From 172c351869e5920630f27d20976b079fca30650c Mon Sep 17 00:00:00 2001
From: Pavel Skripkin <paskripkin@gmail.com>
Date: Wed, 1 Sep 2021 21:55:25 +0300
Subject: [PATCH] net: xfrm: fix shift-out-of-bounds in xfrm_get_default

/* ... */

Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
 arch/x86/kernel/setup.c | 1 +
 net/xfrm/xfrm_user.c    | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index da0a4b64880f..c9e3a17b94f9 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -23,6 +23,7 @@
 #include <linux/usb/xhci-dbgp.h>
 #include <linux/static_call.h>
 #include <linux/swiotlb.h>
+#include <linux/acpi.h>
 
 #include <uapi/linux/mount.h>
 
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index b7b986520dc7..a1dd38525957 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2007,6 +2007,9 @@ static int xfrm_get_default(struct sk_buff *skb, struct nlmsghdr *nlh,
 
 	r_up = nlmsg_data(r_nlh);
 
+	if (up->dirmask >= XFRM_USERPOLICY_DIRMASK_MAX)
+		return -EINVAL;
+
 	r_up->action = ((net->xfrm.policy_default & (1 << up->dirmask)) >> up->dirmask);
 	r_up->dirmask = up->dirmask;
 	nlmsg_end(r_skb, r_nlh);
-- 
2.33.0