From: Sasha Levin <sashal@kernel.org>
Date: Sun, 15 Jun 2025 22:47:46 +0000 (-0400)
Subject: Fixes for 5.4
X-Git-Tag: v6.6.94~52
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=55826a954e15c6d164439dfd2713687243cf5c89;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/queue-5.4/fs-filesystems-fix-potential-unsigned-integer-underf.patch b/queue-5.4/fs-filesystems-fix-potential-unsigned-integer-underf.patch
new file mode 100644
index 0000000000..e3d8db24b7
--- /dev/null
+++ b/queue-5.4/fs-filesystems-fix-potential-unsigned-integer-underf.patch
@@ -0,0 +1,55 @@
+From 705ee915b9f1ddd04f310af4702d8858b246851d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 19:45:27 +0800
+Subject: fs/filesystems: Fix potential unsigned integer underflow in fs_name()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+[ Upstream commit 1363c134ade81e425873b410566e957fecebb261 ]
+
+fs_name() has @index as unsigned int, so there is underflow risk for
+operation '@index--'.
+
+Fix by breaking the for loop when '@index == 0' which is also more proper
+than '@index <= 0' for unsigned integer comparison.
+
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/20250410-fix_fs-v1-1-7c14ccc8ebaa@quicinc.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/filesystems.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/fs/filesystems.c b/fs/filesystems.c
+index 5e1a190133738..148073e372acd 100644
+--- a/fs/filesystems.c
++++ b/fs/filesystems.c
+@@ -155,15 +155,19 @@ static int fs_index(const char __user * __name)
+ static int fs_name(unsigned int index, char __user * buf)
+ {
+ 	struct file_system_type * tmp;
+-	int len, res;
++	int len, res = -EINVAL;
+ 
+ 	read_lock(&file_systems_lock);
+-	for (tmp = file_systems; tmp; tmp = tmp->next, index--)
+-		if (index <= 0 && try_module_get(tmp->owner))
++	for (tmp = file_systems; tmp; tmp = tmp->next, index--) {
++		if (index == 0) {
++			if (try_module_get(tmp->owner))
++				res = 0;
+ 			break;
++		}
++	}
+ 	read_unlock(&file_systems_lock);
+-	if (!tmp)
+-		return -EINVAL;
++	if (res)
++		return res;
+ 
+ 	/* OK, we got the reference, so we can safely block */
+ 	len = strlen(tmp->name) + 1;
+-- 
+2.39.5
+
diff --git a/queue-5.4/series b/queue-5.4/series
index b7ff9d3086..bb11149552 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -91,3 +91,4 @@ sch_ets-make-est_qlen_notify-idempotent.patch
 net_sched-ets-fix-a-race-in-ets_qdisc_change.patch
 net-mdio-c22-is-now-optional-eopnotsupp-if-not-provi.patch
 net-mdiobus-fix-potential-out-of-bounds-read-write-a.patch
+fs-filesystems-fix-potential-unsigned-integer-underf.patch