kernel26-alx/patches-2.6.27-r3/0126-2.6.27.27-all-fixes.patch

diff --git a/Makefile b/Makefile
index 90764ee..387a5fd 100644
--- a/Makefile
+++ b/Makefile
@@ -340,7 +340,8 @@ KBUILD_CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
 
 KBUILD_CFLAGS   := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
 		   -fno-strict-aliasing -fno-common \
-		   -Werror-implicit-function-declaration
+		   -Werror-implicit-function-declaration \
+		   -fno-delete-null-pointer-checks
 KBUILD_AFLAGS   := -D__ASSEMBLY__
 
 # Read KERNELRELEASE from include/config/kernel.release (if it exists)
@@ -556,7 +557,7 @@ KBUILD_CFLAGS += $(call cc-option,-Wdeclaration-after-statement,)
 KBUILD_CFLAGS += $(call cc-option,-Wno-pointer-sign,)
 
 # disable invalid "can't wrap" optimzations for signed / pointers
-KBUILD_CFLAGS	+= $(call cc-option,-fwrapv)
+KBUILD_CFLAGS	+= $(call cc-option,-fno-strict-overflow)
 
 # Add user supplied CPPFLAGS, AFLAGS and CFLAGS as the last assignments
 # But warn user when we do so
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 615fcd3..5900f76 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3320,7 +3320,10 @@ static inline int set_geometry(unsigned int cmd, struct floppy_struct *g,
 		if (!capable(CAP_SYS_ADMIN))
 			return -EPERM;
 		mutex_lock(&open_lock);
-		LOCK_FDC(drive, 1);
+		if (lock_fdc(drive, 1)) {
+			mutex_unlock(&open_lock);
+			return -EINTR;
+		}
 		floppy_type[type] = *g;
 		floppy_type[type].name = "user format";
 		for (cnt = type << 2; cnt < (type << 2) + 4; cnt++)
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 925efaf..ace998c 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -265,10 +265,6 @@ static int dm_blk_open(struct inode *inode, struct file *file)
 		goto out;
 	}
 
-	if (test_bit(DMF_FREEING, &md->flags) ||
-	    test_bit(DMF_DELETING, &md->flags))
-		return NULL;
-
 	dm_get(md);
 	atomic_inc(&md->open_count);
 
diff --git a/drivers/net/tulip/interrupt.c b/drivers/net/tulip/interrupt.c
index c6bad98..7faf84f 100644
--- a/drivers/net/tulip/interrupt.c
+++ b/drivers/net/tulip/interrupt.c
@@ -140,6 +140,7 @@ int tulip_poll(struct napi_struct *napi, int budget)
                /* If we own the next entry, it is a new packet. Send it up. */
                while ( ! (tp->rx_ring[entry].status & cpu_to_le32(DescOwned))) {
                        s32 status = le32_to_cpu(tp->rx_ring[entry].status);
+		       short pkt_len;
 
                        if (tp->dirty_rx + RX_RING_SIZE == tp->cur_rx)
                                break;
@@ -151,8 +152,28 @@ int tulip_poll(struct napi_struct *napi, int budget)
 		       if (++work_done >= budget)
                                goto not_done;
 
-                       if ((status & 0x38008300) != 0x0300) {
-                               if ((status & 0x38000300) != 0x0300) {
+		       /*
+			* Omit the four octet CRC from the length.
+			* (May not be considered valid until we have
+			* checked status for RxLengthOver2047 bits)
+			*/
+		       pkt_len = ((status >> 16) & 0x7ff) - 4;
+
+		       /*
+			* Maximum pkt_len is 1518 (1514 + vlan header)
+			* Anything higher than this is always invalid
+			* regardless of RxLengthOver2047 bits
+			*/
+
+		       if ((status & (RxLengthOver2047 |
+				      RxDescCRCError |
+				      RxDescCollisionSeen |
+				      RxDescRunt |
+				      RxDescDescErr |
+				      RxWholePkt)) != RxWholePkt
+			   || pkt_len > 1518) {
+			       if ((status & (RxLengthOver2047 |
+					      RxWholePkt)) != RxWholePkt) {
                                 /* Ingore earlier buffers. */
                                        if ((status & 0xffff) != 0x7fff) {
                                                if (tulip_debug > 1)
@@ -161,30 +182,23 @@ int tulip_poll(struct napi_struct *napi, int budget)
                                                               dev->name, status);
                                                tp->stats.rx_length_errors++;
                                        }
-                               } else if (status & RxDescFatalErr) {
+			       } else {
                                 /* There was a fatal error. */
                                        if (tulip_debug > 2)
                                                printk(KERN_DEBUG "%s: Receive error, Rx status %8.8x.\n",
                                                       dev->name, status);
                                        tp->stats.rx_errors++; /* end of a packet.*/
-                                       if (status & 0x0890) tp->stats.rx_length_errors++;
+				       if (pkt_len > 1518 ||
+					   (status & RxDescRunt))
+					       tp->stats.rx_length_errors++;
+
                                        if (status & 0x0004) tp->stats.rx_frame_errors++;
                                        if (status & 0x0002) tp->stats.rx_crc_errors++;
                                        if (status & 0x0001) tp->stats.rx_fifo_errors++;
                                }
                        } else {
-                               /* Omit the four octet CRC from the length. */
-                               short pkt_len = ((status >> 16) & 0x7ff) - 4;
                                struct sk_buff *skb;
 
