--- /dev/null
+From 169f9102f9198b04afffa6164372a4ba4070f412 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 1 Feb 2024 18:32:58 +0100
+Subject: ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 169f9102f9198b04afffa6164372a4ba4070f412 upstream.
+
+Under PAN emulation when dumping backtraces from things like the
+LKDTM EXEC_USERSPACE test[1], a double fault (which would hang a CPU)
+would happen because of dump_instr() attempting to read a userspace
+address. Make sure copy_from_kernel_nofault() does not attempt this
+any more.
+
+Closes: https://lava.sirena.org.uk/scheduler/job/497571
+Link: https://lore.kernel.org/all/202401181125.D48DCB4C@keescook/ [1]
+
+Reported-by: Mark Brown <broonie@kernel.org>
+Suggested-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Tested-by: Mark Brown <broonie@kernel.org>
+Cc: Wang Kefeng <wangkefeng.wang@huawei.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Cc: linux-arm-kernel@lists.infradead.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mm/fault.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -25,6 +25,13 @@
+
+ #include "fault.h"
+
++bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
++{
++ unsigned long addr = (unsigned long)unsafe_src;
++
++ return addr >= TASK_SIZE && ULONG_MAX - addr >= size;
++}
++
+ #ifdef CONFIG_MMU
+
+ /*
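Review bot: `copy_from_kernel_nofault_allowed()` is added without a comment, although both halves of its return expression encode a security boundary that is easy to break in a later edit. `addr >= TASK_SIZE` refuses a source address below the user/kernel split, which is the userspace read that the description says caused the double fault under PAN emulation. `ULONG_MAX - addr >= size` is the wrap-safe form of the range check, since computing `addr + size` directly could overflow. I would add above the function: `/* Refuse nofault reads that start in userspace (< TASK_SIZE) or whose length would wrap past ULONG_MAX. */`.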
--- /dev/null
+From 8f09b8b4fa58e99cbfd9a650b31d65cdbd8e4276 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 1 Feb 2024 18:32:23 +0100
+Subject: ARM: 9351/1: fault: Add "cut here" line for prefetch aborts
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 8f09b8b4fa58e99cbfd9a650b31d65cdbd8e4276 upstream.
+
+The common pattern in arm is to emit a "8<--- cut here ---" line for
+faults, but it was missing for do_PrefetchAbort(). Add it.
+
+Cc: Wang Kefeng <wangkefeng.wang@huawei.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Cc: linux-arm-kernel@lists.infradead.org
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mm/fault.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -570,6 +570,7 @@ do_PrefetchAbort(unsigned long addr, uns
+ if (!inf->fn(addr, ifsr | FSR_LNX_PF, regs))
+ return;
+
++ pr_alert("8<--- cut here ---\n");
+ pr_alert("Unhandled prefetch abort: %s (0x%03x) at 0x%08lx\n",
+ inf->name, ifsr, addr);
+
--- /dev/null
+From 3ccea4784fddd96fbd6c4497eb28b45dab638c2a Mon Sep 17 00:00:00 2001
+From: Yanjun Yang <yangyj.ee@gmail.com>
+Date: Tue, 11 Jun 2024 18:09:47 +0800
+Subject: ARM: Remove address checking for MMUless devices
+
+From: Yanjun Yang <yangyj.ee@gmail.com>
+
+commit 3ccea4784fddd96fbd6c4497eb28b45dab638c2a upstream.
+
+Commit 169f9102f9198b ("ARM: 9350/1: fault: Implement
+copy_from_kernel_nofault_allowed()") added the function to check address
+before use. However, for devices without MMU, addr > TASK_SIZE will
+always fail. This patch move this function after the #ifdef CONFIG_MMU
+statement.
+
+Signed-off-by: Yanjun Yang <yangyj.ee@gmail.com>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218953
+Fixes: 169f9102f9198b ("ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()")
+Link: https://lore.kernel.org/r/20240611100947.32241-1-yangyj.ee@gmail.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mm/fault.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -25,6 +25,8 @@
+
+ #include "fault.h"
+
++#ifdef CONFIG_MMU
++
+ bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
+ {
+ unsigned long addr = (unsigned long)unsafe_src;
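Review bot: Nothing in the file records why `copy_from_kernel_nofault_allowed()` is MMU-only after this move, nor what MMU-less builds use in its place. Presumably they fall back to a generic default; since this function is the address filter for nofault reads, it is worth confirming that the fallback's policy is the intended one for those targets. A one-line comment at the new guard would keep the reason next to the code, e.g. `/* MMU only: the TASK_SIZE split check below always fails on !MMU. */`. The function body continues in the next hunk.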
+@@ -32,8 +34,6 @@ bool copy_from_kernel_nofault_allowed(co
+ return addr >= TASK_SIZE && ULONG_MAX - addr >= size;
+ }
+
+-#ifdef CONFIG_MMU
+-
+ /*
+ * This is useful to dump out the page tables associated with
+ * 'addr' in mm 'mm'.
--- /dev/null
+From bf2986fcf82a449441f9ee4335df19be19e83970 Mon Sep 17 00:00:00 2001
+From: Minjoong Kim <pwn9uin@gmail.com>
+Date: Sat, 22 Mar 2025 10:52:00 +0000
+Subject: atm: Fix NULL pointer dereference
+
+From: Minjoong Kim <pwn9uin@gmail.com>
+
+commit bf2986fcf82a449441f9ee4335df19be19e83970 upstream.
+
+When MPOA_cache_impos_rcvd() receives the msg, it can trigger
+Null Pointer Dereference Vulnerability if both entry and
+holding_time are NULL. Because there is only for the situation
+where entry is NULL and holding_time exists, it can be passed
+when both entry and holding_time are NULL. If these are NULL,
+the entry will be passd to eg_cache_put() as parameter and
+it is referenced by entry->use code in it.
+
+kasan log:
+
+[ 3.316691] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006:I
+[ 3.317568] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+[ 3.318188] CPU: 3 UID: 0 PID: 79 Comm: ex Not tainted 6.14.0-rc2 #102
+[ 3.318601] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+[ 3.319298] RIP: 0010:eg_cache_remove_entry+0xa5/0x470
+[ 3.319677] Code: c1 f7 6e fd 48 c7 c7 00 7e 38 b2 e8 95 64 54 fd 48 c7 c7 40 7e 38 b2 48 89 ee e80
+[ 3.321220] RSP: 0018:ffff88800583f8a8 EFLAGS: 00010006
+[ 3.321596] RAX: 0000000000000006 RBX: ffff888005989000 RCX: ffffffffaecc2d8e
+[ 3.322112] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000030
+[ 3.322643] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6558b88
+[ 3.323181] R10: 0000000000000003 R11: 203a207972746e65 R12: 1ffff11000b07f15
+[ 3.323707] R13: dffffc0000000000 R14: ffff888005989000 R15: ffff888005989068
+[ 3.324185] FS: 000000001b6313c0(0000) GS:ffff88806d380000(0000) knlGS:0000000000000000
+[ 3.325042] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3.325545] CR2: 00000000004b4b40 CR3: 000000000248e000 CR4: 00000000000006f0
+[ 3.326430] Call Trace:
+[ 3.326725] <TASK>
+[ 3.326927] ? die_addr+0x3c/0xa0
+[ 3.327330] ? exc_general_protection+0x161/0x2a0
+[ 3.327662] ? asm_exc_general_protection+0x26/0x30
+[ 3.328214] ? vprintk_emit+0x15e/0x420
+[ 3.328543] ? eg_cache_remove_entry+0xa5/0x470
+[ 3.328910] ? eg_cache_remove_entry+0x9a/0x470
+[ 3.329294] ? __pfx_eg_cache_remove_entry+0x10/0x10
+[ 3.329664] ? console_unlock+0x107/0x1d0
+[ 3.329946] ? __pfx_console_unlock+0x10/0x10
+[ 3.330283] ? do_syscall_64+0xa6/0x1a0
+[ 3.330584] ? entry_SYSCALL_64_after_hwframe+0x47/0x7f
+[ 3.331090] ? __pfx_prb_read_valid+0x10/0x10
+[ 3.331395] ? down_trylock+0x52/0x80
+[ 3.331703] ? vprintk_emit+0x15e/0x420
+[ 3.331986] ? __pfx_vprintk_emit+0x10/0x10
+[ 3.332279] ? down_trylock+0x52/0x80
+[ 3.332527] ? _printk+0xbf/0x100
+[ 3.332762] ? __pfx__printk+0x10/0x10
+[ 3.333007] ? _raw_write_lock_irq+0x81/0xe0
+[ 3.333284] ? __pfx__raw_write_lock_irq+0x10/0x10
+[ 3.333614] msg_from_mpoad+0x1185/0x2750
+[ 3.333893] ? __build_skb_around+0x27b/0x3a0
+[ 3.334183] ? __pfx_msg_from_mpoad+0x10/0x10
+[ 3.334501] ? __alloc_skb+0x1c0/0x310
+[ 3.334809] ? __pfx___alloc_skb+0x10/0x10
+[ 3.335283] ? _raw_spin_lock+0xe0/0xe0
+[ 3.335632] ? finish_wait+0x8d/0x1e0
+[ 3.335975] vcc_sendmsg+0x684/0xba0
+[ 3.336250] ? __pfx_vcc_sendmsg+0x10/0x10
+[ 3.336587] ? __pfx_autoremove_wake_function+0x10/0x10
+[ 3.337056] ? fdget+0x176/0x3e0
+[ 3.337348] __sys_sendto+0x4a2/0x510
+[ 3.337663] ? __pfx___sys_sendto+0x10/0x10
+[ 3.337969] ? ioctl_has_perm.constprop.0.isra.0+0x284/0x400
+[ 3.338364] ? sock_ioctl+0x1bb/0x5a0
+[ 3.338653] ? __rseq_handle_notify_resume+0x825/0xd20
+[ 3.339017] ? __pfx_sock_ioctl+0x10/0x10
+[ 3.339316] ? __pfx___rseq_handle_notify_resume+0x10/0x10
+[ 3.339727] ? selinux_file_ioctl+0xa4/0x260
+[ 3.340166] __x64_sys_sendto+0xe0/0x1c0
+[ 3.340526] ? syscall_exit_to_user_mode+0x123/0x140
+[ 3.340898] do_syscall_64+0xa6/0x1a0
+[ 3.341170] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 3.341533] RIP: 0033:0x44a380
+[ 3.341757] Code: 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c00
+[ 3.343078] RSP: 002b:00007ffc1d404098 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[ 3.343631] RAX: ffffffffffffffda RBX: 00007ffc1d404458 RCX: 000000000044a380
+[ 3.344306] RDX: 000000000000019c RSI: 00007ffc1d4040b0 RDI: 0000000000000003
+[ 3.344833] RBP: 00007ffc1d404260 R08: 0000000000000000 R09: 0000000000000000
+[ 3.345381] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
+[ 3.346015] R13: 00007ffc1d404448 R14: 00000000004c17d0 R15: 0000000000000001
+[ 3.346503] </TASK>
+[ 3.346679] Modules linked in:
+[ 3.346956] ---[ end trace 0000000000000000 ]---
+[ 3.347315] RIP: 0010:eg_cache_remove_entry+0xa5/0x470
+[ 3.347737] Code: c1 f7 6e fd 48 c7 c7 00 7e 38 b2 e8 95 64 54 fd 48 c7 c7 40 7e 38 b2 48 89 ee e80
+[ 3.349157] RSP: 0018:ffff88800583f8a8 EFLAGS: 00010006
+[ 3.349517] RAX: 0000000000000006 RBX: ffff888005989000 RCX: ffffffffaecc2d8e
+[ 3.350103] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000030
+[ 3.350610] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6558b88
+[ 3.351246] R10: 0000000000000003 R11: 203a207972746e65 R12: 1ffff11000b07f15
+[ 3.351785] R13: dffffc0000000000 R14: ffff888005989000 R15: ffff888005989068
+[ 3.352404] FS: 000000001b6313c0(0000) GS:ffff88806d380000(0000) knlGS:0000000000000000
+[ 3.353099] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3.353544] CR2: 00000000004b4b40 CR3: 000000000248e000 CR4: 00000000000006f0
+[ 3.354072] note: ex[79] exited with irqs disabled
+[ 3.354458] note: ex[79] exited with preempt_count 1
+
+Signed-off-by: Minjoong Kim <pwn9uin@gmail.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250322105200.14981-1-pwn9uin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/atm/mpc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/atm/mpc.c
++++ b/net/atm/mpc.c
+@@ -1314,6 +1314,8 @@ static void MPOA_cache_impos_rcvd(struct
+ holding_time = msg->content.eg_info.holding_time;
+ dprintk("(%s) entry = %p, holding_time = %u\n",
+ mpc->dev->name, entry, holding_time);
++ if (entry == NULL && !holding_time)
++ return;
+ if (entry == NULL && holding_time) {
+ entry = mpc->eg_ops->add_entry(msg, mpc);
+ mpc->eg_ops->put(entry);
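Review bot: The `entry == NULL && holding_time` branch just below the added guard still passes the result of `mpc->eg_ops->add_entry(msg, mpc)` straight to `mpc->eg_ops->put(entry)` without checking it. The body of add_entry is not visible here, but if it can return NULL (for example on allocation failure), put() would reach the same `entry->use` dereference the description mentions. Since the trace shows this message arriving from userspace through `vcc_sendmsg`, I would guard the call as `if (entry) mpc->eg_ops->put(entry);`. As a style point, the new condition mixes `entry == NULL` with `!holding_time`; `if (!entry && !holding_time)` reads more uniformly. The function continues outside the hunk.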