[linux] 01/01: tipc: Fix kfree_skb() of uninitialised pointer (regression in 4.3.3)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Tue Dec 15 21:27:01 UTC 2015


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit ca0bbf698bc9aa54344cddaea34a689be14892be
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Tue Dec 15 21:25:16 2015 +0000

    tipc: Fix kfree_skb() of uninitialised pointer (regression in 4.3.3)
---
 debian/changelog                                   |  1 +
 ...pc-fix-kfree_skb-of-uninitialised-pointer.patch | 29 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 31 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index b8807f8..1fe0a77 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -76,6 +76,7 @@ linux (4.3.3-1) UNRELEASED; urgency=medium
     register_netdevice failure" in 4.3.3
   * net: Ignore ABI changes due to "ipv6: add complete rcu protection around
     np->opt", which don't appear to affect out-of-tree modules
+  * tipc: Fix kfree_skb() of uninitialised pointer (regression in 4.3.3)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 14 Dec 2015 20:59:37 +0000
 
diff --git a/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch b/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
new file mode 100644
index 0000000..a584e73
--- /dev/null
+++ b/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
@@ -0,0 +1,29 @@
+Date: Tue, 15 Dec 2015 21:21:56 +0000
+From: Ben Hutchings <ben at decadent.org.uk>
+Subject: tipc: Fix kfree_skb() of uninitialised pointer
+Forwarded: http://mid.gmane.org/20151215212156.GQ28542@decadent.org.uk
+
+Commit 7098356baca7 ("tipc: fix error handling of expanding buffer
+headroom") added a "goto tx_error".  This is fine upstream, but
+when backported to 4.3 it results in attempting to free the clone
+before it has been allocated.  In this early error case, no
+cleanup is needed.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/tipc/udp_media.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index 86f2e7c..73bdf1b 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -162,7 +162,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
+ 	if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
+ 		err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
+ 		if (err)
+-			goto tx_error;
++			return err;
+ 	}
+ 
+ 	clone = skb_clone(skb, GFP_ATOMIC);
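Review bot: The new "return err;" after the failed pskb_expand_head() call takes this one failure path out of the function's shared tx_error cleanup, and the description's "no cleanup is needed" does not say who owns skb once tipc_udp_send_msg() returns the error here. Please state in the patch header whether the caller is still responsible for skb on this return, so a reader can confirm the early exit does not trade the bad free for a leak. Since the description says the goto is fine upstream, it would also help to note that this patch is specific to the 4.3 backport of 7098356baca7 and should be dropped, not carried forward, once the surrounding code matches upstream. An alternative that keeps the line identical to upstream would be to make the tx_error path tolerate a clone that has not been allocated yet, but the one-line early return is the smaller change provided the ownership point is documented.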
diff --git a/debian/patches/series b/debian/patches/series
index 0bb4f4e..f46bc86 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -103,3 +103,4 @@ features/arm/arm-dts-split-audio-configuration-to-separate-exynos.patch
 features/arm/arm-dts-add-support-odroid-xu4-board-for-exynos5422-.patch
 bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch
 bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch
+bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


