This is a note to let you know that I've just added the patch titled module: avoid *goto*s in module_sig_check() to the 5.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: module-avoid-goto-s-in-module_sig_check.patch and it can be found in the queue-5.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit c5d4af31cebd2d83fdb7bb7b7d11cbc086c18a4a Author: Sergey Shtylyov <s.shtylyov@xxxxxxxxxxxx> Date: Sat Oct 31 23:09:31 2020 +0300 module: avoid *goto*s in module_sig_check() [ Upstream commit 10ccd1abb808599a6dc7c9389560016ea3568085 ] Let's move the common handling of the non-fatal errors after the *switch* statement -- this avoids *goto*s inside that *switch*... Suggested-by: Joe Perches <joe@xxxxxxxxxxx> Reviewed-by: Miroslav Benes <mbenes@xxxxxxx> Signed-off-by: Sergey Shtylyov <s.shtylyov@xxxxxxxxxxxx> Signed-off-by: Jessica Yu <jeyu@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/kernel/module.c b/kernel/module.c index 3b6dd8200d3d..f1be6b6a3a3d 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2923,20 +2923,13 @@ static int module_sig_check(struct load_info *info, int flags) */ case -ENODATA: reason = "unsigned module"; - goto decide; + break; case -ENOPKG: reason = "module with unsupported crypto"; - goto decide; + break; case -ENOKEY: reason = "module with unavailable key"; - decide: - if (is_module_sig_enforced()) { - pr_notice("%s: loading of %s is rejected\n", - info->name, reason); - return -EKEYREJECTED; - } - - return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); + break; /* All other errors are fatal, including nomem, unparseable * signatures and signature check failures - even if signatures @@ -2945,6 +2938,13 @@ static int module_sig_check(struct load_info *info, int flags) default: return err; } + + if (is_module_sig_enforced()) { + pr_notice("%s: loading of %s is rejected\n", info->name, reason); + return -EKEYREJECTED; + } + + return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); } #else /* !CONFIG_MODULE_SIG */ static int module_sig_check(struct load_info *info, int flags)