Use committed version of CVE-2014-2568 fix

svn path=/dists/trunk/linux/; revision=21199

debian/patches/bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch

@@ -1,7 +1,8 @@
-Subject: [v4] core, nfqueue, openvswitch: Orphan frags in skb_zerocopy and handle errors
 From: Zoltan Kiss <zoltan.kiss@citrix.com>
-Date: Fri, 21 Mar 2014 10:31:34 +0000
-Origin: https://patchwork.ozlabs.org/patch/332544/
+Date: Wed, 26 Mar 2014 22:37:45 +0000
+Subject: core, nfqueue, openvswitch: Orphan frags in skb_zerocopy and handle
+ errors
+Origin: https://git.kernel.org/linus/36d5fe6a000790f56039afe26834265db0a3ad4c
 
 skb_zerocopy can copy elements of the frags array between skbs, but it doesn't
 orphan them. Also, it doesn't handle errors, so this patch takes care of that
@@ -10,25 +11,31 @@ the callers so they will signal the failed delivery towards the creator of the
 skb.
 
 Signed-off-by: Zoltan Kiss <zoltan.kiss@citrix.com>
-Acked-by: Thomas Graf <tgraf@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
 ---
+ include/linux/skbuff.h               |  4 ++--
+ net/core/skbuff.c                    | 27 ++++++++++++++++++++-------
+ net/netfilter/nfnetlink_queue_core.c |  9 +++++++--
+ net/openvswitch/datapath.c           |  6 +++++-
+ 4 files changed, 34 insertions(+), 12 deletions(-)
+
 diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
-index 03db95a..35c4e85 100644
+index 5e1e6f2..15ede6a 100644
 --- a/include/linux/skbuff.h
 +++ b/include/linux/skbuff.h
-@@ -2508,8 +2508,8 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset,
+@@ -2451,8 +2451,8 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset,
  		    unsigned int flags);
  void skb_copy_and_csum_dev(const struct sk_buff *skb, u8 *to);
  unsigned int skb_zerocopy_headlen(const struct sk_buff *from);
 -void skb_zerocopy(struct sk_buff *to, const struct sk_buff *from,
 -		  int len, int hlen);
-+int skb_zerocopy(struct sk_buff *to, const struct sk_buff *from,
++int skb_zerocopy(struct sk_buff *to, struct sk_buff *from,
 +		 int len, int hlen);
  void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len);
  int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen);
  void skb_scrub_packet(struct sk_buff *skb, bool xnet);
 diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index 3f14c63..4cf0ee5 100644
+index 869c7af..97e5a2c 100644
 --- a/net/core/skbuff.c
 +++ b/net/core/skbuff.c
 @@ -2127,25 +2127,31 @@ EXPORT_SYMBOL_GPL(skb_zerocopy_headlen);
@@ -42,8 +49,9 @@ index 3f14c63..4cf0ee5 100644
 + *	-EFAULT: skb_copy_bits() found some problem with skb geometry
   */
 -void
+-skb_zerocopy(struct sk_buff *to, const struct sk_buff *from, int len, int hlen)
 +int
- skb_zerocopy(struct sk_buff *to, const struct sk_buff *from, int len, int hlen)
++skb_zerocopy(struct sk_buff *to, struct sk_buff *from, int len, int hlen)
  {
  	int i, j = 0;
  	int plen = 0; /* length of skb->head fragment */
@@ -130,7 +138,7 @@ index f072fe8..108120f 100644
  	net_err_ratelimited("nf_queue: error creating packet message\n");
  	return NULL;
 diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
-index c53fe0c..9230223 100644
+index 8601b32..270b77d 100644
 --- a/net/openvswitch/datapath.c
 +++ b/net/openvswitch/datapath.c
 @@ -464,7 +464,9 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb,