Google Git
Sign in
cos / third_party / kernel / e795bcb500b8c3bbc3578c5839e27e77a063f568^! / .
commite795bcb500b8c3bbc3578c5839e27e77a063f568[log] [tgz]
authorHe Gao <hegao@google.com>Thu Aug 14 21:36:08 2025 +0000
committerHe Gao <hegao@google.com>Thu Aug 14 19:56:52 2025 -0700
tree7b80fcacb49ea539c788f6997b5a94ba91f52693
parentf3840362814ca21bfa6f70c6c38074ad51ecce48 [diff]
net/packet: fix a race in packet_set_ring() and packet_notifier()

upstream commit: 01d3c8417b9c1b884a8a981a3b886da556512f36

When packet_set_ring() releases po->bind_lock, another thread can
run packet_notifier() and process an NETDEV_UP event.

This race and the fix are both similar to that of commit 15fe076edea7
("net/packet: fix a race in packet_bind() and packet_notifier()").

There too the packet_notifier NETDEV_UP event managed to run while a
po->bind_lock critical section had to be temporarily released. And
the fix was similarly to temporarily set po->num to zero to keep
the socket unhooked until the lock is retaken.

The po->bind_lock in packet_set_ring and packet_notifier precede the
introduction of git history.

BUG=b/438677841
TEST=presubmit
RELEASE_NOTE=Fixed KCTF-01d3c84 in the Linux kernel.

cos-patch: security-high
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Change-Id: I7efa71cc24262d1658ab2669798793eb5954ad2c
Signed-off-by: Quang Le <quanglex97@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/109090
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Kevin Berry <kpberry@google.com>
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index fc0dbbe..fcaa4c3 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c

@@ -4566,10 +4566,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 	spin_lock(&po->bind_lock);
 	was_running = packet_sock_flag(po, PACKET_SOCK_RUNNING);
 	num = po->num;
-	if (was_running) {
-		WRITE_ONCE(po->num, 0);
+	WRITE_ONCE(po->num, 0);
+	if (was_running)
 		__unregister_prot_hook(sk, false);
-	}
+
 	spin_unlock(&po->bind_lock);
 
 	synchronize_net();
@@ -4601,10 +4601,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 	mutex_unlock(&po->pg_vec_lock);
 
 	spin_lock(&po->bind_lock);
-	if (was_running) {
-		WRITE_ONCE(po->num, num);
+	WRITE_ONCE(po->num, num);
+	if (was_running)
 		register_prot_hook(sk);
-	}
+
 	spin_unlock(&po->bind_lock);
 	if (pg_vec && (po->tp_version > TPACKET_V2)) {
 		/* Because we don't support block-based V3 on tx-ring */