author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-08-20 09:21:06 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-08-20 09:21:06 -0700 |
commit | 9b6f72efa19e65b7bf716e61933c771b6bb182fb (patch) | |
tree | 28155cee6903f6aa00cc4e42ae3fa2df0b78f440 | |
parent | ed0894e877d31e882b07bfa7bbf31a9abcb51a65 (diff) | |
download | queue-3.18-9b6f72efa19e65b7bf716e61933c771b6bb182fb.tar.gz |
drop patch
-rw-r--r-- | series | 1 | ||||
-rw-r--r-- | tcp-clear-sk_send_head-after-purging-the-write-queue.patch | 56 |
2 files changed, 0 insertions, 57 deletions
@@ -1,6 +1,5 @@ usb-iowarrior-fix-deadlock-on-disconnect.patch sound-fix-a-memory-leak-bug.patch -tcp-clear-sk_send_head-after-purging-the-write-queue.patch perf-db-export-fix-thread__exec_comm.patch usb-yurex-fix-use-after-free-in-yurex_delete.patch can-peak_usb-fix-potential-double-kfree_skb.patch diff --git a/tcp-clear-sk_send_head-after-purging-the-write-queue.patch b/tcp-clear-sk_send_head-after-purging-the-write-queue.patch deleted file mode 100644 index 91a6c72..0000000 --- a/tcp-clear-sk_send_head-after-purging-the-write-queue.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From ben@decadent.org.uk Tue Aug 13 20:28:54 2019 -From: Ben Hutchings <ben@decadent.org.uk> -Date: Tue, 13 Aug 2019 12:53:17 +0100 -Subject: tcp: Clear sk_send_head after purging the write queue -To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org> -Cc: stable@vger.kernel.org, Denis Andzakovic <denis.andzakovic@pulsesecurity.co.nz>, Salvatore Bonaccorso <carnil@debian.org>, Eric Dumazet <edumazet@google.com> -Message-ID: <20190813115317.6cgml2mckd3c6u7z@decadent.org.uk> -Content-Disposition: inline - -From: Ben Hutchings <ben@decadent.org.uk> - -Denis Andzakovic discovered a potential use-after-free in older kernel -versions, using syzkaller. tcp_write_queue_purge() frees all skbs in -the TCP write queue and can leave sk->sk_send_head pointing to freed -memory. tcp_disconnect() clears that pointer after calling -tcp_write_queue_purge(), but tcp_connect() does not. It is -(surprisingly) possible to add to the write queue between -disconnection and reconnection, so this needs to be done in both -places. - -This bug was introduced by backports of commit 7f582b248d0a ("tcp: -purge write queue in tcp_connect_init()") and does not exist upstream -because of earlier changes in commit 75c119afe14f ("tcp: implement -rb-tree based retransmit queue"). The latter is a major change that's -not suitable for stable. 
- -Reported-by: Denis Andzakovic <denis.andzakovic@pulsesecurity.co.nz> -Bisected-by: Salvatore Bonaccorso <carnil@debian.org> -Fixes: 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()") -Cc: <stable@vger.kernel.org> # before 4.15 -Cc: Eric Dumazet <edumazet@google.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - include/net/tcp.h | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -1375,6 +1375,8 @@ struct tcp_fastopen_context { - struct rcu_head rcu; - }; - -+static inline void tcp_init_send_head(struct sock *sk); -+ - /* write queue abstraction */ - static inline void tcp_write_queue_purge(struct sock *sk) - { -@@ -1382,6 +1384,7 @@ static inline void tcp_write_queue_purge - - while ((skb = __skb_dequeue(&sk->sk_write_queue)) != NULL) - sk_wmem_free_skb(sk, skb); -+ tcp_init_send_head(sk); - sk_mem_reclaim(sk); - tcp_clear_all_retrans_hints(tcp_sk(sk)); - inet_csk(sk)->icsk_backoff = 0; |
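Review bot: The `series` hunk removes the `tcp-clear-sk_send_head-after-purging-the-write-queue.patch` entry, but the commit message is only "drop patch" and gives no reason. Since the entry being removed is a use-after-free fix, the message should say why it is dropped from this queue (does not apply, breaks the build, not needed here, or superseded) so that someone auditing the 3.18 queue later can tell a deliberate decision from an accidental omission.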
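Review bot: In the deleted patch file, the `Fixes: 7f582b248d0a` and `Cc: <stable@vger.kernel.org> # before 4.15` tags say the bug exists wherever that commit was backported, and a 3.18 queue falls inside that range, so the drop needs a check that this tree does not carry a backport of 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()"). If it does, removing the `tcp_init_send_head(sk);` call from `tcp_write_queue_purge()` leaves `sk->sk_send_head` pointing at freed skbs on the `tcp_connect()` path, which is the case the patch description calls out. Suggest recording the result of that check in the commit message, or keeping the patch queued until it is confirmed.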