From: Greg Kroah-Hartman Date: Tue, 25 Jul 2023 10:28:31 +0000 (+0200) Subject: drop can-raw-fix-receiver-memory-leak.patch from all queues X-Git-Tag: v5.4.251~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c52b963432d66fc0bcf674ceb2e93f4ded6f450a;p=thirdparty%2Fkernel%2Fstable-queue.git drop can-raw-fix-receiver-memory-leak.patch from all queues --- diff --git a/queue-5.15/can-raw-fix-receiver-memory-leak.patch b/queue-5.15/can-raw-fix-receiver-memory-leak.patch deleted file mode 100644 index ba3f572bed9..00000000000 --- a/queue-5.15/can-raw-fix-receiver-memory-leak.patch +++ /dev/null @@ -1,233 +0,0 @@ -From ee8b94c8510ce64afe0b87ef548d23e00915fb10 Mon Sep 17 00:00:00 2001 -From: Ziyang Xuan -Date: Tue, 11 Jul 2023 09:17:37 +0800 -Subject: can: raw: fix receiver memory leak - -From: Ziyang Xuan - -commit ee8b94c8510ce64afe0b87ef548d23e00915fb10 upstream. - -Got kmemleak errors with the following ltp can_filter testcase: - -for ((i=1; i<=100; i++)) -do - ./can_filter & - sleep 0.1 -done - -============================================================== -[<00000000db4a4943>] can_rx_register+0x147/0x360 [can] -[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw] -[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0 -[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70 -[<00000000fd468496>] do_syscall_64+0x33/0x40 -[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 - -It's a bug in the concurrent scenario of unregister_netdevice_many() -and raw_release() as following: - - cpu0 cpu1 -unregister_netdevice_many(can_dev) - unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this - net_set_todo(can_dev) - raw_release(can_socket) - dev = dev_get_by_index(, ro->ifindex); // dev == NULL - if (dev) { // receivers in dev_rcv_lists not free because dev is NULL - raw_disable_allfilters(, dev, ); - dev_put(dev); - } - ... - ro->bound = 0; - ... - -call_netdevice_notifiers(NETDEV_UNREGISTER, ) - raw_notify(, NETDEV_UNREGISTER, ) - if (ro->bound) // invalid because ro->bound has been set 0 - raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed - -Add a net_device pointer member in struct raw_sock to record bound -can_dev, and use rtnl_lock to serialize raw_socket members between -raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use -ro->dev to decide whether to free receivers in dev_rcv_lists. - -Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier") -Reviewed-by: Oliver Hartkopp -Acked-by: Oliver Hartkopp -Signed-off-by: Ziyang Xuan -Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com -Cc: stable@vger.kernel.org -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Greg Kroah-Hartman ---- - net/can/raw.c | 57 ++++++++++++++++++++++++--------------------------------- - 1 file changed, 24 insertions(+), 33 deletions(-) - ---- a/net/can/raw.c -+++ b/net/can/raw.c -@@ -83,6 +83,7 @@ struct raw_sock { - struct sock sk; - int bound; - int ifindex; -+ struct net_device *dev; - struct list_head notifier; - int loopback; - int recv_own_msgs; -@@ -275,7 +276,7 @@ static void raw_notify(struct raw_sock * - if (!net_eq(dev_net(dev), sock_net(sk))) - return; - -- if (ro->ifindex != dev->ifindex) -+ if (ro->dev != dev) - return; - - switch (msg) { -@@ -290,6 +291,7 @@ static void raw_notify(struct raw_sock * - - ro->ifindex = 0; - ro->bound = 0; -+ ro->dev = NULL; - ro->count = 0; - release_sock(sk); - -@@ -335,6 +337,7 @@ static int raw_init(struct sock *sk) - - ro->bound = 0; - ro->ifindex = 0; -+ ro->dev = NULL; - - /* set default filter to single entry dfilter */ - ro->dfilter.can_id = 0; -@@ -382,19 +385,13 @@ static int raw_release(struct socket *so - - lock_sock(sk); - -+ rtnl_lock(); - /* remove current filters & unregister */ - if (ro->bound) { -- if (ro->ifindex) { -- struct net_device *dev; -- -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (dev) { -- raw_disable_allfilters(dev_net(dev), dev, sk); -- dev_put(dev); -- } -- } else { -+ if (ro->dev) -+ raw_disable_allfilters(dev_net(ro->dev), ro->dev, sk); -+ else - raw_disable_allfilters(sock_net(sk), NULL, sk); -- } - } - - if (ro->count > 1) -@@ -402,8 +399,10 @@ static int raw_release(struct socket *so - - ro->ifindex = 0; - ro->bound = 0; -+ ro->dev = NULL; - ro->count = 0; - free_percpu(ro->uniq); -+ rtnl_unlock(); - - sock_orphan(sk); - sock->sk = NULL; -@@ -419,6 +418,7 @@ static int raw_bind(struct socket *sock, - struct sockaddr_can *addr = (struct sockaddr_can *)uaddr; - struct sock *sk = sock->sk; - struct raw_sock *ro = raw_sk(sk); -+ struct net_device *dev = NULL; - int ifindex; - int err = 0; - int notify_enetdown = 0; -@@ -428,14 +428,13 @@ static int raw_bind(struct socket *sock, - if (addr->can_family != AF_CAN) - return -EINVAL; - -+ rtnl_lock(); - lock_sock(sk); - - if (ro->bound && addr->can_ifindex == ro->ifindex) - goto out; - - if (addr->can_ifindex) { -- struct net_device *dev; -- - dev = dev_get_by_index(sock_net(sk), addr->can_ifindex); - if (!dev) { - err = -ENODEV; -@@ -464,26 +463,20 @@ static int raw_bind(struct socket *sock, - if (!err) { - if (ro->bound) { - /* unregister old filters */ -- if (ro->ifindex) { -- struct net_device *dev; -- -- dev = dev_get_by_index(sock_net(sk), -- ro->ifindex); -- if (dev) { -- raw_disable_allfilters(dev_net(dev), -- dev, sk); -- dev_put(dev); -- } -- } else { -+ if (ro->dev) -+ raw_disable_allfilters(dev_net(ro->dev), -+ ro->dev, sk); -+ else - raw_disable_allfilters(sock_net(sk), NULL, sk); -- } - } - ro->ifindex = ifindex; - ro->bound = 1; -+ ro->dev = dev; - } - - out: - release_sock(sk); -+ rtnl_unlock(); - - if (notify_enetdown) { - sk->sk_err = ENETDOWN; -@@ -549,9 +542,9 @@ static int raw_setsockopt(struct socket - rtnl_lock(); - lock_sock(sk); - -- if (ro->bound && ro->ifindex) { -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (!dev) { -+ dev = ro->dev; -+ if (ro->bound && dev) { -+ if (dev->reg_state != NETREG_REGISTERED) { - if (count > 1) - kfree(filter); - err = -ENODEV; -@@ -592,7 +585,6 @@ static int raw_setsockopt(struct socket - ro->count = count; - - out_fil: -- dev_put(dev); - release_sock(sk); - rtnl_unlock(); - -@@ -610,9 +602,9 @@ static int raw_setsockopt(struct socket - rtnl_lock(); - lock_sock(sk); - -- if (ro->bound && ro->ifindex) { -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (!dev) { -+ dev = ro->dev; -+ if (ro->bound && dev) { -+ if (dev->reg_state != NETREG_REGISTERED) { - err = -ENODEV; - goto out_err; - } -@@ -636,7 +628,6 @@ static int raw_setsockopt(struct socket - ro->err_mask = err_mask; - - out_err: -- dev_put(dev); - release_sock(sk); - rtnl_unlock(); - diff --git a/queue-5.15/series b/queue-5.15/series index 4d2cf93273f..c03630a6c7e 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -11,7 +11,6 @@ selftests-tc-set-timeout-to-15-minutes.patch selftests-tc-add-ct-action-kconfig-dep.patch regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch