CVE-2011-3347: be2net: promiscuous mode and non-member VLAN packets DoS

(rhbz 748691)
2011-10-25 13:52:02 -04:00 · 2011-10-25 13:52:02 -04:00 · 8cbfe5c222
parent 45fb06294a
commit 8cbfe5c222
4 changed files with 220 additions and 0 deletions
--- a/be2net-move-to-new-vlan-model.patch
+++ b/be2net-move-to-new-vlan-model.patch
@ -0,0 +1,107 @@
+From 1447378e3da1b56bb5c7fb1b1bc9b85e061447e7 Mon Sep 17 00:00:00 2001
+From: Ajit Khaparde <ajit.khaparde@emulex.com>
+Date: Tue, 12 Jul 2011 22:10:01 -0700
+Subject: [PATCH 1/3] be2net: move to new vlan model
+
+Signed-off-by: Ajit Khaparde <ajit.khaparde@emulex.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/benet/be.h      |    1 -
+ drivers/net/benet/be_main.c |   34 +++++++++-------------------------
+ 2 files changed, 9 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/net/benet/be.h b/drivers/net/benet/be.h
+index a7db870..5112000 100644
+--- a/drivers/net/benet/be.h
+++ b/drivers/net/benet/be.h
+@@ -332,7 +332,6 @@ struct be_adapter {
+ 	u8 eq_next_idx;
+ 	struct be_drv_stats drv_stats;
+ 
+-	struct vlan_group *vlan_grp;
+ 	u16 vlans_added;
+ 	u16 max_vlans;	/* Number of vlans supported */
+ 	u8 vlan_tag[VLAN_N_VID];
+diff --git a/drivers/net/benet/be_main.c b/drivers/net/benet/be_main.c
+index a485f7f..146e420 100644
+--- a/drivers/net/benet/be_main.c
+++ b/drivers/net/benet/be_main.c
+@@ -648,7 +648,7 @@ static void wrb_fill_hdr(struct be_adapter *adapter, struct be_eth_hdr_wrb *hdr,
+ 			AMAP_SET_BITS(struct amap_eth_hdr_wrb, udpcs, hdr, 1);
+ 	}
+ 
+-	if (adapter->vlan_grp && vlan_tx_tag_present(skb)) {
+	if (vlan_tx_tag_present(skb)) {
+ 		AMAP_SET_BITS(struct amap_eth_hdr_wrb, vlan, hdr, 1);
+ 		vlan_tag = vlan_tx_tag_get(skb);
+ 		vlan_prio = (vlan_tag & VLAN_PRIO_MASK) >> VLAN_PRIO_SHIFT;
+@@ -842,13 +842,6 @@ static int be_vid_config(struct be_adapter *adapter, bool vf, u32 vf_num)
+ 	return status;
+ }
+ 
+-static void be_vlan_register(struct net_device *netdev, struct vlan_group *grp)
+-{
+-	struct be_adapter *adapter = netdev_priv(netdev);
+-
+-	adapter->vlan_grp = grp;
+-}
+-
+ static void be_vlan_add_vid(struct net_device *netdev, u16 vid)
+ {
+ 	struct be_adapter *adapter = netdev_priv(netdev);
+@@ -867,7 +860,6 @@ static void be_vlan_rem_vid(struct net_device *netdev, u16 vid)
+ 	struct be_adapter *adapter = netdev_priv(netdev);
+ 
+ 	adapter->vlans_added--;
+-	vlan_group_set_device(adapter->vlan_grp, vid, NULL);
+ 
+ 	if (!be_physfn(adapter))
+ 		return;
+@@ -1196,16 +1188,10 @@ static void be_rx_compl_process(struct be_adapter *adapter,
+ 		skb->rxhash = rxcp->rss_hash;
+ 
+ 
+-	if (unlikely(rxcp->vlanf)) {
+-		if (!adapter->vlan_grp || adapter->vlans_added == 0) {
+-			kfree_skb(skb);
+-			return;
+-		}
+-		vlan_hwaccel_receive_skb(skb, adapter->vlan_grp,
+-					rxcp->vlan_tag);
+-	} else {
+-		netif_receive_skb(skb);
+-	}
+	if (unlikely(rxcp->vlanf))
+		__vlan_hwaccel_put_tag(skb, rxcp->vlan_tag);
+
+	netif_receive_skb(skb);
+ }
+ 
+ /* Process the RX completion indicated by rxcp when GRO is enabled */
