From: Greg Kroah-Hartman Date: Fri, 20 Jun 2025 15:28:09 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.4.295~122 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=01a34c442a87fa2ada13bc9f2b52ff8649bedd0b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch scsi-s390-zfcp-ensure-synchronous-unit_add.patch scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch --- diff --git a/queue-5.4/atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch b/queue-5.4/atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch new file mode 100644 index 0000000000..609c4743f0 --- /dev/null +++ b/queue-5.4/atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch @@ -0,0 +1,75 @@ +From 7851263998d4269125fd6cb3fdbfc7c6db853859 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Mon, 16 Jun 2025 11:21:15 -0700 +Subject: atm: Revert atm_account_tx() if copy_from_iter_full() fails. + +From: Kuniyuki Iwashima + +commit 7851263998d4269125fd6cb3fdbfc7c6db853859 upstream. + +In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by +atm_account_tx(). + +It is expected to be reverted by atm_pop_raw() later called by +vcc->dev->ops->send(vcc, skb). + +However, vcc_sendmsg() misses the same revert when copy_from_iter_full() +fails, and then we will leak a socket. + +Let's factorise the revert part as atm_return_tx() and call it in +the failure path. + +Note that the corresponding sk_wmem_alloc operation can be found in +alloc_tx() as of the blamed commit. + + $ git blame -L:alloc_tx net/atm/common.c c55fa3cccbc2c~ + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Simon Horman +Closes: https://lore.kernel.org/netdev/20250614161959.GR414686@horms.kernel.org/ +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250616182147.963333-3-kuni1840@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/atmdev.h | 6 ++++++ + net/atm/common.c | 1 + + net/atm/raw.c | 2 +- + 3 files changed, 8 insertions(+), 1 deletion(-) + +--- a/include/linux/atmdev.h ++++ b/include/linux/atmdev.h +@@ -257,6 +257,12 @@ static inline void atm_account_tx(struct + ATM_SKB(skb)->atm_options = vcc->atm_options; + } + ++static inline void atm_return_tx(struct atm_vcc *vcc, struct sk_buff *skb) ++{ ++ WARN_ON_ONCE(refcount_sub_and_test(ATM_SKB(skb)->acct_truesize, ++ &sk_atm(vcc)->sk_wmem_alloc)); ++} ++ + static inline void atm_force_charge(struct atm_vcc *vcc,int truesize) + { + atomic_add(truesize, &sk_atm(vcc)->sk_rmem_alloc); +--- a/net/atm/common.c ++++ b/net/atm/common.c +@@ -635,6 +635,7 @@ int vcc_sendmsg(struct socket *sock, str + + skb->dev = NULL; /* for paths shared with net_device interfaces */ + if (!copy_from_iter_full(skb_put(skb, size), size, &m->msg_iter)) { ++ atm_return_tx(vcc, skb); + kfree_skb(skb); + error = -EFAULT; + goto out; +--- a/net/atm/raw.c ++++ b/net/atm/raw.c +@@ -36,7 +36,7 @@ static void atm_pop_raw(struct atm_vcc * + + pr_debug("(%d) %d -= %d\n", + vcc->vci, sk_wmem_alloc_get(sk), ATM_SKB(skb)->acct_truesize); +- WARN_ON(refcount_sub_and_test(ATM_SKB(skb)->acct_truesize, &sk->sk_wmem_alloc)); ++ atm_return_tx(vcc, skb); + dev_kfree_skb_any(skb); + sk->sk_write_space(sk); + } diff --git a/queue-5.4/drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch b/queue-5.4/drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch new file mode 100644 index 0000000000..ef7d5a8525 --- /dev/null +++ b/queue-5.4/drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch @@ -0,0 +1,47 @@ +From 50695153d7ddde3b1696dbf0085be0033bf3ddb3 Mon Sep 17 00:00:00 2001 +From: Andrew Morton +Date: Sat, 7 Jun 2025 17:43:18 -0700 +Subject: drivers/rapidio/rio_cm.c: prevent possible heap overwrite + +From: Andrew Morton + +commit 50695153d7ddde3b1696dbf0085be0033bf3ddb3 upstream. + +In + +riocm_cdev_ioctl(RIO_CM_CHAN_SEND) + -> cm_chan_msg_send() + -> riocm_ch_send() + +cm_chan_msg_send() checks that userspace didn't send too much data but +riocm_ch_send() failed to check that userspace sent sufficient data. The +result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr +which were outside the bounds of the space which cm_chan_msg_send() +allocated. + +Address this by teaching riocm_ch_send() to check that the entire +rio_ch_chan_hdr was copied in from userspace. + +Reported-by: maher azz +Cc: Matt Porter +Cc: Alexandre Bounine +Cc: Linus Torvalds +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rapidio/rio_cm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/rapidio/rio_cm.c ++++ b/drivers/rapidio/rio_cm.c +@@ -787,6 +787,9 @@ static int riocm_ch_send(u16 ch_id, void + if (buf == NULL || ch_id == 0 || len == 0 || len > RIO_MAX_MSG_SIZE) + return -EINVAL; + ++ if (len < sizeof(struct