Commit f03e578c authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'uml-for-6.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/uml/linux 

Pull UML fixes from Johannes Berg:
 "A few fixes for UML, which I'd meant to send earlier but then forgot.

  All of them are pretty long-standing issues that are either not really
  happening (the UAF), in rarely used code (the FD buffer issue), or an
  issue only for some host configurations (the executable stack):

   - mark stack not executable to work on more modern systems with
     selinux

   - fix use-after-free in a virtio error path

   - fix stack buffer overflow in external unix socket FD receive
     function"

* tag 'uml-for-6.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/uml/linux:
  um: Fix FD copy size in os_rcv_fd_msg()
  um: virtio_uml: Fix use-after-free after put_device in probe
  um: Don't mark stack executable
parents 8b789f2b df447a3b

arch/um/drivers/virtio_uml.c

+4 −2
Original line number Diff line number Diff line
@@ -1250,10 +1250,12 @@ static int virtio_uml_probe(struct platform_device *pdev) 
	device_set_wakeup_capable(&vu_dev->vdev.dev, true);



	rc = register_virtio_device(&vu_dev->vdev);

	if (rc)

	if (rc) {

		put_device(&vu_dev->vdev.dev);

	vu_dev->registered = 1;

		return rc;

	}

	vu_dev->registered = 1;

	return 0;



error_init:

	os_close_file(vu_dev->sock);

arch/um/os-Linux/file.c

+1 −1
Original line number Diff line number Diff line
@@ -535,7 +535,7 @@ ssize_t os_rcv_fd_msg(int fd, int *fds, unsigned int n_fds, 
	    cmsg->cmsg_type != SCM_RIGHTS)

		return n;



	memcpy(fds, CMSG_DATA(cmsg), cmsg->cmsg_len);

	memcpy(fds, CMSG_DATA(cmsg), cmsg->cmsg_len - CMSG_LEN(0));

	return n;

}

arch/um/os-Linux/util.c

+1 −2
Original line number Diff line number Diff line
@@ -20,8 +20,7 @@ 


void stack_protections(unsigned long address)

{

	if (mprotect((void *) address, UM_THREAD_SIZE,

		    PROT_READ | PROT_WRITE | PROT_EXEC) < 0)

	if (mprotect((void *) address, UM_THREAD_SIZE, PROT_READ | PROT_WRITE) < 0)

		panic("protecting stack failed, errno = %d", errno);

}