Diffstat (limited to 'queue-5.10/net-atm-fix-proc-net-atm-lec-handling.patch')
-rw-r--r-- | queue-5.10/net-atm-fix-proc-net-atm-lec-handling.patch | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/queue-5.10/net-atm-fix-proc-net-atm-lec-handling.patch b/queue-5.10/net-atm-fix-proc-net-atm-lec-handling.patch
new file mode 100644
index 0000000000..68f00df1ec
--- /dev/null
+++ b/queue-5.10/net-atm-fix-proc-net-atm-lec-handling.patch
@@ -0,0 +1,58 @@
+From aefa3deb6cba4e9be7bf4837fbbe87b2f6ad6c84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 14:08:44 +0000
+Subject: net: atm: fix /proc/net/atm/lec handling
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d03b79f459c7935cff830d98373474f440bd03ae ]
+
+/proc/net/atm/lec must ensure safety against dev_lec[] changes.
+
+It appears it had dev_put() calls without prior dev_hold(),
+leading to imbalance and UAF.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Francois Romieu <romieu@fr.zoreil.com> # Minor atm contributor
+Link: https://patch.msgid.link/20250618140844.1686882-3-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/lec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/atm/lec.c b/net/atm/lec.c
+index 3f67b84c8f1c9..73078306504c0 100644
+--- a/net/atm/lec.c
++++ b/net/atm/lec.c
+@@ -911,7 +911,6 @@ static void *lec_itf_walk(struct lec_state *state, loff_t *l)
+ v = (dev && netdev_priv(dev)) ?
+ lec_priv_walk(state, l, netdev_priv(dev)) : NULL;
+ if (!v && dev) {
+- dev_put(dev);
+ /* Partial state reset for the next time we get called */
+ dev = NULL;
+ }
+@@ -935,6 +934,7 @@ static void *lec_seq_start(struct seq_file *seq, loff_t *pos)
+ {
+ struct lec_state *state = seq->private;
+
++ mutex_lock(&lec_mutex);
+ state->itf = 0;
+ state->dev = NULL;
+ state->locked = NULL;
+@@ -952,8 +952,9 @@ static void lec_seq_stop(struct seq_file *seq, void *v)
+ if (state->dev) {
+ spin_unlock_irqrestore(&state->locked->lec_arp_lock,
+ state->flags);
+- dev_put(state->dev);
++ state->dev = NULL;
+ }
++ mutex_unlock(&lec_mutex);
+ }
+
+ static void *lec_seq_next(struct seq_file *seq, void *v, loff_t *pos)
+--
+2.39.5
+ |
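Review bot: `lec_mutex` is locked in `lec_seq_start()` and unlocked in `lec_seq_stop()`, but nothing in this queued patch defines it. The 5.10 backport therefore only builds, and only closes the use-after-free, if a prerequisite that adds the mutex and takes it on every path that modifies `dev_lec[]` is applied earlier in the queue-5.10 series. The `-3-` in the Link trailer suggests that prerequisite is the preceding patch of the same upstream series, which should be confirmed before release. With both `dev_put()` calls removed, `state->dev` becomes a borrowed pointer whose validity rests entirely on that lock, so it is worth saying so at the lock site, e.g. `/* lec_mutex keeps dev_lec[] stable from ->start to ->stop; no reference is held on state->dev */`. All three inner hunks show only fragments of their functions, so whether every exit of the seq iteration reaches the `mutex_unlock()` cannot be verified from this page.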