]>
Commit | Line | Data |
---|---|---|
8af540ce GKH |
1 | From foo@baz Sun 09 Jun 2019 09:24:16 AM CEST |
2 | From: Willem de Bruijn <willemb@google.com> | |
3 | Date: Fri, 31 May 2019 12:37:23 -0400 | |
4 | Subject: packet: unconditionally free po->rollover | |
5 | ||
6 | From: Willem de Bruijn <willemb@google.com> | |
7 | ||
8 | [ Upstream commit afa0925c6fcc6a8f610e996ca09bc3215048033c ] | |
9 | ||
10 | Rollover used to use a complex RCU mechanism for assignment, which had | |
11 | a race condition. The below patch fixed the bug and greatly simplified | |
12 | the logic. | |
13 | ||
14 | The feature depends on fanout, but the state is private to the socket. | |
15 | Fanout_release returns f only when the last member leaves and the | |
16 | fanout struct is to be freed. | |
17 | ||
18 | Destroy rollover unconditionally, regardless of fanout state. | |
19 | ||
20 | Fixes: 57f015f5eccf2 ("packet: fix crash in fanout_demux_rollover()") | |
21 | Reported-by: syzbot <syzkaller@googlegroups.com> | |
22 | Diagnosed-by: Dmitry Vyukov <dvyukov@google.com> | |
23 | Signed-off-by: Willem de Bruijn <willemb@google.com> | |
24 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
25 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
26 | --- | |
27 | net/packet/af_packet.c | 2 +- | |
28 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
29 | ||
30 | --- a/net/packet/af_packet.c | |
31 | +++ b/net/packet/af_packet.c | |
32 | @@ -3016,8 +3016,8 @@ static int packet_release(struct socket | |
33 | ||
34 | synchronize_net(); | |
35 | ||
36 | + kfree(po->rollover); | |
37 | if (f) { | |
38 | - kfree(po->rollover); | |
39 | fanout_release_data(f); | |
40 | kfree(f); | |
41 | } |