Linux v4.8-rc4-119-ge4e98c4
							parent
							
								
									aaaae68f00
								
							
						
					
					
						commit
						a5b5f8c65c
					
				| @ -1,73 +0,0 @@ | |||||||
| From 9f30f83eb6347afa6b1d1df1065608c2b4485e2b Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Eric Dumazet <edumazet@google.com> |  | ||||||
| Date: Tue, 23 Aug 2016 13:59:33 -0700 |  | ||||||
| Subject: [PATCH] udp: fix poll() issue with zero sized packets |  | ||||||
| 
 |  | ||||||
| Laura tracked poll() [and friends] regression caused by commit |  | ||||||
| e6afc8ace6dd ("udp: remove headers from UDP packets before queueing") |  | ||||||
| 
 |  | ||||||
| udp_poll() needs to know if there is a valid packet in receive queue, |  | ||||||
| even if its payload length is 0. |  | ||||||
| 
 |  | ||||||
| Change first_packet_length() to return an signed int, and use -1 |  | ||||||
| as the indication of an empty queue. |  | ||||||
| 
 |  | ||||||
| Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing") |  | ||||||
| Reported-by: Laura Abbott <labbott@redhat.com> |  | ||||||
| Signed-off-by: Eric Dumazet <edumazet@google.com> |  | ||||||
| Tested-by: Laura Abbott <labbott@redhat.com> |  | ||||||
| ---
 |  | ||||||
|  net/ipv4/udp.c | 12 ++++++------ |  | ||||||
|  1 file changed, 6 insertions(+), 6 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
 |  | ||||||
| index e61f7cd..00d18c5 100644
 |  | ||||||
| --- a/net/ipv4/udp.c
 |  | ||||||
| +++ b/net/ipv4/udp.c
 |  | ||||||
| @@ -1182,13 +1182,13 @@ out:
 |  | ||||||
|   *	@sk: socket |  | ||||||
|   * |  | ||||||
|   *	Drops all bad checksum frames, until a valid one is found. |  | ||||||
| - *	Returns the length of found skb, or 0 if none is found.
 |  | ||||||
| + *	Returns the length of found skb, or -1 if none is found.
 |  | ||||||
|   */ |  | ||||||
| -static unsigned int first_packet_length(struct sock *sk)
 |  | ||||||
| +static int first_packet_length(struct sock *sk)
 |  | ||||||
|  { |  | ||||||
|  	struct sk_buff_head list_kill, *rcvq = &sk->sk_receive_queue; |  | ||||||
|  	struct sk_buff *skb; |  | ||||||
| -	unsigned int res;
 |  | ||||||
| +	int res;
 |  | ||||||
|   |  | ||||||
|  	__skb_queue_head_init(&list_kill); |  | ||||||
|   |  | ||||||
| @@ -1203,7 +1203,7 @@ static unsigned int first_packet_length(struct sock *sk)
 |  | ||||||
|  		__skb_unlink(skb, rcvq); |  | ||||||
|  		__skb_queue_tail(&list_kill, skb); |  | ||||||
|  	} |  | ||||||
| -	res = skb ? skb->len : 0;
 |  | ||||||
| +	res = skb ? skb->len : -1;
 |  | ||||||
|  	spin_unlock_bh(&rcvq->lock); |  | ||||||
|   |  | ||||||
|  	if (!skb_queue_empty(&list_kill)) { |  | ||||||
| @@ -1232,7 +1232,7 @@ int udp_ioctl(struct sock *sk, int cmd, unsigned long arg)
 |  | ||||||
|   |  | ||||||
|  	case SIOCINQ: |  | ||||||
|  	{ |  | ||||||
| -		unsigned int amount = first_packet_length(sk);
 |  | ||||||
| +		int amount = max_t(int, 0, first_packet_length(sk));
 |  | ||||||
|   |  | ||||||
|  		return put_user(amount, (int __user *)arg); |  | ||||||
|  	} |  | ||||||
| @@ -2184,7 +2184,7 @@ unsigned int udp_poll(struct file *file, struct socket *sock, poll_table *wait)
 |  | ||||||
|   |  | ||||||
|  	/* Check for false positives due to checksum errors */ |  | ||||||
|  	if ((mask & POLLRDNORM) && !(file->f_flags & O_NONBLOCK) && |  | ||||||
| -	    !(sk->sk_shutdown & RCV_SHUTDOWN) && !first_packet_length(sk))
 |  | ||||||
| +	    !(sk->sk_shutdown & RCV_SHUTDOWN) && first_packet_length(sk) == -1)
 |  | ||||||
|  		mask &= ~(POLLIN | POLLRDNORM); |  | ||||||
|   |  | ||||||
|  	return mask; |  | ||||||
| -- 
 |  | ||||||
| 2.7.4 |  | ||||||
| 
 |  | ||||||
							
								
								
									
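--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-3eab887a55424fc2c27553b7bfe32330df83f7b8
+e4e98c460ad38c78498622a164fd5ef09a2dc9cb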
							
								
								
									
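--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 2
+%global baserelease 1
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 4
 # The git snapshot level
-%define gitrev 0
+%define gitrev 1
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -605,12 +605,6 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
 #rhbz 1200901 (There should be something better upstream at some point)
 Patch842: qxl-reapply-cursor-after-SetCrtc-calls.patch
 
-#CVE-2016-6828 rhbz 1367091,1367092
-Patch843: tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
-
-#rhbz 1365940
-Patch844: 0001-udp-fix-poll-issue-with-zero-sized-packets.patch
-
 # From kernel list, currently in linux-next
 Patch845: HID-microsoft-Add-Surface-4-type-cover-pro-4-JP.patch
 
@@ -2156,6 +2150,9 @@ fi
 #
 #
 %changelog
+* Tue Aug 30 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.0-0.rc4.git1.1
+- Linux v4.8-rc4-119-ge4e98c4
+
 * Mon Aug 29 2016 Laura Abbott <labbott@fedoraproject.org>
 - Add event decoding fix (rhbz 1360688)
 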
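Review bot: The new %changelog entry records only the snapshot version, while the hunk at line 605 silently drops Patch843 (the CVE-2016-6828 tcp use-after-free fix, rhbz 1367091,1367092) and Patch844 (rhbz 1365940), so the security fix vanishes from the package history without any reference surviving. Presumably both landed upstream in the v4.8-rc4-119-ge4e98c4 snapshot, but nothing in this commit states that, and a reader auditing which build first carried the CVE fix cannot tell from the spec alone. Add a line to the new entry such as `- Drop CVE-2016-6828 (rhbz 1367091,1367092) and rhbz 1365940 patches, now in the upstream snapshot` so the CVE and bug identifiers outlive the patch removal.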
							
								
								
									
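--- a/sources
+++ b/sources
@@ -1,3 +1,4 @@
 5276563eb1f39a048e4a8a887408c031  linux-4.7.tar.xz
 fe259c02c75eec61d1aa4b1211f3c853  perf-man-4.7.tar.gz
 a0c0753ff460ff35ef9908ecc97fa943  patch-4.8-rc4.xz
+885fc3f5570fd07d2742dd75cb0c0aea  patch-4.8-rc4-git1.xz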
| @ -1,46 +0,0 @@ | |||||||
| From: Eric Dumazet <edumazet@google.com> |  | ||||||
| Date: 2016-08-17 12:56:26 |  | ||||||
| Subject: [PATCH net] tcp: fix use after free in tcp_xmit_retransmit_queue() |  | ||||||
| 
 |  | ||||||
| When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the |  | ||||||
| tail of the write queue using tcp_add_write_queue_tail() |  | ||||||
| 
 |  | ||||||
| Then it attempts to copy user data into this fresh skb. |  | ||||||
| 
 |  | ||||||
| If the copy fails, we undo the work and remove the fresh skb. |  | ||||||
| 
 |  | ||||||
| Unfortunately, this undo lacks the change done to tp->highest_sack and |  | ||||||
| we can leave a dangling pointer (to a freed skb) |  | ||||||
| 
 |  | ||||||
| Later, tcp_xmit_retransmit_queue() can dereference this pointer and |  | ||||||
| access freed memory. For regular kernels where memory is not unmapped, |  | ||||||
| this might cause SACK bugs because tcp_highest_sack_seq() is buggy, |  | ||||||
| returning garbage instead of tp->snd_nxt, but with various debug |  | ||||||
| features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel. |  | ||||||
| 
 |  | ||||||
| This bug was found by Marco Grassi thanks to syzkaller. |  | ||||||
| 
 |  | ||||||
| Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb") |  | ||||||
| Reported-by: Marco Grassi <marco.gra@gmail.com> |  | ||||||
| Signed-off-by: Eric Dumazet <edumazet@google.com> |  | ||||||
| Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> |  | ||||||
| Cc: Yuchung Cheng <ycheng@google.com> |  | ||||||
| Cc: Neal Cardwell <ncardwell@google.com> |  | ||||||
| ---
 |  | ||||||
|  include/net/tcp.h |    2 ++ |  | ||||||
|  1 file changed, 2 insertions(+) |  | ||||||
| 
 |  | ||||||
| diff --git a/include/net/tcp.h b/include/net/tcp.h
 |  | ||||||
| index c00e7d51bb18..7717302cab91 100644
 |  | ||||||
| --- a/include/net/tcp.h
 |  | ||||||
| +++ b/include/net/tcp.h
 |  | ||||||
| @@ -1523,6 +1523,8 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
 |  | ||||||
|  { |  | ||||||
|  	if (sk->sk_send_head == skb_unlinked) |  | ||||||
|  		sk->sk_send_head = NULL; |  | ||||||
| +	if (tcp_sk(sk)->highest_sack == skb_unlinked)
 |  | ||||||
| +		tcp_sk(sk)->highest_sack = NULL;
 |  | ||||||
|  } |  | ||||||
|   |  | ||||||
|  static inline void tcp_init_send_head(struct sock *sk) |  | ||||||
| 
 |  | ||||||