This is a note to let you know that I've just added the patch titled

    packet: fix tp_reserve race in packet_set_ring

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     packet-fix-tp_reserve-race-in-packet_set_ring.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

>From foo@baz Fri Aug 11 09:10:20 PDT 2017
From: Willem de Bruijn <willemb@xxxxxxxxxx>
Date: Thu, 10 Aug 2017 12:41:58 -0400
Subject: packet: fix tp_reserve race in packet_set_ring

From: Willem de Bruijn <willemb@xxxxxxxxxx>

[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in
packet_set_ring. Avoid this by holding the socket lock during
updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Signed-off-by: Willem de Bruijn <willemb@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/packet/af_packet.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3698,14 +3698,19 @@ packet_setsockopt(struct socket *sock, i if (optlen != sizeof(val)) return -EINVAL; - if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) - return -EBUSY; if (copy_from_user(&val, optval, sizeof(val))) return -EFAULT; if (val > INT_MAX) return -EINVAL; - po->tp_reserve = val; - return 0; + lock_sock(sk); + if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { + ret = -EBUSY; + } else { + po->tp_reserve = val; + ret = 0; + } + release_sock(sk); + return ret; } case PACKET_LOSS: { Patches currently in stable-queue which might be from willemb@xxxxxxxxxx are queue-4.9/net-avoid-skb_warn_bad_offload-false-positives-on-ufo.patch queue-4.9/packet-fix-tp_reserve-race-in-packet_set_ring.patch queue-4.9/udp-consistently-apply-ufo-or-fragmentation.patch
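
Review bot: the added block in the PACKET_RESERVE case assigns to `ret` and passes `sk` to lock_sock()/release_sock(), but neither variable is declared inside this hunk, so for the 4.9 backport it is worth confirming that both are already in scope in packet_setsockopt() at this point; if they are not, the patch will not build and needs the declarations carried along. The fix is also only complete if packet_set_ring reads tp_reserve and sets rx_ring.pg_vec / tx_ring.pg_vec while holding the same socket lock; that side is not visible here, so a short comment above lock_sock(sk) stating which reader the lock pairs with would make the locking rule explicit for later changes. Leaving copy_from_user() and the `val > INT_MAX` check outside the locked region is fine, since they only touch the local `val` and keep a possibly faulting user copy out of the critical section.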