[linux] 02/02: Add fixes for CVE-2015-8812

debian-kernel at lists.debian.org
Sat Feb 13 19:10:56 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch squeeze-security
in repository linux.

commit 1b62117b4ca601a2d06437f778982144e8e85587
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Feb 13 19:08:37 2016 +0000

    Add fixes for CVE-2015-8812
---
 debian/changelog                                   |  3 ++
 ...ix-incorrectly-returning-error-on-success.patch | 36 ++++++++++++++++++++++
 ...don-t-free-skbs-on-net_xmit_-indications-.patch | 36 ++++++++++++++++++++++
 debian/patches/series/48squeeze20                  |  2 ++
 4 files changed, 77 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index d161089..ea2bacb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 linux-2.6 (2.6.32-48squeeze20) UNRELEASED; urgency=medium
 
   * pipe: Fix buffer offset after partially failed read (CVE-2016-0774)
+  * RDMA/cxgb3: Don't free skbs on NET_XMIT_* indications from LLD
+    (CVE-2015-8812)
+  * iw_cxgb3: Fix incorrectly returning error on success (CVE-2015-8812)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 13 Feb 2016 18:55:35 +0000
 
diff --git a/debian/patches/bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch b/debian/patches/bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
new file mode 100644
index 0000000..2cd099f
--- /dev/null
+++ b/debian/patches/bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
@@ -0,0 +1,36 @@
+From: Hariprasad S <hariprasad at chelsio.com>
+Date: Fri, 11 Dec 2015 13:59:17 +0530
+Subject: iw_cxgb3: Fix incorrectly returning error on success
+Origin: https://git.kernel.org/linus/67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3
+
+The cxgb3_*_send() functions return NET_XMIT_ values, which are
+positive integers values. So don't treat positive return values
+as an error.
+
+Signed-off-by: Steve Wise <swise at opengridcomputing.com>
+Signed-off-by: Hariprasad Shenai <hariprasad at chelsio.com>
+Signed-off-by: Doug Ledford <dledford at redhat.com>
+---
+ drivers/infiniband/hw/cxgb3/iwch_cm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/cxgb3/iwch_cm.c
++++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c
+@@ -150,7 +150,7 @@ static int iwch_l2t_send(struct t3cdev *
+ 	error = l2t_send(tdev, skb, l2e);
+ 	if (error < 0)
+ 		kfree_skb(skb);
+-	return error;
++	return error < 0 ? error : 0;
+ }
+ 
+ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb)
+@@ -166,7 +166,7 @@ int iwch_cxgb3_ofld_send(struct t3cdev *
+ 	error = cxgb3_ofld_send(tdev, skb);
+ 	if (error < 0)
+ 		kfree_skb(skb);
+-	return error;
++	return error < 0 ? error : 0;
+ }
+ 
+ static void release_tid(struct t3cdev *tdev, u32 hwtid, struct sk_buff *skb)
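Review bot: both hunks of this embedded patch use `if (error < 0)` as a context line, which only exists once rdma-cxgb3-don-t-free-skbs-on-net_xmit_-indications-.patch has been applied, and the patch header does not mention that prerequisite. The hunk headers here also show `static int iwch_l2t_send` at line 150, while the other patch in this commit shows a non-static `int iwch_l2t_send` at line 151, so the two were generated against different trees. Suggest adding a header line naming the prerequisite patch and confirming that this one applies to the 2.6.32 source without fuzz.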
diff --git a/debian/patches/bugfix/all/rdma-cxgb3-don-t-free-skbs-on-net_xmit_-indications-.patch b/debian/patches/bugfix/all/rdma-cxgb3-don-t-free-skbs-on-net_xmit_-indications-.patch
new file mode 100644
index 0000000..cd668c0
--- /dev/null
+++ b/debian/patches/bugfix/all/rdma-cxgb3-don-t-free-skbs-on-net_xmit_-indications-.patch
@@ -0,0 +1,36 @@
+From: Steve Wise <swise at opengridcomputing.com>
+Date: Mon, 5 Apr 2010 19:59:57 +0000
+Subject: RDMA/cxgb3: Don't free skbs on NET_XMIT_* indications from LLD
+Origin: https://git.kernel.org/linus/73a203d2014f50d874b9e40083ad481ca70408e8
+
+The low level cxgb3 driver can return NET_XMIT_CN and friends.
+The iw_cxgb3 driver should _not_ treat these as errors.
+
+Signed-off-by: Steve Wise <swise at opengridcomputing.com>
+Signed-off-by: Roland Dreier <rolandd at cisco.com>
+---
+ drivers/infiniband/hw/cxgb3/iwch_cm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb3/iwch_cm.c b/drivers/infiniband/hw/cxgb3/iwch_cm.c
+index 4fef03296276..cfd6db019f1e 100644
+--- a/drivers/infiniband/hw/cxgb3/iwch_cm.c
++++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c
+@@ -151,7 +151,7 @@ int iwch_l2t_send(struct t3cdev *tdev, struct sk_buff *skb, struct l2t_entry *l2
+ 		return -EIO;
+ 	}
+ 	error = l2t_send(tdev, skb, l2e);
+-	if (error)
++	if (error < 0)
+ 		kfree_skb(skb);
+ 	return error;
+ }
+@@ -167,7 +167,7 @@ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb)
+ 		return -EIO;
+ 	}
+ 	error = cxgb3_ofld_send(tdev, skb);
+-	if (error)
++	if (error < 0)
+ 		kfree_skb(skb);
+ 	return error;
+ }
diff --git a/debian/patches/series/48squeeze20 b/debian/patches/series/48squeeze20
index 3cbc8dd..69020d7 100644
--- a/debian/patches/series/48squeeze20
+++ b/debian/patches/series/48squeeze20
@@ -1 +1,3 @@
 + bugfix/all/pipe-fix-buffer-offset-after-partially-failed-read.patch
++ bugfix/all/rdma-cxgb3-don-t-free-skbs-on-net_xmit_-indications-.patch
++ bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


