[PATCH net] net/packet: fix a race in packet_set_ring() and packet_notifier()

[PATCH net] net/packet: fix a race in packet_set_ring() and packet_notifier()

[Willem de Bruijn]

From: Willem de Bruijn <willemb@google.com>

When packet_set_ring() releases po->bind_lock, another thread can
run packet_notifier() and process an NETDEV_UP event.

This race and the fix are both similar to that of commit 15fe076edea7
("net/packet: fix a race in packet_bind() and packet_notifier()").

There too the packet_notifier NETDEV_UP event managed to run while a
po->bind_lock critical section had to be temporarily released. And
the fix was similarly to temporarily set po->num to zero to keep
the socket unhooked until the lock is retaken.

The po->bind_lock in packet_set_ring and packet_notifier precede the
introduction of git history.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Quang Le <quanglex97@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
 net/packet/af_packet.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index bc438d0d96a7..a7017d7f0927 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4573,10 +4573,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 	spin_lock(&po->bind_lock);
 	was_running = packet_sock_flag(po, PACKET_SOCK_RUNNING);
 	num = po->num;
-	if (was_running) {
-		WRITE_ONCE(po->num, 0);
+	WRITE_ONCE(po->num, 0);
+	if (was_running)
 		__unregister_prot_hook(sk, false);
-	}
+
 	spin_unlock(&po->bind_lock);
 
 	synchronize_net();
@@ -4608,10 +4608,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 	mutex_unlock(&po->pg_vec_lock);
 
 	spin_lock(&po->bind_lock);
-	if (was_running) {
-		WRITE_ONCE(po->num, num);
+	WRITE_ONCE(po->num, num);
+	if (was_running)
 		register_prot_hook(sk);
-	}
+
 	spin_unlock(&po->bind_lock);
 	if (pg_vec && (po->tp_version > TPACKET_V2)) {
 		/* Because we don't support block-based V3 on tx-ring */
-- 
2.50.1.565.gc32cd1483b-goog

Re: [PATCH net] net/packet: fix a race in packet_set_ring() and packet_notifier()

[Willem de Bruijn]

Willem de Bruijn wrote:
> From: Willem de Bruijn <willemb@google.com>
> 
> When packet_set_ring() releases po->bind_lock, another thread can
> run packet_notifier() and process an NETDEV_UP event.
> 
> This race and the fix are both similar to that of commit 15fe076edea7
> ("net/packet: fix a race in packet_bind() and packet_notifier()").
> 
> There too the packet_notifier NETDEV_UP event managed to run while a
> po->bind_lock critical section had to be temporarily released. And
> the fix was similarly to temporarily set po->num to zero to keep
> the socket unhooked until the lock is retaken.
> 
> The po->bind_lock in packet_set_ring and packet_notifier precede the
> introduction of git history.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Quang Le <quanglex97@gmail.com>
> Signed-off-by: Willem de Bruijn <willemb@google.com>

The From: author attribution is incorrect.

I will resubmit (after the customary 24 hrs).