+@@ -1259,11 +1245,10 @@ static void be_rx_compl_process_gro(struct be_adapter *adapter,
+ 	if (adapter->netdev->features & NETIF_F_RXHASH)
+ 		skb->rxhash = rxcp->rss_hash;
+ 
+-	if (likely(!rxcp->vlanf))
+-		napi_gro_frags(&eq_obj->napi);
+-	else
+-		vlan_gro_frags(&eq_obj->napi, adapter->vlan_grp,
+-				rxcp->vlan_tag);
+	if (unlikely(rxcp->vlanf))
+		__vlan_hwaccel_put_tag(skb, rxcp->vlan_tag);
+
+	napi_gro_frags(&eq_obj->napi);
+ }
+ 
+ static void be_parse_rx_compl_v1(struct be_adapter *adapter,
+@@ -2901,7 +2886,6 @@ static struct net_device_ops be_netdev_ops = {
+ 	.ndo_set_mac_address	= be_mac_addr_set,
+ 	.ndo_change_mtu		= be_change_mtu,
+ 	.ndo_validate_addr	= eth_validate_addr,
+-	.ndo_vlan_rx_register	= be_vlan_register,
+ 	.ndo_vlan_rx_add_vid	= be_vlan_add_vid,
+ 	.ndo_vlan_rx_kill_vid	= be_vlan_rem_vid,
+ 	.ndo_set_vf_mac		= be_set_vf_mac,
+-- 
+1.7.6.4
+
--- a/be2net-non-member-vlan-pkts-not-received-in-promisco.patch
+++ b/be2net-non-member-vlan-pkts-not-received-in-promisco.patch
@ -0,0 +1,63 @@
+From c0e64ef4899df4cedc872871e54e2c069d29e519 Mon Sep 17 00:00:00 2001
+From: Sathya Perla <sathya.perla@emulex.com>
+Date: Tue, 2 Aug 2011 19:57:43 +0000
+Subject: [PATCH] be2net: non-member vlan pkts not received in promiscous mode
+
+While configuring promiscous mode, explicitly set the
+VLAN_PROMISCOUS bit to make this happen. When switching off
+promiscous mode, re-program the vids.
+
+Signed-off-by: Xavier Selvin <xavier.selvin@emulex.com>
+Signed-off-by: Sathya Perla <sathya.perla@emulex.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/benet/be_cmds.c |    6 ++++--
+ drivers/net/benet/be_main.c |    7 +++++++
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/benet/be_cmds.c b/drivers/net/benet/be_cmds.c
+index 1c25dbd..73fd949 100644
+--- a/drivers/net/benet/be_cmds.c
+++ b/drivers/net/benet/be_cmds.c
+@@ -1586,9 +1586,11 @@ int be_cmd_promiscuous_config(struct be_adapter *adapter, bool en)
+ 			OPCODE_COMMON_NTWK_RX_FILTER, sizeof(*req));
+ 
+ 	req->if_id = cpu_to_le32(adapter->if_handle);
+-	req->if_flags_mask = cpu_to_le32(BE_IF_FLAGS_PROMISCUOUS);
+	req->if_flags_mask = cpu_to_le32(BE_IF_FLAGS_PROMISCUOUS
+				| BE_IF_FLAGS_VLAN_PROMISCUOUS);
+ 	if (en)
+-		req->if_flags = cpu_to_le32(BE_IF_FLAGS_PROMISCUOUS);
+		req->if_flags = cpu_to_le32(BE_IF_FLAGS_PROMISCUOUS
+				| BE_IF_FLAGS_VLAN_PROMISCUOUS);
+ 
+ 	sge->pa_hi = cpu_to_le32(upper_32_bits(promiscous_cmd.dma));
+ 	sge->pa_lo = cpu_to_le32(promiscous_cmd.dma & 0xFFFFFFFF);
+diff --git a/drivers/net/benet/be_main.c b/drivers/net/benet/be_main.c
+index 3b2c5e6..32a5b11 100644
+--- a/drivers/net/benet/be_main.c
+++ b/drivers/net/benet/be_main.c
+@@ -728,6 +728,10 @@ static int be_vid_config(struct be_adapter *adapter, bool vf, u32 vf_num)
+ 		status = be_cmd_vlan_config(adapter, if_handle, vtag, 1, 1, 0);
+ 	}
+ 
+	/* No need to further configure vids if in promiscuous mode */
+	if (adapter->promiscuous)
+		return 0;
+
+ 	if (adapter->vlans_added <= adapter->max_vlans)  {
