From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:58138 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752338AbcKRKhi (ORCPT
        <rfc822;stable@vger.kernel.org>); Fri, 18 Nov 2016 05:37:38 -0500
Subject: Patch "tcp: fix potential memory corruption" has been added to the 4.8-stable tree
To: edumazet@google.com, davem@davemloft.net,
        gregkh@linuxfoundation.org, haakon.bugge@oracle.com,
        hans.westgaard.ry@oracle.com
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
From: <gregkh@linuxfoundation.org>
Date: Fri, 18 Nov 2016 11:37:15 +0100
Message-ID: <147946543548156@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    tcp: fix potential memory corruption

to the 4.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tcp-fix-potential-memory-corruption.patch
and it can be found in the queue-4.8 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From foo@baz Fri Nov 18 11:35:46 CET 2016
From: Eric Dumazet <edumazet@google.com>
Date: Wed, 2 Nov 2016 07:53:17 -0700
Subject: tcp: fix potential memory corruption

From: Eric Dumazet <edumazet@google.com>


[ Upstream commit ac9e70b17ecd7c6e933ff2eaf7ab37429e71bf4d ]

Imagine initial value of max_skb_frags is 17, and last
skb in write queue has 15 frags.

Then max_skb_frags is lowered to 14 or smaller value.

tcp_sendmsg() will then be allowed to add additional page frags
and eventually go past MAX_SKB_FRAGS, overflowing struct
skb_shared_info.

Fixes: 5f74f82ea34c ("net:Add sysctl_max_skb_frags")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Hans Westgaard Ry <hans.westgaard.ry@oracle.com>
Cc: Håkon Bugge <haakon.bugge@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1219,7 +1219,7 @@ new_segment:
 
 			if (!skb_can_coalesce(skb, i, pfrag->page,
 					      pfrag->offset)) {
-				if (i == sysctl_max_skb_frags || !sg) {
+				if (i >= sysctl_max_skb_frags || !sg) {
 					tcp_mark_push(tp, skb);
 					goto new_segment;
 				}


Patches currently in stable-queue which might be from edumazet@google.com are

queue-4.8/net-__skb_flow_dissect-must-cap-its-return-value.patch
queue-4.8/tcp-take-care-of-truncations-done-by-sk_filter.patch
queue-4.8/net-clear-sk_err_soft-in-sk_clone_lock.patch
queue-4.8/dccp-do-not-release-listeners-too-soon.patch
queue-4.8/net-mangle-zero-checksum-in-skb_checksum_help.patch
queue-4.8/tcp-fix-return-value-for-partial-writes.patch
queue-4.8/ipv6-dccp-fix-out-of-bound-access-in-dccp_v6_err.patch
queue-4.8/ipv6-dccp-add-missing-bind_conflict-to-dccp_ipv6_mapped.patch
queue-4.8/tcp-fix-potential-memory-corruption.patch
queue-4.8/dccp-do-not-send-reset-to-already-closed-sockets.patch
queue-4.8/dccp-fix-out-of-bound-access-in-dccp_v4_err.patch
queue-4.8/sock-fix-sendmmsg-for-partial-sendmsg.patch