]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blob - src/patches/suse-2.6.27.39/patches.kernel.org/patch-2.6.27.26-27
projects / people / teissler / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Imported linux-2.6.27.39 suse/xen patches.
[people/teissler/ipfire-2.x.git] / src / patches / suse-2.6.27.39 / patches.kernel.org / patch-2.6.27.26-27
1 From: Greg Kroah-Hartman <gregkh@suse.de>
2 Subject: Linux 2.6.27.27
3
4 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
5
6 diff --git a/Makefile b/Makefile
7 index 90764ee..387a5fd 100644
8 --- a/Makefile
9 +++ b/Makefile
10 @@ -1,7 +1,7 @@
11 VERSION = 2
12 PATCHLEVEL = 6
13 SUBLEVEL = 27
14 -EXTRAVERSION = .26
15 +EXTRAVERSION = .27
16 NAME = Trembling Tortoise
17
18 # *DOCUMENTATION*
19 @@ -340,7 +340,8 @@ KBUILD_CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
20
21 KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
22 -fno-strict-aliasing -fno-common \
23 - -Werror-implicit-function-declaration
24 + -Werror-implicit-function-declaration \
25 + -fno-delete-null-pointer-checks
26 KBUILD_AFLAGS := -D__ASSEMBLY__
27
28 # Read KERNELRELEASE from include/config/kernel.release (if it exists)
29 @@ -556,7 +557,7 @@ KBUILD_CFLAGS += $(call cc-option,-Wdeclaration-after-statement,)
30 KBUILD_CFLAGS += $(call cc-option,-Wno-pointer-sign,)
31
32 # disable invalid "can't wrap" optimzations for signed / pointers
33 -KBUILD_CFLAGS += $(call cc-option,-fwrapv)
34 +KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow)
35
36 # Add user supplied CPPFLAGS, AFLAGS and CFLAGS as the last assignments
37 # But warn user when we do so
38 diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
39 index 615fcd3..5900f76 100644
40 --- a/drivers/block/floppy.c
41 +++ b/drivers/block/floppy.c
42 @@ -3320,7 +3320,10 @@ static inline int set_geometry(unsigned int cmd, struct floppy_struct *g,
43 if (!capable(CAP_SYS_ADMIN))
44 return -EPERM;
45 mutex_lock(&open_lock);
46 - LOCK_FDC(drive, 1);
47 + if (lock_fdc(drive, 1)) {
48 + mutex_unlock(&open_lock);
49 + return -EINTR;
50 + }
51 floppy_type[type] = *g;
52 floppy_type[type].name = "user format";
53 for (cnt = type << 2; cnt < (type << 2) + 4; cnt++)
54 diff --git a/drivers/md/dm.c b/drivers/md/dm.c
55 index 925efaf..ace998c 100644
56 --- a/drivers/md/dm.c
57 +++ b/drivers/md/dm.c
58 @@ -265,10 +265,6 @@ static int dm_blk_open(struct inode *inode, struct file *file)
59 goto out;
60 }
61
62 - if (test_bit(DMF_FREEING, &md->flags) ||
63 - test_bit(DMF_DELETING, &md->flags))
64 - return NULL;
65 -
66 dm_get(md);
67 atomic_inc(&md->open_count);
68
69 diff --git a/drivers/net/tulip/interrupt.c b/drivers/net/tulip/interrupt.c
70 index c6bad98..7faf84f 100644
71 --- a/drivers/net/tulip/interrupt.c
72 +++ b/drivers/net/tulip/interrupt.c
73 @@ -140,6 +140,7 @@ int tulip_poll(struct napi_struct *napi, int budget)
74 /* If we own the next entry, it is a new packet. Send it up. */
75 while ( ! (tp->rx_ring[entry].status & cpu_to_le32(DescOwned))) {
76 s32 status = le32_to_cpu(tp->rx_ring[entry].status);
77 + short pkt_len;
78
79 if (tp->dirty_rx + RX_RING_SIZE == tp->cur_rx)
80 break;
81 @@ -151,8 +152,28 @@ int tulip_poll(struct napi_struct *napi, int budget)
82 if (++work_done >= budget)
83 goto not_done;
84
85 - if ((status & 0x38008300) != 0x0300) {
86 - if ((status & 0x38000300) != 0x0300) {
87 + /*
88 + * Omit the four octet CRC from the length.
