From: Michal Kubecek Date: Fri, 18 Jan 2013 15:03:48 +0000 (+0100) Subject: xfrm: fix freed block size calculation in xfrm_policy_fini() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=5b653b2a1c3b5634368fde2df958a1398481e580;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git xfrm: fix freed block size calculation in xfrm_policy_fini() Missing multiplication of block size by sizeof(struct hlist_head) can cause xfrm_hash_free() to be called with wrong second argument so that kfree() is called on a block allocated with vzalloc() or __get_free_pages() or free_pages() is called with wrong order when a namespace with enough policies is removed. Bug introduced by commit a35f6c5d, i.e. versions >= 2.6.29 are affected. Signed-off-by: Michal Kubecek Signed-off-by: Steffen Klassert --- diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 41eabc46f110..07c585756d2a 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -2656,7 +2656,7 @@ static void xfrm_policy_fini(struct net *net) WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir])); htab = &net->xfrm.policy_bydst[dir]; - sz = (htab->hmask + 1); + sz = (htab->hmask + 1) * sizeof(struct hlist_head); WARN_ON(!hlist_empty(htab->table)); xfrm_hash_free(htab->table, sz); }