--- /dev/null
+From d30def6019a6815abb3109f836d982529851e98b Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Mon, 24 Nov 2008 16:06:50 -0800
+Subject: bridge: netfilter: fix update_pmtu crash with GRE
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 631339f1e544a4d39a63cfe6708c5bddcd5a2c48 ]
+
+As GRE tries to call the update_pmtu function on skb->dst and
+bridge supplies an skb->dst that has a NULL ops field, all is
+not well.
+
+This patch fixes this by giving the bridge device an ops field
+with an update_pmtu function. For the moment I've left all
+other fields blank but we can fill them in later should the
+need arise.
+
+Based on report and patch by Philip Craig.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bridge/br_netfilter.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/net/bridge/br_netfilter.c
++++ b/net/bridge/br_netfilter.c
+@@ -101,6 +101,18 @@ static inline __be16 pppoe_proto(const s
+ pppoe_proto(skb) == htons(PPP_IPV6) && \
+ brnf_filter_pppoe_tagged)
+
++static void fake_update_pmtu(struct dst_entry *dst, u32 mtu)
++{
++}
++
++static struct dst_ops fake_dst_ops = {
++ .family = AF_INET,
++ .protocol = __constant_htons(ETH_P_IP),
++ .update_pmtu = fake_update_pmtu,
++ .entry_size = sizeof(struct rtable),
++ .entries = ATOMIC_INIT(0),
++};
++
+ /*
+ * Initialize bogus route table used to keep netfilter happy.
+ * Currently, we fill in the PMTU entry because netfilter
+@@ -117,6 +129,7 @@ void br_netfilter_rtable_init(struct net
+ rt->u.dst.path = &rt->u.dst;
+ rt->u.dst.metrics[RTAX_MTU - 1] = 1500;
+ rt->u.dst.flags = DST_NOXFRM;
++ rt->u.dst.ops = &fake_dst_ops;
+ }
+
+ static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
--- /dev/null
+From b10b5ba7587cd6e2af36edb495091855fb3b1a4e Mon Sep 17 00:00:00 2001
+From: Eugene Teo <eugeneteo@kernel.sg>
+Date: Mon, 23 Feb 2009 15:38:41 -0800
+Subject: net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+
+From: Eugene Teo <eugeneteo@kernel.sg>
+
+[ Upstream commit 50fee1dec5d71b8a14c1b82f2f42e16adc227f8b ]
+
+The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note
+that the same problem of leaking kernel memory will reappear if someone
+on some architecture uses struct timeval with some internal padding (for
+example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to
+leak the padded bytes to userspace.
+
+Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -695,7 +695,7 @@ int sock_getsockopt(struct socket *sock,
+ if (len < 0)
+ return -EINVAL;
+
+- v.val = 0;
++ memset(&v, 0, sizeof(v));
+
+ switch(optname) {
+ case SO_DEBUG:
--- /dev/null
+From fdfaac1e3c05e73b6ccd416a6a8abd5ec124e557 Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Wed, 25 Feb 2009 23:09:34 -0800
+Subject: net: Kill skb_truesize_check(), it only catches false-positives.
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 92a0acce186cde8ead56c6915d9479773673ea1a ]
+
+A long time ago we had bugs, primarily in TCP, where we would modify
+skb->truesize (for TSO queue collapsing) in ways which would corrupt
+the socket memory accounting.
+
+skb_truesize_check() was added in order to try and catch this error
+more systematically.