89 + * (May not be considered valid until we have
90 + * checked status for RxLengthOver2047 bits)
91 + */
92 + pkt_len = ((status >> 16) & 0x7ff) - 4;
93 +
94 + /*
95 + * Maximum pkt_len is 1518 (1514 + vlan header)
96 + * Anything higher than this is always invalid
97 + * regardless of RxLengthOver2047 bits
98 + */
99 +
100 + if ((status & (RxLengthOver2047 |
101 + RxDescCRCError |
102 + RxDescCollisionSeen |
103 + RxDescRunt |
104 + RxDescDescErr |
105 + RxWholePkt)) != RxWholePkt
106 + || pkt_len > 1518) {
107 + if ((status & (RxLengthOver2047 |
108 + RxWholePkt)) != RxWholePkt) {
109 /* Ingore earlier buffers. */
110 if ((status & 0xffff) != 0x7fff) {
111 if (tulip_debug > 1)
112 @@ -161,30 +182,23 @@ int tulip_poll(struct napi_struct *napi, int budget)
113 dev->name, status);
114 tp->stats.rx_length_errors++;
115 }
116 - } else if (status & RxDescFatalErr) {
117 + } else {
118 /* There was a fatal error. */
119 if (tulip_debug > 2)
120 printk(KERN_DEBUG "%s: Receive error, Rx status %8.8x.\n",
121 dev->name, status);
122 tp->stats.rx_errors++; /* end of a packet.*/
123 - if (status & 0x0890) tp->stats.rx_length_errors++;
124 + if (pkt_len > 1518 ||
125 + (status & RxDescRunt))
126 + tp->stats.rx_length_errors++;
127 +
128 if (status & 0x0004) tp->stats.rx_frame_errors++;
129 if (status & 0x0002) tp->stats.rx_crc_errors++;
130 if (status & 0x0001) tp->stats.rx_fifo_errors++;
131 }
132 } else {
133 - /* Omit the four octet CRC from the length. */
134 - short pkt_len = ((status >> 16) & 0x7ff) - 4;
135 struct sk_buff *skb;
136
137 -#ifndef final_version
138 - if (pkt_len > 1518) {
139 - printk(KERN_WARNING "%s: Bogus packet size of %d (%#x).\n",
140 - dev->name, pkt_len, pkt_len);
141 - pkt_len = 1518;
142 - tp->stats.rx_length_errors++;
143 - }
144 -#endif
145 /* Check if the packet is long enough to accept without copying
146 to a minimally-sized skbuff. */
147 if (pkt_len < tulip_rx_copybreak
148 @@ -357,14 +371,35 @@ static int tulip_rx(struct net_device *dev)
149 /* If we own the next entry, it is a new packet. Send it up. */
150 while ( ! (tp->rx_ring[entry].status & cpu_to_le32(DescOwned))) {
151 s32 status = le32_to_cpu(tp->rx_ring[entry].status);
152 + short pkt_len;
153
154 if (tulip_debug > 5)
155 printk(KERN_DEBUG "%s: In tulip_rx(), entry %d %8.8x.\n",
156 dev->name, entry, status);
157 if (--rx_work_limit < 0)
158 break;
159 - if ((status & 0x38008300) != 0x0300) {
160 - if ((status & 0x38000300) != 0x0300) {
161 +
162 + /*
163 + Omit the four octet CRC from the length.
