diff options
| author | Eric Dumazet <edumazet@google.com> | 2015-06-16 07:59:11 -0700 |
|---|---|---|
| committer | Zefan Li <lizefan@huawei.com> | 2015-10-22 09:20:05 +0800 |
| commit | 2fb9a78c44b0801fb17f3f73f553b8416b96abe0 (patch) | |
| tree | 0fa3049732e55c3340dbf3a1048ce775b47c55b8 | |
| parent | b80954b45832fbd665c2a8bc545601716942ce78 (diff) | |
| download | lwn-2fb9a78c44b0801fb17f3f73f553b8416b96abe0.tar.gz lwn-2fb9a78c44b0801fb17f3f73f553b8416b96abe0.zip | |
packet: read num_members once in packet_rcv_fanout()
commit f98f4514d07871da7a113dd9e3e330743fd70ae4 upstream.
We need to tell compiler it must not read f->num_members multiple
times. Otherwise testing if num is not zero is flaky, and we could
attempt an invalid divide by 0 in fanout_demux_cpu()
Note bug was present in packet_rcv_fanout_hash() and
packet_rcv_fanout_lb() but final 3.1 had a simple location
after commit 95ec3eb417115fb ("packet: Add 'cpu' fanout policy.")
Fixes: dc99f600698dc ("packet: Add fanout support.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[lizf: Backported to 3.4: use ACCESS_ONCE() instead of READ_ONCE()]
Signed-off-by: Zefan Li <lizefan@huawei.com>
| -rw-r--r-- | net/packet/af_packet.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index dbe1715c629f..af067d72dff3 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -1210,7 +1210,7 @@ static int packet_rcv_fanout(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev) { struct packet_fanout *f = pt->af_packet_priv; - unsigned int num = f->num_members; + unsigned int num = ACCESS_ONCE(f->num_members); struct packet_sock *po; struct sock *sk; |