The quilt patch titled Subject: drivers/rapidio/rio_cm.c: prevent possible heap overwrite has been removed from the -mm tree. Its filename was drivers-rapidio-rio_cmc-prevent-possible-used-uninitialized.patch

This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

------------------------------------------------------ From: Andrew Morton akpm@linux-foundation.org Subject: drivers/rapidio/rio_cm.c: prevent possible heap overwrite Date: Sat Jun 7 05:43:18 PM PDT 2025

In

riocm_cdev_ioctl(RIO_CM_CHAN_SEND) -> cm_chan_msg_send() -> riocm_ch_send()

cm_chan_msg_send() checks that userspace didn't send too much data but riocm_ch_send() failed to check that userspace sent sufficient data. The result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr which were outside the bounds of the space which cm_chan_msg_send() allocated.

Address this by teaching riocm_ch_send() to check that the entire rio_ch_chan_hdr was copied in from userspace.

Reported-by: maher azz maherazz04@gmail.com Cc: Matt Porter mporter@kernel.crashing.org Cc: Alexandre Bounine alex.bou9@gmail.com Cc: Linus Torvalds torvalds@linuxfoundation.org Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org ---

drivers/rapidio/rio_cm.c | 3 +++ 1 file changed, 3 insertions(+)

--- a/drivers/rapidio/rio_cm.c~drivers-rapidio-rio_cmc-prevent-possible-used-uninitialized +++ a/drivers/rapidio/rio_cm.c @@ -783,6 +783,9 @@ static int riocm_ch_send(u16 ch_id, void if (buf == NULL || ch_id == 0 || len == 0 || len > RIO_MAX_MSG_SIZE) return -EINVAL;

+ if (len < sizeof(struct rio_ch_chan_hdr)) + return -EINVAL; /* insufficient data from user */ + ch = riocm_get_channel(ch_id); if (!ch) { riocm_error("%s(%d) ch_%d not found", current->comm, _

Patches currently in -mm which might be from akpm@linux-foundation.org are

mm-add-mmap_prepare-compatibility-layer-for-nested-file-systems-fix.patch