--- /dev/null
+From 708c04a5c2b78e22f56e2350de41feba74dfccd9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <thomas.weissschuh@linutronix.de>
+Date: Tue, 5 Aug 2025 14:38:08 +0200
+Subject: fs: always return zero on success from replace_fd()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+commit 708c04a5c2b78e22f56e2350de41feba74dfccd9 upstream.
+
+replace_fd() returns the number of the new file descriptor through the
+return value of do_dup2(). However its callers never care about the
+specific returned number. In fact the caller in receive_fd_replace() treats
+any non-zero return value as an error and therefore never calls
+__receive_sock() for most file descriptors, which is a bug.
+
+To fix the bug in receive_fd_replace() and to avoid the same issue
+happening in future callers, signal success through a plain zero.
+
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Link: https://lore.kernel.org/lkml/20250801220215.GS222315@ZenIV/
+Fixes: 173817151b15 ("fs: Expand __receive_fd() to accept existing fd")
+Fixes: 42eb0d54c08a ("fs: split receive_fd_replace from __receive_fd")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Link: https://lore.kernel.org/20250805-fix-receive_fd_replace-v3-1-b72ba8b34bac@linutronix.de
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/file.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/file.c
++++ b/fs/file.c
+@@ -1136,7 +1136,10 @@ int replace_fd(unsigned fd, struct file
+ err = expand_files(files, fd);
+ if (unlikely(err < 0))
+ goto out_unlock;
+- return do_dup2(files, file, fd, flags);
++ err = do_dup2(files, file, fd, flags);
++ if (err < 0)
++ return err;
++ return 0;
+
+ out_unlock:
+ spin_unlock(&files->file_lock);
--- /dev/null
+From 72d271a7baa7062cb27e774ac37c5459c6d20e22 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Thu, 7 Aug 2025 03:55:23 +1000
+Subject: fscontext: do not consume log entries when returning -EMSGSIZE
+
+From: Aleksa Sarai <cyphar@cyphar.com>
+
+commit 72d271a7baa7062cb27e774ac37c5459c6d20e22 upstream.
+
+Userspace generally expects APIs that return -EMSGSIZE to allow for them
+to adjust their buffer size and retry the operation. However, the
+fscontext log would previously clear the message even in the -EMSGSIZE
+case.
+
+Given that it is very cheap for us to check whether the buffer is too
+small before we remove the message from the ring buffer, let's just do
+that instead. While we're at it, refactor some fscontext_read() into a
+separate helper to make the ring buffer logic a bit easier to read.
+
+Fixes: 007ec26cdc9f ("vfs: Implement logging through fs_context")
+Cc: David Howells <dhowells@redhat.com>
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+Link: https://lore.kernel.org/20250807-fscontext-log-cleanups-v3-1-8d91d6242dc3@cyphar.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fsopen.c | 70 ++++++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 38 insertions(+), 32 deletions(-)
+
+--- a/fs/fsopen.c
++++ b/fs/fsopen.c
+@@ -18,50 +18,56 @@
+ #include "internal.h"
+ #include "mount.h"
+
++static inline const char *fetch_message_locked(struct fc_log *log, size_t len,
++ bool *need_free)
++{
++ const char *p;
++ int index;
++
++ if (unlikely(log->head == log->tail))
++ return ERR_PTR(-ENODATA);
++
++ index = log->tail & (ARRAY_SIZE(log->buffer) - 1);
++ p = log->buffer[index];
++ if (unlikely(strlen(p) > len))
++ return ERR_PTR(-EMSGSIZE);
++
++ log->buffer[index] = NULL;
++ *need_free = log->need_free & (1 << index);
++ log->need_free &= ~(1 << index);
++ log->tail++;
++
++ return p;
++}
++
+ /*
+ * Allow the user to read back any error, warning or informational messages.
++ * Only one message is returned for each read(2) call.
+ */
+ static ssize_t fscontext_read(struct file *file,
+ char __user *_buf, size_t len, loff_t *pos)
+ {
+ struct fs_context *fc = file->private_data;
+- struct fc_log *log = fc->log.log;
+- unsigned int logsize = ARRAY_SIZE(log->buffer);
+- ssize_t ret;
+- char *p;
++ ssize_t err;
++ const char *p __free(kfree) = NULL, *message;
+ bool need_free;
+- int index, n;
+-
+- ret = mutex_lock_interruptible(&fc->uapi_mutex);
+- if (ret < 0)
+- return ret;
+-
+- if (log->head == log->tail) {
+- mutex_unlock(&fc->uapi_mutex);
+- return -ENODATA;
+- }
++ int n;
+
+- index = log->tail & (logsize - 1);
+- p = log->buffer[index];
+- need_free = log->need_free & (1 << index);
+- log->buffer[index] = NULL;
+- log->need_free &= ~(1 << index);
+- log->tail++;
++ err = mutex_lock_interruptible(&fc->uapi_mutex);
++ if (err < 0)
++ return err;
++ message = fetch_message_locked(fc->log.log, len, &need_free);
+ mutex_unlock(&fc->uapi_mutex);
++ if (IS_ERR(message))
++ return PTR_ERR(message);
+
+- ret = -EMSGSIZE;
+- n = strlen(p);
+- if (n > len)
+- goto err_free;
+- ret = -EFAULT;
+- if (copy_to_user(_buf, p, n) != 0)
+- goto err_free;
+- ret = n;
+-
+-err_free:
+ if (need_free)
+- kfree(p);
+- return ret;
++ p = message;
++
++ n = strlen(message);
++ if (copy_to_user(_buf, message, n))
++ return -EFAULT;
++ return n;
+ }
+
+ static int fscontext_release(struct inode *inode, struct file *file)
projects / thirdparty / kernel / stable-queue.git / commitdiff