rio_ch_chan_hdr)) ++ return -EINVAL; /* insufficient data from user */ ++ + ch = riocm_get_channel(ch_id); + if (!ch) { + riocm_error("%s(%d) ch_%d not found", current->comm, diff --git a/queue-5.4/jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch b/queue-5.4/jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch new file mode 100644 index 0000000000..033863db01 --- /dev/null +++ b/queue-5.4/jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch @@ -0,0 +1,80 @@ +From 2b6d96503255a3ed676cd70f8368870c6d6a25c6 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Tue, 25 Mar 2025 19:32:13 +0300 +Subject: jffs2: check jffs2_prealloc_raw_node_refs() result in few other places + +From: Fedor Pchelkin + +commit 2b6d96503255a3ed676cd70f8368870c6d6a25c6 upstream. + +Fuzzing hit another invalid pointer dereference due to the lack of +checking whether jffs2_prealloc_raw_node_refs() completed successfully. +Subsequent logic implies that the node refs have been allocated. + +Handle that. The code is ready for propagating the error upwards. + +KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +CPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +RIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600 +Call Trace: + jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline] + jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118 + jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253 + jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167 + jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 + jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302 + generic_perform_write+0x2c2/0x500 mm/filemap.c:3347 + __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465 + generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497 + call_write_iter include/linux/fs.h:2039 [inline] + do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740 + do_iter_write+0x18c/0x710 fs/read_write.c:866 + vfs_writev+0x1db/0x6a0 fs/read_write.c:939 + do_pwritev fs/read_write.c:1036 [inline] + __do_sys_pwritev fs/read_write.c:1083 [inline] + __se_sys_pwritev fs/read_write.c:1078 [inline] + __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078 + do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x67/0xd1 + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 2f785402f39b ("[JFFS2] Reduce visibility of raw_node_ref to upper layers of JFFS2 code.") +Fixes: f560928baa60 ("[JFFS2] Allocate node_ref for wasted space when skipping to page boundary") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Reviewed-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + fs/jffs2/erase.c | 4 +++- + fs/jffs2/scan.c | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/jffs2/erase.c ++++ b/fs/jffs2/erase.c +@@ -427,7 +427,9 @@ static void jffs2_mark_erased_block(stru + .totlen = cpu_to_je32(c->cleanmarker_size) + }; + +- jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ ret = jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ if (ret) ++ goto filebad; + + marker.hdr_crc = cpu_to_je32(crc32(0, &marker, sizeof(struct jffs2_unknown_node)-4)); + +--- a/fs/jffs2/scan.c ++++ b/fs/jffs2/scan.c +@@ -256,7 +256,9 @@ int jffs2_scan_medium(struct jffs2_sb_in + + jffs2_dbg(1, "%s(): Skipping %d bytes in nextblock to ensure page alignment\n", + __func__, skip); +- jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); ++ ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); ++ if (ret) ++ goto out; + jffs2_scan_dirty_space(c, c->nextblock, skip); + } + #endif diff --git a/queue-5.4/jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch b/queue-5.4/jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch new file mode 100644 index 0000000000..ad59dd44de --- /dev/null +++ b/queue-5.4/jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch @@ -0,0 +1,87 @@ +From ec9e6f22bce433b260ea226de127ec68042849b0 Mon Sep 17 00:00:00 2001 +From: Artem Sadovnikov +Date: Fri, 7 Mar 2025 16:34:09 +0000 +Subject: jffs2: check that raw node were preallocated before writing summary + +From: Artem Sadovnikov + +commit ec9e6f22bce433b260ea226de127ec68042849b0 upstream. + +Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault +injection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't +check return value of jffs2_prealloc_raw_node_refs and simply lets any +error propagate into jffs2_sum_write_data, which eventually calls +jffs2_link_node_ref in order to link the summary to an expectedly allocated +node. + +kernel BUG at fs/jffs2/nodelist.c:592! