Skip to content

Commit 3af2ec1

Browse files
quanglex97smb49
quanglex97
authored and
smb49
committed
net/packet: fix a race in packet_set_ring() and packet_notifier()
When packet_set_ring() releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event. This race and the fix are both similar to that of commit 15fe076 ("net/packet: fix a race in packet_bind() and packet_notifier()"). There too the packet_notifier NETDEV_UP event managed to run while a po->bind_lock critical section had to be temporarily released. And the fix was similarly to temporarily set po->num to zero to keep the socket unhooked until the lock is retaken. The po->bind_lock in packet_set_ring and packet_notifier precede the introduction of git history. Fixes: 1da177e ("Linux-2.6.12-rc2") Cc:stable@vger.kernel.org Signed-off-by: Quang Le<quanglex97@gmail.com> Signed-off-by: Willem de Bruijn<willemb@google.com> Link:https://patch.msgid.link/20250801175423.2970334-1-willemdebruijn.kernel@gmail.com Signed-off-by: Jakub Kicinski<kuba@kernel.org> CVE-2025-38617 (cherry picked from commit 01d3c8417b9c1b884a8a981a3b886da556512f36) Signed-off-by: Tim Whisonant<tim.whisonant@canonical.com> Acked-by: Bethany Jamison <bethany.jamison@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
1 parent 381ee88 commit 3af2ec1

File tree

1 file changed

+6
-6
lines changed

1 file changed

+6
-6
lines changed

net/packet/af_packet.c

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -4564,10 +4564,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
45644564
spin_lock(&po->bind_lock);
45654565
was_running = packet_sock_flag(po, PACKET_SOCK_RUNNING);
45664566
num = po->num;
4567-
if (was_running) {
4568-
WRITE_ONCE(po->num, 0);
4567+
WRITE_ONCE(po->num, 0);
4568+
if (was_running)
45694569
__unregister_prot_hook(sk, false);
4570-
}
4570+
45714571
spin_unlock(&po->bind_lock);
45724572

45734573
synchronize_net();
@@ -4599,10 +4599,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
45994599
mutex_unlock(&po->pg_vec_lock);
46004600

46014601
spin_lock(&po->bind_lock);
4602-
if (was_running) {
4603-
WRITE_ONCE(po->num, num);
4602+
WRITE_ONCE(po->num, num);
4603+
if (was_running)
46044604
register_prot_hook(sk);
4605-
}
4605+
46064606
spin_unlock(&po->bind_lock);
46074607
if (pg_vec && (po->tp_version > TPACKET_V2)) {
46084608
/* Because we don't support block-based V3 on tx-ring */

0 commit comments

Comments
 (0)