Contents of /trunk/kernel26-alx/patches-2.6.27-r3/0126-2.6.27.27-all-fixes.patch
Revision 1176 -
Thu Oct 14 15:11:06 2010 UTC (13 years, 11 months ago) by niro
File size: 17113 byte(s)
-2.6.27-alx-r3: new magellan 0.5.2 kernel
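diff --git a/Makefile b/Makefile
index 90764ee..387a5fd 100644
--- a/Makefile
+++ b/Makefile
@@ -340,7 +340,8 @@ KBUILD_CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
 
 KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
 -fno-strict-aliasing -fno-common \
- -Werror-implicit-function-declaration
+ -Werror-implicit-function-declaration \
+ -fno-delete-null-pointer-checks
 KBUILD_AFLAGS := -D__ASSEMBLY__
 
 # Read KERNELRELEASE from include/config/kernel.release (if it exists)
@@ -556,7 +557,7 @@ KBUILD_CFLAGS += $(call cc-option,-Wdeclaration-after-statement,)
 KBUILD_CFLAGS += $(call cc-option,-Wno-pointer-sign,)
 
 # disable invalid "can't wrap" optimzations for signed / pointers
-KBUILD_CFLAGS += $(call cc-option,-fwrapv)
+KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow)
 
 # Add user supplied CPPFLAGS, AFLAGS and CFLAGS as the last assignments
 # But warn user when we do so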
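Review bot: `-fno-delete-null-pointer-checks` is appended to the base `KBUILD_CFLAGS` assignment unconditionally, whereas the second hunk passes `-fno-strict-overflow` through `cc-option`; a compiler that does not recognise the flag would fail every compile instead of skipping it. I would put it on its own line, `KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,)`. The flag also deserves a comment saying why it is there, e.g. `# keep NULL checks that follow a dereference: the kernel cannot assume address 0 is unmapped`.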
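diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 615fcd3..5900f76 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3320,7 +3320,10 @@ static inline int set_geometry(unsigned int cmd, struct floppy_struct *g,
 if (!capable(CAP_SYS_ADMIN))
 return -EPERM;
 mutex_lock(&open_lock);
- LOCK_FDC(drive, 1);
+ if (lock_fdc(drive, 1)) {
+ mutex_unlock(&open_lock);
+ return -EINTR;
+ }
 floppy_type[type] = *g;
 floppy_type[type].name = "user format";
 for (cnt = type << 2; cnt < (type << 2) + 4; cnt++)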
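Review bot: The reason for open-coding `lock_fdc()` at this call site is not recorded, so a later cleanup could put the macro back. Judging from the removed line, `LOCK_FDC` appears to return from the caller on failure, which would leave `open_lock` held; a one-line comment before the call, e.g. `/* not LOCK_FDC(): its early return would skip mutex_unlock(&open_lock) */`, would preserve that reasoning. set_geometry starts and ends outside this hunk, so whether other exits after `mutex_lock(&open_lock)` have the same problem cannot be checked from here.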
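diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 925efaf..ace998c 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -265,10 +265,6 @@ static int dm_blk_open(struct inode *inode, struct file *file)
 goto out;
 }
 
- if (test_bit(DMF_FREEING, &md->flags) ||
- test_bit(DMF_DELETING, &md->flags))
- return NULL;
-
 dm_get(md);
 atomic_inc(&md->open_count);
 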
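diff --git a/drivers/net/tulip/interrupt.c b/drivers/net/tulip/interrupt.c
index c6bad98..7faf84f 100644
--- a/drivers/net/tulip/interrupt.c
+++ b/drivers/net/tulip/interrupt.c
@@ -140,6 +140,7 @@ int tulip_poll(struct napi_struct *napi, int budget)
 /* If we own the next entry, it is a new packet. Send it up. */
 while ( ! (tp->rx_ring[entry].status & cpu_to_le32(DescOwned))) {
 s32 status = le32_to_cpu(tp->rx_ring[entry].status);
+ short pkt_len;
 
 if (tp->dirty_rx + RX_RING_SIZE == tp->cur_rx)
 break;
@@ -151,8 +152,28 @@ int tulip_poll(struct napi_struct *napi, int budget)
 if (++work_done >= budget)
 goto not_done;
 
- if ((status & 0x38008300) != 0x0300) {
- if ((status & 0x38000300) != 0x0300) {
+ /*
+ * Omit the four octet CRC from the length.
+ * (May not be considered valid until we have
+ * checked status for RxLengthOver2047 bits)
+ */
+ pkt_len = ((status >> 16) & 0x7ff) - 4;
+
+ /*
+ * Maximum pkt_len is 1518 (1514 + vlan header)
+ * Anything higher than this is always invalid
+ * regardless of RxLengthOver2047 bits
+ */
+
+ if ((status & (RxLengthOver2047 |
+ RxDescCRCError |
+ RxDescCollisionSeen |
+ RxDescRunt |
+ RxDescDescErr |
+ RxWholePkt)) != RxWholePkt
+ || pkt_len > 1518) {
+ if ((status & (RxLengthOver2047 |
+ RxWholePkt)) != RxWholePkt) {
 /* Ingore earlier buffers. */
 if ((status & 0xffff) != 0x7fff) {
 if (tulip_debug > 1)
@@ -161,30 +182,23 @@ int tulip_poll(struct napi_struct *napi, int budget)
 dev->name, status);
 tp->stats.rx_length_errors++;
 }
- } else if (status & RxDescFatalErr) {
+ } else {
 /* There was a fatal error. */
 if (tulip_debug > 2)
 printk(KERN_DEBUG "%s: Receive error, Rx status %8.8x.\n",
 dev->name, status);
 tp->stats.rx_errors++; /* end of a packet.*/
- if (status & 0x0890) tp->stats.rx_length_errors++;
+ if (pkt_len > 1518 ||
+ (status & RxDescRunt))
+ tp->stats.rx_length_errors++;
+
 if (status & 0x0004) tp->stats.rx_frame_errors++;
 if (status & 0x0002) tp->stats.rx_crc_errors++;
 if (status & 0x0001) tp->stats.rx_fifo_errors++;
 }
 } else {
- /* Omit the four octet CRC from the length. */
- short pkt_len = ((status >> 16) & 0x7ff) - 4;
 struct sk_buff *skb;
 
-#ifndef final_version
- if (pkt_len > 1518) {
- printk(KERN_WARNING "%s: Bogus packet size of %d (%#x).\n",
- dev->name, pkt_len, pkt_len);
- pkt_len = 1518;
- tp->stats.rx_length_errors++;
- }
-#endif
 /* Check if the packet is long enough to accept without copying
 to a minimally-sized skbuff. */
 if (pkt_len < tulip_rx_copybreak
@@ -357,14 +371,35 @@ static int tulip_rx(struct net_device *dev)
 /* If we own the next entry, it is a new packet. Send it up. */
 while ( ! (tp->rx_ring[entry].status & cpu_to_le32(DescOwned))) {
 s32 status = le32_to_cpu(tp->rx_ring[entry].status);
+ short pkt_len;
 
 if (tulip_debug > 5)
 printk(KERN_DEBUG "%s: In tulip_rx(), entry %d %8.8x.\n",
 dev->name, entry, status);
 if (--rx_work_limit < 0)
 break;
- if ((status & 0x38008300) != 0x0300) {
- if ((status & 0x38000300) != 0x0300) {
+
+ /*
+ Omit the four octet CRC from the length.
+ (May not be considered valid until we have
+ checked status for RxLengthOver2047 bits)
+ */
+ pkt_len = ((status >> 16) & 0x7ff) - 4;
+ /*
+ Maximum pkt_len is 1518 (1514 + vlan header)
+ Anything higher than this is always invalid
+ regardless of RxLengthOver2047 bits
+ */
+
+ if ((status & (RxLengthOver2047 |
+ RxDescCRCError |
+ RxDescCollisionSeen |
+ RxDescRunt |
+ RxDescDescErr |
+ RxWholePkt)) != RxWholePkt
+ || pkt_len > 1518) {
+ if ((status & (RxLengthOver2047 |
+ RxWholePkt)) != RxWholePkt) {
 /* Ingore earlier buffers. */
 if ((status & 0xffff) != 0x7fff) {
 if (tulip_debug > 1)
@@ -373,31 +408,22 @@ static int tulip_rx(struct net_device *dev)
 dev->name, status);
 tp->stats.rx_length_errors++;
 }
- } else if (status & RxDescFatalErr) {
+ } else {
 /* There was a fatal error. */
 if (tulip_debug > 2)
 printk(KERN_DEBUG "%s: Receive error, Rx status %8.8x.\n",
 dev->name, status);
 tp->stats.rx_errors++; /* end of a packet.*/
- if (status & 0x0890) tp->stats.rx_length_errors++;
+ if (pkt_len > 1518 ||
+ (status & RxDescRunt))
+ tp->stats.rx_length_errors++;
 if (status & 0x0004) tp->stats.rx_frame_errors++;
 if (status & 0x0002) tp->stats.rx_crc_errors++;
 if (status & 0x0001) tp->stats.rx_fifo_errors++;
 }
 } else {
- /* Omit the four octet CRC from the length. */
- short pkt_len = ((status >> 16) & 0x7ff) - 4;
 struct sk_buff *skb;
 
-#ifndef final_version
- if (pkt_len > 1518) {
- printk(KERN_WARNING "%s: Bogus packet size of %d (%#x).\n",
- dev->name, pkt_len, pkt_len);
- pkt_len = 1518;
- tp->stats.rx_length_errors++;
- }
-#endif
-
 /* Check if the packet is long enough to accept without copying
 to a minimally-sized skbuff. */
 if (pkt_len < tulip_rx_copybreak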
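Review bot: The new length test has an upper bound only, in both tulip_poll and tulip_rx. `pkt_len` is a `short` computed as `((status >> 16) & 0x7ff) - 4`, so a descriptor length field below 4 gives a negative value that passes `pkt_len > 1518` and reaches the accept branch, whose copy code lies outside these hunks. The runt bit probably covers this on real hardware, but the descriptor is device-written, so I would reject it explicitly with `|| pkt_len < 0 || pkt_len > 1518) {` in both functions. The literal 1518 now appears four times; a named constant kept next to the status bits in tulip.h would stop the two receive paths drifting apart.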
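diff --git a/drivers/net/tulip/tulip.h b/drivers/net/tulip/tulip.h
index 19abbc3..0afa2d4 100644
--- a/drivers/net/tulip/tulip.h
+++ b/drivers/net/tulip/tulip.h
@@ -201,8 +201,38 @@ enum desc_status_bits {
 DescStartPkt = 0x20000000,
 DescEndRing = 0x02000000,
 DescUseLink = 0x01000000,
- RxDescFatalErr = 0x008000,
+
+ /*
+ * Error summary flag is logical or of 'CRC Error', 'Collision Seen',
+ * 'Frame Too Long', 'Runt' and 'Descriptor Error' flags generated
+ * within tulip chip.
+ */
+ RxDescErrorSummary = 0x8000,
+ RxDescCRCError = 0x0002,
+ RxDescCollisionSeen = 0x0040,
+
+ /*
+ * 'Frame Too Long' flag is set if packet length including CRC exceeds
+ * 1518. However, a full sized VLAN tagged frame is 1522 bytes
+ * including CRC.
+ *
+ * The tulip chip does not block oversized frames, and if this flag is
+ * set on a receive descriptor it does not indicate the frame has been
+ * truncated. The receive descriptor also includes the actual length.
+ * Therefore we can safety ignore this flag and check the length
+ * ourselves.
+ */
+ RxDescFrameTooLong = 0x0080,
+ RxDescRunt = 0x0800,
+ RxDescDescErr = 0x4000,
 RxWholePkt = 0x00000300,
+ /*
+ * Top three bits of 14 bit frame length (status bits 27-29) should
+ * never be set as that would make frame over 2047 bytes. The Receive
+ * Watchdog flag (bit 4) may indicate the length is over 2048 and the
+ * length field is invalid.
+ */
+ RxLengthOver2047 = 0x38000010
 };
 
 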
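Review bot: Two of the new comments need a wording fix: "we can safety ignore this flag" should read "safely", and the `RxLengthOver2047` comment gives the limit as 2047 in one sentence and 2048 in the next. `RxLengthOver2047` also folds the Receive Watchdog bit (0x10) into a mask named after the length bits, so giving that bit its own enumerator and OR-ing it in would make the masks in interrupt.c easier to audit. `RxDescFatalErr` is removed here, so any user outside the files in this patch would stop compiling; none is visible from this page.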
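diff --git a/drivers/pci/iova.c b/drivers/pci/iova.c
index 3ef4ac0..078bf8b 100644
--- a/drivers/pci/iova.c
+++ b/drivers/pci/iova.c
@@ -1,9 +1,19 @@
 /*
- * Copyright (c) 2006, Intel Corporation.
+ * Copyright © 2006-2009, Intel Corporation.
 *
- * This file is released under the GPLv2.
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307 USA.
 *
- * Copyright (C) 2006-2008 Intel Corporation
 * Author: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
 */
 
@@ -123,7 +133,15 @@ move_left:
 /* Insert the new_iova into domain rbtree by holding writer lock */
 /* Add new node and rebalance tree. */
 {
- struct rb_node **entry = &((prev)), *parent = NULL;
+ struct rb_node **entry, *parent = NULL;
+
+ /* If we have 'prev', it's a valid place to start the
+ insertion. Otherwise, start from the root. */
+ if (prev)
+ entry = &prev;
+ else
+ entry = &iovad->rbroot.rb_node;
+
 /* Figure out where to put new node */
 while (*entry) {
 struct iova *this = container_of(*entry,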
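Review bot: `entry = &prev` starts the walk at the address of a local variable, and the new comment does not say why that is safe. It holds only because a non-NULL `prev` makes the `while (*entry)` loop run at least once, which presumably moves `entry` onto a child link inside the tree before it is used for linking. I would extend the comment with that invariant, e.g. `/* prev is non-NULL here, so the loop below always advances entry off this local */`. The loop body and the linking call are outside the hunk, so this reading is inferred from the loop header alone.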
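diff --git a/include/linux/mm.h b/include/linux/mm.h
index ae9775d..eeb7e56 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -572,12 +572,10 @@ static inline void set_page_links(struct page *page, enum zone_type zone,
 */
 static inline unsigned long round_hint_to_min(unsigned long hint)
 {
-#ifdef CONFIG_SECURITY
 hint &= PAGE_MASK;
 if (((void *)hint != NULL) &&
 (hint < mmap_min_addr))
 return PAGE_ALIGN(mmap_min_addr);
-#endif
 return hint;
 }
 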
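diff --git a/include/linux/personality.h b/include/linux/personality.h
index a84e9ff..1261208 100644
--- a/include/linux/personality.h
+++ b/include/linux/personality.h
@@ -40,7 +40,10 @@ enum {
 * Security-relevant compatibility flags that must be
 * cleared upon setuid or setgid exec:
 */
-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
+#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
+ ADDR_NO_RANDOMIZE | \
+ ADDR_COMPAT_LAYOUT | \
+ MMAP_PAGE_ZERO)
 
 /*
 * Personality types.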
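Review bot: The comment above `PER_CLEAR_ON_SETID` still says only that the flags are security-relevant, with no reason given for any of the four now listed, which makes it hard to judge whether a future personality bit belongs in the mask. A short per-flag rationale in that comment would help, e.g. `MMAP_PAGE_ZERO: maps page zero, defeating mmap_min_addr` and `ADDR_COMPAT_LAYOUT: selects the legacy, more predictable mmap layout`. The comment and the enum that defines these flags begin outside the hunk.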
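diff --git a/include/linux/security.h b/include/linux/security.h
index 80c4d00..1638afd 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2134,6 +2134,8 @@ static inline int security_file_mmap(struct file *file, unsigned long reqprot,
 unsigned long addr,
 unsigned long addr_only)
 {
+ if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
+ return -EACCES;
 return 0;
 }
 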
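Review bot: This inline `security_file_mmap()`, which looks like the stub for kernels built without CONFIG_SECURITY, now carries its own copy of the low-address policy, and nothing on these lines says which check it mirrors, so the two can drift apart. I would add a comment above the test, e.g. `/* no LSM: still enforce mmap_min_addr; CAP_SYS_RAWIO may map below it */`. The stub also relies on `mmap_min_addr` and `capable()` being declared in this half of the header, which is not visible in the hunk and is worth confirming with a CONFIG_SECURITY=n build.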
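diff --git a/kernel/resource.c b/kernel/resource.c
index 03d796c..87f675a 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -741,7 +741,7 @@ static int __init reserve_setup(char *str)
 static struct resource reserve[MAXRESERVE];
 
 for (;;) {
- int io_start, io_num;
+ unsigned int io_start, io_num;
 int x = reserved;
 
 if (get_option (&str, &io_start) != 2)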
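Review bot: `io_start` and `io_num` become `unsigned int`, but the visible call still passes `&io_start` to `get_option()`, whose second parameter is `int *`. That compiles quietly only because the Makefile sets `-Wno-pointer-sign`, and a negative value on the command line is now read as a large unsigned one with no range check in the hunk. A comment on the declaration stating the intent, e.g. `/* unsigned: must not sign-extend when widened to resource_size_t */`, would help; the assignment it protects is outside the hunk, so that purpose is inferred. The loop body continues past the end of the hunk.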
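diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 6816e6d..1228d65 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1132,7 +1132,6 @@ static struct ctl_table vm_table[] = {
 .strategy = &sysctl_jiffies,
 },
 #endif
-#ifdef CONFIG_SECURITY
 {
 .ctl_name = CTL_UNNUMBERED,
 .procname = "mmap_min_addr",
@@ -1141,7 +1140,6 @@ static struct ctl_table vm_table[] = {
 .mode = 0644,
 .proc_handler = &proc_doulongvec_minmax,
 },
-#endif
 #ifdef CONFIG_NUMA
 {
 .ctl_name = CTL_UNNUMBERED,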
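diff --git a/mm/Kconfig b/mm/Kconfig
index 0bd9c2d..07b4ec4 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -208,3 +208,21 @@ config VIRT_TO_BUS
 
 config MMU_NOTIFIER
 bool
+
+config DEFAULT_MMAP_MIN_ADDR
+ int "Low address space to protect from user allocation"
+ default 4096
+ help
+ This is the portion of low virtual memory which should be protected
+ from userspace allocation. Keeping a user from writing to low pages
+ can help reduce the impact of kernel NULL pointer bugs.
+
+ For most ia64, ppc64 and x86 users with lots of address space
+ a value of 65536 is reasonable and should cause no problems.
+ On arm and other archs it should not be higher than 32768.
+ Programs which use vm86 functionality would either need additional
+ permissions from either the LSM or the capabilities module or have
+ this protection disabled.
+
+ This value can be changed after boot using the
+ /proc/sys/vm/mmap_min_addr tunable.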
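Review bot: The entry defaults to 4096 while its own help text calls 65536 reasonable for most ia64, ppc64 and x86 systems, and the help never states the shipped default or that a value of 0 switches the protection off. One protected page only catches NULL dereferences at small offsets, so I would say so in the help, e.g. `The default of 4096 protects only the first page; 0 disables the check.` A `range` line would also stop a typo from producing an unusable value.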
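diff --git a/mm/mmap.c b/mm/mmap.c
index 2ae093e..d330758 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -86,6 +86,9 @@ int sysctl_overcommit_ratio = 50; /* default is 50% */
 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
 atomic_long_t vm_committed_space = ATOMIC_LONG_INIT(0);
 
+/* amount of vm to protect from userspace access */
+unsigned long mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
+
 /*
 * Check that a process has enough memory to allocate a new virtual
 * mapping. 0 means there is enough memory for the allocation to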
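diff --git a/security/Kconfig b/security/Kconfig
index 5592939..38411dd 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -92,28 +92,8 @@ config SECURITY_ROOTPLUG
 
 See <http://www.linuxjournal.com/article.php?sid=6279> for
 more information about this module.
-
- If you are unsure how to answer this question, answer N.
-
-config SECURITY_DEFAULT_MMAP_MIN_ADDR
- int "Low address space to protect from user allocation"
- depends on SECURITY
- default 0
- help
- This is the portion of low virtual memory which should be protected
- from userspace allocation. Keeping a user from writing to low pages
- can help reduce the impact of kernel NULL pointer bugs.
-
- For most ia64, ppc64 and x86 users with lots of address space
- a value of 65536 is reasonable and should cause no problems.
- On arm and other archs it should not be higher than 32768.
- Programs which use vm86 functionality would either need additional
- permissions from either the LSM or the capabilities module or have
- this protection disabled.
-
- This value can be changed after boot using the
- /proc/sys/vm/mmap_min_addr tunable.
 
+ If you are unsure how to answer this question, answer N.
 
 source security/selinux/Kconfig
 source security/smack/Kconfig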
449 | diff --git a/security/security.c b/security/security.c |
450 | index 3a4b4f5..27a315d 100644 |
451 | --- a/security/security.c |
452 | +++ b/security/security.c |
453 | @@ -26,9 +26,6 @@ extern void security_fixup_ops(struct security_operations *ops); |
454 | |
455 | struct security_operations *security_ops; /* Initialized to NULL */ |
456 | |
457 | -/* amount of vm to protect from userspace access */ |
458 | -unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR; |
459 | - |
460 | static inline int verify(struct security_operations *ops) |
461 | { |
462 | /* verify the security_operations structure exists */ |