net/packet: rx_owner_map depends on pg_vec

[ Upstream commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 ]

Packet sockets may switch ring versions. Avoid misinterpreting state
between versions, whose fields share a union. rx_owner_map is only
allocated with a packet ring (pg_vec) and both are swapped together.
If pg_vec is NULL, meaning no packet ring was allocated, then neither
was rx_owner_map. And the field may be old state from a tpacket_v3.

Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition")
Reported-by: Syzbot <syzbot+1ac0994a0a0c55151121@syzkaller.appspotmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20211215143937.106178-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Harrison Lingren <hlingren@google.com>

Bug: 213464034
Change-Id: Iafc2a65428cf31247c4d679494c2a978898c852c
1 file changed
tree: 3361971baa38c24db3c0e0456488213622753cea
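The invariant stated in the commit message, as an added userspace illustration (not the kernel code and not part of this commit): a field that lives in a version-shared union may only be interpreted when `pg_vec` is non-NULL. All struct, field-layout and function names below are hypothetical stand-ins, and the ring contents are constructed sample values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Userspace model only: every name below is hypothetical, not a kernel identifier. */
struct v3_state { unsigned long blk_size, frames; };   /* stand-in for v3-only ring state */

struct ring {
    void **pg_vec;                    /* NULL means no packet ring is allocated */
    union {                           /* both ring versions share this storage */
        unsigned long *rx_owner_map;  /* v1/v2: allocated and swapped with pg_vec */
        struct v3_state v3;           /* v3 */
    } u;
};

/* What an unguarded teardown would pass to free(): whatever bytes sit in the union. */
static void *owner_map_unguarded(const struct ring *r) { return r->u.rx_owner_map; }
/* Guarded read: the owner map can only exist if pg_vec exists. */
static void *owner_map_guarded(const struct ring *r) { return r->pg_vec ? (void *)r->u.rx_owner_map : NULL; }

static void ring_release(struct ring *r)
{
    free(owner_map_guarded(r));       /* free(NULL) is a no-op */
    free(r->pg_vec);
    memset(r, 0, sizeof(*r));
}

/* Constructed state: v3 fields were written, no ring is allocated, version is now v2. */
static struct ring stale_ring(void)
{
    struct ring r;
    memset(&r, 0, sizeof(r));
    r.u.v3 = (struct v3_state){ 4096, 32 };
    return r;
}

/* Constructed state: a live v2 ring with its owner map, released through the guard. */
static int live_ring_roundtrip(void)
{
    struct ring r = { calloc(4, sizeof(void *)), { calloc(1, sizeof(unsigned long)) } };
    int ok = r.pg_vec && owner_map_guarded(&r) == (void *)r.u.rx_owner_map;
    ring_release(&r);
    return ok && r.pg_vec == NULL;
}

int main(void)
{
    struct ring s = stale_ring();
    printf("unguarded=%p guarded=%p live_ok=%d\n", owner_map_unguarded(&s), owner_map_guarded(&s), live_ring_roundtrip());
}
```

The unguarded accessor returns the leftover v3 bytes reinterpreted as a pointer, which is the value a teardown path must never free; the guarded accessor returns NULL for the same state.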