-#ifndef final_version
-                               if (pkt_len > 1518) {
-                                       printk(KERN_WARNING "%s: Bogus packet size of %d (%#x).\n",
-                                              dev->name, pkt_len, pkt_len);
-                                       pkt_len = 1518;
-                                       tp->stats.rx_length_errors++;
-                               }
-#endif
                                /* Check if the packet is long enough to accept without copying
                                   to a minimally-sized skbuff. */
                                if (pkt_len < tulip_rx_copybreak
@@ -357,14 +371,35 @@ static int tulip_rx(struct net_device *dev)
 	/* If we own the next entry, it is a new packet. Send it up. */
 	while ( ! (tp->rx_ring[entry].status & cpu_to_le32(DescOwned))) {
 		s32 status = le32_to_cpu(tp->rx_ring[entry].status);
+		short pkt_len;
 
 		if (tulip_debug > 5)
 			printk(KERN_DEBUG "%s: In tulip_rx(), entry %d %8.8x.\n",
 				   dev->name, entry, status);
 		if (--rx_work_limit < 0)
 			break;
-		if ((status & 0x38008300) != 0x0300) {
-			if ((status & 0x38000300) != 0x0300) {
+
+		/*
+		  Omit the four octet CRC from the length.
+		  (May not be considered valid until we have
+		  checked status for RxLengthOver2047 bits)
+		*/
+		pkt_len = ((status >> 16) & 0x7ff) - 4;
+		/*
+		  Maximum pkt_len is 1518 (1514 + vlan header)
+		  Anything higher than this is always invalid
+		  regardless of RxLengthOver2047 bits
+		*/
+
+		if ((status & (RxLengthOver2047 |
+			       RxDescCRCError |
+			       RxDescCollisionSeen |
+			       RxDescRunt |
+			       RxDescDescErr |
+			       RxWholePkt))        != RxWholePkt
+		     || pkt_len > 1518) {
+			if ((status & (RxLengthOver2047 |
+			     RxWholePkt))         != RxWholePkt) {
 				/* Ingore earlier buffers. */
 				if ((status & 0xffff) != 0x7fff) {
 					if (tulip_debug > 1)
@@ -373,31 +408,22 @@ static int tulip_rx(struct net_device *dev)
 							   dev->name, status);
 					tp->stats.rx_length_errors++;
 				}
-			} else if (status & RxDescFatalErr) {
+			} else {
 				/* There was a fatal error. */
 				if (tulip_debug > 2)
 					printk(KERN_DEBUG "%s: Receive error, Rx status %8.8x.\n",
 						   dev->name, status);
 				tp->stats.rx_errors++; /* end of a packet.*/
-				if (status & 0x0890) tp->stats.rx_length_errors++;
+				if (pkt_len > 1518 ||
+				    (status & RxDescRunt))
+					tp->stats.rx_length_errors++;
 				if (status & 0x0004) tp->stats.rx_frame_errors++;
 				if (status & 0x0002) tp->stats.rx_crc_errors++;
 				if (status & 0x0001) tp->stats.rx_fifo_errors++;
 			}
 		} else {
-			/* Omit the four octet CRC from the length. */
-			short pkt_len = ((status >> 16) & 0x7ff) - 4;
 			struct sk_buff *skb;
 
