From: Greg Kroah-Hartman
Date: Sun, 30 Apr 2017 14:31:03 +0000 (+0200)
Subject: remove queue-4.4/net-timestamp-avoid-use-after-free-in-ip_recv_error.patch
X-Git-Tag: v4.4.66~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2bbe61fe92fbbdca6a7503dae260e2b407489ff3;p=thirdparty%2Fkernel%2Fstable-queue.git

remove queue-4.4/net-timestamp-avoid-use-after-free-in-ip_recv_error.patch
---

diff --git a/queue-4.4/net-timestamp-avoid-use-after-free-in-ip_recv_error.patch b/queue-4.4/net-timestamp-avoid-use-after-free-in-ip_recv_error.patch
deleted file mode 100644
index cb431181d90..00000000000
--- a/queue-4.4/net-timestamp-avoid-use-after-free-in-ip_recv_error.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From foo@baz Sun Apr 30 15:46:17 CEST 2017
-From: Willem de Bruijn
-Date: Wed, 12 Apr 2017 19:24:35 -0400
-Subject: net-timestamp: avoid use-after-free in ip_recv_error
-
-From: Willem de Bruijn
-
-
-[ Upstream commit 1862d6208db0aeca9c8ace44915b08d5ab2cd667 ]
-
-Syzkaller reported a use-after-free in ip_recv_error at line
-
- info->ipi_ifindex = skb->dev->ifindex;
-
-This function is called on dequeue from the error queue, at which
-point the device pointer may no longer be valid.
-
-Save ifindex on enqueue in __skb_complete_tx_timestamp, when the
-pointer is valid or NULL. Store it in temporary storage skb->cb.
-
-It is safe to reference skb->dev here, as called from device drivers
-or dev_queue_xmit. The exception is when called from tcp_ack_tstamp;
-in that case it is NULL and ifindex is set to 0 (invalid).
-
-Do not return a pktinfo cmsg if ifindex is 0. This maintains the
-current behavior of not returning a cmsg if skb->dev was NULL.
-
-On dequeue, the ipv4 path will cast from sock_exterr_skb to
-in_pktinfo. Both have ifindex as their first element, so no explicit
-conversion is needed. This is by design, introduced in commit
-0b922b7a829c ("net: original ingress device index in PKTINFO"). For
-ipv6 ip6_datagram_support_cmsg converts to in6_pktinfo.
-
-Fixes: 829ae9d61165 ("net-timestamp: allow reading recv cmsg on errqueue with origin tstamp")
-Reported-by: Andrey Konovalov
-Signed-off-by: Willem de Bruijn
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/core/skbuff.c | 1 +
- net/ipv4/ip_sockglue.c | 9 ++++-----
- net/ipv6/datagram.c | 10 +---------
- 3 files changed, 6 insertions(+), 14 deletions(-)
-
---- a/net/core/skbuff.c
-+++ b/net/core/skbuff.c
-@@ -3643,6 +3643,7 @@ static void __skb_complete_tx_timestamp(
- serr->ee.ee_errno = ENOMSG;
- serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING;
- serr->ee.ee_info = tstype;
-+ serr->header.h4.iif = skb->dev ? 
skb->dev->ifindex : 0;
- if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
- serr->ee.ee_data = skb_shinfo(skb)->tskey;
- if (sk->sk_protocol == IPPROTO_TCP &&
---- a/net/ipv4/ip_sockglue.c
-+++ b/net/ipv4/ip_sockglue.c
-@@ -463,16 +463,15 @@ static bool ipv4_datagram_support_cmsg(c
- return false;
- 
- /* Support IP_PKTINFO on tstamp packets if requested, to correlate
-- * timestamp with egress dev. Not possible for packets without dev
-+ * timestamp with egress dev. Not possible for packets without iif
- * or without payload (SOF_TIMESTAMPING_OPT_TSONLY).
- */
-- if ((!(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_CMSG)) ||
-- (!skb->dev))
-+ info = PKTINFO_SKB_CB(skb);
-+ if (!(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_CMSG) ||
-+ !info->ipi_ifindex)
- return false;
- 
-- info = PKTINFO_SKB_CB(skb);
- info->ipi_spec_dst.s_addr = ip_hdr(skb)->saddr;
-- info->ipi_ifindex = skb->dev->ifindex;
- return true;
- }
- 
---- a/net/ipv6/datagram.c
-+++ b/net/ipv6/datagram.c
-@@ -355,9 +355,6 @@ static inline bool ipv6_datagram_support
- * At one point, excluding local errors was a quick test to identify icmp/icmp6
- * errors. This is no longer true, but the test remained, so the v6 stack,
- * unlike v4, also honors cmsg requests on all wifi and timestamp errors.
-- *
-- * Timestamp code paths do not initialize the fields expected by cmsg:
-- * the PKTINFO fields in skb->cb[]. Fill those in here.
- */
- static bool ip6_datagram_support_cmsg(struct sk_buff *skb,
- struct sock_exterr_skb *serr)
-@@ -369,14 +366,9 @@ static bool ip6_datagram_support_cmsg(st
- if (serr->ee.ee_origin == SO_EE_ORIGIN_LOCAL)
- return false;
- 
-- if (!skb->dev)
-+ if (!IP6CB(skb)->iif)
- return false;
- 
-- if (skb->protocol == htons(ETH_P_IPV6))
-- IP6CB(skb)->iif = skb->dev->ifindex;
-- else
-- PKTINFO_SKB_CB(skb)->ipi_ifindex = skb->dev->ifindex;
--
- return true;
- }
- 
diff --git a/queue-4.4/series b/queue-4.4/series
index b74ff62c247..419d4f43a85 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -25,7 +25,6 @@ l2tp-fix-ppp-pseudo-wire-auto-loading.patch
 net-ipv4-fix-multipath-rtm_getroute-behavior-when-iif-is-given.patch
 sctp-listen-on-the-sock-only-when-it-s-state-is-listening-or-closed.patch
 tcp-clear-saved_syn-in-tcp_disconnect.patch
-net-timestamp-avoid-use-after-free-in-ip_recv_error.patch
 dp83640-don-t-recieve-time-stamps-twice.patch
 net-ipv6-rtf_pcpu-should-not-be-settable-from-userspace.patch
 netpoll-check-for-skb-queue_mapping.patch