mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-29 22:02:02 +00:00
net: cgroup: fix out of bounds accesses
dev->priomap is allocated by extend_netdev_table() called from update_netdev_tables(). And this is only called if write_priomap() is called. But if write_priomap() is not called, it seems we can have out of bounds accesses in cgrp_destroy(), read_priomap() & skb_update_prio() With help from Gao Feng Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Neil Horman <nhorman@tuxdriver.com> Cc: Gao feng <gaofeng@cn.fujitsu.com> Acked-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
96ca7ffe74
commit
91c68ce2b2
2 changed files with 8 additions and 4 deletions
|
@ -2444,8 +2444,12 @@ static void skb_update_prio(struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
struct netprio_map *map = rcu_dereference_bh(skb->dev->priomap);
|
struct netprio_map *map = rcu_dereference_bh(skb->dev->priomap);
|
||||||
|
|
||||||
if ((!skb->priority) && (skb->sk) && map)
|
if (!skb->priority && skb->sk && map) {
|
||||||
skb->priority = map->priomap[skb->sk->sk_cgrp_prioidx];
|
unsigned int prioidx = skb->sk->sk_cgrp_prioidx;
|
||||||
|
|
||||||
|
if (prioidx < map->priomap_len)
|
||||||
|
skb->priority = map->priomap[prioidx];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
#define skb_update_prio(skb)
|
#define skb_update_prio(skb)
|
||||||
|
|
|
@ -142,7 +142,7 @@ static void cgrp_destroy(struct cgroup *cgrp)
|
||||||
rtnl_lock();
|
rtnl_lock();
|
||||||
for_each_netdev(&init_net, dev) {
|
for_each_netdev(&init_net, dev) {
|
||||||
map = rtnl_dereference(dev->priomap);
|
map = rtnl_dereference(dev->priomap);
|
||||||
if (map)
|
if (map && cs->prioidx < map->priomap_len)
|
||||||
map->priomap[cs->prioidx] = 0;
|
map->priomap[cs->prioidx] = 0;
|
||||||
}
|
}
|
||||||
rtnl_unlock();
|
rtnl_unlock();
|
||||||
|
@ -166,7 +166,7 @@ static int read_priomap(struct cgroup *cont, struct cftype *cft,
|
||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
for_each_netdev_rcu(&init_net, dev) {
|
for_each_netdev_rcu(&init_net, dev) {
|
||||||
map = rcu_dereference(dev->priomap);
|
map = rcu_dereference(dev->priomap);
|
||||||
priority = map ? map->priomap[prioidx] : 0;
|
priority = (map && prioidx < map->priomap_len) ? map->priomap[prioidx] : 0;
|
||||||
cb->fill(cb, dev->name, priority);
|
cb->fill(cb, dev->name, priority);
|
||||||
}
|
}
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
|
|
Loading…
Reference in a new issue