-#ifndef final_version
-			if (pkt_len > 1518) {
-				printk(KERN_WARNING "%s: Bogus packet size of %d (%#x).\n",
-					   dev->name, pkt_len, pkt_len);
-				pkt_len = 1518;
-				tp->stats.rx_length_errors++;
-			}
-#endif
-
 			/* Check if the packet is long enough to accept without copying
 			   to a minimally-sized skbuff. */
 			if (pkt_len < tulip_rx_copybreak
diff --git a/drivers/net/tulip/tulip.h b/drivers/net/tulip/tulip.h
index 19abbc3..0afa2d4 100644
--- a/drivers/net/tulip/tulip.h
+++ b/drivers/net/tulip/tulip.h
@@ -201,8 +201,38 @@ enum desc_status_bits {
 	DescStartPkt = 0x20000000,
 	DescEndRing  = 0x02000000,
 	DescUseLink  = 0x01000000,
-	RxDescFatalErr = 0x008000,
+
+	/*
+	 * Error summary flag is logical or of 'CRC Error', 'Collision Seen',
+	 * 'Frame Too Long', 'Runt' and 'Descriptor Error' flags generated
+	 * within tulip chip.
+	 */
+	RxDescErrorSummary = 0x8000,
+	RxDescCRCError = 0x0002,
+	RxDescCollisionSeen = 0x0040,
+
+	/*
+	 * 'Frame Too Long' flag is set if packet length including CRC exceeds
+	 * 1518.  However, a full sized VLAN tagged frame is 1522 bytes
+	 * including CRC.
+	 *
+	 * The tulip chip does not block oversized frames, and if this flag is
+	 * set on a receive descriptor it does not indicate the frame has been
+	 * truncated.  The receive descriptor also includes the actual length.
+	 * Therefore we can safety ignore this flag and check the length
+	 * ourselves.
+	 */
+	RxDescFrameTooLong = 0x0080,
+	RxDescRunt = 0x0800,
+	RxDescDescErr = 0x4000,
 	RxWholePkt   = 0x00000300,
+	/*
+	 * Top three bits of 14 bit frame length (status bits 27-29) should
+	 * never be set as that would make frame over 2047 bytes. The Receive
+	 * Watchdog flag (bit 4) may indicate the length is over 2048 and the
+	 * length field is invalid.
+	 */
+	RxLengthOver2047 = 0x38000010
 };
 
 
diff --git a/drivers/pci/iova.c b/drivers/pci/iova.c
index 3ef4ac0..078bf8b 100644
--- a/drivers/pci/iova.c
+++ b/drivers/pci/iova.c
@@ -1,9 +1,19 @@
 /*
- * Copyright (c) 2006, Intel Corporation.
+ * Copyright © 2006-2009, Intel Corporation.
  *
- * This file is released under the GPLv2.
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307 USA.
  *
- * Copyright (C) 2006-2008 Intel Corporation
  * Author: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
  */
 
@@ -123,7 +133,15 @@ move_left:
 	/* Insert the new_iova into domain rbtree by holding writer lock */
 	/* Add new node and rebalance tree. */
 	{
-		struct rb_node **entry = &((prev)), *parent = NULL;
+		struct rb_node **entry, *parent = NULL;
+
+		/* If we have 'prev', it's a valid place to start the
+		   insertion. Otherwise, start from the root. */
+		if (prev)
+			entry = &prev;
+		else
+			entry = &iovad->rbroot.rb_node;
+
 		/* Figure out where to put new node */
 		while (*entry) {
 			struct iova *this = container_of(*entry,
diff --git a/include/linux/mm.h b/include/linux/mm.h
index ae9775d..eeb7e56 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -572,12 +572,10 @@ static inline void set_page_links(struct page *page, enum zone_type zone,
  */
 static inline unsigned long round_hint_to_min(unsigned long hint)
 {
-#ifdef CONFIG_SECURITY
 	hint &= PAGE_MASK;
 	if (((void *)hint != NULL) &&
 	    (hint < mmap_min_addr))
 		return PAGE_ALIGN(mmap_min_addr);
-#endif
 	return hint;
 }
 
diff --git a/include/linux/personality.h b/include/linux/personality.h
index a84e9ff..1261208 100644
--- a/include/linux/personality.h
+++ b/include/linux/personality.h
@@ -40,7 +40,10 @@ enum {
  * Security-relevant compatibility flags that must be
  * cleared upon setuid or setgid exec:
  */
-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
+#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC  | \
+			    ADDR_NO_RANDOMIZE  | \
+			    ADDR_COMPAT_LAYOUT | \
+			    MMAP_PAGE_ZERO)
 
 /*
  * Personality types.
diff --git a/include/linux/security.h b/include/linux/security.h
index 80c4d00..1638afd 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2134,6 +2134,8 @@ static inline int security_file_mmap(struct file *file, unsigned long reqprot,
 				     unsigned long addr,
 				     unsigned long addr_only)
 {
+	if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
+		return -EACCES;
 	return 0;
 }
 
diff --git a/kernel/resource.c b/kernel/resource.c
index 03d796c..87f675a 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -741,7 +741,7 @@ static int __init reserve_setup(char *str)
 	static struct resource reserve[MAXRESERVE];
 
 	for (;;) {
-		int io_start, io_num;
+		unsigned int io_start, io_num;
 		int x = reserved;
 