+
+However this debugging check has morphed into a Frankenstein of sorts
+and these days it does nothing other than catch false-positives.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/skbuff.h | 9 ---------
+ include/net/sock.h | 1 -
+ net/core/skbuff.c | 8 --------
+ net/core/sock.c | 1 -
+ 4 files changed, 19 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -395,15 +395,6 @@ extern void skb_over_panic(struct
+ void *here);
+ extern void skb_under_panic(struct sk_buff *skb, int len,
+ void *here);
+-extern void skb_truesize_bug(struct sk_buff *skb);
+-
+-static inline void skb_truesize_check(struct sk_buff *skb)
+-{
+- int len = sizeof(struct sk_buff) + skb->len;
+-
+- if (unlikely((int)skb->truesize < len))
+- skb_truesize_bug(skb);
+-}
+
+ extern int skb_append_datato_frags(struct sock *sk, struct sk_buff *skb,
+ int getfrag(void *from, char *to, int offset,
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -777,7 +777,6 @@ static inline void sk_mem_uncharge(struc
+
+ static inline void sk_wmem_free_skb(struct sock *sk, struct sk_buff *skb)
+ {
+- skb_truesize_check(skb);
+ sock_set_flag(sk, SOCK_QUEUE_SHRUNK);
+ sk->sk_wmem_queued -= skb->truesize;
+ sk_mem_uncharge(sk, skb->truesize);
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -143,14 +143,6 @@ void skb_under_panic(struct sk_buff *skb
+ BUG();
+ }
+
+-void skb_truesize_bug(struct sk_buff *skb)
+-{
+- printk(KERN_ERR "SKB BUG: Invalid truesize (%u) "
+- "len=%u, sizeof(sk_buff)=%Zd\n",
+- skb->truesize, skb->len, sizeof(struct sk_buff));
+-}
+-EXPORT_SYMBOL(skb_truesize_bug);
+-
+ /* Allocate a new skbuff. We do this ourselves so we can fill in a few
+ * 'private' fields and also do memory statistics to find all the
+ * [BEEP] leaks.
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1136,7 +1136,6 @@ void sock_rfree(struct sk_buff *skb)
+ {
+ struct sock *sk = skb->sk;
+
+- skb_truesize_check(skb);
+ atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
+ sk_mem_uncharge(skb->sk, skb->truesize);
+ }
--- /dev/null
+usb-net-asix-add-support-for-cables-to-go-usb-ethernet-adapter.patch
+bridge-netfilter-fix-update_pmtu-crash-with-gre.patch
+net-amend-the-fix-for-so_bsdcompat-gsopt-infoleak.patch
+net-kill-skb_truesize_check-it-only-catches-false-positives.patch
+sparc64-fix-dax-handling-via-userspace-access-from-kernel.patch
+sparc-we-need-to-implement-arch_ptrace_stop.patch
--- /dev/null
+From fd985a17fb11cd9e805a3aa8819903cbe56c52c5 Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Mon, 19 Jan 2009 23:24:42 -0800
+Subject: sparc: We need to implement arch_ptrace_stop().
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 878a5535957b563c447d32866a9e606c55fef091 ]
+
+In order to always provide fully synchronized state to the debugger,
+we might need to do a synchronize_user_stack().
+
+A pair of hooks, arch_ptrace_stop_needed() and arch_ptrace_stop(),
+exist to handle this kind of situation. It was created for
+the sake of IA64.
+
+Use them, to flush the kernel side cached register windows
+to the user stack, when necessary.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc/include/asm/ptrace_32.h | 10 ++++++++++
+ arch/sparc/include/asm/ptrace_64.h | 10 ++++++++++
+ 2 files changed, 20 insertions(+)
+
+--- a/arch/sparc/include/asm/ptrace_32.h
++++ b/arch/sparc/include/asm/ptrace_32.h
+@@ -62,6 +62,8 @@ struct sparc_stackf {
+
+ #ifdef __KERNEL__
+
++#include <asm/system.h>
++
+ static inline bool pt_regs_is_syscall(struct pt_regs *regs)
+ {
+ return (regs->psr & PSR_SYSCALL);
+@@ -72,6 +74,14 @@ static inline bool pt_regs_clear_syscall
+ return (regs->psr &= ~PSR_SYSCALL);
+ }
+
++#define arch_ptrace_stop_needed(exit_code, info) \
++({ flush_user_windows(); \
++ current_thread_info()->w_saved != 0; \
++})
++
++#define arch_ptrace_stop(exit_code, info) \
++ synchronize_user_stack()
++
+ #define user_mode(regs) (!((regs)->psr & PSR_PS))
+ #define instruction_pointer(regs) ((regs)->pc)
+ #define user_stack_pointer(regs) ((regs)->u_regs[UREG_FP])
+--- a/arch/sparc/include/asm/ptrace_64.h
++++ b/arch/sparc/include/asm/ptrace_64.h
+@@ -113,6 +113,8 @@ struct sparc_trapf {
+
+ #ifdef __KERNEL__
+
++#include <asm/system.h>
++
+ static inline int pt_regs_trap_type(struct pt_regs *regs)
+ {
+ return regs->magic & 0x1ff;
+@@ -128,6 +130,14 @@ static inline bool pt_regs_clear_syscall
+ return (regs->tstate &= ~TSTATE_SYSCALL);
+ }
+
++#define arch_ptrace_stop_needed(exit_code, info) \
++({ flush_user_windows(); \
++ get_thread_wsaved() != 0; \
++})
++
++#define arch_ptrace_stop(exit_code, info) \
++ synchronize_user_stack()
++
+ struct global_reg_snapshot {
+ unsigned long tstate;
+ unsigned long tpc;
--- /dev/null
+From 93bdad1f5ea5a01b97638e3596defbc3d28984d2 Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Mon, 19 Jan 2009 22:56:51 -0800
+Subject: sparc64: Fix DAX handling via userspace access from kernel.
