From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linuxfoundation.org ([140.211.169.12]:46956 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754227AbdHYAsV (ORCPT ); Thu, 24 Aug 2017 20:48:21 -0400
Subject: Patch "ptr_ring: use kmalloc_array()" has been added to the 4.9-stable tree
To: edumazet@google.com, davem@davemloft.net, dvyukov@google.com, gregkh@linuxfoundation.org, jasowang@redhat.com, mst@redhat.com
Cc: ,
From:
Date: Thu, 24 Aug 2017 17:45:54 -0700
Message-ID: <150362195415150@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID:

This is a note to let you know that I've just added the patch titled

    ptr_ring: use kmalloc_array()

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    ptr_ring-use-kmalloc_array.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.

>>From foo@baz Thu Aug 24 17:44:02 PDT 2017
From: Eric Dumazet
Date: Wed, 16 Aug 2017 10:36:47 -0700
Subject: ptr_ring: use kmalloc_array()

From: Eric Dumazet

[ Upstream commit 81fbfe8adaf38d4f5a98c19bebfd41c5d6acaee8 ]

As found by syzkaller, malicious users can set whatever tx_queue_len
on a tun device and eventually crash the kernel.

Lets remove the ALIGN(XXX, SMP_CACHE_BYTES) thing since a small
ring buffer is not fast anyway.

Fixes: 2e0ab8ca83c1 ("ptr_ring: array based FIFO for pointers")
Signed-off-by: Eric Dumazet
Reported-by: Dmitry Vyukov
Cc: Michael S. Tsirkin
Cc: Jason Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 include/linux/ptr_ring.h  | 9 +++++----
 include/linux/skb_array.h | 3 ++-
 2 files changed, 7 insertions(+), 5 deletions(-)

--- a/include/linux/ptr_ring.h +++ b/include/linux/ptr_ring.h 
@@ -340,9 +340,9 @@ static inline void *ptr_ring_consume_bh( __PTR_RING_PEEK_CALL_v; \ }) -static inline void **__ptr_ring_init_queue_alloc(int size, gfp_t gfp) +static inline void **__ptr_ring_init_queue_alloc(unsigned int size, gfp_t gfp) { - return kzalloc(ALIGN(size * sizeof(void *), SMP_CACHE_BYTES), gfp); + return kcalloc(size, sizeof(void *), gfp); } static inline int ptr_ring_init(struct ptr_ring *r, int size, gfp_t gfp) @@ -417,7 +417,8 @@ static inline int ptr_ring_resize(struct * In particular if you consume ring in interrupt or BH context, you must * disable interrupts/BH when doing so. */ -static inline int ptr_ring_resize_multiple(struct ptr_ring **rings, int nrings, +static inline int ptr_ring_resize_multiple(struct ptr_ring **rings, + unsigned int nrings, int size, gfp_t gfp, void (*destroy)(void *)) { @@ -425,7 +426,7 @@ static inline int ptr_ring_resize_multip void ***queues; int i; - queues = kmalloc(nrings * sizeof *queues, gfp); + queues = kmalloc_array(nrings, sizeof(*queues), gfp); if (!queues) goto noqueues; --- a/include/linux/skb_array.h +++ b/include/linux/skb_array.h 
@@ -162,7 +162,8 @@ static inline int skb_array_resize(struc } static inline int skb_array_resize_multiple(struct skb_array **rings, - int nrings, int size, gfp_t gfp) + int nrings, unsigned int size, + gfp_t gfp) { BUILD_BUG_ON(offsetof(struct skb_array, ring)); return ptr_ring_resize_multiple((struct ptr_ring **)rings, Patches currently in stable-queue which might be from edumazet@google.com are queue-4.9/ipv4-fix-null-dereference-in-free_fib_info_rcu.patch queue-4.9/tcp-when-rearming-rto-if-rto-time-is-in-past-then-fire-rto-asap.patch queue-4.9/ipv4-better-ip_max_mtu-enforcement.patch queue-4.9/dccp-defer-ccid_hc_tx_delete-at-dismantle-time.patch queue-4.9/tipc-fix-use-after-free.patch queue-4.9/af_key-do-not-use-gfp_kernel-in-atomic-contexts.patch queue-4.9/ipv6-repair-fib6-tree-in-failure-case.patch queue-4.9/dccp-purge-write-queue-in-dccp_destroy_sock.patch queue-4.9/ipv6-reset-fn-rr_ptr-when-replacing-route.patch queue-4.9/ptr_ring-use-kmalloc_array.patch queue-4.9/net_sched-sfq-update-hierarchical-backlog-when-drop-packet.patch
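
Review bot: In the first ptr_ring.h hunk (@@ -340), __ptr_ring_init_queue_alloc() now takes unsigned int size, but the ptr_ring_init() signature visible in the trailing context still declares int size. A negative value handed to ptr_ring_init() is silently converted to a large unsigned count on the way into the allocator helper, so the rejection depends entirely on kcalloc() failing and the caller checking for NULL. Suggest making size unsigned int in ptr_ring_init() as well, or rejecting size <= 0 there, so the type is consistent along the whole call path. It would also help to note in the changelog that this site uses kcalloc() rather than the kmalloc_array() named in the subject, because the zeroing that kzalloc() provided has to be kept.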
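
Review bot: In the ptr_ring_resize_multiple() body hunk (@@ -425), int i stays signed in the context lines while nrings has just become unsigned int. If i is the index that walks the queues array up to nrings, the loop condition becomes a mixed signed/unsigned comparison and i cannot represent the upper half of the range that nrings now allows. Suggest declaring it as unsigned int i in the same patch. The kmalloc_array(nrings, sizeof(*queues), gfp) call itself is fine: an overflowing count yields NULL, and the existing if (!queues) goto noqueues path handles that.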
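
Review bot: The skb_array.h hunk (@@ -162) changes the opposite parameter from the one changed in ptr_ring.h. After this patch skb_array_resize_multiple() takes (int nrings, unsigned int size), while ptr_ring_resize_multiple(), which it calls directly, takes (unsigned int nrings, int size). Each argument therefore changes signedness at the wrapper boundary: an unsigned size above INT_MAX becomes negative in the callee, and a negative nrings becomes a huge unsigned count. Suggest making both nrings and size unsigned int in both signatures so the wrapper and the function it forwards to agree.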