From: Michal Luczaj <mhal@xxxxxxx>
commit eb94b7bb10109a14a5431a67e5d8e31cfa06b395 upstream.
copy_safe_from_sockptr()
return copy_from_sockptr()
return copy_from_sockptr_offset()
return copy_from_user()
copy_from_user() does not return an error on fault. Instead, it returns a
number of bytes that were not copied. Have it handled.
Patch has a side effect: it un-breaks garbage input handling of
nfc_llcp_setsockopt() and mISDN's data_sock_setsockopt().
Fixes: 6309863b31dd ("net: add copy_safe_from_sockptr() helper")
Signed-off-by: Michal Luczaj <mhal@xxxxxxx>
Link: https://patch.msgid.link/20241111-sockptr-copy-ret-fix-v1-1-a520083a93fb@xxxxxxx
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
include/linux/sockptr.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/include/linux/sockptr.h
+++ b/include/linux/sockptr.h
@@ -77,7 +77,9 @@ static inline int copy_safe_from_sockptr
{
if (optlen < ksize)
return -EINVAL;
- return copy_from_sockptr(dst, optval, ksize);
+ if (copy_from_sockptr(dst, optval, ksize))
+ return -EFAULT;
+ return 0;
}
static inline int copy_to_sockptr_offset(sockptr_t dst, size_t offset,
Patches currently in stable-queue which might be from mhal@xxxxxxx are
queue-6.1/net-make-copy_safe_from_sockptr-match-documentation.patch
queue-6.1/virtio-vsock-fix-accept_queue-memory-leak.patch
