From: Greg Kroah-Hartman
Date: Thu, 10 Mar 2011 22:33:41 +0000 (-0800)
Subject: .37 patches
X-Git-Tag: v2.6.37.4~2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=f0b2f3da343e34fad1f9e8fef4bce10a310a2dd2;p=thirdparty%2Fkernel%2Fstable-queue.git
.37 patches
---
diff --git a/queue-2.6.37/cx23885-revert-check-for-slave-nack-on-all-transactions.patch b/queue-2.6.37/cx23885-revert-check-for-slave-nack-on-all-transactions.patch
new file mode 100644
index 00000000000..7b363c7b844
--- /dev/null
+++ b/queue-2.6.37/cx23885-revert-check-for-slave-nack-on-all-transactions.patch
@@ -0,0 +1,53 @@
+From 67914b5c400d6c213f9e56d7547a2038ab5c06f4 Mon Sep 17 00:00:00 2001
+From: Andy Walls
+Date: Sun, 13 Feb 2011 21:52:50 -0300
+Subject: [media] cx23885: Revert "Check for slave nack on all transactions"
+
+From: Andy Walls
+
+commit 67914b5c400d6c213f9e56d7547a2038ab5c06f4 upstream.
+
+This reverts commit 44835f197bf1e3f57464f23dfb239fef06cf89be.
+
+With the CX23885 hardware I2C master, checking for I2C slave ACK/NAK
+is not valid when the I2C_EXTEND or I2C_NOSTOP bits are set.
+Revert the commit that checks for I2C slave ACK/NAK on all transactions,
+so that XC5000 tuners work with the CX23885 again.
+
+Thanks go to Mark Zimmerman for reporting and bisecting this problem.
+
+Bisected-by: Mark Zimmerman
+
+Reported-by: Mark Zimmerman
+Signed-off-by: Andy Walls
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/video/cx23885/cx23885-i2c.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/drivers/media/video/cx23885/cx23885-i2c.c
++++ b/drivers/media/video/cx23885/cx23885-i2c.c
+@@ -122,10 +122,6 @@ static int i2c_sendbytes(struct i2c_adap
+
+ if (!i2c_wait_done(i2c_adap))
+ goto eio;
+- if (!i2c_slave_did_ack(i2c_adap)) {
+- retval = -ENXIO;
+- goto err;
+- }
+ if (i2c_debug) {
+ printk(" addr << 1, msg->buf[0]);
+ if (!(ctrl & I2C_NOSTOP))
+@@ -209,10 +205,6 @@ static int i2c_readbytes(struct i2c_adap
+
+ if (!i2c_wait_done(i2c_adap))
+ goto eio;
+- if (cnt == 0 && !i2c_slave_did_ack(i2c_adap)) {
+- retval = -ENXIO;
+- goto err;
+- }
+ msg->buf[cnt] = cx_read(bus->reg_rdata) & 0xff;
+ if (i2c_debug) {
+ dprintk(1, " %02x", msg->buf[cnt]);
diff --git a/queue-2.6.37/cx25840-fix-probing-of-cx2583x-chips.patch b/queue-2.6.37/cx25840-fix-probing-of-cx2583x-chips.patch
new file mode 100644
index 00000000000..e2bb4007431
--- /dev/null
+++ b/queue-2.6.37/cx25840-fix-probing-of-cx2583x-chips.patch
@@ -0,0 +1,35 @@
+From 1e6406b8f0dc1ae7d7c39c9e1ac6ca78e016ebfb Mon Sep 17 00:00:00 2001
+From: Sven Barth
+Date: Sun, 13 Feb 2011 22:09:43 -0300
+Subject: [media] cx25840: fix probing of cx2583x chips
+
+From: Sven Barth
+
+commit 1e6406b8f0dc1ae7d7c39c9e1ac6ca78e016ebfb upstream.
+
+Fix the probing of cx2583x chips, because two controls were clustered
+that are not created for these chips.
+
+This regression was introduced in 2.6.36.
+
+Signed-off-by: Sven Barth
+Signed-off-by: Andy Walls
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/video/cx25840/cx25840-core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/video/cx25840/cx25840-core.c
++++ b/drivers/media/video/cx25840/cx25840-core.c
+@@ -2031,7 +2031,8 @@ static int cx25840_probe(struct i2c_clie
+ kfree(state);
+ return err;
+ }
+- v4l2_ctrl_cluster(2, &state->volume);
++ if (!is_cx2583x(state))
++ v4l2_ctrl_cluster(2, &state->volume);
+ v4l2_ctrl_handler_setup(&state->hdl);
+
+ cx25840_ir_probe(sd);
diff --git a/queue-2.6.37/dib7000m-add-pid-filtering.patch b/queue-2.6.37/dib7000m-add-pid-filtering.patch
new file mode 100644
index 00000000000..7f3b1b95bbb
--- /dev/null
+++ b/queue-2.6.37/dib7000m-add-pid-filtering.patch
@@ -0,0 +1,123 @@ +From e192a7cf0effe7680264a5bc35c0ad1bdcdc921c Mon Sep 17 00:00:00 2001 +From: Olivier Grenie +Date: Fri, 14 Jan 2011 13:58:59 -0300 +Subject: [media] DiB7000M: add pid filtering + +From: Olivier Grenie + +commit e192a7cf0effe7680264a5bc35c0ad1bdcdc921c upstream. + +This patch adds the pid filtering for the dib7000M demod. It also +corrects the pid filtering for the dib7700 based board. It should +prevent an oops, when using dib7700p based board. + +References: https://bugzilla.novell.com/show_bug.cgi?id=644807 + +Signed-off-by: Olivier Grenie +Signed-off-by: Patrick Boettcher +Tested-by: Pavel SKARKA +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb/dvb-usb/dib0700_devices.c | 21 +++++++++++++++++++-- + drivers/media/dvb/frontends/dib7000m.c | 19 +++++++++++++++++++ + drivers/media/dvb/frontends/dib7000m.h | 15 +++++++++++++++ + 3 files changed, 53 insertions(+), 2 deletions(-) + +--- a/drivers/media/dvb/dvb-usb/dib0700_devices.c ++++ b/drivers/media/dvb/dvb-usb/dib0700_devices.c +@@ -870,6 +870,23 @@ static int dib7070p_tuner_attach(struct + return 0; + } + ++static int stk7700p_pid_filter(struct dvb_usb_adapter *adapter, int index, ++ u16 pid, int onoff) ++{ ++ struct dib0700_state *st = adapter->dev->priv; ++ if (st->is_dib7000pc) ++ return dib7000p_pid_filter(adapter->fe, index, pid, onoff); ++ return dib7000m_pid_filter(adapter->fe, index, pid, onoff); ++} ++ ++static int stk7700p_pid_filter_ctrl(struct dvb_usb_adapter *adapter, int onoff) ++{ ++ struct dib0700_state *st = adapter->dev->priv; ++ if (st->is_dib7000pc) ++ return dib7000p_pid_filter_ctrl(adapter->fe, onoff); ++ return dib7000m_pid_filter_ctrl(adapter->fe, onoff); ++} ++ + static int stk70x0p_pid_filter(struct dvb_usb_adapter *adapter, int index, u16 pid, int onoff) + { + return dib7000p_pid_filter(adapter->fe, index, pid, onoff); +@@ -1875,8 +1892,8 @@ struct dvb_usb_device_properties dib0700 + { + .caps = 
DVB_USB_ADAP_HAS_PID_FILTER | DVB_USB_ADAP_PID_FILTER_CAN_BE_TURNED_OFF, + .pid_filter_count = 32, +- .pid_filter = stk70x0p_pid_filter, +- .pid_filter_ctrl = stk70x0p_pid_filter_ctrl, ++ .pid_filter = stk7700p_pid_filter, ++ .pid_filter_ctrl = stk7700p_pid_filter_ctrl, + .frontend_attach = stk7700p_frontend_attach, + .tuner_attach = stk7700p_tuner_attach, + +--- a/drivers/media/dvb/frontends/dib7000m.c ++++ b/drivers/media/dvb/frontends/dib7000m.c +@@ -1285,6 +1285,25 @@ struct i2c_adapter * dib7000m_get_i2c_ma + } + EXPORT_SYMBOL(dib7000m_get_i2c_master); + ++int dib7000m_pid_filter_ctrl(struct dvb_frontend *fe, u8 onoff) ++{ ++ struct dib7000m_state *state = fe->demodulator_priv; ++ u16 val = dib7000m_read_word(state, 294 + state->reg_offs) & 0xffef; ++ val |= (onoff & 0x1) << 4; ++ dprintk("PID filter enabled %d", onoff); ++ return dib7000m_write_word(state, 294 + state->reg_offs, val); ++} ++EXPORT_SYMBOL(dib7000m_pid_filter_ctrl); ++ ++int dib7000m_pid_filter(struct dvb_frontend *fe, u8 id, u16 pid, u8 onoff) ++{ ++ struct dib7000m_state *state = fe->demodulator_priv; ++ dprintk("PID filter: index %x, PID %d, OnOff %d", id, pid, onoff); ++ return dib7000m_write_word(state, 300 + state->reg_offs + id, ++ onoff ? 
(1 << 13) | pid : 0); ++} ++EXPORT_SYMBOL(dib7000m_pid_filter); ++ + #if 0 + /* used with some prototype boards */ + int dib7000m_i2c_enumeration(struct i2c_adapter *i2c, int no_of_demods, +--- a/drivers/media/dvb/frontends/dib7000m.h ++++ b/drivers/media/dvb/frontends/dib7000m.h +@@ -46,6 +46,8 @@ extern struct dvb_frontend *dib7000m_att + extern struct i2c_adapter *dib7000m_get_i2c_master(struct dvb_frontend *, + enum dibx000_i2c_interface, + int); ++extern int dib7000m_pid_filter(struct dvb_frontend *, u8 id, u16 pid, u8 onoff); ++extern int dib7000m_pid_filter_ctrl(struct dvb_frontend *fe, u8 onoff); + #else + static inline + struct dvb_frontend *dib7000m_attach(struct i2c_adapter *i2c_adap, +@@ -63,6 +65,19 @@ struct i2c_adapter *dib7000m_get_i2c_mas + printk(KERN_WARNING "%s: driver disabled by Kconfig\n", __func__); + return NULL; + } ++static inline int dib7000m_pid_filter(struct dvb_frontend *fe, u8 id, ++ u16 pid, u8 onoff) ++{ ++ printk(KERN_WARNING "%s: driver disabled by Kconfig\n", __func__); ++ return -ENODEV; ++} ++ ++static inline int dib7000m_pid_filter_ctrl(struct dvb_frontend *fe, ++ uint8_t onoff) ++{ ++ printk(KERN_WARNING "%s: driver disabled by Kconfig\n", __func__); ++ return -ENODEV; ++} + #endif + + /* TODO diff --git a/queue-2.6.37/drivers-net-call-netif_carrier_off-at-the-end-of-the-probe.patch b/queue-2.6.37/drivers-net-call-netif_carrier_off-at-the-end-of-the-probe.patch new file mode 100644 index 00000000000..9b1abb746f2 --- /dev/null +++ b/queue-2.6.37/drivers-net-call-netif_carrier_off-at-the-end-of-the-probe.patch 
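Review bot: `dib7000m_pid_filter()` in dib7000m.c uses `id` and `pid` unchecked: `id` is added straight into the register address (`300 + state->reg_offs + id`) and `pid` is OR-ed with the enable bit `1 << 13`, so an index past the filter table or a PID wider than 13 bits would write an unintended register or set bits outside the PID field. The adapter entry in this patch advertises `pid_filter_count = 32` and the callers presumably stay inside it, but the function is exported and should not depend on that; a guard such as `if (id >= 32) return -EINVAL;` (bound to be confirmed against the demod's filter count) and `pid & 0x1fff` in the written value would make it self-contained. The stk7700p wrappers also pass `int index` and `int onoff` into `u8` parameters, and the Kconfig stub declares `uint8_t onoff` where the prototype uses `u8`; one spelling would be cleaner.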
@@ -0,0 +1,48 @@
+From 0d672e9f8ac320c6d1ea9103db6df7f99ea20361 Mon Sep 17 00:00:00 2001
+From: Ivan Vecera
+Date: Tue, 15 Feb 2011 02:08:39 +0000
+Subject: drivers/net: Call netif_carrier_off at the end of the probe
+
+From: Ivan Vecera
+
+commit 0d672e9f8ac320c6d1ea9103db6df7f99ea20361 upstream.
+
+Without calling of netif_carrier_off at the end of the probe the operstate
+is unknown when the device is initially opened. By default the carrier is
+on so when the device is opened and netif_carrier_on is called the link
+watch event is not fired and operstate remains zero (unknown).
+
+This patch fixes this behavior in forcedeth and r8169.
+
+Signed-off-by: Ivan Vecera
+Acked-by: Francois Romieu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/forcedeth.c | 2 ++
+ drivers/net/r8169.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/net/forcedeth.c
++++ b/drivers/net/forcedeth.c
+@@ -5816,6 +5816,8 @@ static int __devinit nv_probe(struct pci
+ goto out_error;
+ }
+
++ netif_carrier_off(dev);
++
+ dev_printk(KERN_INFO, &pci_dev->dev, "ifname %s, PHY OUI 0x%x @ %d, "
+ "addr %2.2x:%2.2x:%2.2x:%2.2x:%2.2x:%2.2x\n",
+ dev->name,
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -3236,6 +3236,8 @@ rtl8169_init_one(struct pci_dev *pdev, c
+ if (pci_dev_run_wake(pdev))
+ pm_runtime_put_noidle(&pdev->dev);
+
++ netif_carrier_off(dev);
++
+ out:
+ return rc;
+
diff --git a/queue-2.6.37/ipvs-fix-dst_lock-locking-on-dest-update.patch b/queue-2.6.37/ipvs-fix-dst_lock-locking-on-dest-update.patch
new file mode 100644
index 00000000000..2d5ed8cef43
--- /dev/null
+++ b/queue-2.6.37/ipvs-fix-dst_lock-locking-on-dest-update.patch
@@ -0,0 +1,40 @@
+From ff75f40f44ae9b79d520bf32a05d35af74a805c0 Mon Sep 17 00:00:00 2001
+From: Julian Anastasov
+Date: Tue, 22 Feb 2011 10:40:25 +0200
+Subject: ipvs: fix dst_lock locking on dest update
+
+From: Julian Anastasov
+
+commit ff75f40f44ae9b79d520bf32a05d35af74a805c0 upstream.
+
+ Fix dst_lock usage in __ip_vs_update_dest. We need
+_bh locking because destination is updated in user context.
+Can cause lockups on frequent destination updates.
+Problem reported by Simon Kirby. Bug was introduced
+in 2.6.37 from the "ipvs: changes for local real server"
+change.
+
+Signed-off-by: Julian Anastasov
+Signed-off-by: Hans Schillstrom
+Signed-off-by: Simon Horman
+Cc: Simon Kirby
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -810,9 +810,9 @@ __ip_vs_update_dest(struct ip_vs_service
+ dest->u_threshold = udest->u_threshold;
+ dest->l_threshold = udest->l_threshold;
+
+- spin_lock(&dest->dst_lock);
++ spin_lock_bh(&dest->dst_lock);
+ ip_vs_dst_reset(dest);
+- spin_unlock(&dest->dst_lock);
++ spin_unlock_bh(&dest->dst_lock);
+
+ if (add)
+ ip_vs_new_estimator(&dest->stats);
diff --git a/queue-2.6.37/ivtv-fix-corrective-action-taken-upon-dma-err-interrupt-to-avoid-hang.patch b/queue-2.6.37/ivtv-fix-corrective-action-taken-upon-dma-err-interrupt-to-avoid-hang.patch
new file mode 100644
index 00000000000..d5e13774f10
--- /dev/null
+++ b/queue-2.6.37/ivtv-fix-corrective-action-taken-upon-dma-err-interrupt-to-avoid-hang.patch
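Review bot: The switch to `spin_lock_bh()`/`spin_unlock_bh()` in `__ip_vs_update_dest()` carries no comment, so the reason for the `_bh` variant lives only in the commit message. A one-line comment such as `/* dst_lock is also taken in softirq context; keep BHs off while holding it from process context */` would stop a later cleanup from reverting it. The wording should be confirmed against the other `dst_lock` users, which are not visible in this hunk.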
@@ -0,0 +1,181 @@ +From d213ad08362909ab50fbd6568fcc9fd568268d29 Mon Sep 17 00:00:00 2001 +From: Michael +Date: Sat, 26 Feb 2011 01:56:34 -0300 +Subject: [media] ivtv: Fix corrective action taken upon DMA ERR interrupt to avoid hang + +From: Michael + +commit d213ad08362909ab50fbd6568fcc9fd568268d29 upstream. + +After upgrading the kernel from stock Ubuntu 7.10 to +10.04, with no hardware changes, I started getting the dreaded DMA +TIMEOUT errors, followed by inability to encode until the machine was +rebooted. + +I came across a post from Andy in March +(http://www.gossamer-threads.com/lists/ivtv/users/40943#40943) where he +speculates that perhaps the corrective actions being taken after a DMA +ERROR are not sufficient to recover the situation. After some testing +I suspect that this is indeed the case, and that in fact the corrective +action may be what hangs the card's DMA engine, rather than the +original error. + +Specifically these DMA ERROR IRQs seem to present with two different +values in the IVTV_REG_DMASTATUS register: 0x11 and 0x13. The current +corrective action is to clear that status register back to 0x01 or +0x03, and then issue the next DMA request. In the case of a 0x13 this +seems to result in a minor glitch in the encoded stream due to the +failed transfer that was not retried, but otherwise things continue OK. +In the case of a 0x11 the card's DMA write engine is never heard from +again, and a DMA TIMEOUT follows shortly after. 0x11 is the killer. + +I suspect that the two cases need to be handled differently. The +difference is in bit 1 (0x02), which is set when the error is about to +be successfully recovered, and clear when things are about to go bad. + +Bit 1 of DMASTATUS is described differently in different places either +as a positive "write finished", or an inverted "write busy". If we +take the first definition, then when an error arises with state 0x11, +it means that the write did not complete. 
It makes sense to start a +new transfer, as in the current code. But if we take the second +definition, then 0x11 means "an error but the write engine is still +busy". Trying to feed it a new transfer in this situation might not be +a good idea. + +As an experiment, I added code to ignore the DMA ERROR IRQ if DMASTATUS +is 0x11. I.e., don't start a new transfer, don't clear our flags, etc. +The hope was that the card would complete the transfer and issue a ENC +DMA COMPLETE, either successfully or with an error condition there. +However the card still hung. + +The only remaining corrective action being taken with a 0x11 status was +then the write back to the status register to clear the error, i.e. +DMASTATUS = DMASTATUS & ~3. This would have the effect of clearing the +error bit 4, while leaving the lower bits indicating DMA write busy. + +Strangely enough, removing this write to the status register solved the +problem! If the DMA ERROR IRQ with DMASTATUS=0x11 is completely +ignored, with no corrective action at all, then the card will complete +the transfer and issue a new IRQ. If the status register is written to +when it has the value 0x11, then the DMA engine hangs. Perhaps it's +illegal to write to +DMASTATUS while the read or write busy bit is set? At any rate, it +appears that the current corrective action is indeed making things +worse rather than better. + +I put together a patch that modifies ivtv_irq_dma_err to do the +following: + +- Don't write back to IVTV_REG_DMASTATUS. +- If write-busy is asserted, leave the card alone. Just extend the +timeout slightly. +- If write-busy is de-asserted, retry the current transfer. + +This has completely fixed my DMA TIMEOUT woes. DMA ERR events still +occur, but now they seem to be correctly handled. 0x11 events no +longer hang the card, and 0x13 events no longer result in a glitch in +the stream, as the failed transfer is retried. I'm happy. + +I've inlined the patch below in case it is of interest. 
As described +above, I have a theory about why it works (based on a different +interpretation of bit 1 of DMASTATUS), but I can't guarantee that my +theory is correct. There may be another explanation, or it may be a +fluke. Maybe ignoring that IRQ entirely would be equally effective? +Maybe the status register read/writeback sequence is race condition if +the card changes it in the mean time? Also as I am using a PVR-150 +only, I have not been able to test it on other cards, which may be +especially relevant for 350s that support concurrent decoding. +Hopefully the patch does not break the DMA READ path. + +Mike + +[awalls@md.metrocast.net: Modified patch to add a verbose comment, make minor +brace reformats, and clear the error flags in the IVTV_REG_DMASTATUS iff both +read and write DMA were not in progress. Mike's conjecture about a race +condition with the writeback is correct; it can confuse the DMA engine.] + +[Comment and analysis from the ML post by Michael ] +Signed-off-by: Andy Walls +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/ivtv/ivtv-irq.c | 58 +++++++++++++++++++++++++++++++----- + 1 file changed, 51 insertions(+), 7 deletions(-) + +--- a/drivers/media/video/ivtv/ivtv-irq.c ++++ b/drivers/media/video/ivtv/ivtv-irq.c +@@ -628,22 +628,66 @@ static void ivtv_irq_enc_pio_complete(st + static void ivtv_irq_dma_err(struct ivtv *itv) + { + u32 data[CX2341X_MBOX_MAX_DATA]; ++ u32 status; + + del_timer(&itv->dma_timer); ++ + ivtv_api_get_data(&itv->enc_mbox, IVTV_MBOX_DMA_END, 2, data); ++ status = read_reg(IVTV_REG_DMASTATUS); + IVTV_DEBUG_WARN("DMA ERROR %08x %08x %08x %d\n", data[0], data[1], +- read_reg(IVTV_REG_DMASTATUS), itv->cur_dma_stream); +- write_reg(read_reg(IVTV_REG_DMASTATUS) & 3, IVTV_REG_DMASTATUS); ++ status, itv->cur_dma_stream); ++ /* ++ * We do *not* write back to the IVTV_REG_DMASTATUS register to ++ * clear the error status, if either the encoder write (0x02) or ++ * decoder read 
(0x01) bus master DMA operation do not indicate ++ * completed. We can race with the DMA engine, which may have ++ * transitioned to completed status *after* we read the register. ++ * Setting a IVTV_REG_DMASTATUS flag back to "busy" status, after the ++ * DMA engine has completed, will cause the DMA engine to stop working. ++ */ ++ status &= 0x3; ++ if (status == 0x3) ++ write_reg(status, IVTV_REG_DMASTATUS); ++ + if (!test_bit(IVTV_F_I_UDMA, &itv->i_flags) && + itv->cur_dma_stream >= 0 && itv->cur_dma_stream < IVTV_MAX_STREAMS) { + struct ivtv_stream *s = &itv->streams[itv->cur_dma_stream]; + +- /* retry */ +- if (s->type >= IVTV_DEC_STREAM_TYPE_MPG) ++ if (s->type >= IVTV_DEC_STREAM_TYPE_MPG) { ++ /* retry */ ++ /* ++ * FIXME - handle cases of DMA error similar to ++ * encoder below, except conditioned on status & 0x1 ++ */ + ivtv_dma_dec_start(s); +- else +- ivtv_dma_enc_start(s); +- return; ++ return; ++ } else { ++ if ((status & 0x2) == 0) { ++ /* ++ * CX2341x Bus Master DMA write is ongoing. ++ * Reset the timer and let it complete. ++ */ ++ itv->dma_timer.expires = ++ jiffies + msecs_to_jiffies(600); ++ add_timer(&itv->dma_timer); ++ return; ++ } ++ ++ if (itv->dma_retries < 3) { ++ /* ++ * CX2341x Bus Master DMA write has ended. ++ * Retry the write, starting with the first ++ * xfer segment. Just retrying the current ++ * segment is not sufficient. ++ */ ++ s->sg_processed = 0; ++ itv->dma_retries++; ++ ivtv_dma_enc_start_xfer(s); ++ return; ++ } ++ /* Too many retries, give up on this one */ ++ } ++ + } + if (test_bit(IVTV_F_I_UDMA, &itv->i_flags)) { + ivtv_udma_start(itv); diff --git a/queue-2.6.37/net-don-t-allow-cap_net_admin-to-load-non-netdev-kernel-modules.patch b/queue-2.6.37/net-don-t-allow-cap_net_admin-to-load-non-netdev-kernel-modules.patch new file mode 100644 index 00000000000..e6f03735600 --- /dev/null +++ b/queue-2.6.37/net-don-t-allow-cap_net_admin-to-load-non-netdev-kernel-modules.patch 
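Review bot: The rewritten `ivtv_irq_dma_err()` tests `status` against bare `0x3`, `0x2` and `0x1` and hard-codes the 600 ms timer extension and the retry limit of 3; named constants for the DMASTATUS read/write bits and for the two limits would let the code carry the meaning that today lives only in the long comment. In the write-busy branch the timer is re-armed on every error interrupt with no bound, and nothing in the hunk shows where `itv->dma_retries` is reset, so it is worth confirming that a card stuck in the busy state still reaches the timeout path and that the counter is cleared when a transfer completes. The "give up" path falls out of the `else` block without logging; a short `IVTV_DEBUG_WARN` there would make abandoned transfers visible. The function continues past the end of the hunk.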
@@ -0,0 +1,140 @@ +From 8909c9ad8ff03611c9c96c9a92656213e4bb495b Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov +Date: Wed, 2 Mar 2011 00:33:13 +0300 +Subject: net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules + +From: Vasiliy Kulikov + +commit 8909c9ad8ff03611c9c96c9a92656213e4bb495b upstream. + +Since a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c any process with +CAP_NET_ADMIN may load any module from /lib/modules/. This doesn't mean +that CAP_NET_ADMIN is a superset of CAP_SYS_MODULE as modules are +limited to /lib/modules/**. However, CAP_NET_ADMIN capability shouldn't +allow anybody load any module not related to networking. + +This patch restricts an ability of autoloading modules to netdev modules +with explicit aliases. This fixes CVE-2011-1019. + +Arnd Bergmann suggested to leave untouched the old pre-v2.6.32 behavior +of loading netdev modules by name (without any prefix) for processes +with CAP_SYS_MODULE to maintain the compatibility with network scripts +that use autoloading netdev modules by aliases like "eth0", "wlan0". + +Currently there are only three users of the feature in the upstream +kernel: ipip, ip_gre and sit. 
+ + root@albatros:~# capsh --drop=$(seq -s, 0 11),$(seq -s, 13 34) -- + root@albatros:~# grep Cap /proc/$$/status + CapInh: 0000000000000000 + CapPrm: fffffff800001000 + CapEff: fffffff800001000 + CapBnd: fffffff800001000 + root@albatros:~# modprobe xfs + FATAL: Error inserting xfs + (/lib/modules/2.6.38-rc6-00001-g2bf4ca3/kernel/fs/xfs/xfs.ko): Operation not permitted + root@albatros:~# lsmod | grep xfs + root@albatros:~# ifconfig xfs + xfs: error fetching interface information: Device not found + root@albatros:~# lsmod | grep xfs + root@albatros:~# lsmod | grep sit + root@albatros:~# ifconfig sit + sit: error fetching interface information: Device not found + root@albatros:~# lsmod | grep sit + root@albatros:~# ifconfig sit0 + sit0 Link encap:IPv6-in-IPv4 + NOARP MTU:1480 Metric:1 + + root@albatros:~# lsmod | grep sit + sit 10457 0 + tunnel4 2957 1 sit + +For CAP_SYS_MODULE module loading is still relaxed: + + root@albatros:~# grep Cap /proc/$$/status + CapInh: 0000000000000000 + CapPrm: ffffffffffffffff + CapEff: ffffffffffffffff + CapBnd: ffffffffffffffff + root@albatros:~# ifconfig xfs + xfs: error fetching interface information: Device not found + root@albatros:~# lsmod | grep xfs + xfs 745319 0 + +Reference: https://lkml.org/lkml/2011/2/24/203 + +Signed-off-by: Vasiliy Kulikov +Signed-off-by: Michael Tokarev +Acked-by: David S. Miller +Acked-by: Kees Cook +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/netdevice.h | 3 +++ + net/core/dev.c | 12 ++++++++++-- + net/ipv4/ip_gre.c | 1 + + net/ipv4/ipip.c | 1 + + net/ipv6/sit.c | 2 +- + 5 files changed, 16 insertions(+), 3 deletions(-) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -2336,6 +2336,9 @@ extern int netdev_notice(const struct ne + extern int netdev_info(const struct net_device *dev, const char *format, ...) 
+ __attribute__ ((format (printf, 2, 3))); + ++#define MODULE_ALIAS_NETDEV(device) \ ++ MODULE_ALIAS("netdev-" device) ++ + #if defined(DEBUG) + #define netdev_dbg(__dev, format, args...) \ + netdev_printk(KERN_DEBUG, __dev, format, ##args) +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1116,13 +1116,21 @@ EXPORT_SYMBOL(netdev_bonding_change); + void dev_load(struct net *net, const char *name) + { + struct net_device *dev; ++ int no_module; + + rcu_read_lock(); + dev = dev_get_by_name_rcu(net, name); + rcu_read_unlock(); + +- if (!dev && capable(CAP_NET_ADMIN)) +- request_module("%s", name); ++ no_module = !dev; ++ if (no_module && capable(CAP_NET_ADMIN)) ++ no_module = request_module("netdev-%s", name); ++ if (no_module && capable(CAP_SYS_MODULE)) { ++ if (!request_module("%s", name)) ++ pr_err("Loading kernel module for a network device " ++"with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s " ++"instead\n", name); ++ } + } + EXPORT_SYMBOL(dev_load); + +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -1775,3 +1775,4 @@ module_exit(ipgre_fini); + MODULE_LICENSE("GPL"); + MODULE_ALIAS_RTNL_LINK("gre"); + MODULE_ALIAS_RTNL_LINK("gretap"); ++MODULE_ALIAS_NETDEV("gre0"); +--- a/net/ipv4/ipip.c ++++ b/net/ipv4/ipip.c +@@ -921,3 +921,4 @@ static void __exit ipip_fini(void) + module_init(ipip_init); + module_exit(ipip_fini); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS_NETDEV("tunl0"); +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1292,4 +1292,4 @@ static int __init sit_init(void) + module_init(sit_init); + module_exit(sit_cleanup); + MODULE_LICENSE("GPL"); +-MODULE_ALIAS("sit0"); ++MODULE_ALIAS_NETDEV("sit0"); diff --git a/queue-2.6.37/netfilter-arpt_mangle-fix-return-values-of-checkentry.patch b/queue-2.6.37/netfilter-arpt_mangle-fix-return-values-of-checkentry.patch new file mode 100644 index 00000000000..71f07fdf856 --- /dev/null +++ b/queue-2.6.37/netfilter-arpt_mangle-fix-return-values-of-checkentry.patch 
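Review bot: In `dev_load()` the deprecation message is emitted with `pr_err()` and no rate limit, and it prints the caller-supplied `name`, so every bare-name autoload that succeeds under CAP_SYS_MODULE writes an error-severity line. A deprecation notice fits warning level and a throttle better, for example guarding the call with `if (net_ratelimit())` or lowering it to `pr_warning(...)`. The two-stage policy is the security-relevant part of this change and deserves a comment above the function, e.g. `/* CAP_NET_ADMIN may only autoload modules aliased netdev-<name>; bare-name autoload needs CAP_SYS_MODULE (CVE-2011-1019) */`. The continued string literals also start at column 0, which breaks the surrounding indentation.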
@@ -0,0 +1,45 @@
+From 9d0db8b6b1da9e3d4c696ef29449700c58d589db Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Tue, 1 Feb 2011 16:03:46 +0100
+Subject: netfilter: arpt_mangle: fix return values of checkentry
+
+From: Pablo Neira Ayuso
+
+commit 9d0db8b6b1da9e3d4c696ef29449700c58d589db upstream.
+
+In 135367b "netfilter: xtables: change xt_target.checkentry return type",
+the type returned by checkentry was changed from boolean to int, but the
+return values where not adjusted.
+
+arptables: Input/output error
+
+This broke arptables with the mangle target since it returns true
+under success, which is interpreted by xtables as >0, thus
+returning EIO.
+
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Patrick McHardy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/netfilter/arpt_mangle.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/netfilter/arpt_mangle.c
++++ b/net/ipv4/netfilter/arpt_mangle.c
+@@ -60,12 +60,12 @@ static int checkentry(const struct xt_tg
+
+ if (mangle->flags & ~ARPT_MANGLE_MASK ||
+ !(mangle->flags & ARPT_MANGLE_MASK))
+- return false;
++ return -EINVAL;
+
+ if (mangle->target != NF_DROP && mangle->target != NF_ACCEPT &&
+ mangle->target != XT_CONTINUE)
+- return false;
+- return true;
++ return -EINVAL;
++ return 0;
+ }
+
+ static struct xt_target arpt_mangle_reg __read_mostly = {
diff --git a/queue-2.6.37/r8169-prevent-rxfifo-induced-loops-in-the-irq-handler.patch b/queue-2.6.37/r8169-prevent-rxfifo-induced-loops-in-the-irq-handler.patch
new file mode 100644
index 00000000000..a39148402e9
--- /dev/null
+++ b/queue-2.6.37/r8169-prevent-rxfifo-induced-loops-in-the-irq-handler.patch
@@ -0,0 +1,38 @@
+From f60ac8e7ab7cbb413a0131d5665b053f9f386526 Mon Sep 17 00:00:00 2001
+From: Francois Romieu
+Date: Thu, 3 Feb 2011 17:27:52 +0100
+Subject: r8169: prevent RxFIFO induced loops in the irq handler.
+
+From: Francois Romieu
+
+commit f60ac8e7ab7cbb413a0131d5665b053f9f386526 upstream.
+
+While the RxFIFO interruption is masked for most 8168, nothing prevents
+it to appear in the irq status word. This is no excuse to crash.
+
+Signed-off-by: Francois Romieu
+Cc: Ivan Vecera
+Cc: Hayes
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/r8169.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -4613,6 +4613,14 @@ static irqreturn_t rtl8169_interrupt(int
+ netif_stop_queue(dev);
+ rtl8169_tx_timeout(dev);
+ goto done;
++ /* Testers needed. */
++ case RTL_GIGA_MAC_VER_17:
++ case RTL_GIGA_MAC_VER_19:
++ case RTL_GIGA_MAC_VER_20:
++ case RTL_GIGA_MAC_VER_21:
++ case RTL_GIGA_MAC_VER_23:
++ case RTL_GIGA_MAC_VER_24:
++ case RTL_GIGA_MAC_VER_27:
+ /* Experimental science. Pktgen proof. */
+ case RTL_GIGA_MAC_VER_12:
+ case RTL_GIGA_MAC_VER_25:
diff --git a/queue-2.6.37/r8169-rxfifo-overflow-oddities-with-8168-chipsets.patch b/queue-2.6.37/r8169-rxfifo-overflow-oddities-with-8168-chipsets.patch
new file mode 100644
index 00000000000..b396e27615d
--- /dev/null
+++ b/queue-2.6.37/r8169-rxfifo-overflow-oddities-with-8168-chipsets.patch
@@ -0,0 +1,85 @@ +From 1519e57fe81c14bb8fa4855579f19264d1ef63b4 Mon Sep 17 00:00:00 2001 +From: Francois Romieu +Date: Thu, 3 Feb 2011 12:02:36 +0100 +Subject: r8169: RxFIFO overflow oddities with 8168 chipsets. + +From: Francois Romieu + +commit 1519e57fe81c14bb8fa4855579f19264d1ef63b4 upstream. + +Some experiment-based action to prevent my 8168 chipsets locking-up hard +in the irq handler under load (pktgen ~1Mpps). Apparently a reset is not +always mandatory (is it at all ?). + +- RTL_GIGA_MAC_VER_12 +- RTL_GIGA_MAC_VER_25 + Missed ~55% packets. Note: + - this is an old SiS 965L motherboard + - the 8168 chipset emits (lots of) control frames towards the sender + +- RTL_GIGA_MAC_VER_26 + The chipset does not go into a frenzy of mac control pause when it + crashes yet but it can still be crashed. It needs more work. + +Signed-off-by: Francois Romieu +Cc: Ivan Vecera +Cc: Hayes +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/r8169.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +--- a/drivers/net/r8169.c ++++ b/drivers/net/r8169.c +@@ -758,7 +758,8 @@ static void __rtl8169_check_link_status( + if (pm) + pm_request_resume(&tp->pci_dev->dev); + netif_carrier_on(dev); +- netif_info(tp, ifup, dev, "link up\n"); ++ if (net_ratelimit()) ++ netif_info(tp, ifup, dev, "link up\n"); + } else { + netif_carrier_off(dev); + netif_info(tp, ifdown, dev, "link down\n"); +@@ -4603,13 +4604,24 @@ static irqreturn_t rtl8169_interrupt(int + break; + } + +- /* Work around for rx fifo overflow */ +- if (unlikely(status & RxFIFOOver) && +- (tp->mac_version == RTL_GIGA_MAC_VER_11 || +- tp->mac_version == RTL_GIGA_MAC_VER_22)) { +- netif_stop_queue(dev); +- rtl8169_tx_timeout(dev); +- break; ++ if (unlikely(status & RxFIFOOver)) { ++ switch (tp->mac_version) { ++ /* Work around for rx fifo overflow */ ++ case RTL_GIGA_MAC_VER_11: ++ case RTL_GIGA_MAC_VER_22: ++ case RTL_GIGA_MAC_VER_26: ++ netif_stop_queue(dev); ++ rtl8169_tx_timeout(dev); 
++ goto done; ++ /* Experimental science. Pktgen proof. */ ++ case RTL_GIGA_MAC_VER_12: ++ case RTL_GIGA_MAC_VER_25: ++ if (status == RxFIFOOver) ++ goto done; ++ break; ++ default: ++ break; ++ } + } + + if (unlikely(status & SYSErr)) { +@@ -4645,7 +4657,7 @@ static irqreturn_t rtl8169_interrupt(int + (status & RxFIFOOver) ? (status | RxOverflow) : status); + status = RTL_R16(IntrStatus); + } +- ++done: + return IRQ_RETVAL(handled); + } + diff --git a/queue-2.6.37/r8169-use-rxfifo-overflow-workaround-for-8168c-chipset.patch b/queue-2.6.37/r8169-use-rxfifo-overflow-workaround-for-8168c-chipset.patch new file mode 100644 index 00000000000..fd612e48c08 --- /dev/null +++ b/queue-2.6.37/r8169-use-rxfifo-overflow-workaround-for-8168c-chipset.patch 
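Review bot: In `rtl8169_interrupt()` the new `if (status == RxFIFOOver) goto done;` leaves the handler without reaching the `RTL_W16(IntrStatus, ...)` write-back at the bottom of the loop, so as far as this hunk shows the RxFIFOOver bit stays unacknowledged for VER_12 and VER_25. If that is deliberate it needs a comment saying so, because "Experimental science. Pktgen proof." does not tell the next reader why skipping the acknowledge is safe. The first hunk also rate-limits only the "link up" message while the "link down" `netif_info` beside it stays unthrottled, so a flapping link still logs without bound; `if (net_ratelimit())` on both would be consistent. The loop body begins outside the hunk.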
@@ -0,0 +1,45 @@
+From b5ba6d12bdac21bc0620a5089e0f24e362645efd Mon Sep 17 00:00:00 2001
+From: Ivan Vecera
+Date: Thu, 27 Jan 2011 12:24:11 +0100
+Subject: r8169: use RxFIFO overflow workaround for 8168c chipset.
+
+From: Ivan Vecera
+
+commit b5ba6d12bdac21bc0620a5089e0f24e362645efd upstream.
+
+I found that one of the 8168c chipsets (concretely XID 1c4000c0) starts
+generating RxFIFO overflow errors. The result is an infinite loop in
+interrupt handler as the RxFIFOOver is handled only for ...MAC_VER_11.
+With the workaround everything goes fine.
+
+Signed-off-by: Ivan Vecera
+Acked-by: Francois Romieu
+Cc: Hayes
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/r8169.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -3725,7 +3725,8 @@ static void rtl_hw_start_8168(struct net
+ RTL_W16(IntrMitigate, 0x5151);
+
+ /* Work around for RxFIFO overflow. */
+- if (tp->mac_version == RTL_GIGA_MAC_VER_11) {
++ if (tp->mac_version == RTL_GIGA_MAC_VER_11 ||
++ tp->mac_version == RTL_GIGA_MAC_VER_22) {
+ tp->intr_event |= RxFIFOOver | PCSTimeout;
+ tp->intr_event &= ~RxOverflow;
+ }
+@@ -4604,7 +4605,8 @@ static irqreturn_t rtl8169_interrupt(int
+
+ /* Work around for rx fifo overflow */
+ if (unlikely(status & RxFIFOOver) &&
+- (tp->mac_version == RTL_GIGA_MAC_VER_11)) {
++ (tp->mac_version == RTL_GIGA_MAC_VER_11 ||
++ tp->mac_version == RTL_GIGA_MAC_VER_22)) {
+ netif_stop_queue(dev);
+ rtl8169_tx_timeout(dev);
+ break;
diff --git a/queue-2.6.37/sched-fix-sched-rt-group-scheduling-when-hierachy-is-enabled.patch b/queue-2.6.37/sched-fix-sched-rt-group-scheduling-when-hierachy-is-enabled.patch
new file mode 100644
index 00000000000..a14a07d1241
--- /dev/null
+++ b/queue-2.6.37/sched-fix-sched-rt-group-scheduling-when-hierachy-is-enabled.patch
@@ -0,0 +1,86 @@
+From 0c3b9168017cbad2c4af3dd65ec93fe646eeaa62 Mon Sep 17 00:00:00 2001
+From: Balbir Singh
+Date: Thu, 3 Mar 2011 17:04:35 +0530
+Subject: sched: Fix sched rt group scheduling when hierachy is enabled
+
+From: Balbir Singh
+
+commit 0c3b9168017cbad2c4af3dd65ec93fe646eeaa62 upstream.
+
+The current sched rt code is broken when it comes to hierarchical
+scheduling, this patch fixes two problems
+
+1. It adds redundant enqueuing (harmless) when it finds a queue
+ has tasks enqueued, but it has no run time and it is not
+ throttled.
+
+2. The most important change is in sched_rt_rq_enqueue/dequeue.
+ The code just picks the rt_rq belonging to the current cpu
+ on which the period timer runs, the patch fixes it, so that
+ the correct rt_se is enqueued/dequeued.
+
+Tested with a simple hierarchy
+
+/c/d, c and d assigned similar runtimes of 50,000 and a while
+1 loop runs within "d". Both c and d get throttled, without
+the patch, the task just stops running and never runs (depends
+on where the sched_rt b/w timer runs). With the patch, the
+task is throttled and runs as expected.
+
+[ bharata, suggestions on how to pick the rt_se belong to the
+ rt_rq and correct cpu ]
+
+Signed-off-by: Balbir Singh
+Acked-by: Bharata B Rao
+Signed-off-by: Peter Zijlstra
+LKML-Reference: <20110303113435.GA2868@balbir.in.ibm.com>
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/sched_rt.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/kernel/sched_rt.c
++++ b/kernel/sched_rt.c
+@@ -199,11 +199,12 @@ static void dequeue_rt_entity(struct sch
+
+ static void sched_rt_rq_enqueue(struct rt_rq *rt_rq)
+ {
+- int this_cpu = smp_processor_id();
+ struct task_struct *curr = rq_of_rt_rq(rt_rq)->curr;
+ struct sched_rt_entity *rt_se;
+
+- rt_se = rt_rq->tg->rt_se[this_cpu];
++ int cpu = cpu_of(rq_of_rt_rq(rt_rq));
++
++ rt_se = rt_rq->tg->rt_se[cpu];
+
+ if (rt_rq->rt_nr_running) {
+ if (rt_se && !on_rt_rq(rt_se))
+@@ -215,10 +216,10 @@ static void sched_rt_rq_dequeue(struct r
+
+ static void sched_rt_rq_dequeue(struct rt_rq *rt_rq)
+ {
+- int this_cpu = smp_processor_id();
+ struct sched_rt_entity *rt_se;
++ int cpu = cpu_of(rq_of_rt_rq(rt_rq));
+
+- rt_se = rt_rq->tg->rt_se[this_cpu];
++ rt_se = rt_rq->tg->rt_se[cpu];
+
+ if (rt_se && on_rt_rq(rt_se))
+ dequeue_rt_entity(rt_se);
+@@ -546,8 +547,11 @@ static int do_sched_rt_period_timer(stru
+ if (rt_rq->rt_time || rt_rq->rt_nr_running)
+ idle = 0;
+ raw_spin_unlock(&rt_rq->rt_runtime_lock);
+- } else if (rt_rq->rt_nr_running)
++ } else if (rt_rq->rt_nr_running) {
+ idle = 0;
++ if (!rt_rq_throttled(rt_rq))
++ enqueue = 1;
++ }
+
+ if (enqueue)
+ sched_rt_rq_enqueue(rt_rq);
diff --git a/queue-2.6.37/series b/queue-2.6.37/series
index 8bdeaf0543b..b245dd8b4cb 100644
--- a/queue-2.6.37/series
+++ b/queue-2.6.37/series
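Review bot: The added `if (!rt_rq_throttled(rt_rq)) enqueue = 1;` in the last inner hunk (do_sched_rt_period_timer) carries no comment, although the commit message itself calls this enqueue redundant but harmless. Someone reading the function alone cannot tell that the extra enqueue is intentional, nor that it is safe because sched_rt_rq_enqueue() only queues when `rt_se && !on_rt_rq(rt_se)` holds, as the first inner hunk shows. I would add `/* tasks queued but no run time: enqueue unless throttled; a repeat is filtered by on_rt_rq() in sched_rt_rq_enqueue() */` above the test. The function starts and ends outside the hunk, so the condition of the preceding `if` branch is not visible here.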
@@ -15,3 +15,15 @@ pcc-cpufreq-don-t-load-driver-if-get_freq-fails-during-init.patch
 nfsd-wrong-index-used-in-inner-loop.patch
 hid-hid-mosart-ignore-buttons-report.patch
 nfs-nfsv4-readdir-loses-entries.patch
+ipvs-fix-dst_lock-locking-on-dest-update.patch
+net-don-t-allow-cap_net_admin-to-load-non-netdev-kernel-modules.patch
+netfilter-arpt_mangle-fix-return-values-of-checkentry.patch
+r8169-use-rxfifo-overflow-workaround-for-8168c-chipset.patch
+r8169-rxfifo-overflow-oddities-with-8168-chipsets.patch
+r8169-prevent-rxfifo-induced-loops-in-the-irq-handler.patch
+drivers-net-call-netif_carrier_off-at-the-end-of-the-probe.patch
+sched-fix-sched-rt-group-scheduling-when-hierachy-is-enabled.patch
+ivtv-fix-corrective-action-taken-upon-dma-err-interrupt-to-avoid-hang.patch
+cx23885-revert-check-for-slave-nack-on-all-transactions.patch
+cx25840-fix-probing-of-cx2583x-chips.patch
+dib7000m-add-pid-filtering.patch