ptr_ring: wrap back ->producer in __ptr_ring_swap_queue()
__ptr_ring_swap_queue() tries to move pointers from the old
ring to the new one, but it forgets to check if ->producer
is beyond the new size at the end of the operation. This leads
to an out-of-bound access in __ptr_ring_produce() as reported
by syzbot.

Reported-by: [email protected]
Fixes: 5d49de5 ("ptr_ring: resize support")
Cc: "Michael S. Tsirkin" <[email protected]>
Cc: John Fastabend <[email protected]>
Cc: Jason Wang <[email protected]>
Signed-off-by: Cong Wang <[email protected]>
Acked-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
congwang authored and davem330 committed Jan 1, 2019
1 parent 4087d2b commit aff6db4
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions include/linux/ptr_ring.h
Expand Up @@ -573,6 +573,8 @@ static inline void **__ptr_ring_swap_queue(struct ptr_ring *r, void **queue,
else if (destroy)
destroy(ptr);

if (producer >= size)
producer = 0;
__ptr_ring_set_size(r, size);
r->producer = producer;
r->consumer_head = 0;
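
Review bot: the new `if (producer >= size)` wrap has no comment, and the case it covers is not obvious from the surrounding lines. Going by the commit message, producer can be left at or past size once the pointers moved from the old ring have filled the new queue, so a one-line comment above the check saying that would help. The comment should also say that after the wrap, `r->producer = producer;` and `r->consumer_head = 0;` leave both indices at 0 for a ring that is full, not empty, so a later reader does not take equal indices to mean there is free space. If producer can only ever equal size here and never exceed it, say so in the comment as well, since `>=` otherwise suggests a larger overshoot is possible.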