4.14-stable patches

added patches:
	proc-avoid-integer-type-confusion-in-get_proc_long.patch
	proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch

diff --git a/queue-4.14/proc-avoid-integer-type-confusion-in-get_proc_long.patch b/queue-4.14/proc-avoid-integer-type-confusion-in-get_proc_long.patch
new file mode 100644 (file)
index 0000000..55638a0
--- /dev/null
+++ b/queue-4.14/proc-avoid-integer-type-confusion-in-get_proc_long.patch
@@ -0,0 +1,40 @@
+From e6cfaf34be9fcd1a8285a294e18986bfc41a409c Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 5 Dec 2022 11:33:40 -0800
+Subject: proc: avoid integer type confusion in get_proc_long
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e6cfaf34be9fcd1a8285a294e18986bfc41a409c upstream.
+
+proc_get_long() is passed a size_t, but then assigns it to an 'int'
+variable for the length.  Let's not do that, even if our IO paths are
+limited to MAX_RW_COUNT (exactly because of these kinds of type errors).
+
+So do the proper test in the rigth type.
+
+Reported-by: Kyle Zeng <zengyhkyle@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sysctl.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2106,13 +2106,12 @@ static int proc_get_long(char **buf, siz
+                         unsigned long *val, bool *neg,
+                         const char *perm_tr, unsigned perm_tr_len, char *tr)
+ {
+-      int len;
+       char *p, tmp[TMPBUFLEN];
++      ssize_t len = *size;
+ 
+-      if (!*size)
++      if (len <= 0)
+               return -EINVAL;
+ 
+-      len = *size;
+       if (len > TMPBUFLEN - 1)
+               len = TMPBUFLEN - 1;
+ 

diff --git a/queue-4.14/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch b/queue-4.14/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
new file mode 100644 (file)
index 0000000..2efcce7
--- /dev/null
+++ b/queue-4.14/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
@@ -0,0 +1,106 @@
+From bce9332220bd677d83b19d21502776ad555a0e73 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 5 Dec 2022 12:09:06 -0800
+Subject: proc: proc_skip_spaces() shouldn't think it is working on C strings
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit bce9332220bd677d83b19d21502776ad555a0e73 upstream.
+
+proc_skip_spaces() seems to think it is working on C strings, and ends
+up being just a wrapper around skip_spaces() with a really odd calling
+convention.
+
+Instead of basing it on skip_spaces(), it should have looked more like
+proc_skip_char(), which really is the exact same function (except it
+skips a particular character, rather than whitespace).  So use that as
+inspiration, odd coding and all.
+
+Now the calling convention actually makes sense and works for the
+intended purpose.
+
+Reported-and-tested-by: Kyle Zeng <zengyhkyle@gmail.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sysctl.c |   25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2066,13 +2066,14 @@ int proc_dostring(struct ctl_table *tabl
+                              (char __user *)buffer, lenp, ppos);
+ }
+ 
+-static size_t proc_skip_spaces(char **buf)
++static void proc_skip_spaces(char **buf, size_t *size)
+ {
+-      size_t ret;
+-      char *tmp = skip_spaces(*buf);
+-      ret = tmp - *buf;
+-      *buf = tmp;
+-      return ret;
++      while (*size) {
++              if (!isspace(**buf))
++                      break;
++              (*size)--;
++              (*buf)++;
++      }
+ }
+ 
+ static void proc_skip_char(char **buf, size_t *size, const char v)
+@@ -2273,7 +2274,7 @@ static int __do_proc_dointvec(void *tbl_
+               bool neg;
+ 
+               if (write) {
+-                      left -= proc_skip_spaces(&p);
++                      proc_skip_spaces(&p, &left);
+ 
+                       if (!left)
+                               break;
+@@ -2304,7 +2305,7 @@ static int __do_proc_dointvec(void *tbl_
+       if (!write && !first && left && !err)
+               err = proc_put_char(&buffer, &left, '\n');
+       if (write && !err && left)
+-              left -= proc_skip_spaces(&p);
++              proc_skip_spaces(&p, &left);
+       if (write) {
+               kfree(kbuf);
+               if (first)
+@@ -2353,7 +2354,7 @@ static int do_proc_douintvec_w(unsigned
+       if (IS_ERR(kbuf))
+               return -EINVAL;
+ 
+-      left -= proc_skip_spaces(&p);
++      proc_skip_spaces(&p, &left);
+       if (!left) {
+               err = -EINVAL;
+               goto out_free;
+@@ -2373,7 +2374,7 @@ static int do_proc_douintvec_w(unsigned
+       }
+ 
+       if (!err && left)
+-              left -= proc_skip_spaces(&p);
++              proc_skip_spaces(&p, &left);
+ 
+ out_free:
+       kfree(kbuf);
+@@ -2748,7 +2749,7 @@ static int __do_proc_doulongvec_minmax(v
+               if (write) {
+                       bool neg;
+ 
+-                      left -= proc_skip_spaces(&p);
++                      proc_skip_spaces(&p, &left);
+                       if (!left)
+                               break;
+ 
+@@ -2781,7 +2782,7 @@ static int __do_proc_doulongvec_minmax(v
+       if (!write && !first && left && !err)
+               err = proc_put_char(&buffer, &left, '\n');
+       if (write && !err)
+-              left -= proc_skip_spaces(&p);
++              proc_skip_spaces(&p, &left);
+       if (write) {
+               kfree(kbuf);
+               if (first)

diff --git a/queue-4.14/series b/queue-4.14/series
index 687e2a31c3199a422b8677f01e13069e9df375e5..b97d291b97d329d7808e621380048c18e1059d1f 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -75,3 +75,5 @@ bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch
 x86-ioremap-fix-page-aligned-size-calculation-in-__i.patch
 mmc-sdhci-use-field_get-for-preset-value-bit-masks.patch
 mmc-sdhci-fix-voltage-switch-delay.patch
+proc-avoid-integer-type-confusion-in-get_proc_long.patch
+proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch