diff options
author | Eric Dumazet <edumazet@google.com> | 2013-08-05 14:18:49 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-08-05 18:26:11 -0400 |
commit | aab515d7c32a34300312416c50314e755ea6f765 (patch) | |
tree | 74e52aee3e58a487d4cdb409c18cd421ea9d91ce /net | |
parent | 3b380877d58604686c2526c19154d656c25d2953 (diff) |
fib_trie: remove potential out of bound access
AddressSanitizer [1] dynamic checker pointed a potential
out of bound access in leaf_walk_rcu()
We could allocate one more slot in tnode_new() to leave the prefetch()
in-place but it looks not worth the pain.
Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")
[1] :
https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/fib_trie.c | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c index 108a1e9c9eac..3df6d3edb2a1 100644 --- a/net/ipv4/fib_trie.c +++ b/net/ipv4/fib_trie.c | |||
@@ -71,7 +71,6 @@ | |||
71 | #include <linux/init.h> | 71 | #include <linux/init.h> |
72 | #include <linux/list.h> | 72 | #include <linux/list.h> |
73 | #include <linux/slab.h> | 73 | #include <linux/slab.h> |
74 | #include <linux/prefetch.h> | ||
75 | #include <linux/export.h> | 74 | #include <linux/export.h> |
76 | #include <net/net_namespace.h> | 75 | #include <net/net_namespace.h> |
77 | #include <net/ip.h> | 76 | #include <net/ip.h> |
@@ -1761,10 +1760,8 @@ static struct leaf *leaf_walk_rcu(struct tnode *p, struct rt_trie_node *c) | |||
1761 | if (!c) | 1760 | if (!c) |
1762 | continue; | 1761 | continue; |
1763 | 1762 | ||
1764 | if (IS_LEAF(c)) { | 1763 | if (IS_LEAF(c)) |
1765 | prefetch(rcu_dereference_rtnl(p->child[idx])); | ||
1766 | return (struct leaf *) c; | 1764 | return (struct leaf *) c; |
1767 | } | ||
1768 | 1765 | ||
1769 | /* Rescan start scanning in new node */ | 1766 | /* Rescan start scanning in new node */ |
1770 | p = (struct tnode *) c; | 1767 | p = (struct tnode *) c; |