net/packet: rx_owner_map depends on pg_vec

[ Upstream commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 ] Packet sockets may switch ring versions. Avoid misinterpreting state between versions, whose fields share a union. rx_owner_map is only allocated with a packet ring (pg_vec) and both are swapped together. If pg_vec is NULL, meaning no packet ring was allocated, then neither was rx_owner_map. And the field may be old state from a tpacket_v3. Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition") Reported-by: Syzbot <syzbot+1ac0994a0a0c55151121@syzkaller.appspotmail.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://lore.kernel.org/r/20211215143937.106178-1-willemdebruijn.kernel@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Willem de Bruijn <willemb@google.com> 2021-12-15 09:39:37 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-22 09:30:55 +0100
commit: 7da349f07e457cad135df0920a3f670e423fb5e9 (patch)
tree: e6121bee59f47ecc6d05b44fc71d3f8dd8312497 /net/packet
parent: 1a34fb9e2bf3029f7c0882069d67ff69cbd645d8 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 08144559eed5..f78097aa403a 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4461,9 +4461,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 	}
 
 out_free_pg_vec:
-	bitmap_free(rx_owner_map);
-	if (pg_vec)
+	if (pg_vec) {
+		bitmap_free(rx_owner_map);
 		free_pg_vec(pg_vec, order, req->tp_block_nr);
+	}
 out:
 	return err;
 }
author	Willem de Bruijn <willemb@google.com>	2021-12-15 09:39:37 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-12-22 09:30:55 +0100
commit	7da349f07e457cad135df0920a3f670e423fb5e9 (patch)
tree	e6121bee59f47ecc6d05b44fc71d3f8dd8312497 /net/packet
parent	1a34fb9e2bf3029f7c0882069d67ff69cbd645d8 (diff)