5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz luiz.von.dentz@intel.com
[ Upstream commit 13244cccc2b61ec715f0ac583d3037497004d4a5 ]
Like skb_pull but returns the original data pointer before pulling the data after performing a check against sbk->len.
This allows to change code that does "struct foo *p = (void *)skb->data;" which is hard to audit and error prone, to:
p = skb_pull_data(skb, sizeof(*p)); if (!p) return;
Which is both safer and cleaner.
Acked-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Luiz Augusto von Dentz luiz.von.dentz@intel.com Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Marcel Holtmann marcel@holtmann.org Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") Signed-off-by: Sasha Levin sashal@kernel.org --- include/linux/skbuff.h | 2 ++ net/core/skbuff.c | 24 ++++++++++++++++++++++++ 2 files changed, 26 insertions(+)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 15de91c65a09a..b230c422dc3b9 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -2447,6 +2447,8 @@ static inline void *skb_pull_inline(struct sk_buff *skb, unsigned int len) return unlikely(len > skb->len) ? NULL : __skb_pull(skb, len); }
+void *skb_pull_data(struct sk_buff *skb, size_t len); + void *__pskb_pull_tail(struct sk_buff *skb, int delta);
static inline void *__pskb_pull(struct sk_buff *skb, unsigned int len) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 4ec8cfd357eba..17073429cc365 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -2071,6 +2071,30 @@ void *skb_pull(struct sk_buff *skb, unsigned int len) } EXPORT_SYMBOL(skb_pull);
+/** + * skb_pull_data - remove data from the start of a buffer returning its + * original position. + * @skb: buffer to use + * @len: amount of data to remove + * + * This function removes data from the start of a buffer, returning + * the memory to the headroom. A pointer to the original data in the buffer + * is returned after checking if there is enough data to pull. Once the + * data has been pulled future pushes will overwrite the old data. + */ +void *skb_pull_data(struct sk_buff *skb, size_t len) +{ + void *data = skb->data; + + if (skb->len < len) + return NULL; + + skb_pull(skb, len); + + return data; +} +EXPORT_SYMBOL(skb_pull_data); + /** * skb_trim - remove end from a buffer * @skb: buffer to alter