 		if (get_option (&str, &io_start) != 2)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 6816e6d..1228d65 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1132,7 +1132,6 @@ static struct ctl_table vm_table[] = {
 		.strategy	= &sysctl_jiffies,
 	},
 #endif
-#ifdef CONFIG_SECURITY
 	{
 		.ctl_name	= CTL_UNNUMBERED,
 		.procname	= "mmap_min_addr",
@@ -1141,7 +1140,6 @@ static struct ctl_table vm_table[] = {
 		.mode		= 0644,
 		.proc_handler	= &proc_doulongvec_minmax,
 	},
-#endif
 #ifdef CONFIG_NUMA
 	{
 		.ctl_name	= CTL_UNNUMBERED,
diff --git a/mm/Kconfig b/mm/Kconfig
index 0bd9c2d..07b4ec4 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -208,3 +208,21 @@ config VIRT_TO_BUS
 
 config MMU_NOTIFIER
 	bool
+
+config DEFAULT_MMAP_MIN_ADDR
+        int "Low address space to protect from user allocation"
+        default 4096
+        help
+	  This is the portion of low virtual memory which should be protected
+	  from userspace allocation.  Keeping a user from writing to low pages
+	  can help reduce the impact of kernel NULL pointer bugs.
+
+	  For most ia64, ppc64 and x86 users with lots of address space
+	  a value of 65536 is reasonable and should cause no problems.
+	  On arm and other archs it should not be higher than 32768.
+	  Programs which use vm86 functionality would either need additional
+	  permissions from either the LSM or the capabilities module or have
+	  this protection disabled.
+
+	  This value can be changed after boot using the
+	  /proc/sys/vm/mmap_min_addr tunable.
diff --git a/mm/mmap.c b/mm/mmap.c
index 2ae093e..d330758 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -86,6 +86,9 @@ int sysctl_overcommit_ratio = 50;	/* default is 50% */
 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
 atomic_long_t vm_committed_space = ATOMIC_LONG_INIT(0);
 
+/* amount of vm to protect from userspace access */
+unsigned long mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
+
 /*
  * Check that a process has enough memory to allocate a new virtual
  * mapping. 0 means there is enough memory for the allocation to
diff --git a/security/Kconfig b/security/Kconfig
index 5592939..38411dd 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -92,28 +92,8 @@ config SECURITY_ROOTPLUG
 
 	  See <http://www.linuxjournal.com/article.php?sid=6279> for
 	  more information about this module.
-	  
-	  If you are unsure how to answer this question, answer N.
-
-config SECURITY_DEFAULT_MMAP_MIN_ADDR
-        int "Low address space to protect from user allocation"
-        depends on SECURITY
-        default 0
-        help
-	  This is the portion of low virtual memory which should be protected
-	  from userspace allocation.  Keeping a user from writing to low pages
-	  can help reduce the impact of kernel NULL pointer bugs.
-
-	  For most ia64, ppc64 and x86 users with lots of address space
-	  a value of 65536 is reasonable and should cause no problems.
-	  On arm and other archs it should not be higher than 32768.
-	  Programs which use vm86 functionality would either need additional
-	  permissions from either the LSM or the capabilities module or have
-	  this protection disabled.
-
-	  This value can be changed after boot using the
-	  /proc/sys/vm/mmap_min_addr tunable.
 
+	  If you are unsure how to answer this question, answer N.
 
 source security/selinux/Kconfig
 source security/smack/Kconfig
diff --git a/security/security.c b/security/security.c
index 3a4b4f5..27a315d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -26,9 +26,6 @@ extern void security_fixup_ops(struct security_operations *ops);
 
