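--- linux-2.6.33/scripts/mod/modpost.c~ 2010-02-24 19:52:17.000000000 +0100
+++ linux-2.6.33/scripts/mod/modpost.c 2010-03-07 14:26:47.242168558 +0100
@@ -15,7 +15,8 @@
 #include <stdio.h>
 #include <ctype.h>
 #include "modpost.h"
-#include "../../include/generated/autoconf.h"
+// PLD architectures don't use CONFIG_SYMBOL_PREFIX
+//#include "../../include/generated/autoconf.h"
 #include "../../include/linux/license.h"
 
 /* Some toolchains use a `_' prefix for all user symbols. */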
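Review bot: Commenting out the `autoconf.h` include removes every CONFIG_* definition from modpost.c, not only CONFIG_SYMBOL_PREFIX, so any other `#ifdef CONFIG_...` further down the file (outside this hunk) would silently take its undefined branch; that should be confirmed against the rest of the file. If CONFIG_SYMBOL_PREFIX really is the only user, deleting the line and keeping the reason as `/* autoconf.h not included: PLD architectures don't use CONFIG_SYMBOL_PREFIX */` avoids carrying dead code in a `//` comment, where the visible comment in this file uses `/* */`.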
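--- linux-3.0/scripts/kconfig/lxdialog/check-lxdialog.sh~ 2011-07-22 04:17:23.000000000 +0200
+++ linux-3.0/scripts/kconfig/lxdialog/check-lxdialog.sh 2011-08-25 21:26:04.799150642 +0200
@@ -9,6 +9,12 @@
 $cc -print-file-name=lib${lib}.${ext} | grep -q /
 if [ $? -eq 0 ]; then
 echo "-l${lib}"
+ for libt in tinfow tinfo ; do
+ $cc -print-file-name=lib${libt}.${ext} | grep -q /
+ if [ $? -eq 0 ]; then
+ echo "-l${libt}"
+ fi
+ done
 exit
 fi
 done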
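Review bot: The added inner loop has no `break`, so when both libtinfow and libtinfo are installed it prints `-ltinfow` and `-ltinfo` together, and it tries tinfow first even when the outer loop matched a non-wide `${lib}`. Stopping at the first hit, `echo "-l${libt}"; break`, would emit a single terminfo library. Pairing the wide terminfo variant only with the wide curses library would need a change to the outer loop, which starts outside this hunk.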
ad2822a3 AM |
30 | From 84ac7260236a49c79eede91617700174c2c19b0c Mon Sep 17 00:00:00 2001 |
31 | From: Philip Pettersson <philip.pettersson@gmail.com> | |
32 | Date: Wed, 30 Nov 2016 14:55:36 -0800 | |
33 | Subject: packet: fix race condition in packet_set_ring | |
34 | ||
35 | When packet_set_ring creates a ring buffer it will initialize a | |
36 | struct timer_list if the packet version is TPACKET_V3. This value | |
37 | can then be raced by a different thread calling setsockopt to | |
38 | set the version to TPACKET_V1 before packet_set_ring has finished. | |
39 | ||
40 | This leads to a use-after-free on a function pointer in the | |
41 | struct timer_list when the socket is closed as the previously | |
42 | initialized timer will not be deleted. | |
43 | ||
44 | The bug is fixed by taking lock_sock(sk) in packet_setsockopt when | |
45 | changing the packet version while also taking the lock at the start | |
46 | of packet_set_ring. | |
47 | ||
48 | Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") | |
49 | Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com> | |
50 | Signed-off-by: Eric Dumazet <edumazet@google.com> | |
51 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
52 | --- | |
53 | net/packet/af_packet.c | 18 ++++++++++++------ | |
54 | 1 file changed, 12 insertions(+), 6 deletions(-) | |
55 | ||
56 | diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c | |
57 | index d2238b2..dd23323 100644 | |
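--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
 
 if (optlen != sizeof(val))
 return -EINVAL;
- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
- return -EBUSY;
 if (copy_from_user(&val, optval, sizeof(val)))
 return -EFAULT;
 switch (val) {
 case TPACKET_V1:
 case TPACKET_V2:
 case TPACKET_V3:
- po->tp_version = val;
- return 0;
+ break;
 default:
 return -EINVAL;
 }
+ lock_sock(sk);
+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
+ ret = -EBUSY;
+ } else {
+ po->tp_version = val;
+ ret = 0;
+ }
+ release_sock(sk);
+ return ret;
 }
 case PACKET_RESERVE:
 {
@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 /* Added to avoid minimal code churn */
 struct tpacket_req *req = &req_u->req;
 
+ lock_sock(sk);
 /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
 if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
 net_warn_ratelimited("Tx-ring is not supported.\n");
@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 goto out;
 }
 
- lock_sock(sk);
 
 /* Detach socket from network */
 spin_lock(&po->bind_lock);
@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 if (!tx_ring)
 prb_shutdown_retire_blk_timer(po, rb_queue);
 }
- release_sock(sk);
 
 if (pg_vec)
 free_pg_vec(pg_vec, order, req->tp_block_nr);
 out:
+ release_sock(sk);
 return err;
 }
 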
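Review bot: The locked check-then-set in the PACKET_VERSION case serialises only `po->tp_version` against packet_set_ring. The `case PACKET_RESERVE:` that begins right after it is outside the hunk, and if it tests `po->rx_ring.pg_vec || po->tx_ring.pg_vec` without the socket lock before writing a field that packet_set_ring reads, it presumably needs the same `lock_sock(sk)` / `release_sock(sk)` bracket. In packet_set_ring the lock is now taken before the first validation, so every exit between the new `lock_sock(sk);` and `out:` must be a `goto out`; the visible hunks show only `goto out`, but the code between them is not shown and should be checked for a bare `return`. A comment above the new `lock_sock(sk);`, such as `/* hold the socket lock so tp_version cannot change while the ring is set up */`, would record why the lock moved to the top.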
119 | -- | |
120 | cgit v0.12 | |
121 |