From: Greg Kroah-Hartman
Date: Thu, 3 Jul 2014 19:19:47 +0000 (-0700)
Subject: 3.10-stable patches
X-Git-Tag: v3.4.97~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a4629c722a0f8b542bdae73c216b96ba42c8f520;p=thirdparty%2Fkernel%2Fstable-queue.git
3.10-stable patches
added patches: ipvs-fix-panic-due-to-non-linear-skb.patch
---
diff --git a/queue-3.10/ipvs-fix-panic-due-to-non-linear-skb.patch b/queue-3.10/ipvs-fix-panic-due-to-non-linear-skb.patch
new file mode 100644
index 00000000000..b54685864a8
--- /dev/null
+++ b/queue-3.10/ipvs-fix-panic-due-to-non-linear-skb.patch
@@ -0,0 +1,74 @@
+From f44a5f45f544561302e855e7bd104e5f506ec01b Mon Sep 17 00:00:00 2001
+From: Peter Christensen
+Date: Sat, 24 May 2014 21:40:12 +0200
+Subject: ipvs: Fix panic due to non-linear skb
+
+From: Peter Christensen
+
+commit f44a5f45f544561302e855e7bd104e5f506ec01b upstream.
+
+Receiving a ICMP response to an IPIP packet in a non-linear skb could
+cause a kernel panic in __skb_pull.
+
+The problem was introduced in
+commit f2edb9f7706dcb2c0d9a362b2ba849efe3a97f5e ("ipvs: implement
+passive PMTUD for IPIP packets").
+
+Signed-off-by: Peter Christensen
+Acked-by: Julian Anastasov
+Signed-off-by: Simon Horman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipvs/ip_vs_core.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -1384,15 +1384,19 @@ ip_vs_in_icmp(struct sk_buff *skb, int *
+
+ if (ipip) {
+ __be32 info = ic->un.gateway;
++ __u8 type = ic->type;
++ __u8 code = ic->code;
+
+ /* Update the MTU */
+ if (ic->type == ICMP_DEST_UNREACH &&
+ ic->code == ICMP_FRAG_NEEDED) {
+ struct ip_vs_dest *dest = cp->dest;
+ u32 mtu = ntohs(ic->un.frag.mtu);
++ __be16 frag_off = cih->frag_off;
+
+ /* Strip outer IP and ICMP, go to IPIP header */
+- __skb_pull(skb, ihl + sizeof(_icmph));
++ if (pskb_pull(skb, ihl + sizeof(_icmph)) == NULL)
++ goto ignore_ipip;
+ offset2 -= ihl + sizeof(_icmph);
+ skb_reset_network_header(skb);
+ IP_VS_DBG(12, "ICMP for IPIP %pI4->%pI4: mtu=%u\n",
+@@ -1400,7 +1404,7 @@ ip_vs_in_icmp(struct sk_buff *skb, int *
+ ipv4_update_pmtu(skb, dev_net(skb->dev),
+ mtu, 0, 0, 0, 0);
+ /* Client uses PMTUD? */
+- if (!(cih->frag_off & htons(IP_DF)))
++ if (!(frag_off & htons(IP_DF)))
+ goto ignore_ipip;
+ /* Prefer the resulting PMTU */
+ if (dest) {
+@@ -1419,12 +1423,13 @@ ip_vs_in_icmp(struct sk_buff *skb, int *
+ /* Strip outer IP, ICMP and IPIP, go to IP header of
+ * original request.
+ */
+- __skb_pull(skb, offset2);
++ if (pskb_pull(skb, offset2) == NULL)
++ goto ignore_ipip;
+ skb_reset_network_header(skb);
+ IP_VS_DBG(12, "Sending ICMP for %pI4->%pI4: t=%u, c=%u, i=%u\n",
+ &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr,
+- ic->type, ic->code, ntohl(info));
+- icmp_send(skb, ic->type, ic->code, info);
++ type, code, ntohl(info));
++ icmp_send(skb, type, code, info);
+ /* ICMP can be shorter but anyways, account it */
+ ip_vs_out_stats(cp, skb);
+
diff --git a/queue-3.10/series b/queue-3.10/series
index aa61a8a4ab8..e7382738f28 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -34,3 +34,4 @@ powerpc-add-at_hwcap2-to-indicate-v.crypto-category-support.patch
 reiserfs-call-truncate_setsize-under-tailpack-mutex.patch
 mips-kvm-remove-redundant-null-checks-before-kfree.patch
 mips-kvm-fix-memory-leak-on-vcpu.patch
+ipvs-fix-panic-due-to-non-linear-skb.patch
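Review bot: In the ip_vs_in_icmp change carried by ipvs-fix-panic-due-to-non-linear-skb.patch, the reason for copying `type`, `code` and `frag_off` into locals is not stated in the code, and the MTU condition still reads `ic->type` and `ic->code` directly even though both were copied two lines earlier. Unlike `__skb_pull()`, `pskb_pull()` can reallocate the skb head, so pointers taken before the call (here `ic` and `cih`, presumably obtained from the packet data) may be stale afterwards. A comment above the new locals such as `/* pskb_pull() may reallocate skb->head: copy what we need from ic/cih before pulling */` would keep a later edit from reintroducing a post-pull dereference. Writing the test as `if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {` would make the block easier to audit for that rule. The function starts and ends outside these hunks, so whether `ic` or `cih` is read again after either pull, and what the `ignore_ipip` label does with the skb, cannot be confirmed from this page.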