bonding: Incorrect TX queue offset, CVE-2011-1581
authorPhil Oester <kernel@linuxace.com>
Mon, 6 Jun 2011 10:35:23 +0000 (11:35 +0100)
committerTim Gardner <tim.gardner@canonical.com>
Mon, 6 Jun 2011 13:52:32 +0000 (07:52 -0600)
commitb5c38131532b066587711b910bf06cfcb68c4749
treecd9bb718bb9ab94dc4cbbe3ca871fb037b779afb
parente001fc1f8340837021509bfc482c039c0d5700a7
bonding: Incorrect TX queue offset, CVE-2011-1581

When packets come in from a device with >= 16 receive queues
headed out a bonding interface, syslog gets filled with this:

    kernel: bond0 selects TX queue 16, but real number of TX queues is 16

because queue_mapping is offset by 1.  Adjust return value
to account for the offset.

This is a revision of my earlier patch (which did not use the
skb_rx_queue_* helpers - thanks to Ben for the suggestion).
Andy submitted a similar patch which emits a pr_warning on
invalid queue selection, but I believe the log spew is
not useful.  We can revisit that question in the future,
but in the interim I believe fixing the core problem is
worthwhile.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit fd0e435b0fe85622f167b84432552885a4856ac8)
CVE-2011-1581
BugLink: http://bugs.launchpad.net/bugs/792312
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
drivers/net/bonding/bond_main.c