APPLIED[J/F]/Cmnt: [SRU F/OEM-5.14/J/OEM-5.17 PATCH 0/3] CVE-2021-33061

Stefan Bader stefan.bader at canonical.com
Mon Aug 1 13:15:26 UTC 2022


On 27.07.22 05:30, Cengiz Can wrote:
> [Impact]
> Insufficient control flow management for the Intel(R) 82599 Ethernet
> Controllers and Adapters may allow an authenticated user to potentially
> enable denial of service via local access.
> 
> [Fix]
> Patches were first introduced to net-next and were pulled to upstream.
> 
> Break commit has not been clearly identified so it's assumed that
> it existed for a while.
> 
> "ixgbe: add improvement for MDD response functionality" is the actual
> fix to the issue. Last patch in the series checks a flag that was
> renamed in 5.17. After discussions, I decided to put an alias into the
> header and keep the fragments untouched.
> 
> [Test case]
> Compile and boot tested on KVM only. Since I don't have access to the
> target ethernet chip, testing scope was limited.
> 
> [Potential regression]
> The checks that were added by the author are new and target specific
> hardware IDs. Regression potential should be minimal.
> 
> The alias lines added to `mbx.h` (for < 5.17) should be removed if
> commit 0edbecd57057 ever lands in our kernels.
> 
> Slawomir Mrozowicz (3):
>    ixgbe: add the ability for the PF to disable VF link state
>    ixgbe: add improvement for MDD response functionality
>    ixgbevf: add disable link state
> 
>   drivers/net/ethernet/intel/ixgbe/ixgbe.h      |   6 +
>   .../net/ethernet/intel/ixgbe/ixgbe_ethtool.c  |  21 ++
>   drivers/net/ethernet/intel/ixgbe/ixgbe_main.c |  39 +++-
>   drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h  |   2 +
>   .../net/ethernet/intel/ixgbe/ixgbe_sriov.c    | 207 ++++++++++++++----
>   .../net/ethernet/intel/ixgbe/ixgbe_sriov.h    |   4 +-
>   drivers/net/ethernet/intel/ixgbevf/ixgbevf.h  |   2 +
>   .../net/ethernet/intel/ixgbevf/ixgbevf_main.c |  11 +-
>   drivers/net/ethernet/intel/ixgbevf/mbx.h      |  12 +
>   drivers/net/ethernet/intel/ixgbevf/vf.c       |  42 ++++
>   drivers/net/ethernet/intel/ixgbevf/vf.h       |   1 +
>   11 files changed, 301 insertions(+), 46 deletions(-)
> 

I saw when applying this for Jammy that only patch #2 of the 3 referred to the
CVE. Note for future submissions that all patches sent to fix a CVE need the
annotation. For Jammy and Focal I have done that when applying.

Applied to jammy,focal:linux/master-next. Thanks.

-Stefan