Candidates for longterm 2.6.32.y



The following changes are present in Debian's kernel based on 2.6.32,
but not yet in 2.6.32.y.  I would like to send these to
stable@kernel.org but I know you prefer to pick which networking changes
go into stable/longterm updates.  Please could you have a look over the
log and let me know if you think any of these are not suitable.

The complete set of changes I'm intending to send to stable for 2.6.32.y
are on this branch:

git://git.debian.org/kernel/linux-2.6.git squeeze-to-stable

Ben.

commit 87682480611e0a2e882e6cf70d2622a107b72e12
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Thu Mar 17 01:40:10 2011 +0000

    econet: 4 byte infoleak to the network
    
    commit 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e upstream.
    
    struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
    x86_64.  These bytes are not initialized in the variable 'ah' before
    sending 'ah' to the network.  This leads to 4 bytes kernel stack
    infoleak.
    
    This bug was introduced before the git epoch.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 790fef2371ff8b51126a0768402171299afdff19
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Tue Mar 15 13:37:13 2011 +0100

    ipv6: netfilter: ip6_tables: fix infoleak to userspace
    
    commit 6a8ab060779779de8aea92ce3337ca348f973f54 upstream.
    
    Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
    copied from userspace.  Fields of these structs that are
    zero-terminated strings are not checked.  When they are used as argument
    to a format string containing "%s" in request_module(), some sensitive
    information is leaked to userspace via argument of spawned modprobe
    process.
    
    The first bug was introduced before the git epoch;  the second was
    introduced in 3bc3fe5e (v2.6.25-rc1);  the third is introduced by
    6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
    CAP_NET_ADMIN.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

commit 4139a777467f9b4b4b4a5371ea3e95d77c3420ac
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Tue Mar 15 13:36:05 2011 +0100

    netfilter: ip_tables: fix infoleak to userspace
    
    commit 78b79876761b86653df89c48a7010b5cbd41a84a upstream.
    
    Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
    copied from userspace.  Fields of these structs that are
    zero-terminated strings are not checked.  When they are used as argument
    to a format string containing "%s" in request_module(), some sensitive
    information is leaked to userspace via argument of spawned modprobe
    process.
    
    The first and the third bugs were introduced before the git epoch; the
    second was introduced in 2722971c (v2.6.17-rc1).  To trigger the bug
    one should have CAP_NET_ADMIN.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

commit b4ea8d8c7665e2aeb34e85b61a6b67e6f30748cd
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Tue Mar 15 13:35:21 2011 +0100

    netfilter: arp_tables: fix infoleak to userspace
    
    commit 42eab94fff18cb1091d3501cd284d6bd6cc9c143 upstream.
    
    Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
    copied from userspace.  Fields of these structs that are
    zero-terminated strings are not checked.  When they are used as argument
    to a format string containing "%s" in request_module(), some sensitive
    information is leaked to userspace via argument of spawned modprobe
    process.
    
    The first bug was introduced before the git epoch;  the second is
    introduced by 6b7d31fc (v2.6.15-rc1);  the third is introduced by
    6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
    CAP_NET_ADMIN.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

commit aba8723a70837c0ee7cde733831d1eacf590694f
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Mon Feb 14 16:49:23 2011 +0100

    bridge: netfilter: fix information leak
    
    commit d846f71195d57b0bbb143382647c2c6638b04c5a upstream.
    
    Struct tmp is copied from userspace.  It is not checked whether the "name"
    field is NULL terminated.  This may lead to buffer overflow and passing
    contents of kernel stack as a module name to try_then_request_module() and,
    consequently, to modprobe commandline.  It would be seen by all userspace
    processes.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

commit 7f2784afb2a84464026e535f490156c979688267
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Mon Feb 14 13:54:31 2011 +0300

    Bluetooth: bnep: fix buffer overflow
    
    commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream.
    
    Struct ca is copied from userspace.  It is not checked whether the "device"
    field is NULL terminated.  This potentially leads to BUG() inside of
    alloc_netdev_mqs() and/or information leak by creating a device with a name
    made of contents of kernel stack.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>

commit e0638fa4136796406d12daf6750d809ca78a640c
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Mon Feb 14 13:54:26 2011 +0300

    Bluetooth: sco: fix information leak to userspace
    
    commit c4c896e1471aec3b004a693c689f60be3b17ac86 upstream.
    
    struct sco_conninfo has one padding byte in the end.  Local variable
    cinfo of type sco_conninfo is copied to userspace with this uninitialized
    one byte, leading to old stack contents leak.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>

commit f68c5728a3332cde2e891cc9ad0bf6539cdda6ba
Author: Ron Murray <rjmx@rjmx.net>
Date:   Tue Jan 19 08:02:48 2010 +0000

    Please add support for Microsoft MN-120 PCMCIA network card
    
    commit 60abe78279568a7109db2bcbc71131766a91c2e5 upstream.
    
    Please add support for Microsoft MN-120 PCMCIA network card. It's an
    old card, I know, but adding support is very easy. You just need to
    get tulip_core.c to recognise its vendor/device ID.
    
    Patch for kernel 2.6.32.4 (and many previous) attached.
    
     .....Ron Murray
    
    Signed-off-by: Ron Murray <rjmx@rjmx.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit ed1cd615b6fee5bbfb82b947f7abf23eebcce83e
Author: Romain Francoise <romain@orebokech.com>
Date:   Mon Jan 17 07:59:18 2011 +0000

    ipv6: Silence privacy extensions initialization
    
    commit 2fdc1c8093255f9da877d7b9ce3f46c2098377dc upstream.
    
    When a network namespace is created (via CLONE_NEWNET), the loopback
    interface is automatically added to the new namespace, triggering a
    printk in ipv6_add_dev() if CONFIG_IPV6_PRIVACY is set.
    
    This is problematic for applications which use CLONE_NEWNET as
    part of a sandbox, like Chromium's suid sandbox or recent versions of
    vsftpd. On a busy machine, it can lead to thousands of useless
    "lo: Disabled Privacy Extensions" messages appearing in dmesg.
    
    It's easy enough to check the status of privacy extensions via the
    use_tempaddr sysctl, so just removing the printk seems like the most
    sensible solution.
    
    Signed-off-by: Romain Francoise <romain@orebokech.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 3ab6af06c2b9dabc501d2c44c76b3e738053e124
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Thu Nov 25 04:11:39 2010 +0000

    af_unix: limit recursion level
    
    commit 25888e30319f8896fc656fc68643e6a078263060 upstream.
    
    It's easy to eat all kernel memory and trigger NMI watchdog, using an
    exploit program that queues unix sockets on top of others.
    
    lkml ref : http://lkml.org/lkml/2010/11/25/8
    
    This mechanism is used in applications, one choice we have is to have a
    recursion limit.
    
    Other limits might be needed as well (if we queue other types of files),
    since the passfd mechanism is currently limited by socket receive queue
    sizes only.
    
    Add a recursion_level to unix socket, allowing up to 4 levels.
    
    Each time we send a unix socket through sendfd mechanism, we copy its
    recursion level (plus one) to receiver. This recursion level is cleared
    when socket receive queue is emptied.
    
    Reported-by: Марк Коренберг <socketpair@gmail.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [bwh: Adjust for 2.6.32]

commit 7d5e53d003fed5eec50790809b77f5f0ee561076
Author: Bruce Rogers <brogers@novell.com>
Date:   Thu Feb 10 11:03:31 2011 -0800

    virtio_net: Add schedule check to napi_enable call
    
    commit 3e9d08ec0a68f6faf718d5a7e050fe5ca0ba004f upstream.
    
    Under harsh testing conditions, including low memory, the guest would
    stop receiving packets. With this patch applied we no longer see any
    problems in the driver while performing these tests for extended periods
    of time.
    
    Make sure napi is scheduled subsequent to each napi_enable.
    
    Signed-off-by: Bruce Rogers <brogers@novell.com>
    Signed-off-by: Olaf Kirch <okir@suse.de>
    Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    [bwh: Adjust for 2.6.32]

commit 6ce022941dc9fed8679872b444004c8ea16b3589
Author: Rusty Russell <rusty@rustcorp.com.au>
Date:   Fri Jul 2 16:34:01 2010 +0000

    virtio_net: fix oom handling on tx
    
    commit 58eba97d0774c69b1cf3e5a8ac74419409d1abbf upstream.
    
    virtio net will never try to overflow the TX ring, so the only reason
    add_buf may fail is out of memory. Thus, we can not stop the
    device until some request completes - there's no guarantee anything
    at all is outstanding.
    
    Make the error message clearer as well: error here does not
    indicate queue full.
    
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> (...and avoid TX_BUSY)
    Cc: stable@kernel.org  # .34.x (s/virtqueue_/vi->svq->vq_ops->/)
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit f8be95c67247e4380121925a1c5740afce95310b
Author: Ondrej Zary <linux@rainbow-software.org>
Date:   Wed Jun 23 12:57:15 2010 +0200

    rt2500usb: fallback to SW encryption for TKIP+AES
    
    commit 75f64dd54a185150ebfc45e99351c890d4a2252f upstream.
    
    HW crypto in rt2500usb does not seem to support keys with different ciphers,
    which breaks TKIP+AES mode. Fall back to software encryption to fix it.
    
    This should fix long-standing problems with rt2500usb and WPA, such as:
    http://rt2x00.serialmonkey.com/phpBB/viewtopic.php?f=4&t=4834
    https://bugzilla.redhat.com/show_bug.cgi?id=484888
    
    Also tested that it does not break WEP, TKIP-only and AES-only modes.
    
    Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
    Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    [bwh: Adjust context for 2.6.32]

commit b3b1665efd26412aa425b0085943038d75dff568
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Thu Jan 20 09:02:31 2011 +0000

    bonding: Ensure that we unshare skbs prior to calling pskb_may_pull
    
    commit b30532515f0a62bfe17207ab00883dd262497006 upstream.
    
    Recently reported oops:
    
    kernel BUG at net/core/skbuff.c:813!
    invalid opcode: 0000 [#1] SMP
    last sysfs file: /sys/devices/virtual/net/bond0/broadcast
    CPU 8
    Modules linked in: sit tunnel4 cpufreq_ondemand acpi_cpufreq freq_table bonding
    ipv6 dm_mirror dm_region_hash dm_log cdc_ether usbnet mii serio_raw i2c_i801
    i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma i7core_edac edac_core bnx2
    ixgbe dca mdio sg ext4 mbcache jbd2 sd_mod crc_t10dif mptsas mptscsih mptbase
    scsi_transport_sas dm_mod [last unloaded: microcode]
    
    Modules linked in: sit tunnel4 cpufreq_ondemand acpi_cpufreq freq_table bonding
    ipv6 dm_mirror dm_region_hash dm_log cdc_ether usbnet mii serio_raw i2c_i801
    i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma i7core_edac edac_core bnx2
    ixgbe dca mdio sg ext4 mbcache jbd2 sd_mod crc_t10dif mptsas mptscsih mptbase
    scsi_transport_sas dm_mod [last unloaded: microcode]
    Pid: 0, comm: swapper Not tainted 2.6.32-71.el6.x86_64 #1 BladeCenter HS22
    -[7870AC1]-
    RIP: 0010:[<ffffffff81405b16>]  [<ffffffff81405b16>]
    pskb_expand_head+0x36/0x1e0
    RSP: 0018:ffff880028303b70  EFLAGS: 00010202
    RAX: 0000000000000002 RBX: ffff880c6458ec80 RCX: 0000000000000020
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880c6458ec80
    RBP: ffff880028303bc0 R08: ffffffff818a6180 R09: ffff880c6458ed64
    R10: ffff880c622b36c0 R11: 0000000000000400 R12: 0000000000000000
    R13: 0000000000000180 R14: ffff880c622b3000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff880028300000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
    CR2: 00000038653452a4 CR3: 0000000001001000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process swapper (pid: 0, threadinfo ffff8806649c2000, task ffff880c64f16ab0)
    Stack:
     ffff880028303bc0 ffffffff8104fff9 000000000000001c 0000000100000000
    <0> ffff880000047d80 ffff880c6458ec80 000000000000001c ffff880c6223da00
    <0> ffff880c622b3000 0000000000000000 ffff880028303c10 ffffffff81407f7a
    Call Trace:
    <IRQ>
     [<ffffffff8104fff9>] ? __wake_up_common+0x59/0x90
     [<ffffffff81407f7a>] __pskb_pull_tail+0x2aa/0x360
     [<ffffffffa0244530>] bond_arp_rcv+0x2c0/0x2e0 [bonding]
     [<ffffffff814a0857>] ? packet_rcv+0x377/0x440
     [<ffffffff8140f21b>] netif_receive_skb+0x2db/0x670
     [<ffffffff8140f788>] napi_skb_finish+0x58/0x70
     [<ffffffff8140fc89>] napi_gro_receive+0x39/0x50
     [<ffffffffa01286eb>] ixgbe_clean_rx_irq+0x35b/0x900 [ixgbe]
     [<ffffffffa01290f6>] ixgbe_clean_rxtx_many+0x136/0x240 [ixgbe]
     [<ffffffff8140fe53>] net_rx_action+0x103/0x210
     [<ffffffff81073bd7>] __do_softirq+0xb7/0x1e0
     [<ffffffff810d8740>] ? handle_IRQ_event+0x60/0x170
     [<ffffffff810142cc>] call_softirq+0x1c/0x30
     [<ffffffff81015f35>] do_softirq+0x65/0xa0
     [<ffffffff810739d5>] irq_exit+0x85/0x90
     [<ffffffff814cf915>] do_IRQ+0x75/0xf0
     [<ffffffff81013ad3>] ret_from_intr+0x0/0x11
     <EOI>
     [<ffffffff8101bc01>] ? mwait_idle+0x71/0xd0
     [<ffffffff814cd80a>] ? atomic_notifier_call_chain+0x1a/0x20
     [<ffffffff81011e96>] cpu_idle+0xb6/0x110
     [<ffffffff814c17c8>] start_secondary+0x1fc/0x23f
    
    Resulted from bonding driver registering packet handlers via dev_add_pack and
    then trying to call pskb_may_pull. If another packet handler (like for AF_PACKET
    sockets) gets called first, the delivered skb will have a user count > 1, which
    causes pskb_may_pull to BUG halt when it does its skb_shared check.  Fix this by
    calling skb_share_check prior to the may_pull call sites in the bonding driver
    to clone the skb when needed.  Tested by myself and the reporter successfully.
    
    Signed-off-by: Neil Horman
    CC: Andy Gospodarek <andy@greyhouse.net>
    CC: Jay Vosburgh <fubar@us.ibm.com>
    CC: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
    Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 17a82eb15502fa9df66b6c8ac62630015ffb849e
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Oct 28 15:40:55 2010 +0000

    net: fix rds_iovec page count overflow
    
    commit 1b1f693d7ad6d193862dcb1118540a030c5e761f upstream.
    
    As reported by Thomas Pollet, the rdma page counting can overflow.  We
    get the rdma sizes in 64-bit unsigned entities, but then limit it to
    UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
    an unaligned address).
    
    So each individual page count fits comfortably in an 'unsigned int' (not
    even close to overflowing into signed), but as they are added up, they
    might end up resulting in a signed return value. Which would be wrong.
    
    Catch the case of tot_pages turning negative, and return the appropriate
    error code.
    
    Reported-by: Thomas Pollet <thomas.pollet@gmail.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Andy Grover <andy.grover@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [Backported to 2.6.32 by Moritz Muehlenhoff <jmm@inutil.org>]

commit 1a8915d42428390198cb1c19913c3915f5702aea
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Wed Nov 24 09:15:27 2010 -0800

    af_unix: limit unix_tot_inflight
    
    commit 9915672d41273f5b77f1b3c29b391ffb7732b84b upstream.
    
    Vegard Nossum found a unix socket OOM was possible, posting an exploit
    program.
    
    My analysis is we can eat all LOWMEM memory before unix_gc() is
    called from unix_release_sock(). Moreover, the thread blocked in
    unix_gc() can consume a huge amount of time to perform cleanup because of
    a huge working set.
    
    One way to handle this is to have a sensible limit on unix_tot_inflight,
    tested from wait_for_unix_gc() and to force a call to unix_gc() if this
    limit is hit.
    
    This solves the OOM and also reduces overall latencies, and should not
    slow down normal workloads.
    
    Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 49e85317ced395c31111ab51566b164c1fd5ce57
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Dec 8 18:42:23 2010 -0800

    econet: Fix crash in aun_incoming().
    
    commit 4e085e76cbe558b79b54cbab772f61185879bc64 upstream.
    
    Unconditional use of skb->dev won't work here,
    try to fetch the econet device via skb_dst()->dev
    instead.
    
    Suggested by Eric Dumazet.
    
    Reported-by: Nelson Elhage <nelhage@ksplice.com>
    Tested-by: Nelson Elhage <nelhage@ksplice.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [jmm: Slightly adapted for 2.6.32]

commit 2c5aa7f88fefee925c4badee136595494fc67567
Author: Nelson Elhage <nelhage@ksplice.com>
Date:   Wed Nov 3 16:35:41 2010 +0000

    inet_diag: Make sure we actually run the same bytecode we audited.
    
    commit 22e76c849d505d87c5ecf3d3e6742a65f0ff4860 upstream.
    
    We were using nlmsg_find_attr() to look up the bytecode by attribute when
    auditing, but then just using the first attribute when actually running
    bytecode. So, if we received a message with two attribute elements, where only
    the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
    bytecode strings.
    
    Fix this by consistently using nlmsg_find_attr everywhere.
    
    Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
    Signed-off-by: Thomas Graf <tgraf@infradead.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [jmm: Slightly adapted to apply against 2.6.32]
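The inet_diag fix above turns on one rule: the attribute you validate must be the very object you later execute, so both lookups have to use the same search. The C program below is an added illustration, not code from the page or from the kernel; struct attr, the DEMO_ATTR_* types and the two-attribute message are constructed stand-ins shaped like struct nlattr and INET_DIAG_REQ_BYTECODE, and find_attr() plays the role of nlmsg_find_attr().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Netlink-style attribute header, constructed for this demo with the shape of
 * struct nlattr: total length including the header, then the type; attributes
 * are laid out back to back on 4-byte boundaries. */
struct attr {
    uint16_t len;
    uint16_t type;
};
#define ATTR_HDRLEN   ((size_t)sizeof(struct attr))
#define ATTR_ALIGN(n) (((size_t)(n) + 3u) & ~(size_t)3u)

#define DEMO_ATTR_OTHER    1u  /* an unrelated attribute */
#define DEMO_ATTR_BYTECODE 2u  /* stands in for INET_DIAG_REQ_BYTECODE */

/* Buggy lookup the commit describes: "the bytecode" is simply the first
 * attribute in the payload, whatever its type. */
const struct attr *first_attr(const unsigned char *buf, size_t buflen)
{
    if (buflen < ATTR_HDRLEN)
        return NULL;
    return (const struct attr *)buf;
}

/* Correct lookup (the job nlmsg_find_attr does): walk the chain and return the
 * first attribute of the requested type, checking every header and length
 * against the buffer before trusting it. */
const struct attr *find_attr(const unsigned char *buf, size_t buflen, uint16_t type)
{
    size_t off = 0;

    while (off + ATTR_HDRLEN <= buflen) {
        struct attr a;

        memcpy(&a, buf + off, sizeof(a));
        if (a.len < ATTR_HDRLEN || off + a.len > buflen)
            return NULL;              /* malformed: refuse the whole message */
        if (a.type == type)
            return (const struct attr *)(buf + off);
        off += ATTR_ALIGN(a.len);
    }
    return NULL;
}

/* Append one attribute at 'off'; returns the next aligned write offset. */
static size_t put_attr(unsigned char *buf, size_t off, uint16_t type,
                       const unsigned char *data, size_t datalen)
{
    struct attr a = { (uint16_t)(ATTR_HDRLEN + datalen), type };

    memcpy(buf + off, &a, sizeof(a));
    memcpy(buf + off + ATTR_HDRLEN, data, datalen);
    return off + ATTR_ALIGN(a.len);
}

/* Constructed message matching the commit's scenario: two attributes, of
 * which only the SECOND carries the bytecode type.  Returns the payload size
 * (8 + 8 = 16 bytes here).  'buf' must hold at least 16 bytes, 4-byte aligned. */
size_t build_demo_message(unsigned char *buf)
{
    static const unsigned char other[4]    = { 0xde, 0xad, 0xbe, 0xef };
    static const unsigned char bytecode[2] = { 0x01, 0x02 };
    size_t off = 0;

    off = put_attr(buf, off, DEMO_ATTR_OTHER, other, sizeof(other));
    off = put_attr(buf, off, DEMO_ATTR_BYTECODE, bytecode, sizeof(bytecode));
    return off;
}

/* The property the fix enforces: the attribute that gets audited must be the
 * same object that gets executed.  'use_find_for_run' selects the fixed
 * behaviour (both via find_attr) or the buggy one (audit via find_attr, run
 * whatever first_attr returns). */
int audited_equals_executed(const unsigned char *buf, size_t buflen, int use_find_for_run)
{
    const struct attr *audited = find_attr(buf, buflen, DEMO_ATTR_BYTECODE);
    const struct attr *executed = use_find_for_run
        ? find_attr(buf, buflen, DEMO_ATTR_BYTECODE)
        : first_attr(buf, buflen);

    return audited != NULL && audited == executed;
}

int main(void)
{
    uint32_t raw[16];                       /* 4-byte aligned backing store */
    unsigned char *msg = (unsigned char *)raw;
    size_t len = build_demo_message(msg);

    printf("message: %zu bytes; first attr type=%u, bytecode attr type=%u\n",
           len, first_attr(msg, len)->type,
           find_attr(msg, len, DEMO_ATTR_BYTECODE)->type);
    printf("buggy (run first attr): audited == executed? %d\n",
           audited_equals_executed(msg, len, 0));
    printf("fixed (run find_attr):  audited == executed? %d\n",
           audited_equals_executed(msg, len, 1));
    return 0;
}
```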

commit 272fde5c715c81f328838d6642cfbc936a699b5f
Author: Kulikov Vasiliy <segooon@gmail.com>
Date:   Sun Oct 31 07:10:32 2010 +0000

    net: tipc: fix information leak to userland
    
    commit 88f8a5e3e7defccd3925cabb1ee4d3994e5cdb52 upstream.
    
    Structure sockaddr_tipc is copied to userland with padding bytes after
    "id" field in union field "name" uninitialized.  It leads to leaking of
    contents of kernel stack memory.  We have to initialize them to zero.
    
    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
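The econet aunhdr, Bluetooth sco_conninfo and tipc sockaddr_tipc commits above share one root cause: an object built field by field still contains compiler padding that no field assignment touches, so copying it out as raw bytes carries whatever the stack held before. The C program below is an added illustration, not code from the page or the kernel; struct demo_hdr is a constructed stand-in with the shape the econet message describes (four one-byte fields, then a 64-bit field), and the 0xAA marker stands in for stale stack contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the headers the commits describe (not the kernel's
 * struct aunhdr): four one-byte fields followed by a naturally aligned 64-bit
 * field.  On x86_64 the compiler inserts 4 bytes of padding before 'handle'. */
struct demo_hdr {
    uint8_t  code;
    uint8_t  port;
    uint8_t  cb;
    uint8_t  pad;
    uint64_t handle;
};

/* Bytes of struct demo_hdr not covered by any named field: pure compiler
 * padding, which no field assignment ever initializes. */
size_t demo_hdr_padding_bytes(void)
{
    return sizeof(struct demo_hdr) - (4 * sizeof(uint8_t) + sizeof(uint64_t));
}

/* Buggy pattern from the commits: every field is assigned, padding is not. */
void fill_hdr_fieldwise(struct demo_hdr *h, uint64_t handle)
{
    h->code = 1;
    h->port = 2;
    h->cb = 3;
    h->pad = 0;
    h->handle = handle;
}

/* Fixed pattern: clear the whole object first.  memset covers the padding
 * bytes; a designated initializer is not guaranteed to. */
void fill_hdr_zeroed(struct demo_hdr *h, uint64_t handle)
{
    memset(h, 0, sizeof(*h));
    fill_hdr_fieldwise(h, handle);
}

/* Number of non-zero bytes that lie outside every named field, looking at the
 * object as the raw byte sequence a copy to the network or userspace would send. */
size_t count_nonzero_padding(const struct demo_hdr *h)
{
    const unsigned char *p = (const unsigned char *)h;
    size_t small_end = offsetof(struct demo_hdr, pad) + sizeof(uint8_t);
    size_t handle_off = offsetof(struct demo_hdr, handle);
    size_t n = 0;

    for (size_t i = 0; i < sizeof(*h); i++) {
        int in_field = i < small_end || i >= handle_off;
        if (!in_field && p[i] != 0)
            n++;
    }
    return n;
}

/* Pre-fill the storage with a marker byte standing in for stale stack
 * contents, build the header with the given filler, and report how many
 * padding bytes still carry the marker, i.e. how many bytes would leak. */
size_t leaked_padding_bytes(void (*fill)(struct demo_hdr *, uint64_t))
{
    struct demo_hdr h;

    memset(&h, 0xAA, sizeof(h));
    fill(&h, 0x1122334455667788ULL);
    return count_nonzero_padding(&h);
}

int main(void)
{
    printf("sizeof(struct demo_hdr) = %zu, padding = %zu byte(s)\n",
           sizeof(struct demo_hdr), demo_hdr_padding_bytes());
    printf("field-wise fill leaks %zu byte(s) of stale stack\n",
           leaked_padding_bytes(fill_hdr_fieldwise));
    printf("memset-first fill leaks %zu byte(s)\n",
           leaked_padding_bytes(fill_hdr_zeroed));
    return 0;
}
```

The same offsetof/sizeof comparison is a cheap review check for any struct that is handed to copy_to_user() or put on the wire: if sizeof exceeds the sum of the field sizes, the object needs a memset before the fields are filled.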

commit ef0d4abcd3f9b184441f2c29ef9e57d7f8cea44a
Author: Vasiliy Kulikov <segooon@gmail.com>
Date:   Wed Nov 10 12:09:10 2010 -0800

    net: packet: fix information leak to userland
    
    commit 67286640f638f5ad41a946b9a3dc75327950248f upstream.
    
    packet_getname_spkt() doesn't initialize all members of sa_data field of
    sockaddr struct if strlen(dev->name) < 13.  This structure is then copied
    to userland.  It leads to leaking of contents of kernel stack memory.
    We have to fully fill sa_data with strncpy() instead of strlcpy().
    
    The same with packet_getname(): it doesn't initialize sll_pkttype field of
    sockaddr_ll.  Set it to zero.
    
    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [jmm: Backported to 2.6.32]

commit 88e9182e53b51e9242f9ad1d4f47040dae8a2f27
Author: Vasiliy Kulikov <segooon@gmail.com>
Date:   Wed Nov 10 10:14:33 2010 -0800

    net: ax25: fix information leak to userland
    
    commit fe10ae53384e48c51996941b7720ee16995cbcb7 upstream.
    
    Sometimes ax25_getname() doesn't initialize all members of the fsa_digipeater
    field of the fsa struct; also the struct has padding bytes between
    sax25_call and sax25_ndigis fields.  This structure is then copied to
    userland.  It leads to leaking of contents of kernel stack memory.
    
    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 7e473d44d30fffaaf2240dc3cf6ed0b1556ab0d1
Author: Dan Rosenberg <drosenberg@vsecurity.com>
Date:   Wed Dec 22 13:58:27 2010 +0000

    irda: prevent integer underflow in IRLMP_ENUMDEVICES
    
    commit fdac1e0697356ac212259f2147aa60c72e334861 upstream.
    
    If the user-provided len is less than the expected offset, the
    IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
    size value.  While this isn't a security issue on x86 because it will
    get caught by the access_ok() check, it may leak large amounts of kernel
    heap on other architectures.  In any event, this patch fixes it.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [dannf: Backport to 2.6.32]

commit 1296fdd1c627efdb20a9e8e7948db8f6f11fc904
Author: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Date:   Tue Nov 23 17:10:24 2010 +0100

    wireless: b43: fix error path in SDIO
    
    commit e476a5a41ad67d0e2b4a652820c49a3923eb936b upstream.
    
    Fix unbalanced call to sdio_release_host() on the error path.
    
    Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
    Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>

commit 75132022f0579f8187280cce09c655d5777cea59
Author: Larry Finger <Larry.Finger@lwfinger.net>
Date:   Thu Oct 28 10:43:26 2010 -0500

    b43: Fix warning at drivers/mmc/core/core.c:237 in mmc_wait_for_cmd
    
    commit 9f2a0fac625bcef9c579bcf0b0c904ab1a56e7c4 upstream.
    
    On module removal, the sdio version of b43 generates the following warning:
    
    [  851.560519] ------------[ cut here ]------------
    [  851.560531] WARNING: at drivers/mmc/core/core.c:237 mmc_wait_for_cmd+0x88/0x90()
    [  851.560534] Hardware name: 20552PG
    [  851.560536] Modules linked in: b43(-) ssb mmc_block binfmt_misc rfcomm sco bnep ppdev l2cap ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp kvm_intel kvm arc4 iwlagn snd_hda_codec_conexant snd_hda_intel snd_hda_codec iwlcore snd_hwdep snd_pcm thinkpad_acpi mac80211 snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq r852 joydev snd_timer sm_common pcmcia nand snd_seq_device cfg80211 sdhci_pci btusb psmouse tpm_tis yenta_socket nand_ids lp snd pcmcia_rsrc nand_ecc bluetooth sdhci tpm pcmcia_core parport mtd snd_page_alloc serio_raw tpm_bios soundcore nvram led_class sha256_generic aes_i586 aes_generic dm_crypt i915 drm_kms_helper drm ahci intel_agp i2c_algo_bit intel_gtt e1000e libahci video agpgart output
    [  851.560620] Pid: 2504, comm: rmmod Not tainted 2.6.36-titan0+ #1
    [  851.560622] Call Trace:
    [  851.560631]  [<c014a102>] warn_slowpath_common+0x72/0xa0
    [  851.560636]  [<c04d94c8>] ? mmc_wait_for_cmd+0x88/0x90
    [  851.560641]  [<c04d94c8>] ? mmc_wait_for_cmd+0x88/0x90
    [  851.560645]  [<c014a152>] warn_slowpath_null+0x22/0x30
    [  851.560649]  [<c04d94c8>] mmc_wait_for_cmd+0x88/0x90
    [  851.560655]  [<c0401585>] ? device_release+0x25/0x80
    [  851.560660]  [<c04df210>] mmc_io_rw_direct_host+0xa0/0x150
    [  851.560665]  [<c04df370>] mmc_io_rw_direct+0x30/0x40
    [  851.560669]  [<c04e06e7>] sdio_disable_func+0x37/0xa0
    [  851.560683]  [<f8dfcb80>] b43_sdio_remove+0x30/0x50 [b43]
    [  851.560687]  [<c04df8cc>] sdio_bus_remove+0x1c/0x60
    [  851.560692]  [<c016d39f>] ? blocking_notifier_call_chain+0x1f/0x30
    [  851.560697]  [<c0404991>] __device_release_driver+0x51/0xb0
    [  851.560701]  [<c0404a7f>] driver_detach+0x8f/0xa0
    [  851.560705]  [<c0403c83>] bus_remove_driver+0x63/0xa0
    [  851.560709]  [<c0405039>] driver_unregister+0x49/0x80
    [  851.560713]  [<c0405039>] ? driver_unregister+0x49/0x80
    [  851.560718]  [<c04dfad7>] sdio_unregister_driver+0x17/0x20
    [  851.560727]  [<f8dfcb42>] b43_sdio_exit+0x12/0x20 [b43]
    [  851.560734]  [<f8dfe76f>] b43_exit+0x17/0x3c [b43]
    [  851.560740]  [<c017fb8d>] sys_delete_module+0x13d/0x200
    [  851.560747]  [<c01fd7d2>] ? do_munmap+0x212/0x300
    [  851.560752]  [<c010311f>] sysenter_do_call+0x12/0x28
    [  851.560757] ---[ end trace 31e14488072d2f7d ]---
    [  851.560759] ------------[ cut here ]------------
    
    The warning is caused by b43 not claiming the device before calling
    sdio_disable_func().
    
    Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
    Reported-by: Arnd Hannemann <arnd@arndnet.de>
    Tested-by: Arnd Hannemann <arnd@arndnet.de>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>

commit 3856a248f8d99e13f046d9b182a3ac898ec7d08d
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Fri Dec 17 10:16:23 2010 -0800

    tehuti: Firmware filename is tehuti/bdx.bin
    
    commit 46814e08d80f87449b5adb3d549a3cae6f9f8148 upstream.
    
    My conversion of tehuti to use request_firmware() was confused about
    the filename of the firmware blob.  Change the driver to match the
    blob.
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 810ba56ef912ffebe1f160ddf58c24a6f692ab51
Author: James Chapman <jchapman@katalix.com>
Date:   Tue Mar 16 06:29:20 2010 +0000

    l2tp: Fix UDP socket reference count bugs in the pppol2tp driver
    
    commit c3259c8a7060d480e8eb2166da0a99d6879146b4 upstream.
    
    This patch fixes UDP socket refcnt bugs in the pppol2tp driver.
    
    A bug can cause a kernel stack trace when a tunnel socket is closed.
    
    A way to reproduce the issue is to prepare the UDP socket for L2TP (by
    opening a tunnel pppol2tp socket) and then close it before any L2TP
    sessions are added to it. The sequence is
    
    Create UDP socket
    Create tunnel pppol2tp socket to prepare UDP socket for L2TP
      pppol2tp_connect: session_id=0, peer_session_id=0
    L2TP SCCRP control frame received (tunnel_id==0)
      pppol2tp_recv_core: sock_hold()
      pppol2tp_recv_core: sock_put
    L2TP ZLB control frame received (tunnel_id=nnn)
      pppol2tp_recv_core: sock_hold()
      pppol2tp_recv_core: sock_put
    Close tunnel management socket
      pppol2tp_release: session_id=0, peer_session_id=0
    Close UDP socket
      udp_lib_close: BUG
    
    The addition of sock_hold() in pppol2tp_connect() solves the problem.
    
    For data frames, two sock_put() calls were added to plug a refcnt leak
    per received data frame. The ref that is grabbed at the top of
    pppol2tp_recv_core() must always be released, but this wasn't done for
    accepted data frames or data frames discarded because of bad UDP
    checksums. This leak meant that any UDP socket that had passed L2TP
    data traffic (i.e. L2TP data frames, not just L2TP control frames)
    using pppol2tp would not be released by the kernel.
    
    WARNING: at include/net/sock.h:435 udp_lib_unhash+0x117/0x120()
    Pid: 1086, comm: openl2tpd Not tainted 2.6.33-rc1 #8
    Call Trace:
     [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
     [<c101b871>] ? warn_slowpath_common+0x71/0xd0
     [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
     [<c101b8e3>] ? warn_slowpath_null+0x13/0x20
     [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
     [<c11598a7>] ? sk_common_release+0x17/0x90
     [<c11a5e33>] ? inet_release+0x33/0x60
     [<c11577b0>] ? sock_release+0x10/0x60
     [<c115780f>] ? sock_close+0xf/0x30
     [<c106e542>] ? __fput+0x52/0x150
     [<c106b68e>] ? filp_close+0x3e/0x70
     [<c101d2e2>] ? put_files_struct+0x62/0xb0
     [<c101eaf7>] ? do_exit+0x5e7/0x650
     [<c1081623>] ? mntput_no_expire+0x13/0x70
     [<c106b68e>] ? filp_close+0x3e/0x70
     [<c101eb8a>] ? do_group_exit+0x2a/0x70
     [<c101ebe1>] ? sys_exit_group+0x11/0x20
     [<c10029b0>] ? sysenter_do_call+0x12/0x26
    
    Signed-off-by: James Chapman <jchapman@katalix.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 7e60fc2e38fbafba07ff670ef3d16e613e154e18
Author: Phil Blundell <philb@gnu.org>
Date:   Wed Nov 24 11:51:47 2010 -0800

    econet: fix CVE-2010-3848
    
    commit a27e13d370415add3487949c60810e36069a23a6 upstream.
    
    Don't declare variable sized array of iovecs on the stack since this
    could cause stack overflow if msg->msgiovlen is large.  Instead, coalesce
    the user-supplied data into a new buffer and use a single iovec for it.
    
    Signed-off-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [Adjusted to apply to 2.6.32 by dann frazier <dannf@debian.org>]

commit 8395756afa87ea6e2c6248e024464bed376643ca
Author: Hagen Paul Pfeifer <hagen@jauu.net>
Date:   Wed Oct 7 14:43:04 2009 -0700

    econet: Fix redeclaration of symbol len
    
    commit 9e8342971d44ce86d8567047f5366fc1c06a75ed upstream.
    
    Function argument len was redeclared within the
    function. This patch fixes the redeclaration of symbol 'len'.
    
    Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [Adjusted to apply to 2.6.32 by dann frazier <dannf@debian.org>]

commit babc16c81219c8f5b07e39461208fbf4c4669d14
Author: Andy Chittenden <andyc.bluearc@gmail.com>
Date:   Tue Aug 10 10:19:53 2010 -0400

    SUNRPC: fix NFS client over TCP hangs due to packet loss (Bug 16494)
    
    commit 669502ff31d7dba1849aec7ee2450a3c61f57d39 upstream.
    
    When reusing a TCP connection, ensure that it's aborted if a previous
    shutdown attempt has been made on that connection so that the RPC over
    TCP recovery mechanism succeeds.
    
    Signed-off-by: Andy Chittenden <andyc.bluearc@gmail.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

commit ebbec2da3cc8af0815da0ff38ab2f3cbb356c6bb
Author: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Date:   Mon Oct 25 10:43:32 2010 +0300

    Phonet: device notifier only runs on initial namespace
    
    [bwh: This is only applicable to 2.6.32. Phonet was fixed upstream to
    work with multiple net namespaces.]
    
    This should really fix the OOPS when doing:
    
      unshare(CLONE_NEWNET);
      exit(0);
    
    while the phonet module is loaded.
    
    Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>

commit 4663726b0fc4c80f02cb4a62ad6f7722e3acead2
Author: Bruce Allan <bruce.w.allan@intel.com>
Date:   Wed May 5 22:00:27 2010 +0000

    e1000e: Reset 82577/82578 PHY before first PHY register read
    
    commit 627c8a041f7aaaea93c766f69bd61d952a277586 upstream.
    
    Reset the PHY before first accessing it.  Doing so ensures that the PHY is
    in a known good state before we read/write PHY registers. This fixes a
    driver probe failure.
    
    Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [Backported to 2.6.32 by dann frazier <dannf@debian.org>]

commit 423be158ade9500346697b33467115b92da6cd71
Author: Ben Hutchings <bhutchings@solarflare.com>
Date:   Tue Sep 7 04:35:19 2010 +0000

    niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL
    
    commit ee9c5cfad29c8a13199962614b9b16f1c4137ac9 upstream.
    
    niu_get_ethtool_tcam_all() assumes that its output buffer is the right
    size, and warns before returning if it is not.  However, the output
    buffer size is under user control and ETHTOOL_GRXCLSRLALL is an
    unprivileged ethtool command.  Therefore this is at least a local
    denial-of-service vulnerability.
    
    Change it to check before writing each entry and to return an error if
    the buffer is already full.
    
    Compile-tested only.
    
    Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [Adjusted to apply to 2.6.32 by dann frazier <dannf@debian.org>]

commit eadf18bc57ff2367fd4274c1440bd7b384ffbfd2
Author: Gertjan van Wingerde <gwingerde@gmail.com>
Date:   Wed Dec 30 11:36:30 2009 +0100

    rt2x00: Properly request tx headroom for alignment operations.
    
    commit 7a4a77b7771164d61ce702a588067d1e1d66db7c upstream.
    
    Current rt2x00 drivers may result in a "ieee80211_tx_status: headroom too
    small" error message when a frame needs to be properly aligned before
    transmitting it.
    This is because the space needed to ensure proper alignment isn't
    requested from mac80211.
    Fix this by adding a sufficient amount of alignment space to the amount
    of headroom requested for TX frames.
    
    Reported-by: David Ellingsworth <david@identd.dyndns.org>
    Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
    Acked-by: Ivo van Doorn <ivdoorn@gmail.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

commit 9d61b9f4bf70b282bc19f7f1acff492601b93cf3
Author: Pavel Roskin <proski@gnu.org>
Date:   Wed Dec 30 11:36:29 2009 +0100

    rt2x00: use correct headroom for transmission
    
    commit b59a52f12e483b79e7d32da7ec30dcf3b2e0210b upstream.
    
    Use rt2x00dev->ops->extra_tx_headroom, not rt2x00dev->hw->extra_tx_headroom
    in the tx code, as the latter may include other headroom not to be used in
    the chipset driver.
    
    Signed-off-by: Pavel Roskin <proski@gnu.org>
    Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
    Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

commit a2480ca26f6a26dea8c4903bce4d14abbc23a7bc
Author: Gertjan van Wingerde <gwingerde@gmail.com>
Date:   Mon Nov 23 22:44:52 2009 +0100

    rt2x00: Centralize setting of extra TX headroom requested by rt2x00.
    
    commit e6218cc47bd54710dc523e8c983ceddba625e3ae upstream.
    
    Set the value of extra_tx_headroom in a central place, rather than in each
    of the drivers. This is preparatory for taking alignment space into account
    in the TX headroom requested by rt2x00.
    
    Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
    Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    [bwh: Adjust for 2.6.32]

commit 06855900b04f252ec6b8568b93a25b25201479cd
Author: Jesse Brandeburg <jesse.brandeburg@intel.com>
Date:   Tue Sep 7 21:01:12 2010 +0000

    e1000: fix Tx hangs by disabling 64-bit DMA
    
    commit e508be174ad36b0cf9b324cd04978c2b13c21502 upstream.
    
    Several users report issues with 32-bit adapters when plugged
    into PCI slots in machines with >= 4GB ram.  In particular AMD
    systems with HyperTransport to PCI bridges seem to trigger the
    issue, but it isn't limited to only them.
    
    This issue is not easily reproducible here, yet still continues
    to occur in the field.  For e1000 on PCI devices, just disable DMA
    addresses over the 4GB boundary when in PCI (not PCI-X) mode, to
    prevent the issue from continuing to pop up.  The performance
    impact for this is negligible.
    
    The code was refactored to move the init of the hw struct to its
    own function. This allows the init to be called very early in
    probe, which then allows using hw-> members for this fix.
    
    A slight refactor to the DMA mask code was done for minor
    correctness based on the instructions in DMA-API-HOWTO.
    
    Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [bwh: Adjust for 2.6.32]

commit ce61b0429a77584bcbbf6b944dbf25696e522b90
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Thu Feb 11 10:26:38 2010 +0000

    ipg: Remove device claimed by dl2k from pci id table
    
    commit 25cca5352712561fba97bd37c495593d641c1d39 upstream.
    
    This patch removes D-Link DGE-550T PCI ID (1186:4000) from the ipg
    driver. The ipg driver is for IP2000-based cards and the DGE-550T is
    a DL2000-based card. The driver loads and works for a few moments, but
    once a real workload is applied it stops operating. The ipg driver
    claimed this ID since it was introduced in 2.6.24 and it's forced many
    users to blacklist it.
    
    The correct driver for this hardware is the dl2k driver, which has been
    claiming this PCI ID since the 2.4 days.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 6d7016414374610b0049792f8c0e5b7bc781f1d4
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sat Nov 7 12:04:09 2009 +0000

    pcnet-cs: declare MODULE_FIRMWARE
    
    commit 8489992e723b5def1a807e615854f51b75d10600 upstream.
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 6b35277ffea8f6749fe9b5087b3112415190181a
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sat Nov 7 11:55:20 2009 +0000

    tms380tr: declare MODULE_FIRMWARE
    
    commit b3ccbb24e8914973be0d2ee7b66e44cecaed9bf5 upstream.
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit f26c9183d5f9a2c0cdd57146501c54c931654133
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sat Nov 7 11:55:07 2009 +0000

    spider-net: declare MODULE_FIRMWARE
    
    commit 866691a21e8c9dfc58c5ab1ed77d5c41e779755b upstream.
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 5c0d6fb8b643bf6824a6331103d839513040f9e6
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sat Nov 7 11:54:44 2009 +0000

    myri10ge: declare MODULE_FIRMWARE
    
    commit b9721d5a2fa00ad979c19a9511d43d2664d5381c upstream.
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit c72b9d0bc10c4e67ab35196e266469563f68d93d
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sat Nov 7 11:53:52 2009 +0000

    cxgb3: declare MODULE_FIRMWARE
    
    commit 34336ec032878d1a32e7df881f16ce2145e53f83 upstream.
    
    Replace run-time string formatting with preprocessor string
    manipulation.
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Acked-by: Divy Le Ray <divy@chelsio.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit a5f3732bfa4d75eb8f44ac769e791c643a8cec42
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sat Nov 7 11:53:39 2009 +0000

    bnx2x: declare MODULE_FIRMWARE
    
    commit 45229b420f90bb6736dfeb7e491eb46cb02a3e9c upstream.
    
    Replace run-time string formatting with preprocessor string
    manipulation.
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Acked-by: Eilon Greenstein <eilong@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 9865196fbbca943a7153feb26abd6af657b41524
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sat Nov 7 11:37:36 2009 +0000

    netx: declare MODULE_FIRMWARE
    
    commit 36c04a61f516742dad6f9bad8c6c1a7137a260f5 upstream.
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 9b03a5f4febb698d1ae394883cb6e83971dab35f
Author: Dhananjay Phadke <dhananjay@netxen.com>
Date:   Sat Oct 24 16:04:02 2009 +0000

    netxen: module firmware hints
    
    commit 7e8e5d9718744b817bfea6f020586d7035cc89f4 upstream.
    
    Add MODULE_FIRMWARE hints for various firmware file types,
    required by different chip revisions.
    
    Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [bwh: Adjust for 2.6.32]

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
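The econet fix for CVE-2010-3848 above replaces a stack array sized by the sender's iovec count with a single heap buffer. The following is an added example written for this page, not the kernel's econet code: it models that pattern in userspace C, with malloc standing in for kmalloc, memcpy for copy_from_user, and a hypothetical MAX_MSG_LEN cap that the example chooses itself. The lengths are summed with a wrap-around check before any data is touched, which is the part a reviewer should look for in any "coalesce the iovecs" rewrite.

```c
/*
 * Added example, not the kernel's econet code: the pattern behind the
 * CVE-2010-3848 fix.  The number of iovecs comes from the sender, so it
 * must never size a stack array.  Instead, sum the lengths with an
 * overflow check and copy the pieces into one heap buffer.  Userspace
 * stand-ins: malloc for kmalloc, memcpy for copy_from_user.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Hypothetical cap on one datagram payload, chosen for this example. */
#define MAX_MSG_LEN 65535

/*
 * Vulnerable shape, shown only for contrast and never compiled in:
 * a caller-controlled msg_iovlen sizes a VLA on the kernel stack.
 *
 *     struct iovec iov[msg->msg_iovlen + 1];
 */

/*
 * Coalesce a user-supplied iovec array into a single heap buffer.
 * Returns the total payload length, or a negative errno; on success
 * *out holds the buffer and the caller frees it.
 */
ssize_t coalesce_iov(const struct iovec *uiov, size_t iovlen, char **out)
{
    size_t total = 0, i;
    char *buf, *p;

    *out = NULL;
    /* Add up the lengths, rejecting wrap-around and oversized messages
     * before touching any user data. */
    for (i = 0; i < iovlen; i++) {
        if (uiov[i].iov_len > MAX_MSG_LEN - total)
            return -EMSGSIZE;
        total += uiov[i].iov_len;
    }

    buf = malloc(total ? total : 1);
    if (!buf)
        return -ENOMEM;

    /* Copy each fragment; in the kernel this is copy_from_user. */
    p = buf;
    for (i = 0; i < iovlen; i++) {
        memcpy(p, uiov[i].iov_base, uiov[i].iov_len);
        p += uiov[i].iov_len;
    }
    *out = buf;
    return (ssize_t)total;
}

/* Constructed input: two fragments that join to "hello". Returns 5 on success. */
ssize_t demo_join(void)
{
    char a[] = "hel", b[] = "lo";
    struct iovec iov[2] = {
        { .iov_base = a, .iov_len = 3 },
        { .iov_base = b, .iov_len = 2 },
    };
    char *buf = NULL;
    ssize_t n = coalesce_iov(iov, 2, &buf);
    int ok = (n == 5 && memcmp(buf, "hello", 5) == 0);

    free(buf);
    return ok ? n : -1;
}

/* Constructed input whose lengths exceed the cap: rejected before any copy. */
ssize_t demo_oversize(void)
{
    struct iovec iov[2] = {
        { .iov_base = NULL, .iov_len = MAX_MSG_LEN },
        { .iov_base = NULL, .iov_len = 1 },
    };
    char *buf = NULL;

    return coalesce_iov(iov, 2, &buf); /* -EMSGSIZE, buf stays NULL */
}

int main(void)
{
    printf("join: %zd, oversize: %zd (expect 5 and %d)\n",
           demo_join(), demo_oversize(), -EMSGSIZE);
    return 0;
}
```

The second demo deliberately uses NULL bases: the point is that the length check fails before the copy loop runs, so no user pointer is ever dereferenced for a rejected message.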

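The niu ETHTOOL_GRXCLSRLALL fix above turns an after-the-fact warning into a check before every entry is written. The following is an added example written for this page, not the niu driver's code: it models that change in userspace C with a constructed TCAM state (a hypothetical 256-slot validity bitmap) and a caller-supplied slot count that plays the role of the user-controlled rule_cnt. The too-small case keeps a guard word past the end of the buffer to show that nothing is written beyond what the caller sized.

```c
/*
 * Added example, not the niu driver's code: the check-before-each-entry
 * pattern from the ETHTOOL_GRXCLSRLALL fix.  The caller says how many rule
 * slots its buffer holds, and that value is under unprivileged user
 * control, so the filler must stop with an error when the buffer is full
 * instead of writing past it and warning afterwards.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCAM_ENTRIES 256  /* hypothetical TCAM size for this example */

/* Constructed hardware state: which TCAM slots currently hold a rule. */
struct tcam_state {
    unsigned char valid[TCAM_ENTRIES];
};

/*
 * Vulnerable shape, for contrast: rule_locs[cnt++] = i for every valid
 * slot, then warn if cnt > rule_cnt once the damage is done.
 *
 * Hardened version: returns the number of locations written, or
 * -EMSGSIZE if the caller-sized buffer fills before all rules fit.
 */
int get_tcam_all(const struct tcam_state *st, uint32_t *rule_locs,
                 uint32_t rule_cnt)
{
    uint32_t cnt = 0;
    int i;

    for (i = 0; i < TCAM_ENTRIES; i++) {
        if (!st->valid[i])
            continue;
        if (cnt == rule_cnt)      /* check before every write */
            return -EMSGSIZE;
        rule_locs[cnt++] = (uint32_t)i;
    }
    return (int)cnt;
}

/* Constructed state: three rules at slots 5, 17 and 200. */
static void sample_state(struct tcam_state *st)
{
    memset(st, 0, sizeof(*st));
    st->valid[5] = st->valid[17] = st->valid[200] = 1;
}

/* A four-slot buffer holds all three rules. Returns 3 on success. */
int demo_fits(void)
{
    struct tcam_state st;
    uint32_t locs[4] = { 0, 0, 0, 0 };
    int n;

    sample_state(&st);
    n = get_tcam_all(&st, locs, 4);
    return (n == 3 && locs[0] == 5 && locs[1] == 17 && locs[2] == 200) ? n : -1;
}

/* Same rules, but the caller claimed only two slots: error, and the
 * guard word beyond the claimed buffer is untouched. */
int demo_too_small(void)
{
    struct tcam_state st;
    uint32_t locs[3] = { 0, 0, 0xdeadbeef }; /* locs[2] is the guard */
    int n;

    sample_state(&st);
    n = get_tcam_all(&st, locs, 2);
    return (n == -EMSGSIZE && locs[2] == 0xdeadbeef) ? n : -1;
}

int main(void)
{
    printf("fits: %d, too small: %d (expect 3 and %d)\n",
           demo_fits(), demo_too_small(), -EMSGSIZE);
    return 0;
}
```

Returning -EMSGSIZE rather than silently truncating matters for the ethtool interface: the caller can then grow its buffer and retry, and a partially filled buffer is never mistaken for a complete rule list.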