From: Greg Kroah-Hartman
Date: Thu, 16 Oct 2025 12:05:28 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v5.15.195~86
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=37b8746a93d3428a5634d1dd535e59602030445a;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch
---
diff --git a/queue-5.15/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch b/queue-5.15/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
new file mode 100644
index 0000000000..ba5e52234c
--- /dev/null
+++ b/queue-5.15/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
@@ -0,0 +1,71 @@
+From dff4f9ff5d7f289e4545cc936362e01ed3252742 Mon Sep 17 00:00:00 2001
+From: Anderson Nascimento
+Date: Mon, 8 Sep 2025 09:49:02 -0300
+Subject: btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
+
+From: Anderson Nascimento
+
+commit dff4f9ff5d7f289e4545cc936362e01ed3252742 upstream.
+
+The function btrfs_encode_fh() does not properly account for the three
+cases it handles.
+
+Before writing to the file handle (fh), the function only returns to the
+user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or
+BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).
+
+However, when a parent exists and the root ID of the parent and the
+inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT
+(10 dwords, 40 bytes).
+
+If *max_len is not large enough, this write goes out of bounds because
+BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than
+BTRFS_FID_SIZE_CONNECTABLE originally returned.
+
+This results in an 8-byte out-of-bounds write at
+fid->parent_root_objectid = parent_root_id.
+
+A previous attempt to fix this issue was made but was lost.
+
+https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/
+
+Although this issue does not seem to be easily triggerable, it is a
+potential memory corruption bug that should be fixed. This patch
+resolves the issue by ensuring the function returns the appropriate size
+for all three cases and validates that *max_len is large enough before
+writing any data.
+
+Fixes: be6e8dc0ba84 ("NFS support for btrfs - v3")
+CC: stable@vger.kernel.org # 3.0+
+Signed-off-by: Anderson Nascimento
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/export.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/export.c
++++ b/fs/btrfs/export.c
+@@ -22,7 +22,11 @@ static int btrfs_encode_fh(struct inode
+ int type;
+
+ if (parent && (len < BTRFS_FID_SIZE_CONNECTABLE)) {
+- *max_len = BTRFS_FID_SIZE_CONNECTABLE;
++ if (btrfs_root_id(BTRFS_I(inode)->root) !=
++ btrfs_root_id(BTRFS_I(parent)->root))
++ *max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
++ else
++ *max_len = BTRFS_FID_SIZE_CONNECTABLE;
+ return FILEID_INVALID;
+ } else if (len < BTRFS_FID_SIZE_NON_CONNECTABLE) {
+ *max_len = BTRFS_FID_SIZE_NON_CONNECTABLE;
+@@ -44,6 +48,8 @@ static int btrfs_encode_fh(struct inode
+ parent_root_id = BTRFS_I(parent)->root->root_key.objectid;
+
+ if (parent_root_id != fid->root_objectid) {
++ if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT)
++ return FILEID_INVALID;
+ fid->parent_root_objectid = parent_root_id;
+ len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
+ type = FILEID_BTRFS_WITH_PARENT_ROOT;
diff --git a/queue-5.15/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch b/queue-5.15/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch
new file mode 100644
index 0000000000..b529a054dd
--- /dev/null
+++ b/queue-5.15/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch
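Review bot: The new guard in the second hunk of the backported diff, `if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT) return FILEID_INVALID;`, returns without updating `*max_len`, so a caller whose buffer is at least BTRFS_FID_SIZE_CONNECTABLE but smaller than BTRFS_FID_SIZE_CONNECTABLE_ROOT never learns the required length, unlike the first hunk's branch which stores the needed size before returning FILEID_INVALID. Mirroring that branch with `*max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;` ahead of the return would keep the "report the size to retry with" contract uniform across all three cases; whether the 5.15 exportfs callers propagate that value I cannot confirm from these hunks. Separately, the added lines use `btrfs_root_id()` while the surrounding 5.15 context reads `BTRFS_I(parent)->root->root_key.objectid` directly; if that helper is absent in this tree the first hunk will not build, and in either case the two forms could be unified for consistency. btrfs_encode_fh() begins and ends outside the quoted hunks.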
@@ -0,0 +1,53 @@
+From d0856a6dff57f95cc5d2d74e50880f01697d0cc4 Mon Sep 17 00:00:00 2001
+From: Adam Xue
+Date: Fri, 5 Sep 2025 10:41:18 -0700
+Subject: bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup()
+
+From: Adam Xue
+
+commit d0856a6dff57f95cc5d2d74e50880f01697d0cc4 upstream.
+
+In mhi_init_irq_setup, the device pointer used for dev_err() was not
+initialized. Use the pointer from mhi_cntrl instead.
+
+Fixes: b0fc0167f254 ("bus: mhi: core: Allow shared IRQ for event rings")
+Fixes: 3000f85b8f47 ("bus: mhi: core: Add support for basic PM operations")
+Signed-off-by: Adam Xue
+[mani: reworded subject/description and CCed stable]
+Signed-off-by: Manivannan Sadhasivam
+Reviewed-by: Krishna Chaitanya Chundru
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250905174118.38512-1-zxue@semtech.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/mhi/host/init.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/mhi/host/init.c
++++ b/drivers/bus/mhi/host/init.c
+@@ -161,7 +161,6 @@ void mhi_deinit_free_irq(struct mhi_cont
+ int mhi_init_irq_setup(struct mhi_controller *mhi_cntrl)
+ {
+ struct mhi_event *mhi_event = mhi_cntrl->mhi_event;
+- struct device *dev = &mhi_cntrl->mhi_dev->dev;
+ unsigned long irq_flags = IRQF_SHARED | IRQF_NO_SUSPEND;
+ int i, ret;
+
+@@ -182,7 +181,7 @@ int mhi_init_irq_setup(struct mhi_contro
+ continue;
+
+ if (mhi_event->irq >= mhi_cntrl->nr_irqs) {
+- dev_err(dev, "irq %d not available for event ring\n",
++ dev_err(mhi_cntrl->cntrl_dev, "irq %d not available for event ring\n",
+ mhi_event->irq);
+ ret = -EINVAL;
+ goto error_request;
+@@ -193,7 +192,7 @@ int mhi_init_irq_setup(struct mhi_contro
+ irq_flags,
+ "mhi", mhi_event);
+ if (ret) {
+- dev_err(dev, "Error requesting irq:%d for ev:%d\n",
++ dev_err(mhi_cntrl->cntrl_dev, "Error requesting irq:%d for ev:%d\n",
+ mhi_cntrl->irq[mhi_event->irq], i);
+ goto error_request;
+ }
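Review bot: The two rewritten `dev_err()` calls spell out `mhi_cntrl->cntrl_dev` inline, and the first of them (`dev_err(mhi_cntrl->cntrl_dev, "irq %d not available for event ring\n",`) ends up well past the 80-column guideline once its three tabs of indentation are counted. Retargeting the existing local instead, `struct device *dev = mhi_cntrl->cntrl_dev;`, would remove the read through the not-yet-populated `mhi_dev` with a one-line change and leave both call sites and their line lengths untouched; since upstream chose the inline form this is a style preference for the backport rather than a defect. mhi_init_irq_setup() continues past the last quoted hunk, so any further `dev` users there are not visible here, though the removal of the local means the compiler would catch them.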
diff --git a/queue-5.15/series b/queue-5.15/series
index b331ce3981..08efb5de84 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -173,3 +173,5 @@ xen-manage-fix-suspend-error-path.patch
 firmware-meson_sm-fix-device-leak-at-probe.patch
 media-i2c-mt9v111-fix-incorrect-type-for-ret.patch
 drm-nouveau-fix-bad-ret-code-in-nouveau_bo_move_prep.patch
+btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
+bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch