diff options
| author | Willem de Bruijn <willemb@google.com> | 2021-12-15 09:39:37 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-12-22 09:29:38 +0100 |
| commit | 027a13973dadb64ef4f19db56c9b619ee82c3375 (patch) | |
| tree | de633eeef6550932431ab6106aae2ea9b0b1a1e5 /net/packet | |
| parent | 699e794c12a3cd79045ff135bc87a53b97024e43 (diff) | |
net/packet: rx_owner_map depends on pg_vec
[ Upstream commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 ]
Packet sockets may switch ring versions. Avoid misinterpreting state
between versions, whose fields share a union. rx_owner_map is only
allocated with a packet ring (pg_vec) and both are swapped together.
If pg_vec is NULL, meaning no packet ring was allocated, then neither
was rx_owner_map. And the field may be old state from a tpacket_v3.
Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition")
Reported-by: Syzbot <syzbot+1ac0994a0a0c55151121@syzkaller.appspotmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20211215143937.106178-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net/packet')
| -rw-r--r-- | net/packet/af_packet.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 0ffbf3d17911..6062bd5bf132 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -4453,9 +4453,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, } out_free_pg_vec: - bitmap_free(rx_owner_map); - if (pg_vec) + if (pg_vec) { + bitmap_free(rx_owner_map); free_pg_vec(pg_vec, order, req->tp_block_nr); + } out: return err; } |