 struct security_operations *security_ops;	/* Initialized to NULL */
 
-/* amount of vm to protect from userspace access */
-unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR;
-
 static inline int verify(struct security_operations *ops)
 {
 	/* verify the security_operations structure exists */
1	niro	1176	diff --git a/Makefile b/Makefile
2			index 90764ee..387a5fd 100644
3			--- a/Makefile
4			+++ b/Makefile
5			@@ -340,7 +340,8 @@ KBUILD_CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
6
7			KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
8			-fno-strict-aliasing -fno-common \
9			- -Werror-implicit-function-declaration
10			+ -Werror-implicit-function-declaration \
11			+ -fno-delete-null-pointer-checks
12			KBUILD_AFLAGS := -D__ASSEMBLY__
13
14			# Read KERNELRELEASE from include/config/kernel.release (if it exists)
15			@@ -556,7 +557,7 @@ KBUILD_CFLAGS += $(call cc-option,-Wdeclaration-after-statement,)
16			KBUILD_CFLAGS += $(call cc-option,-Wno-pointer-sign,)
17
18			# disable invalid "can't wrap" optimzations for signed / pointers
19			-KBUILD_CFLAGS += $(call cc-option,-fwrapv)
20			+KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow)
21
22			# Add user supplied CPPFLAGS, AFLAGS and CFLAGS as the last assignments
23			# But warn user when we do so
24			diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
25			index 615fcd3..5900f76 100644
26			--- a/drivers/block/floppy.c
27			+++ b/drivers/block/floppy.c
28			@@ -3320,7 +3320,10 @@ static inline int set_geometry(unsigned int cmd, struct floppy_struct *g,
29			if (!capable(CAP_SYS_ADMIN))
30			return -EPERM;
31			mutex_lock(&open_lock);
32			- LOCK_FDC(drive, 1);
33			+ if (lock_fdc(drive, 1)) {
34			+ mutex_unlock(&open_lock);
35			+ return -EINTR;
36			+ }
37			floppy_type[type] = *g;
38			floppy_type[type].name = "user format";
39			for (cnt = type << 2; cnt < (type << 2) + 4; cnt++)
40			diff --git a/drivers/md/dm.c b/drivers/md/dm.c
41			index 925efaf..ace998c 100644
42			--- a/drivers/md/dm.c
43			+++ b/drivers/md/dm.c
44			@@ -265,10 +265,6 @@ static int dm_blk_open(struct inode inode, struct file file)
45			goto out;
46			}
47
48			- if (test_bit(DMF_FREEING, &md->flags) \|\|
49			- test_bit(DMF_DELETING, &md->flags))
50			- return NULL;
51			-
52			dm_get(md);
53			atomic_inc(&md->open_count);
54
55			diff --git a/drivers/net/tulip/interrupt.c b/drivers/net/tulip/interrupt.c
56			index c6bad98..7faf84f 100644
57			--- a/drivers/net/tulip/interrupt.c
58			+++ b/drivers/net/tulip/interrupt.c
59			@@ -140,6 +140,7 @@ int tulip_poll(struct napi_struct *napi, int budget)
60			/* If we own the next entry, it is a new packet. Send it up. */
61			while ( ! (tp->rx_ring[entry].status & cpu_to_le32(DescOwned))) {
62			s32 status = le32_to_cpu(tp->rx_ring[entry].status);
63			+ short pkt_len;
64
65			if (tp->dirty_rx + RX_RING_SIZE == tp->cur_rx)
66			break;
67			@@ -151,8 +152,28 @@ int tulip_poll(struct napi_struct *napi, int budget)
68			if (++work_done >= budget)
69			goto not_done;
70
71			- if ((status & 0x38008300) != 0x0300) {
72			- if ((status & 0x38000300) != 0x0300) {
73			+ /*
74			+ * Omit the four octet CRC from the length.
75			+ * (May not be considered valid until we have
76			+ * checked status for RxLengthOver2047 bits)
77			+ */
78			+ pkt_len = ((status >> 16) & 0x7ff) - 4;
79			+
80			+ /*
81			+ * Maximum pkt_len is 1518 (1514 + vlan header)
82			+ * Anything higher than this is always invalid
83			+ * regardless of RxLengthOver2047 bits
84			+ */
85			+
86			+ if ((status & (RxLengthOver2047 \|
87			+ RxDescCRCError \|
88			+ RxDescCollisionSeen \|
89			+ RxDescRunt \|
90			+ RxDescDescErr \|
91			+ RxWholePkt)) != RxWholePkt
92			+ \|\| pkt_len > 1518) {
93			+ if ((status & (RxLengthOver2047 \|
94			+ RxWholePkt)) != RxWholePkt) {
95			/* Ingore earlier buffers. */
96			if ((status & 0xffff) != 0x7fff) {
97			if (tulip_debug > 1)
98			@@ -161,30 +182,23 @@ int tulip_poll(struct napi_struct *napi, int budget)
99			dev->name, status);
100			tp->stats.rx_length_errors++;
101			}
102			- } else if (status & RxDescFatalErr) {
103			+ } else {
104			/* There was a fatal error. */
105			if (tulip_debug > 2)
106			printk(KERN_DEBUG "%s: Receive error, Rx status %8.8x.\n",
107			dev->name, status);
108			tp->stats.rx_errors++; /* end of a packet.*/
109			- if (status & 0x0890) tp->stats.rx_length_errors++;
110			+ if (pkt_len > 1518 \|\|