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI +CPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +RIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592 +Call Trace: + + jffs2_sum_write_data fs/jffs2/summary.c:841 [inline] + jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874 + jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388 + jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197 + jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 + jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301 + generic_perform_write+0x314/0x5d0 mm/filemap.c:3856 + __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973 + generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005 + call_write_iter include/linux/fs.h:2265 [inline] + do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735 + do_iter_write+0x186/0x710 fs/read_write.c:861 + vfs_iter_write+0x70/0xa0 fs/read_write.c:902 + iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 + do_splice_from fs/splice.c:763 [inline] + direct_splice_actor+0x10c/0x170 fs/splice.c:950 + splice_direct_to_actor+0x337/0xa10 fs/splice.c:896 + do_splice_direct+0x1a9/0x280 fs/splice.c:1002 + do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 + __do_sys_sendfile64 fs/read_write.c:1323 [inline] + __se_sys_sendfile64 fs/read_write.c:1309 [inline] + __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +Fix this issue by checking return value of jffs2_prealloc_raw_node_refs +before calling jffs2_sum_write_data. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Cc: stable@vger.kernel.org +Fixes: 2f785402f39b ("[JFFS2] Reduce visibility of raw_node_ref to upper layers of JFFS2 code.") +Signed-off-by: Artem Sadovnikov +Reviewed-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + fs/jffs2/summary.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/jffs2/summary.c ++++ b/fs/jffs2/summary.c +@@ -858,7 +858,10 @@ int jffs2_sum_write_sumnode(struct jffs2 + spin_unlock(&c->erase_completion_lock); + + jeb = c->nextblock; +- jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ ret = jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ ++ if (ret) ++ goto out; + + if (!c->summary->sum_num || !c->summary->sum_list_head) { + JFFS2_WARNING("Empty summary info!!!\n"); +@@ -872,6 +875,8 @@ int jffs2_sum_write_sumnode(struct jffs2 + datasize += padsize; + + ret = jffs2_sum_write_data(c, jeb, infosize, datasize, padsize); ++ ++out: + spin_lock(&c->erase_completion_lock); + return ret; + } diff --git a/queue-5.4/scsi-s390-zfcp-ensure-synchronous-unit_add.patch b/queue-5.4/scsi-s390-zfcp-ensure-synchronous-unit_add.patch new file mode 100644 index 0000000000..43bc5a4f9a --- /dev/null +++ b/queue-5.4/scsi-s390-zfcp-ensure-synchronous-unit_add.patch @@ -0,0 +1,46 @@ +From 9697ca0d53e3db357be26d2414276143c4a2cd49 Mon Sep 17 00:00:00 2001 +From: Peter Oberparleiter +Date: Tue, 3 Jun 2025 20:21:56 +0200 +Subject: scsi: s390: zfcp: Ensure synchronous unit_add + +From: Peter Oberparleiter + +commit 9697ca0d53e3db357be26d2414276143c4a2cd49 upstream. + +Improve the usability of the unit_add sysfs attribute by ensuring that +the associated FCP LUN scan processing is completed synchronously. This +enables configuration tooling to consistently determine the end of the +scan process to allow for serialization of follow-on actions. + +While the scan process associated with unit_add typically completes +synchronously, it is deferred to an asynchronous background process if +unit_add is used before initial remote port scanning has completed. This +occurs when unit_add is used immediately after setting the associated FCP +device online. + +To ensure synchronous unit_add processing, wait for remote port scanning +to complete before initiating the FCP LUN scan. + +Cc: stable@vger.kernel.org +Reviewed-by: M Nikhil +Reviewed-by: Nihar Panda +Signed-off-by: Peter Oberparleiter +Signed-off-by: Nihar Panda +Link: https://lore.kernel.org/r/20250603182252.2287285-2-niharp@linux.ibm.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/scsi/zfcp_sysfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/s390/scsi/zfcp_sysfs.c ++++ b/drivers/s390/scsi/zfcp_sysfs.c +@@ -355,6 +355,8 @@ static ssize_t zfcp_sysfs_unit_add_store + if (kstrtoull(buf, 0, (unsigned long long *) &fcp_lun)) + return -EINVAL; + ++ flush_work(&port->rport_work); ++ + retval = zfcp_unit_add(port, fcp_lun); + if (retval) + return retval; diff --git a/queue-5.4/scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch b/queue-5.4/scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch new file mode 100644 index 0000000000..f8359810e4 --- /dev/null +++ b/queue-5.4/scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch @@ -0,0 +1,76 @@ +From b2f966568faaad326de97481096d0f3dc0971c43 