164 + (May not be considered valid until we have
165 + checked status for RxLengthOver2047 bits)
166 + */
167 + pkt_len = ((status >> 16) & 0x7ff) - 4;
168 + /*
169 + Maximum pkt_len is 1518 (1514 + vlan header)
170 + Anything higher than this is always invalid
171 + regardless of RxLengthOver2047 bits
172 + */
173 +
174 + if ((status & (RxLengthOver2047 |
175 + RxDescCRCError |
176 + RxDescCollisionSeen |
177 + RxDescRunt |
178 + RxDescDescErr |
179 + RxWholePkt)) != RxWholePkt
180 + || pkt_len > 1518) {
181 + if ((status & (RxLengthOver2047 |
182 + RxWholePkt)) != RxWholePkt) {
183 /* Ingore earlier buffers. */
184 if ((status & 0xffff) != 0x7fff) {
185 if (tulip_debug > 1)
186 @@ -373,31 +408,22 @@ static int tulip_rx(struct net_device *dev)
187 dev->name, status);
188 tp->stats.rx_length_errors++;
189 }
190 - } else if (status & RxDescFatalErr) {
191 + } else {
192 /* There was a fatal error. */
193 if (tulip_debug > 2)
194 printk(KERN_DEBUG "%s: Receive error, Rx status %8.8x.\n",
195 dev->name, status);
196 tp->stats.rx_errors++; /* end of a packet.*/
197 - if (status & 0x0890) tp->stats.rx_length_errors++;
198 + if (pkt_len > 1518 ||
199 + (status & RxDescRunt))
200 + tp->stats.rx_length_errors++;
201 if (status & 0x0004) tp->stats.rx_frame_errors++;
202 if (status & 0x0002) tp->stats.rx_crc_errors++;
203 if (status & 0x0001) tp->stats.rx_fifo_errors++;
204 }
205 } else {
206 - /* Omit the four octet CRC from the length. */
207 - short pkt_len = ((status >> 16) & 0x7ff) - 4;
208 struct sk_buff *skb;
209
210 -#ifndef final_version
211 - if (pkt_len > 1518) {
212 - printk(KERN_WARNING "%s: Bogus packet size of %d (%#x).\n",
213 - dev->name, pkt_len, pkt_len);
214 - pkt_len = 1518;
215 - tp->stats.rx_length_errors++;
216 - }
217 -#endif
218 -
219 /* Check if the packet is long enough to accept without copying
220 to a minimally-sized skbuff. */
221 if (pkt_len < tulip_rx_copybreak
222 diff --git a/drivers/net/tulip/tulip.h b/drivers/net/tulip/tulip.h
223 index 19abbc3..0afa2d4 100644
224 --- a/drivers/net/tulip/tulip.h
225 +++ b/drivers/net/tulip/tulip.h
226 @@ -201,8 +201,38 @@ enum desc_status_bits {
227 DescStartPkt = 0x20000000,
228 DescEndRing = 0x02000000,
229 DescUseLink = 0x01000000,
230 - RxDescFatalErr = 0x008000,
231 +
232 + /*
233 + * Error summary flag is logical or of 'CRC Error', 'Collision Seen',
234 + * 'Frame Too Long', 'Runt' and 'Descriptor Error' flags generated
235 + * within tulip chip.
236 + */
237 + RxDescErrorSummary = 0x8000,
238 + RxDescCRCError = 0x0002,
239 + RxDescCollisionSeen = 0x0040,
240 +
241 + /*
242 + * 'Frame Too Long' flag is set if packet length including CRC exceeds
243 + * 1518. However, a full sized VLAN tagged frame is 1522 bytes
244 + * including CRC.
245 + *
246 + * The tulip chip does not block oversized frames, and if this flag is
247 + * set on a receive descriptor it does not indicate the frame has been
248 + * truncated. The receive descriptor also includes the actual length.
249 + * Therefore we can safety ignore this flag and check the length
250 + * ourselves.
251 + */
252 + RxDescFrameTooLong = 0x0080,
253 + RxDescRunt = 0x0800,
254 + RxDescDescErr = 0x4000,
255 RxWholePkt = 0x00000300,
256 + /*
257 + * Top three bits of 14 bit frame length (status bits 27-29) should
258 + * never be set as that would make frame over 2047 bytes. The Receive
259 + * Watchdog flag (bit 4) may indicate the length is over 2048 and the
260 + * length field is invalid.
261 + */
262 + RxLengthOver2047 = 0x38000010
263 };
264
265
266 diff --git a/drivers/pci/iova.c b/drivers/pci/iova.c
267 index 3ef4ac0..078bf8b 100644
268 --- a/drivers/pci/iova.c
269 +++ b/drivers/pci/iova.c
270 @@ -1,9 +1,19 @@
271 /*
272 - * Copyright (c) 2006, Intel Corporation.
273 + * Copyright © 2006-2009, Intel Corporation.
274 *
275 - * This file is released under the GPLv2.
276 + * This program is free software; you can redistribute it and/or modify it
277 + * under the terms and conditions of the GNU General Public License,
278 + * version 2, as published by the Free Software Foundation.
279 + *
280 + * This program is distributed in the hope it will be useful, but WITHOUT
281 + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
282 + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
283 + * more details.
284 + *
285 + * You should have received a copy of the GNU General Public License along with
286 + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
287 + * Place - Suite 330, Boston, MA 02111-1307 USA.
288 *
289 - * Copyright (C) 2006-2008 Intel Corporation
290 * Author: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
291 */
292
293 @@ -123,7 +133,15 @@ move_left:
294 /* Insert the new_iova into domain rbtree by holding writer lock */
295 /* Add new node and rebalance tree. */
296 {
297 - struct rb_node **entry = &((prev)), *parent = NULL;
298 + struct rb_node **entry, *parent = NULL;
299 +
300 + /* If we have 'prev', it's a valid place to start the
301 + insertion. Otherwise, start from the root. */
302 + if (prev)
303 + entry = &prev;
304 + else
305 + entry = &iovad->rbroot.rb_node;
306 +
307 /* Figure out where to put new node */
308 while (*entry) {
309 struct iova *this = container_of(*entry,
310 diff --git a/include/linux/mm.h b/include/linux/mm.h
311 index ae9775d..eeb7e56 100644
312 --- a/include/linux/mm.h
313 +++ b/include/linux/mm.h
314 @@ -572,12 +572,10 @@ static inline void set_page_links(struct page *page, enum zone_type zone,
315 */
316 static inline unsigned long round_hint_to_min(unsigned long hint)
317 {
318 -#ifdef CONFIG_SECURITY
319 hint &= PAGE_MASK;
320 if (((void *)hint != NULL) &&
321 (hint < mmap_min_addr))
322 return PAGE_ALIGN(mmap_min_addr);
323 -#endif
324 return hint;
325 }
326
327 diff --git a/include/linux/personality.h b/include/linux/personality.h
328 index a84e9ff..1261208 100644
329 --- a/include/linux/personality.h
330 +++ b/include/linux/personality.h
331 @@ -40,7 +40,10 @@ enum {
332 * Security-relevant compatibility flags that must be
333 * cleared upon setuid or setgid exec:
334 */
335 -#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
336 +#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
337 + ADDR_NO_RANDOMIZE | \
338 + ADDR_COMPAT_LAYOUT | \
339 + MMAP_PAGE_ZERO)
340
341 /*
342 * Personality types.
343 diff --git a/include/linux/security.h b/include/linux/security.h
344 index 80c4d00..1638afd 100644
345 --- a/include/linux/security.h
346 +++ b/include/linux/security.h
347 @@ -2134,6 +2134,8 @@ static inline int security_file_mmap(struct file *file, unsigned long reqprot,
348 unsigned long addr,
349 unsigned long addr_only)
350 {
351 + if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
352 + return -EACCES;
353 return 0;
354 }
355
356 diff --git a/kernel/resource.c b/kernel/resource.c
357 index 03d796c..87f675a 100644
358 --- a/kernel/resource.c
359 +++ b/kernel/resource.c
360 @@ -741,7 +741,7 @@ static int __init reserve_setup(char *str)
361 static struct resource reserve[MAXRESERVE];
362
363 for (;;) {
364 - int io_start, io_num;
365 + unsigned int io_start, io_num;
366 int x = reserved;
367
368 if (get_option (&str, &io_start) != 2)
369 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
370 index 6816e6d..1228d65 100644
371 --- a/kernel/sysctl.c
372 +++ b/kernel/sysctl.c
373 @@ -1132,7 +1132,6 @@ static struct ctl_table vm_table[] = {
374 .strategy = &sysctl_jiffies,
375 },
376 #endif
377 -#ifdef CONFIG_SECURITY
378 {
379 .ctl_name = CTL_UNNUMBERED,
380 .procname = "mmap_min_addr",
381 @@ -1141,7 +1140,6 @@ static struct ctl_table vm_table[] = {
382 .mode = 0644,
383 .proc_handler = &proc_doulongvec_minmax,
384 },
385 -#endif
386 #ifdef CONFIG_NUMA
387 {
388 .ctl_name = CTL_UNNUMBERED,
389 diff --git a/mm/Kconfig b/mm/Kconfig
390 index 0bd9c2d..07b4ec4 100644
391 --- a/mm/Kconfig
392 +++ b/mm/Kconfig
393 @@ -208,3 +208,21 @@ config VIRT_TO_BUS
394
395 config MMU_NOTIFIER
396 bool
397 +
398 +config DEFAULT_MMAP_MIN_ADDR
399 + int "Low address space to protect from user allocation"
400 + default 4096
401 + help
402 + This is the portion of low virtual memory which should be protected
403 + from userspace allocation. Keeping a user from writing to low pages
404 + can help reduce the impact of kernel NULL pointer bugs.
