CVE-2014-0100 net: inet frag race condition use-after-free (rhbz 1072026 1070618)

kernel.spec

@@ -785,6 +785,9 @@ Patch25029: audit-don-t-generate-loginuid-log-when-audit-disable.patch
 #CVE-2014-0101 rhbz 1072029 1070705
 Patch25030: net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
 
+#CVE-2014-0100 rhbz 1072026 1070618
+Patch25031: net-fix-for-a-race-condition-in-the-inet-frag-code.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1516,6 +1519,9 @@ ApplyPatch audit-don-t-generate-loginuid-log-when-audit-disable.patch
 #CVE-2014-0101 rhbz 1072029 1070705
 ApplyPatch net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capable.patch
 
+#CVE-2014-0100 rhbz 1072026 1070618
+ApplyPatch net-fix-for-a-race-condition-in-the-inet-frag-code.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2329,6 +2335,7 @@ fi
 
 %changelog
 * Mon Mar 03 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-0100 net: inet frag race condition use-after-free (rhbz 1072026 1070618)
 - CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705)
 - Fix overly verbose audit logs (rhbz 1066064)
 

net-fix-for-a-race-condition-in-the-inet-frag-code.patch

@@ -0,0 +1,19 @@
+Bugzilla: 1070618
+Upstream-status: submitted http://patchwork.ozlabs.org/patch/325844/
+
+diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
+index bb075fc9a14f..322dcebfc588 100644
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -278,9 +278,10 @@ static struct inet_frag_queue *inet_frag_intern(struct netns_frags *nf,
+ 
+ 	atomic_inc(&qp->refcnt);
+ 	hlist_add_head(&qp->list, &hb->chain);
++	inet_frag_lru_add(nf, qp);
+ 	spin_unlock(&hb->chain_lock);
+ 	read_unlock(&f->lock);
+-	inet_frag_lru_add(nf, qp);
++
+ 	return qp;
+ }
+