Commit bc0230b6 authored by Steffen Klassert's avatar Steffen Klassert

Merge branch 'xfrm/compat: syzbot-found fixes'



Dmitry Safonov says:

====================
v2: Added "Fixes" tags to the patches.

WARN_ON() for XFRMA_UNSPEC translation which likely no-one except
syzkaller uses; properly zerofy tail-padding for 64-bit attribute;
don't use __GFP_ZERO as the memory is initialized during translation.
====================

Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parents 4e0396c5 ad37f77f
+3 −2
@@ -234,6 +234,7 @@ static int xfrm_xlate64_attr(struct sk_buff *dst, const struct nlattr *src)
	case XFRMA_PAD:
		/* Ignore */
		return 0;
	case XFRMA_UNSPEC:
	case XFRMA_ALG_AUTH:
	case XFRMA_ALG_CRYPT:
	case XFRMA_ALG_COMP:
@@ -387,7 +388,7 @@ static int xfrm_attr_cpy32(void *dst, size_t *pos, const struct nlattr *src,

	memcpy(nla, src, nla_attr_size(copy_len));
	nla->nla_len = nla_attr_size(payload);
	*pos += nla_attr_size(payload);
	*pos += nla_attr_size(copy_len);
	nlmsg->nlmsg_len += nla->nla_len;

	memset(dst + *pos, 0, payload - copy_len);
@@ -563,7 +564,7 @@ static struct nlmsghdr *xfrm_user_rcv_msg_compat(const struct nlmsghdr *h32,
		return NULL;

	len += NLMSG_HDRLEN;
	h64 = kvmalloc(len, GFP_KERNEL | __GFP_ZERO);
	h64 = kvmalloc(len, GFP_KERNEL);
	if (!h64)
		return ERR_PTR(-ENOMEM);
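Review bot: Nothing at the `kvmalloc(len, GFP_KERNEL)` call in xfrm_user_rcv_msg_compat records the invariant that now replaces `__GFP_ZERO`: every byte of h64 that is read later has to be written by the translation. In xfrm_attr_cpy32 (taking the second of the two `*pos +=` lines as the new one) the cursor advances by `nla_attr_size(copy_len)` and the memset clears `payload - copy_len` bytes, which covers the attribute's tail but, as far as these lines show, not any alignment padding after it, since nla_attr_size() is the unpadded size. I would add a comment above the allocation, `/* Not zeroed: translation must initialise every byte up to nlmsg_len, padding included */`, and confirm that `payload` is always aligned or that padding is cleared elsewhere. Both functions start and end outside the hunks shown, so a guard for `copy_len > payload` and the bounds check on `*pos` could not be verified from here.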