From: Greg Kroah-Hartman Date: Wed, 20 Nov 2024 12:55:43 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.12.1~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=918b3b0148343e6faae6814ba449b31fbb8f564c;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: char-xillybus-fix-trivial-bug-with-mutex.patch net-make-copy_safe_from_sockptr-match-documentation.patch --- diff --git a/queue-6.1/char-xillybus-fix-trivial-bug-with-mutex.patch b/queue-6.1/char-xillybus-fix-trivial-bug-with-mutex.patch new file mode 100644 index 00000000000..2f9dd5606f3 --- /dev/null +++ b/queue-6.1/char-xillybus-fix-trivial-bug-with-mutex.patch @@ -0,0 +1,45 @@ +From c002f04c0bc79ec00d4beb75fb631d5bf37419bd Mon Sep 17 00:00:00 2001 +From: Eli Billauer +Date: Thu, 17 Nov 2022 09:18:25 +0200 +Subject: char: xillybus: Fix trivial bug with mutex + +From: Eli Billauer + +commit c002f04c0bc79ec00d4beb75fb631d5bf37419bd upstream. + +@unit_mutex protects @unit from being freed, so obviously it should be +released after @unit is used, and not before. + +This is a follow-up to commit 282a4b71816b ("char: xillybus: Prevent +use-after-free due to race condition") which ensures, among others, the +protection of @private_data after @unit_mutex has been released. + +Reported-by: Hyunwoo Kim +Signed-off-by: Eli Billauer +Link: https://lore.kernel.org/r/20221117071825.3942-1-eli.billauer@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/xillybus/xillybus_class.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/char/xillybus/xillybus_class.c ++++ b/drivers/char/xillybus/xillybus_class.c +@@ -227,14 +227,15 @@ int xillybus_find_inode(struct inode *in + break; + } + +- mutex_unlock(&unit_mutex); +- +- if (!unit) ++ if (!unit) { ++ mutex_unlock(&unit_mutex); + return -ENODEV; ++ } + + *private_data = unit->private_data; + *index = minor - unit->lowest_minor; + ++ mutex_unlock(&unit_mutex); + return 0; + } + EXPORT_SYMBOL(xillybus_find_inode); diff --git a/queue-6.1/net-make-copy_safe_from_sockptr-match-documentation.patch b/queue-6.1/net-make-copy_safe_from_sockptr-match-documentation.patch new file mode 100644 index 00000000000..14cd7f787ca --- /dev/null +++ b/queue-6.1/net-make-copy_safe_from_sockptr-match-documentation.patch @@ -0,0 +1,42 @@ +From eb94b7bb10109a14a5431a67e5d8e31cfa06b395 Mon Sep 17 00:00:00 2001 +From: Michal Luczaj +Date: Mon, 11 Nov 2024 00:17:34 +0100 +Subject: net: Make copy_safe_from_sockptr() match documentation + +From: Michal Luczaj + +commit eb94b7bb10109a14a5431a67e5d8e31cfa06b395 upstream. + +copy_safe_from_sockptr() + return copy_from_sockptr() + return copy_from_sockptr_offset() + return copy_from_user() + +copy_from_user() does not return an error on fault. Instead, it returns a +number of bytes that were not copied. Have it handled. + +Patch has a side effect: it un-breaks garbage input handling of +nfc_llcp_setsockopt() and mISDN's data_sock_setsockopt(). + +Fixes: 6309863b31dd ("net: add copy_safe_from_sockptr() helper") +Signed-off-by: Michal Luczaj +Link: https://patch.msgid.link/20241111-sockptr-copy-ret-fix-v1-1-a520083a93fb@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sockptr.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/include/linux/sockptr.h ++++ b/include/linux/sockptr.h +@@ -77,7 +77,9 @@ static inline int copy_safe_from_sockptr + { + if (optlen < ksize) + return -EINVAL; +- return copy_from_sockptr(dst, optval, ksize); ++ if (copy_from_sockptr(dst, optval, ksize)) ++ return -EFAULT; ++ return 0; + } + + static inline int copy_to_sockptr_offset(sockptr_t dst, size_t offset, diff --git a/queue-6.1/series b/queue-6.1/series index 6f3cc6ba76b..0a992cda082 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -69,3 +69,5 @@ null_blk-remove-usage-of-the-deprecated-ida_simple_xx-api.patch null_blk-fix-null-ptr-dereference-while-configuring-power-and-submit_queues.patch null_blk-fix-return-value-of-nullb_device_power_store.patch parisc-fix-a-possible-dma-corruption.patch +char-xillybus-fix-trivial-bug-with-mutex.patch +net-make-copy_safe_from_sockptr-match-documentation.patch