Linux v4.9.13
This commit is contained in:
parent
0a79c585b4
commit
0e485e9d06
|
@ -1,47 +0,0 @@
|
|||
From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001
|
||||
From: Andrey Konovalov <andreyknvl@google.com>
|
||||
Date: Thu, 16 Feb 2017 17:22:46 +0100
|
||||
Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
|
||||
|
||||
In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
|
||||
is forcibly freed via __kfree_skb in dccp_rcv_state_process if
|
||||
dccp_v6_conn_request successfully returns.
|
||||
|
||||
However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
|
||||
is saved to ireq->pktopts and the ref count for skb is incremented in
|
||||
dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
|
||||
in dccp_rcv_state_process.
|
||||
|
||||
Fix by calling consume_skb instead of doing goto discard and therefore
|
||||
calling __kfree_skb.
|
||||
|
||||
Similar fixes for TCP:
|
||||
|
||||
fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
|
||||
0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
|
||||
simply consumed
|
||||
|
||||
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Acked-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/dccp/input.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/dccp/input.c b/net/dccp/input.c
|
||||
index ba34718..8fedc2d 100644
|
||||
--- a/net/dccp/input.c
|
||||
+++ b/net/dccp/input.c
|
||||
@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
|
||||
if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
|
||||
skb) < 0)
|
||||
return 1;
|
||||
- goto discard;
|
||||
+ consume_skb(skb);
|
||||
+ return 0;
|
||||
}
|
||||
if (dh->dccph_type == DCCP_PKT_RESET)
|
||||
goto discard;
|
||||
--
|
||||
cgit v0.12
|
||||
|
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 12
|
||||
%define stable_update 13
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -646,9 +646,6 @@ Patch861: w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch
|
|||
#rhbz 1422969
|
||||
Patch862: rt2800-warning.patch
|
||||
|
||||
#CVE-2017-6074
|
||||
Patch863: dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2196,6 +2193,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Feb 27 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.13-200
|
||||
- Linux v4.9.13
|
||||
|
||||
* Thu Feb 23 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.12-200
|
||||
- Linux v4.9.12
|
||||
|
||||
|
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
|
||||
SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
|
||||
SHA512 (patch-4.9.12.xz) = 52314315fe960b3b4b11021a5a8a6271bd8a7e3f9f63cd983f72cf7585ac95408872ab48074d2cd578d681a64e10607ba69157a3fed14663736f20c5c2a78b0a
|
||||
SHA512 (patch-4.9.13.xz) = d7956cc8a4ab11514789af4f1f7023268e4b003216766c153f0f09aac659aabda5de634b363d53f8daeddfcf5820619c5bca31ff5f9aeb187c1df016c05f68d5
|
||||
|
|
Loading…
Reference in New Issue