[packages/kernel.git] / kernel-small_fixes.patch

--- linux-2.6.33/scripts/mod/modpost.c~	2010-02-24 19:52:17.000000000 +0100
+++ linux-2.6.33/scripts/mod/modpost.c	2010-03-07 14:26:47.242168558 +0100
@@ -15,7 +15,8 @@
 #include <stdio.h>
 #include <ctype.h>
 #include "modpost.h"
-#include "../../include/generated/autoconf.h"
+// PLD architectures don't use CONFIG_SYMBOL_PREFIX
+//#include "../../include/generated/autoconf.h"
 #include "../../include/linux/license.h"
 
 /* Some toolchains use a `_' prefix for all user symbols. */

--- linux-3.0/scripts/kconfig/lxdialog/check-lxdialog.sh~	2011-07-22 04:17:23.000000000 +0200
+++ linux-3.0/scripts/kconfig/lxdialog/check-lxdialog.sh	2011-08-25 21:26:04.799150642 +0200
@@ -9,6 +9,12 @@
 			$cc -print-file-name=lib${lib}.${ext} | grep -q /
 			if [ $? -eq 0 ]; then
 				echo "-l${lib}"
+				for libt in tinfow tinfo ; do
+					$cc -print-file-name=lib${libt}.${ext} | grep -q /
+					if [ $? -eq 0 ]; then
+						echo "-l${libt}"
+					fi
+				done
 				exit
 			fi
 		done

From 84ac7260236a49c79eede91617700174c2c19b0c Mon Sep 17 00:00:00 2001
From: Philip Pettersson <philip.pettersson@gmail.com>
Date: Wed, 30 Nov 2016 14:55:36 -0800
Subject: packet: fix race condition in packet_set_ring

When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.

This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.

Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/packet/af_packet.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index d2238b2..dd23323 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
 
 		if (optlen != sizeof(val))
 			return -EINVAL;
-		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
-			return -EBUSY;
 		if (copy_from_user(&val, optval, sizeof(val)))
 			return -EFAULT;
 		switch (val) {
 		case TPACKET_V1:
 		case TPACKET_V2:
 		case TPACKET_V3:
-			po->tp_version = val;
-			return 0;
+			break;
 		default:
 			return -EINVAL;
 		}
+		lock_sock(sk);
+		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
+			ret = -EBUSY;
+		} else {
+			po->tp_version = val;
+			ret = 0;
+		}
+		release_sock(sk);
+		return ret;
 	}
 	case PACKET_RESERVE:
 	{
@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 	/* Added to avoid minimal code churn */
 	struct tpacket_req *req = &req_u->req;
 
+	lock_sock(sk);
 	/* Opening a Tx-ring is NOT supported in TPACKET_V3 */
 	if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
 		net_warn_ratelimited("Tx-ring is not supported.\n");
@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 			goto out;
 	}
 
-	lock_sock(sk);
 
 	/* Detach socket from network */
 	spin_lock(&po->bind_lock);
@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 		if (!tx_ring)
 			prb_shutdown_retire_blk_timer(po, rb_queue);
 	}
-	release_sock(sk);
 
 	if (pg_vec)
 		free_pg_vec(pg_vec, order, req->tp_block_nr);
 out:
+	release_sock(sk);
 	return err;
 }
 
