From 1651dfa2962250a0dc3e2287bde643fc1374be3a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 15 Oct 2025 12:46:05 +0200 Subject: [PATCH] 6.1-stable patches added patches: fs-always-return-zero-on-success-from-replace_fd.patch fscontext-do-not-consume-log-entries-when-returning-emsgsize.patch series --- ...turn-zero-on-success-from-replace_fd.patch | 48 +++++++ ...-log-entries-when-returning-emsgsize.patch | 121 ++++++++++++++++++ queue-6.1/series | 2 + 3 files changed, 171 insertions(+) create mode 100644 queue-6.1/fs-always-return-zero-on-success-from-replace_fd.patch create mode 100644 queue-6.1/fscontext-do-not-consume-log-entries-when-returning-emsgsize.patch create mode 100644 queue-6.1/series diff --git a/queue-6.1/fs-always-return-zero-on-success-from-replace_fd.patch b/queue-6.1/fs-always-return-zero-on-success-from-replace_fd.patch new file mode 100644 index 0000000000..9424794107 --- /dev/null +++ b/queue-6.1/fs-always-return-zero-on-success-from-replace_fd.patch @@ -0,0 +1,48 @@ +From 708c04a5c2b78e22f56e2350de41feba74dfccd9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Tue, 5 Aug 2025 14:38:08 +0200 +Subject: fs: always return zero on success from replace_fd() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 708c04a5c2b78e22f56e2350de41feba74dfccd9 upstream. + +replace_fd() returns the number of the new file descriptor through the +return value of do_dup2(). However its callers never care about the +specific returned number. In fact the caller in receive_fd_replace() treats +any non-zero return value as an error and therefore never calls +__receive_sock() for most file descriptors, which is a bug. + +To fix the bug in receive_fd_replace() and to avoid the same issue +happening in future callers, signal success through a plain zero. + +Suggested-by: Al Viro +Link: https://lore.kernel.org/lkml/20250801220215.GS222315@ZenIV/ +Fixes: 173817151b15 ("fs: Expand __receive_fd() to accept existing fd") +Fixes: 42eb0d54c08a ("fs: split receive_fd_replace from __receive_fd") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Weißschuh +Link: https://lore.kernel.org/20250805-fix-receive_fd_replace-v3-1-b72ba8b34bac@linutronix.de +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/file.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/file.c ++++ b/fs/file.c +@@ -1136,7 +1136,10 @@ int replace_fd(unsigned fd, struct file + err = expand_files(files, fd); + if (unlikely(err < 0)) + goto out_unlock; +- return do_dup2(files, file, fd, flags); ++ err = do_dup2(files, file, fd, flags); ++ if (err < 0) ++ return err; ++ return 0; + + out_unlock: + spin_unlock(&files->file_lock); diff --git a/queue-6.1/fscontext-do-not-consume-log-entries-when-returning-emsgsize.patch b/queue-6.1/fscontext-do-not-consume-log-entries-when-returning-emsgsize.patch new file mode 100644 index 0000000000..80edfb9696 --- /dev/null +++ b/queue-6.1/fscontext-do-not-consume-log-entries-when-returning-emsgsize.patch @@ -0,0 +1,121 @@ +From 72d271a7baa7062cb27e774ac37c5459c6d20e22 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Thu, 7 Aug 2025 03:55:23 +1000 +Subject: fscontext: do not consume log entries when returning -EMSGSIZE + +From: Aleksa Sarai + +commit 72d271a7baa7062cb27e774ac37c5459c6d20e22 upstream. + +Userspace generally expects APIs that return -EMSGSIZE to allow for them +to adjust their buffer size and retry the operation. However, the +fscontext log would previously clear the message even in the -EMSGSIZE +case. + +Given that it is very cheap for us to check whether the buffer is too +small before we remove the message from the ring buffer, let's just do +that instead. While we're at it, refactor some fscontext_read() into a +separate helper to make the ring buffer logic a bit easier to read. + +Fixes: 007ec26cdc9f ("vfs: Implement logging through fs_context") +Cc: David Howells +Cc: stable@vger.kernel.org # v5.2+ +Signed-off-by: Aleksa Sarai +Link: https://lore.kernel.org/20250807-fscontext-log-cleanups-v3-1-8d91d6242dc3@cyphar.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/fsopen.c | 70 ++++++++++++++++++++++++++++++++---------------------------- + 1 file changed, 38 insertions(+), 32 deletions(-) + +--- a/fs/fsopen.c ++++ b/fs/fsopen.c +@@ -18,50 +18,56 @@ + #include "internal.h" + #include "mount.h" + ++static inline const char *fetch_message_locked(struct fc_log *log, size_t len, ++ bool *need_free) ++{ ++ const char *p; ++ int index; ++ ++ if (unlikely(log->head == log->tail)) ++ return ERR_PTR(-ENODATA); ++ ++ index = log->tail & (ARRAY_SIZE(log->buffer) - 1); ++ p = log->buffer[index]; ++ if (unlikely(strlen(p) > len)) ++ return ERR_PTR(-EMSGSIZE); ++ ++ log->buffer[index] = NULL; ++ *need_free = log->need_free & (1 << index); ++ log->need_free &= ~(1 << index); ++ log->tail++; ++ ++ return p; ++} ++ + /* + * Allow the user to read back any error, warning or informational messages. ++ * Only one message is returned for each read(2) call. + */ + static ssize_t fscontext_read(struct file *file, + char __user *_buf, size_t len, loff_t *pos) + { + struct fs_context *fc = file->private_data; +- struct fc_log *log = fc->log.log; +- unsigned int logsize = ARRAY_SIZE(log->buffer); +- ssize_t ret; +- char *p; ++ ssize_t err; ++ const char *p __free(kfree) = NULL, *message; + bool need_free; +- int index, n; +- +- ret = mutex_lock_interruptible(&fc->uapi_mutex); +- if (ret < 0) +- return ret; +- +- if (log->head == log->tail) { +- mutex_unlock(&fc->uapi_mutex); +- return -ENODATA; +- } ++ int n; + +- index = log->tail & (logsize - 1); +- p = log->buffer[index]; +- need_free = log->need_free & (1 << index); +- log->buffer[index] = NULL; +- log->need_free &= ~(1 << index); +- log->tail++; ++ err = mutex_lock_interruptible(&fc->uapi_mutex); ++ if (err < 0) ++ return err; ++ message = fetch_message_locked(fc->log.log, len, &need_free); + mutex_unlock(&fc->uapi_mutex); ++ if (IS_ERR(message)) ++ return PTR_ERR(message); + +- ret = -EMSGSIZE; +- n = strlen(p); +- if (n > len) +- goto err_free; +- ret = -EFAULT; +- if (copy_to_user(_buf, p, n) != 0) +- goto err_free; +- ret = n; +- +-err_free: + if (need_free) +- kfree(p); +- return ret; ++ p = message; ++ ++ n = strlen(message); ++ if (copy_to_user(_buf, message, n)) ++ return -EFAULT; ++ return n; + } + + static int fscontext_release(struct inode *inode, struct file *file) diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 0000000000..04bfff757d --- /dev/null +++ b/queue-6.1/series @@ -0,0 +1,2 @@ +fs-always-return-zero-on-success-from-replace_fd.patch +fscontext-do-not-consume-log-entries-when-returning-emsgsize.patch -- 2.47.3