authorTakashi Iwai <tiwai@suse.de>2019-02-14 11:39:11 +0100
committerTakashi Iwai <tiwai@suse.de>2019-02-14 11:39:18 +0100
commit80527b00df6e894fc6bb664cfa7319bc7348d99f (patch)
tree4b64dce306b491958c7e92377d3b13a999407b5d
parent953f241148b9240eac5476c549ccc99f60d21cee (diff)
esp: Fix locking on page fragment allocation (bsc#1051510).
-rw-r--r--patches.fixes/esp-Fix-locking-on-page-fragment-allocation.patch73
-rw-r--r--series.conf1
2 files changed, 74 insertions, 0 deletions
diff --git a/patches.fixes/esp-Fix-locking-on-page-fragment-allocation.patch b/patches.fixes/esp-Fix-locking-on-page-fragment-allocation.patch
new file mode 100644
index 0000000000..1e1b0536f3
--- /dev/null
+++ b/patches.fixes/esp-Fix-locking-on-page-fragment-allocation.patch
@@ -0,0 +1,73 @@
+From 36ff0dd39f9b88ca83e1733b735e9f22b7be893b Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Fri, 25 Aug 2017 07:16:07 +0200
+Subject: [PATCH] esp: Fix locking on page fragment allocation
+Git-commit: 36ff0dd39f9b88ca83e1733b735e9f22b7be893b
+Patch-mainline: v4.13
+References: bsc#1051510
+
+We allocate the page fragment for the ESP trailer inside
+a spinlock, but consume it outside of the lock. This
+is racy as some other cou could get the same page fragment
+then. Fix this by consuming the page fragment inside the
+lock too.
+
+Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
+Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/ipv4/esp4.c | 5 +++--
+ net/ipv6/esp6.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
+index dbb31a942dfa..a8ddb95e7f06 100644
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -292,8 +292,6 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
+
+ kunmap_atomic(vaddr);
+
+- spin_unlock_bh(&x->lock);
+-
+ nfrags = skb_shinfo(skb)->nr_frags;
+
+ __skb_fill_page_desc(skb, nfrags, page, pfrag->offset,
+@@ -301,6 +299,9 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
+ skb_shinfo(skb)->nr_frags = ++nfrags;
+
+ pfrag->offset = pfrag->offset + allocsize;
++
++ spin_unlock_bh(&x->lock);
++
+ nfrags++;
+
+ skb->len += tailen;
+diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
+index 392def1fcf21..4e3fdc888943 100644
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -260,8 +260,6 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
+
+ kunmap_atomic(vaddr);
+
+- spin_unlock_bh(&x->lock);
+-
+ nfrags = skb_shinfo(skb)->nr_frags;
+
+ __skb_fill_page_desc(skb, nfrags, page, pfrag->offset,
+@@ -269,6 +267,9 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
+ skb_shinfo(skb)->nr_frags = ++nfrags;
+
+ pfrag->offset = pfrag->offset + allocsize;
++
++ spin_unlock_bh(&x->lock);
++
+ nfrags++;
+
+ skb->len += tailen;
+--
+2.16.4
+
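Review bot: The relocated `spin_unlock_bh(&x->lock);` in the embedded esp_output_head() hunks, and the matching one in esp6_output_head(), has no comment saying what the lock must now cover, so a later cleanup could shrink the critical section again and bring back the race the commit message describes. I would add a comment above each unlock, e.g. `/* hold x->lock until pfrag->offset is advanced, or another CPU can be handed the same fragment */`. The lock acquisition and the fragment refill lie outside the visible context, so when applying this backport it is worth confirming that every early-exit path between the lock and the new unlock position still releases x->lock. The original bug presumably lets two skbs share the same trailer memory, so it should be tracked as a memory-corruption fix and not as a cosmetic locking change.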
diff --git a/series.conf b/series.conf
index 47f3149a4c..a9a6683bf2 100644
--- a/series.conf
+++ b/series.conf
@@ -4433,6 +4433,7 @@
patches.drivers/nfp-fix-supported-key-layers-calculation.patch
patches.drivers/nfp-remove-incorrect-mask-check-for-vlan-matching.patch
patches.fixes/net-xfrm-don-t-double-hold-dst-when-sk_policy-in-use.patch
+ patches.fixes/esp-Fix-locking-on-page-fragment-allocation.patch
patches.fixes/xfrm_user-fix-info-leak-in-copy_user_offload.patch
patches.fixes/xfrm_user-fix-info-leak-in-xfrm_notify_sa.patch
patches.fixes/xfrm_user-fix-info-leak-in-build_aevent.patch