diff options
| author |   Eric Dumazet <edumazet@google.com> | 2017-08-16 10:36:47 -0700 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2017-08-16 16:28:47 -0700 |
| commit | 81fbfe8adaf38d4f5a98c19bebfd41c5d6acaee8 (patch) | |
| tree | d6b6fc17c19f0df3e916e55726dee279c055deb6 /include/linux/skb_array.h | |
| parent | dccp: defer ccid_hc_tx_delete() at dismantle time (diff) | |
| download | wireguard-linux-81fbfe8adaf38d4f5a98c19bebfd41c5d6acaee8.tar.xz wireguard-linux-81fbfe8adaf38d4f5a98c19bebfd41c5d6acaee8.zip | |
ptr_ring: use kmalloc_array()
As found by syzkaller, malicious users can set whatever tx_queue_len
on a tun device and eventually crash the kernel.
Lets remove the ALIGN(XXX, SMP_CACHE_BYTES) thing since a small
ring buffer is not fast anyway.
Fixes: 2e0ab8ca83c1 ("ptr_ring: array based FIFO for pointers")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux/skb_array.h')
| -rw-r--r-- | include/linux/skb_array.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/include/linux/skb_array.h b/include/linux/skb_array.h index 35226cd4efb0..8621ffdeecbf 100644 --- a/include/linux/skb_array.h +++ b/include/linux/skb_array.h @@ -193,7 +193,8 @@ static inline int skb_array_resize(struct skb_array *a, int size, gfp_t gfp) } static inline int skb_array_resize_multiple(struct skb_array **rings, - int nrings, int size, gfp_t gfp) + int nrings, unsigned int size, + gfp_t gfp) { BUILD_BUG_ON(offsetof(struct skb_array, ring)); return ptr_ring_resize_multiple((struct ptr_ring **)rings, |