Patchwork [3.5.y.z,extended,stable] Patch "packet: fix leakage of tx_ring memory" has been added to staging queue

mail settings
Submitter Herton Ronaldo Krzesinski
Date Feb. 15, 2013, 3:11 a.m.
Message ID <>
Download mbox | patch
Permalink /patch/220602/
State New
Headers show


Herton Ronaldo Krzesinski - Feb. 15, 2013, 3:11 a.m.
This is a note to let you know that I have just added a patch titled

    packet: fix leakage of tx_ring memory

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From 17e1037df6f875be31e52f4a5532ceb97e725223 Mon Sep 17 00:00:00 2001
From: Phil Sutter <>
Date: Fri, 1 Feb 2013 07:21:41 +0000
Subject: [PATCH] packet: fix leakage of tx_ring memory

commit 9665d5d62487e8e7b1f546c00e11107155384b9a upstream.

When releasing a packet socket, the routine packet_set_ring() is reused
to free rings instead of allocating them. But when calling it for the
first time, it fills req->tp_block_nr with the value of rb->pg_vec_len
which in the second invocation makes it bail out since req->tp_block_nr
is greater zero but req->tp_block_size is zero.

This patch solves the problem by passing a zeroed auto-variable to
packet_set_ring() upon each invocation from packet_release().

As far as I can tell, this issue exists even since 69e3c75 (net: TX_RING
and packet mmap), i.e. the original inclusion of TX ring support into
af_packet, but applies only to sockets with both RX and TX ring
allocated, which is probably why this was unnoticed all the time.

Signed-off-by: Phil Sutter <>
Cc: Johann Baudy <>
Cc: Daniel Borkmann <>
Acked-by: Daniel Borkmann <>
Signed-off-by: David S. Miller <>
Signed-off-by: Herton Ronaldo Krzesinski <>
 net/packet/af_packet.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)



diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 901cffd..02b1ef8 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2450,13 +2450,15 @@  static int packet_release(struct socket *sock)


-	memset(&req_u, 0, sizeof(req_u));
-	if (po->rx_ring.pg_vec)
+	if (po->rx_ring.pg_vec) {
+		memset(&req_u, 0, sizeof(req_u));
 		packet_set_ring(sk, &req_u, 1, 0);
+	}

-	if (po->tx_ring.pg_vec)
+	if (po->tx_ring.pg_vec) {
+		memset(&req_u, 0, sizeof(req_u));
 		packet_set_ring(sk, &req_u, 1, 1);
+	}