--- /dev/null
+From d5e206778e96e8667d3bde695ad372c296dc9353 Mon Sep 17 00:00:00 2001
+From: "Acs, Jakub" <acsjakub@amazon.de>
+Date: Thu, 20 Mar 2025 15:46:49 +0000
+Subject: ext4: fix OOB read when checking dotdot dir
+
+From: Acs, Jakub <acsjakub@amazon.de>
+
+commit d5e206778e96e8667d3bde695ad372c296dc9353 upstream.
+
+Mounting a corrupted filesystem with directory which contains '.' dir
+entry with rec_len == block size results in out-of-bounds read (later
+on, when the corrupted directory is removed).
+
+ext4_empty_dir() assumes every ext4 directory contains at least '.'
+and '..' as directory entries in the first data block. It first loads
+the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry()
+and then uses its rec_len member to compute the location of '..' dir
+entry (in ext4_next_entry). It assumes the '..' dir entry fits into the
+same data block.
+
+If the rec_len of '.' is precisely one block (4KB), it slips through the
+sanity checks (it is considered the last directory entry in the data
+block) and leaves "struct ext4_dir_entry_2 *de" point exactly past the
+memory slot allocated to the data block. The following call to
+ext4_check_dir_entry() on new value of de then dereferences this pointer
+which results in out-of-bounds mem access.
+
+Fix this by extending __ext4_check_dir_entry() to check for '.' dir
+entries that reach the end of data block. Make sure to ignore the phony
+dir entries for checksum (by checking name_len for non-zero).
+
+Note: This is reported by KASAN as use-after-free in case another
+structure was recently freed from the slot past the bound, but it is
+really an OOB read.
+
+This issue was found by syzkaller tool.
+
+Call Trace:
+[ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710
+[ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375
+[ 38.595158]
+[ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1
+[ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+[ 38.595304] Call Trace:
+[ 38.595308] <TASK>
+[ 38.595311] dump_stack_lvl+0xa7/0xd0
+[ 38.595325] print_address_description.constprop.0+0x2c/0x3f0
+[ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710
+[ 38.595349] print_report+0xaa/0x250
+[ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710
+[ 38.595368] ? kasan_addr_to_slab+0x9/0x90
+[ 38.595378] kasan_report+0xab/0xe0
+[ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710
+[ 38.595400] __ext4_check_dir_entry+0x67e/0x710
+[ 38.595410] ext4_empty_dir+0x465/0x990
+[ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10
+[ 38.595432] ext4_rmdir.part.0+0x29a/0xd10
+[ 38.595441] ? __dquot_initialize+0x2a7/0xbf0
+[ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10
+[ 38.595464] ? __pfx___dquot_initialize+0x10/0x10
+[ 38.595478] ? down_write+0xdb/0x140
+[ 38.595487] ? __pfx_down_write+0x10/0x10
+[ 38.595497] ext4_rmdir+0xee/0x140
+[ 38.595506] vfs_rmdir+0x209/0x670
+[ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190
+[ 38.595529] do_rmdir+0x363/0x3c0
+[ 38.595537] ? __pfx_do_rmdir+0x10/0x10
+[ 38.595544] ? strncpy_from_user+0x1ff/0x2e0
+[ 38.595561] __x64_sys_unlinkat+0xf0/0x130
+[ 38.595570] do_syscall_64+0x5b/0x180
+[ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Fixes: ac27a0ec112a0 ("[PATCH] ext4: initial copy of files from ext3")
+Signed-off-by: Jakub Acs <acsjakub@amazon.de>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Andreas Dilger <adilger.kernel@dilger.ca>
+Cc: linux-ext4@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Mahmoud Adam <mngyadam@amazon.com>
+Cc: stable@vger.kernel.org
+Cc: security@kernel.org
+Link: https://patch.msgid.link/b3ae36a6794c4a01944c7d70b403db5b@amazon.de
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/dir.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ext4/dir.c
++++ b/fs/ext4/dir.c
+@@ -89,6 +89,9 @@ int __ext4_check_dir_entry(const char *f
+ else if (unlikely(le32_to_cpu(de->inode) >
+ le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count)))
+ error_msg = "inode out of bounds";
++ else if (unlikely(next_offset == size && de->name_len == 1 &&
++ de->name[0] == '.'))
