diff options
author | Michal Kubecek <mkubecek@suse.cz> | 2013-01-18 16:03:48 +0100 |
---|---|---|
committer | Steffen Klassert <steffen.klassert@secunet.com> | 2013-01-21 06:50:04 +0100 |
commit | 5b653b2a1c3b5634368fde2df958a1398481e580 (patch) | |
tree | 42b84b0a9cd9413e1335eb8925594ce60e9cae88 /net | |
parent | e2f6725917ed525f4111c33c31ab53397b70f9d2 (diff) | |
download | linux-stable-5b653b2a1c3b5634368fde2df958a1398481e580.tar.gz linux-stable-5b653b2a1c3b5634368fde2df958a1398481e580.tar.bz2 linux-stable-5b653b2a1c3b5634368fde2df958a1398481e580.zip |
xfrm: fix freed block size calculation in xfrm_policy_fini()
Missing multiplication of block size by sizeof(struct hlist_head)
can cause xfrm_hash_free() to be called with wrong second argument
so that kfree() is called on a block allocated with vzalloc() or
__get_free_pages() or free_pages() is called with wrong order when
a namespace with enough policies is removed.
Bug introduced by commit a35f6c5d, i.e. versions >= 2.6.29 are
affected.
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/xfrm/xfrm_policy.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 41eabc46f110..07c585756d2a 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -2656,7 +2656,7 @@ static void xfrm_policy_fini(struct net *net) WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir])); htab = &net->xfrm.policy_bydst[dir]; - sz = (htab->hmask + 1); + sz = (htab->hmask + 1) * sizeof(struct hlist_head); WARN_ON(!hlist_empty(htab->table)); xfrm_hash_free(htab->table, sz); } |