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit fcd26f7ae2ea5889134e8b3d60a42ce8b993c95f ]
+
+If we do a userspace access from kernel mode, and get a
+data access exception, we need to check the exception
+table just like a normal fault does.
+
+The spitfire DAX handler was doing this, but such logic
+was missing from the sun4v DAX code.
+
+Reported-by: Dennis Gilmore <dgilmore@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sparc64/kernel/traps.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc64/kernel/traps.c
++++ b/arch/sparc64/kernel/traps.c
+@@ -1,6 +1,6 @@
+ /* arch/sparc64/kernel/traps.c
+ *
+- * Copyright (C) 1995,1997,2008 David S. Miller (davem@davemloft.net)
++ * Copyright (C) 1995,1997,2008,2009 David S. Miller (davem@davemloft.net)
+ * Copyright (C) 1997,1999,2000 Jakub Jelinek (jakub@redhat.com)
+ */
+
+@@ -262,6 +262,21 @@ void sun4v_data_access_exception(struct
+ return;
+
+ if (regs->tstate & TSTATE_PRIV) {
++ /* Test if this comes from uaccess places. */
++ const struct exception_table_entry *entry;
++
++ entry = search_exception_tables(regs->tpc);
++ if (entry) {
++ /* Ouch, somebody is trying VM hole tricks on us... */
++#ifdef DEBUG_EXCEPTIONS
++ printk("Exception: PC<%016lx> faddr<UNKNOWN>\n", regs->tpc);
++ printk("EX_TABLE: insn<%016lx> fixup<%016lx>\n",
++ regs->tpc, entry->fixup);
++#endif
++ regs->tpc = entry->fixup;
++ regs->tnpc = regs->tpc + 4;
++ return;
++ }
+ printk("sun4v_data_access_exception: ADDR[%016lx] "
+ "CTX[%04x] TYPE[%04x], going.\n",
+ addr, ctx, type);
--- /dev/null
+From ccf95402d0ae6f433f29ce88cfd589cec8fc81ad Mon Sep 17 00:00:00 2001
+From: Jason Cooper <jason@lakedaemon.net>
+Date: Tue, 11 Nov 2008 13:02:53 -0500
+Subject: USB: net: asix: add support for Cables-to-Go USB Ethernet adapter
+
+From: Jason Cooper <jason@lakedaemon.net>
+
+commit ccf95402d0ae6f433f29ce88cfd589cec8fc81ad upstream.
+
+Add support to drivers/net/usb/asix.c for the Cables-to-Go "USB 2.0 to
+10/100 Ethernet Adapter". USB id 0b95:772a.
+
+Signed-off-by: Jason Cooper <jason@lakedaemon.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/usb/asix.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/usb/asix.c
++++ b/drivers/net/usb/asix.c
+@@ -1444,6 +1444,10 @@ static const struct usb_device_id produc
+ // Apple USB Ethernet Adapter
+ USB_DEVICE(0x05ac, 0x1402),
+ .driver_info = (unsigned long) &ax88772_info,
++}, {
++ // Cables-to-Go USB Ethernet Adapter
++ USB_DEVICE(0x0b95, 0x772a),
++ .driver_info = (unsigned long) &ax88772_info,
+ },
+ { }, // END
+ };
projects / thirdparty / kernel / stable-queue.git / commitdiff
