From 6d12c5fb7620570980632d87aee190a3d470937b Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sun, 30 Mar 2014 22:55:38 +0000 Subject: [PATCH] Use committed version of CVE-2014-2568 fix svn path=/dists/trunk/linux/; revision=21199 --- ...gs-in-skb_zerocopy-and-handle-errors.patch | 28 ++++++++++++------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/debian/patches/bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch b/debian/patches/bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch index f317645ca..2c4ec4a5c 100644 --- a/debian/patches/bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch +++ b/debian/patches/bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch @@ -1,7 +1,8 @@ -Subject: [v4] core, nfqueue, openvswitch: Orphan frags in skb_zerocopy and handle errors From: Zoltan Kiss -Date: Fri, 21 Mar 2014 10:31:34 +0000 -Origin: https://patchwork.ozlabs.org/patch/332544/ +Date: Wed, 26 Mar 2014 22:37:45 +0000 +Subject: core, nfqueue, openvswitch: Orphan frags in skb_zerocopy and handle + errors +Origin: https://git.kernel.org/linus/36d5fe6a000790f56039afe26834265db0a3ad4c skb_zerocopy can copy elements of the frags array between skbs, but it doesn't orphan them. Also, it doesn't handle errors, so this patch takes care of that @@ -10,25 +11,31 @@ the callers so they will signal the failed delivery towards the creator of the skb. Signed-off-by: Zoltan Kiss -Acked-by: Thomas Graf +Signed-off-by: David S. Miller --- + include/linux/skbuff.h | 4 ++-- + net/core/skbuff.c | 27 ++++++++++++++++++++------- + net/netfilter/nfnetlink_queue_core.c | 9 +++++++-- + net/openvswitch/datapath.c | 6 +++++- + 4 files changed, 34 insertions(+), 12 deletions(-) + diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index 03db95a..35c4e85 100644 +index 5e1e6f2..15ede6a 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h -@@ -2508,8 +2508,8 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset, +@@ -2451,8 +2451,8 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset, unsigned int flags); void skb_copy_and_csum_dev(const struct sk_buff *skb, u8 *to); unsigned int skb_zerocopy_headlen(const struct sk_buff *from); -void skb_zerocopy(struct sk_buff *to, const struct sk_buff *from, - int len, int hlen); -+int skb_zerocopy(struct sk_buff *to, const struct sk_buff *from, ++int skb_zerocopy(struct sk_buff *to, struct sk_buff *from, + int len, int hlen); void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len); int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen); void skb_scrub_packet(struct sk_buff *skb, bool xnet); diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 3f14c63..4cf0ee5 100644 +index 869c7af..97e5a2c 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -2127,25 +2127,31 @@ EXPORT_SYMBOL_GPL(skb_zerocopy_headlen); @@ -42,8 +49,9 @@ index 3f14c63..4cf0ee5 100644 + * -EFAULT: skb_copy_bits() found some problem with skb geometry */ -void +-skb_zerocopy(struct sk_buff *to, const struct sk_buff *from, int len, int hlen) +int - skb_zerocopy(struct sk_buff *to, const struct sk_buff *from, int len, int hlen) ++skb_zerocopy(struct sk_buff *to, struct sk_buff *from, int len, int hlen) { int i, j = 0; int plen = 0; /* length of skb->head fragment */ @@ -130,7 +138,7 @@ index f072fe8..108120f 100644 net_err_ratelimited("nf_queue: error creating packet message\n"); return NULL; diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c -index c53fe0c..9230223 100644 +index 8601b32..270b77d 100644 --- a/net/openvswitch/datapath.c +++ b/net/openvswitch/datapath.c @@ -464,7 +464,9 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb,