On Mon, Jan 10, 2022 at 11:07:08AM +0100, Pavel Machek wrote:
> Hi!
>
> > From: Christoph Hellwig <hch@xxxxxx>
> >
> > commit 3087a6f36ee028ec095c04a8531d7d33899b7fed upstream.
> >
> > This code used to copy in an unsigned long worth of data before
> > the sockptr_t conversion, so restore that.
>
> Maybe, but then the size checks need to be updated, too.
>
> > Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> > Signed-off-by: Christoph Hellwig <hch@xxxxxx>
> > Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> > ---
> > net/netrom/af_netrom.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > --- a/net/netrom/af_netrom.c
> > +++ b/net/netrom/af_netrom.c
> > @@ -306,7 +306,7 @@ static int nr_setsockopt(struct socket *
> > if (optlen < sizeof(unsigned int))
>
> This should be < sizeof(unsigned long)) ... AFAICT.
>
> > return -EINVAL;

Yeah. This patch isn't right. I sent a follow on that changes
everything to unsigned int. Originally it was:

	if (get_user(opt, (unsigned int __user *)optval))

Which copies an unsigned int from the user into an unsigned long opt
variable.

My fix is required to fix an uninitialized data bug in a7b75c5a8c41
("net: pass a sockptr_t into ->setsockopt"). It would be slightly more
complicated to just backport my fix without first backporting this one
and it would look sort of weird. So I think it's better to backport
this and then mine.

regards,
dan carpenter
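
Review bot: the length check `if (optlen < sizeof(unsigned int))` is left as unchanged context in this hunk while the commit message says the copy is restored to an unsigned long, so where unsigned long is wider than unsigned int an optlen of sizeof(unsigned int) passes the check and the copy then takes more bytes than the caller supplied. Either raise the check to `sizeof(unsigned long)` or keep the variable, the check and the copy all at `unsigned int`. The changed `+`/`-` line is not visible in the quoted hunk, so this rests on the visible check and the commit message only.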
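
The three ways of fetching the option that this thread compares, as an added userspace model (not kernel code and not part of the original mail). `fetch_opt`, `make_sample`, the 0xAA stale-stack fill and the 16-byte buffer are constructed for illustration, and the short-copy variant is an assumed reading of the uninitialized-data bug the reply mentions.

```c
#include <stddef.h>
#include <string.h>

/* Userspace model only: memcpy() stands in for the copy from user memory. */
struct fetch {
    int err;            /* 0, or -22 for EINVAL */
    unsigned long opt;  /* value the handler would act on */
    size_t overread;    /* bytes copied beyond what optlen vouched for */
};

enum variant { SHORT_COPY_INTO_LONG, COPY_LONG, ALL_INT };

/* Constructed sample: a 4-byte option value, then unrelated caller bytes. */
static void make_sample(unsigned char buf[16], unsigned int value)
{
    memset(buf, 0x55, 16);
    memcpy(buf, &value, sizeof(value));
}

static struct fetch fetch_opt(enum variant v, const unsigned char *ubuf,
                              size_t optlen)
{
    struct fetch r = { 0, 0, 0 };
    unsigned long opt;
    unsigned int opt32;
    size_t n = sizeof(unsigned int);

    memset(&opt, 0xAA, sizeof(opt));     /* stands in for stale stack bytes */
    if (optlen < sizeof(unsigned int)) { /* the check shown in the hunk */
        r.err = -22;
        return r;
    }
    switch (v) {
    case SHORT_COPY_INTO_LONG:  /* assumed shape of the uninitialized-data bug */
        memcpy(&opt, ubuf, n);
        break;
    case COPY_LONG:             /* copy widened, check left at unsigned int */
        n = sizeof(unsigned long);
        memcpy(&opt, ubuf, n);
        break;
    default:                    /* check, copy and variable all unsigned int */
        memcpy(&opt32, ubuf, n);
        opt = opt32;
        break;
    }
    r.opt = opt;
    r.overread = n > optlen ? n - optlen : 0;
    return r;
}
```

On a platform where unsigned long and unsigned int have the same size, all three variants behave identically, which is why the mismatch only shows up on 64-bit builds.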