queue-5.1/packet-unconditionally-free-po-rollover.patch

   1 From foo@baz Sun 09 Jun 2019 09:24:16 AM CEST
   2 From: Willem de Bruijn <willemb@google.com>
   3 Date: Fri, 31 May 2019 12:37:23 -0400
   4 Subject: packet: unconditionally free po->rollover
   5
   6 From: Willem de Bruijn <willemb@google.com>
   7
   8 [ Upstream commit afa0925c6fcc6a8f610e996ca09bc3215048033c ]
   9
  10 Rollover used to use a complex RCU mechanism for assignment, which had
  11 a race condition. The below patch fixed the bug and greatly simplified
  12 the logic.
  13
  14 The feature depends on fanout, but the state is private to the socket.
  15 Fanout_release returns f only when the last member leaves and the
  16 fanout struct is to be freed.
  17
  18 Destroy rollover unconditionally, regardless of fanout state.
  19
  20 Fixes: 57f015f5eccf2 ("packet: fix crash in fanout_demux_rollover()")
  21 Reported-by: syzbot <syzkaller@googlegroups.com>
  22 Diagnosed-by: Dmitry Vyukov <dvyukov@google.com>
  23 Signed-off-by: Willem de Bruijn <willemb@google.com>
  24 Signed-off-by: David S. Miller <davem@davemloft.net>
  25 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  26 ---
  27  net/packet/af_packet.c |    2 +-
  28  1 file changed, 1 insertion(+), 1 deletion(-)
  29
  30 --- a/net/packet/af_packet.c
  31 +++ b/net/packet/af_packet.c
  32 @@ -3016,8 +3016,8 @@ static int packet_release(struct socket
  33
  34         synchronize_net();
  35
  36 +       kfree(po->rollover);
  37         if (f) {
  38 -               kfree(po->rollover);
  39                 fanout_release_data(f);
  40                 kfree(f);
  41         }