netdev.vger.kernel.org archive mirror
* [PATCH net] xfrm: fix freed block size calculation in xfrm_policy_fini()
@ 2013-01-18 15:03 Michal Kubecek
  2013-01-18 19:43 ` David Miller
  2013-01-21 12:02 ` Steffen Klassert
  0 siblings, 2 replies; 3+ messages in thread
From: Michal Kubecek @ 2013-01-18 15:03 UTC (permalink / raw)
  To: Steffen Klassert; +Cc: Herbert Xu, David S. Miller, netdev

Missing multiplication of block size by sizeof(struct hlist_head)
can cause xfrm_hash_free() to be called with wrong second argument
so that kfree() is called on a block allocated with vzalloc() or
__get_free_pages() or free_pages() is called with wrong order when
a namespace with enough policies is removed.

Bug introduced by commit a35f6c5d, i.e. versions >= 2.6.29 are
affected.

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
---
 net/xfrm/xfrm_policy.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 41eabc4..07c5857 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2656,7 +2656,7 @@ static void xfrm_policy_fini(struct net *net)
 		WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir]));
 
 		htab = &net->xfrm.policy_bydst[dir];
-		sz = (htab->hmask + 1);
+		sz = (htab->hmask + 1) * sizeof(struct hlist_head);
 		WARN_ON(!hlist_empty(htab->table));
 		xfrm_hash_free(htab->table, sz);
 	}
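Review bot: The `sz` assignment ahead of `xfrm_hash_free(htab->table, sz)` still open-codes the byte size from `htab->hmask`, so nothing ties it to the size the table was allocated with, and the same slip can come back on the next edit. Consider a small helper that returns `(hmask + 1) * sizeof(struct hlist_head)` for use wherever the table is allocated, resized or freed, or at least a comment stating that the second argument is a size in bytes. Separately, `WARN_ON(!hlist_empty(htab->table))` looks only at the first bucket of the table, so entries left in any other bucket would not trigger it.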
-- 
1.7.10.4
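
The mismatch described in the commit message above, as an added userspace model (not kernel code and not part of the original patch). It assumes 4 KiB pages and a free routine that picks its backend from the byte size it is given; `hashdist` and all `model_*` names are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
/* Userspace model only. Assumptions: 4 KiB pages, and a free routine that
 * picks its backend from the byte size it is given. */
#define MODEL_PAGE_SIZE 4096u
struct model_hlist_head { void *first; };   /* stand-in for struct hlist_head */
enum backend { BACKEND_KMALLOC, BACKEND_VMALLOC, BACKEND_PAGES };

/* Smallest order with (page size << order) >= sz. */
static unsigned int model_get_order(size_t sz)
{
	unsigned int order = 0;
	while (((size_t)MODEL_PAGE_SIZE << order) < sz)
		order++;
	return order;
}

/* Backend chosen for a byte size; hashdist selects vmalloc over whole pages. */
static enum backend model_backend(size_t sz, int hashdist)
{
	if (sz <= MODEL_PAGE_SIZE)
		return BACKEND_KMALLOC;
	return hashdist ? BACKEND_VMALLOC : BACKEND_PAGES;
}

/* 1 if freeing with free_sz undoes an allocation made with alloc_sz. */
static int free_matches_alloc(size_t alloc_sz, size_t free_sz, int hashdist)
{
	enum backend a = model_backend(alloc_sz, hashdist);
	if (a != model_backend(free_sz, hashdist))
		return 0;                       /* wrong free routine */
	if (a == BACKEND_PAGES)                 /* page frees also need the order */
		return model_get_order(alloc_sz) == model_get_order(free_sz);
	return 1;
}

static size_t buggy_sz(unsigned int hmask) { return (size_t)hmask + 1; }
static size_t fixed_sz(unsigned int hmask)
{
	return ((size_t)hmask + 1) * sizeof(struct model_hlist_head);
}

int main(void)
{
	unsigned int m[] = { 7, 4095, 65535 };  /* constructed table masks */
	for (int i = 0; i < 3; i++)
		printf("hmask=%u pre-patch free matches: %d\n", m[i],
		       free_matches_alloc(fixed_sz(m[i]), buggy_sz(m[i]), 0));
	return 0;
}
```

Small tables free correctly even with the element count, which is why the problem only shows up once the table has grown.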


* Re: [PATCH net] xfrm: fix freed block size calculation in xfrm_policy_fini()
  2013-01-18 15:03 [PATCH net] xfrm: fix freed block size calculation in xfrm_policy_fini() Michal Kubecek
@ 2013-01-18 19:43 ` David Miller
  2013-01-21 12:02 ` Steffen Klassert
  1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2013-01-18 19:43 UTC (permalink / raw)
  To: mkubecek; +Cc: steffen.klassert, herbert, netdev

From: Michal Kubecek <mkubecek@suse.cz>
Date: Fri, 18 Jan 2013 16:03:48 +0100

> Missing multiplication of block size by sizeof(struct hlist_head)
> can cause xfrm_hash_free() to be called with wrong second argument
> so that kfree() is called on a block allocated with vzalloc() or
> __get_free_pages() or free_pages() is called with wrong order when
> a namespace with enough policies is removed.
> 
> Bug introduced by commit a35f6c5d, i.e. versions >= 2.6.29 are
> affected.
> 
> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>

I'll let Steffen pick this one up.


* Re: [PATCH net] xfrm: fix freed block size calculation in xfrm_policy_fini()
  2013-01-18 15:03 [PATCH net] xfrm: fix freed block size calculation in xfrm_policy_fini() Michal Kubecek
  2013-01-18 19:43 ` David Miller
@ 2013-01-21 12:02 ` Steffen Klassert
  1 sibling, 0 replies; 3+ messages in thread
From: Steffen Klassert @ 2013-01-21 12:02 UTC (permalink / raw)
  To: Michal Kubecek; +Cc: Herbert Xu, David S. Miller, netdev

On Fri, Jan 18, 2013 at 04:03:48PM +0100, Michal Kubecek wrote:
> Missing multiplication of block size by sizeof(struct hlist_head)
> can cause xfrm_hash_free() to be called with wrong second argument
> so that kfree() is called on a block allocated with vzalloc() or
> __get_free_pages() or free_pages() is called with wrong order when
> a namespace with enough policies is removed.
> 
> Bug introduced by commit a35f6c5d, i.e. versions >= 2.6.29 are
> affected.
> 
> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>

Applied, Thanks!