++ error_msg = "'.' directory cannot be the last in data block";
+ else
+ return 0;
+
--- /dev/null
+From a8dfb2168906944ea61acfc87846b816eeab882d Mon Sep 17 00:00:00 2001
+From: Roman Smirnov <r.smirnov@omp.ru>
+Date: Wed, 26 Feb 2025 11:25:22 +0300
+Subject: jfs: add index corruption check to DT_GETPAGE()
+
+From: Roman Smirnov <r.smirnov@omp.ru>
+
+commit a8dfb2168906944ea61acfc87846b816eeab882d upstream.
+
+If the file system is corrupted, the header.stblindex variable
+may become greater than 127. Because of this, an array access out
+of bounds may occur:
+
+------------[ cut here ]------------
+UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:3096:10
+index 237 is out of range for type 'struct dtslot[128]'
+CPU: 0 UID: 0 PID: 5822 Comm: syz-executor740 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ ubsan_epilogue lib/ubsan.c:231 [inline]
+ __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
+ dtReadFirst+0x622/0xc50 fs/jfs/jfs_dtree.c:3096
+ dtReadNext fs/jfs/jfs_dtree.c:3147 [inline]
+ jfs_readdir+0x9aa/0x3c50 fs/jfs/jfs_dtree.c:2862
+ wrap_directory_iterator+0x91/0xd0 fs/readdir.c:65
+ iterate_dir+0x571/0x800 fs/readdir.c:108
+ __do_sys_getdents64 fs/readdir.c:403 [inline]
+ __se_sys_getdents64+0x1e2/0x4b0 fs/readdir.c:389
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+---[ end trace ]---
+
+Add a stblindex check for corruption.
+
+Reported-by: syzbot <syzbot+9120834fc227768625ba@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=9120834fc227768625ba
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jfs/jfs_dtree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/jfs/jfs_dtree.c
++++ b/fs/jfs/jfs_dtree.c
+@@ -117,7 +117,8 @@ do { \
+ if (!(RC)) { \
+ if (((P)->header.nextindex > \
+ (((BN) == 0) ? DTROOTMAXSLOT : (P)->header.maxslot)) || \
+- ((BN) && ((P)->header.maxslot > DTPAGEMAXSLOT))) { \
++ ((BN) && (((P)->header.maxslot > DTPAGEMAXSLOT) || \
++ ((P)->header.stblindex >= DTPAGEMAXSLOT)))) { \
+ BT_PUTPAGE(MP); \
+ jfs_error((IP)->i_sb, \
+ "DT_GETPAGE: dtree page corrupt\n"); \
--- /dev/null
+From fdf480da5837c23b146c4743c18de97202fcab37 Mon Sep 17 00:00:00 2001
+From: Qasim Ijaz <qasdev00@gmail.com>
+Date: Thu, 13 Feb 2025 21:05:53 +0000
+Subject: jfs: fix slab-out-of-bounds read in ea_get()
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+commit fdf480da5837c23b146c4743c18de97202fcab37 upstream.
+
+During the "size_check" label in ea_get(), the code checks if the extended
+attribute list (xattr) size matches ea_size. If not, it logs
+"ea_get: invalid extended attribute" and calls print_hex_dump().
+
+Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds
+INT_MAX (2,147,483,647). Then ea_size is clamped:
+
+ int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
+
+Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper
+limit is treated as an int, causing an overflow above 2^31 - 1. This leads
+"size" to wrap around and become negative (-184549328).
+
+The "size" is then passed to print_hex_dump() (called "len" in
+print_hex_dump()), it is passed as type size_t (an unsigned
+type), this is then stored inside a variable called
+"int remaining", which is then assigned to "int linelen" which
+is then passed to hex_dump_to_buffer(). In print_hex_dump()
+the for loop, iterates through 0 to len-1, where len is
+18446744073525002176, calling hex_dump_to_buffer()
+on each iteration:
+
+ for (i = 0; i < len; i += rowsize) {
+ linelen = min(remaining, rowsize);
+ remaining -= rowsize;
+
+ hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
+ linebuf, sizeof(linebuf), ascii);
+
+ ...
+ }
+
+The expected stopping condition (i < len) is effectively broken
+since len is corrupted and very large. This eventually leads to
+the "ptr+i" being passed to hex_dump_to_buffer() to get closer
+to the end of the actual bounds of "ptr", eventually an out of
+bounds access is done in hex_dump_to_buffer() in the following
+for loop:
+
+ for (j = 0; j < len; j++) {
+ if (linebuflen < lx + 2)
+ goto overflow2;
+ ch = ptr[j];
+ ...
