!10917 Fix CVE-2024-36031

	unsigned int flags;

#define KEY_TYPE_NET_DOMAIN	0x00000001 /* Keys of this type have a net namespace domain */

#define KEY_TYPE_INSTANT_REAP	0x00000002 /* Keys of this type don't have a delay after expiring */

	/* vet a description */

	int (*vet_description)(const char *description);

static int

dns_resolver_preparse(struct key_preparsed_payload *prep)

{

	const struct dns_payload_header *bin;

	struct user_key_payload *upayload;

	unsigned long derrno;

	int ret;

		return -EINVAL;

	if (data[0] == 0) {

		const struct dns_server_list_v1_header *v1;

		/* It may be a server list. */

		if (datalen <= sizeof(*bin))

		if (datalen < sizeof(*v1))

			return -EINVAL;

		bin = (const struct dns_payload_header *)data;

		kenter("[%u,%u],%u", bin->content, bin->version, datalen);

		if (bin->content != DNS_PAYLOAD_IS_SERVER_LIST) {

		v1 = (const struct dns_server_list_v1_header *)data;

		kenter("[%u,%u],%u", v1->hdr.content, v1->hdr.version, datalen);

		if (v1->hdr.content != DNS_PAYLOAD_IS_SERVER_LIST) {

			pr_warn_ratelimited(

				"dns_resolver: Unsupported content type (%u)\n",

				bin->content);

				v1->hdr.content);

			return -EINVAL;

		}

		if (bin->version != 1) {

		if (v1->hdr.version != 1) {

			pr_warn_ratelimited(

				"dns_resolver: Unsupported server list version (%u)\n",

				bin->version);

				v1->hdr.version);

			return -EINVAL;

		}

		if ((v1->status != DNS_LOOKUP_GOOD &&

		     v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) {

			if (prep->expiry == TIME64_MAX)

				prep->expiry = ktime_get_real_seconds() + 1;

		}

		result_len = datalen;

		goto store_result;

	}

struct key_type key_type_dns_resolver = {

	.name		= "dns_resolver",

	.flags		= KEY_TYPE_NET_DOMAIN,

	.flags		= KEY_TYPE_NET_DOMAIN | KEY_TYPE_INSTANT_REAP,

	.preparse	= dns_resolver_preparse,

	.free_preparse	= dns_resolver_free_preparse,

	.instantiate	= generic_key_instantiate,

	}

}

/*

 * Set the expiration time on a key.

 */

void key_set_expiry(struct key *key, time64_t expiry)

{

	key->expiry = expiry;

	if (expiry != TIME64_MAX) {

		if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))

			expiry += key_gc_delay;

		key_schedule_gc(expiry);

	}

}

/*

 * Schedule a dead links collection run.

 */

	static u8 gc_state;		/* Internal persistent state */

#define KEY_GC_REAP_AGAIN	0x01	/* - Need another cycle */

#define KEY_GC_REAPING_LINKS	0x02	/* - We need to reap links */

#define KEY_GC_SET_TIMER	0x04	/* - We need to restart the timer */

#define KEY_GC_REAPING_DEAD_1	0x10	/* - We need to mark dead keys */

#define KEY_GC_REAPING_DEAD_2	0x20	/* - We need to reap dead key links */

#define KEY_GC_REAPING_DEAD_3	0x40	/* - We need to reap dead keys */

	struct rb_node *cursor;

	struct key *key;

	time64_t new_timer, limit;

	time64_t new_timer, limit, expiry;

	kenter("[%lx,%x]", key_gc_flags, gc_state);

	limit = ktime_get_real_seconds();

	if (limit > key_gc_delay)

		limit -= key_gc_delay;

	else

		limit = key_gc_delay;

	/* Work out what we're going to be doing in this pass */

	gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2;

	gc_state <<= 1;

	if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags))

		gc_state |= KEY_GC_REAPING_LINKS | KEY_GC_SET_TIMER;

		gc_state |= KEY_GC_REAPING_LINKS;

	if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags))

		gc_state |= KEY_GC_REAPING_DEAD_1;

			}

		}

		if (gc_state & KEY_GC_SET_TIMER) {

			if (key->expiry > limit && key->expiry < new_timer) {

		expiry = key->expiry;

		if (expiry != TIME64_MAX) {

			if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))

				expiry += key_gc_delay;

			if (expiry > limit && expiry < new_timer) {

				kdebug("will expire %x in %lld",

				       key_serial(key), key->expiry - limit);

				new_timer = key->expiry;

	 */

	kdebug("pass complete");

	if (gc_state & KEY_GC_SET_TIMER && new_timer != (time64_t)TIME64_MAX) {

	if (new_timer != TIME64_MAX) {

		new_timer += key_gc_delay;

		key_schedule_gc(new_timer);

	}

extern void keyring_gc(struct key *keyring, time64_t limit);

extern void keyring_restriction_gc(struct key *keyring,

				   struct key_type *dead_type);

void key_set_expiry(struct key *key, time64_t expiry);

extern void key_schedule_gc(time64_t gc_at);

extern void key_schedule_gc_links(void);

extern void key_gc_keytype(struct key_type *ktype);

 */

static inline bool key_is_dead(const struct key *key, time64_t limit)

{

	time64_t expiry = key->expiry;

	if (expiry != TIME64_MAX) {

		if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))

			expiry += key_gc_delay;

		if (expiry <= limit)

			return true;

	}

	return

		key->flags & ((1 << KEY_FLAG_DEAD) |

			      (1 << KEY_FLAG_INVALIDATED)) ||

		(key->expiry > 0 && key->expiry <= limit) ||

		key->domain_tag->removed;

}

	key->uid = uid;

	key->gid = gid;

	key->perm = perm;

	key->expiry = TIME64_MAX;

	key->restrict_link = restrict_link;

	key->last_used_at = ktime_get_real_seconds();

			if (authkey)

				key_invalidate(authkey);

			if (prep->expiry != TIME64_MAX) {

				key->expiry = prep->expiry;

				key_schedule_gc(prep->expiry + key_gc_delay);

			}

			if (prep->expiry != TIME64_MAX)

				key_set_expiry(key, prep->expiry);

		}

	}

		atomic_inc(&key->user->nikeys);

		mark_key_instantiated(key, -error);

		notify_key(key, NOTIFY_KEY_INSTANTIATED, -error);

		key->expiry = ktime_get_real_seconds() + timeout;

		key_schedule_gc(key->expiry + key_gc_delay);

		key_set_expiry(key, ktime_get_real_seconds() + timeout);

		if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags))

			awaken = 1;

void key_set_timeout(struct key *key, unsigned timeout)

{

	time64_t expiry = 0;

	time64_t expiry = TIME64_MAX;

	/* make the changes with the locks held to prevent races */

	down_write(&key->sem);

	if (timeout > 0)

		expiry = ktime_get_real_seconds() + timeout;

	key->expiry = expiry;

	key_schedule_gc(key->expiry + key_gc_delay);

	key_set_expiry(key, expiry);

	up_write(&key->sem);

}