diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-05-17 09:03:07 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-05-17 11:14:02 -0400 |
commit | 6116861edf2be2615467c0f189153f95badf7e58 (patch) | |
tree | 4cde55ba426e107151683f8b4356c2a1d9d97b84 /net-inet-fix-race-in-reqsk_queue_unlink.patch | |
parent | 59915d41e79894c3ddd27a6a83e74b3991b23451 (diff) | |
download | kernel-6116861edf2be2615467c0f189153f95badf7e58.tar.gz kernel-6116861edf2be2615467c0f189153f95badf7e58.tar.xz kernel-6116861edf2be2615467c0f189153f95badf7e58.zip |
Linux v4.6
- Disable CONFIG_DEBUG_VM_PGFLAGS on non debug kernels (rhbz 1335173)
- CVE-2016-3713 kvm: out-of-bounds access in set_var_mtrr_msr (rhbz 1332139 1336410)
Diffstat (limited to 'net-inet-fix-race-in-reqsk_queue_unlink.patch')
-rw-r--r-- | net-inet-fix-race-in-reqsk_queue_unlink.patch | 76 |
1 files changed, 0 insertions, 76 deletions
diff --git a/net-inet-fix-race-in-reqsk_queue_unlink.patch b/net-inet-fix-race-in-reqsk_queue_unlink.patch deleted file mode 100644 index 744084314..000000000 --- a/net-inet-fix-race-in-reqsk_queue_unlink.patch +++ /dev/null @@ -1,76 +0,0 @@ -From patchwork Thu Oct 1 12:39:26 2015 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [net] inet: fix race in reqsk_queue_unlink() -From: Eric Dumazet <eric.dumazet@gmail.com> -X-Patchwork-Id: 524966 -Message-Id: <1443703166.32531.47.camel@edumazet-glaptop2.roam.corp.google.com> -To: David Miller <davem@davemloft.net> -Cc: netdev <netdev@vger.kernel.org>, Yuchung Cheng <ycheng@google.com> -Date: Thu, 01 Oct 2015 05:39:26 -0700 - -From: Eric Dumazet <edumazet@google.com> - -reqsk_timer_handler() tests if icsk_accept_queue.listen_opt -is NULL at its beginning. - -By the time it calls inet_csk_reqsk_queue_drop() and -reqsk_queue_unlink(), listener might have been closed and -inet_csk_listen_stop() had called reqsk_queue_yank_acceptq() -which sets icsk_accept_queue.listen_opt to NULL - -We therefore need to correctly check listen_opt being NULL -after holding syn_wait_lock for proper synchronization. - -Fixes: fa76ce7328b2 ("inet: get rid of central tcp/dccp listener timer") -Fixes: b357a364c57c ("inet: fix possible panic in reqsk_queue_unlink()") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Cc: Yuchung Cheng <ycheng@google.com> ---- - net/ipv4/inet_connection_sock.c | 19 ++++++++++--------- - 1 file changed, 10 insertions(+), 9 deletions(-) - - - --- -To unsubscribe from this list: send the line "unsubscribe netdev" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c -index 7bb9c39e0a4d..61b45a17fc73 100644 ---- a/net/ipv4/inet_connection_sock.c -+++ b/net/ipv4/inet_connection_sock.c -@@ -577,21 +577,22 @@ EXPORT_SYMBOL(inet_rtx_syn_ack); - static bool reqsk_queue_unlink(struct request_sock_queue *queue, - struct request_sock *req) - { -- struct listen_sock *lopt = queue->listen_opt; - struct request_sock **prev; -+ struct listen_sock *lopt; - bool found = false; - - spin_lock(&queue->syn_wait_lock); -- -- for (prev = &lopt->syn_table[req->rsk_hash]; *prev != NULL; -- prev = &(*prev)->dl_next) { -- if (*prev == req) { -- *prev = req->dl_next; -- found = true; -- break; -+ lopt = queue->listen_opt; -+ if (lopt) { -+ for (prev = &lopt->syn_table[req->rsk_hash]; *prev != NULL; -+ prev = &(*prev)->dl_next) { -+ if (*prev == req) { -+ *prev = req->dl_next; -+ found = true; -+ break; -+ } - } - } -- - spin_unlock(&queue->syn_wait_lock); - if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer)) - reqsk_put(req); |