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Fri, 6 Jun 2025 13:57:39 -0700 +Subject: scsi: storvsc: Increase the timeouts to storvsc_timeout + +From: Dexuan Cui + +commit b2f966568faaad326de97481096d0f3dc0971c43 upstream. + +Currently storvsc_timeout is only used in storvsc_sdev_configure(), and +5s and 10s are used elsewhere. It turns out that rarely the 5s is not +enough on Azure, so let's use storvsc_timeout everywhere. + +In case a timeout happens and storvsc_channel_init() returns an error, +close the VMBus channel so that any host-to-guest messages in the +channel's ringbuffer, which might come late, can be safely ignored. + +Add a "const" to storvsc_timeout. + +Cc: stable@kernel.org +Signed-off-by: Dexuan Cui +Link: https://lore.kernel.org/r/1749243459-10419-1-git-send-email-decui@microsoft.com +Reviewed-by: Long Li +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/storvsc_drv.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -393,7 +393,7 @@ MODULE_PARM_DESC(ring_avail_percent_lowa + /* + * Timeout in seconds for all devices managed by this driver. + */ +-static int storvsc_timeout = 180; ++static const int storvsc_timeout = 180; + + #if IS_ENABLED(CONFIG_SCSI_FC_ATTRS) + static struct scsi_transport_template *fc_transport_template; +@@ -707,7 +707,7 @@ static void handle_multichannel_storage + return; + } + +- t = wait_for_completion_timeout(&request->wait_event, 10*HZ); ++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ); + if (t == 0) { + dev_err(dev, "Failed to create sub-channel: timed out\n"); + return; +@@ -768,7 +768,7 @@ static int storvsc_execute_vstor_op(stru + if (ret != 0) + return ret; + +- t = wait_for_completion_timeout(&request->wait_event, 5*HZ); ++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ); + if (t == 0) + return -ETIMEDOUT; + +@@ -1200,6 +1200,8 @@ static int storvsc_connect_to_vsp(struct + return ret; + + ret = storvsc_channel_init(device, is_fc); ++ if (ret) ++ vmbus_close(device->channel); + + return ret; + } +@@ -1503,7 +1505,7 @@ static int storvsc_host_reset_handler(st + if (ret != 0) + return FAILED; + +- t = wait_for_completion_timeout(&request->wait_event, 5*HZ); ++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ); + if (t == 0) + return TIMEOUT_ERROR; + diff --git a/queue-5.4/selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch b/queue-5.4/selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch new file mode 100644 index 0000000000..4b2fa8ed3f --- /dev/null +++ b/queue-5.4/selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch @@ -0,0 +1,41 @@ +From 86c8db86af43f52f682e53a0f2f0828683be1e52 Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Fri, 13 Jun 2025 15:37:05 -0400 +Subject: selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stephen Smalley + +commit 86c8db86af43f52f682e53a0f2f0828683be1e52 upstream. + +We should count the terminating NUL byte as part of the ctx_len. +Otherwise, UBSAN logs a warning: + UBSAN: array-index-out-of-bounds in security/selinux/xfrm.c:99:14 + index 60 is out of range for type 'char [*]' + +The allocation itself is correct so there is no actual out of bounds +indexing, just a warning. + +Cc: stable@vger.kernel.org +Suggested-by: Christian Göttsche +Link: https://lore.kernel.org/selinux/CAEjxPJ6tA5+LxsGfOJokzdPeRomBHjKLBVR6zbrg+_w3ZZbM3A@mail.gmail.com/ +Signed-off-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/xfrm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/selinux/xfrm.c ++++ b/security/selinux/xfrm.c +@@ -95,7 +95,7 @@ static int selinux_xfrm_alloc_user(struc + + ctx->ctx_doi = XFRM_SC_DOI_LSM; + ctx->ctx_alg = XFRM_SC_ALG_SELINUX; +- ctx->ctx_len = str_len; ++ ctx->ctx_len = str_len + 1; + memcpy(ctx->ctx_str, &uctx[1], str_len); + ctx->ctx_str[str_len] = '\0'; + rc = security_context_to_sid(&selinux_state, ctx->ctx_str, str_len, diff --git a/queue-5.4/series b/queue-5.4/series index 54c28c4771..271264ae93 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -186,3 +186,10 @@ platform-add-surface-platform-directory.patch platform-x86-dell_rbu-stop-overwriting-data-buffer.patch powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch revert-x86-bugs-make-spectre-user-default-depend-on-mitigation_spectre_v2-on-v6.6-and-older.patch +drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch +jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch +jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch +scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch +scsi-s390-zfcp-ensure-synchronous-unit_add.patch +selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch +atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch