This is a note to let you know that I've just added the patch titled
ptr_ring: use kmalloc_array()
to the 4.12-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ptr_ring-use-kmalloc_array.patch
and it can be found in the queue-4.12 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Thu Aug 24 17:43:45 PDT 2017
From: Eric Dumazet <edumazet@xxxxxxxxxx>
Date: Wed, 16 Aug 2017 10:36:47 -0700
Subject: ptr_ring: use kmalloc_array()
From: Eric Dumazet <edumazet@xxxxxxxxxx>
[ Upstream commit 81fbfe8adaf38d4f5a98c19bebfd41c5d6acaee8 ]
As found by syzkaller, malicious users can set whatever tx_queue_len
on a tun device and eventually crash the kernel.
Lets remove the ALIGN(XXX, SMP_CACHE_BYTES) thing since a small
ring buffer is not fast anyway.
Fixes: 2e0ab8ca83c1 ("ptr_ring: array based FIFO for pointers")
Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
Cc: Jason Wang <jasowang@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
include/linux/ptr_ring.h | 9 +++++----
include/linux/skb_array.h | 3 ++-
2 files changed, 7 insertions(+), 5 deletions(-)
--- a/include/linux/ptr_ring.h
+++ b/include/linux/ptr_ring.h
@@ -371,9 +371,9 @@ static inline void *ptr_ring_consume_bh(
__PTR_RING_PEEK_CALL_v; \
})
-static inline void **__ptr_ring_init_queue_alloc(int size, gfp_t gfp)
+static inline void **__ptr_ring_init_queue_alloc(unsigned int size, gfp_t gfp)
{
- return kzalloc(ALIGN(size * sizeof(void *), SMP_CACHE_BYTES), gfp);
+ return kcalloc(size, sizeof(void *), gfp);
}
static inline void __ptr_ring_set_size(struct ptr_ring *r, int size)
@@ -462,7 +462,8 @@ static inline int ptr_ring_resize(struct
* In particular if you consume ring in interrupt or BH context, you must
* disable interrupts/BH when doing so.
*/
-static inline int ptr_ring_resize_multiple(struct ptr_ring **rings, int nrings,
+static inline int ptr_ring_resize_multiple(struct ptr_ring **rings,
+ unsigned int nrings,
int size,
gfp_t gfp, void (*destroy)(void *))
{
@@ -470,7 +471,7 @@ static inline int ptr_ring_resize_multip
void ***queues;
int i;
- queues = kmalloc(nrings * sizeof *queues, gfp);
+ queues = kmalloc_array(nrings, sizeof(*queues), gfp);
if (!queues)
goto noqueues;
--- a/include/linux/skb_array.h
+++ b/include/linux/skb_array.h
@@ -162,7 +162,8 @@ static inline int skb_array_resize(struc
}
static inline int skb_array_resize_multiple(struct skb_array **rings,
- int nrings, int size, gfp_t gfp)
+ int nrings, unsigned int size,
+ gfp_t gfp)
{
BUILD_BUG_ON(offsetof(struct skb_array, ring));
return ptr_ring_resize_multiple((struct ptr_ring **)rings,
Patches currently in stable-queue which might be from edumazet@xxxxxxxxxx are
queue-4.12/ipv4-fix-null-dereference-in-free_fib_info_rcu.patch
queue-4.12/tcp-when-rearming-rto-if-rto-time-is-in-past-then-fire-rto-asap.patch
queue-4.12/ipv4-better-ip_max_mtu-enforcement.patch
queue-4.12/dccp-defer-ccid_hc_tx_delete-at-dismantle-time.patch
queue-4.12/tun-handle-register_netdevice-failures-properly.patch
queue-4.12/tipc-fix-use-after-free.patch
queue-4.12/af_key-do-not-use-gfp_kernel-in-atomic-contexts.patch
queue-4.12/ipv6-repair-fib6-tree-in-failure-case.patch
queue-4.12/dccp-purge-write-queue-in-dccp_destroy_sock.patch
queue-4.12/ipv6-reset-fn-rr_ptr-when-replacing-route.patch
queue-4.12/ptr_ring-use-kmalloc_array.patch
queue-4.12/net_sched-sfq-update-hierarchical-backlog-when-drop-packet.patch