From: Greg Kroah-Hartman Date: Wed, 15 Oct 2025 10:45:54 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.15.195~122 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=af05cfc2ef65b9328ae6cb2044a53d501bb57b55;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: fs-always-return-zero-on-success-from-replace_fd.patch --- diff --git a/queue-5.15/fs-always-return-zero-on-success-from-replace_fd.patch b/queue-5.15/fs-always-return-zero-on-success-from-replace_fd.patch new file mode 100644 index 0000000000..accf89b164 --- /dev/null +++ b/queue-5.15/fs-always-return-zero-on-success-from-replace_fd.patch 
@@ -0,0 +1,48 @@ +From 708c04a5c2b78e22f56e2350de41feba74dfccd9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Tue, 5 Aug 2025 14:38:08 +0200 +Subject: fs: always return zero on success from replace_fd() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 708c04a5c2b78e22f56e2350de41feba74dfccd9 upstream. + +replace_fd() returns the number of the new file descriptor through the +return value of do_dup2(). However its callers never care about the +specific returned number. In fact the caller in receive_fd_replace() treats +any non-zero return value as an error and therefore never calls +__receive_sock() for most file descriptors, which is a bug. + +To fix the bug in receive_fd_replace() and to avoid the same issue +happening in future callers, signal success through a plain zero. + +Suggested-by: Al Viro +Link: https://lore.kernel.org/lkml/20250801220215.GS222315@ZenIV/ +Fixes: 173817151b15 ("fs: Expand __receive_fd() to accept existing fd") +Fixes: 42eb0d54c08a ("fs: split receive_fd_replace from __receive_fd") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Weißschuh +Link: https://lore.kernel.org/20250805-fix-receive_fd_replace-v3-1-b72ba8b34bac@linutronix.de +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/file.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/file.c ++++ b/fs/file.c +@@ -1154,7 +1154,10 @@ int replace_fd(unsigned fd, struct file + err = expand_files(files, fd); + if (unlikely(err < 0)) + goto out_unlock; +- return do_dup2(files, file, fd, flags); ++ err = do_dup2(files, file, fd, flags); ++ if (err < 0) ++ return err; ++ return 0; + + out_unlock: + spin_unlock(&files->file_lock); diff --git a/queue-5.15/series b/queue-5.15/series index fd80aa2fda..326f72da94 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -117,3 +117,4 @@ input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch bus-fsl-mc-check-return-value-of-platform_get_resource.patch usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch +fs-always-return-zero-on-success-from-replace_fd.patch
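Review bot: In the fs/file.c hunk, the new `if (err < 0) return err;` and `return 0;` both leave replace_fd() without passing through `out_unlock:`, so they are correct only if do_dup2() has already dropped `files->file_lock` on every path, which the removed `return do_dup2(files, file, fd, flags);` relied on as well. A short comment at that spot stating that do_dup2() releases the lock would keep a later reader from routing these returns through the unlock label. The commit message says the aim is to protect future callers, yet nothing in the visible lines documents the new contract, so a comment above replace_fd() saying it returns zero on success and a negative errno on failure would be worth adding. The three added lines could also be shortened to `return err < 0 ? err : 0;` if a more compact form is preferred.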