GitHub-Mirror/Star64_linux
2
0
Fork 0
mirror of https://github.com/Fishwaldo/Star64_linux.git synced 2025-06-26 08:31:13 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

packet: fix tp_reserve race in packet_set_ring

Browse source 
Updates to tp_reserve can race with reads of the field in
packet_set_ring. Avoid this by holding the socket lock during
updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

Fixes: 8913336a7e ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Willem de Bruijn 2017-08-10 12:41:58 -04:00 committed by David S. Miller
parent 85f1bd9a7b
commit c27927e372
1 changed files with 9 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

13
net/packet/af_packet.c
View file

@ -3700,14 +3700,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
if (optlen != sizeof(val)) if (optlen != sizeof(val))
return -EINVAL; return -EINVAL;
if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
return -EBUSY;
if (copy_from_user(&val, optval, sizeof(val))) if (copy_from_user(&val, optval, sizeof(val)))
return -EFAULT; return -EFAULT;
if (val > INT_MAX) if (val > INT_MAX)
return -EINVAL; return -EINVAL;
po->tp_reserve = val; lock_sock(sk);
return 0; if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
ret = -EBUSY;
} else {
po->tp_reserve = val;
ret = 0;
}
release_sock(sk);
return ret;
} }
case PACKET_LOSS: case PACKET_LOSS:
{ {