From: Greg Kroah-Hartman
Date: Tue, 6 Dec 2022 11:36:45 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v4.9.335~18
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e165ffd090d3ae5a1fdf253786f3167204d2bdcf;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
proc-avoid-integer-type-confusion-in-get_proc_long.patch
proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
---
diff --git a/queue-5.4/proc-avoid-integer-type-confusion-in-get_proc_long.patch b/queue-5.4/proc-avoid-integer-type-confusion-in-get_proc_long.patch
new file mode 100644
index 00000000000..83133c0f568
--- /dev/null
+++ b/queue-5.4/proc-avoid-integer-type-confusion-in-get_proc_long.patch
@@ -0,0 +1,40 @@
+From e6cfaf34be9fcd1a8285a294e18986bfc41a409c Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Mon, 5 Dec 2022 11:33:40 -0800
+Subject: proc: avoid integer type confusion in get_proc_long
+
+From: Linus Torvalds
+
+commit e6cfaf34be9fcd1a8285a294e18986bfc41a409c upstream.
+
+proc_get_long() is passed a size_t, but then assigns it to an 'int'
+variable for the length. Let's not do that, even if our IO paths are
+limited to MAX_RW_COUNT (exactly because of these kinds of type errors).
+
+So do the proper test in the rigth type.
+
+Reported-by: Kyle Zeng
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sysctl.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2231,13 +2231,12 @@ static int proc_get_long(char **buf, siz
+ unsigned long *val, bool *neg,
+ const char *perm_tr, unsigned perm_tr_len, char *tr)
+ {
+- int len;
+ char *p, tmp[TMPBUFLEN];
++ ssize_t len = *size;
+
+- if (!*size)
++ if (len <= 0)
+ return -EINVAL;
+
+- len = *size;
+ if (len > TMPBUFLEN - 1)
+ len = TMPBUFLEN - 1;
+
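Review bot: In the queued proc_get_long() change, the new `if (len <= 0)` test does two jobs and only one of them is obvious. Besides rejecting an empty buffer, it also rejects any `*size` too large for `ssize_t`, because `ssize_t len = *size;` converts such a value to a negative number on the kernel's supported compilers. A one-line comment above the test would stop a later cleanup from reducing it to `if (!len)`, for example `/* also rejects *size > SSIZE_MAX, which converts to a negative len */`. The clamp to `TMPBUFLEN - 1` that follows depends on len being positive at that point. The function body continues past the end of the hunk, so the later uses of len are not visible here.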
diff --git a/queue-5.4/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch b/queue-5.4/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
new file mode 100644
index 00000000000..f494537c3b7
--- /dev/null
+++ b/queue-5.4/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
@@ -0,0 +1,106 @@
+From bce9332220bd677d83b19d21502776ad555a0e73 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Mon, 5 Dec 2022 12:09:06 -0800
+Subject: proc: proc_skip_spaces() shouldn't think it is working on C strings
+
+From: Linus Torvalds
+
+commit bce9332220bd677d83b19d21502776ad555a0e73 upstream.
+
+proc_skip_spaces() seems to think it is working on C strings, and ends
+up being just a wrapper around skip_spaces() with a really odd calling
+convention.
+
+Instead of basing it on skip_spaces(), it should have looked more like
+proc_skip_char(), which really is the exact same function (except it
+skips a particular character, rather than whitespace). So use that as
+inspiration, odd coding and all.
+
+Now the calling convention actually makes sense and works for the
+intended purpose.
+
+Reported-and-tested-by: Kyle Zeng
+Acked-by: Eric Dumazet
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sysctl.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2156,13 +2156,14 @@ int proc_dostring(struct ctl_table *tabl
+ (char __user *)buffer, lenp, ppos);
+ }
+
+-static size_t proc_skip_spaces(char **buf)
++static void proc_skip_spaces(char **buf, size_t *size)
+ {
+- size_t ret;
+- char *tmp = skip_spaces(*buf);
+- ret = tmp - *buf;
+- *buf = tmp;
+- return ret;
++ while (*size) {
++ if (!isspace(**buf))
++ break;
++ (*size)--;
++ (*buf)++;
++ }
+ }
+
+ static void proc_skip_char(char **buf, size_t *size, const char v)
+@@ -2399,7 +2400,7 @@ static int __do_proc_dointvec(void *tbl_
+ bool neg;
+
+ if (write) {
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+
+ if (!left)
+ break;
+@@ -2430,7 +2431,7 @@ static int __do_proc_dointvec(void *tbl_
+ if (!write && !first && left && !err)
+ err = proc_put_char(&buffer, &left, '\n');
+ if (write && !err && left)
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (write) {
+ kfree(kbuf);
+ if (first)
+@@ -2479,7 +2480,7 @@ static int do_proc_douintvec_w(unsigned
+ if (IS_ERR(kbuf))
+ return -EINVAL;
+
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (!left) {
+ err = -EINVAL;
+ goto out_free;
+@@ -2499,7 +2500,7 @@ static int do_proc_douintvec_w(unsigned
+ }
+
+ if (!err && left)
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+
+ out_free:
+ kfree(kbuf);
+@@ -2913,7 +2914,7 @@ static int __do_proc_doulongvec_minmax(v
+ if (write) {
+ bool neg;
+
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (!left)
+ break;
+
+@@ -2946,7 +2947,7 @@ static int __do_proc_doulongvec_minmax(v
+ if (!write && !first && left && !err)
+ err = proc_put_char(&buffer, &left, '\n');
+ if (write && !err)
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (write) {
+ kfree(kbuf);
+ if (first)
diff --git a/queue-5.4/series b/queue-5.4/series
index 51f97013992..720e7339838 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -151,3 +151,5 @@ revert-clocksource-drivers-riscv-events-are-stopped-.patch
 char-tpm-protect-tpm_pm_suspend-with-locks.patch
 mmc-sdhci-use-field_get-for-preset-value-bit-masks.patch
 mmc-sdhci-fix-voltage-switch-delay.patch
+proc-avoid-integer-type-confusion-in-get_proc_long.patch
+proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
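Review bot: The rewritten proc_skip_spaces() in the first kernel/sysctl.c hunk of the queued proc_skip_spaces patch carries no comment stating its contract, and that contract is exactly what the old version got wrong. The buffer is length-bounded rather than a C string, and the scan must stop once `*size` reaches zero. I would add above it `/* Skip leading whitespace in a length-bounded buffer (not a C string): advances *buf, decrements *size, reads at most *size bytes. */`. As a style point, the `&& left` guards kept at the call sites in __do_proc_dointvec and do_proc_douintvec_w are now redundant, because the helper returns at once when `*size` is 0; __do_proc_doulongvec_minmax already calls it without that guard. The caller bodies start and end outside the hunks shown.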