Diffstat (limited to 'queue-5.15/net-atm-fix-proc-net-atm-lec-handling.patch')
-rw-r--r--queue-5.15/net-atm-fix-proc-net-atm-lec-handling.patch58
1 files changed, 58 insertions, 0 deletions
diff --git a/queue-5.15/net-atm-fix-proc-net-atm-lec-handling.patch b/queue-5.15/net-atm-fix-proc-net-atm-lec-handling.patch
new file mode 100644
index 0000000000..d6cf343737
--- /dev/null
+++ b/queue-5.15/net-atm-fix-proc-net-atm-lec-handling.patch
@@ -0,0 +1,58 @@
+From 8934a8c4e159ae71a42f2fe44c5f4ca5b960d811 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 14:08:44 +0000
+Subject: net: atm: fix /proc/net/atm/lec handling
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d03b79f459c7935cff830d98373474f440bd03ae ]
+
+/proc/net/atm/lec must ensure safety against dev_lec[] changes.
+
+It appears it had dev_put() calls without prior dev_hold(),
+leading to imbalance and UAF.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Francois Romieu <romieu@fr.zoreil.com> # Minor atm contributor
+Link: https://patch.msgid.link/20250618140844.1686882-3-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/lec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/atm/lec.c b/net/atm/lec.c
+index 3f67b84c8f1c9..73078306504c0 100644
+--- a/net/atm/lec.c
++++ b/net/atm/lec.c
+@@ -911,7 +911,6 @@ static void *lec_itf_walk(struct lec_state *state, loff_t *l)
+ v = (dev && netdev_priv(dev)) ?
+ lec_priv_walk(state, l, netdev_priv(dev)) : NULL;
+ if (!v && dev) {
+- dev_put(dev);
+ /* Partial state reset for the next time we get called */
+ dev = NULL;
+ }
+@@ -935,6 +934,7 @@ static void *lec_seq_start(struct seq_file *seq, loff_t *pos)
+ {
+ struct lec_state *state = seq->private;
+
++ mutex_lock(&lec_mutex);
+ state->itf = 0;
+ state->dev = NULL;
+ state->locked = NULL;
+@@ -952,8 +952,9 @@ static void lec_seq_stop(struct seq_file *seq, void *v)
+ if (state->dev) {
+ spin_unlock_irqrestore(&state->locked->lec_arp_lock,
+ state->flags);
+- dev_put(state->dev);
++ state->dev = NULL;
+ }
++ mutex_unlock(&lec_mutex);
+ }
+
+ static void *lec_seq_next(struct seq_file *seq, void *v, loff_t *pos)
+--
+2.39.5
+
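Review bot: `lec_mutex` is taken in lec_seq_start() and released in lec_seq_stop(), but no hunk of this patch defines it, so the backport only builds if the change that introduces the mutex is already queued ahead of it in the 5.15 series; the ordering is worth confirming. With both dev_put() calls removed, the walk holds no reference on the device and presumably relies on the mutex alone to keep dev_lec[] entries alive from start to stop, which the code does not state. A comment at the lock, such as `/* lec_mutex keeps dev_lec[] stable for the whole walk; no dev_hold() is taken here */`, would guard against a later change reintroducing an unbalanced put. The bodies of lec_itf_walk(), lec_seq_start() and lec_seq_stop() extend outside the hunks shown, so the pairing of the remaining spin_unlock_irqrestore() with its lock cannot be checked from this page.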