CVE-2011-3347: be2net: promiscuous mode and non-member VLAN packets DoS

(rhbz 748691)

be2net-non-member-vlan-pkts-not-received-in-promisco.patch

@@ -0,0 +1,63 @@
+From c0e64ef4899df4cedc872871e54e2c069d29e519 Mon Sep 17 00:00:00 2001
+From: Sathya Perla <sathya.perla@emulex.com>
+Date: Tue, 2 Aug 2011 19:57:43 +0000
+Subject: [PATCH] be2net: non-member vlan pkts not received in promiscous mode
+
+While configuring promiscous mode, explicitly set the
+VLAN_PROMISCOUS bit to make this happen. When switching off
+promiscous mode, re-program the vids.
+
+Signed-off-by: Xavier Selvin <xavier.selvin@emulex.com>
+Signed-off-by: Sathya Perla <sathya.perla@emulex.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/benet/be_cmds.c |    6 ++++--
+ drivers/net/benet/be_main.c |    7 +++++++
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/benet/be_cmds.c b/drivers/net/benet/be_cmds.c
+index 1c25dbd..73fd949 100644
+--- a/drivers/net/benet/be_cmds.c
++++ b/drivers/net/benet/be_cmds.c
+@@ -1586,9 +1586,11 @@ int be_cmd_promiscuous_config(struct be_adapter *adapter, bool en)
+ 			OPCODE_COMMON_NTWK_RX_FILTER, sizeof(*req));
+ 
+ 	req->if_id = cpu_to_le32(adapter->if_handle);
+-	req->if_flags_mask = cpu_to_le32(BE_IF_FLAGS_PROMISCUOUS);
++	req->if_flags_mask = cpu_to_le32(BE_IF_FLAGS_PROMISCUOUS
++				| BE_IF_FLAGS_VLAN_PROMISCUOUS);
+ 	if (en)
+-		req->if_flags = cpu_to_le32(BE_IF_FLAGS_PROMISCUOUS);
++		req->if_flags = cpu_to_le32(BE_IF_FLAGS_PROMISCUOUS
++				| BE_IF_FLAGS_VLAN_PROMISCUOUS);
+ 
+ 	sge->pa_hi = cpu_to_le32(upper_32_bits(promiscous_cmd.dma));
+ 	sge->pa_lo = cpu_to_le32(promiscous_cmd.dma & 0xFFFFFFFF);
+diff --git a/drivers/net/benet/be_main.c b/drivers/net/benet/be_main.c
+index 3b2c5e6..32a5b11 100644
+--- a/drivers/net/benet/be_main.c
++++ b/drivers/net/benet/be_main.c
+@@ -728,6 +728,10 @@ static int be_vid_config(struct be_adapter *adapter, bool vf, u32 vf_num)
+ 		status = be_cmd_vlan_config(adapter, if_handle, vtag, 1, 1, 0);
+ 	}
+ 
++	/* No need to further configure vids if in promiscuous mode */
++	if (adapter->promiscuous)
++		return 0;
++
+ 	if (adapter->vlans_added <= adapter->max_vlans)  {
+ 		/* Construct VLAN Table to give to HW */
+ 		for (i = 0; i < VLAN_N_VID; i++) {
+@@ -787,6 +791,9 @@ static void be_set_multicast_list(struct net_device *netdev)
+ 	if (adapter->promiscuous) {
+ 		adapter->promiscuous = false;
+ 		be_cmd_promiscuous_config(adapter, false);
++
++		if (adapter->vlans_added)
++			be_vid_config(adapter, false, 0);
+ 	}
+ 
+ 	/* Enable multicast promisc if num configured exceeds what we support */
+-- 
+1.7.6.4
+

benet-remove-bogus-unlikely-on-vlan-check.patch

@@ -0,0 +1,39 @@
+From 82f15998fafe683add83f7a11b2e25f919b3cd2d Mon Sep 17 00:00:00 2001
+From: Jiri Pirko <jpirko@redhat.com>
+Date: Tue, 25 Oct 2011 13:47:16 -0400
+Subject: [PATCH] benet: remove bogus "unlikely" on vlan check
+
+Use of unlikely in this place is wrong. Remove it.
+
+Signed-off-by: Jiri Pirko <jpirko@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Backported-by: Josh Boyer <jwboyer@redhat.com>
+---
+ drivers/net/benet/be_main.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/benet/be_main.c b/drivers/net/benet/be_main.c
+index c411bb1..6df0c7e 100644
+--- a/drivers/net/benet/be_main.c
++++ b/drivers/net/benet/be_main.c
+@@ -1192,7 +1192,7 @@ static void be_rx_compl_process(struct be_adapter *adapter,
+ 		skb->rxhash = rxcp->rss_hash;
+ 
+ 
+-	if (unlikely(rxcp->vlanf))
++	if (rxcp->vlanf)
+ 		__vlan_hwaccel_put_tag(skb, rxcp->vlan_tag);
+ 
+ 	netif_receive_skb(skb);
+@@ -1249,7 +1249,7 @@ static void be_rx_compl_process_gro(struct be_adapter *adapter,
+ 	if (adapter->netdev->features & NETIF_F_RXHASH)
+ 		skb->rxhash = rxcp->rss_hash;
+ 
+-	if (unlikely(rxcp->vlanf))
++	if (rxcp->vlanf)
+ 		__vlan_hwaccel_put_tag(skb, rxcp->vlan_tag);
+ 
+ 	napi_gro_frags(&eq_obj->napi);
+-- 
+1.7.6.4
+

kernel.spec

@@ -756,6 +756,10 @@ Patch21002: mmc-Always-check-for-lower-base-frequency-quirk-for-.patch
 Patch21020: 0001-mm-vmscan-Limit-direct-reclaim-for-higher-order-allo.patch
 Patch21021: 0002-mm-Abort-reclaim-compaction-if-compaction-can-procee.patch
 
+#rhbz 748691
+Patch21030: be2net-non-member-vlan-pkts-not-received-in-promisco.patch
+Patch21031: benet-remove-bogus-unlikely-on-vlan-check.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1394,6 +1398,10 @@ ApplyPatch utrace.patch
 ApplyPatch 0001-mm-vmscan-Limit-direct-reclaim-for-higher-order-allo.patch
 ApplyPatch 0002-mm-Abort-reclaim-compaction-if-compaction-can-procee.patch
 
+#rhbz 748691
+ApplyPatch be2net-non-member-vlan-pkts-not-received-in-promisco.patch
+ApplyPatch benet-remove-bogus-unlikely-on-vlan-check.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2096,6 +2104,7 @@ fi
 
 %changelog
 * Tue Oct 25 2011 Josh Boyer <jwboyer@redhat.com>
+- CVE-2011-3347: be2net: promiscuous mode and non-member VLAN packets DoS (rhbz 748691)
 - CVE-2011-1083: excessive in kernel CPU consumption when creating large nested epoll structures (rhbz 748668)
 
 * Mon Oct 24 2011 Josh Boyer <jwboyer@redhat.com>