4.4-stable patches

added patches:
	ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch

diff --git a/queue-4.4/ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch b/queue-4.4/ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch
new file mode 100644 (file)
index 0000000..9945111
--- /dev/null
+++ b/queue-4.4/ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch
@@ -0,0 +1,65 @@
+From 59e3e4b52663a9d97efbce7307f62e4bc5c9ce91 Mon Sep 17 00:00:00 2001
+From: Olivier Matz <olivier.matz@6wind.com>
+Date: Thu, 6 Jun 2019 09:15:18 +0200
+Subject: ipv6: use READ_ONCE() for inet->hdrincl as in ipv4
+
+From: Olivier Matz <olivier.matz@6wind.com>
+
+commit 59e3e4b52663a9d97efbce7307f62e4bc5c9ce91 upstream.
+
+As it was done in commit 8f659a03a0ba ("net: ipv4: fix for a race
+condition in raw_sendmsg") and commit 20b50d79974e ("net: ipv4: emulate
+READ_ONCE() on ->hdrincl bit-field in raw_sendmsg()") for ipv4, copy the
+value of inet->hdrincl in a local variable, to avoid introducing a race
+condition in the next commit.
+
+Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/raw.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -757,6 +757,7 @@ static int rawv6_sendmsg(struct sock *sk
+       int hlimit = -1;
+       int tclass = -1;
+       int dontfrag = -1;
++      int hdrincl;
+       u16 proto;
+       int err;
+ 
+@@ -770,6 +771,13 @@ static int rawv6_sendmsg(struct sock *sk
+       if (msg->msg_flags & MSG_OOB)
+               return -EOPNOTSUPP;
+ 
++      /* hdrincl should be READ_ONCE(inet->hdrincl)
++       * but READ_ONCE() doesn't work with bit fields.
++       * Doing this indirectly yields the same result.
++       */
++      hdrincl = inet->hdrincl;
++      hdrincl = READ_ONCE(hdrincl);
++
+       /*
+        *      Get and verify the address.
+        */
+@@ -878,7 +886,7 @@ static int rawv6_sendmsg(struct sock *sk
+               fl6.flowi6_oif = np->ucast_oif;
+       security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
+ 
+-      if (inet->hdrincl)
++      if (hdrincl)
+               fl6.flowi6_flags |= FLOWI_FLAG_KNOWN_NH;
+ 
+       dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
+@@ -899,7 +907,7 @@ static int rawv6_sendmsg(struct sock *sk
+               goto do_confirm;
+ 
+ back_from_confirm:
+-      if (inet->hdrincl)
++      if (hdrincl)
+               err = rawv6_send_hdrinc(sk, msg, len, &fl6, &dst, msg->msg_flags);
+       else {
+               lock_sock(sk);

diff --git a/queue-4.4/series b/queue-4.4/series
index fb4088a775e49dd06e491c73e6d1bda5daf978bd..79d9b9892adfe2b4d8712f87ee8cb4c3135fc9ac 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -14,3 +14,4 @@ perf-x86-fix-uninitialized-value-usage.patch
 exynos4-is-fix-a-format-string-bug.patch
 asoc-wm8960-fix-wm8960_sysclk_pll-mode.patch
 asoc-imx-spdif-fix-crash-on-suspend.patch
+ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch