Commit e912b114 authored by Eric Dumazet, committed by David S. Miller

net: sk_prot_alloc() should not blindly overwrite memory

Some sockets use SLAB_DESTROY_BY_RCU, and our RCU code correctness
depends on sk->sk_nulls_node.next being always valid. A NULL
value is not allowed as it might fault a lockless reader.

Current sk_prot_alloc() implementation doesn't respect this hypothesis,
calling kmem_cache_alloc() with __GFP_ZERO. Just call memset() around
the forbidden field.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Parent e594e96e
...@@ -939,8 +939,23 @@ static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority, ...@@ -939,8 +939,23 @@ static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority,
struct kmem_cache *slab; struct kmem_cache *slab;
slab = prot->slab; slab = prot->slab;
if (slab != NULL) if (slab != NULL) {
sk = kmem_cache_alloc(slab, priority); sk = kmem_cache_alloc(slab, priority & ~__GFP_ZERO);
if (!sk)
return sk;
if (priority & __GFP_ZERO) {
/*
* caches using SLAB_DESTROY_BY_RCU should let
* sk_node.next un-modified. Special care is taken
* when initializing object to zero.
*/
if (offsetof(struct sock, sk_node.next) != 0)
memset(sk, 0, offsetof(struct sock, sk_node.next));
memset(&sk->sk_node.pprev, 0,
prot->obj_size - offsetof(struct sock,
sk_node.pprev));
}
}
else else
sk = kmalloc(prot->obj_size, priority); sk = kmalloc(prot->obj_size, priority);