-- 
cgit v0.12
Commit	Line	Data
08aa9d92	1	--- linux-2.6.33/scripts/mod/modpost.c~ 2010-02-24 19:52:17.000000000 +0100
	2	+++ linux-2.6.33/scripts/mod/modpost.c 2010-03-07 14:26:47.242168558 +0100
	3	@@ -15,7 +15,8 @@
	4	#include <stdio.h>
	5	#include <ctype.h>
	6	#include "modpost.h"
	7	-#include "../../include/generated/autoconf.h"
	8	+// PLD architectures don't use CONFIG_SYMBOL_PREFIX
	9	+//#include "../../include/generated/autoconf.h"
	10	#include "../../include/linux/license.h"
	11
	12	/* Some toolchains use a `_' prefix for all user symbols. */
	13
2136e199 AM	14	--- linux-3.0/scripts/kconfig/lxdialog/check-lxdialog.sh~ 2011-07-22 04:17:23.000000000 +0200
	15	+++ linux-3.0/scripts/kconfig/lxdialog/check-lxdialog.sh 2011-08-25 21:26:04.799150642 +0200
	16	@@ -9,6 +9,12 @@
	17	$cc -print-file-name=lib${lib}.${ext} \| grep -q /
	18	if [ $? -eq 0 ]; then
	19	echo "-l${lib}"
	20	+ for libt in tinfow tinfo ; do
	21	+ $cc -print-file-name=lib${libt}.${ext} \| grep -q /
	22	+ if [ $? -eq 0 ]; then
	23	+ echo "-l${libt}"
	24	+ fi
	25	+ done
	26	exit
	27	fi
	28	done
746b5ec8	29
ad2822a3 AM	30	From 84ac7260236a49c79eede91617700174c2c19b0c Mon Sep 17 00:00:00 2001
	31	From: Philip Pettersson <philip.pettersson@gmail.com>
	32	Date: Wed, 30 Nov 2016 14:55:36 -0800
	33	Subject: packet: fix race condition in packet_set_ring
	34
	35	When packet_set_ring creates a ring buffer it will initialize a
	36	struct timer_list if the packet version is TPACKET_V3. This value
	37	can then be raced by a different thread calling setsockopt to
	38	set the version to TPACKET_V1 before packet_set_ring has finished.
	39
	40	This leads to a use-after-free on a function pointer in the
	41	struct timer_list when the socket is closed as the previously
	42	initialized timer will not be deleted.
	43
	44	The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
	45	changing the packet version while also taking the lock at the start
	46	of packet_set_ring.
	47
	48	Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
	49	Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
	50	Signed-off-by: Eric Dumazet <edumazet@google.com>
	51	Signed-off-by: David S. Miller <davem@davemloft.net>
	52	---
	53	net/packet/af_packet.c \| 18 ++++++++++++------
	54	1 file changed, 12 insertions(+), 6 deletions(-)
	55
	56	diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
	57	index d2238b2..dd23323 100644
	58	--- a/net/packet/af_packet.c
	59	+++ b/net/packet/af_packet.c
	60	@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket sock, int level, int optname, char __user optv
	61
	62	if (optlen != sizeof(val))
	63	return -EINVAL;
	64	- if (po->rx_ring.pg_vec \|\| po->tx_ring.pg_vec)
	65	- return -EBUSY;
	66	if (copy_from_user(&val, optval, sizeof(val)))
	67	return -EFAULT;
	68	switch (val) {
	69	case TPACKET_V1:
	70	case TPACKET_V2:
	71	case TPACKET_V3:
	72	- po->tp_version = val;
	73	- return 0;
	74	+ break;
	75	default:
	76	return -EINVAL;
	77	}
	78	+ lock_sock(sk);
	79	+ if (po->rx_ring.pg_vec \|\| po->tx_ring.pg_vec) {
	80	+ ret = -EBUSY;
	81	+ } else {
	82	+ po->tp_version = val;
	83	+ ret = 0;
	84	+ }
	85	+ release_sock(sk);
	86	+ return ret;
	87	}
	88	case PACKET_RESERVE:
	89	{
	90	@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock sk, union tpacket_req_u req_u,
	91	/* Added to avoid minimal code churn */
	92	struct tpacket_req *req = &req_u->req;
	93
94	+ lock_sock(sk);
95	/* Opening a Tx-ring is NOT supported in TPACKET_V3 */
96	if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
97	net_warn_ratelimited("Tx-ring is not supported.\n");
98	@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock sk, union tpacket_req_u req_u,
99	goto out;
100	}
101
102	- lock_sock(sk);
103
104	/* Detach socket from network */
105	spin_lock(&po->bind_lock);
106	@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock sk, union tpacket_req_u req_u,
107	if (!tx_ring)
108	prb_shutdown_retire_blk_timer(po, rb_queue);
109	}
110	- release_sock(sk);
111
112	if (pg_vec)
113	free_pg_vec(pg_vec, order, req->tp_block_nr);
114	out:
115	+ release_sock(sk);
116	return err;
117	}
118
119	--
120	cgit v0.12
121