regmap-account-for-register-length-in-smbus-i-o-limits.patch -can-raw-fix-receiver-memory-leak.patch can-bcm-fix-uaf-in-bcm_proc_show.patch selftests-tc-add-conntrack-procfs-kconfig.patch drm-client-fix-memory-leak-in-drm_client_target_cloned.patch diff --git a/queue-6.1/can-raw-fix-receiver-memory-leak.patch b/queue-6.1/can-raw-fix-receiver-memory-leak.patch deleted file mode 100644 index 26a08c5711e..00000000000 --- a/queue-6.1/can-raw-fix-receiver-memory-leak.patch +++ /dev/null @@ -1,233 +0,0 @@ -From ee8b94c8510ce64afe0b87ef548d23e00915fb10 Mon Sep 17 00:00:00 2001 -From: Ziyang Xuan -Date: Tue, 11 Jul 2023 09:17:37 +0800 -Subject: can: raw: fix receiver memory leak - -From: Ziyang Xuan - -commit ee8b94c8510ce64afe0b87ef548d23e00915fb10 upstream. - -Got kmemleak errors with the following ltp can_filter testcase: - -for ((i=1; i<=100; i++)) -do - ./can_filter & - sleep 0.1 -done - -============================================================== -[<00000000db4a4943>] can_rx_register+0x147/0x360 [can] -[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw] -[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0 -[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70 -[<00000000fd468496>] do_syscall_64+0x33/0x40 -[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 - -It's a bug in the concurrent scenario of unregister_netdevice_many() -and raw_release() as following: - - cpu0 cpu1 -unregister_netdevice_many(can_dev) - unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this - net_set_todo(can_dev) - raw_release(can_socket) - dev = dev_get_by_index(, ro->ifindex); // dev == NULL - if (dev) { // receivers in dev_rcv_lists not free because dev is NULL - raw_disable_allfilters(, dev, ); - dev_put(dev); - } - ... - ro->bound = 0; - ... - -call_netdevice_notifiers(NETDEV_UNREGISTER, ) - raw_notify(, NETDEV_UNREGISTER, ) - if (ro->bound) // invalid because ro->bound has been set 0 - raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed - -Add a net_device pointer member in struct raw_sock to record bound -can_dev, and use rtnl_lock to serialize raw_socket members between -raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use -ro->dev to decide whether to free receivers in dev_rcv_lists. - -Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier") -Reviewed-by: Oliver Hartkopp -Acked-by: Oliver Hartkopp -Signed-off-by: Ziyang Xuan -Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com -Cc: stable@vger.kernel.org -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Greg Kroah-Hartman ---- - net/can/raw.c | 57 ++++++++++++++++++++++++--------------------------------- - 1 file changed, 24 insertions(+), 33 deletions(-) - ---- a/net/can/raw.c -+++ b/net/can/raw.c -@@ -84,6 +84,7 @@ struct raw_sock { - struct sock sk; - int bound; - int ifindex; -+ struct net_device *dev; - struct list_head notifier; - int loopback; - int recv_own_msgs; -@@ -277,7 +278,7 @@ static void raw_notify(struct raw_sock * - if (!net_eq(dev_net(dev), sock_net(sk))) - return; - -- if (ro->ifindex != dev->ifindex) -+ if (ro->dev != dev) - return; - - switch (msg) { -@@ -292,6 +293,7 @@ static void raw_notify(struct raw_sock * - - ro->ifindex = 0; - ro->bound = 0; -+ ro->dev = NULL; - ro->count = 0; - release_sock(sk); - -@@ -337,6 +339,7 @@ static int raw_init(struct sock *sk) - - ro->bound = 0; - ro->ifindex = 0; -+ ro->dev = NULL; - - /* set default filter to single entry dfilter */ - ro->dfilter.can_id = 0; -@@ -385,19 +388,13 @@ static int raw_release(struct socket *so - - lock_sock(sk); - -+ rtnl_lock(); - /* remove current filters & unregister */ - if (ro->bound) { -- if (ro->ifindex) { -- struct net_device *dev; -- -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (dev) { -- raw_disable_allfilters(dev_net(dev), dev, sk); -- dev_put(dev); -- } -- } else { -+ if (ro->dev) -+ raw_disable_allfilters(dev_net(ro->dev), ro->dev, sk); -+ else - raw_disable_allfilters(sock_net(sk), NULL, sk); -- } - } - - if (ro->count > 1) -@@ -405,8 +402,10 @@ static int raw_release(struct socket *so - - ro->ifindex = 0; - ro->bound = 0; -+ ro->dev = NULL; - ro->count = 0; - free_percpu(ro->uniq); -+ rtnl_unlock(); - - sock_orphan(sk); - sock->sk = NULL; -@@ -422,6 +421,7 @@ static int raw_bind(struct socket *sock, - struct sockaddr_can *addr = (struct sockaddr_can *)uaddr; - struct sock *sk = sock->sk; - struct raw_sock *ro = raw_sk(sk); -+ struct net_device *dev = NULL; - int ifindex; - int err = 0; - int notify_enetdown = 0; -@@ -431,14 +431,13 @@ static int raw_bind(struct socket *sock, - if (addr->can_family != AF_CAN) - return -EINVAL; - -+ rtnl_lock(); - lock_sock(sk); - - if (ro->bound && addr->can_ifindex == ro->ifindex) - goto out; - - if (addr->can_ifindex) { -- struct net_device *dev; -- - dev = dev_get_by_index(sock_net(sk), addr->can_ifindex); - if (!dev) { - err = -ENODEV; -@@ -467,26 +466,20 @@ static int raw_bind(struct socket *sock, - if (!err) { - if (ro->bound) { - /* unregister old filters */ -- if (ro->ifindex) { -- struct net_device *dev; -- -- dev = dev_get_by_index(sock_net(sk), -- ro->ifindex); -- if (dev) { -- raw_disable_allfilters(dev_net(dev), -- dev, sk); -- dev_put(dev); -- } -- } else { -+ if (ro->dev) -+ raw_disable_allfilters(dev_net(ro->dev), -+ ro->dev, sk); -+ else - raw_disable_allfilters(sock_net(sk), NULL, sk); -- } - } - ro->ifindex = ifindex; - ro->bound = 1; -+ ro->dev = dev; - } - - out: - release_sock(sk); -+ rtnl_unlock(); - - if (notify_enetdown) { - sk->sk_err = ENETDOWN; -@@ -552,9 +545,9 @@ static int raw_setsockopt(struct socket - rtnl_lock(); - lock_sock(sk); - -- if (ro->bound && ro->ifindex) { -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (!dev) { -+ dev = ro->dev; -+ if (ro->bound && dev) { -+ if (dev->reg_state != NETREG_REGISTERED) { - if (count > 1) - kfree(filter); - err = -ENODEV; -@@ -595,7 +588,6 @@ static int raw_setsockopt(struct socket - ro->count = count; - - out_fil: -- dev_put(dev); - release_sock(sk); - rtnl_unlock(); - -@@ -613,9 +605,9 @@ static int raw_setsockopt(struct socket - rtnl_lock(); - lock_sock(sk); - -- if (ro->bound && ro->ifindex) { -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (!dev) { -+ dev = ro->dev; -+ if (ro->bound && dev) { -+ if (dev->reg_state != NETREG_REGISTERED) { - err = -ENODEV; - goto out_err; - } -@@ -639,7 +631,6 @@ static int raw_setsockopt(struct socket - ro->err_mask = err_mask; - - out_err: -- dev_put(dev); - release_sock(sk); - rtnl_unlock(); - diff --git a/queue-6.1/series b/queue-6.1/series index 9b54e19a76b..fff52a9eee0 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -19,7 +19,6 @@ regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch of-preserve-of-display-device-name-for-compatibility.patch regmap-account-for-register-length-in-smbus-i-o-limits.patch arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch -can-raw-fix-receiver-memory-leak.patch can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch