From 9153dc5fdbd86cc4d3559930c9d5ca978fcf825a Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 2 Mar 2009 11:39:18 -0800
Subject: [PATCH] .27 patches
---
...ilter-fix-update_pmtu-crash-with-gre.patch | 58 +++++++++++++
...-fix-for-so_bsdcompat-gsopt-infoleak.patch | 35 ++++++++
...heck-it-only-catches-false-positives.patch | 84 +++++++++++++++++++
queue-2.6.27/series | 6 ++
...e-need-to-implement-arch_ptrace_stop.patch | 79 +++++++++++++++++
...ing-via-userspace-access-from-kernel.patch | 56 +++++++++++++
...or-cables-to-go-usb-ethernet-adapter.patch | 32 +++++++
7 files changed, 350 insertions(+)
create mode 100644 queue-2.6.27/bridge-netfilter-fix-update_pmtu-crash-with-gre.patch
create mode 100644 queue-2.6.27/net-amend-the-fix-for-so_bsdcompat-gsopt-infoleak.patch
create mode 100644 queue-2.6.27/net-kill-skb_truesize_check-it-only-catches-false-positives.patch
create mode 100644 queue-2.6.27/series
create mode 100644 queue-2.6.27/sparc-we-need-to-implement-arch_ptrace_stop.patch
create mode 100644 queue-2.6.27/sparc64-fix-dax-handling-via-userspace-access-from-kernel.patch
create mode 100644 queue-2.6.27/usb-net-asix-add-support-for-cables-to-go-usb-ethernet-adapter.patch
diff --git a/queue-2.6.27/bridge-netfilter-fix-update_pmtu-crash-with-gre.patch b/queue-2.6.27/bridge-netfilter-fix-update_pmtu-crash-with-gre.patch
new file mode 100644
index 00000000000..29917070a46
--- /dev/null
+++ b/queue-2.6.27/bridge-netfilter-fix-update_pmtu-crash-with-gre.patch
@@ -0,0 +1,58 @@
+From d30def6019a6815abb3109f836d982529851e98b Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Mon, 24 Nov 2008 16:06:50 -0800
+Subject: bridge: netfilter: fix update_pmtu crash with GRE
+
+From: Herbert Xu
+
+[ Upstream commit 631339f1e544a4d39a63cfe6708c5bddcd5a2c48 ]
+
+As GRE tries to call the update_pmtu function on skb->dst and
+bridge supplies an skb->dst that has a NULL ops field, all is
+not well.
+
+This patch fixes this by giving the bridge device an ops field
+with an update_pmtu function. For the moment I've left all
+other fields blank but we can fill them in later should the
+need arise.
+
+Based on report and patch by Philip Craig.
+
+Signed-off-by: Herbert Xu
+Signed-off-by: Patrick McHardy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/br_netfilter.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/net/bridge/br_netfilter.c
++++ b/net/bridge/br_netfilter.c
+@@ -101,6 +101,18 @@ static inline __be16 pppoe_proto(const s
+ pppoe_proto(skb) == htons(PPP_IPV6) && \
+ brnf_filter_pppoe_tagged)
+
++static void fake_update_pmtu(struct dst_entry *dst, u32 mtu)
++{
++}
++
++static struct dst_ops fake_dst_ops = {
++ .family = AF_INET,
++ .protocol = __constant_htons(ETH_P_IP),
++ .update_pmtu = fake_update_pmtu,
++ .entry_size = sizeof(struct rtable),
++ .entries = ATOMIC_INIT(0),
++};
++
+ /*
+ * Initialize bogus route table used to keep netfilter happy.
+ * Currently, we fill in the PMTU entry because netfilter
+@@ -117,6 +129,7 @@ void br_netfilter_rtable_init(struct net
+ rt->u.dst.path = &rt->u.dst;
+ rt->u.dst.metrics[RTAX_MTU - 1] = 1500;
+ rt->u.dst.flags = DST_NOXFRM;
++ rt->u.dst.ops = &fake_dst_ops;
+ }
+
+ static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
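Review bot: `fake_dst_ops` in the br_netfilter.c change populates only `update_pmtu`, so every other callback on the bridge's fake dst stays NULL; any caller that invokes a different `dst->ops` callback without a NULL check (none is visible in this hunk) would presumably fault the same way the GRE path did. A comment on the struct should record that this is deliberate, for example `/* Only update_pmtu is provided; all other dst_ops callbacks are intentionally NULL. */`. The empty body of `fake_update_pmtu()` also deserves a one-line `/* Intentionally empty: exists only so callers find a non-NULL update_pmtu. */`.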
diff --git a/queue-2.6.27/net-amend-the-fix-for-so_bsdcompat-gsopt-infoleak.patch b/queue-2.6.27/net-amend-the-fix-for-so_bsdcompat-gsopt-infoleak.patch
new file mode 100644
index 00000000000..b917b7ad3c3
--- /dev/null
+++ b/queue-2.6.27/net-amend-the-fix-for-so_bsdcompat-gsopt-infoleak.patch
@@ -0,0 +1,35 @@
+From b10b5ba7587cd6e2af36edb495091855fb3b1a4e Mon Sep 17 00:00:00 2001
+From: Eugene Teo
+Date: Mon, 23 Feb 2009 15:38:41 -0800
+Subject: net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+
+From: Eugene Teo
+
+[ Upstream commit 50fee1dec5d71b8a14c1b82f2f42e16adc227f8b ]
+
+The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note
+that the same problem of leaking kernel memory will reappear if someone
+on some architecture uses struct timeval with some internal padding (for
+example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to
+leak the padded bytes to userspace.
+
+Signed-off-by: Eugene Teo
+Reported-by: Mikulas Patocka
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -695,7 +695,7 @@ int sock_getsockopt(struct socket *sock,
+ if (len < 0)
+ return -EINVAL;
+
+- v.val = 0;
++ memset(&v, 0, sizeof(v));
+
+ switch(optname) {
+ case SO_DEBUG:
diff --git a/queue-2.6.27/net-kill-skb_truesize_check-it-only-catches-false-positives.patch b/queue-2.6.27/net-kill-skb_truesize_check-it-only-catches-false-positives.patch
new file mode 100644
index 00000000000..14296ae6066
--- /dev/null
+++ b/queue-2.6.27/net-kill-skb_truesize_check-it-only-catches-false-positives.patch
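Review bot: The new `memset(&v, 0, sizeof(v));` in `sock_getsockopt()` (net/core/sock.c change) carries no comment saying why the whole union is cleared, so a later cleanup could plausibly shrink it back to `v.val = 0;` and reopen the leak described in the commit message. I would add `/* Zero the whole union, padding included: it is copied to userspace below. */` directly above it. The declaration of `v` and the copy to userspace are outside this hunk, so the wording should be confirmed against the full function.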
@@ -0,0 +1,84 @@
+From fdfaac1e3c05e73b6ccd416a6a8abd5ec124e557 Mon Sep 17 00:00:00 2001
+From: David S. Miller
+Date: Wed, 25 Feb 2009 23:09:34 -0800
+Subject: net: Kill skb_truesize_check(), it only catches false-positives.
+
+From: David S. Miller
+
+[ Upstream commit 92a0acce186cde8ead56c6915d9479773673ea1a ]
+
+A long time ago we had bugs, primarily in TCP, where we would modify
+skb->truesize (for TSO queue collapsing) in ways which would corrupt
+the socket memory accounting.
+
+skb_truesize_check() was added in order to try and catch this error
+more systematically.
+
+However this debugging check has morphed into a Frankenstein of sorts
+and these days it does nothing other than catch false-positives.
+
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/skbuff.h | 9 ---------
+ include/net/sock.h | 1 -
+ net/core/skbuff.c | 8 --------
+ net/core/sock.c | 1 -
+ 4 files changed, 19 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -395,15 +395,6 @@ extern void skb_over_panic(struct
+ void *here);
+ extern void skb_under_panic(struct sk_buff *skb, int len,
+ void *here);
+-extern void skb_truesize_bug(struct sk_buff *skb);
+-
+-static inline void skb_truesize_check(struct sk_buff *skb)
+-{
+- int len = sizeof(struct sk_buff) + skb->len;
+-
+- if (unlikely((int)skb->truesize < len))
+- skb_truesize_bug(skb);
+-}
+
+ extern int skb_append_datato_frags(struct sock *sk, struct sk_buff *skb,
+ int getfrag(void *from, char *to, int offset,
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -777,7 +777,6 @@ static inline void sk_mem_uncharge(struc
+
+ static inline void sk_wmem_free_skb(struct sock *sk, struct sk_buff *skb)
+ {
+- skb_truesize_check(skb);
+ sock_set_flag(sk, SOCK_QUEUE_SHRUNK);
+ sk->sk_wmem_queued -= skb->truesize;
+ sk_mem_uncharge(sk, skb->truesize);
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -143,14 +143,6 @@ void skb_under_panic(struct sk_buff *skb
+ BUG();
+ }
+
+-void skb_truesize_bug(struct sk_buff *skb)
+-{
+- printk(KERN_ERR "SKB BUG: Invalid truesize (%u) "
+- "len=%u, sizeof(sk_buff)=%Zd\n",
+- skb->truesize, skb->len, sizeof(struct sk_buff));
+-}
+-EXPORT_SYMBOL(skb_truesize_bug);
+-
+ /* Allocate a new skbuff. We do this ourselves so we can fill in a few
+ * 'private' fields and also do memory statistics to find all the
+ * [BEEP] leaks.
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1136,7 +1136,6 @@ void sock_rfree(struct sk_buff *skb)
+ {
+ struct sock *sk = skb->sk;
+
+- skb_truesize_check(skb);
+ atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
+ sk_mem_uncharge(skb->sk, skb->truesize);
+ }
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
new file mode 100644
index 00000000000..fcbf1072de6
--- /dev/null
+++ b/queue-2.6.27/series
@@ -0,0 +1,6 @@
+usb-net-asix-add-support-for-cables-to-go-usb-ethernet-adapter.patch
+bridge-netfilter-fix-update_pmtu-crash-with-gre.patch
+net-amend-the-fix-for-so_bsdcompat-gsopt-infoleak.patch
+net-kill-skb_truesize_check-it-only-catches-false-positives.patch
+sparc64-fix-dax-handling-via-userspace-access-from-kernel.patch
+sparc-we-need-to-implement-arch_ptrace_stop.patch
diff --git a/queue-2.6.27/sparc-we-need-to-implement-arch_ptrace_stop.patch b/queue-2.6.27/sparc-we-need-to-implement-arch_ptrace_stop.patch
new file mode 100644
index 00000000000..2e98d2f168e
--- /dev/null
+++ b/queue-2.6.27/sparc-we-need-to-implement-arch_ptrace_stop.patch
@@ -0,0 +1,79 @@
+From fd985a17fb11cd9e805a3aa8819903cbe56c52c5 Mon Sep 17 00:00:00 2001
+From: David S. Miller
+Date: Mon, 19 Jan 2009 23:24:42 -0800
+Subject: sparc: We need to implement arch_ptrace_stop().
+
+From: David S. Miller
+
+[ Upstream commit 878a5535957b563c447d32866a9e606c55fef091 ]
+
+In order to always provide fully synchronized state to the debugger,
+we might need to do a synchronize_user_stack().
+
+A pair of hooks, arch_ptrace_stop_needed() and arch_ptrace_stop(),
+exist to handle this kind of situation. It was created for
+the sake of IA64.
+
+Use them, to flush the kernel side cached register windows
+to the user stack, when necessary.
+
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/sparc/include/asm/ptrace_32.h | 10 ++++++++++
+ arch/sparc/include/asm/ptrace_64.h | 10 ++++++++++
+ 2 files changed, 20 insertions(+)
+
+--- a/arch/sparc/include/asm/ptrace_32.h
++++ b/arch/sparc/include/asm/ptrace_32.h
+@@ -62,6 +62,8 @@ struct sparc_stackf {
+
+ #ifdef __KERNEL__
+
++#include
++
+ static inline bool pt_regs_is_syscall(struct pt_regs *regs)
+ {
+ return (regs->psr & PSR_SYSCALL);
+@@ -72,6 +74,14 @@ static inline bool pt_regs_clear_syscall
+ return (regs->psr &= ~PSR_SYSCALL);
+ }
+
++#define arch_ptrace_stop_needed(exit_code, info) \
++({ flush_user_windows(); \
++ current_thread_info()->w_saved != 0; \
++})
++
++#define arch_ptrace_stop(exit_code, info) \
++ synchronize_user_stack()
++
+ #define user_mode(regs) (!((regs)->psr & PSR_PS))
+ #define instruction_pointer(regs) ((regs)->pc)
+ #define user_stack_pointer(regs) ((regs)->u_regs[UREG_FP])
+--- a/arch/sparc/include/asm/ptrace_64.h
++++ b/arch/sparc/include/asm/ptrace_64.h
+@@ -113,6 +113,8 @@ struct sparc_trapf {
+
+ #ifdef __KERNEL__
+
++#include
++
+ static inline int pt_regs_trap_type(struct pt_regs *regs)
+ {
+ return regs->magic & 0x1ff;
+@@ -128,6 +130,14 @@ static inline bool pt_regs_clear_syscall
+ return (regs->tstate &= ~TSTATE_SYSCALL);
+ }
+
++#define arch_ptrace_stop_needed(exit_code, info) \
++({ flush_user_windows(); \
++ get_thread_wsaved() != 0; \
++})
++
++#define arch_ptrace_stop(exit_code, info) \
++ synchronize_user_stack()
++
+ struct global_reg_snapshot {
+ unsigned long tstate;
+ unsigned long tpc;
diff --git a/queue-2.6.27/sparc64-fix-dax-handling-via-userspace-access-from-kernel.patch b/queue-2.6.27/sparc64-fix-dax-handling-via-userspace-access-from-kernel.patch
new file mode 100644
index 00000000000..dc556800332
--- /dev/null
+++ b/queue-2.6.27/sparc64-fix-dax-handling-via-userspace-access-from-kernel.patch
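Review bot: `arch_ptrace_stop_needed()` in both ptrace_32.h and ptrace_64.h reads like a predicate but calls `flush_user_windows()` on every evaluation, and neither it nor `arch_ptrace_stop()` uses its `exit_code` and `info` parameters; nothing in either header says so. A short comment above each pair would help, e.g. `/* Flush register windows first; a non-zero saved-window count means they still have to be written to the user stack. */`. The meaning of `w_saved` and `get_thread_wsaved()` is inferred from the commit message rather than visible in these hunks, so the wording should be confirmed. Both macros also depend on the GCC statement-expression extension, which matters if they are ever converted to `static inline` functions.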
@@ -0,0 +1,56 @@
+From 93bdad1f5ea5a01b97638e3596defbc3d28984d2 Mon Sep 17 00:00:00 2001
+From: David S. Miller
+Date: Mon, 19 Jan 2009 22:56:51 -0800
+Subject: sparc64: Fix DAX handling via userspace access from kernel.
+
+From: David S. Miller
+
+[ Upstream commit fcd26f7ae2ea5889134e8b3d60a42ce8b993c95f ]
+
+If we do a userspace access from kernel mode, and get a
+data access exception, we need to check the exception
+table just like a normal fault does.
+
+The spitfire DAX handler was doing this, but such logic
+was missing from the sun4v DAX code.
+
+Reported-by: Dennis Gilmore
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/sparc64/kernel/traps.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc64/kernel/traps.c
++++ b/arch/sparc64/kernel/traps.c
+@@ -1,6 +1,6 @@
+ /* arch/sparc64/kernel/traps.c
+ *
+- * Copyright (C) 1995,1997,2008 David S. Miller (davem@davemloft.net)
++ * Copyright (C) 1995,1997,2008,2009 David S. Miller (davem@davemloft.net)
+ * Copyright (C) 1997,1999,2000 Jakub Jelinek (jakub@redhat.com)
+ */
+
+@@ -262,6 +262,21 @@ void sun4v_data_access_exception(struct
+ return;
+
+ if (regs->tstate & TSTATE_PRIV) {
++ /* Test if this comes from uaccess places. */
++ const struct exception_table_entry *entry;
++
++ entry = search_exception_tables(regs->tpc);
++ if (entry) {
++ /* Ouch, somebody is trying VM hole tricks on us... */
++#ifdef DEBUG_EXCEPTIONS
++ printk("Exception: PC<%016lx> faddr\n", regs->tpc);
++ printk("EX_TABLE: insn<%016lx> fixup<%016lx>\n",
++ regs->tpc, entry->fixup);
++#endif
++ regs->tpc = entry->fixup;
++ regs->tnpc = regs->tpc + 4;
++ return;
++ }
+ printk("sun4v_data_access_exception: ADDR[%016lx] "
+ "CTX[%04x] TYPE[%04x], going.\n",
+ addr, ctx, type);
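Review bot: The two `printk()` calls under `#ifdef DEBUG_EXCEPTIONS` in `sun4v_data_access_exception()` carry no log level, and they sit on a path that, going by the commit message, a user process can presumably reach repeatedly by passing the kernel a bad pointer. I would give them an explicit level, e.g. `printk(KERN_DEBUG "EX_TABLE: insn<%016lx> fixup<%016lx>\n",`, so a debug build does not emit kernel text addresses at the default level. The comment `/* Ouch, somebody is trying VM hole tricks on us... */` could say plainly that the fault came from a uaccess instruction and is being redirected to its fixup handler. The function starts and continues outside this hunk.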
diff --git a/queue-2.6.27/usb-net-asix-add-support-for-cables-to-go-usb-ethernet-adapter.patch b/queue-2.6.27/usb-net-asix-add-support-for-cables-to-go-usb-ethernet-adapter.patch
new file mode 100644
index 00000000000..e6496e2ddc0
--- /dev/null
+++ b/queue-2.6.27/usb-net-asix-add-support-for-cables-to-go-usb-ethernet-adapter.patch
@@ -0,0 +1,32 @@
+From ccf95402d0ae6f433f29ce88cfd589cec8fc81ad Mon Sep 17 00:00:00 2001
+From: Jason Cooper
+Date: Tue, 11 Nov 2008 13:02:53 -0500
+Subject: USB: net: asix: add support for Cables-to-Go USB Ethernet adapter
+
+From: Jason Cooper
+
+commit ccf95402d0ae6f433f29ce88cfd589cec8fc81ad upstream.
+
+Add support to drivers/net/usb/asix.c for the Cables-to-Go "USB 2.0 to
+10/100 Ethernet Adapter". USB id 0b95:772a.
+
+Signed-off-by: Jason Cooper
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/usb/asix.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/usb/asix.c
++++ b/drivers/net/usb/asix.c
+@@ -1444,6 +1444,10 @@ static const struct usb_device_id produc
+ // Apple USB Ethernet Adapter
+ USB_DEVICE(0x05ac, 0x1402),
+ .driver_info = (unsigned long) &ax88772_info,
++}, {
++ // Cables-to-Go USB Ethernet Adapter
++ USB_DEVICE(0x0b95, 0x772a),
++ .driver_info = (unsigned long) &ax88772_info,
+ },
+ { }, // END
+ };
--
2.47.3