
Commit 509c7a1

Eric Dumazetdavem330
Eric Dumazet
authored andcommitted
packet: avoid panic in packet_getsockopt()
syzkaller got crashes in packet_getsockopt() processing the PACKET_ROLLOVER_STATS command while another thread was managing to change po->rollover. Using RCU will fix this bug. We might later add proper RCU annotations for sparse's sake. In v2: I replaced kfree(rollover) in fanout_add() with the kfree_rcu() variant, as spotted by John. Fixes: a9b6391 ("packet: rollover statistics") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Willem de Bruijn <willemb@google.com> Cc: John Sperbeck <jsperbeck@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent c92e8c0 commit 509c7a1

1 file changed

+16
-8
lines changed

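--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1769,7 +1769,7 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
 
 out:
 if (err && rollover) {
-kfree(rollover);
+kfree_rcu(rollover, rcu);
 po->rollover = NULL;
 }
 mutex_unlock(&fanout_mutex);
@@ -1796,8 +1796,10 @@ static struct packet_fanout *fanout_release(struct sock *sk)
 else
 f = NULL;
 
-if (po->rollover)
+if (po->rollover) {
 kfree_rcu(po->rollover, rcu);
+po->rollover = NULL;
+}
 }
 mutex_unlock(&fanout_mutex);
 
@@ -3851,6 +3853,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
 void *data = &val;
 union tpacket_stats_u st;
 struct tpacket_rollover_stats rstats;
+struct packet_rollover *rollover;
 
 if (level != SOL_PACKET)
 return -ENOPROTOOPT;
@@ -3929,13 +3932,18 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
 0);
 break;
 case PACKET_ROLLOVER_STATS:
-if (!po->rollover)
+rcu_read_lock();
+rollover = rcu_dereference(po->rollover);
+if (rollover) {
+rstats.tp_all = atomic_long_read(&rollover->num);
+rstats.tp_huge = atomic_long_read(&rollover->num_huge);
+rstats.tp_failed = atomic_long_read(&rollover->num_failed);
+data = &rstats;
+lv = sizeof(rstats);
+}
+rcu_read_unlock();
+if (!rollover)
 return -EINVAL;
-rstats.tp_all = atomic_long_read(&po->rollover->num);
-rstats.tp_huge = atomic_long_read(&po->rollover->num_huge);
-rstats.tp_failed = atomic_long_read(&po->rollover->num_failed);
-data = &rstats;
-lv = sizeof(rstats);
 break;
 case PACKET_TX_HAS_OFF:
 val = po->tp_tx_has_off;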
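Review bot: The reader in the PACKET_ROLLOVER_STATS case now goes through rcu_dereference(), but the two writer-side clears this commit touches — `po->rollover = NULL;` after the kfree_rcu() under `out:` in fanout_add and the new one in fanout_release — remain plain stores, and the field's `__rcu` annotation and its initial publication are outside these hunks (the description itself defers the sparse annotations). Changing both clears to `RCU_INIT_POINTER(po->rollover, NULL);` costs nothing now and means the later annotation pass does not have to revisit them; the publication store in fanout_add, if it is a plain assignment, presumably wants rcu_assign_pointer() at the same time. In the getsockopt hunk, `rollover` is only NULL-tested after rcu_read_unlock(), which is fine, but a comment such as `/* rollover may already be freed here; only the NULL test is permitted */` above the trailing `if (!rollover)` would stop a future edit from moving a dereference out of the critical section. fanout_add, fanout_release and packet_getsockopt all start and end outside the hunks shown.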
