ptr_ring: wrap back ->producer in __ptr_ring_swap_queue()

__ptr_ring_swap_queue() tries to move pointers from the old
ring to the new one, but it forgets to check if ->producer
is beyond the new size at the end of the operation. This leads
to an out-of-bound access in __ptr_ring_produce() as reported
by syzbot.

Reported-by: [email protected]
Fixes: 5d49de5 ("ptr_ring: resize support")
Cc: "Michael S. Tsirkin" <[email protected]>
Cc: John Fastabend <[email protected]>
Cc: Jason Wang <[email protected]>
Signed-off-by: Cong Wang <[email protected]>
Acked-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

Author: congwang

include/linux/ptr_ring.h

@@ -573,6 +573,8 @@ static inline void **__ptr_ring_swap_queue(struct ptr_ring *r, void **queue,
 		else if (destroy)
 			destroy(ptr);
 
+	if (producer >= size)
+		producer = 0;
 	__ptr_ring_set_size(r, size);
 	r->producer = producer;
 	r->consumer_head = 0;