From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 4 May 2020 15:41:52 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.222~10
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=716132e41abdb19da3d1670ea55370c08bfaba71;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch
---

diff --git a/queue-4.4/ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch b/queue-4.4/ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch
new file mode 100644
index 00000000000..9945111e560
--- /dev/null
+++ b/queue-4.4/ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch
@@ -0,0 +1,65 @@
+From 59e3e4b52663a9d97efbce7307f62e4bc5c9ce91 Mon Sep 17 00:00:00 2001
+From: Olivier Matz <olivier.matz@6wind.com>
+Date: Thu, 6 Jun 2019 09:15:18 +0200
+Subject: ipv6: use READ_ONCE() for inet->hdrincl as in ipv4
+
+From: Olivier Matz <olivier.matz@6wind.com>
+
+commit 59e3e4b52663a9d97efbce7307f62e4bc5c9ce91 upstream.
+
+As it was done in commit 8f659a03a0ba ("net: ipv4: fix for a race
+condition in raw_sendmsg") and commit 20b50d79974e ("net: ipv4: emulate
+READ_ONCE() on ->hdrincl bit-field in raw_sendmsg()") for ipv4, copy the
+value of inet->hdrincl in a local variable, to avoid introducing a race
+condition in the next commit.
+
+Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/raw.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -757,6 +757,7 @@ static int rawv6_sendmsg(struct sock *sk
+ 	int hlimit = -1;
+ 	int tclass = -1;
+ 	int dontfrag = -1;
++	int hdrincl;
+ 	u16 proto;
+ 	int err;
+ 
+@@ -770,6 +771,13 @@ static int rawv6_sendmsg(struct sock *sk
+ 	if (msg->msg_flags & MSG_OOB)
+ 		return -EOPNOTSUPP;
+ 
++	/* hdrincl should be READ_ONCE(inet->hdrincl)
++	 * but READ_ONCE() doesn't work with bit fields.
++	 * Doing this indirectly yields the same result.
++	 */
++	hdrincl = inet->hdrincl;
++	hdrincl = READ_ONCE(hdrincl);
++
+ 	/*
+ 	 *	Get and verify the address.
+ 	 */
+@@ -878,7 +886,7 @@ static int rawv6_sendmsg(struct sock *sk
+ 		fl6.flowi6_oif = np->ucast_oif;
+ 	security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
+ 
+-	if (inet->hdrincl)
++	if (hdrincl)
+ 		fl6.flowi6_flags |= FLOWI_FLAG_KNOWN_NH;
+ 
+ 	dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
+@@ -899,7 +907,7 @@ static int rawv6_sendmsg(struct sock *sk
+ 		goto do_confirm;
+ 
+ back_from_confirm:
+-	if (inet->hdrincl)
++	if (hdrincl)
+ 		err = rawv6_send_hdrinc(sk, msg, len, &fl6, &dst, msg->msg_flags);
+ 	else {
+ 		lock_sock(sk);
diff --git a/queue-4.4/series b/queue-4.4/series
index fb4088a775e..79d9b9892ad 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -14,3 +14,4 @@ perf-x86-fix-uninitialized-value-usage.patch
 exynos4-is-fix-a-format-string-bug.patch
 asoc-wm8960-fix-wm8960_sysclk_pll-mode.patch
 asoc-imx-spdif-fix-crash-on-suspend.patch
+ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch