From: Greg Kroah-Hartman
Date: Tue, 29 Apr 2025 07:41:29 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v5.4.293~36
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2b8b8ec509f197c2cfbe9180a2d452293f4716e3;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
jfs-define-xtree-root-and-page-independently.patch
of-module-add-buffer-overflow-check-in-of_modalias.patch
---
diff --git a/queue-6.1/jfs-define-xtree-root-and-page-independently.patch b/queue-6.1/jfs-define-xtree-root-and-page-independently.patch
new file mode 100644
index 0000000000..0c7887ef78
--- /dev/null
+++ b/queue-6.1/jfs-define-xtree-root-and-page-independently.patch
@@ -0,0 +1,174 @@
+From a779ed754e52d582b8c0e17959df063108bd0656 Mon Sep 17 00:00:00 2001
+From: Dave Kleikamp
+Date: Thu, 5 Oct 2023 09:16:14 -0500
+Subject: jfs: define xtree root and page independently
+
+From: Dave Kleikamp
+
+commit a779ed754e52d582b8c0e17959df063108bd0656 upstream.
+
+In order to make array bounds checking sane, provide a separate
+definition of the in-inode xtree root and the external xtree page.
+
+Signed-off-by: Dave Kleikamp
+Tested-by: Manas Ghandat
+Closes: https://syzkaller.appspot.com/bug?extid=7cb897779f3c479d0615
+Closes: https://syzkaller.appspot.com/bug?extid=6b1d79dad6cc6b3eef41
+Closes: https://syzkaller.appspot.com/bug?extid=67f714a53ce18d5b542e
+Closes: https://syzkaller.appspot.com/bug?extid=e829cfdd0de521302df4
+Reported-by: syzbot+7cb897779f3c479d0615@syzkaller.appspotmail.com
+Reported-by: syzbot+6b1d79dad6cc6b3eef41@syzkaller.appspotmail.com
+Reported-by: syzbot+67f714a53ce18d5b542e@syzkaller.appspotmail.com
+Reported-by: syzbot+e829cfdd0de521302df4@syzkaller.appspotmail.com
+Signed-off-by: Aditya Dutt
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jfs/jfs_dinode.h | 2 +-
+ fs/jfs/jfs_imap.c | 6 +++---
+ fs/jfs/jfs_incore.h | 2 +-
+ fs/jfs/jfs_txnmgr.c | 4 ++--
+ fs/jfs/jfs_xtree.c | 4 ++--
+ fs/jfs/jfs_xtree.h | 37 +++++++++++++++++++++++--------------
+ 6 files changed, 32 insertions(+), 23 deletions(-)
+
+--- a/fs/jfs/jfs_dinode.h
++++ b/fs/jfs/jfs_dinode.h
+@@ -96,7 +96,7 @@ struct dinode {
+ #define di_gengen u._file._u1._imap._gengen
+
+ union {
+- xtpage_t _xtroot;
++ xtroot_t _xtroot;
+ struct {
+ u8 unused[16]; /* 16: */
+ dxd_t _dxd; /* 16: */
+--- a/fs/jfs/jfs_imap.c
++++ b/fs/jfs/jfs_imap.c
+@@ -673,7 +673,7 @@ int diWrite(tid_t tid, struct inode *ip)
+ * This is the special xtree inside the directory for storing
+ * the directory table
+ */
+- xtpage_t *p, *xp;
++ xtroot_t *p, *xp;
+ xad_t *xad;
+
+ jfs_ip->xtlid = 0;
+@@ -687,7 +687,7 @@ int diWrite(tid_t tid, struct inode *ip)
+ * copy xtree root from inode to dinode:
+ */
+ p = &jfs_ip->i_xtroot;
+- xp = (xtpage_t *) &dp->di_dirtable;
++ xp = (xtroot_t *) &dp->di_dirtable;
+ lv = ilinelock->lv;
+ for (n = 0; n < ilinelock->index; n++, lv++) {
+ memcpy(&xp->xad[lv->offset], &p->xad[lv->offset],
+@@ -716,7 +716,7 @@ int diWrite(tid_t tid, struct inode *ip)
+ * regular file: 16 byte (XAD slot) granularity
+ */
+ if (type & tlckXTREE) {
+- xtpage_t *p, *xp;
++ xtroot_t *p, *xp;
+ xad_t *xad;
+
+ /*
+--- a/fs/jfs/jfs_incore.h
++++ b/fs/jfs/jfs_incore.h
+@@ -66,7 +66,7 @@ struct jfs_inode_info {
+ lid_t xtlid; /* lid of xtree lock on directory */
+ union {
+ struct {
+- xtpage_t _xtroot; /* 288: xtree root */
++ xtroot_t _xtroot; /* 288: xtree root */
+ struct inomap *_imap; /* 4: inode map header */
+ } file;
+ struct {
+--- a/fs/jfs/jfs_txnmgr.c
++++ b/fs/jfs/jfs_txnmgr.c
+@@ -783,7 +783,7 @@ struct tlock *txLock(tid_t tid, struct i
+ if (mp->xflag & COMMIT_PAGE)
+ p = (xtpage_t *) mp->data;
+ else
+- p = &jfs_ip->i_xtroot;
++ p = (xtpage_t *) &jfs_ip->i_xtroot;
+ xtlck->lwm.offset =
+ le16_to_cpu(p->header.nextindex);
+ }
+@@ -1676,7 +1676,7 @@ static void xtLog(struct jfs_log * log,
+
+ if (tlck->type & tlckBTROOT) {
+ lrd->log.redopage.type |= cpu_to_le16(LOG_BTROOT);
+- p = &JFS_IP(ip)->i_xtroot;
++ p = (xtpage_t *) &JFS_IP(ip)->i_xtroot;
+ if (S_ISDIR(ip->i_mode))
+ lrd->log.redopage.type |=
+ cpu_to_le16(LOG_DIR_XTREE);
+--- a/fs/jfs/jfs_xtree.c
++++ b/fs/jfs/jfs_xtree.c
+@@ -1213,7 +1213,7 @@ xtSplitRoot(tid_t tid,
+ struct xtlock *xtlck;
+ int rc;
+
+- sp = &JFS_IP(ip)->i_xtroot;
++ sp = (xtpage_t *) &JFS_IP(ip)->i_xtroot;
+
+ INCREMENT(xtStat.split);
+
+@@ -2098,7 +2098,7 @@ int xtAppend(tid_t tid, /* transaction
+ */
+ void xtInitRoot(tid_t tid, struct inode *ip)
+ {
+- xtpage_t *p;
++ xtroot_t *p;
+
+ /*
+ * acquire a transaction lock on the root
+--- a/fs/jfs/jfs_xtree.h
++++ b/fs/jfs/jfs_xtree.h
+@@ -65,24 +65,33 @@ struct xadlist {
+ #define XTPAGEMAXSLOT 256
+ #define XTENTRYSTART 2
+
++struct xtheader {
++ __le64 next; /* 8: */
++ __le64 prev; /* 8: */
++
++ u8 flag; /* 1: */
++ u8 rsrvd1; /* 1: */
++ __le16 nextindex; /* 2: next index = number of entries */
++ __le16 maxentry; /* 2: max number of entries */
++ __le16 rsrvd2; /* 2: */
++
++ pxd_t self; /* 8: self */
++};
++
+ /*
+- * xtree page:
++ * xtree root (in inode):
+ */
+ typedef union {
+- struct xtheader {
+- __le64 next; /* 8: */
+- __le64 prev; /* 8: */
+-
+- u8 flag; /* 1: */
+- u8 rsrvd1; /* 1: */
+- __le16 nextindex; /* 2: next index = number of entries */
+- __le16 maxentry; /* 2: max number of entries */
+- __le16 rsrvd2; /* 2: */
+-
+- pxd_t self; /* 8: self */
+- } header; /* (32) */
+-
++ struct xtheader header;
+ xad_t xad[XTROOTMAXSLOT]; /* 16 * maxentry: xad array */
++} xtroot_t;
++
++/*
++ * xtree page:
++ */
++typedef union {
++ struct xtheader header;
++ xad_t xad[XTPAGEMAXSLOT]; /* 16 * maxentry: xad array */
+ } xtpage_t;
+
+ /*
diff --git a/queue-6.1/of-module-add-buffer-overflow-check-in-of_modalias.patch b/queue-6.1/of-module-add-buffer-overflow-check-in-of_modalias.patch
new file mode 100644
index 0000000000..efa41816d0
--- /dev/null
+++ b/queue-6.1/of-module-add-buffer-overflow-check-in-of_modalias.patch
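Review bot: In the jfs patch, the three `(xtpage_t *) &...->i_xtroot` casts added in txLock(), xtLog() and xtSplitRoot() hand the in-inode root to code typed for a full page, so any `xad[]` index reached through `p` or `sp` is checked against XTPAGEMAXSLOT rather than XTROOTMAXSLOT, and the bounds checking this change sets out to enable does not cover those paths. Only `p->header.nextindex` is read inside the txLock() hunk; how xtLog() and xtSplitRoot() index the root lies outside the hunks, so this needs checking against the full functions. At minimum I would mark each cast with a comment such as `/* root viewed as a page: only header and xad[0..XTROOTMAXSLOT-1] are backed by the inode */`. Presumably an on-disk `nextindex` should also be validated against XTROOTMAXSLOT before it is used as a loop bound on a root.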
@@ -0,0 +1,46 @@
+From cf7385cb26ac4f0ee6c7385960525ad534323252 Mon Sep 17 00:00:00 2001
+From: Sergey Shtylyov
+Date: Sun, 14 Apr 2024 11:51:39 +0300
+Subject: of: module: add buffer overflow check in of_modalias()
+
+From: Sergey Shtylyov
+
+commit cf7385cb26ac4f0ee6c7385960525ad534323252 upstream.
+
+In of_modalias(), if the buffer happens to be too small even for the 1st
+snprintf() call, the len parameter will become negative and str parameter
+(if not NULL initially) will point beyond the buffer's end. Add the buffer
+overflow check after the 1st snprintf() call and fix such check after the
+strlen() call (accounting for the terminating NUL char).
+
+Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings")
+Signed-off-by: Sergey Shtylyov
+Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru
+Signed-off-by: Rob Herring
+Signed-off-by: Uwe Kleine-König
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/of/device.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/of/device.c
++++ b/drivers/of/device.c
+@@ -264,14 +264,15 @@ static ssize_t of_device_get_modalias(st
+ csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T',
+ of_node_get_device_type(dev->of_node));
+ tsize = csize;
++ if (csize >= len)
++ csize = len > 0 ? len - 1 : 0;
+ len -= csize;
+- if (str)
+- str += csize;
++ str += csize;
+
+ of_property_for_each_string(dev->of_node, "compatible", p, compat) {
+ csize = strlen(compat) + 1;
+ tsize += csize;
+- if (csize > len)
++ if (csize >= len)
+ continue;
+
+ csize = snprintf(str, len, "C%s", compat);
diff --git a/queue-6.1/series b/queue-6.1/series
index b298297970..2489853874 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
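Review bot: In the of_device_get_modalias() hunk of the of-module patch, `str += csize;` is now unconditional, which is only safe because a NULL `str` is expected to arrive with `len == 0`, so that the new clamp sets `csize` to 0; nothing in the hunk states or enforces that. If a caller ever passed NULL with a positive `len`, the unchanged first `snprintf(str, len, ...)` above the added lines would already write through NULL. I would document the contract above the clamp, e.g. `/* str may be NULL only when len == 0 (length query); csize is then clamped to 0 */`. Also worth a comment is that `tsize` keeps the unclamped length and can exceed the buffer size; presumably callers compare the return value with their buffer size, but the return statement is outside the hunk.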
@@ -147,3 +147,5 @@ spi-tegra210-quad-add-rate-limiting-and-simplify-tim.patch
 ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch
 md-raid1-add-check-for-missing-source-disk-in-proces.patch
 spi-spi-imx-add-check-for-spi_imx_setupxfer.patch
+of-module-add-buffer-overflow-check-in-of_modalias.patch
+jfs-define-xtree-root-and-page-independently.patch