releases/3.18.77/packet-in-packet_do_bind-test-fanout-with-bind_lock-held.patch

   1 From foo@baz Thu Oct 19 14:44:13 CEST 2017
   2 From: Willem de Bruijn <willemb@google.com>
   3 Date: Tue, 26 Sep 2017 12:19:37 -0400
   4 Subject: packet: in packet_do_bind, test fanout with bind_lock held
   5
   6 From: Willem de Bruijn <willemb@google.com>
   7
   8
   9 [ Upstream commit 4971613c1639d8e5f102c4e797c3bf8f83a5a69e ]
  10
  11 Once a socket has po->fanout set, it remains a member of the group
  12 until it is destroyed. The prot_hook must be constant and identical
  13 across sockets in the group.
  14
  15 If fanout_add races with packet_do_bind between the test of po->fanout
  16 and taking the lock, the bind call may make type or dev inconsistent
  17 with that of the fanout group.
  18
  19 Hold po->bind_lock when testing po->fanout to avoid this race.
  20
  21 I had to introduce artificial delay (local_bh_enable) to actually
  22 observe the race.
  23
  24 Fixes: dc99f600698d ("packet: Add fanout support.")
  25 Signed-off-by: Willem de Bruijn <willemb@google.com>
  26 Reviewed-by: Eric Dumazet <edumazet@google.com>
  27 Signed-off-by: David S. Miller <davem@davemloft.net>
  28 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  29 ---
  30  net/packet/af_packet.c |    8 +++++---
  31  1 file changed, 5 insertions(+), 3 deletions(-)
  32
  33 --- a/net/packet/af_packet.c
  34 +++ b/net/packet/af_packet.c
  35 @@ -2662,13 +2662,15 @@ static int packet_do_bind(struct sock *s
  36         int ret = 0;
  37         bool unlisted = false;
  38
  39 -       if (po->fanout)
  40 -               return -EINVAL;
  41 -
  42         lock_sock(sk);
  43         spin_lock(&po->bind_lock);
  44         rcu_read_lock();
  45
  46 +       if (po->fanout) {
  47 +               ret = -EINVAL;
  48 +               goto out_unlock;
  49 +       }
  50 +
  51         if (name) {
  52                 dev = dev_get_by_name_rcu(sock_net(sk), name);
  53                 if (!dev) {