diff --git a/core/linux-veyron/0001-use-chromiumos-mwifiex-drivers.patch b/core/linux-veyron/0001-use-chromiumos-mwifiex-drivers.patch index cced69008..42636c64b 100644 --- a/core/linux-veyron/0001-use-chromiumos-mwifiex-drivers.patch +++ b/core/linux-veyron/0001-use-chromiumos-mwifiex-drivers.patch @@ -1,7 +1,7 @@ -From 2e7904c0c6d9d925c70accd700ecbd6cc758c695 Mon Sep 17 00:00:00 2001 +From c5a733c580e965955b293ecab06193461843f491 Mon Sep 17 00:00:00 2001 From: Kevin Mihelich Date: Thu, 25 Jun 2015 20:35:06 -0600 -Subject: [PATCH 1/4] use chromiumos mwifiex drivers +Subject: [PATCH 1/5] use chromiumos mwifiex drivers Signed-off-by: Kevin Mihelich --- @@ -26,5 +26,5 @@ index f9ee413..9686025 100644 #define BLOCK_MODE 1 -- -2.6.1 +2.10.2 diff --git a/core/linux-veyron/0002-mwifiex-do-not-create-AP-and-P2P-interfaces-upon-dri.patch b/core/linux-veyron/0002-mwifiex-do-not-create-AP-and-P2P-interfaces-upon-dri.patch index 80c346964..42f67092d 100644 --- a/core/linux-veyron/0002-mwifiex-do-not-create-AP-and-P2P-interfaces-upon-dri.patch +++ b/core/linux-veyron/0002-mwifiex-do-not-create-AP-and-P2P-interfaces-upon-dri.patch @@ -1,7 +1,7 @@ -From 2e45da7882fa7e8bce60b84310327a8a170a963a Mon Sep 17 00:00:00 2001 +From bde359ee42983c145ed4210c4d4ad0a95830da7c Mon Sep 17 00:00:00 2001 From: Bing Zhao Date: Mon, 19 Aug 2013 16:10:21 -0700 -Subject: [PATCH 2/4] mwifiex: do not create AP and P2P interfaces upon driver +Subject: [PATCH 2/5] mwifiex: do not create AP and P2P interfaces upon driver loading Bug 60747 - 1286:2044 [Microsoft Surface Pro] @@ -62,5 +62,5 @@ index e43afc1..587f4ae 100644 mwifiex_drv_get_driver_version(adapter, fmt, sizeof(fmt) - 1); -- -2.6.1 +2.10.2 diff --git a/core/linux-veyron/0003-UPSTREAM-soc-rockchip-add-handler-for-usb-uart-funct.patch b/core/linux-veyron/0003-UPSTREAM-soc-rockchip-add-handler-for-usb-uart-funct.patch index 43668ece8..5d130aa61 100644 --- a/core/linux-veyron/0003-UPSTREAM-soc-rockchip-add-handler-for-usb-uart-funct.patch 
+++ b/core/linux-veyron/0003-UPSTREAM-soc-rockchip-add-handler-for-usb-uart-funct.patch @@ -1,7 +1,7 @@ -From 276e58952f3f333bcd8dcca621d05499aa46ea6d Mon Sep 17 00:00:00 2001 +From fc3adbec0da5402a6a40291592b87cb91bd09ca9 Mon Sep 17 00:00:00 2001 From: Heiko Stuebner Date: Mon, 25 May 2015 16:38:07 +0200 -Subject: [PATCH 3/4] UPSTREAM: soc/rockchip: add handler for usb-uart +Subject: [PATCH 3/5] UPSTREAM: soc/rockchip: add handler for usb-uart functionality Some Rockchip SoCs provide the possibility to use a usb-phy as passthru for @@ -25,7 +25,7 @@ Signed-off-by: Alexandru M Stan create mode 100644 drivers/soc/rockchip/rockchip_usb_uart.c diff --git a/drivers/soc/Kconfig b/drivers/soc/Kconfig -index 1ee0b57..ad2f71a 100644 +index 1ee0b57..ad2f71ab 100644 --- a/drivers/soc/Kconfig +++ b/drivers/soc/Kconfig @@ -2,6 +2,7 @@ menu "SOC (System On Chip) specific Drivers" @@ -302,5 +302,5 @@ index 0000000..97754f9 +} +early_param("rockchip.usb_uart", rockchip_usb_uart); -- -2.6.1 +2.10.2 diff --git a/core/linux-veyron/0004-fix-brcmfmac-oops-and-race-condition.patch b/core/linux-veyron/0004-fix-brcmfmac-oops-and-race-condition.patch index 6947d8aef..098fb0a0f 100644 --- a/core/linux-veyron/0004-fix-brcmfmac-oops-and-race-condition.patch +++ b/core/linux-veyron/0004-fix-brcmfmac-oops-and-race-condition.patch @@ -1,7 +1,7 @@ -From a50240ffd6743509d23a673bb04710496c660860 Mon Sep 17 00:00:00 2001 +From 946a8583ff41dbafab2cd2447702bd3aa0df81af Mon Sep 17 00:00:00 2001 From: Kevin Mihelich Date: Thu, 2 Jul 2015 17:48:41 -0600 -Subject: [PATCH 4/4] fix brcmfmac oops and race condition +Subject: [PATCH 4/5] fix brcmfmac oops and race condition This fixes a potential null pointer dereference by checking if null before freeing the vif struct. @@ -89,5 +89,5 @@ index 05d4042..7006d19 100644 /* -- -2.6.1 +2.10.2 
diff --git a/core/linux-veyron/0005-packet-fix-race-condition-in-packet_set_ring.patch b/core/linux-veyron/0005-packet-fix-race-condition-in-packet_set_ring.patch
new file mode 100644
index 000000000..c29fc728c
--- /dev/null
+++ b/core/linux-veyron/0005-packet-fix-race-condition-in-packet_set_ring.patch
@@ -0,0 +1,92 @@
+From 0cce8f784e9e13abfe1d4b2af0c217bed9529fd0 Mon Sep 17 00:00:00 2001
+From: Philip Pettersson
+Date: Wed, 30 Nov 2016 14:55:36 -0800
+Subject: [PATCH 5/5] packet: fix race condition in packet_set_ring
+
+When packet_set_ring creates a ring buffer it will initialize a
+struct timer_list if the packet version is TPACKET_V3. This value
+can then be raced by a different thread calling setsockopt to
+set the version to TPACKET_V1 before packet_set_ring has finished.
+
+This leads to a use-after-free on a function pointer in the
+struct timer_list when the socket is closed as the previously
+initialized timer will not be deleted.
+
+The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
+changing the packet version while also taking the lock at the start
+of packet_set_ring.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Signed-off-by: Philip Pettersson
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+---
+ net/packet/af_packet.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index c434589..5ea0bff 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3280,19 +3280,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+ switch (val) {
+ case TPACKET_V1:
+ case TPACKET_V2:
+ case TPACKET_V3:
+- po->tp_version = val;
+- return 0;
++ break;
+ default:
+ return -EINVAL;
+ }
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_version = val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_RESERVE:
+ {
+@@ -3755,6 +3761,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ /*
Added to avoid minimal code churn */
+ struct tpacket_req *req = &req_u->req;
+
++ lock_sock(sk);
+ /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
+ if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
+ WARN(1, "Tx-ring is not supported.\n");
+@@ -3832,7 +3839,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ goto out;
+ }
+
+- lock_sock(sk);
+
+ /* Detach socket from network */
+ spin_lock(&po->bind_lock);
+@@ -3881,11 +3887,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ if (!tx_ring)
+ prb_shutdown_retire_blk_timer(po, tx_ring, rb_queue);
+ }
+- release_sock(sk);
+
+ if (pg_vec)
+ free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
++ release_sock(sk);
+ return err;
+ }
+
+--
+2.10.2
+
diff --git a/core/linux-veyron/PKGBUILD b/core/linux-veyron/PKGBUILD
index 2aa18d948..310828d41 100644
--- a/core/linux-veyron/PKGBUILD
+++ b/core/linux-veyron/PKGBUILD
@@ -7,8 +7,8 @@ pkgbase=linux-veyron
 _kernelname=${pkgbase#linux}
 _desc="Veyron Chromebooks"
 pkgver=3.14.0
-pkgrel=22
-_commit=768362c86a0e84d52cde438effa1d7721b8f300a
+pkgrel=23
+_commit=2086ef885b4c29d03ebe8a1836def9f966d41593
 arch=('armv7h')
 url="https://chromium.googlesource.com/chromiumos/third_party/kernel/+/chromeos-3.14"
 license=('GPL2')
@@ -21,6 +21,7 @@ source=("https://chromium.googlesource.com/chromiumos/third_party/kernel/+archiv
 '0002-mwifiex-do-not-create-AP-and-P2P-interfaces-upon-dri.patch'
 '0003-UPSTREAM-soc-rockchip-add-handler-for-usb-uart-funct.patch'
 '0004-fix-brcmfmac-oops-and-race-condition.patch'
+ '0005-packet-fix-race-condition-in-packet_set_ring.patch'
 'config'
 'kernel.its'
 'kernel.keyblock'
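Review bot: In the new 0005 patch file, the `case PACKET_RESERVE:` shown as trailing context of the first inner hunk is not touched by this fix, and its body lies outside the hunk, so it cannot be seen here whether its ring check runs under the socket lock. If that case still tests `po->rx_ring.pg_vec || po->tx_ring.pg_vec` without `lock_sock(sk)`, it can presumably race with packet_set_ring in the same way as the version change did, and it would need the same `lock_sock(sk)` / `release_sock(sk)` bracket; the same goes for any other option in this switch that gates on pg_vec. The patch header records only the local `From` hash, so a trailer such as `(backported from upstream commit <UPSTREAM_COMMIT_ID>)` would let a later maintainer compare this copy against the upstream fix.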
@@ -28,15 +29,16 @@ source=("https://chromium.googlesource.com/chromiumos/third_party/kernel/+archiv
 'cmdline'
 'brcmfmac4354-sdio.txt'
 '99-veyron-brcm.rules')
-md5sums=('5f8b6fab02e9303e183753a200e8d3f0'
+md5sums=('395ad52e3059997ebc87fa4427019e21'
 'bda543cb5943eac34e16d12911f3ee99'
 '5e2d7cd74de07d13052de99411c13a2f'
 '1534c1dbfe5df35a5634072f7b912840'
 '20f8931f3795e5226829d48c3d470334'
- 'e8f97028325c3999285839e521bb0f6e'
- '29ac9b84b8f84fbeb78ed32e049fcea5'
- '0a923f72b30570ceae127cb82a0ea432'
- '22ad496bbbece67f9a825a2d60d8dc25'
+ '16c6e2e181ff23623c1004951322b848'
+ '4677e9178fe6d3b043d03929cca029be'
+ '87e12764d5545b1fc0300f896ed4d368'
+ 'f716682a9992b3b88841854575c851fd'
+ '8f03e6c72db84edb7b429a2a934f69c8'
 '2e57d5a525a9ec3ad0eb87178f0c4e9f'
 '761d2e8cef38584b9e2f478e8096e458'
 '61c5ff73c136ed07a7aadbf58db3d96a'
@@ -50,6 +52,7 @@ prepare() {
 git apply 0002-mwifiex-do-not-create-AP-and-P2P-interfaces-upon-dri.patch
 git apply 0003-UPSTREAM-soc-rockchip-add-handler-for-usb-uart-funct.patch
 git apply 0004-fix-brcmfmac-oops-and-race-condition.patch
+ git apply 0005-packet-fix-race-condition-in-packet_set_ring.patch
 cp config .config
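Review bot: The regenerated `md5sums=(...)` array in the PKGBUILD checksum hunk still pins the kernel archive and every patch, including the newly added 0005 security fix, with MD5 only. MD5 is not collision resistant, so this check catches accidental corruption but gives little assurance against a deliberately substituted source file. makepkg accepts a `sha256sums=(...)` array in the same order as `source=(...)`, so the array could be switched when the sums are next regenerated. The array continues past the end of this hunk, so the change would cover all entries, not just the ones shown.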