From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail333.us4.mandrillapp.com ([205.201.137.77]:45909 "EHLO
	mail333.us4.mandrillapp.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1752752AbcB2Wpc (ORCPT
	<rfc822;stable@vger.kernel.org>); Mon, 29 Feb 2016 17:45:32 -0500
Received: from pmta03.dal05.mailchimp.com (127.0.0.1) by mail333.us4.mandrillapp.com id hqj50o174no8 for <stable@vger.kernel.org>; Mon, 29 Feb 2016 22:45:15 +0000 (envelope-from <bounce-md_30481620.56d4c9fa.v1-f531a960f73b47059f27a6f657c389e9@mandrillapp.com>)
From: <gregkh@linuxfoundation.org>
Subject: Patch "tcp: md5: release request socket instead of listener" has been added to the 4.4-stable tree
To: <edumazet@google.com>, <davem@davemloft.net>,
	<gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
Message-Id: <14567859133122@kroah.com>
Date: Mon, 29 Feb 2016 22:45:15 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    tcp: md5: release request socket instead of listener

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tcp-md5-release-request-socket-instead-of-listener.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From foo@baz Mon Feb 29 14:33:50 PST 2016
From: Eric Dumazet <edumazet@google.com>
Date: Thu, 11 Feb 2016 22:50:29 -0800
Subject: tcp: md5: release request socket instead of listener

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 729235554d805c63e5e274fcc6a98e71015dd847 ]

If tcp_v4_inbound_md5_hash() returns an error, we must release
the refcount on the request socket, not on the listener.

The bug was added for IPv4 only.

Fixes: 079096f103fac ("tcp/dccp: install syn_recv requests into ehash table")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_ipv4.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1597,8 +1597,10 @@ process:
 		struct sock *nsk = NULL;
 
 		sk = req->rsk_listener;
-		if (tcp_v4_inbound_md5_hash(sk, skb))
-			goto discard_and_relse;
+		if (unlikely(tcp_v4_inbound_md5_hash(sk, skb))) {
+			reqsk_put(req);
+			goto discard_it;
+		}
 		if (likely(sk->sk_state == TCP_LISTEN)) {
 			nsk = tcp_check_req(sk, skb, req, false);
 		} else {


Patches currently in stable-queue which might be from edumazet@google.com are

queue-4.4/ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch
queue-4.4/tcp-dccp-fix-another-race-at-listener-dismantle.patch
queue-4.4/ipv6-fix-a-lockdep-splat.patch
queue-4.4/ipv6-addrconf-fix-recursive-spin-lock-call.patch
queue-4.4/tcp-do-not-drop-syn_recv-on-all-icmp-reports.patch
queue-4.4/tcp-beware-of-alignments-in-tcp_get_info.patch
queue-4.4/tcp-md5-release-request-socket-instead-of-listener.patch
queue-4.4/gro-make-gro-aware-of-lightweight-tunnels.patch
queue-4.4/tcp-fix-null-deref-in-tcp_v4_send_ack.patch
queue-4.4/af_unix-fix-struct-pid-memory-leak.patch
queue-4.4/net-add-sysctl_max_skb_frags.patch