From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 28 Apr 2017 08:00:03 +0000 (+0200)
Subject: 4.10-stable patches
X-Git-Tag: v4.4.65~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7809c692f9e015779e924529c57fdeeabe3f6ee0;p=thirdparty%2Fkernel%2Fstable-queue.git

4.10-stable patches

added patches:
	ping-implement-proper-locking.patch
---

diff --git a/queue-4.10/ping-implement-proper-locking.patch b/queue-4.10/ping-implement-proper-locking.patch
new file mode 100644
index 00000000000..99c6b476ee5
--- /dev/null
+++ b/queue-4.10/ping-implement-proper-locking.patch
@@ -0,0 +1,55 @@
+From 43a6684519ab0a6c52024b5e25322476cabad893 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 24 Mar 2017 19:36:13 -0700
+Subject: ping: implement proper locking
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 43a6684519ab0a6c52024b5e25322476cabad893 upstream.
+
+We got a report of yet another bug in ping
+
+http://www.openwall.com/lists/oss-security/2017/03/24/6
+
+->disconnect() is not called with socket lock held.
+
+Fix this by acquiring ping rwlock earlier.
+
+Thanks to Daniel, Alexander and Andrey for letting us know this problem.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Daniel Jiang <danieljiang0415@gmail.com>
+Reported-by: Solar Designer <solar@openwall.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/ping.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk)
+ void ping_unhash(struct sock *sk)
+ {
+ 	struct inet_sock *isk = inet_sk(sk);
++
+ 	pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
++	write_lock_bh(&ping_table.lock);
+ 	if (sk_hashed(sk)) {
+-		write_lock_bh(&ping_table.lock);
+ 		hlist_nulls_del(&sk->sk_nulls_node);
+ 		sk_nulls_node_init(&sk->sk_nulls_node);
+ 		sock_put(sk);
+ 		isk->inet_num = 0;
+ 		isk->inet_sport = 0;
+ 		sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+-		write_unlock_bh(&ping_table.lock);
+ 	}
++	write_unlock_bh(&ping_table.lock);
+ }
+ EXPORT_SYMBOL_GPL(ping_unhash);
+ 
diff --git a/queue-4.10/series b/queue-4.10/series
index e69de29bb2d..6486ed51938 100644
--- a/queue-4.10/series
+++ b/queue-4.10/series
@@ -0,0 +1 @@
+ping-implement-proper-locking.patch