Message ID | 20130118153446.3AE05C1AFE@unicorn.suse.cz |
---|---|
State | Awaiting Upstream, archived |
Delegated to: | David Miller |
From: Michal Kubecek <mkubecek@suse.cz>
Date: Fri, 18 Jan 2013 16:03:48 +0100

> Missing multiplication of block size by sizeof(struct hlist_head)
> can cause xfrm_hash_free() to be called with wrong second argument
> so that kfree() is called on a block allocated with vzalloc() or
> __get_free_pages() or free_pages() is called with wrong order when
> a namespace with enough policies is removed.
>
> Bug introduced by commit a35f6c5d, i.e. versions >= 2.6.29 are
> affected.
>
> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>

I'll let Steffen pick this one up.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

On Fri, Jan 18, 2013 at 04:03:48PM +0100, Michal Kubecek wrote:
> Missing multiplication of block size by sizeof(struct hlist_head)
> can cause xfrm_hash_free() to be called with wrong second argument
> so that kfree() is called on a block allocated with vzalloc() or
> __get_free_pages() or free_pages() is called with wrong order when
> a namespace with enough policies is removed.
>
> Bug introduced by commit a35f6c5d, i.e. versions >= 2.6.29 are
> affected.
>
> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>

Applied, Thanks!

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 41eabc4..07c5857 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -2656,7 +2656,7 @@ static void xfrm_policy_fini(struct net *net) WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir])); htab = &net->xfrm.policy_bydst[dir]; - sz = (htab->hmask + 1); + sz = (htab->hmask + 1) * sizeof(struct hlist_head); WARN_ON(!hlist_empty(htab->table)); xfrm_hash_free(htab->table, sz); }
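
Review bot: In xfrm_policy_fini() the corrected "sz = (htab->hmask + 1) * sizeof(struct hlist_head);" still open-codes the byte size at the free site, so nothing ties it to the size that was used when htab->table was allocated, and per the commit message xfrm_hash_free() derives both the free routine and the page order from exactly this value. Consider a small helper that returns the table's byte size from hmask and calling it on both the allocation and the free side, so the two cannot drift apart again. The commit message also identifies the offending change only as a35f6c5d; adding that commit's subject line would make the reference easier to verify.
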
Missing multiplication of block size by sizeof(struct hlist_head)
can cause xfrm_hash_free() to be called with wrong second argument
so that kfree() is called on a block allocated with vzalloc() or
__get_free_pages() or free_pages() is called with wrong order when
a namespace with enough policies is removed.

Bug introduced by commit a35f6c5d, i.e. versions >= 2.6.29 are
affected.

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
---
 net/xfrm/xfrm_policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
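
The size-dependent free path the commit message describes, as a user-space model added here (not code from the patch or from the kernel tree). It shows at which table sizes an entry count passed as a byte size selects a different free routine or page order than the allocation used. The 4 KiB page, the 8-byte struct hlist_head, the one-page slab threshold and all function names are assumptions of the model.

```c
#include <stdio.h>

/* Model assumptions (not from the page): 4 KiB pages, 8-byte hlist_head,
 * and one page as the slab-vs-pages threshold on both alloc and free side. */
#define MODEL_PAGE_SIZE 4096UL
#define MODEL_HEAD_SIZE 8UL

enum backend { SLAB, PAGES };   /* PAGES: vzalloc() or __get_free_pages() */

/* The same size test decides how a table is allocated and how it is freed. */
static enum backend backend_for(unsigned long sz)
{
    return sz <= MODEL_PAGE_SIZE ? SLAB : PAGES;
}

/* Smallest order with (page size << order) >= sz, as for free_pages(). */
static unsigned int order_for(unsigned long sz)
{
    unsigned int order = 0;
    while ((MODEL_PAGE_SIZE << order) < sz)
        order++;
    return order;
}

/* 1 if freeing with free_sz does not match an allocation of alloc_sz.
 * The order check is the page-allocator case from the commit message. */
static int free_mismatch(unsigned long alloc_sz, unsigned long free_sz)
{
    if (backend_for(alloc_sz) != backend_for(free_sz))
        return 1;               /* e.g. kfree() on a non-slab block */
    return backend_for(alloc_sz) == PAGES &&
           order_for(alloc_sz) != order_for(free_sz);
}

/* Before the fix: the entry count is passed where a byte size is expected. */
static int buggy_mismatch(unsigned long hmask)
{
    return free_mismatch((hmask + 1) * MODEL_HEAD_SIZE, hmask + 1);
}

/* After the fix: the free side uses the same byte size as the allocation. */
static int fixed_mismatch(unsigned long hmask)
{
    unsigned long sz = (hmask + 1) * MODEL_HEAD_SIZE;
    return free_mismatch(sz, sz);
}

int main(void)
{
    for (unsigned long n = 8; n <= 8192; n <<= 1)
        printf("%5lu entries: before=%d after=%d\n", n,
               buggy_mismatch(n - 1), fixed_mismatch(n - 1));
    return 0;
}
```

Under these assumptions, tables of up to 512 entries fit in one page and free correctly even with the wrong size, which matches the commit message's condition of "a namespace with enough policies".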