From 8889aba8174e77c4c0027951b76a858e33699492 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Feb 18 2016 13:21:11 +0000
Subject: CVE-2015-8812 cxgb3 use after free (rhbz 1303532 1309548)


---

diff --git a/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch b/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
new file mode 100644
index 0000000..9c517cf
--- /dev/null
+++ b/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
@@ -0,0 +1,41 @@
+From 67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3 Mon Sep 17 00:00:00 2001
+From: Hariprasad S <hariprasad@chelsio.com>
+Date: Fri, 11 Dec 2015 13:59:17 +0530
+Subject: [PATCH] iw_cxgb3: Fix incorrectly returning error on success
+
+The cxgb3_*_send() functions return NET_XMIT_ values, which are
+positive integers values. So don't treat positive return values
+as an error.
+
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+---
+ drivers/infiniband/hw/cxgb3/iwch_cm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb3/iwch_cm.c b/drivers/infiniband/hw/cxgb3/iwch_cm.c
+index cb78b1e9bcd9..f504ba73e5dc 100644
+--- a/drivers/infiniband/hw/cxgb3/iwch_cm.c
++++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c
+@@ -149,7 +149,7 @@ static int iwch_l2t_send(struct t3cdev *tdev, struct sk_buff *skb, struct l2t_en
+ 	error = l2t_send(tdev, skb, l2e);
+ 	if (error < 0)
+ 		kfree_skb(skb);
+-	return error;
++	return error < 0 ? error : 0;
+ }
+ 
+ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb)
+@@ -165,7 +165,7 @@ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb)
+ 	error = cxgb3_ofld_send(tdev, skb);
+ 	if (error < 0)
+ 		kfree_skb(skb);
+-	return error;
++	return error < 0 ? error : 0;
+ }
+ 
+ static void release_tid(struct t3cdev *tdev, u32 hwtid, struct sk_buff *skb)
+-- 
+2.5.0
+
diff --git a/kernel.spec b/kernel.spec
index ce97e19..d2db5aa 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -717,6 +717,9 @@ Patch651: Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch
 #rhbz 1305181 1299901
 Patch652: drm-mgag200-fix-kernel-hang-in-cursor-code.patch
 
+#CVE-2015-8812 rhbz 1303532 1309548
+Patch653: iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1498,6 +1501,9 @@ ApplyPatch Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch
 #rhbz 1305181 1299901
 ApplyPatch drm-mgag200-fix-kernel-hang-in-cursor-code.patch
 
+#CVE-2015-8812 rhbz 1303532 1309548
+ApplyPatch iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2347,6 +2353,9 @@ fi
 #
 # 
 %changelog
+* Thu Feb 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-8812 cxgb3 use after free (rhbz 1303532 1309548)
+
 * Wed Feb 17 2016 Josh Boyer <jwboyer@fedoraproject.org>
 - Backport mgag200 cursor hang fix (rhbz 1305181 1299901)