111			+ (status & RxDescRunt))
112			+ tp->stats.rx_length_errors++;
113			+
114			if (status & 0x0004) tp->stats.rx_frame_errors++;
115			if (status & 0x0002) tp->stats.rx_crc_errors++;
116			if (status & 0x0001) tp->stats.rx_fifo_errors++;
117			}
118			} else {
119			- /* Omit the four octet CRC from the length. */
120			- short pkt_len = ((status >> 16) & 0x7ff) - 4;
121			struct sk_buff *skb;
122
123			-#ifndef final_version
124			- if (pkt_len > 1518) {
125			- printk(KERN_WARNING "%s: Bogus packet size of %d (%#x).\n",
126			- dev->name, pkt_len, pkt_len);
127			- pkt_len = 1518;
128			- tp->stats.rx_length_errors++;
129			- }
130			-#endif
131			/* Check if the packet is long enough to accept without copying
132			to a minimally-sized skbuff. */
133			if (pkt_len < tulip_rx_copybreak
134			@@ -357,14 +371,35 @@ static int tulip_rx(struct net_device *dev)
135			/* If we own the next entry, it is a new packet. Send it up. */
136			while ( ! (tp->rx_ring[entry].status & cpu_to_le32(DescOwned))) {
137			s32 status = le32_to_cpu(tp->rx_ring[entry].status);
138			+ short pkt_len;
139
140			if (tulip_debug > 5)
141			printk(KERN_DEBUG "%s: In tulip_rx(), entry %d %8.8x.\n",
142			dev->name, entry, status);
143			if (--rx_work_limit < 0)
144			break;
145			- if ((status & 0x38008300) != 0x0300) {
146			- if ((status & 0x38000300) != 0x0300) {
147			+
148			+ /*
149			+ Omit the four octet CRC from the length.
150			+ (May not be considered valid until we have
151			+ checked status for RxLengthOver2047 bits)
152			+ */
153			+ pkt_len = ((status >> 16) & 0x7ff) - 4;
154			+ /*
155			+ Maximum pkt_len is 1518 (1514 + vlan header)
156			+ Anything higher than this is always invalid
157			+ regardless of RxLengthOver2047 bits
158			+ */
159			+
160			+ if ((status & (RxLengthOver2047 \|
161			+ RxDescCRCError \|
162			+ RxDescCollisionSeen \|
163			+ RxDescRunt \|
164			+ RxDescDescErr \|
165			+ RxWholePkt)) != RxWholePkt
166			+ \|\| pkt_len > 1518) {
167			+ if ((status & (RxLengthOver2047 \|
168			+ RxWholePkt)) != RxWholePkt) {
169			/* Ingore earlier buffers. */
170			if ((status & 0xffff) != 0x7fff) {
171			if (tulip_debug > 1)
172			@@ -373,31 +408,22 @@ static int tulip_rx(struct net_device *dev)
173			dev->name, status);
174			tp->stats.rx_length_errors++;
175			}
176			- } else if (status & RxDescFatalErr) {
177			+ } else {
178			/* There was a fatal error. */
179			if (tulip_debug > 2)
180			printk(KERN_DEBUG "%s: Receive error, Rx status %8.8x.\n",
181			dev->name, status);
182			tp->stats.rx_errors++; /* end of a packet.*/
183			- if (status & 0x0890) tp->stats.rx_length_errors++;
184			+ if (pkt_len > 1518 \|\|
185			+ (status & RxDescRunt))
186			+ tp->stats.rx_length_errors++;
187			if (status & 0x0004) tp->stats.rx_frame_errors++;
188			if (status & 0x0002) tp->stats.rx_crc_errors++;
189			if (status & 0x0001) tp->stats.rx_fifo_errors++;
190			}
191			} else {
192			- /* Omit the four octet CRC from the length. */
193			- short pkt_len = ((status >> 16) & 0x7ff) - 4;
194			struct sk_buff *skb;
195
196			-#ifndef final_version
197			- if (pkt_len > 1518) {
198			- printk(KERN_WARNING "%s: Bogus packet size of %d (%#x).\n",
199			- dev->name, pkt_len, pkt_len);
200			- pkt_len = 1518;
201			- tp->stats.rx_length_errors++;
202			- }
203			-#endif
204			-
205			/* Check if the packet is long enough to accept without copying
206			to a minimally-sized skbuff. */
207			if (pkt_len < tulip_rx_copybreak
208			diff --git a/drivers/net/tulip/tulip.h b/drivers/net/tulip/tulip.h
209			index 19abbc3..0afa2d4 100644
210			--- a/drivers/net/tulip/tulip.h
211			+++ b/drivers/net/tulip/tulip.h
212			@@ -201,8 +201,38 @@ enum desc_status_bits {
213			DescStartPkt = 0x20000000,
214			DescEndRing = 0x02000000,
215			DescUseLink = 0x01000000,
216			- RxDescFatalErr = 0x008000,
217			+
218			+ /*
219			+ * Error summary flag is logical or of 'CRC Error', 'Collision Seen',
220			+ * 'Frame Too Long', 'Runt' and 'Descriptor Error' flags generated
221			+ * within tulip chip.
222			+ */
223			+ RxDescErrorSummary = 0x8000,
224			+ RxDescCRCError = 0x0002,
225			+ RxDescCollisionSeen = 0x0040,
226			+
227			+ /*
228			+ * 'Frame Too Long' flag is set if packet length including CRC exceeds
229			+ * 1518. However, a full sized VLAN tagged frame is 1522 bytes
230			+ * including CRC.
231			+ *
232			+ * The tulip chip does not block oversized frames, and if this flag is
