tag bd94524ed4c2c32eb64ec3fc7f51e2267ddb82a2
tagger Todd Kjos <tkjos@google.com> Mon Mar 05 12:39:49 2018 -0800
object 1dd1f75276afb159c5b1d428ef0c798871312ac1

https://source.android.com/security/bulletin/2018-03-01
CVE-2016-8405
CVE-2017-13216
CVE-2017-17770
CVE-2017-15129
CVE-2017-16530
CVE-2017-16525
CVE-2017-5754
CVE-2017-16535
CVE-2017-16533
CVE-2017-16531
CVE-2017-16529

commit 1dd1f75276afb159c5b1d428ef0c798871312ac1
author Willem de Bruijn <willemb@google.com> Thu Aug 10 12:41:58 2017 -0400
committer Todd Kjos <tkjos@google.com> Wed Feb 28 15:21:04 2018 -0800
tree 51012303cc73fa7d77fb7b4e79e8087e6bc64dcd
parent c421ebb27fe6195bb6b4fd3de70d80273fe5162e

packet: fix tp_reserve race in packet_set_ring


[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in
packet_set_ring. Avoid this by holding the socket lock during
updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>