From: Greg KH <gregkh@linuxfoundation.org>
To: Thomas Deutschmann <whissi@gentoo.org>
Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>,
	andreyknvl@google.com, edumazet@google.com, davem@davemloft.net
Subject: Re: Please cherry-pick 5edabca9d4cf (CVE-2017-6074) for all stable kernels
Date: Thu, 23 Feb 2017 18:57:45 +0100
Message-ID: <20170223175745.GA13067@kroah.com>
In-Reply-To: <c89c3a47-dd27-f749-deb4-2a1f348f86e5@gentoo.org>

On Thu, Feb 23, 2017 at 06:35:04PM +0100, Thomas Deutschmann wrote:
> Hi,
> 
> haven't seen commit
> 
> > From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001
> > From: Andrey Konovalov <andreyknvl@google.com>
> > Date: Thu, 16 Feb 2017 17:22:46 +0100
> > Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
> > 
> > In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
> > is forcibly freed via __kfree_skb in dccp_rcv_state_process if
> > dccp_v6_conn_request successfully returns.
> > 
> > However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
> > is saved to ireq->pktopts and the ref count for skb is incremented in
> > dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
> > in dccp_rcv_state_process.
> > 
> > Fix by calling consume_skb instead of doing goto discard and therefore
> > calling __kfree_skb.
> > 
> > Similar fixes for TCP:
> > 
> > fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
> > 0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
> > simply consumed
> > 
> > Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
> > Acked-by: Eric Dumazet <edumazet@google.com>
> > Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> in recent LTS kernel releases (3.2.85, 3.16.40, 4.4.51, 4.9.12...) nor
> found any information that this patch is queued.

That's because it was released after those kernels were under review :)

Also, networking patches for stable trees come from the networking
maintainer, you can always check:
	http://patchwork.ozlabs.org/bundle/davem/stable/?submitter=&state=*&q=&archive=

to see what has been marked to be sent for stable kernels.

Hope this helps,

greg k-h
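
Added example, not part of the original e-mail or of the kernel patch: a user-space C model of the reference-count mismatch the quoted commit message describes, with the forced free next to the reference-aware release. All type and function names are hypothetical stand-ins, and the `live` flag replaces a real free so the dangling pointer can be observed without undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model of a reference-counted packet buffer (hypothetical
 * names; not kernel code). "live" stands in for the memory being valid,
 * so the dangling case can be checked safely. */
struct buf { int users; bool live; };
struct req { struct buf *pktopts; };   /* models ireq->pktopts */

/* Models __kfree_skb(): releases the buffer without looking at users. */
static void buf_force_free(struct buf *b) { b->live = false; }

/* Models consume_skb(): drops one reference, frees only on the last one. */
static void buf_consume(struct buf *b)
{
    if (--b->users == 0)
        b->live = false;
}

/* Models a successful dccp_v6_conn_request(): with IPV6_RECVPKTINFO set,
 * the request keeps a pointer to the buffer and takes its own reference. */
static void conn_request(struct req *r, struct buf *b, bool recvpktinfo)
{
    if (recvpktinfo) {
        b->users++;
        r->pktopts = b;
    }
}

/* Models the REQUEST path in dccp_rcv_state_process(). Returns true when
 * the request is left holding a pointer to a released buffer. */
static bool request_path_dangles(bool recvpktinfo, bool fixed)
{
    struct buf b = { .users = 1, .live = true };
    struct req r = { .pktopts = NULL };
    conn_request(&r, &b, recvpktinfo);
    if (fixed)
        buf_consume(&b);      /* caller drops only its own reference */
    else
        buf_force_free(&b);   /* old behaviour: goto discard */
    return r.pktopts != NULL && !r.pktopts->live;
}

int main(void)
{
    printf("old path dangles: %d, fixed path dangles: %d\n",
           request_path_dangles(true, false), request_path_dangles(true, true));
    return 0;
}
```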
