This is a note to let you know that I've just added the patch titled net/packet: rx_owner_map depends on pg_vec to the 5.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: net-packet-rx_owner_map-depends-on-pg_vec.patch and it can be found in the queue-5.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 0b057ccfaa19d2bcf7cd2de44ebfed33a00c07ba Author: Willem de Bruijn <willemb@xxxxxxxxxx> Date: Wed Dec 15 09:39:37 2021 -0500 net/packet: rx_owner_map depends on pg_vec [ Upstream commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 ] Packet sockets may switch ring versions. Avoid misinterpreting state between versions, whose fields share a union. rx_owner_map is only allocated with a packet ring (pg_vec) and both are swapped together. If pg_vec is NULL, meaning no packet ring was allocated, then neither was rx_owner_map. And the field may be old state from a tpacket_v3. Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition") Reported-by: Syzbot <syzbot+1ac0994a0a0c55151121@xxxxxxxxxxxxxxxxxxxxxxxxx> Signed-off-by: Willem de Bruijn <willemb@xxxxxxxxxx> Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx> Link: https://lore.kernel.org/r/20211215143937.106178-1-willemdebruijn.kernel@xxxxxxxxx Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 2a2bc64f75cfd..1bc7ef49e1487 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -4457,9 +4457,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, } out_free_pg_vec: - bitmap_free(rx_owner_map); - if (pg_vec) + if (pg_vec) { + bitmap_free(rx_owner_map); free_pg_vec(pg_vec, order, req->tp_block_nr); + } out: return err; }