From 77ea0ce82b45bf59506d20cf344140d5e60558f6 Mon Sep 17 00:00:00 2001
From: Justin M. Forbes <jforbes@redhat.com>
Date: Aug 17 2016 13:48:00 +0000
Subject: cp fix use after free in tcp_xmit_retransmit_queue (rhbz 1367091 1367092)


---

diff --git a/kernel.spec b/kernel.spec
index b1de678..8aa3084 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -650,6 +650,9 @@ Patch843: kvm-ppc-Book3S-HV-Save-restore-TM-state.patch
 #rhbz 1361414
 Patch844: openstack_fix.patch
 
+#rhbz 1367091,1367092
+Patch855: tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2170,7 +2173,10 @@ fi
 #
 # 
 %changelog
-* Tue Aug 16 2016 Laura Abbott <labbott@fedoraproject.org> - 4.6.7-200
+* Wed Aug 17 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.6.7-200
+- tcp fix use after free in tcp_xmit_retransmit_queue (rhbz 1367091 1367092)
+
+* Tue Aug 16 2016 Laura Abbott <labbott@fedoraproject.org>
 - Linux v4.6.7
 - Fix for crash seen with Open Stack (rhbz 1361414)
 
diff --git a/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch b/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
new file mode 100644
index 0000000..36ada7a
--- /dev/null
+++ b/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
@@ -0,0 +1,46 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: 2016-08-17 12:56:26
+Subject: [PATCH net] tcp: fix use after free in tcp_xmit_retransmit_queue()
+
+When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
+tail of the write queue using tcp_add_write_queue_tail()
+
+Then it attempts to copy user data into this fresh skb.
+
+If the copy fails, we undo the work and remove the fresh skb.
+
+Unfortunately, this undo lacks the change done to tp->highest_sack and
+we can leave a dangling pointer (to a freed skb)
+
+Later, tcp_xmit_retransmit_queue() can dereference this pointer and
+access freed memory. For regular kernels where memory is not unmapped,
+this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
+returning garbage instead of tp->snd_nxt, but with various debug
+features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
+
+This bug was found by Marco Grassi thanks to syzkaller.
+
+Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
+Reported-by: Marco Grassi <marco.gra@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+---
+ include/net/tcp.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index c00e7d51bb18..7717302cab91 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1523,6 +1523,8 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
+ {
+ 	if (sk->sk_send_head == skb_unlinked)
+ 		sk->sk_send_head = NULL;
++	if (tcp_sk(sk)->highest_sack == skb_unlinked)
++		tcp_sk(sk)->highest_sack = NULL;
+ }
+ 
+ static inline void tcp_init_send_head(struct sock *sk)
+