diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-04-30 11:13:05 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-04-30 11:13:05 +0200 |
| commit | d555cc6ff25170e92c37a04abbe851b34d81c473 (patch) | |
| tree | 28b4afc51e0aa4ad6bf1e9e85e416b5dc49ae3e7 | |
| parent | cd5a419868866be94da44b76fed614e0c0f76b77 (diff) | |
| parent | 03e81f004d7e665e7c0e203c2f240abefbb79056 (diff) | |
| download | linux-rolling-stable.tar.gz | |
Merge v7.0.3linux-rolling-stable
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | Makefile | 2 | ||||
| -rw-r--r-- | drivers/xen/privcmd.c | 7 | ||||
| -rw-r--r-- | drivers/xen/sys-hypervisor.c | 8 |
3 files changed, 14 insertions, 3 deletions
diff --git a/Makefile b/Makefile index b17ca865bcee7..61f8019efd5af 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 VERSION = 7 PATCHLEVEL = 0 -SUBLEVEL = 2 +SUBLEVEL = 3 EXTRAVERSION = NAME = Baby Opossum Posse diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c index 15ba592236e84..725a49a0eee72 100644 --- a/drivers/xen/privcmd.c +++ b/drivers/xen/privcmd.c @@ -1620,6 +1620,12 @@ static void privcmd_close(struct vm_area_struct *vma) kvfree(pages); } +static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr) +{ + /* Forbid splitting, avoids double free via privcmd_close(). */ + return -EINVAL; +} + static vm_fault_t privcmd_fault(struct vm_fault *vmf) { printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n", @@ -1631,6 +1637,7 @@ static vm_fault_t privcmd_fault(struct vm_fault *vmf) static const struct vm_operations_struct privcmd_vm_ops = { .close = privcmd_close, + .may_split = privcmd_may_split, .fault = privcmd_fault }; diff --git a/drivers/xen/sys-hypervisor.c b/drivers/xen/sys-hypervisor.c index b1bb01ba82f88..91923242a5ae7 100644 --- a/drivers/xen/sys-hypervisor.c +++ b/drivers/xen/sys-hypervisor.c @@ -366,6 +366,8 @@ static ssize_t buildid_show(struct hyp_sysfs_attr *attr, char *buffer) ret = sprintf(buffer, "<denied>"); return ret; } + if (ret > PAGE_SIZE) + return -ENOSPC; buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL); if (!buildid) @@ -373,8 +375,10 @@ static ssize_t buildid_show(struct hyp_sysfs_attr *attr, char *buffer) buildid->len = ret; ret = HYPERVISOR_xen_version(XENVER_build_id, buildid); - if (ret > 0) - ret = sprintf(buffer, "%s", buildid->buf); + if (ret > 0) { + /* Build id is binary, not a string. */ + memcpy(buffer, buildid->buf, ret); + } kfree(buildid); return ret; |