diff options
author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-10-10 23:17:52 -0600 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-10-10 23:17:52 -0600 |
commit | 41202e4d9625d25815ad331ba5466e5b5f4e79b8 (patch) | |
tree | c2ae87da8f4eab171c8b90bc22240f8ed3c52631 | |
parent | 171d0389ae01af629cb54fb8fd24dce20366e616 (diff) | |
download | stable-queue-41202e4d9625d25815ad331ba5466e5b5f4e79b8.tar.gz |
3.0 patches
-rw-r--r-- | queue-3.0/ipv6-fix-null-dereference-in-udp6_ufo_fragment.patch | 103 | ||||
-rw-r--r-- | queue-3.0/series | 1 |
2 files changed, 104 insertions, 0 deletions
diff --git a/queue-3.0/ipv6-fix-null-dereference-in-udp6_ufo_fragment.patch b/queue-3.0/ipv6-fix-null-dereference-in-udp6_ufo_fragment.patch new file mode 100644 index 0000000000..52369424ff --- /dev/null +++ b/queue-3.0/ipv6-fix-null-dereference-in-udp6_ufo_fragment.patch @@ -0,0 +1,103 @@ +From jasowang@redhat.com Sat Oct 8 20:56:54 2011 +Subject: ipv6: fix NULL dereference in udp6_ufo_fragment() +To: gregkh@suse.de, stable@kernel.org +From: Jason Wang <jasowang@redhat.com> +Cc: davem@davemloft.net, eric.dumazet@gmail.com +Date: Sun, 09 Oct 2011 10:56:44 +0800 +Message-ID: <20111009025644.9437.53281.stgit@dhcp-8-146.nay.redhat.com> + +From: Jason Wang <jasowang@redhat.com> + +This patch fixes the issue caused by ef81bb40bf15f350fe865f31fa42f1082772a576 +which is a backport of upstream 87c48fa3b4630905f98268dde838ee43626a060c. The +problem does not exist in upstream. + +We do not check whether route is attached before trying to assign ip +identification through route dest which lead NULL pointer dereference. This +happens when host bridge transmit a packet from guest. + +This patch changes ipv6_select_ident() to accept in6_addr as its paramter and +fix the issue by using the destination address in ipv6 header when no route is +attached. + +Signed-off-by: Jason Wang <jasowang@redhat.com> +Acked-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + include/net/ipv6.h | 2 +- + net/ipv6/ip6_output.c | 10 +++++----- + net/ipv6/udp.c | 4 +++- + 3 files changed, 9 insertions(+), 7 deletions(-) + +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -463,7 +463,7 @@ static inline int ipv6_addr_diff(const s + return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr)); + } + +-extern void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt); ++extern void ipv6_select_ident(struct frag_hdr *fhdr, struct in6_addr *addr); + + /* + * Prototypes exported by ipv6 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -620,9 +620,9 @@ static u32 __ipv6_select_ident(const str + return hash + newid; + } + +-void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) ++void ipv6_select_ident(struct frag_hdr *fhdr, struct in6_addr *addr) + { +- fhdr->identification = htonl(__ipv6_select_ident(&rt->rt6i_dst.addr)); ++ fhdr->identification = htonl(__ipv6_select_ident(addr)); + } + + int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *)) +@@ -709,7 +709,7 @@ int ip6_fragment(struct sk_buff *skb, in + skb_reset_network_header(skb); + memcpy(skb_network_header(skb), tmp_hdr, hlen); + +- ipv6_select_ident(fh, rt); ++ ipv6_select_ident(fh, &rt->rt6i_dst.addr); + fh->nexthdr = nexthdr; + fh->reserved = 0; + fh->frag_off = htons(IP6_MF); +@@ -855,7 +855,7 @@ slow_path: + fh->nexthdr = nexthdr; + fh->reserved = 0; + if (!frag_id) { +- ipv6_select_ident(fh, rt); ++ ipv6_select_ident(fh, &rt->rt6i_dst.addr); + frag_id = fh->identification; + } else + fh->identification = frag_id; +@@ -1146,7 +1146,7 @@ static inline int ip6_ufo_append_data(st + skb_shinfo(skb)->gso_size = (mtu - fragheaderlen - + sizeof(struct frag_hdr)) & ~7; + skb_shinfo(skb)->gso_type = SKB_GSO_UDP; +- ipv6_select_ident(&fhdr, rt); ++ ipv6_select_ident(&fhdr, &rt->rt6i_dst.addr); + skb_shinfo(skb)->ip6_frag_id = fhdr.identification; + __skb_queue_tail(&sk->sk_write_queue, skb); + +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1309,6 +1309,7 @@ static struct sk_buff *udp6_ufo_fragment + u8 frag_hdr_sz = sizeof(struct frag_hdr); + int offset; + __wsum csum; ++ struct rt6_info *rt = (struct rt6_info *)skb_dst(skb); + + mss = skb_shinfo(skb)->gso_size; + if (unlikely(skb->len <= mss)) +@@ -1359,7 +1360,8 @@ static struct sk_buff *udp6_ufo_fragment + fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen); + fptr->nexthdr = nexthdr; + fptr->reserved = 0; +- ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb)); ++ ipv6_select_ident(fptr, ++ rt ? &rt->rt6i_dst.addr : &ipv6_hdr(skb)->daddr); + + /* Fragment the skb. ipv6 header and the remaining fields of the + * fragment header are updated in ipv6_gso_segment() diff --git a/queue-3.0/series b/queue-3.0/series index 99d0b521be..b7eaa79d57 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -31,3 +31,4 @@ exec-do-not-call-request_module-twice-from-search_binary_handler.patch arm-mach-ux500-enable-fix-for-arm-errata-754322.patch drm-radeon-kms-retry-aux-transactions-if-there-are-status-flags.patch drm-radeon-kms-use-hardcoded-dig-encoder-to-transmitter-mapping-for-dce4.1.patch +ipv6-fix-null-dereference-in-udp6_ufo_fragment.patch |