From 8fd61b3a447c3ddd8aceafae6b4623bd36f95dda Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Tue, 23 Aug 2016 16:52:53 -0700 Subject: [PATCH] Fix for inabiltiy to send zero sized UDP packets (rhbz 1365940) --- ...x-poll-issue-with-zero-sized-packets.patch | 73 +++++++++++++++++++ kernel.spec | 6 ++ 2 files changed, 79 insertions(+) create mode 100644 0001-udp-fix-poll-issue-with-zero-sized-packets.patch diff --git a/0001-udp-fix-poll-issue-with-zero-sized-packets.patch b/0001-udp-fix-poll-issue-with-zero-sized-packets.patch new file mode 100644 index 000000000..f5edf2340 --- /dev/null +++ b/0001-udp-fix-poll-issue-with-zero-sized-packets.patch @@ -0,0 +1,73 @@ +From 9f30f83eb6347afa6b1d1df1065608c2b4485e2b Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 23 Aug 2016 13:59:33 -0700 +Subject: [PATCH] udp: fix poll() issue with zero sized packets + +Laura tracked poll() [and friends] regression caused by commit +e6afc8ace6dd ("udp: remove headers from UDP packets before queueing") + +udp_poll() needs to know if there is a valid packet in receive queue, +even if its payload length is 0. + +Change first_packet_length() to return an signed int, and use -1 +as the indication of an empty queue. + +Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing") +Reported-by: Laura Abbott +Signed-off-by: Eric Dumazet +Tested-by: Laura Abbott +--- + net/ipv4/udp.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index e61f7cd..00d18c5 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1182,13 +1182,13 @@ out: + * @sk: socket + * + * Drops all bad checksum frames, until a valid one is found. +- * Returns the length of found skb, or 0 if none is found. ++ * Returns the length of found skb, or -1 if none is found. + */ +-static unsigned int first_packet_length(struct sock *sk) ++static int first_packet_length(struct sock *sk) + { + struct sk_buff_head list_kill, *rcvq = &sk->sk_receive_queue; + struct sk_buff *skb; +- unsigned int res; ++ int res; + + __skb_queue_head_init(&list_kill); + +@@ -1203,7 +1203,7 @@ static unsigned int first_packet_length(struct sock *sk) + __skb_unlink(skb, rcvq); + __skb_queue_tail(&list_kill, skb); + } +- res = skb ? skb->len : 0; ++ res = skb ? skb->len : -1; + spin_unlock_bh(&rcvq->lock); + + if (!skb_queue_empty(&list_kill)) { +@@ -1232,7 +1232,7 @@ int udp_ioctl(struct sock *sk, int cmd, unsigned long arg) + + case SIOCINQ: + { +- unsigned int amount = first_packet_length(sk); ++ int amount = max_t(int, 0, first_packet_length(sk)); + + return put_user(amount, (int __user *)arg); + } +@@ -2184,7 +2184,7 @@ unsigned int udp_poll(struct file *file, struct socket *sock, poll_table *wait) + + /* Check for false positives due to checksum errors */ + if ((mask & POLLRDNORM) && !(file->f_flags & O_NONBLOCK) && +- !(sk->sk_shutdown & RCV_SHUTDOWN) && !first_packet_length(sk)) ++ !(sk->sk_shutdown & RCV_SHUTDOWN) && first_packet_length(sk) == -1) + mask &= ~(POLLIN | POLLRDNORM); + + return mask; +-- +2.7.4 + diff --git a/kernel.spec b/kernel.spec index 940c65a42..980ae3f7b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -612,6 +612,9 @@ Patch842: qxl-reapply-cursor-after-SetCrtc-calls.patch #CVE-2016-6828 rhbz 1367091,1367092 Patch843: tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch +#rhbz 1365940 +Patch844: 0001-udp-fix-poll-issue-with-zero-sized-packets.patch + # END OF PATCH DEFINITIONS %endif @@ -2146,6 +2149,9 @@ fi # # %changelog +* Tue Aug 23 2016 Laura Abbott +- Fix for inabiltiy to send zero sized UDP packets (rhbz 1365940) + * Tue Aug 23 2016 Peter Robinson - Qualcomm QDF2432 errata fix - Move to upstream patches for ACPI SPCR (serial console)