diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26720.patch')
| -rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26720.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26720.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26720.patch new file mode 100644 index 000000000..0bb927550 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26720.patch @@ -0,0 +1,49 @@ +From 16b1025eaa8fc223ab4273ece20d1c3a4211a95d Mon Sep 17 00:00:00 2001 +From: Zach O'Keefe <zokeefe@google.com> +Date: Thu, 18 Jan 2024 10:19:53 -0800 +Subject: mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again + +commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78 upstream. + +(struct dirty_throttle_control *)->thresh is an unsigned long, but is +passed as the u32 divisor argument to div_u64(). On architectures where +unsigned long is 64 bytes, the argument will be implicitly truncated. + +Use div64_u64() instead of div_u64() so that the value used in the "is +this a safe division" check is the same as the divisor. + +Also, remove redundant cast of the numerator to u64, as that should happen +implicitly. + +This would be difficult to exploit in memcg domain, given the ratio-based +arithmetic domain_drity_limits() uses, but is much easier in global +writeback domain with a BDI_CAP_STRICTLIMIT-backing device, using e.g. +vm.dirty_bytes=(1<<32)*PAGE_SIZE so that dtc->thresh == (1<<32) + +Link: https://lkml.kernel.org/r/20240118181954.1415197-1-zokeefe@google.com +Fixes: f6789593d5ce ("mm/page-writeback.c: fix divide by zero in bdi_dirty_limits()") +Signed-off-by: Zach O'Keefe <zokeefe@google.com> +Cc: Maxim Patlasov <MPatlasov@parallels.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + mm/page-writeback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/page-writeback.c b/mm/page-writeback.c +index de5f69921b9465..d3e9d12860b9f4 100644 +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -1526,7 +1526,7 @@ static inline void wb_dirty_limits(struct dirty_throttle_control *dtc) + */ + dtc->wb_thresh = __wb_calc_thresh(dtc); + dtc->wb_bg_thresh = dtc->thresh ? +- div_u64((u64)dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0; ++ div64_u64(dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0; + + /* + * In order to avoid the stacked BDI deadlock we need +-- +cgit 1.2.3-korg + |