From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 3 Jul 2017 15:54:44 +0000 (+0200)
Subject: 4.11-stable patches
X-Git-Tag: v3.18.60~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8abe44bfd5d39a1508c9f40b1aa05d4d682070f8;p=thirdparty%2Fkernel%2Fstable-queue.git

4.11-stable patches

added patches:
	esp4-fix-udpencap-for-local-tcp-packets.patch
---

diff --git a/queue-4.11/esp4-fix-udpencap-for-local-tcp-packets.patch b/queue-4.11/esp4-fix-udpencap-for-local-tcp-packets.patch
new file mode 100644
index 00000000000..02d51ab3cf1
--- /dev/null
+++ b/queue-4.11/esp4-fix-udpencap-for-local-tcp-packets.patch
@@ -0,0 +1,59 @@
+From 20218ba11828773f48fad8fcf23d9ba7b6cfb711 Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Fri, 9 Jun 2017 11:35:46 +0200
+Subject: [PATCH] esp4: Fix udpencap for local TCP packets.
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit 0e78a87306a6f55b1c7bbafad1de62c3975953ca ]
+
+Locally generated TCP packets are usually cloned, so we
+do skb_cow_data() on this packets. After that we need to
+reload the pointer to the esp header. On udpencap this
+header has an offset to skb_transport_header, so take this
+offset into account.
+
+This is a backport of:
+commit 0e78a87306a ("esp4: Fix udpencap for local TCP packets.")
+
+Fixes: 67d349ed603 ("net/esp4: Fix invalid esph pointer crash")
+Fixes: fca11ebde3f0 ("esp4: Reorganize esp_output")
+Reported-by: Don Bowman <db@donbowman.ca>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/esp4.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
+index b1e2444..9708a32 100644
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -212,6 +212,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
+ 	u8 *iv;
+ 	u8 *tail;
+ 	u8 *vaddr;
++	int esph_offset;
+ 	int blksize;
+ 	int clen;
+ 	int alen;
+@@ -392,12 +393,14 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
+ 	}
+ 
+ cow:
++	esph_offset = (unsigned char *)esph - skb_transport_header(skb);
++
+ 	err = skb_cow_data(skb, tailen, &trailer);
+ 	if (err < 0)
+ 		goto error;
+ 	nfrags = err;
+ 	tail = skb_tail_pointer(trailer);
+-	esph = ip_esp_hdr(skb);
++	esph = (struct ip_esp_hdr *)(skb_transport_header(skb) + esph_offset);
+ 
+ skip_cow:
+ 	esp_output_fill_trailer(tail, tfclen, plen, proto);
+-- 
+2.9.4
+
diff --git a/queue-4.11/series b/queue-4.11/series
index 6c00b50ee1f..9885ec1763c 100644
--- a/queue-4.11/series
+++ b/queue-4.11/series
@@ -82,3 +82,4 @@ kvm-x86-fix-emulation-of-rsm-and-iret-instructions.patch
 kvm-x86-vpmu-fix-undefined-shift-in-intel_pmu_refresh.patch
 kvm-x86-zero-base3-of-unusable-segments.patch
 kvm-nvmx-fix-exception-injection.patch
+esp4-fix-udpencap-for-local-tcp-packets.patch