
Commit 5b653b2a authored by Michal Kubecek, committed by Steffen Klassert

xfrm: fix freed block size calculation in xfrm_policy_fini()



Missing multiplication of block size by sizeof(struct hlist_head)
can cause xfrm_hash_free() to be called with wrong second argument
so that kfree() is called on a block allocated with vzalloc() or
__get_free_pages() or free_pages() is called with wrong order when
a namespace with enough policies is removed.

Bug introduced by commit a35f6c5d, i.e. versions >= 2.6.29 are
affected.

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
parent e2f67259
+1 −1
@@ -2656,7 +2656,7 @@ static void xfrm_policy_fini(struct net *net)
		WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir]));
		WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir]));


		htab = &net->xfrm.policy_bydst[dir];
		htab = &net->xfrm.policy_bydst[dir];
		sz = (htab->hmask + 1);
		sz = (htab->hmask + 1) * sizeof(struct hlist_head);
		WARN_ON(!hlist_empty(htab->table));
		WARN_ON(!hlist_empty(htab->table));
		xfrm_hash_free(htab->table, sz);
		xfrm_hash_free(htab->table, sz);
	}
	}
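
Review bot: the byte size on the line "sz = (htab->hmask + 1) * sizeof(struct hlist_head);" is open-coded at the call site, and since the commit message says xfrm_hash_free() chooses its release path from that second argument, the same alloc/free mismatch can come back whenever this expression and the one used at allocation drift apart. Suggest computing the size through one small helper shared with the allocation path, or having xfrm_hash_free() take the bucket count and do the multiplication itself, and confirming that any other xfrm_hash_free() callers outside this hunk also pass bytes rather than a bucket count. The message would also be easier to track for backports if it cited the introducing commit with its subject line rather than the short id alone.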