diff options
| author | Eric Dumazet <edumazet@google.com> | 2023-03-16 02:10:07 +0100 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2023-03-17 09:52:05 +0100 |
| commit | ee5675ecdf7a4e713ed21d98a70c2871d6ebed01 (patch) | |
| tree | be50e68015ab84229d2f3cd223e352be1df2bb2f /net/packet/af_packet.c | |
| parent | net/packet: annotate accesses to po->xmit (diff) | |
| download | linux-ee5675ecdf7a4e713ed21d98a70c2871d6ebed01.tar.xz linux-ee5675ecdf7a4e713ed21d98a70c2871d6ebed01.zip | |
net/packet: convert po->origdev to an atomic flag
syzbot/KCAN reported that po->origdev can be read
while another thread is changing its value.
We can avoid this splat by converting this field
to an actual bit.
Following patches will convert remaining 1bit fields.
Fixes: 80feaacb8a64 ("[AF_PACKET]: Add option to return orig_dev to userspace.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/packet/af_packet.c')
| -rw-r--r-- | net/packet/af_packet.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index d25dd9f63cc4..af7c44169b86 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2184,7 +2184,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, sll = &PACKET_SKB_CB(skb)->sa.ll; sll->sll_hatype = dev->type; sll->sll_pkttype = skb->pkt_type; - if (unlikely(po->origdev)) + if (unlikely(packet_sock_flag(po, PACKET_SOCK_ORIGDEV))) sll->sll_ifindex = orig_dev->ifindex; else sll->sll_ifindex = dev->ifindex; @@ -2461,7 +2461,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, sll->sll_hatype = dev->type; sll->sll_protocol = skb->protocol; sll->sll_pkttype = skb->pkt_type; - if (unlikely(po->origdev)) + if (unlikely(packet_sock_flag(po, PACKET_SOCK_ORIGDEV))) sll->sll_ifindex = orig_dev->ifindex; else sll->sll_ifindex = dev->ifindex; @@ -3914,9 +3914,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval, if (copy_from_sockptr(&val, optval, sizeof(val))) return -EFAULT; - lock_sock(sk); - po->origdev = !!val; - release_sock(sk); + packet_sock_flag_set(po, PACKET_SOCK_ORIGDEV, val); return 0; } case PACKET_VNET_HDR: @@ -4065,7 +4063,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, val = po->auxdata; break; case PACKET_ORIGDEV: - val = po->origdev; + val = packet_sock_flag(po, PACKET_SOCK_ORIGDEV); break; case PACKET_VNET_HDR: val = po->has_vnet_hdr; |