From: Mike Maloney <maloneyker...@gmail.com> Date: Tue, 28 Nov 2017 10:44:29 -0500
> From: Mike Maloney <malo...@google.com>
>
> syzkaller found a race condition in fanout_demux_rollover() while removing
> a packet socket from a fanout group.
>
> po->rollover is read and operated on during packet_rcv_fanout(), via
> fanout_demux_rollover(), but the pointer is currently cleared before the
> synchronization in packet_release(). It is safer to delay the cleanup
> until after synchronize_net() has been called, ensuring all calls to
> packet_rcv_fanout() for this socket have finished.
>
> To further simplify synchronization around the rollover structure, set
> po->rollover in fanout_add() only if there are no errors. This removes
> the need for rcu in the struct and in the call to
> packet_getsockopt(..., PACKET_ROLLOVER_STATS, ...).
>
> Crashing stack trace:
> ...
>
> Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
> Fixes: 509c7a1ecc860 ("packet: avoid panic in packet_getsockopt()")
> Reported-by: syzbot <syzkal...@googlegroups.com>
> Signed-off-by: Mike Maloney <malo...@google.com>

Applied and queued up for -stable.
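The teardown ordering the commit message describes, modelled in user space as an added example. This is not the kernel's code and not part of the thread: packet_sock, fanout, rcu_read_lock(), synchronize_net() and the release functions are toy re-implementations that only keep the kernel's names, the grace period is a per-reader counter rather than real RCU, the reader counts a NULL po->rollover instead of oopsing on it, and a short busy loop is inserted between the two reads purely to widen the race window for the demo. The only claim it supports is the one in the message: clearing po->rollover before the grace period lets an in-flight packet_rcv_fanout() observe NULL, while clearing it after synchronize_net() cannot.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

#define NSOCKS   4     /* slots in the fanout group, like f->arr          */
#define NREADERS 2     /* concurrent packet_rcv_fanout() callers          */
#define NCYCLES  300   /* fanout_add()/packet_release() cycles per run     */

struct packet_rollover { atomic_int num; };                         /* toy stand-in */
struct packet_sock     { struct packet_rollover *_Atomic rollover; }; /* po->rollover */
struct fanout          { struct packet_sock *_Atomic arr[NSOCKS]; };  /* NULL = empty */

/* Toy grace period: a per-reader counter that is odd while that reader is
 * inside a read-side section. synchronize_net() only waits for readers that
 * were inside a section when it was called. All accesses are seq_cst. */
static atomic_int reader_ctr[NREADERS];
static _Thread_local int reader_id;

static void rcu_read_lock(void)   { atomic_fetch_add(&reader_ctr[reader_id], 1); }
static void rcu_read_unlock(void) { atomic_fetch_add(&reader_ctr[reader_id], 1); }
static void synchronize_net(void)
{
    for (int i = 0; i < NREADERS; i++) {
        int snap = atomic_load(&reader_ctr[i]);
        if (snap & 1)
            while (atomic_load(&reader_ctr[i]) == snap)
                sched_yield();
    }
}

static atomic_int null_seen;   /* readers that found po->rollover == NULL */
static atomic_int stop;

struct rx_arg { struct fanout *f; int id; };

/* Reader side: the shape of packet_rcv_fanout() -> fanout_demux_rollover().
 * The kernel dereferences po->rollover unconditionally; the NULL case is
 * counted here instead of crashing. */
static void *rx_thread(void *arg)
{
    struct rx_arg *ra = arg;
    reader_id = ra->id;
    while (!atomic_load(&stop)) {
        rcu_read_lock();
        for (int i = 0; i < NSOCKS; i++) {
            struct packet_sock *po = atomic_load(&ra->f->arr[i]);
            if (!po)
                continue;
            for (volatile int k = 0; k < 64; k++) ;   /* widen the race window (demo only) */
            struct packet_rollover *ro = atomic_load(&po->rollover);
            if (!ro) {
                atomic_fetch_add(&null_seen, 1);     /* kernel: NULL dereference, oops */
                continue;
            }
            atomic_fetch_add(&ro->num, 1);           /* use the rollover state */
        }
        rcu_read_unlock();
    }
    return NULL;
}

/* Old ordering: po->rollover is cleared before the grace period, so a reader
 * that already picked po out of f->arr can load NULL from it. */
static void release_before_fix(struct fanout *f, int idx, struct packet_sock *po)
{
    atomic_store(&f->arr[idx], (struct packet_sock *)NULL);                /* unlink */
    struct packet_rollover *ro = atomic_exchange(&po->rollover, (struct packet_rollover *)NULL);
    synchronize_net();
    free(ro);
}

/* Fixed ordering: unlink, wait for every in-flight reader, then tear down. */
static void release_after_fix(struct fanout *f, int idx, struct packet_sock *po)
{
    atomic_store(&f->arr[idx], (struct packet_sock *)NULL);
    synchronize_net();
    struct packet_rollover *ro = atomic_exchange(&po->rollover, (struct packet_rollover *)NULL);
    free(ro);
}

/* Run NCYCLES add/release cycles against NREADERS readers; returns how many
 * times a reader hit a NULL po->rollover. 0 is guaranteed for fixed != 0;
 * the old ordering usually reports > 0 but that depends on scheduling. */
int run_model(int fixed)
{
    static struct fanout f;
    static struct packet_sock socks[NSOCKS];
    pthread_t tid[NREADERS];
    struct rx_arg args[NREADERS];

    for (int i = 0; i < NSOCKS; i++) {
        atomic_store(&f.arr[i], (struct packet_sock *)NULL);
        atomic_store(&socks[i].rollover, (struct packet_rollover *)NULL);
    }
    for (int i = 0; i < NREADERS; i++)
        atomic_store(&reader_ctr[i], 0);
    atomic_store(&null_seen, 0);
    atomic_store(&stop, 0);

    for (int i = 0; i < NREADERS; i++) {
        args[i].f = &f;
        args[i].id = i;
        pthread_create(&tid[i], NULL, rx_thread, &args[i]);
    }
    for (int c = 0; c < NCYCLES; c++) {
        int idx = c % NSOCKS;
        struct packet_sock *po = &socks[idx];
        struct packet_rollover *ro = calloc(1, sizeof *ro);
        atomic_store(&po->rollover, ro);      /* fanout_add(): set only on success ... */
        atomic_store(&f.arr[idx], po);        /* ... then publish the socket in the group */
        if (fixed)
            release_after_fix(&f, idx, po);
        else
            release_before_fix(&f, idx, po);
    }
    atomic_store(&stop, 1);
    for (int i = 0; i < NREADERS; i++)
        pthread_join(tid[i], NULL);
    return atomic_load(&null_seen);
}

int main(void)
{
    printf("old ordering:   readers saw NULL po->rollover %d times\n", run_model(0));
    printf("fixed ordering: readers saw NULL po->rollover %d times\n", run_model(1));
    return 0;
}
```

The count for the old ordering varies with core count and scheduling and can be 0 on a single CPU; the property worth checking is that the fixed ordering never produces a NULL sighting, since every reader that could have picked po out of the array is inside a section the grace period waits for.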