+ 		/* Construct VLAN Table to give to HW */
+ 		for (i = 0; i < VLAN_N_VID; i++) {
+@@ -787,6 +791,9 @@ static void be_set_multicast_list(struct net_device *netdev)
+ 	if (adapter->promiscuous) {
+ 		adapter->promiscuous = false;
+ 		be_cmd_promiscuous_config(adapter, false);
+
+		if (adapter->vlans_added)
+			be_vid_config(adapter, false, 0);
+ 	}
+ 
+ 	/* Enable multicast promisc if num configured exceeds what we support */
+-- 
+1.7.6.4
+
--- a/benet-remove-bogus-unlikely-on-vlan-check.patch
+++ b/benet-remove-bogus-unlikely-on-vlan-check.patch
@ -0,0 +1,39 @@
+From 82f15998fafe683add83f7a11b2e25f919b3cd2d Mon Sep 17 00:00:00 2001
+From: Jiri Pirko <jpirko@redhat.com>
+Date: Tue, 25 Oct 2011 13:47:16 -0400
+Subject: [PATCH] benet: remove bogus "unlikely" on vlan check
+
+Use of unlikely in this place is wrong. Remove it.
+
+Signed-off-by: Jiri Pirko <jpirko@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Backported-by: Josh Boyer <jwboyer@redhat.com>
+---
+ drivers/net/benet/be_main.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/benet/be_main.c b/drivers/net/benet/be_main.c
+index c411bb1..6df0c7e 100644
+--- a/drivers/net/benet/be_main.c
+++ b/drivers/net/benet/be_main.c
+@@ -1192,7 +1192,7 @@ static void be_rx_compl_process(struct be_adapter *adapter,
+ 		skb->rxhash = rxcp->rss_hash;
+ 
+ 
+-	if (unlikely(rxcp->vlanf))
+	if (rxcp->vlanf)
+ 		__vlan_hwaccel_put_tag(skb, rxcp->vlan_tag);
+ 
+ 	netif_receive_skb(skb);
+@@ -1249,7 +1249,7 @@ static void be_rx_compl_process_gro(struct be_adapter *adapter,
+ 	if (adapter->netdev->features & NETIF_F_RXHASH)
+ 		skb->rxhash = rxcp->rss_hash;
+ 
+-	if (unlikely(rxcp->vlanf))
+	if (rxcp->vlanf)
+ 		__vlan_hwaccel_put_tag(skb, rxcp->vlan_tag);
+ 
+ 	napi_gro_frags(&eq_obj->napi);
+-- 
+1.7.6.4
+
--- a/kernel.spec
+++ b/kernel.spec
@ -709,6 +709,11 @@ Patch21021: 0002-mm-Abort-reclaim-compaction-if-compaction-can-procee.patch
 #rhbz 737108
 Patch21030: platform-fix-samsung-brightness-min-max-calculations.patch

+#rhbz 748691
+Patch21040: be2net-move-to-new-vlan-model.patch
+Patch21041: be2net-non-member-vlan-pkts-not-received-in-promisco.patch
+Patch21042: benet-remove-bogus-unlikely-on-vlan-check.patch
+
 %endif

 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@ -1285,6 +1290,11 @@ ApplyPatch 0002-mm-Abort-reclaim-compaction-if-compaction-can-procee.patch
 #rhbz 737108
 ApplyPatch platform-fix-samsung-brightness-min-max-calculations.patch

+#rhbz 748691
+ApplyPatch be2net-move-to-new-vlan-model.patch
+ApplyPatch be2net-non-member-vlan-pkts-not-received-in-promisco.patch
+ApplyPatch benet-remove-bogus-unlikely-on-vlan-check.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -1906,6 +1916,7 @@ fi

 %changelog
 * Tue Oct 25 2011 Josh Boyer <jwboyer@redhat.com>
+- CVE-2011-3347: be2net: promiscuous mode and non-member VLAN packets DoS (rhbz 748691)
 - CVE-2011-1083: excessive in kernel CPU consumption when creating large nested epoll structures (rhbz 748668)

 * Tue Oct 25 2011 Josh Boyer <jwboyer@redhat.com>