From foo@baz Sun 09 Jun 2019 09:24:16 AM CEST
From: Willem de Bruijn <willemb@google.com>
Date: Fri, 31 May 2019 12:37:23 -0400
Subject: packet: unconditionally free po->rollover

From: Willem de Bruijn <willemb@google.com>

[ Upstream commit afa0925c6fcc6a8f610e996ca09bc3215048033c ]

Rollover used to use a complex RCU mechanism for assignment, which had
a race condition. The below patch fixed the bug and greatly simplified

The feature depends on fanout, but the state is private to the socket.
Fanout_release returns f only when the last member leaves and the
fanout struct is to be freed.

Destroy rollover unconditionally, regardless of fanout state.

Fixes: 57f015f5eccf2 ("packet: fix crash in fanout_demux_rollover()")
Reported-by: syzbot <syzkaller@googlegroups.com>
Diagnosed-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net/packet/af_packet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
30 --- a/net/packet/af_packet.c
31 +++ b/net/packet/af_packet.c
32 @@ -3016,8 +3016,8 @@ static int packet_release(struct socket
36 + kfree(po->rollover);
38 - kfree(po->rollover);
39 fanout_release_data(f);
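Review bot: The relocated kfree(po->rollover) in packet_release() carries no comment explaining why it must not depend on f, so the only record of that reasoning is the commit message. A one-line comment above the added kfree(po->rollover); stating that the rollover struct is per-socket state and has to be freed even when other fanout members remain (so fanout_release() did not return f) would keep a later cleanup from moving it back next to fanout_release_data(f) and reintroducing the leak. No NULL guard is needed for sockets that never enabled rollover, since kfree() accepts NULL. The message could also say explicitly that the free at its new position still happens only after no reader can reach po->rollover, because the visible context lines do not show that ordering.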