Patch "xfrm: Copy policy family in clone_policy" has been added to the 4.9-stable tree

[<gregkh@linuxfoundation.org>]

This is a note to let you know that I've just added the patch titled

    xfrm: Copy policy family in clone_policy

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfrm-copy-policy-family-in-clone_policy.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Tue Dec 12 13:26:17 CET 2017
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Fri, 10 Nov 2017 14:14:06 +1100
Subject: xfrm: Copy policy family in clone_policy

From: Herbert Xu <herbert@gondor.apana.org.au>


[ Upstream commit 0e74aa1d79a5bbc663e03a2804399cae418a0321 ]

The syzbot found an ancient bug in the IPsec code.  When we cloned
a socket policy (for example, for a child TCP socket derived from a
listening socket), we did not copy the family field.  This results
in a live policy with a zero family field.  This triggers a BUG_ON
check in the af_key code when the cloned policy is retrieved.

This patch fixes it by copying the family field over.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_policy.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1393,6 +1393,7 @@ static struct xfrm_policy *clone_policy(
 		newp->xfrm_nr = old->xfrm_nr;
 		newp->index = old->index;
 		newp->type = old->type;
+		newp->family = old->family;
 		memcpy(newp->xfrm_vec, old->xfrm_vec,
 		       newp->xfrm_nr*sizeof(struct xfrm_tmpl));
 		spin_lock_bh(&net->xfrm.xfrm_policy_lock);


Patches currently in stable-queue which might be from herbert@gondor.apana.org.au are

queue-4.9/xfrm-copy-policy-family-in-clone_policy.patch
queue-4.9/crypto-talitos-fix-aead-for-sha224-on-non-sha224-capable-chips.patch
queue-4.9/crypto-talitos-fix-memory-corruption-on-sec2.patch
queue-4.9/crypto-talitos-fix-use-of-sg_link_tbl_len.patch
queue-4.9/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch
queue-4.9/crypto-talitos-fix-setkey-to-check-key-weakness.patch
queue-4.9/crypto-talitos-fix-aead-test-failures.patch
queue-4.9/crypto-talitos-fix-ctr-aes-talitos.patch