From: Eric Dumazet <eric.duma...@gmail.com>
Date: Tue, 28 Nov 2017 08:03:30 -0800
> From: Eric Dumazet <eduma...@google.com>
>
> syzbot reported crashes [1] and provided a C repro easing bug hunting.
>
> When/if packet_do_bind() calls __unregister_prot_hook() and releases
> po->bind_lock, another thread can run packet_notifier() and process a
> NETDEV_UP event.
>
> This calls register_prot_hook() and hooks the socket again right before
> the first thread is able to grab po->bind_lock again.
>
> Fix this issue by temporarily setting po->num to 0, as suggested by
> David Miller.
>
> [1] ...
>
> Fixes: 30f7ea1c2b5f ("packet: race condition in packet_bind")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: syzbot <syzkal...@googlegroups.com>
> Cc: Francesco Ruggeri <frugg...@aristanetworks.com>

Applied and queued up for -stable.
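The race in the commit message above, as an added illustration that is not part of the thread and not kernel code: a constructed, single-threaded user-space model that keeps only the fields and checks the race depends on (po->num, po->running, and the bind_lock drop inside __unregister_prot_hook()) and forces the NETDEV_UP notifier to run exactly in the unlocked window. The struct, the callback parameter on __unregister_prot_hook() and the sample protocol numbers are assumptions of this model; the control flow mirrors what the message describes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of struct packet_sock: only the fields involved in the race. */
struct packet_sock {
	unsigned short num;   /* bound protocol number; 0 means "no protocol" */
	bool running;         /* protocol hook currently registered */
};

/* Mirrors register_prot_hook(): installs the hook only if not already running. */
static void register_prot_hook(struct packet_sock *po)
{
	if (!po->running)
		po->running = true;   /* kernel: dev_add_pack() + sock_hold() */
}

/* Mirrors __unregister_prot_hook(sk, sync): removes the hook, then releases
 * po->bind_lock around synchronize_net() and re-takes it. `during_window`
 * (an assumption of this model) stands for whatever another CPU runs while
 * the lock is dropped. */
static void __unregister_prot_hook(struct packet_sock *po,
                                   void (*during_window)(struct packet_sock *))
{
	po->running = false;          /* kernel: dev_remove_pack() */
	/* spin_unlock(&po->bind_lock); synchronize_net(); */
	if (during_window)
		during_window(po);
	/* spin_lock(&po->bind_lock); */
}

/* Mirrors the NETDEV_UP branch of packet_notifier(): under bind_lock, it
 * re-registers the hook only if the socket still has a protocol number. */
static void packet_notifier_netdev_up(struct packet_sock *po)
{
	/* spin_lock(&po->bind_lock); */
	if (po->num)
		register_prot_hook(po);
	/* spin_unlock(&po->bind_lock); */
}

/* Mirrors the relevant part of packet_do_bind(). Returns true if the notifier
 * re-hooked the socket behind bind's back (the kernel's BUG_ON(po->running)
 * case), false if the rebind proceeded cleanly. */
static bool packet_do_bind(struct packet_sock *po, unsigned short proto, bool with_fix)
{
	bool rehooked;

	/* spin_lock(&po->bind_lock); */
	if (po->running) {
		if (with_fix)
			po->num = 0;  /* the fix: hide the proto from packet_notifier() */
		/* the notifier fires exactly in the unlocked window */
		__unregister_prot_hook(po, packet_notifier_netdev_up);
	}
	rehooked = po->running;       /* kernel: BUG_ON(po->running) */
	po->num = proto;
	register_prot_hook(po);
	/* spin_unlock(&po->bind_lock); */
	return rehooked;
}

/* One rebind from a constructed "already bound to ETH_P_IP" socket to
 * ETH_P_ARP; the protocol values are sample inputs, not taken from the thread. */
static bool simulate_rebind(bool with_fix)
{
	struct packet_sock po = { .num = 0x0800, .running = true };

	return packet_do_bind(&po, 0x0806, with_fix);
}

int main(void)
{
	printf("without fix: notifier re-hooked socket during bind = %s\n",
	       simulate_rebind(false) ? "yes" : "no");
	printf("with fix:    notifier re-hooked socket during bind = %s\n",
	       simulate_rebind(true) ? "yes" : "no");
	return 0;
}
```

Without the fix the notifier sees a non-zero po->num in the window and re-registers the hook, so bind re-takes the lock with po->running already set; with po->num cleared first, the notifier's check fails and bind alone decides when the hook comes back.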