From patchwork Thu Aug 10 16:41:58 2017
X-Patchwork-Submitter: Willem de Bruijn
X-Patchwork-Id: 800274
X-Patchwork-Delegate: davem@davemloft.net
From: Willem de Bruijn
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, andreyknvl@gmail.com, Willem de Bruijn
Subject: [PATCH net] packet: fix tp_reserve race in packet_set_ring
Date: Thu, 10 Aug 2017 12:41:58 -0400
Message-Id: <20170810164158.52213-1-willemdebruijn.kernel@gmail.com>

From: Willem de Bruijn

Updates to tp_reserve can race with reads of the field in
packet_set_ring. Avoid this by holding the socket lock during
updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov
Signed-off-by: Willem de Bruijn
---
 net/packet/af_packet.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 0615c2a950fa..008a45ca3112 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c
@@ -3700,14 +3700,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv if (optlen != sizeof(val)) return -EINVAL; - if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) - return -EBUSY; if (copy_from_user(&val, optval, sizeof(val))) return -EFAULT; if (val > INT_MAX) return -EINVAL; - po->tp_reserve = val; - return 0; + lock_sock(sk); + if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { + ret = -EBUSY; + } else { + po->tp_reserve = val; + ret = 0; + } + release_sock(sk); + return ret; } case PACKET_LOSS: {
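
Review bot: The added lock_sock(sk)/release_sock(sk) pair around the pg_vec test and the po->tp_reserve store only closes the race if the reader takes the same socket lock; the commit message names packet_set_ring as that reader, but nothing in this hunk shows it, so a short comment above lock_sock(sk) saying which path the lock serializes against would make the invariant checkable later. The added lines also use `ret` and `sk`, and neither is declared in the visible context, so please confirm both exist at function scope in packet_setsockopt. Leaving copy_from_user() and the `val > INT_MAX` check outside the locked region is fine, since they touch only the local `val`. The PACKET_LOSS case that starts right after this hunk is worth a look for the same unlocked check-then-set pattern on pg_vec.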