From: zhanglin zhang.lin16@zte.com.cn

mainline inclusion from mainline-v5.3-rc7 commit b45ce32135d1c82a5bf12aa56957c3fd27956057 category: bugfix bugzilla: 20825 CVE: NA

-------------------------------------

If protocols registered exceeded PROTO_INUSE_NR, prot will be added to proto_list, but no available bit left for prot in proto_inuse_idx.

Changes since v2: * Propagate the error code properly

Signed-off-by: zhanglin zhang.lin16@zte.com.cn Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: guodeqing geffrey.guo@huawei.com Reviewed-by: Wenan Mao maowenan@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- net/core/sock.c | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/net/core/sock.c b/net/core/sock.c index f0b4657..910d0e0 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -3216,16 +3216,17 @@ static __init int net_inuse_init(void)

core_initcall(net_inuse_init);

-static void assign_proto_idx(struct proto *prot) +static int assign_proto_idx(struct proto *prot) { prot->inuse_idx = find_first_zero_bit(proto_inuse_idx, PROTO_INUSE_NR);

if (unlikely(prot->inuse_idx == PROTO_INUSE_NR - 1)) { pr_err("PROTO_INUSE_NR exhausted\n"); - return; + return -ENOSPC; }

set_bit(prot->inuse_idx, proto_inuse_idx); + return 0; }

static void release_proto_idx(struct proto *prot) @@ -3234,8 +3235,9 @@ static void release_proto_idx(struct proto *prot) clear_bit(prot->inuse_idx, proto_inuse_idx); } #else -static inline void assign_proto_idx(struct proto *prot) +static inline int assign_proto_idx(struct proto *prot) { + return 0; }

static inline void release_proto_idx(struct proto *prot) @@ -3284,6 +3286,8 @@ static int req_prot_init(const struct proto *prot)

int proto_register(struct proto *prot, int alloc_slab) { + int ret = -ENOBUFS; + if (alloc_slab) { prot->slab = kmem_cache_create_usercopy(prot->name, prot->obj_size, 0, @@ -3320,20 +3324,27 @@ int proto_register(struct proto *prot, int alloc_slab) }

mutex_lock(&proto_list_mutex); + ret = assign_proto_idx(prot); + if (ret) { + mutex_unlock(&proto_list_mutex); + goto out_free_timewait_sock_slab_name; + } list_add(&prot->node, &proto_list); - assign_proto_idx(prot); mutex_unlock(&proto_list_mutex); - return 0; + return ret;

out_free_timewait_sock_slab_name: - kfree(prot->twsk_prot->twsk_slab_name); + if (alloc_slab && prot->twsk_prot) + kfree(prot->twsk_prot->twsk_slab_name); out_free_request_sock_slab: - req_prot_cleanup(prot->rsk_prot); + if (alloc_slab) { + req_prot_cleanup(prot->rsk_prot);

- kmem_cache_destroy(prot->slab); - prot->slab = NULL; + kmem_cache_destroy(prot->slab); + prot->slab = NULL; + } out: - return -ENOBUFS; + return ret; } EXPORT_SYMBOL(proto_register);