From c8043b921093f759bf38ee7c2f587a63094d1ac1 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 28 Oct 2023 09:36:20 +0200
Subject: [PATCH] 5.10-stable patches

added patches:
	kasan-print-the-original-fault-addr-when-access-invalid-shadow.patch
---
 ...ault-addr-when-access-invalid-shadow.patch | 90 +++++++++++++++++++
 queue-5.10/series                             |  1 +
 2 files changed, 91 insertions(+)
 create mode 100644 queue-5.10/kasan-print-the-original-fault-addr-when-access-invalid-shadow.patch

diff --git a/queue-5.10/kasan-print-the-original-fault-addr-when-access-invalid-shadow.patch b/queue-5.10/kasan-print-the-original-fault-addr-when-access-invalid-shadow.patch
new file mode 100644
index 00000000000..7dc64e42b54
--- /dev/null
+++ b/queue-5.10/kasan-print-the-original-fault-addr-when-access-invalid-shadow.patch
@@ -0,0 +1,90 @@
+From babddbfb7d7d70ae7f10fedd75a45d8ad75fdddf Mon Sep 17 00:00:00 2001
+From: Haibo Li <haibo.li@mediatek.com>
+Date: Mon, 9 Oct 2023 15:37:48 +0800
+Subject: kasan: print the original fault addr when access invalid shadow
+
+From: Haibo Li <haibo.li@mediatek.com>
+
+commit babddbfb7d7d70ae7f10fedd75a45d8ad75fdddf upstream.
+
+when the checked address is illegal,the corresponding shadow address from
+kasan_mem_to_shadow may have no mapping in mmu table.  Access such shadow
+address causes kernel oops.  Here is a sample about oops on arm64(VA
+39bit) with KASAN_SW_TAGS and KASAN_OUTLINE on:
+
+[ffffffb80aaaaaaa] pgd=000000005d3ce003, p4d=000000005d3ce003,
+    pud=000000005d3ce003, pmd=0000000000000000
+Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 3 PID: 100 Comm: sh Not tainted 6.6.0-rc1-dirty #43
+Hardware name: linux,dummy-virt (DT)
+pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : __hwasan_load8_noabort+0x5c/0x90
+lr : do_ib_ob+0xf4/0x110
+ffffffb80aaaaaaa is the shadow address for efffff80aaaaaaaa.
+The problem is reading invalid shadow in kasan_check_range.
+
+The generic kasan also has similar oops.
+
+It only reports the shadow address which causes oops but not
+the original address.
+
+Commit 2f004eea0fc8("x86/kasan: Print original address on #GP")
+introduce to kasan_non_canonical_hook but limit it to KASAN_INLINE.
+
+This patch extends it to KASAN_OUTLINE mode.
+
+Link: https://lkml.kernel.org/r/20231009073748.159228-1-haibo.li@mediatek.com
+Fixes: 2f004eea0fc8("x86/kasan: Print original address on #GP")
+Signed-off-by: Haibo Li <haibo.li@mediatek.com>
+Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Haibo Li <haibo.li@mediatek.com>
+Cc: Matthias Brugger <matthias.bgg@gmail.com>
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/kasan.h |    6 +++---
+ mm/kasan/report.c     |    4 +---
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+--- a/include/linux/kasan.h
++++ b/include/linux/kasan.h
+@@ -234,10 +234,10 @@ static inline void kasan_release_vmalloc
+ 					 unsigned long free_region_end) {}
+ #endif
+ 
+-#ifdef CONFIG_KASAN_INLINE
++#ifdef CONFIG_KASAN
+ void kasan_non_canonical_hook(unsigned long addr);
+-#else /* CONFIG_KASAN_INLINE */
++#else /* CONFIG_KASAN */
+ static inline void kasan_non_canonical_hook(unsigned long addr) { }
+-#endif /* CONFIG_KASAN_INLINE */
++#endif /* CONFIG_KASAN */
+ 
+ #endif /* LINUX_KASAN_H */
+--- a/mm/kasan/report.c
++++ b/mm/kasan/report.c
+@@ -560,9 +560,8 @@ bool kasan_report(unsigned long addr, si
+ 	return ret;
+ }
+ 
+-#ifdef CONFIG_KASAN_INLINE
+ /*
+- * With CONFIG_KASAN_INLINE, accesses to bogus pointers (outside the high
++ * With CONFIG_KASAN, accesses to bogus pointers (outside the high
+  * canonical half of the address space) cause out-of-bounds shadow memory reads
+  * before the actual access. For addresses in the low canonical half of the
+  * address space, as well as most non-canonical addresses, that out-of-bounds
+@@ -598,4 +597,3 @@ void kasan_non_canonical_hook(unsigned l
+ 	pr_alert("KASAN: %s in range [0x%016lx-0x%016lx]\n", bug_type,
+ 		 orig_addr, orig_addr + KASAN_SHADOW_MASK);
+ }
+-#endif
diff --git a/queue-5.10/series b/queue-5.10/series
index 3d8938e145b..41f1edc4a0b 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -24,3 +24,4 @@ tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch
 gtp-uapi-fix-gtpa_max.patch
 gtp-fix-fragmentation-needed-check-with-gso.patch
 i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch
+kasan-print-the-original-fault-addr-when-access-invalid-shadow.patch
-- 
2.47.3