1 From foo@baz Fri Jul 3 19:59:52 PDT 2015
2 From: Willem de Bruijn <willemb@google.com>
3 Date: Wed, 17 Jun 2015 15:59:34 -0400
4 Subject: packet: avoid out of bounds read in round robin fanout
6 From: Willem de Bruijn <willemb@google.com>
8 [ Upstream commit 468479e6043c84f5a65299cc07cb08a22a28c2b1 ]
10 PACKET_FANOUT_LB computes f->rr_cur such that it is modulo
11 f->num_members. It returns the old value unconditionally, but
12 f->num_members may have changed since the last store. Ensure
13 that the return value is always < num.
15 When modifying the logic, simplify it further by replacing the loop
16 with an unconditional atomic increment.
18 Fixes: dc99f600698d ("packet: Add fanout support.")
19 Suggested-by: Eric Dumazet <edumazet@google.com>
20 Signed-off-by: Willem de Bruijn <willemb@google.com>
21 Acked-by: Eric Dumazet <edumazet@google.com>
22 Signed-off-by: David S. Miller <davem@davemloft.net>
23 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
25 net/packet/af_packet.c | 18 ++----------------
26 1 file changed, 2 insertions(+), 16 deletions(-)
28 --- a/net/packet/af_packet.c
29 +++ b/net/packet/af_packet.c
30 @@ -1266,16 +1266,6 @@ static void packet_sock_destruct(struct
31 sk_refcnt_debug_dec(sk);
34 -static int fanout_rr_next(struct packet_fanout *f, unsigned int num)
36 - int x = atomic_read(&f->rr_cur) + 1;
44 static unsigned int fanout_demux_hash(struct packet_fanout *f,
47 @@ -1287,13 +1277,9 @@ static unsigned int fanout_demux_lb(stru
52 + unsigned int val = atomic_inc_return(&f->rr_cur);
54 - cur = atomic_read(&f->rr_cur);
55 - while ((old = atomic_cmpxchg(&f->rr_cur, cur,
56 - fanout_rr_next(f, num))) != cur)
62 static unsigned int fanout_demux_cpu(struct packet_fanout *f,