summaryrefslogtreecommitdiff
path: root/include/linux/skb_array.h
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2017-08-16 20:36:47 +0300
committerDavid S. Miller <davem@davemloft.net>2017-08-17 02:28:47 +0300
commit81fbfe8adaf38d4f5a98c19bebfd41c5d6acaee8 (patch)
treed6b6fc17c19f0df3e916e55726dee279c055deb6 /include/linux/skb_array.h
parent120e9dabaf551c6dc03d3a10a1f026376cb1811c (diff)
downloadlinux-81fbfe8adaf38d4f5a98c19bebfd41c5d6acaee8.tar.xz
ptr_ring: use kmalloc_array()
As found by syzkaller, malicious users can set whatever tx_queue_len on a tun device and eventually crash the kernel. Lets remove the ALIGN(XXX, SMP_CACHE_BYTES) thing since a small ring buffer is not fast anyway. Fixes: 2e0ab8ca83c1 ("ptr_ring: array based FIFO for pointers") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Jason Wang <jasowang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux/skb_array.h')
-rw-r--r--include/linux/skb_array.h3
1 files changed, 2 insertions, 1 deletions
diff --git a/include/linux/skb_array.h b/include/linux/skb_array.h
index 35226cd4efb0..8621ffdeecbf 100644
--- a/include/linux/skb_array.h
+++ b/include/linux/skb_array.h
@@ -193,7 +193,8 @@ static inline int skb_array_resize(struct skb_array *a, int size, gfp_t gfp)
}
static inline int skb_array_resize_multiple(struct skb_array **rings,
- int nrings, int size, gfp_t gfp)
+ int nrings, unsigned int size,
+ gfp_t gfp)
{
BUILD_BUG_ON(offsetof(struct skb_array, ring));
return ptr_ring_resize_multiple((struct ptr_ring **)rings,