From d4ae569a12ddd2fc16c5c1a3626f296c93f262aa Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 6 Dec 2022 12:36:55 +0100
Subject: [PATCH] 5.10-stable patches

added patches:
 proc-avoid-integer-type-confusion-in-get_proc_long.patch
 proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
---
 ...eger-type-confusion-in-get_proc_long.patch | 40 +++++++
 ...n-t-think-it-is-working-on-c-strings.patch | 106 ++++++++++++++++++
 queue-5.10/series | 2 +
 3 files changed, 148 insertions(+)
 create mode 100644 queue-5.10/proc-avoid-integer-type-confusion-in-get_proc_long.patch
 create mode 100644 queue-5.10/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
diff --git a/queue-5.10/proc-avoid-integer-type-confusion-in-get_proc_long.patch b/queue-5.10/proc-avoid-integer-type-confusion-in-get_proc_long.patch
new file mode 100644
index 00000000000..bf60b6f6f32
--- /dev/null
+++ b/queue-5.10/proc-avoid-integer-type-confusion-in-get_proc_long.patch
@@ -0,0 +1,40 @@
+From e6cfaf34be9fcd1a8285a294e18986bfc41a409c Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Mon, 5 Dec 2022 11:33:40 -0800
+Subject: proc: avoid integer type confusion in get_proc_long
+
+From: Linus Torvalds
+
+commit e6cfaf34be9fcd1a8285a294e18986bfc41a409c upstream.
+
+proc_get_long() is passed a size_t, but then assigns it to an 'int'
+variable for the length. Let's not do that, even if our IO paths are
+limited to MAX_RW_COUNT (exactly because of these kinds of type errors).
+
+So do the proper test in the rigth type.
+
+Reported-by: Kyle Zeng
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sysctl.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -466,13 +466,12 @@ static int proc_get_long(char **buf, siz
+ unsigned long *val, bool *neg,
+ const char *perm_tr, unsigned perm_tr_len, char *tr)
+ {
+- int len;
+ char *p, tmp[TMPBUFLEN];
++ ssize_t len = *size;
+
+- if (!*size)
++ if (len <= 0)
+ return -EINVAL;
+
+- len = *size;
+ if (len > TMPBUFLEN - 1)
+ len = TMPBUFLEN - 1;
+
diff --git a/queue-5.10/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch b/queue-5.10/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
new file mode 100644
index 00000000000..d99a9c8e99a
--- /dev/null
+++ b/queue-5.10/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
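Review bot: The `if (len <= 0)` test in proc_get_long() depends on an oversized `*size` becoming negative once it is stored in `ssize_t len`, and the new code carries no comment saying so. A one-line comment above the test, such as `/* a *size above SSIZE_MAX converts to a negative len and is rejected here */`, would keep a later cleanup from turning it back into a plain zero check. The clamp to `TMPBUFLEN - 1` that follows presumably bounds the later use of `tmp`, so both comparisons need to stay in the same signed type. The function body continues outside the hunk.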
@@ -0,0 +1,106 @@
+From bce9332220bd677d83b19d21502776ad555a0e73 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Mon, 5 Dec 2022 12:09:06 -0800
+Subject: proc: proc_skip_spaces() shouldn't think it is working on C strings
+
+From: Linus Torvalds
+
+commit bce9332220bd677d83b19d21502776ad555a0e73 upstream.
+
+proc_skip_spaces() seems to think it is working on C strings, and ends
+up being just a wrapper around skip_spaces() with a really odd calling
+convention.
+
+Instead of basing it on skip_spaces(), it should have looked more like
+proc_skip_char(), which really is the exact same function (except it
+skips a particular character, rather than whitespace). So use that as
+inspiration, odd coding and all.
+
+Now the calling convention actually makes sense and works for the
+intended purpose.
+
+Reported-and-tested-by: Kyle Zeng
+Acked-by: Eric Dumazet
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sysctl.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -391,13 +391,14 @@ int proc_dostring(struct ctl_table *tabl
+ ppos);
+ }
+
+-static size_t proc_skip_spaces(char **buf)
++static void proc_skip_spaces(char **buf, size_t *size)
+ {
+- size_t ret;
+- char *tmp = skip_spaces(*buf);
+- ret = tmp - *buf;
+- *buf = tmp;
+- return ret;
++ while (*size) {
++ if (!isspace(**buf))
++ break;
++ (*size)--;
++ (*buf)++;
++ }
+ }
+
+ static void proc_skip_char(char **buf, size_t *size, const char v)
+@@ -629,7 +630,7 @@ static int __do_proc_dointvec(void *tbl_
+ bool neg;
+
+ if (write) {
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+
+ if (!left)
+ break;
+@@ -656,7 +657,7 @@ static int __do_proc_dointvec(void *tbl_
+ if (!write && !first && left && !err)
+ proc_put_char(&buffer, &left, '\n');
+ if (write && !err && left)
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (write && first)
+ return err ? : -EINVAL;
+ *lenp -= left;
+@@ -698,7 +699,7 @@ static int do_proc_douintvec_w(unsigned
+ if (left > PAGE_SIZE - 1)
+ left = PAGE_SIZE - 1;
+
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (!left) {
+ err = -EINVAL;
+ goto out_free;
+@@ -718,7 +719,7 @@ static int do_proc_douintvec_w(unsigned
+ }
+
+ if (!err && left)
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+
+ out_free:
+ if (err)
+@@ -1176,7 +1177,7 @@ static int __do_proc_doulongvec_minmax(v
+ if (write) {
+ bool neg;
+
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (!left)
+ break;
+
+@@ -1204,7 +1205,7 @@ static int __do_proc_doulongvec_minmax(v
+ if (!write && !first && left && !err)
+ proc_put_char(&buffer, &left, '\n');
+ if (write && !err)
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (write && first)
+ return err ? : -EINVAL;
+ *lenp -= left;
diff --git a/queue-5.10/series b/queue-5.10/series
index 2686b75f6af..272de4de34e 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -90,3 +90,5 @@ revert-clocksource-drivers-riscv-events-are-stopped-.patch
 char-tpm-protect-tpm_pm_suspend-with-locks.patch
 input-raydium_ts_i2c-fix-memory-leak-in-raydium_i2c_send.patch
 block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch
+proc-avoid-integer-type-confusion-in-get_proc_long.patch
+proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
-- 
2.47.3
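Review bot: The rewritten proc_skip_spaces() has no comment stating its contract, even though that contract is the reason for the change: `*buf` is a length-bounded buffer rather than a NUL-terminated string, and the helper must not read past `*size` bytes. A short comment above it, for example `/* Skip leading whitespace in a buffer of *size bytes (not NUL-terminated); advances *buf and decrements *size. */`, would record that next to the code. As a style point, the helper now tests `*size` itself, so the `&& left` guards at the call sites in __do_proc_dointvec() and do_proc_douintvec_w() look redundant and differ from the unguarded `if (write && !err)` call in __do_proc_doulongvec_minmax(). The callers' bodies lie outside the hunks shown, so this should be confirmed against the full 5.10 file.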