From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 23 May 2026 09:23:41 +0000 (+0200)
Subject: 6.18-stable patches
X-Git-Tag: v6.6.141~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6bd758b0e9d88c2c83aa646e709c8290a4b8c5a;p=thirdparty%2Fkernel%2Fstable-queue.git

6.18-stable patches

added patches:
	netfs-fix-potential-uninitialised-var-in-netfs_extract_user_iter.patch
---

diff --git a/queue-6.18/netfs-fix-potential-uninitialised-var-in-netfs_extract_user_iter.patch b/queue-6.18/netfs-fix-potential-uninitialised-var-in-netfs_extract_user_iter.patch
new file mode 100644
index 0000000000..99b77bea07
--- /dev/null
+++ b/queue-6.18/netfs-fix-potential-uninitialised-var-in-netfs_extract_user_iter.patch
@@ -0,0 +1,41 @@
+From 7e3d8db899d54af39fafb2eb3392b0cdae9973b5 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 12 May 2026 13:33:45 +0100
+Subject: netfs: Fix potential uninitialised var in netfs_extract_user_iter()
+
+From: David Howells <dhowells@redhat.com>
+
+commit 7e3d8db899d54af39fafb2eb3392b0cdae9973b5 upstream.
+
+In netfs_extract_user_iter(), if it's given a zero-length iterator, it will
+fall through the loop without setting ret, and so the error handling
+behaviour will be undefined, depending on whether ret happens to be
+negative.  The value of ret then propagates back up the callstack.
+
+Fix this by presetting ret to 0.
+
+Fixes: 85dd2c8ff368 ("netfs: Add a function to extract a UBUF or IOVEC into a BVEC iterator")
+Closes: https://sashiko.dev/#/patchset/20260414082004.3756080-1-dhowells%40redhat.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://patch.msgid.link/20260512123404.719402-9-dhowells@redhat.com
+cc: Paulo Alcantara <pc@manguebit.org>
+cc: Matthew Wilcox <willy@infradead.org>
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/netfs/iterator.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/netfs/iterator.c
++++ b/fs/netfs/iterator.c
+@@ -43,7 +43,7 @@ ssize_t netfs_extract_user_iter(struct i
+ 	unsigned int max_pages;
+ 	unsigned int npages = 0;
+ 	unsigned int i;
+-	ssize_t ret;
++	ssize_t ret = 0;
+ 	size_t count = orig_len, offset, len;
+ 	size_t bv_size, pg_size;
+ 
diff --git a/queue-6.18/series b/queue-6.18/series
index 6b375bd8aa..eed89119b6 100644
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -948,3 +948,4 @@ net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch
 net-skbuff-preserve-shared-frag-marker-during-coalescing.patch
 net-skbuff-propagate-shared-frag-marker-through-frag-transfer-helpers.patch
 selftests-bpf-remove-test_access_variable_array.patch
+netfs-fix-potential-uninitialised-var-in-netfs_extract_user_iter.patch