android_kernel_samsung_msm8976/include/net
Ben Hutchings 06dc1f3375 tcp: Clear sk_send_head after purging the write queue
Denis Andzakovic discovered a potential use-after-free in older kernel
versions, using syzkaller.  tcp_write_queue_purge() frees all skbs in
the TCP write queue and can leave sk->sk_send_head pointing to freed
memory.  tcp_disconnect() clears that pointer after calling
tcp_write_queue_purge(), but tcp_connect() does not.  It is
(surprisingly) possible to add to the write queue between
disconnection and reconnection, so this needs to be done in both
places.

This bug was introduced by backports of commit 7f582b248d0a ("tcp:
purge write queue in tcp_connect_init()") and does not exist upstream
because of earlier changes in commit 75c119afe14f ("tcp: implement
rb-tree based retransmit queue").  The latter is a major change that's
not suitable for stable.

Change-Id: I97a1a1f3f753b950984e48af6c28cfd4a346db8a
Reported-by: Denis Andzakovic <denis.andzakovic@pulsesecurity.co.nz>
Bisected-by: Salvatore Bonaccorso <carnil@debian.org>
Fixes: 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()")
Cc: <stable@vger.kernel.org> # before 4.15
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2019-08-21 03:27:36 +02:00
9p
bluetooth Bluetooth: Convert hci_conn->link_mode into flags 2019-07-27 22:11:13 +02:00
caif
irda
iucv
netfilter netfilter: Changes to handle segmentation in SIP ALG 2015-01-27 15:47:39 -08:00
netns netns: provide pure entropy for net_hash_mix() 2019-07-27 22:10:05 +02:00
nfc
phonet
sctp sctp: potential read out of bounds in sctp_ulpevent_type_enabled() 2019-07-27 21:44:28 +02:00
tc_act
act_api.h
activity_stats.h
addrconf.h ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf 2019-07-27 22:06:03 +02:00
af_ieee802154.h
af_rxrpc.h
af_unix.h This is the 3.10.99 stable release 2017-04-18 17:17:46 +02:00
ah.h
arp.h arp: make arp_invalidate static 2019-07-27 22:08:26 +02:00
atmclip.h
ax25.h
ax88796.h
cfg80211-wext.h
cfg80211.h BACKPORT: nl80211: Stop scheduled scan if netlink client disappears 2019-07-27 21:50:44 +02:00
checksum.h
cipso_ipv4.h netlabel: out of bound access in cipso_v4_validate() 2019-07-27 21:43:04 +02:00
cls_cgroup.h
cnss.h cnss: Expose dump stack functionality 2019-07-27 22:09:56 +02:00
cnss_nl.h Driver to create cld80211 nl family at bootup time 2019-07-27 22:09:31 +02:00
cnss_prealloc.h wcnss: Fix buffer overflow in wcnss_prealloc_get 2019-08-04 22:56:49 +02:00
codel.h
compat.h
datalink.h
dcbevent.h
dcbnl.h
dn.h
dn_dev.h
dn_fib.h
dn_neigh.h
dn_nsp.h
dn_route.h
dsa.h
dsfield.h
dst.h
dst_ops.h
esp.h
ethoc.h
fib_rules.h net: core: add UID to flows, rules, and routes 2019-07-27 21:50:59 +02:00
firewire.h
flow.h net: inet: Support UID-based routing in IP protocols. 2019-07-27 21:50:59 +02:00
flow_keys.h
garp.h
gen_stats.h
genetlink.h BACKPORT: netlink: add a start callback for starting a netlink dump 2019-07-27 21:51:36 +02:00
gre.h
gro_cells.h gro_cells: make sure device is up in gro_cells_receive() 2019-07-27 22:11:26 +02:00
icmp.h
ieee80211_radiotap.h
ieee802154.h
ieee802154_netdev.h
if_inet6.h BACKPORT: ipv6 addrconf: implement RFC7559 router solicitation backoff 2019-07-27 21:51:04 +02:00
inet6_connection_sock.h
inet6_hashtables.h
inet_common.h net: avoid NULL deref in inet_ctl_sock_destroy() 2015-12-09 13:40:06 -05:00
inet_connection_sock.h tcp: fix tcp_release_cb() to dispatch via address family for mtu_reduced() 2014-10-15 08:31:56 +02:00
inet_ecn.h
inet_frag.h
inet_hashtables.h
inet_sock.h
inet_timewait_sock.h soreuseport: initialise timewait reuseport field 2019-07-27 21:52:18 +02:00
inetpeer.h net: ipv4: use a dedicated counter for icmp_v4 redirect packets 2019-07-27 22:07:53 +02:00
ip.h ipv4: igmp: guard against silly MTU values 2019-07-27 22:08:52 +02:00
ip6_checksum.h
ip6_fib.h ipv6: fix sparse warning on rt6i_node 2019-07-27 21:45:09 +02:00
ip6_route.h ipv6: initialize route null entry in addrconf_init() 2019-07-27 22:06:02 +02:00
ip6_tunnel.h ip6_tunnel: Clear IP6CB in ip6tunnel_xmit() 2019-07-27 21:42:30 +02:00
ip_fib.h ipv4: fix a race in update_or_create_fnhe() 2019-07-27 22:10:30 +02:00
ip_tunnels.h
ip_vs.h
ipcomp.h
ipconfig.h
ipv6.h ANDROID: Revert "net: increase fragment memory usage limits" 2019-07-27 21:51:06 +02:00
ipx.h
iw_handler.h cfg80211/wext: fix message ordering 2019-07-27 22:06:02 +02:00
lapb.h
lib80211.h
llc.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
mac80211.h treewide: Fix typo in Documentation/DocBook 2019-07-27 22:10:20 +02:00
mac802154.h
mip6.h
mld.h
mrp.h
ndisc.h ipv6: don't call fib6_run_gc() until routing is ready 2019-07-27 21:42:27 +02:00
neighbour.h neighbour: Avoid writing before skb->head in neigh_hh_output() 2019-07-27 21:53:22 +02:00
net_namespace.h netns: provide pure entropy for net_hash_mix() 2019-07-27 22:10:05 +02:00
net_ratelimit.h
netdma.h
netevent.h
netlabel.h
netlink.h
netprio_cgroup.h
netrom.h
nexthop.h net: fix rtnh_ok() 2019-07-27 21:49:08 +02:00
nl802154.h
p8022.h
ping.h
pkt_cls.h
pkt_sched.h
protocol.h IPv4: early demux can return an error code 2019-07-27 22:07:51 +02:00
psnap.h
raw.h
rawv6.h
red.h
regulatory.h regulatory: add NUL to alpha2 2019-07-27 21:49:36 +02:00
request_sock.h
rose.h
route.h udp: perform source validation for mcast early demux 2019-07-27 22:07:52 +02:00
rtnetlink.h
sch_generic.h
scm.h Import latest Samsung release 2017-04-18 03:43:52 +02:00
secure_seq.h
slhc_vj.h
snmp.h
sock.h vxlan: Use RCU apis to access sk_user_data. 2019-08-15 21:02:28 +02:00
stp.h
tcp.h tcp: Clear sk_send_head after purging the write queue 2019-08-21 03:27:36 +02:00
tcp_memcontrol.h
tcp_states.h
timewait_sock.h
transp_v6.h
udp.h IPv4: early demux can return an error code 2019-07-27 22:07:51 +02:00
udplite.h
wext.h
wimax.h
wpan-phy.h
x25.h
x25device.h
xfrm.h BACKPORT: net: xfrm: support setting an output mark. 2019-07-27 21:51:33 +02:00