From: David Miller
Subject: Re: [PATCH net] packet: fix crash in fanout_demux_rollover()
Date: Tue, 28 Nov 2017 11:14:29 -0500 (EST)
Message-ID: <20171128.111429.1528029123202775549.davem@davemloft.net>
In-Reply-To: <20171128154429.84833-1-maloneykernel@gmail.com>
References: <20171128154429.84833-1-maloneykernel@gmail.com>
To: maloneykernel@gmail.com
Cc: netdev@vger.kernel.org, willemdebruijn.kernel@gmail.com, eric.dumazet@gmail.com, maloney@google.com

From: Mike Maloney
Date: Tue, 28 Nov 2017 10:44:29 -0500

> From: Mike Maloney
>
> syzkaller found a race condition in fanout_demux_rollover() while removing
> a packet socket from a fanout group.
>
> po->rollover is read and operated on during packet_rcv_fanout(), via
> fanout_demux_rollover(), but the pointer is currently cleared before the
> synchronization in packet_release(). It is safer to delay the cleanup
> until after synchronize_net() has been called, ensuring all calls to
> packet_rcv_fanout() for this socket have finished.
>
> To further simplify synchronization around the rollover structure, set
> po->rollover in fanout_add() only if there are no errors. This removes
> the need for rcu in the struct and in the call to
> packet_getsockopt(..., PACKET_ROLLOVER_STATS, ...).
>
> Crashing stack trace: ...
>
> Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
> Fixes: 509c7a1ecc860 ("packet: avoid panic in packet_getsockopt()")
> Reported-by: syzbot
> Signed-off-by: Mike Maloney

Applied and queued up for -stable.
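The ordering argument in the quoted commit message (unlink the socket, wait for synchronize_net(), only then free po->rollover) can be shown with a small single-threaded userspace model. The code below is an added illustration written for this page, not kernel code and not part of the patch; every name in it (rollover_state, packet_sock, fanout_slot, reader_lookup, reader_use_rollover, synchronize_model, kfree_model, run_release) is an assumption of the model, not an af_packet identifier. A reader that has already picked the socket but has not yet touched po->rollover stands for a packet_rcv_fanout() call still inside its RCU read-side critical section; the fake kfree() poisons the object instead of releasing memory so the use-after-free is detectable without undefined behaviour.

```c
/* Added illustration (not kernel code): a single-threaded model of why
 * packet_release() must free po->rollover only after synchronize_net().
 * All identifiers below are assumptions for the model, not af_packet's. */
#include <stdio.h>

#define ROLLOVER_LIVE   0x4c495645u  /* object valid */
#define ROLLOVER_POISON 0xdeadbeefu  /* written by the fake kfree() */

struct rollover_state {
    unsigned int magic;
    unsigned long num_packets;
};

struct packet_sock {
    struct rollover_state *rollover;
};

/* The fanout group's socket array (one slot here).  A reader fetches a
 * socket from it under the RCU read lock, as packet_rcv_fanout() does. */
static struct packet_sock *fanout_slot;

/* A reader that has looked up the socket but not yet used po->rollover,
 * i.e. a packet_rcv_fanout() call still inside its read-side section. */
static struct packet_sock *pending_reader;
static int bad_access;  /* set when a reader hits NULL or a poisoned object */

/* Reader step 1: packet_rcv_fanout() picks the socket from the group. */
static void reader_lookup(void)
{
    pending_reader = fanout_slot;
}

/* Reader step 2: fanout_demux_rollover() dereferences po->rollover. */
static void reader_use_rollover(void)
{
    struct packet_sock *po = pending_reader;
    if (!po)
        return;
    pending_reader = NULL;
    if (!po->rollover || po->rollover->magic != ROLLOVER_LIVE) {
        bad_access = 1;  /* NULL deref or use-after-free in the kernel */
        return;
    }
    po->rollover->num_packets++;
}

/* Model of synchronize_net(): the grace period ends only once every
 * reader that started before it has left its critical section, so any
 * pending reader completes its second step here. */
static void synchronize_model(void)
{
    reader_use_rollover();
}

/* Fake kfree(): poison instead of freeing, so a late reader is caught. */
static void kfree_model(struct rollover_state *ro)
{
    ro->magic = ROLLOVER_POISON;
}

/* Run packet_release() against a reader that already did its lookup,
 * which is exactly the window the syzkaller report hit.
 * Returns 1 if the reader touched an invalid rollover, 0 otherwise. */
static int run_release(int free_after_sync)
{
    struct rollover_state ro = { .magic = ROLLOVER_LIVE, .num_packets = 0 };
    struct packet_sock po = { .rollover = &ro };

    fanout_slot = &po;
    bad_access = 0;
    reader_lookup();

    if (!free_after_sync) {
        /* Buggy order: clear and free the rollover before synchronizing. */
        po.rollover = NULL;
        kfree_model(&ro);
        fanout_slot = NULL;
        synchronize_model();
    } else {
        /* Fixed order: unlink, wait for readers to finish, then free. */
        fanout_slot = NULL;
        synchronize_model();
        kfree_model(&ro);
        po.rollover = NULL;
    }
    fanout_slot = NULL;
    return bad_access;
}

int main(void)
{
    printf("free before synchronize: bad access = %d\n", run_release(0));
    printf("free after synchronize:  bad access = %d\n", run_release(1));
    return 0;
}
```

The model deliberately leaves out the second half of the patch (setting po->rollover in fanout_add() only on success); it only exercises the release-side ordering, which is the part the crash report is about.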