TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / hafnium / third_party / linux.git / 92d4c21e51fc12736c39c2a161a42f20e2be8a00^! / . / net / netlink
commit92d4c21e51fc12736c39c2a161a42f20e2be8a00[log] [tgz]
authorOlivier Deprez <olivier.deprez@arm.com>Tue Dec 06 15:05:30 2022 +0100
committerOlivier Deprez <olivier.deprez@arm.com>Tue Dec 06 15:05:30 2022 +0100
tree0ea63b023a85dff7aeb0895b46d3b22a65669ae1
parent157378f43faad830e4aa3815bde5fa9f9a9f5be6 [diff]
Update Linux to v5.10.157

Sourced from [1]

[1] https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.10.157.tar.xz

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I7b30d9e98d8c465d6b44de8e7433b4a40b3289ba

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index e55af5c..d96a610 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c

@@ -149,6 +149,8 @@
 
 static inline u32 netlink_group_mask(u32 group)
 {
+	if (group > 32)
+		return 0;
 	return group ? 1 << (group - 1) : 0;
 }
 
@@ -1986,7 +1988,6 @@
 		copied = len;
 	}
 
-	skb_reset_transport_header(data_skb);
 	err = skb_copy_datagram_msg(data_skb, 0, msg, copied);
 
 	if (msg->msg_name) {
@@ -2274,6 +2275,13 @@
 	 * single netdev. The outcome is MSG_TRUNC error.
 	 */
 	skb_reserve(skb, skb_tailroom(skb) - alloc_size);
+
+	/* Make sure malicious BPF programs can not read unitialized memory
+	 * from skb->head -> skb->data
+	 */
+	skb_reset_network_header(skb);
+	skb_reset_mac_header(skb);
+
 	netlink_skb_set_owner_r(skb, sk);
 
 	if (nlk->dump_done_errno > 0) {

diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index c992424..9fd7ba0 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c

@@ -1182,13 +1182,17 @@
 							     op.policy,
 							     op.maxattr);
 			if (err)
-				return err;
+				goto err_free_state;
 		}
 	}
 
 	if (!ctx->state)
 		return -ENODATA;
 	return 0;
+
+err_free_state:
+	netlink_policy_dump_free(ctx->state);
+	return err;
 }
 
 static void *ctrl_dumppolicy_prep(struct sk_buff *skb,

diff --git a/net/netlink/policy.c b/net/netlink/policy.c
index 8d7c900..87e3de0 100644
--- a/net/netlink/policy.c
+++ b/net/netlink/policy.c

@@ -144,7 +144,7 @@
 
 	err = add_policy(&state, policy, maxtype);
 	if (err)
-		return err;
+		goto err_try_undo;
 
 	for (policy_idx = 0;
 	     policy_idx < state->n_alloc && state->policies[policy_idx].policy;
@@ -164,7 +164,7 @@
 						 policy[type].nested_policy,
 						 policy[type].len);
 				if (err)
-					return err;
+					goto err_try_undo;
 				break;
 			default:
 				break;
@@ -174,6 +174,16 @@
 
 	*pstate = state;
 	return 0;
+
+err_try_undo:
+	/* Try to preserve reasonable unwind semantics - if we're starting from
+	 * scratch clean up fully, otherwise record what we got and caller will.
+	 */
+	if (!*pstate)
+		netlink_policy_dump_free(state);
+	else
+		*pstate = state;
+	return err;
 }
 
 static bool