Merge remote-tracking branch 'origin/f25' into f25-user-thl-vanilla-fedorakernel-4.9.12-200.vanilla.knurd.1.fc25

3 files changed, 58 insertions, 2 deletions

diff --git a/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch b/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
new file mode 100644
index 000000000..433fd4b2b
--- /dev/null
+++ b/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
@@ -0,0 +1,47 @@
+From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Thu, 16 Feb 2017 17:22:46 +0100
+Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
+
+In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
+is forcibly freed via __kfree_skb in dccp_rcv_state_process if
+dccp_v6_conn_request successfully returns.
+
+However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
+is saved to ireq->pktopts and the ref count for skb is incremented in
+dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
+in dccp_rcv_state_process.
+
+Fix by calling consume_skb instead of doing goto discard and therefore
+calling __kfree_skb.
+
+Similar fixes for TCP:
+
+fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
+0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
+simply consumed
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/dccp/input.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/dccp/input.c b/net/dccp/input.c
+index ba34718..8fedc2d 100644
+--- a/net/dccp/input.c
++++ b/net/dccp/input.c
+@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ 			if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
+ 								    skb) < 0)
+ 				return 1;
+-			goto discard;
++			consume_skb(skb);
++			return 0;
+ 		}
+ 		if (dh->dccph_type == DCCP_PKT_RESET)
+ 			goto discard;
+-- 
+cgit v0.12
+
diff --git a/kernel.spec b/kernel.spec
index d0f47f820..358cf1446 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -58,7 +58,7 @@ Summary: The Linux kernel
 %define stable_rc 0
 
 # Do we have a -stable update to apply?
-%define stable_update 11
+%define stable_update 12
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -663,6 +663,9 @@ Patch861: w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch
 #rhbz 1422969
 Patch862: rt2800-warning.patch
 
+#CVE-2017-6074
+Patch863: dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2213,6 +2216,12 @@ fi
 #
 #
 %changelog
+* Thu Feb 23 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.12-200
+- Linux v4.9.12
+
+* Wed Feb 22 2017 Justin M. Forbes <jforbes@fedoraproject.org> 
+- CVE-2017-6074 DCCP double-free vulnerability
+
 * Mon Feb 20 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.11-200
 - Linux v4.9.11
 - Fix rt2800 warning (rhbz 1422969)
diff --git a/sources b/sources
index d34f194b7..20f1904fb 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
 SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
-SHA512 (patch-4.9.11.xz) = 7683628b011fa1462b5838301ebabc3eebaefcd50f65600be55bcf0102578ca07589c7683ef84b8d5300bd05795655fb21e1c145f5663d30593fc1801c163bc3
+SHA512 (patch-4.9.12.xz) = 52314315fe960b3b4b11021a5a8a6271bd8a7e3f9f63cd983f72cf7585ac95408872ab48074d2cd578d681a64e10607ba69157a3fed14663736f20c5c2a78b0a