Home Home > GIT Browse > packaging
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichal Kubecek <mkubecek@suse.cz>2018-08-02 16:28:37 +0200
committerMichal Kubecek <mkubecek@suse.cz>2018-08-02 16:29:23 +0200
commitb01b19a87acb29b2e36b5a79dcbf140b7fb5c639 (patch)
treefdd94e4397adbf5ccb79664336eb600f55a50380
parentce20133201e35e2e1d3030112b8a257a51b0951f (diff)
tcp: add tcp_ooo_try_coalesce() helper (CVE-2018-5390
bsc#1102340).
-rw-r--r--patches.fixes/tcp-add-tcp_ooo_try_coalesce-helper.patch76
-rw-r--r--series.conf1
2 files changed, 77 insertions, 0 deletions
diff --git a/patches.fixes/tcp-add-tcp_ooo_try_coalesce-helper.patch b/patches.fixes/tcp-add-tcp_ooo_try_coalesce-helper.patch
new file mode 100644
index 0000000000..892f80ab5b
--- /dev/null
+++ b/patches.fixes/tcp-add-tcp_ooo_try_coalesce-helper.patch
@@ -0,0 +1,76 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 23 Jul 2018 09:28:21 -0700
+Subject: tcp: add tcp_ooo_try_coalesce() helper
+Patch-mainline: v4.18-rc7
+Git-commit: 58152ecbbcc6a0ce7fddd5bf5f6ee535834ece0c
+References: CVE-2018-5390 bsc#1102340
+
+In case skb in out_or_order_queue is the result of
+multiple skbs coalescing, we would like to get a proper gso_segs
+counter tracking, so that future tcp_drop() can report an accurate
+number.
+
+I chose to not implement this tracking for skbs in receive queue,
+since they are not dropped, unless socket is disconnected.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/ipv4/tcp_input.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index ff05616420b7..85881e5e5d8e 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4300,6 +4300,23 @@ static bool tcp_try_coalesce(struct sock *sk,
+ return true;
+ }
+
++static bool tcp_ooo_try_coalesce(struct sock *sk,
++ struct sk_buff *to,
++ struct sk_buff *from,
++ bool *fragstolen)
++{
++ bool res = tcp_try_coalesce(sk, to, from, fragstolen);
++
++ /* In case tcp_drop() is called later, update to->gso_segs */
++ if (res) {
++ u32 gso_segs = max_t(u16, 1, skb_shinfo(to)->gso_segs) +
++ max_t(u16, 1, skb_shinfo(from)->gso_segs);
++
++ skb_shinfo(to)->gso_segs = min_t(u32, gso_segs, 0xFFFF);
++ }
++ return res;
++}
++
+ static void tcp_drop(struct sock *sk, struct sk_buff *skb)
+ {
+ sk_drops_add(sk, skb);
+@@ -4423,7 +4440,8 @@ static void tcp_data_queue_ofo(struct sock *sk, struct sk_buff *skb)
+ /* In the typical case, we are adding an skb to the end of the list.
+ * Use of ooo_last_skb avoids the O(Log(N)) rbtree lookup.
+ */
+- if (tcp_try_coalesce(sk, tp->ooo_last_skb, skb, &fragstolen)) {
++ if (tcp_ooo_try_coalesce(sk, tp->ooo_last_skb,
++ skb, &fragstolen)) {
+ coalesce_done:
+ tcp_grow_window(sk, skb);
+ kfree_skb_partial(skb, fragstolen);
+@@ -4473,7 +4491,8 @@ static void tcp_data_queue_ofo(struct sock *sk, struct sk_buff *skb)
+ tcp_drop(sk, skb1);
+ goto merge_right;
+ }
+- } else if (tcp_try_coalesce(sk, skb1, skb, &fragstolen)) {
++ } else if (tcp_ooo_try_coalesce(sk, skb1,
++ skb, &fragstolen)) {
+ goto coalesce_done;
+ }
+ p = &parent->rb_right;
+--
+2.18.0
+
diff --git a/series.conf b/series.conf
index 0809f151dd..2ca0f26b76 100644
--- a/series.conf
+++ b/series.conf
@@ -15237,6 +15237,7 @@
patches.fixes/tcp-avoid-collapses-in-tcp_prune_queue-if-possible.patch
patches.fixes/tcp-detect-malicious-patterns-in-tcp_collapse_ofo_qu.patch
patches.fixes/tcp-call-tcp_drop-from-tcp_data_queue_ofo.patch
+ patches.fixes/tcp-add-tcp_ooo_try_coalesce-helper.patch
patches.drivers/net-mlx4_core-Save-the-qpn-from-the-input-modifier-i.patch
patches.drivers/qmi_wwan-fix-interface-number-for-DW5821e-production
patches.drivers/driver-core-Partially-revert-driver-core-correct-dev