From: Eric Dumazet <eduma...@google.com>
Date: Wed, 14 Aug 2019 02:11:57 -0700

> packet_sendmsg() checks tx_ring.pg_vec to decide
> if it must call tpacket_snd().
>
> Problem is that the check is lockless, meaning another thread
> can issue a concurrent setsockopt(PACKET_TX_RING ) to flip
> tx_ring.pg_vec back to NULL.
>
> Given that tpacket_snd() grabs pg_vec_lock mutex, we can
> perform the check again to solve the race.
>
> syzbot reported : ...
> Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: syzbot <syzkal...@googlegroups.com>

Applied and queued up for -stable.
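
The check-then-recheck pattern described in the quoted commit message, as an added userspace model that is not part of the original mail and is not the kernel patch. The struct layouts, the model_* function names, the hook parameter and the return codes are assumptions made for illustration; only the names pg_vec, tx_ring and pg_vec_lock come from the mail.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

/* Userspace model: names follow the mail, bodies and return codes are illustrative. */
struct ring { void *pg_vec; };
struct psock { struct ring tx_ring; pthread_mutex_t pg_vec_lock; };
typedef void (*race_hook)(struct psock *);

/* Stands in for setsockopt(PACKET_TX_RING) flipping pg_vec back to NULL. */
static void model_ring_teardown(struct psock *po)
{
    pthread_mutex_lock(&po->pg_vec_lock);
    po->tx_ring.pg_vec = NULL;
    pthread_mutex_unlock(&po->pg_vec_lock);
}

/* Stands in for tpacket_snd(). recheck=0 models the code before the fix.
 * -EFAULT marks the point where unfixed code would use a NULL pg_vec. */
static int model_tpacket_snd(struct psock *po, int recheck)
{
    int err = 0;

    pthread_mutex_lock(&po->pg_vec_lock);
    if (!po->tx_ring.pg_vec)
        err = recheck ? -EBUSY : -EFAULT;
    pthread_mutex_unlock(&po->pg_vec_lock);
    return err;
}

/* Stands in for packet_sendmsg(). `window` runs between the lockless check
 * and the locked section, playing the concurrent thread deterministically. */
static int model_packet_sendmsg(struct psock *po, int recheck, race_hook window)
{
    if (!po->tx_ring.pg_vec)   /* lockless check */
        return 1;              /* no TX ring: other send path */
    if (window)
        window(po);
    return model_tpacket_snd(po, recheck);
}

int main(void)
{
    static int frames;         /* constructed stand-in for the mapped ring */
    struct psock po = { { &frames }, PTHREAD_MUTEX_INITIALIZER };

    /* Ring torn down inside the window: the locked re-check reports it. */
    return model_packet_sendmsg(&po, 1, model_ring_teardown) == -EBUSY ? 0 : 1;
}
```

The hook replaces a real second thread so that the interleaving between the lockless check and the mutex acquisition is reproduced on every run.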