233			+ * set on a receive descriptor it does not indicate the frame has been
234			+ * truncated. The receive descriptor also includes the actual length.
235			+ * Therefore we can safety ignore this flag and check the length
236			+ * ourselves.
237			+ */
238			+ RxDescFrameTooLong = 0x0080,
239			+ RxDescRunt = 0x0800,
240			+ RxDescDescErr = 0x4000,
241			RxWholePkt = 0x00000300,
242			+ /*
243			+ * Top three bits of 14 bit frame length (status bits 27-29) should
244			+ * never be set as that would make frame over 2047 bytes. The Receive
245			+ * Watchdog flag (bit 4) may indicate the length is over 2048 and the
246			+ * length field is invalid.
247			+ */
248			+ RxLengthOver2047 = 0x38000010
249			};
250
251
252			diff --git a/drivers/pci/iova.c b/drivers/pci/iova.c
253			index 3ef4ac0..078bf8b 100644
254			--- a/drivers/pci/iova.c
255			+++ b/drivers/pci/iova.c
256			@@ -1,9 +1,19 @@
257			/*
258			- * Copyright (c) 2006, Intel Corporation.
259			+ * Copyright © 2006-2009, Intel Corporation.
260			*
261			- * This file is released under the GPLv2.
262			+ * This program is free software; you can redistribute it and/or modify it
263			+ * under the terms and conditions of the GNU General Public License,
264			+ * version 2, as published by the Free Software Foundation.
265			+ *
266			+ * This program is distributed in the hope it will be useful, but WITHOUT
267			+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
268			+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
269			+ * more details.
270			+ *
271			+ * You should have received a copy of the GNU General Public License along with
272			+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
273			+ * Place - Suite 330, Boston, MA 02111-1307 USA.
274			*
275			- * Copyright (C) 2006-2008 Intel Corporation
276			* Author: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
277			*/
278
279			@@ -123,7 +133,15 @@ move_left:
280			/* Insert the new_iova into domain rbtree by holding writer lock */
281			/* Add new node and rebalance tree. */
282			{
283			- struct rb_node *entry = &((prev)), parent = NULL;
284			+ struct rb_node *entry, parent = NULL;
285			+
286			+ /* If we have 'prev', it's a valid place to start the
287			+ insertion. Otherwise, start from the root. */
288			+ if (prev)
289			+ entry = &prev;
290			+ else
291			+ entry = &iovad->rbroot.rb_node;
292			+
293			/* Figure out where to put new node */
294			while (*entry) {
295			struct iova this = container_of(entry,
296			diff --git a/include/linux/mm.h b/include/linux/mm.h
297			index ae9775d..eeb7e56 100644
298			--- a/include/linux/mm.h
299			+++ b/include/linux/mm.h
300			@@ -572,12 +572,10 @@ static inline void set_page_links(struct page *page, enum zone_type zone,
301			*/
302			static inline unsigned long round_hint_to_min(unsigned long hint)
303			{
304			-#ifdef CONFIG_SECURITY
305			hint &= PAGE_MASK;
306			if (((void *)hint != NULL) &&
307			(hint < mmap_min_addr))
308			return PAGE_ALIGN(mmap_min_addr);
309			-#endif
310			return hint;
311			}
312
313			diff --git a/include/linux/personality.h b/include/linux/personality.h
314			index a84e9ff..1261208 100644
315			--- a/include/linux/personality.h
316			+++ b/include/linux/personality.h
317			@@ -40,7 +40,10 @@ enum {
318			* Security-relevant compatibility flags that must be
319			* cleared upon setuid or setgid exec:
320			*/
321			-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC\|ADDR_NO_RANDOMIZE)
322			+#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC \| \
323			+ ADDR_NO_RANDOMIZE \| \
324			+ ADDR_COMPAT_LAYOUT \| \
325			+ MMAP_PAGE_ZERO)
326
327			/*
328			* Personality types.
329			diff --git a/include/linux/security.h b/include/linux/security.h
330			index 80c4d00..1638afd 100644
331			--- a/include/linux/security.h
332			+++ b/include/linux/security.h
333			@@ -2134,6 +2134,8 @@ static inline int security_file_mmap(struct file *file, unsigned long reqprot,
334			unsigned long addr,
335			unsigned long addr_only)
336			{
337			+ if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
338			+ return -EACCES;
339			return 0;
340			}
341
342			diff --git a/kernel/resource.c b/kernel/resource.c
343			index 03d796c..87f675a 100644
344			--- a/kernel/resource.c
345			+++ b/kernel/resource.c
346			@@ -741,7 +741,7 @@ static int __init reserve_setup(char *str)
347			static struct resource reserve[MAXRESERVE];
348
349			for (;;) {
350			- int io_start, io_num;
