--- /dev/null
+From 9144d75e22cad3c89e6b2ccab551db9ee28d250a Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Tue, 21 Aug 2018 21:57:03 -0700
+Subject: include/linux/bitops.h: introduce BITS_PER_TYPE
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 9144d75e22cad3c89e6b2ccab551db9ee28d250a upstream.
+
+net_dim.h has a rather useful extension to BITS_PER_BYTE to compute the
+number of bits in a type (BITS_PER_BYTE * sizeof(T)), so promote the macro
+to bitops.h, alongside BITS_PER_BYTE, for wider usage.
+
+Link: http://lkml.kernel.org/r/20180706094458.14116-1-chris@chris-wilson.co.uk
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Andy Gospodarek <gospo@broadcom.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[only take the bitops.h portion for stable kernels - gregkh]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/bitops.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/linux/bitops.h
++++ b/include/linux/bitops.h
+@@ -3,7 +3,8 @@
+ #include <asm/types.h>
+ #include <linux/bits.h>
+
+-#define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, BITS_PER_BYTE * sizeof(long))
++#define BITS_PER_TYPE(type) (sizeof(type) * BITS_PER_BYTE)
++#define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, BITS_PER_TYPE(long))
+
+ extern unsigned int __sw_hweight8(unsigned int w);
+ extern unsigned int __sw_hweight16(unsigned int w);
--- /dev/null
+From 3a20773beeeeadec41477a5ba872175b778ff752 Mon Sep 17 00:00:00 2001
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Thu, 20 Feb 2020 16:42:13 +0200
+Subject: net: netlink: cap max groups which will be considered in netlink_bind()
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+commit 3a20773beeeeadec41477a5ba872175b778ff752 upstream.
+
+Since nl_groups is a u32 we can't bind more groups via ->bind
+(netlink_bind) call, but netlink has supported more groups via
+setsockopt() for a long time and thus nlk->ngroups could be over 32.
+Recently I added support for per-vlan notifications and increased the
+groups to 33 for NETLINK_ROUTE which exposed an old bug in the
+netlink_bind() code causing out-of-bounds access on archs where unsigned
+long is 32 bits via test_bit() on a local variable. Fix this by capping the
+maximum groups in netlink_bind() to BITS_PER_TYPE(u32), effectively
+capping them at 32 which is the minimum of allocated groups and the
+maximum groups which can be bound via netlink_bind().
+
+CC: Christophe Leroy <christophe.leroy@c-s.fr>
+CC: Richard Guy Briggs <rgb@redhat.com>
+Fixes: 4f520900522f ("netlink: have netlink per-protocol bind function return an error code.")
+Reported-by: Erhard F. <erhard_f@mailbox.org>
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netlink/af_netlink.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1003,7 +1003,8 @@ static int netlink_bind(struct socket *s
+ if (nlk->netlink_bind && groups) {
+ int group;
+
+- for (group = 0; group < nlk->ngroups; group++) {
++ /* nl_groups is a u32, so cap the maximum groups we can bind */
++ for (group = 0; group < BITS_PER_TYPE(u32); group++) {
+ if (!test_bit(group, &groups))
+ continue;
+ err = nlk->netlink_bind(net, group + 1);
+@@ -1022,7 +1023,7 @@ static int netlink_bind(struct socket *s
+ netlink_insert(sk, nladdr->nl_pid) :
+ netlink_autobind(sock);
+ if (err) {
+- netlink_undo_bind(nlk->ngroups, groups, sk);
++ netlink_undo_bind(BITS_PER_TYPE(u32), groups, sk);
+ return err;
+ }
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
