tree 060a9d58187a16ae6a0422b22775f1fe601da695
parent c38078fae79007a8798067bff1d115ef54094861
author Willem de Bruijn <willemb@google.com> 1502383318 -0400
committer ChromeOS Commit Bot <chromeos-commit-bot@chromium.org> 1510001367 +0000

UPSTREAM: packet: fix tp_reserve race in packet_set_ring

[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in
packet_set_ring. Avoid this by holding the socket lock during
updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

BUG=chromium:780782
TEST=Run syzkaller reproducer

Change-Id: I1006e6d4716f912aee319ebb0491330bcebd9c23
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/751810
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
(cherry picked from commit 712116d40a530fc68a25f7feec756202c223c325)
Reviewed-on: https://chromium-review.googlesource.com/753961
(cherry picked from commit eb7f086c814368e30ee838b7a7893774be182ceb)
Reviewed-on: https://chromium-review.googlesource.com/755737
