From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 15 Nov 2024 06:08:56 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v4.19.324~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=318c79df7e40e03b9531c304a4463dc900d285af;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	9p-fix-slab-cache-name-creation-for-real.patch
---

diff --git a/queue-6.1/9p-fix-slab-cache-name-creation-for-real.patch b/queue-6.1/9p-fix-slab-cache-name-creation-for-real.patch
new file mode 100644
index 00000000000..5b9410d99c6
--- /dev/null
+++ b/queue-6.1/9p-fix-slab-cache-name-creation-for-real.patch
@@ -0,0 +1,49 @@
+From a360f311f57a36e96d88fa8086b749159714dcd2 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 21 Oct 2024 11:57:38 -0700
+Subject: 9p: fix slab cache name creation for real
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a360f311f57a36e96d88fa8086b749159714dcd2 upstream.
+
+This was attempted by using the dev_name in the slab cache name, but as
+Omar Sandoval pointed out, that can be an arbitrary string, eg something
+like "/dev/root".  Which in turn trips verify_dirent_name(), which fails
+if a filename contains a slash.
+
+So just make it use a sequence counter, and make it an atomic_t to avoid
+any possible races or locking issues.
+
+Reported-and-tested-by: Omar Sandoval <osandov@fb.com>
+Link: https://lore.kernel.org/all/ZxafcO8KWMlXaeWE@telecaster.dhcp.thefacebook.com/
+Fixes: 79efebae4afc ("9p: Avoid creating multiple slab caches with the same name")
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Dominique Martinet <asmadeus@codewreck.org>
+Cc: Thorsten Leemhuis <regressions@leemhuis.info>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/client.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -967,6 +967,7 @@ error:
+ struct p9_client *p9_client_create(const char *dev_name, char *options)
+ {
+ 	int err;
++	static atomic_t seqno = ATOMIC_INIT(0);
+ 	struct p9_client *clnt;
+ 	char *client_id;
+ 	char *cache_name;
+@@ -1027,7 +1028,8 @@ struct p9_client *p9_client_create(const
+ 	if (err)
+ 		goto close_trans;
+ 
+-	cache_name = kasprintf(GFP_KERNEL, "9p-fcall-cache-%s", dev_name);
++	cache_name = kasprintf(GFP_KERNEL,
++		"9p-fcall-cache-%u", atomic_inc_return(&seqno));
+ 	if (!cache_name) {
+ 		err = -ENOMEM;
+ 		goto close_trans;
diff --git a/queue-6.1/series b/queue-6.1/series
index 399cffd6080..1e6fdf79719 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -36,3 +36,4 @@ bluetooth-l2cap-fix-uaf-in-l2cap_connect.patch
 mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch
 platform-x86-x86-android-tablets-fix-use-after-free-on-platform_device_register-errors.patch
 fs-ntfs3-fix-general-protection-fault-in-run_is_mapped_full.patch
+9p-fix-slab-cache-name-creation-for-real.patch