f2fs_sbi_show() also assumes all default values are unsigned int, +leading to out-of-bounds reads and incorrect access to integers larger +than 4 bytes. + +This patch introduces {struct f2fs_attr}->size to record the actual size +of the integer associated with each sysfs attribute. With this +information, sysfs read and write operations can correctly access and +update values according to their real data size, avoiding memory +corruption and truncation. + +Fixes: b59d0bae6ca3 ("f2fs: add sysfs support for controlling the gc_thread") +Cc: stable@kernel.org +Signed-off-by: Jinbao Liu +Signed-off-by: Yongpeng Yang +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/sysfs.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 52 insertions(+), 8 deletions(-) + +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -58,6 +58,7 @@ struct f2fs_attr { + const char *buf, size_t len); + int struct_type; + int offset; ++ int size; + int id; + }; + +@@ -285,11 +286,30 @@ static ssize_t main_blkaddr_show(struct + (unsigned long long)MAIN_BLKADDR(sbi)); + } + ++static ssize_t __sbi_show_value(struct f2fs_attr *a, ++ struct f2fs_sb_info *sbi, char *buf, ++ unsigned char *value) ++{ ++ switch (a->size) { ++ case 1: ++ return sysfs_emit(buf, "%u\n", *(u8 *)value); ++ case 2: ++ return sysfs_emit(buf, "%u\n", *(u16 *)value); ++ case 4: ++ return sysfs_emit(buf, "%u\n", *(u32 *)value); ++ case 8: ++ return sysfs_emit(buf, "%llu\n", *(u64 *)value); ++ default: ++ f2fs_bug_on(sbi, 1); ++ return sysfs_emit(buf, ++ "show sysfs node value with wrong type\n"); ++ } ++} ++ + static ssize_t f2fs_sbi_show(struct f2fs_attr *a, + struct f2fs_sb_info *sbi, char *buf) + { + unsigned char *ptr = NULL; +- unsigned int *ui; + + ptr = __struct_ptr(sbi, a->struct_type); + if (!ptr) +@@ -372,9 +392,30 @@ static ssize_t f2fs_sbi_show(struct f2fs + atomic_read(&sbi->cp_call_count[BACKGROUND])); + #endif + +- ui = (unsigned int *)(ptr + a->offset); ++ return __sbi_show_value(a, sbi, buf, ptr + a->offset); ++} + +- return sysfs_emit(buf, "%u\n", *ui); ++static void __sbi_store_value(struct f2fs_attr *a, ++ struct f2fs_sb_info *sbi, ++ unsigned char *ui, unsigned long value) ++{ ++ switch (a->size) { ++ case 1: ++ *(u8 *)ui = value; ++ break; ++ case 2: ++ *(u16 *)ui = value; ++ break; ++ case 4: ++ *(u32 *)ui = value; ++ break; ++ case 8: ++ *(u64 *)ui = value; ++ break; ++ default: ++ f2fs_bug_on(sbi, 1); ++ f2fs_err(sbi, "store sysfs node value with wrong type"); ++ } + } + + static ssize_t __sbi_store(struct f2fs_attr *a, +@@ -746,7 +787,7 @@ out: + return count; + } + +- *ui = (unsigned int)t; ++ __sbi_store_value(a, sbi, ptr + a->offset, t); + + return count; + } +@@ -860,24 +901,27 @@ static struct f2fs_attr f2fs_attr_sb_##_ + .id = F2FS_FEATURE_##_feat, \ + } + +-#define F2FS_ATTR_OFFSET(_struct_type, _name, _mode, _show, _store, _offset) \ ++#define F2FS_ATTR_OFFSET(_struct_type, _name, _mode, _show, _store, _offset, _size) \ + static struct f2fs_attr f2fs_attr_##_name = { \ + .attr = {.name = __stringify(_name), .mode = _mode }, \ + .show = _show, \ + .store = _store, \ + .struct_type = _struct_type, \ +- .offset = _offset \ ++ .offset = _offset, \ ++ .size = _size \ + } + + #define F2FS_RO_ATTR(struct_type, struct_name, name, elname) \ + F2FS_ATTR_OFFSET(struct_type, name, 0444, \ + f2fs_sbi_show, NULL, \ +- offsetof(struct struct_name, elname)) ++ offsetof(struct struct_name, elname), \ ++ sizeof_field(struct struct_name, elname)) + + #define F2FS_RW_ATTR(struct_type, struct_name, name, elname) \ + F2FS_ATTR_OFFSET(struct_type, name, 0644, \ + f2fs_sbi_show, f2fs_sbi_store, \ +- offsetof(struct struct_name, elname)) ++ offsetof(struct struct_name, elname), \ ++ sizeof_field(struct struct_name, elname)) + + #define F2FS_GENERAL_RO_ATTR(name) \ + static struct f2fs_attr f2fs_attr_##name = __ATTR(name, 0444, name##_show, NULL) diff --git a/queue-6.6/f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch b/queue-6.6/f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch new file mode 100644 index 0000000000..6771409b5f --- /dev/null +++ b/queue-6.6/f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch @@ -0,0 +1,31 @@ +From 761dac9073cd67d4705a94cd1af674945a117f4c Mon Sep 17 00:00:00 2001 +From: Zhiguo Niu +Date: Fri, 26 Dec 2025 10:56:04 +0800 +Subject: f2fs: fix to add gc count stat in f2fs_gc_range + +From: Zhiguo Niu + +commit 761dac9073cd67d4705a94cd1af674945a117f4c upstream. + +It missed the stat count in f2fs_gc_range. + +Cc: stable@kernel.org +Fixes: 9bf1dcbdfdc8 ("f2fs: fix to account gc stats correctly") +Signed-off-by: Zhiguo Niu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/gc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1998,6 +1998,7 @@ int f2fs_gc_range(struct f2fs_sb_info *s + unsigned int segno; + unsigned int gc_secs = dry_run_sections; + ++ stat_inc_gc_call_count(sbi, FOREGROUND); + for (segno = start_seg; segno <= end_seg; segno += SEGS_PER_SEC(sbi)) { + struct gc_inode_list gc_list = { + .ilist = LIST_HEAD_INIT(gc_list.ilist), diff --git a/queue-6.6/fbdev-rivafb-fix-divide-error-in-nv3_arb.patch b/queue-6.6/fbdev-rivafb-fix-divide-error-in-nv3_arb.patch new file mode 100644 index 0000000000..508d7baab6 --- /dev/null +++ b/queue-6.6/fbdev-rivafb-fix-divide-error-in-nv3_arb.patch @@ -0,0 +1,65 @@ +From 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 Mon Sep 17 00:00:00 2001 +From: Guangshuo Li +Date: Sun, 7 Dec 2025 15:25:32 +0800 +Subject: fbdev: rivafb: fix divide error in nv3_arb() + +From: Guangshuo Li + +commit 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 upstream. + +A userspace program can trigger the RIVA NV3 arbitration code by calling +the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver +recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz +(derived from the PRAMDAC MCLK PLL) as a divisor without validating it +first. + +In a normal setup, state->mclk_khz is provided by the real hardware and is +non-zero. However, an attacker can construct a malicious or misconfigured +device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL +configuration, causing state->mclk_khz to become zero. Once +nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns +calculation causes a divide error and crashes the kernel. + +Fix this by checking whether state->mclk_khz is zero and bailing out before +doing the division. + +The following log reveals it: + +rivafb: setting virtual Y resolution to 2184 +divide error: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline] +RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546 +Call Trace: + nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603 + nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline] + CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246 + riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779 + rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196 + fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033 + do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109 + fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188 + __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Guangshuo Li +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/riva/riva_hw.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/video/fbdev/riva/riva_hw.c ++++ b/drivers/video/fbdev/riva/riva_hw.c +@@ -436,6 +436,9 @@ static char nv3_arb(nv3_fifo_info * res_ + vmisses = 2; + eburst_size = state->memory_width * 1; + mburst_size = 32; ++ if (!state->mclk_khz) ++ return (0); ++ + gns = 1000000 * (gmisses*state->mem_page_miss + state->mem_latency)/state->mclk_khz; + ainfo->by_gfacc = gns*ainfo->gdrain_rate/1000000; + ainfo->wcmocc = 0; diff --git a/queue-6.6/fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch b/queue-6.6/fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch new file mode 100644 index 0000000000..75937091e4 --- /dev/null +++ b/queue-6.6/fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch @@ -0,0 +1,57 @@ +From 120adae7b42faa641179270c067864544a50ab69 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Sun, 28 Dec 2025 14:17:03 +0100 +Subject: fbdev: smscufx: properly copy ioctl memory to kernelspace + +From: Greg Kroah-Hartman + +commit 120adae7b42faa641179270c067864544a50ab69 upstream. + +The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from +userspace to kernelspace, and instead directly references the memory, +which can cause problems if invalid data is passed from userspace. Fix +this all up by correctly copying the memory before accessing it within +the kernel. + +Reported-by: Tianchu Chen +Cc: stable +Cc: Steve Glendinning +Cc: Helge Deller +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/smscufx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/smscufx.c ++++ b/drivers/video/fbdev/smscufx.c +@@ -988,7 +988,6 @@ static int ufx_ops_ioctl(struct fb_info + unsigned long arg) + { + struct ufx_data *dev = info->par; +- struct dloarea *area = NULL; + + if (!atomic_read(&dev->usb_active)) + return 0; +@@ -1003,6 +1002,10 @@ static int ufx_ops_ioctl(struct fb_info + + /* TODO: Help propose a standard fb.h ioctl to report mmap damage */ + if (cmd == UFX_IOCTL_REPORT_DAMAGE) { ++ struct dloarea *area __free(kfree) = kmalloc(sizeof(*area), GFP_KERNEL); ++ if (!area) ++ return -ENOMEM; ++ + /* If we have a damage-aware client, turn fb_defio "off" + * To avoid perf imact of unnecessary page fault handling. + * Done by resetting the delay for this fb_info to a very +@@ -1012,7 +1015,8 @@ static int ufx_ops_ioctl(struct fb_info + if (info->fbdefio) + info->fbdefio->delay = UFX_DEFIO_WRITE_DISABLE; + +- area = (struct dloarea *)arg; ++ if (copy_from_user(area, (u8 __user *)arg, sizeof(*area))) ++ return -EFAULT; + + if (area->x < 0) + area->x = 0; diff --git a/queue-6.6/series b/queue-6.6/series index 3a55e98191..e9c2f5875e 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -28,3 +28,7 @@ mm-hugetlb-fix-two-comments-related-to-huge_pmd_unshare.patch mm-hugetlb-fix-excessive-ipi-broadcasts-when-unsharing-pmd-tables-using-mmu_gather.patch cpuset-fix-missing-adaptation-for-cpuset_is_populated.patch loongarch-add-writecombine-support-for-dmw-based-ioremap.patch +fbdev-rivafb-fix-divide-error-in-nv3_arb.patch +fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch +f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch +f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch -- 2.47.3