| commit | bf945a4e17d9a0c73881d4a6ac2ac8e7e5f85ca0 | [log] [tgz] |
|---|---|---|
| author | Willem de Bruijn <[email protected]> | Wed Dec 15 09:39:37 2021 -0500 |
| committer | Robert Kolchmeyer <[email protected]> | Mon Jan 10 22:21:01 2022 +0000 |
| tree | be73f1465c25a69b8897c2095cf85f854cb99d0b | |
| parent | ff08cf6a8fce6c0aa39cb50fdba5698b37984107 [diff] |
net/packet: rx_owner_map depends on pg_vec
[ Upstream commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 ]
Packet sockets may switch ring versions. Avoid misinterpreting state
between versions, whose fields share a union. rx_owner_map is only
allocated with a packet ring (pg_vec) and both are swapped together.
If pg_vec is NULL, meaning no packet ring was allocated, then neither
was rx_owner_map. And the field may be old state from a tpacket_v3.
Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition")
Reported-by: Syzbot <[email protected]>
Signed-off-by: Willem de Bruijn <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
(cherry picked from commit 7da349f07e457cad135df0920a3f670e423fb5e9)
Signed-off-by: Robert Kolchmeyer <[email protected]>
BUG=b/213408300,b/213920404
TEST=presubmit
RELEASE_NOTE=Fixed a double-free issue in packet_set_ring in the Linux kernel.
cos-patch: bug
Change-Id: Ida77996f5bcbdf5441eb3bf8b15a9025809f2d35
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/27240
Reviewed-by: Vaibhav Rustagi <[email protected]>
Reviewed-by: Oleksandr Tymoshenko <[email protected]>
Tested-by: Robert Kolchmeyer <[email protected]>