kernel security update

- Fix Jinja version issue - Fix Compilation Issues: Revert "net/sched: act_mirred: don't override retval if we already lost the skb" Revert "net/sched: act_mirred: use the backlog for mirred ingress" Revert "sysctl: Fix out of bounds access for empty sysctl registers" Revert "Fix memory leak in posix_clock_open()" Test Done: - Android Boot - Wifi/BT - Audio Tracked-On: OAM-122906 Signed-off-by: sgnanase <[email protected]>
projectceladon · Aug 3, 2024 · e1b089a · e1b089a
1 parent f942a88
commit e1b089a
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 29 deletions.
diff --git a/Documentation/sphinx/requirements.txt b/Documentation/sphinx/requirements.txt
@@ -1,4 +1,4 @@
 # jinja2>=3.1 is not compatible with Sphinx<4.0
-jinja2<3.1
+jinja2==3.1.4
 sphinx_rtd_theme
 Sphinx==2.4.4
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
@@ -237,8 +237,7 @@ static int insert_header(struct ctl_dir *dir, struct ctl_table_header *header)
 		return -EROFS;
 
 	/* Am I creating a permanently empty directory? */
-	if (header->ctl_table_size > 0 &&
-	    header->ctl_table == sysctl_mount_point) {
+	if (header->ctl_table == sysctl_mount_point) {
 		if (!RB_EMPTY_ROOT(&dir->root))
 			return -EINVAL;
 		set_empty_dir(dir);
@@ -1215,10 +1214,6 @@ static bool get_links(struct ctl_dir *dir,
 	struct ctl_table_header *head;
 	struct ctl_table *entry, *link;
 
-	if (header->ctl_table_size == 0 ||
-	    sysctl_is_perm_empty_ctl_table(header->ctl_table))
-		return true;
-
 	/* Are there links available for every entry in table? */
 	list_for_each_table_entry(entry, table) {
 		const char *procname = entry->procname;

diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c
@@ -117,17 +117,15 @@ static int posix_clock_open(struct inode *inode, struct file *fp)
 		err = -ENODEV;
 		goto out;
 	}
-	if (clk->ops.open) {
+	if (clk->ops.open)
 		err = clk->ops.open(clk, fp->f_mode);
-		if (err) {
-			kfree(pccontext);
-			goto out;
-		}
-	}
+	else
+		err = 0;
 
-	fp->private_data = pccontext;
-	get_device(clk->dev);
-	err = 0;
+	if (!err) {
+		get_device(clk->dev);
+		fp->private_data = clk;
+	}
 out:
 	up_read(&clk->rwsem);
 	return err;

diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
@@ -447,7 +447,7 @@ static bool tcp_rtx_probe0_timed_out(const struct sock *sk,
 	const struct inet_connection_sock *icsk = inet_csk(sk);
 	u32 user_timeout = READ_ONCE(icsk->icsk_user_timeout);
 	const struct tcp_sock *tp = tcp_sk(sk);
-	const int timeout = TCP_RTO_MAX * 2;
+	int timeout = TCP_RTO_MAX * 2;
 	u32 rcv_delta, rtx_delta;
 
 	rcv_delta = inet_csk(sk)->icsk_timeout - tp->rcv_tstamp;

diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
@@ -205,14 +205,18 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla,
 	return err;
 }
 
-static int
-tcf_mirred_forward(bool at_ingress, bool want_ingress, struct sk_buff *skb)
+static bool is_mirred_nested(void)
+{
+	return unlikely(__this_cpu_read(mirred_nest_level) > 1);
+}
+
+static int tcf_mirred_forward(bool want_ingress, struct sk_buff *skb)
 {
 	int err;
 
 	if (!want_ingress)
 		err = tcf_dev_queue_xmit(skb, dev_queue_xmit);
-	else if (!at_ingress)
+	else if (is_mirred_nested())
 		err = netif_rx(skb);
 	else
 		err = netif_receive_skb(skb);
@@ -261,7 +265,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
 	if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) {
 		net_notice_ratelimited("tc mirred to Houston: device %s is down\n",
 				       dev->name);
-		goto err_cant_do;
+		goto out;
 	}
 
 	/* we could easily avoid the clone only if called by ingress and clsact;
@@ -275,7 +279,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
 	if (!use_reinsert) {
 		skb2 = skb_clone(skb, GFP_ATOMIC);
 		if (!skb2)
-			goto err_cant_do;
+			goto out;
 	}
 
 	want_ingress = tcf_mirred_act_wants_ingress(m_eaction);
@@ -317,16 +321,14 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
 	}
 
 	err = tcf_mirred_forward(want_ingress, skb2);
-	if (err)
+	if (err) {
+out:
 		tcf_action_inc_overlimit_qstats(&m->common);
-
+		if (tcf_mirred_is_act_redirect(m_eaction))
+			retval = TC_ACT_SHOT;
+	}
 	__this_cpu_dec(mirred_nest_level);
-	return retval;
 
-err_cant_do:
-	if (is_redirect)
-		retval = TC_ACT_SHOT;
-	tcf_action_inc_overlimit_qstats(&m->common);
 	return retval;
 }
 

diff --git a/tools/testing/selftests/net/forwarding/tc_actions.sh b/tools/testing/selftests/net/forwarding/tc_actions.sh
@@ -235,6 +235,9 @@ mirred_egress_to_ingress_tcp_test()
 	check_err $? "didn't mirred redirect ICMP"
 	tc_check_packets "dev $h1 ingress" 102 10
 	check_err $? "didn't drop mirred ICMP"
+	local overlimits=$(tc_rule_stats_get ${h1} 101 egress .overlimits)
+	test ${overlimits} = 10
+	check_err $? "wrong overlimits, expected 10 got ${overlimits}"
 
 	tc filter del dev $h1 egress protocol ip pref 100 handle 100 flower
 	tc filter del dev $h1 egress protocol ip pref 101 handle 101 flower