[thirdparty/kernel/stable-queue.git] / queue-5.1 / packet-unconditionally-free-po-rollover.patch

From foo@baz Sun 09 Jun 2019 09:24:16 AM CEST
From: Willem de Bruijn <willemb@google.com>
Date: Fri, 31 May 2019 12:37:23 -0400
Subject: packet: unconditionally free po->rollover

From: Willem de Bruijn <willemb@google.com>

[ Upstream commit afa0925c6fcc6a8f610e996ca09bc3215048033c ]

Rollover used to use a complex RCU mechanism for assignment, which had
a race condition. The below patch fixed the bug and greatly simplified
the logic.

The feature depends on fanout, but the state is private to the socket.
Fanout_release returns f only when the last member leaves and the
fanout struct is to be freed.

Destroy rollover unconditionally, regardless of fanout state.

Fixes: 57f015f5eccf2 ("packet: fix crash in fanout_demux_rollover()")
Reported-by: syzbot <syzkaller@googlegroups.com>
Diagnosed-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/packet/af_packet.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3016,8 +3016,8 @@ static int packet_release(struct socket
 
 	synchronize_net();
 
+	kfree(po->rollover);
 	if (f) {
-		kfree(po->rollover);
 		fanout_release_data(f);
 		kfree(f);
 	}
Commit	Line	Data
8af540ce GKH	1	From foo@baz Sun 09 Jun 2019 09:24:16 AM CEST
	2	From: Willem de Bruijn <willemb@google.com>
	3	Date: Fri, 31 May 2019 12:37:23 -0400
	4	Subject: packet: unconditionally free po->rollover
	5
	6	From: Willem de Bruijn <willemb@google.com>
	7
	8	[ Upstream commit afa0925c6fcc6a8f610e996ca09bc3215048033c ]
	9
	10	Rollover used to use a complex RCU mechanism for assignment, which had
	11	a race condition. The below patch fixed the bug and greatly simplified
	12	the logic.
	13
	14	The feature depends on fanout, but the state is private to the socket.
	15	Fanout_release returns f only when the last member leaves and the
	16	fanout struct is to be freed.
	17
	18	Destroy rollover unconditionally, regardless of fanout state.
	19
	20	Fixes: 57f015f5eccf2 ("packet: fix crash in fanout_demux_rollover()")
	21	Reported-by: syzbot <syzkaller@googlegroups.com>
	22	Diagnosed-by: Dmitry Vyukov <dvyukov@google.com>
	23	Signed-off-by: Willem de Bruijn <willemb@google.com>
	24	Signed-off-by: David S. Miller <davem@davemloft.net>
	25	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	26	---
	27	net/packet/af_packet.c \| 2 +-
	28	1 file changed, 1 insertion(+), 1 deletion(-)
	29
	30	--- a/net/packet/af_packet.c
	31	+++ b/net/packet/af_packet.c
	32	@@ -3016,8 +3016,8 @@ static int packet_release(struct socket
	33
	34	synchronize_net();
	35
	36	+ kfree(po->rollover);
	37	if (f) {
	38	- kfree(po->rollover);
	39	fanout_release_data(f);
	40	kfree(f);
	41	}