ACK: [SRU v2][F/gke][PATCH] net/packet: rx_owner_map depends on pg_vec

Tim Gardner tim.gardner at canonical.com
Thu Jan 27 12:46:19 UTC 2022


Acked-by: Tim Gardner <tim.gardner at canonical.com>

On 1/27/22 1:00 AM, Khalid Elmously wrote:
> From: Willem de Bruijn <willemb at google.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1959173
> 
> Packet sockets may switch ring versions. Avoid misinterpreting state
> between versions, whose fields share a union. rx_owner_map is only
> allocated with a packet ring (pg_vec) and both are swapped together.
> If pg_vec is NULL, meaning no packet ring was allocated, then neither
> was rx_owner_map. And the field may be old state from a tpacket_v3.
> 
> Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition")
> Reported-by: Syzbot <syzbot+1ac0994a0a0c55151121 at syzkaller.appspotmail.com>
> Signed-off-by: Willem de Bruijn <willemb at google.com>
> Reviewed-by: Eric Dumazet <edumazet at google.com>
> Link: https://lore.kernel.org/r/20211215143937.106178-1-willemdebruijn.kernel@gmail.com
> Signed-off-by: Jakub Kicinski <kuba at kernel.org>
> (cherry picked from commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755)
> Signed-off-by: Khalid Elmously <khalid.elmously at canonical.com>
> ---
>   net/packet/af_packet.c | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
> index 46943a18a10d..76c2dca7f0a5 100644
> --- a/net/packet/af_packet.c
> +++ b/net/packet/af_packet.c
> @@ -4492,9 +4492,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
>   	}
>   
>   out_free_pg_vec:
> -	bitmap_free(rx_owner_map);
> -	if (pg_vec)
> +	if (pg_vec) {
> +		bitmap_free(rx_owner_map);
>   		free_pg_vec(pg_vec, order, req->tp_block_nr);
> +	}
>   out:
>   	return err;
>   }
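
Review bot: At out_free_pg_vec, the new `if (pg_vec) {` block frees rx_owner_map without any comment saying why the free is conditional, so the guard reads like an ordinary NULL check. Per the commit message, rx_owner_map is only valid when pg_vec is non-NULL and may otherwise be leftover tpacket_v3 state from the shared union. A one-line comment above the block stating that invariant would keep a later cleanup from moving bitmap_free(rx_owner_map) back outside the guard.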

-- 
-----------
Tim Gardner
Canonical, Inc