can-bcm-fix-uaf-in-bcm_proc_show.patch can-gs_usb-gs_can_open-improve-error-handling.patch diff --git a/queue-6.4/can-raw-fix-receiver-memory-leak.patch b/queue-6.4/can-raw-fix-receiver-memory-leak.patch deleted file mode 100644 index 7096dff2c77..00000000000 --- a/queue-6.4/can-raw-fix-receiver-memory-leak.patch +++ /dev/null @@ -1,233 +0,0 @@ -From ee8b94c8510ce64afe0b87ef548d23e00915fb10 Mon Sep 17 00:00:00 2001 -From: Ziyang Xuan -Date: Tue, 11 Jul 2023 09:17:37 +0800 -Subject: can: raw: fix receiver memory leak - -From: Ziyang Xuan - -commit ee8b94c8510ce64afe0b87ef548d23e00915fb10 upstream. - -Got kmemleak errors with the following ltp can_filter testcase: - -for ((i=1; i<=100; i++)) -do - ./can_filter & - sleep 0.1 -done - -============================================================== -[<00000000db4a4943>] can_rx_register+0x147/0x360 [can] -[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw] -[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0 -[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70 -[<00000000fd468496>] do_syscall_64+0x33/0x40 -[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 - -It's a bug in the concurrent scenario of unregister_netdevice_many() -and raw_release() as following: - - cpu0 cpu1 -unregister_netdevice_many(can_dev) - unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this - net_set_todo(can_dev) - raw_release(can_socket) - dev = dev_get_by_index(, ro->ifindex); // dev == NULL - if (dev) { // receivers in dev_rcv_lists not free because dev is NULL - raw_disable_allfilters(, dev, ); - dev_put(dev); - } - ... - ro->bound = 0; - ... - -call_netdevice_notifiers(NETDEV_UNREGISTER, ) - raw_notify(, NETDEV_UNREGISTER, ) - if (ro->bound) // invalid because ro->bound has been set 0 - raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed - -Add a net_device pointer member in struct raw_sock to record bound -can_dev, and use rtnl_lock to serialize raw_socket members between -raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use -ro->dev to decide whether to free receivers in dev_rcv_lists. - -Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier") -Reviewed-by: Oliver Hartkopp -Acked-by: Oliver Hartkopp -Signed-off-by: Ziyang Xuan -Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com -Cc: stable@vger.kernel.org -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Greg Kroah-Hartman ---- - net/can/raw.c | 57 ++++++++++++++++++++++++--------------------------------- - 1 file changed, 24 insertions(+), 33 deletions(-) - ---- a/net/can/raw.c -+++ b/net/can/raw.c -@@ -84,6 +84,7 @@ struct raw_sock { - struct sock sk; - int bound; - int ifindex; -+ struct net_device *dev; - struct list_head notifier; - int loopback; - int recv_own_msgs; -@@ -277,7 +278,7 @@ static void raw_notify(struct raw_sock * - if (!net_eq(dev_net(dev), sock_net(sk))) - return; - -- if (ro->ifindex != dev->ifindex) -+ if (ro->dev != dev) - return; - - switch (msg) { -@@ -292,6 +293,7 @@ static void raw_notify(struct raw_sock * - - ro->ifindex = 0; - ro->bound = 0; -+ ro->dev = NULL; - ro->count = 0; - release_sock(sk); - -@@ -337,6 +339,7 @@ static int raw_init(struct sock *sk) - - ro->bound = 0; - ro->ifindex = 0; -+ ro->dev = NULL; - - /* set default filter to single entry dfilter */ - ro->dfilter.can_id = 0; -@@ -385,19 +388,13 @@ static int raw_release(struct socket *so - - lock_sock(sk); - -+ rtnl_lock(); - /* remove current filters & unregister */ - if (ro->bound) { -- if (ro->ifindex) { -- struct net_device *dev; -- -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (dev) { -- raw_disable_allfilters(dev_net(dev), dev, sk); -- dev_put(dev); -- } -- } else { -+ if (ro->dev) -+ raw_disable_allfilters(dev_net(ro->dev), ro->dev, sk); -+ else - raw_disable_allfilters(sock_net(sk), NULL, sk); -- } - } - - if (ro->count > 1) -@@ -405,8 +402,10 @@ static int raw_release(struct socket *so - - ro->ifindex = 0; - ro->bound = 0; -+ ro->dev = NULL; - ro->count = 0; - free_percpu(ro->uniq); -+ rtnl_unlock(); - - sock_orphan(sk); - sock->sk = NULL; -@@ -422,6 +421,7 @@ static int raw_bind(struct socket *sock, - struct sockaddr_can *addr = (struct sockaddr_can *)uaddr; - struct sock *sk = sock->sk; - struct raw_sock *ro = raw_sk(sk); -+ struct net_device *dev = NULL; - int ifindex; - int err = 0; - int notify_enetdown = 0; -@@ -431,14 +431,13 @@ static int raw_bind(struct socket *sock, - if (addr->can_family != AF_CAN) - return -EINVAL; - -+ rtnl_lock(); - lock_sock(sk); - - if (ro->bound && addr->can_ifindex == ro->ifindex) - goto out; - - if (addr->can_ifindex) { -- struct net_device *dev; -- - dev = dev_get_by_index(sock_net(sk), addr->can_ifindex); - if (!dev) { - err = -ENODEV; -@@ -467,26 +466,20 @@ static int raw_bind(struct socket *sock, - if (!err) { - if (ro->bound) { - /* unregister old filters */ -- if (ro->ifindex) { -- struct net_device *dev; -- -- dev = dev_get_by_index(sock_net(sk), -- ro->ifindex); -- if (dev) { -- raw_disable_allfilters(dev_net(dev), -- dev, sk); -- dev_put(dev); -- } -- } else { -+ if (ro->dev) -+ raw_disable_allfilters(dev_net(ro->dev), -+ ro->dev, sk); -+ else - raw_disable_allfilters(sock_net(sk), NULL, sk); -- } - } - ro->ifindex = ifindex; - ro->bound = 1; -+ ro->dev = dev; - } - - out: - release_sock(sk); -+ rtnl_unlock(); - - if (notify_enetdown) { - sk->sk_err = ENETDOWN; -@@ -553,9 +546,9 @@ static int raw_setsockopt(struct socket - rtnl_lock(); - lock_sock(sk); - -- if (ro->bound && ro->ifindex) { -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (!dev) { -+ dev = ro->dev; -+ if (ro->bound && dev) { -+ if (dev->reg_state != NETREG_REGISTERED) { - if (count > 1) - kfree(filter); - err = -ENODEV; -@@ -596,7 +589,6 @@ static int raw_setsockopt(struct socket - ro->count = count; - - out_fil: -- dev_put(dev); - release_sock(sk); - rtnl_unlock(); - -@@ -614,9 +606,9 @@ static int raw_setsockopt(struct socket - rtnl_lock(); - lock_sock(sk); - -- if (ro->bound && ro->ifindex) { -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (!dev) { -+ dev = ro->dev; -+ if (ro->bound && dev) { -+ if (dev->reg_state != NETREG_REGISTERED) { - err = -ENODEV; - goto out_err; - } -@@ -640,7 +632,6 @@ static int raw_setsockopt(struct socket - ro->err_mask = err_mask; - - out_err: -- dev_put(dev); - release_sock(sk); - rtnl_unlock(); - diff --git a/queue-6.4/series b/queue-6.4/series index 064ccde3ba9..01179ece61f 100644 --- a/queue-6.4/series +++ b/queue-6.4/series @@ -31,7 +31,6 @@ of-preserve-of-display-device-name-for-compatibility.patch regmap-account-for-register-length-in-smbus-i-o-limits.patch ia64-mmap-consider-pgoff-when-searching-for-free-mapping.patch arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch -can-raw-fix-receiver-memory-leak.patch can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch can-bcm-fix-uaf-in-bcm_proc_show.patch can-gs_usb-gs_can_open-improve-error-handling.patch