packet: fix race condition in packet_set_ring
[ Upstream commit
84ac7260236a49c79eede91617700174c2c19b0c ]
When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.
This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.
The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
[mainline backport of commit
5c120b79dd6601a987eb33214f2686e5b75f3c3e to resolve CVE-2016-8655]
Change-Id: I587603ef7796a4b227aa992a873fd6d5ec22774a
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>
projects / profile / wearable / platform / kernel / linux-3.18-exynos7270.git / commit