authorBen Hutchings <ben@decadent.org.uk>2016-02-13 00:55:52 +0000
committerBen Hutchings <ben@decadent.org.uk>2016-02-13 00:56:13 +0000
commit3c25ed439a2e6bd08c606c3a24c60805aa98e08b (patch)
tree25efe91a085d2e674f92aa552af0ca62a474ea8a
parent2d5f78b62a713126e119a3078c3ed0efad65d917 (diff)
af_unix: Don't set err in unix_stream_read_generic unless there was an error
This fixes a regression in 4.4, also introduced in 4.3.4 and various other stable updates.
-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/bugfix/all/af_unix-don-t-set-err-in-unix_stream_read_generic-unless-there-was-an-error.patch65
-rw-r--r--debian/patches/series1
3 files changed, 68 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 53349da5764a..617cac962d53 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,8 @@ linux (4.4.1-1) UNRELEASED; urgency=medium
(regression in 4.2.6-2)
* Revert "workqueue: make sure delayed work run in local cpu"
(regression in 4.3)
+ * af_unix: Don't set err in unix_stream_read_generic unless there was an error
+ (regression in 4.4, 4.3.4)
-- Ben Hutchings <ben@decadent.org.uk> Fri, 12 Feb 2016 23:34:23 +0000
diff --git a/debian/patches/bugfix/all/af_unix-don-t-set-err-in-unix_stream_read_generic-unless-there-was-an-error.patch b/debian/patches/bugfix/all/af_unix-don-t-set-err-in-unix_stream_read_generic-unless-there-was-an-error.patch
new file mode 100644
index 000000000000..3eec17f72ccb
--- /dev/null
+++ b/debian/patches/bugfix/all/af_unix-don-t-set-err-in-unix_stream_read_generic-unless-there-was-an-error.patch
@@ -0,0 +1,65 @@
+From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Date: Mon, 08 Feb 2016 18:47:19 +0000
+Subject: af_unix: Don't set err in unix_stream_read_generic unless there was an error
+Origin: http://mid.gmane.org/87bn7rrqdk.fsf@doppelsaurus.mobileactivedefense.com
+
+The present unix_stream_read_generic contains various code sequences of
+the form
+
+err = -EDISASTER;
+if (<test>)
+ goto out;
+
+This has the unfortunate side effect of possibly causing the error code
+to bleed through to the final
+
+out:
+ return copied ? : err;
+
+and then to be wrongly returned if no data was copied because the caller
+didn't supply a data buffer, as demonstrated by the program available at
+
+http://pad.lv/1540731
+
+Change it such that err is only set if an error condition was detected.
+
+Fixes: 3822b5c2fc62 ("af_unix: Revert 'lock_interruptible' in stream receive code")
+Reported-by: Joseph Salisbury <joseph.salisbury@canonical.com>
+Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+---
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2275,13 +2275,15 @@ static int unix_stream_read_generic(stru
+ size_t size = state->size;
+ unsigned int last_len;
+
+- err = -EINVAL;
+- if (sk->sk_state != TCP_ESTABLISHED)
++ if (unlikely(sk->sk_state != TCP_ESTABLISHED)) {
++ err = -EINVAL;
+ goto out;
++ }
+
+- err = -EOPNOTSUPP;
+- if (flags & MSG_OOB)
++ if (unlikely(flags & MSG_OOB)) {
++ err = -EOPNOTSUPP;
+ goto out;
++ }
+
+ target = sock_rcvlowat(sk, flags & MSG_WAITALL, size);
+ timeo = sock_rcvtimeo(sk, noblock);
+@@ -2327,9 +2329,11 @@ again:
+ goto unlock;
+
+ unix_state_unlock(sk);
+- err = -EAGAIN;
+- if (!timeo)
++ if (!timeo) {
++ err = -EAGAIN;
+ break;
++ }
++
+ mutex_unlock(&u->readlock);
+
+ timeo = unix_stream_data_wait(sk, timeo, last,
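Review bot: After this change, the value returned by `return copied ? : err;` when nothing was copied and none of the three rewritten checks fired depends entirely on what `err` held beforehand, and neither its declaration nor any other assignment to it is visible in the context lines of the two inner hunks. Before applying this to the 4.4 tree, confirm that `err` is initialised to 0 at its declaration (`int err = 0;`) and that no remaining unconditional `err = -E...;` elsewhere in unix_stream_read_generic still precedes a non-error `goto` or `break`; otherwise the same spurious error can still reach a caller that supplied no data buffer. The function body starts before and continues after the lines shown here. Since `Origin:` points at a mailing-list message rather than an upstream commit, the header should be updated with the upstream commit id once one exists, so the backport can be audited against what was actually merged.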
diff --git a/debian/patches/series b/debian/patches/series
index ae6e0cc30265..f2c33195717f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -121,3 +121,4 @@ bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
bugfix/all/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
bugfix/all/revert-workqueue-make-sure-delayed-work-run-in-local-cpu.patch
+bugfix/all/af_unix-don-t-set-err-in-unix_stream_read_generic-unless-there-was-an-error.patch