1 From foo@baz Fri Jul 3 19:59:52 PDT 2015
2 From: Willem de Bruijn <willemb@google.com>
3 Date: Wed, 17 Jun 2015 15:59:34 -0400
4 Subject: packet: avoid out of bounds read in round robin fanout
5
6 From: Willem de Bruijn <willemb@google.com>
7
8 [ Upstream commit 468479e6043c84f5a65299cc07cb08a22a28c2b1 ]
9
10 PACKET_FANOUT_LB computes f->rr_cur such that it is modulo
11 f->num_members. It returns the old value unconditionally, but
12 f->num_members may have changed since the last store. Ensure
13 that the return value is always < num.
14
15 When modifying the logic, simplify it further by replacing the loop
16 with an unconditional atomic increment.
17
18 Fixes: dc99f600698d ("packet: Add fanout support.")
19 Suggested-by: Eric Dumazet <edumazet@google.com>
20 Signed-off-by: Willem de Bruijn <willemb@google.com>
21 Acked-by: Eric Dumazet <edumazet@google.com>
22 Signed-off-by: David S. Miller <davem@davemloft.net>
23 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
24 ---
25 net/packet/af_packet.c | 18 ++----------------
26 1 file changed, 2 insertions(+), 16 deletions(-)
27
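--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1266,16 +1266,6 @@ static void packet_sock_destruct(struct
 sk_refcnt_debug_dec(sk);
 }
 
-static int fanout_rr_next(struct packet_fanout *f, unsigned int num)
-{
- int x = atomic_read(&f->rr_cur) + 1;
-
- if (x >= num)
- x = 0;
-
- return x;
-}
-
 static unsigned int fanout_demux_hash(struct packet_fanout *f,
 struct sk_buff *skb,
 unsigned int num)
@@ -1287,13 +1277,9 @@ static unsigned int fanout_demux_lb(stru
 struct sk_buff *skb,
 unsigned int num)
 {
- int cur, old;
+ unsigned int val = atomic_inc_return(&f->rr_cur);
 
- cur = atomic_read(&f->rr_cur);
- while ((old = atomic_cmpxchg(&f->rr_cur, cur,
- fanout_rr_next(f, num))) != cur)
- cur = old;
- return cur;
+ return val % num;
 }
 
 static unsigned int fanout_demux_cpu(struct packet_fanout *f,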
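Review bot: The `unsigned int` type of `val` in fanout_demux_lb is what keeps the returned index in range, and nothing in the new code says so. atomic_inc_return() hands back a signed int and rr_cur is no longer reset, so the counter will eventually go negative; with a signed `val` the `%` could then yield a negative index. I would add a comment above the declaration, e.g. `/* unsigned on purpose: rr_cur is free-running and a signed remainder could be negative */`. `val % num` also assumes `num` is non-zero; the caller is outside this patch, so it is worth confirming (or stating in a comment) that it rejects an empty fanout group before calling the demux helpers. The function's signature begins above the hunk.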