+ }
+
+To fix this we should validate "EALIST_SIZE(ea_buf->xattr)"
+before it is utilised.
+
+Reported-by: syzbot <syzbot+4e6e7e4279d046613bc5@syzkaller.appspotmail.com>
+Tested-by: syzbot <syzbot+4e6e7e4279d046613bc5@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=4e6e7e4279d046613bc5
+Fixes: d9f9d96136cb ("jfs: xattr: check invalid xattr size more strictly")
+Cc: stable@vger.kernel.org
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jfs/xattr.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/jfs/xattr.c
++++ b/fs/jfs/xattr.c
+@@ -559,11 +559,16 @@ static int ea_get(struct inode *inode, s
+
+ size_check:
+ if (EALIST_SIZE(ea_buf->xattr) != ea_size) {
+- int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
++ if (unlikely(EALIST_SIZE(ea_buf->xattr) > INT_MAX)) {
++ printk(KERN_ERR "ea_get: extended attribute size too large: %u > INT_MAX\n",
++ EALIST_SIZE(ea_buf->xattr));
++ } else {
++ int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
+
+- printk(KERN_ERR "ea_get: invalid extended attribute\n");
+- print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
+- ea_buf->xattr, size, 1);
++ printk(KERN_ERR "ea_get: invalid extended attribute\n");
++ print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
++ ea_buf->xattr, size, 1);
++ }
+ ea_release(inode, ea_buf);
+ rc = -EIO;
+ goto clean_up;
--- /dev/null
+From a41fcca4b342811b473bbaa4b44f1d34d87fcce6 Mon Sep 17 00:00:00 2001
+From: Karel Balej <balejk@matfyz.cz>
+Date: Mon, 10 Mar 2025 15:07:04 +0100
+Subject: mmc: sdhci-pxav3: set NEED_RSP_BUSY capability
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Karel Balej <balejk@matfyz.cz>
+
+commit a41fcca4b342811b473bbaa4b44f1d34d87fcce6 upstream.
+
+Set the MMC_CAP_NEED_RSP_BUSY capability for the sdhci-pxav3 host to
+prevent conversion of R1B responses to R1. Without this, the eMMC card
+in the samsung,coreprimevelte smartphone using the Marvell PXA1908 SoC
+with this mmc host doesn't probe with the ETIMEDOUT error originating in
+__mmc_poll_for_busy.
+
+Note that the other issues reported for this phone and host, namely
+floods of "Tuning failed, falling back to fixed sampling clock" dmesg
+messages for the eMMC and unstable SDIO are not mitigated by this
+change.
+
+Link: https://lore.kernel.org/r/20200310153340.5593-1-ulf.hansson@linaro.org/
+Link: https://lore.kernel.org/r/D7204PWIGQGI.1FRFQPPIEE2P9@matfyz.cz/
+Link: https://lore.kernel.org/r/20250115-pxa1908-lkml-v14-0-847d24f3665a@skole.hr/
+Cc: stable@vger.kernel.org
+Signed-off-by: Karel Balej <balejk@matfyz.cz>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Duje Mihanović <duje.mihanovic@skole.hr>
+Link: https://lore.kernel.org/r/20250310140707.23459-1-balejk@matfyz.cz
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pxav3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/sdhci-pxav3.c
++++ b/drivers/mmc/host/sdhci-pxav3.c
+@@ -401,6 +401,7 @@ static int sdhci_pxav3_probe(struct plat
+ if (!IS_ERR(pxa->clk_core))
+ clk_prepare_enable(pxa->clk_core);
+
++ host->mmc->caps |= MMC_CAP_NEED_RSP_BUSY;
+ /* enable 1/8V DDR capable */
+ host->mmc->caps |= MMC_CAP_1_8V_DDR;
+
x86-tsc-always-save-restore-tsc-sched_clock-on-suspend-resume.patch
x86-mm-fix-flush_tlb_range-when-used-for-zapping-normal-pmds.patch
acpi-resource-skip-irq-override-on-asus-vivobook-14-x1404vap.patch
+mmc-sdhci-pxav3-set-need_rsp_busy-capability.patch
+tracing-fix-use-after-free-in-print_graph_function_flags-during-tracer-switching.patch
+ext4-fix-oob-read-when-checking-dotdot-dir.patch
+jfs-fix-slab-out-of-bounds-read-in-ea_get.patch
+jfs-add-index-corruption-check-to-dt_getpage.patch
--- /dev/null
+From 7f81f27b1093e4895e87b74143c59c055c3b1906 Mon Sep 17 00:00:00 2001
+From: Tengda Wu <wutengda@huaweicloud.com>
+Date: Thu, 20 Mar 2025 12:21:37 +0000
+Subject: tracing: Fix use-after-free in print_graph_function_flags during tracer switching
+
+From: Tengda Wu <wutengda@huaweicloud.com>
+
+commit 7f81f27b1093e4895e87b74143c59c055c3b1906 upstream.