405 +
406 + For most ia64, ppc64 and x86 users with lots of address space
407 + a value of 65536 is reasonable and should cause no problems.
408 + On arm and other archs it should not be higher than 32768.
409 + Programs which use vm86 functionality would either need additional
410 + permissions from either the LSM or the capabilities module or have
411 + this protection disabled.
412 +
413 + This value can be changed after boot using the
414 + /proc/sys/vm/mmap_min_addr tunable.
415 diff --git a/mm/mmap.c b/mm/mmap.c
416 index 2ae093e..d330758 100644
417 --- a/mm/mmap.c
418 +++ b/mm/mmap.c
419 @@ -86,6 +86,9 @@ int sysctl_overcommit_ratio = 50; /* default is 50% */
420 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
421 atomic_long_t vm_committed_space = ATOMIC_LONG_INIT(0);
422
423 +/* amount of vm to protect from userspace access */
424 +unsigned long mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
425 +
426 /*
427 * Check that a process has enough memory to allocate a new virtual
428 * mapping. 0 means there is enough memory for the allocation to
429 diff --git a/security/Kconfig b/security/Kconfig
430 index 5592939..38411dd 100644
431 --- a/security/Kconfig
432 +++ b/security/Kconfig
433 @@ -92,28 +92,8 @@ config SECURITY_ROOTPLUG
434
435 See <http://www.linuxjournal.com/article.php?sid=6279> for
436 more information about this module.
437 -
438 - If you are unsure how to answer this question, answer N.
439 -
440 -config SECURITY_DEFAULT_MMAP_MIN_ADDR
441 - int "Low address space to protect from user allocation"
442 - depends on SECURITY
443 - default 0
444 - help
445 - This is the portion of low virtual memory which should be protected
446 - from userspace allocation. Keeping a user from writing to low pages
447 - can help reduce the impact of kernel NULL pointer bugs.
448 -
449 - For most ia64, ppc64 and x86 users with lots of address space
450 - a value of 65536 is reasonable and should cause no problems.
451 - On arm and other archs it should not be higher than 32768.
452 - Programs which use vm86 functionality would either need additional
453 - permissions from either the LSM or the capabilities module or have
454 - this protection disabled.
455 -
456 - This value can be changed after boot using the
457 - /proc/sys/vm/mmap_min_addr tunable.
458
459 + If you are unsure how to answer this question, answer N.
460
461 source security/selinux/Kconfig
462 source security/smack/Kconfig
463 diff --git a/security/security.c b/security/security.c
464 index 3a4b4f5..27a315d 100644
465 --- a/security/security.c
466 +++ b/security/security.c
467 @@ -26,9 +26,6 @@ extern void security_fixup_ops(struct security_operations *ops);
468
469 struct security_operations *security_ops; /* Initialized to NULL */
470
471 -/* amount of vm to protect from userspace access */
472 -unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR;
473 -
474 static inline int verify(struct security_operations *ops)
475 {
476 /* verify the security_operations structure exists */
Timo's tree of IPFire 2.x