From: Christian Brauner <brauner@xxxxxxxxxx> commit 8d42877ad65b02741c9099392a001b7209baa5d4 upstream. Avoid copying when we failed to, or didn't have any mounts to list. Fixes: cb54ef4f050e ("fs: don't copy to userspace under namespace semaphore") # mainline only Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/namespace.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/namespace.c +++ b/fs/namespace.c @@ -5138,6 +5138,8 @@ SYSCALL_DEFINE4(listmount, const struct scoped_guard(rwsem_read, &namespace_sem) ret = do_listmount(kreq.mnt_id, kreq.param, kmnt_ids, nr_mnt_ids); + if (ret <= 0) + return ret; if (copy_to_user(mnt_ids, kmnt_ids, ret * sizeof(*mnt_ids))) return -EFAULT; Patches currently in stable-queue which might be from brauner@xxxxxxxxxx are queue-6.10/fs-don-t-copy-to-userspace-under-namespace-semaphore.patch queue-6.10/libfs-fix-get_stashed_dentry.patch queue-6.10/squashfs-sanity-check-symbolic-link-size.patch queue-6.10/cachefiles-set-the-max-subreq-size-for-cache-writes-.patch queue-6.10/fs-only-copy-to-userspace-on-success-in-listmount.patch queue-6.10/vfs-fix-potential-circular-locking-through-setxattr-.patch queue-6.10/fs-relax-permissions-for-statmount.patch queue-6.10/fscache-delete-fscache_cookie_lru_timer-when-fscache-exits-to-avoid-uaf.patch
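Review bot: the added `if (ret <= 0)` early return before copy_to_user() in the listmount syscall has no comment, and the changelog does not spell out the failure it prevents. With a negative ret from do_listmount(), the length `ret * sizeof(*mnt_ids)` is evaluated in the unsigned type of sizeof, so an error code becomes a very large copy length, and a failing copy would return -EFAULT in place of the original error. With ret == 0 the copy is only a needless call. Suggest adding one sentence to the commit message, or a short comment above the check, stating that do_listmount() errors are returned to the caller unchanged and that nothing is copied when no mounts were listed.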