1 files changed, 46 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch
new file mode 100644
index 0000000..6750cd5
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch
@@ -0,0 +1,46 @@
+From 00eff2ebbd229758e90659907724c14dd5a18339 Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Mon, 6 Feb 2017 18:10:31 -0200
+Subject: [PATCH] sctp: avoid BUG_ON on sctp_wait_for_sndbuf
+[ Upstream commit 2dcab598484185dea7ec22219c76dcdd59e3cb90 ]
+Alexander Popov reported that an application may trigger a BUG_ON in
+sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
+waiting on it to queue more data and meanwhile another thread peels off
+the association being used by the first thread.
+This patch replaces the BUG_ON call with a proper error handling. It
+will return -EPIPE to the original sendmsg call, similarly to what would
+have been done if the association wasn't found in the first place.
+CVE: CVE-2017-5986
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+Acked-by: Alexander Popov <alex.popov@linux.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/sctp/socket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index ca12aa3..6cbe5bd 100644
+--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
+@@ -7427,7 +7427,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+                 */
+                release_sock(sk);
+                current_timeo = schedule_timeout(current_timeo);
+-               BUG_ON(sk != asoc->base.sk);
+               if (sk != asoc->base.sk)
+                       goto do_error;
+                lock_sock(sk);
+ 
+                *timeo_p = current_timeo;
+-- 
+1.9.1

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch new file mode 100644 index 0000000..6750cd5 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch
@@ -0,0 +1,46 @@
	1	From 00eff2ebbd229758e90659907724c14dd5a18339 Mon Sep 17 00:00:00 2001
	2	From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
	3	Date: Mon, 6 Feb 2017 18:10:31 -0200
	4	Subject: [PATCH] sctp: avoid BUG_ON on sctp_wait_for_sndbuf
	5
	6	[ Upstream commit 2dcab598484185dea7ec22219c76dcdd59e3cb90 ]
	7
	8	Alexander Popov reported that an application may trigger a BUG_ON in
	9	sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
	10	waiting on it to queue more data and meanwhile another thread peels off
	11	the association being used by the first thread.
	12
	13	This patch replaces the BUG_ON call with a proper error handling. It
	14	will return -EPIPE to the original sendmsg call, similarly to what would
	15	have been done if the association wasn't found in the first place.
	16
	17	CVE: CVE-2017-5986
	18	Upstream-Status: Backport [from kernel.org longterm 4.9.52]
	19
	20	Acked-by: Alexander Popov <alex.popov@linux.com>
	21	Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
	22	Reviewed-by: Xin Long <lucien.xin@gmail.com>
	23	Signed-off-by: David S. Miller <davem@davemloft.net>
	24	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	25	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	26	---
	27	net/sctp/socket.c \| 3 ++-
	28	1 file changed, 2 insertions(+), 1 deletion(-)
	29
	30	diff --git a/net/sctp/socket.c b/net/sctp/socket.c
	31	index ca12aa3..6cbe5bd 100644
	32	--- a/net/sctp/socket.c
	33	+++ b/net/sctp/socket.c
	34	@@ -7427,7 +7427,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association asoc, long timeo_p,
	35	*/
	36	release_sock(sk);
	37	current_timeo = schedule_timeout(current_timeo);
	38	- BUG_ON(sk != asoc->base.sk);
	39	+ if (sk != asoc->base.sk)
	40	+ goto do_error;
	41	lock_sock(sk);
	42
	43	*timeo_p = current_timeo;
	44	--
	45	1.9.1
	46