From 8cee7d36ea80853357b96a4a86373b7985fdea49 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Mon, 19 Aug 2019 23:22:01 -0400
Subject: [PATCH] drop tcp-clear-sk_send_head-after-purging-the-write-queue.patch from 4.4

Signed-off-by: Sasha Levin
---
 queue-4.4/series | 1 -
 ...d_head-after-purging-the-write-queue.patch | 56 -------------------
 2 files changed, 57 deletions(-)
 delete mode 100644 queue-4.4/tcp-clear-sk_send_head-after-purging-the-write-queue.patch

diff --git a/queue-4.4/series b/queue-4.4/series
index 6b32cac7847..cd9823f972c 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -1,6 +1,5 @@
 usb-iowarrior-fix-deadlock-on-disconnect.patch
 sound-fix-a-memory-leak-bug.patch
-tcp-clear-sk_send_head-after-purging-the-write-queue.patch
 x86-mm-check-for-pfn-instead-of-page-in-vmalloc_sync_one.patch
 x86-mm-sync-also-unmappings-in-vmalloc_sync_all.patch
 mm-vmalloc-sync-unmappings-in-__purge_vmap_area_lazy.patch
diff --git a/queue-4.4/tcp-clear-sk_send_head-after-purging-the-write-queue.patch b/queue-4.4/tcp-clear-sk_send_head-after-purging-the-write-queue.patch
deleted file mode 100644
index 490574f60d3..00000000000
--- a/queue-4.4/tcp-clear-sk_send_head-after-purging-the-write-queue.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From ben@decadent.org.uk Tue Aug 13 20:28:54 2019
-From: Ben Hutchings
-Date: Tue, 13 Aug 2019 12:53:17 +0100
-Subject: tcp: Clear sk_send_head after purging the write queue
-To: Greg Kroah-Hartman , Sasha Levin
-Cc: stable@vger.kernel.org, Denis Andzakovic , Salvatore Bonaccorso , Eric Dumazet
-Message-ID: <20190813115317.6cgml2mckd3c6u7z@decadent.org.uk>
-Content-Disposition: inline
-
-From: Ben Hutchings
-
-Denis Andzakovic discovered a potential use-after-free in older kernel
-versions, using syzkaller. tcp_write_queue_purge() frees all skbs in
-the TCP write queue and can leave sk->sk_send_head pointing to freed
-memory. tcp_disconnect() clears that pointer after calling
-tcp_write_queue_purge(), but tcp_connect() does not. It is
-(surprisingly) possible to add to the write queue between
-disconnection and reconnection, so this needs to be done in both
-places.
-
-This bug was introduced by backports of commit 7f582b248d0a ("tcp:
-purge write queue in tcp_connect_init()") and does not exist upstream
-because of earlier changes in commit 75c119afe14f ("tcp: implement
-rb-tree based retransmit queue"). The latter is a major change that's
-not suitable for stable.
-
-Reported-by: Denis Andzakovic
-Bisected-by: Salvatore Bonaccorso
-Fixes: 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()")
-Cc: # before 4.15
-Cc: Eric Dumazet
-Signed-off-by: Ben Hutchings
-Signed-off-by: Greg Kroah-Hartman
----
- include/net/tcp.h | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/include/net/tcp.h
-+++ b/include/net/tcp.h
-@@ -1455,6 +1455,8 @@ struct tcp_fastopen_context {
- struct rcu_head rcu;
- };
- 
-+static inline void tcp_init_send_head(struct sock *sk);
-+
- /* write queue abstraction */
- static inline void tcp_write_queue_purge(struct sock *sk)
- {
-@@ -1462,6 +1464,7 @@ static inline void tcp_write_queue_purge
- 
- while ((skb = __skb_dequeue(&sk->sk_write_queue)) != NULL)
- sk_wmem_free_skb(sk, skb);
-+ tcp_init_send_head(sk);
- sk_mem_reclaim(sk);
- tcp_clear_all_retrans_hints(tcp_sk(sk));
- tcp_init_send_head(sk);
-- 
2.47.3