diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-02-18 08:20:05 -0500 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-02-18 08:20:05 -0500 |
commit | 4f912db3d920283641b108676a81c3fc00612895 (patch) | |
tree | 5977aea0995e3b7d4dc0ef2c988acc5794dab299 | |
parent | 9f8ff56698ce20eb7e3a08c052ff5de45063c257 (diff) | |
download | kernel-4f912db3d920283641b108676a81c3fc00612895.tar.gz kernel-4f912db3d920283641b108676a81c3fc00612895.tar.xz kernel-4f912db3d920283641b108676a81c3fc00612895.zip |
CVE-2015-8812 cxgb3 use after free (rhbz 1303532 1309548)
-rw-r--r-- | iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch | 41 | ||||
-rw-r--r-- | kernel.spec | 6 |
2 files changed, 47 insertions, 0 deletions
diff --git a/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch b/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch new file mode 100644 index 000000000..9c517cf49 --- /dev/null +++ b/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch @@ -0,0 +1,41 @@ +From 67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3 Mon Sep 17 00:00:00 2001 +From: Hariprasad S <hariprasad@chelsio.com> +Date: Fri, 11 Dec 2015 13:59:17 +0530 +Subject: [PATCH] iw_cxgb3: Fix incorrectly returning error on success + +The cxgb3_*_send() functions return NET_XMIT_ values, which are +positive integers values. So don't treat positive return values +as an error. + +Signed-off-by: Steve Wise <swise@opengridcomputing.com> +Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com> +Signed-off-by: Doug Ledford <dledford@redhat.com> +--- + drivers/infiniband/hw/cxgb3/iwch_cm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb3/iwch_cm.c b/drivers/infiniband/hw/cxgb3/iwch_cm.c +index cb78b1e9bcd9..f504ba73e5dc 100644 +--- a/drivers/infiniband/hw/cxgb3/iwch_cm.c ++++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c +@@ -149,7 +149,7 @@ static int iwch_l2t_send(struct t3cdev *tdev, struct sk_buff *skb, struct l2t_en + error = l2t_send(tdev, skb, l2e); + if (error < 0) + kfree_skb(skb); +- return error; ++ return error < 0 ? error : 0; + } + + int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb) +@@ -165,7 +165,7 @@ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb) + error = cxgb3_ofld_send(tdev, skb); + if (error < 0) + kfree_skb(skb); +- return error; ++ return error < 0 ? error : 0; + } + + static void release_tid(struct t3cdev *tdev, u32 hwtid, struct sk_buff *skb) +-- +2.5.0 + diff --git a/kernel.spec b/kernel.spec index 9d5670661..9442d63d2 100644 --- a/kernel.spec +++ b/kernel.spec @@ -711,6 +711,9 @@ Patch651: Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch #rhbz 1305181 1299901 Patch652: drm-mgag200-fix-kernel-hang-in-cursor-code.patch +#CVE-2015-8812 rhbz 1303532 1309548 +Patch653: iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch + # END OF PATCH DEFINITIONS %endif @@ -2154,6 +2157,9 @@ fi # # %changelog +* Thu Feb 18 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-8812 cxgb3 use after free (rhbz 1303532 1309548) + * Wed Feb 17 2016 Josh Boyer <jwboyer@fedoraproject.org> - Backport mgag200 cursor hang fix (rhbz 1305181 1299901) |