The patch below does not apply to the 5.18-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From c2cb0dcce9dd8b748b6ca8bb8d4a389f2e232307 Mon Sep 17 00:00:00 2001
From: Naoya Horiguchi <naoya.horiguchi(a)nec.com>
Date: Mon, 4 Jul 2022 10:33:05 +0900
Subject: [PATCH] mm/hugetlb: separate path for hwpoison entry in
copy_hugetlb_page_range()
Originally copy_hugetlb_page_range() handled migration entries and
hwpoisoned entries in a similar manner. But recently the related code path
has gained more code for migration entries, and when
is_writable_migration_entry() was converted to
!is_readable_migration_entry(), hwpoison entries on source processes got
unexpectedly updated (which is legitimate for migration entries, but
not for hwpoison entries). This results in unexpected serious issues like
a kernel panic when forking processes with hwpoison entries in a pmd.
Separate the if branch into one for hwpoison entries and one for migration
entries.
Link: https://lkml.kernel.org/r/20220704013312.2415700-3-naoya.horiguchi@linux.dev
Fixes: 6c287605fd56 ("mm: remember exclusively mapped anonymous pages with PG_anon_exclusive")
Signed-off-by: Naoya Horiguchi <naoya.horiguchi(a)nec.com>
Reviewed-by: Miaohe Lin <linmiaohe(a)huawei.com>
Reviewed-by: Mike Kravetz <mike.kravetz(a)oracle.com>
Reviewed-by: Muchun Song <songmuchun(a)bytedance.com>
Cc: <stable(a)vger.kernel.org> [5.18]
Cc: David Hildenbrand <david(a)redhat.com>
Cc: Liu Shixin <liushixin2(a)huawei.com>
Cc: Oscar Salvador <osalvador(a)suse.de>
Cc: Yang Shi <shy828301(a)gmail.com>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index a57e1be41401..baf7f6b19ce6 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4788,8 +4788,13 @@ int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src,
* sharing with another vma.
*/
;
- } else if (unlikely(is_hugetlb_entry_migration(entry) ||
- is_hugetlb_entry_hwpoisoned(entry))) {
+ } else if (unlikely(is_hugetlb_entry_hwpoisoned(entry))) {
+ bool uffd_wp = huge_pte_uffd_wp(entry);
+
+ if (!userfaultfd_wp(dst_vma) && uffd_wp)
+ entry = huge_pte_clear_uffd_wp(entry);
+ set_huge_pte_at(dst, addr, dst_pte, entry);
+ } else if (unlikely(is_hugetlb_entry_migration(entry))) {
swp_entry_t swp_entry = pte_to_swp_entry(entry);
bool uffd_wp = huge_pte_uffd_wp(entry);
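Review bot: the new hwpoison branch (`} else if (unlikely(is_hugetlb_entry_hwpoisoned(entry))) {`) deserves a one-line comment saying that a hwpoison entry is only copied to the destination via `set_huge_pte_at(dst, addr, dst_pte, entry)` and must never be rewritten on the source side; the commit message explains that the previous combined branch regressed precisely because the two cases shared code, and without a comment the next change to the migration branch (which starts at `swp_entry_t swp_entry = pte_to_swp_entry(entry);`) is liable to be merged back into it. The uffd-wp clearing is duplicated in both branches, which is fine for two short lines, but the hunk is cut off after the migration branch's `bool uffd_wp` declaration, so the remainder of that branch cannot be checked here.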
Refer to https://lore.kernel.org/all/20220706150253.2186-1-deller@gmx.de/
Three patches are provided to fix CVE-2021-33655 (when sending malicious data
to the kernel by the ioctl cmd FBIOPUT_VSCREENINFO, the kernel will write memory out
of bounds; https://nvd.nist.gov/vuln/detail/CVE-2021-33655) in mainline.
But only
commit 65a01e601dbb ("fbcon: Disallow setting font bigger than screen size")
was backported to stable (4.19, 4.14). Without the other two commits,
commit e64242caef18 ("fbcon: Prevent that screen size is smaller than font size")
commit 6c11df58fd1a ("fbmem: Check virtual screen sizes in fb_set_var()")
the problem still exists.
static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long arg)
  fb_set_var(info, &var);
    fb_notifier_call_chain(evnt, &event); // evnt = FB_EVENT_MODE_CHANGE
      static int fbcon_event_notify(struct notifier_block *self,
                                    unsigned long action, void *data)
        fbcon_modechanged(info);
          updatescrollmode(p, info, vc);
            ...
            p->vrows = vyres/fh;
            if (yres > (fh * (vc->vc_rows + 1)))
                p->vrows -= (yres - (fh * vc->vc_rows)) / fh;
            if ((yres % fh) && (vyres % fh < yres % fh))
                p->vrows--;                                   [1]
[1]: p->vrows could be -1, as described for CVE-2021-33655.
I think the two commits should be backported to 4.19 and 4.14.
Helge Deller (2):
fbcon: Prevent that screen size is smaller than font size
fbmem: Check virtual screen sizes in fb_set_var()
drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++
drivers/video/fbdev/core/fbmem.c | 20 +++++++++++++++++---
include/linux/fbcon.h | 4 ++++
3 files changed, 49 insertions(+), 3 deletions(-)
--
2.17.1
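The p->vrows arithmetic quoted in the call chain above, carried through on concrete numbers as an added example (this is not code from the kernel or from Helge Deller's patches). compute_vrows() repeats the three statements from updatescrollmode() on plain integers so the step to -1 is visible; geometry_ok() is my own reconstruction of the intent of the two requested commits (the virtual resolution must cover the visible one, and the screen must hold at least one font cell), not their actual code. struct fb_geom, the function names and the sample geometries are constructed for this example.

```c
/* Added example, not kernel code: reproduces the vrows computation from the
 * updatescrollmode() fragment quoted above and a size check in the spirit of
 * the two requested backports. All names and sample values are constructed. */
#include <stdio.h>
#include <stdbool.h>

/* Constructed screen geometry, in pixels. */
struct fb_geom {
    unsigned int xres, yres;    /* visible area */
    unsigned int vxres, vyres;  /* virtual (scrollable) area */
};

/* A sane 640x480 mode with a virtual area equal to the visible one. */
static const struct fb_geom good_geom = { 640, 480, 640, 480 };

/* A constructed FBIOPUT_VSCREENINFO-style geometry whose virtual height (4)
 * is smaller than its visible height (470). */
static const struct fb_geom bad_geom = { 640, 470, 640, 4 };

/* Same arithmetic as the quoted updatescrollmode() fragment.
 * fh is the font height; vc_rows is the console's current row count, which
 * fbcon derived from the geometry (yres / fh in the common case).
 * Returned as a signed int so the underflow shows as -1 instead of wrapping. */
static int compute_vrows(const struct fb_geom *g, unsigned int fh, unsigned int vc_rows)
{
    int vrows = (int)(g->vyres / fh);

    if (g->yres > (fh * (vc_rows + 1)))
        vrows -= (int)((g->yres - (fh * vc_rows)) / fh);
    if ((g->yres % fh) && (g->vyres % fh < g->yres % fh))
        vrows--;
    return vrows;
}

/* Validation reconstructed from the intent of the two commits (my wording,
 * not their code):
 *  - virtual resolution must cover the visible resolution
 *    ("fbmem: Check virtual screen sizes in fb_set_var()");
 *  - the visible area must hold at least one font cell
 *    ("fbcon: Prevent that screen size is smaller than font size").
 * Returns true when the geometry is acceptable for a fw x fh font. */
static bool geometry_ok(const struct fb_geom *g, unsigned int fw, unsigned int fh)
{
    if (fw == 0 || fh == 0)
        return false;
    if (g->vxres < g->xres || g->vyres < g->yres)
        return false;   /* virtual area smaller than visible area */
    if (g->xres < fw || g->yres < fh)
        return false;   /* not even one character fits */
    return true;
}

int main(void)
{
    const unsigned int fw = 8, fh = 16;

    printf("good geometry: ok=%d vrows=%d\n",
           geometry_ok(&good_geom, fw, fh),
           compute_vrows(&good_geom, fh, good_geom.yres / fh));
    printf("bad geometry:  ok=%d vrows=%d\n",
           geometry_ok(&bad_geom, fw, fh),
           compute_vrows(&bad_geom, fh, bad_geom.yres / fh));
    return 0;
}
```

With the constructed bad geometry the first statement yields 0 (4 / 16), the first branch is skipped, and the second branch fires because 4 % 16 is smaller than 470 % 16, leaving vrows at -1; geometry_ok() rejects the same input before any of that arithmetic runs, which is the point of backporting the checks rather than only the font-size limit.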
From: Yu Kuai <yukuai3(a)huawei.com>
One of our products reported an I/O hang problem; it turns out the problem
can be fixed by this patch.
I'm not sure why this patch is not backported yet; however, please
consider it for 4.19 LTS.
Ming Lei (1):
scsi: core: Fix race between handling STS_RESOURCE and completion
drivers/scsi/scsi_lib.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--
2.31.1