From: Thomas Weißschuh <linux@xxxxxxxxxxxxxx> commit 559d4c6a9d3b60f239493239070eb304edaea594 upstream. The test if a table is a permanently empty one, inspects the address of the registered ctl_table argument. However as sysctl_mount_point is an empty array and does not occupy and space it can end up sharing an address with another object in memory. If that other object itself is a "struct ctl_table" then registering that table will fail as it's incorrectly recognized as permanently empty. Avoid this issue by adding a dummy element to the array so that is not empty anymore. Explicitly register the table with zero elements as otherwise the dummy element would be recognized as a sentinel element which would lead to a runtime warning from the sysctl core. While the issue seems not being encountered at this time, this seems mostly to be due to luck. Also a future change, constifying sysctl_mount_point and root_table, can reliably trigger this issue on clang 18. Given that empty arrays are non-standard in the first place it seems prudent to avoid them if possible. Fixes: 4a7b29f65094 ("sysctl: move sysctl type to ctl_table_header") Fixes: a35dd3a786f5 ("sysctl: drop now unnecessary out-of-bounds check") Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Thomas Weißschuh <linux@xxxxxxxxxxxxxx> Closes: https://lore.kernel.org/oe-lkp/202408051453.f638857e-lkp@xxxxxxxxx Signed-off-by: Joel Granados <j.granados@xxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/proc/proc_sysctl.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) --- a/fs/proc/proc_sysctl.c +++ b/fs/proc/proc_sysctl.c @@ -29,8 +29,13 @@ static const struct inode_operations pro static const struct file_operations proc_sys_dir_file_operations; static const struct inode_operations proc_sys_dir_operations; -/* Support for permanently empty directories */ -static struct ctl_table sysctl_mount_point[] = { }; +/* + * Support for permanently empty directories. + * Must be non-empty to avoid sharing an address with other tables. + */ +static struct ctl_table sysctl_mount_point[] = { + { } +}; /** * register_sysctl_mount_point() - registers a sysctl mount point @@ -42,7 +47,7 @@ static struct ctl_table sysctl_mount_poi */ struct ctl_table_header *register_sysctl_mount_point(const char *path) { - return register_sysctl(path, sysctl_mount_point); + return register_sysctl_sz(path, sysctl_mount_point, 0); } EXPORT_SYMBOL(register_sysctl_mount_point); Patches currently in stable-queue which might be from linux@xxxxxxxxxxxxxx are queue-6.11/selftests-nolibc-avoid-passing-null-to-printf-s.patch queue-6.11/sysctl-avoid-spurious-permanent-empty-tables.patch queue-6.11/power-supply-drop-use_cnt-check-from-power_supply_property_is_writeable.patch queue-6.11/fbdev-efifb-register-sysfs-groups-through-driver-cor.patch queue-6.11/tools-nolibc-powerpc-limit-stack-protector-workaroun.patch