From c5f3a05cb1f15fd276dbfd2e652cc228138c9acf Mon Sep 17 00:00:00 2001
From: André Fabian Silva Delgado
Date: Sun, 8 Jan 2017 13:59:41 -0300
Subject: linux-libre-4.9.1_gnu-1: updating version
---
.../net_handle_no_dst_on_skb_in_icmp6_send.patch | 68 ----------------------
1 file changed, 68 deletions(-)
delete mode 100644 libre/linux-libre/net_handle_no_dst_on_skb_in_icmp6_send.patch
(limited to 'libre/linux-libre/net_handle_no_dst_on_skb_in_icmp6_send.patch')
diff --git a/libre/linux-libre/net_handle_no_dst_on_skb_in_icmp6_send.patch b/libre/linux-libre/net_handle_no_dst_on_skb_in_icmp6_send.patch
deleted file mode 100644
index 06448a90a..000000000
--- a/libre/linux-libre/net_handle_no_dst_on_skb_in_icmp6_send.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2 Mon Sep 17 00:00:00 2001
-From: David Ahern
-Date: Sun, 27 Nov 2016 18:52:53 -0800
-Subject: [PATCH] net: handle no dst on skb in icmp6_send
-
-Andrey reported the following while fuzzing the kernel with syzkaller:
-
-kasan: CONFIG_KASAN_INLINE enabled
-kasan: GPF could be caused by NULL-ptr deref or user memory access
-general protection fault: 0000 [#1] SMP KASAN
-Modules linked in:
-CPU: 0 PID: 3859 Comm: a.out Not tainted 4.9.0-rc6+ #429
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
-task: ffff8800666d4200 task.stack: ffff880067348000
-RIP: 0010:[] []
-icmp6_send+0x5fc/0x1e30 net/ipv6/icmp.c:451
-RSP: 0018:ffff88006734f2c0 EFLAGS: 00010206
-RAX: ffff8800666d4200 RBX: 0000000000000000 RCX: 0000000000000000
-RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000018
-RBP: ffff88006734f630 R08: ffff880064138418 R09: 0000000000000003
-R10: dffffc0000000000 R11: 0000000000000005 R12: 0000000000000000
-R13: ffffffff84e7e200 R14: ffff880064138484 R15: ffff8800641383c0
-FS: 00007fb3887a07c0(0000) GS:ffff88006cc00000(0000) knlGS:0000000000000000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: 0000000020000000 CR3: 000000006b040000 CR4: 00000000000006f0
-Stack:
- ffff8800666d4200 ffff8800666d49f8 ffff8800666d4200 ffffffff84c02460
- ffff8800666d4a1a 1ffff1000ccdaa2f ffff88006734f498 0000000000000046
- ffff88006734f440 ffffffff832f4269 ffff880064ba7456 0000000000000000
-Call Trace:
- [] icmpv6_param_prob+0x2c/0x40 net/ipv6/icmp.c:557
- [< inline >] ip6_tlvopt_unknown net/ipv6/exthdrs.c:88
- [] ip6_parse_tlv+0x555/0x670 net/ipv6/exthdrs.c:157
- [] ipv6_parse_hopopts+0x199/0x460 net/ipv6/exthdrs.c:663
- [] ipv6_rcv+0xfa3/0x1dc0 net/ipv6/ip6_input.c:191
- ...
-
-icmp6_send / icmpv6_send is invoked for both rx and tx paths. In both
-cases the dst->dev should be preferred for determining the L3 domain
-if the dst has been set on the skb. Fallback to the skb->dev if it has
-not. This covers the case reported here where icmp6_send is invoked on
-Rx before the route lookup.
-
-Fixes: 5d41ce29e ("net: icmp6_send should use dst dev to determine L3 domain")
-Reported-by: Andrey Konovalov
-Signed-off-by: David Ahern
-Signed-off-by: David S. Miller
----
- net/ipv6/icmp.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
-index 7370ad2..2772004 100644
---- a/net/ipv6/icmp.c
-+++ b/net/ipv6/icmp.c
-@@ -447,8 +447,10 @@ static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
-
- if (__ipv6_addr_needs_scope_id(addr_type))
- iif = skb->dev->ifindex;
-- else
-- iif = l3mdev_master_ifindex(skb_dst(skb)->dev);
-+ else {
-+ dst = skb_dst(skb);
-+ iif = l3mdev_master_ifindex(dst ? dst->dev : skb->dev);
-+ }
-
- /*
- * Must not send error if the source does not uniquely
-- cgit v1.2.3