+
+Kairui reported a UAF issue in print_graph_function_flags() during
+ftrace stress testing [1]. This issue can be reproduced if puting a
+'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(),
+and executing the following script:
+
+ $ echo function_graph > current_tracer
+ $ cat trace > /dev/null &
+ $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point
+ $ echo timerlat > current_tracer
+
+The root cause lies in the two calls to print_graph_function_flags
+within print_trace_line during each s_show():
+
+ * One through 'iter->trace->print_line()';
+ * Another through 'event->funcs->trace()', which is hidden in
+ print_trace_fmt() before print_trace_line returns.
+
+Tracer switching only updates the former, while the latter continues
+to use the print_line function of the old tracer, which in the script
+above is print_graph_function_flags.
+
+Moreover, when switching from the 'function_graph' tracer to the
+'timerlat' tracer, s_start only calls graph_trace_close of the
+'function_graph' tracer to free 'iter->private', but does not set
+it to NULL. This provides an opportunity for 'event->funcs->trace()'
+to use an invalid 'iter->private'.
+
+To fix this issue, set 'iter->private' to NULL immediately after
+freeing it in graph_trace_close(), ensuring that an invalid pointer
+is not passed to other tracers. Additionally, clean up the unnecessary
+'iter->private = NULL' during each 'cat trace' when using wakeup and
+irqsoff tracers.
+
+ [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Zheng Yejian <zhengyejian1@huawei.com>
+Link: https://lore.kernel.org/20250320122137.23635-1-wutengda@huaweicloud.com
+Fixes: eecb91b9f98d ("tracing: Fix memleak due to race between current_tracer and trace")
+Closes: https://lore.kernel.org/all/CAMgjq7BW79KDSCyp+tZHjShSzHsScSiJxn5ffskp-QzVM06fxw@mail.gmail.com/
+Reported-by: Kairui Song <kasong@tencent.com>
+Signed-off-by: Tengda Wu <wutengda@huaweicloud.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_functions_graph.c | 1 +
+ kernel/trace/trace_irqsoff.c | 2 --
+ kernel/trace/trace_sched_wakeup.c | 2 --
+ 3 files changed, 1 insertion(+), 4 deletions(-)
+
+--- a/kernel/trace/trace_functions_graph.c
++++ b/kernel/trace/trace_functions_graph.c
+@@ -1246,6 +1246,7 @@ void graph_trace_close(struct trace_iter
+ if (data) {
+ free_percpu(data->cpu_data);
+ kfree(data);
++ iter->private = NULL;
+ }
+ }
+
+--- a/kernel/trace/trace_irqsoff.c
++++ b/kernel/trace/trace_irqsoff.c
+@@ -228,8 +228,6 @@ static void irqsoff_trace_open(struct tr
+ {
+ if (is_graph(iter->tr))
+ graph_trace_open(iter);
+- else
+- iter->private = NULL;
+ }
+
+ static void irqsoff_trace_close(struct trace_iterator *iter)
+--- a/kernel/trace/trace_sched_wakeup.c
++++ b/kernel/trace/trace_sched_wakeup.c
+@@ -171,8 +171,6 @@ static void wakeup_trace_open(struct tra
+ {
+ if (is_graph(iter->tr))
+ graph_trace_open(iter);
+- else
+- iter->private = NULL;
+ }
+
+ static void wakeup_trace_close(struct trace_iterator *iter)
projects / thirdparty / kernel / stable-queue.git / commitdiff