351			+ unsigned int io_start, io_num;
352			int x = reserved;
353
354			if (get_option (&str, &io_start) != 2)
355			diff --git a/kernel/sysctl.c b/kernel/sysctl.c
356			index 6816e6d..1228d65 100644
357			--- a/kernel/sysctl.c
358			+++ b/kernel/sysctl.c
359			@@ -1132,7 +1132,6 @@ static struct ctl_table vm_table[] = {
360			.strategy = &sysctl_jiffies,
361			},
362			#endif
363			-#ifdef CONFIG_SECURITY
364			{
365			.ctl_name = CTL_UNNUMBERED,
366			.procname = "mmap_min_addr",
367			@@ -1141,7 +1140,6 @@ static struct ctl_table vm_table[] = {
368			.mode = 0644,
369			.proc_handler = &proc_doulongvec_minmax,
370			},
371			-#endif
372			#ifdef CONFIG_NUMA
373			{
374			.ctl_name = CTL_UNNUMBERED,
375			diff --git a/mm/Kconfig b/mm/Kconfig
376			index 0bd9c2d..07b4ec4 100644
377			--- a/mm/Kconfig
378			+++ b/mm/Kconfig
379			@@ -208,3 +208,21 @@ config VIRT_TO_BUS
380
381			config MMU_NOTIFIER
382			bool
383			+
384			+config DEFAULT_MMAP_MIN_ADDR
385			+ int "Low address space to protect from user allocation"
386			+ default 4096
387			+ help
388			+ This is the portion of low virtual memory which should be protected
389			+ from userspace allocation. Keeping a user from writing to low pages
390			+ can help reduce the impact of kernel NULL pointer bugs.
391			+
392			+ For most ia64, ppc64 and x86 users with lots of address space
393			+ a value of 65536 is reasonable and should cause no problems.
394			+ On arm and other archs it should not be higher than 32768.
395			+ Programs which use vm86 functionality would either need additional
396			+ permissions from either the LSM or the capabilities module or have
397			+ this protection disabled.
398			+
399			+ This value can be changed after boot using the
400			+ /proc/sys/vm/mmap_min_addr tunable.
401			diff --git a/mm/mmap.c b/mm/mmap.c
402			index 2ae093e..d330758 100644
403			--- a/mm/mmap.c
404			+++ b/mm/mmap.c
405			@@ -86,6 +86,9 @@ int sysctl_overcommit_ratio = 50; /* default is 50% */
406			int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
407			atomic_long_t vm_committed_space = ATOMIC_LONG_INIT(0);
408
409			+/* amount of vm to protect from userspace access */
410			+unsigned long mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
411			+
412			/*
413			* Check that a process has enough memory to allocate a new virtual
414			* mapping. 0 means there is enough memory for the allocation to
415			diff --git a/security/Kconfig b/security/Kconfig
416			index 5592939..38411dd 100644
417			--- a/security/Kconfig
418			+++ b/security/Kconfig
419			@@ -92,28 +92,8 @@ config SECURITY_ROOTPLUG
420
421			See <http://www.linuxjournal.com/article.php?sid=6279> for
422			more information about this module.
423			-
424			- If you are unsure how to answer this question, answer N.
425			-
426			-config SECURITY_DEFAULT_MMAP_MIN_ADDR
427			- int "Low address space to protect from user allocation"
428			- depends on SECURITY
429			- default 0
430			- help
431			- This is the portion of low virtual memory which should be protected
432			- from userspace allocation. Keeping a user from writing to low pages
433			- can help reduce the impact of kernel NULL pointer bugs.
434			-
435			- For most ia64, ppc64 and x86 users with lots of address space
436			- a value of 65536 is reasonable and should cause no problems.
437			- On arm and other archs it should not be higher than 32768.
438			- Programs which use vm86 functionality would either need additional
439			- permissions from either the LSM or the capabilities module or have
440			- this protection disabled.
441			-
442			- This value can be changed after boot using the
443			- /proc/sys/vm/mmap_min_addr tunable.
444
445			+ If you are unsure how to answer this question, answer N.
446
447			source security/selinux/Kconfig
448			source security/smack/Kconfig
449			diff --git a/security/security.c b/security/security.c
450			index 3a4b4f5..27a315d 100644
451			--- a/security/security.c
452			+++ b/security/security.c
453			@@ -26,9 +26,6 @@ extern void security_fixup_ops(struct security_operations *ops);
454
455			struct security_operations security_ops; / Initialized to NULL */
456
457			-/* amount of vm to protect from userspace access */
458			-unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR;
459			-
460			static inline int verify(struct security_operations *ops)
461			{
462			/* verify the security_operations structure exists */