linux-toradex.git, branch v2.6.16.61 Linux kernel for Apalis and Colibri modules Linux 2.6.16.61 2008-07-16T21:59:20+00:00 Adrian Bunk bunk@kernel.org 2008-07-16T21:59:20+00:00 ca891ff02547982647997d7d0eb1071d94fe4e86 






Linux 2.6.16.61-rc1
2008-07-14T18:09:24+00:00

Adrian Bunk
bunk@kernel.org

2008-07-14T18:09:24+00:00

bf05449fd715e07f967114e7469197e4e7895472












3w-xxxx: Prevent data corruption
2008-07-14T18:09:24+00:00

3ware Inc
bunk@kernel.org

2008-07-14T18:09:24+00:00

797fbc12708d07601ac379c92bd1ba777d79d66c

Use default DMA data direction to prevent data corruption
when using SWIOTLB with 4GB+ on EM64T.

http://www.3ware.com/KB/article.aspx?id=15243&cNode=6I1C6S

Acked-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>





Use default DMA data direction to prevent data corruption
when using SWIOTLB with 4GB+ on EM64T.

http://www.3ware.com/KB/article.aspx?id=15243&cNode=6I1C6S

Acked-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>







fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)
2008-07-14T18:09:23+00:00

Al Viro
viro@zeniv.linux.org.uk

2008-07-14T18:09:23+00:00

89ebd169dd1e8be2c11c100c4decbffdcbd6466b

fcntl_setlk()/close() race prevention has a subtle hole - we need to
make sure that if we *do* have an fcntl/close race on SMP box, the
access to descriptor table and inode->i_flock won't get reordered.

As it is, we get STORE inode->i_flock, LOAD descriptor table entry vs.
STORE descriptor table entry, LOAD inode->i_flock with not a single
lock in common on both sides.  We do have BKL around the first STORE,
but check in locks_remove_posix() is outside of BKL and for a good
reason - we don't want BKL on common path of close(2).

Solution is to hold ->file_lock around fcheck() in there; that orders
us wrt removal from descriptor table that preceded locks_remove_posix()
on close path and we either come first (in which case eviction will be
handled by the close side) or we'll see the effect of close and do
eviction ourselves.  Note that even though it's read-only access,
we do need ->file_lock here - rcu_read_lock() won't be enough to
order the things.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Adrian Bunk <bunk@kernel.org>





fcntl_setlk()/close() race prevention has a subtle hole - we need to
make sure that if we *do* have an fcntl/close race on SMP box, the
access to descriptor table and inode->i_flock won't get reordered.

As it is, we get STORE inode->i_flock, LOAD descriptor table entry vs.
STORE descriptor table entry, LOAD inode->i_flock with not a single
lock in common on both sides.  We do have BKL around the first STORE,
but check in locks_remove_posix() is outside of BKL and for a good
reason - we don't want BKL on common path of close(2).

Solution is to hold ->file_lock around fcheck() in there; that orders
us wrt removal from descriptor table that preceded locks_remove_posix()
on close path and we either come first (in which case eviction will be
handled by the close side) or we'll see the effect of close and do
eviction ourselves.  Note that even though it's read-only access,
we do need ->file_lock here - rcu_read_lock() won't be enough to
order the things.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Adrian Bunk <bunk@kernel.org>







sit: Add missing kfree_skb() on pskb_may_pull() failure. (CVE-2008-2136)
2008-07-14T18:09:23+00:00

David S. Miller
davem@davemloft.net

2008-07-14T18:09:23+00:00

873496a3485950402ee0436c9d17eeb789157b10

Noticed by Paul Marks <paul@pmarks.net>.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>





Noticed by Paul Marks <paul@pmarks.net>.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>







[NETFILTER]: Fix warnings in ip_nat_snmp_basic.c
2008-07-14T18:09:23+00:00

David S. Miller
davem@davemloft.net

2008-07-14T18:09:23+00:00

952ba4e3bd0b3587c4f6f844c0903370e0ec2ac0

net/ipv4/netfilter/ip_nat_snmp_basic.c: In function 'asn1_header_decode':
net/ipv4/netfilter/ip_nat_snmp_basic.c:248: warning: 'len' may be used unini
net/ipv4/netfilter/ip_nat_snmp_basic.c:248: warning: 'def' may be used unini
net/ipv4/netfilter/ip_nat_snmp_basic.c: In function 'snmp_translate':
net/ipv4/netfilter/ip_nat_snmp_basic.c:672: warning: 'l' may be used uniniti
net/ipv4/netfilter/ip_nat_snmp_basic.c:668: warning: 'type' may be used unin

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>





net/ipv4/netfilter/ip_nat_snmp_basic.c: In function 'asn1_header_decode':
net/ipv4/netfilter/ip_nat_snmp_basic.c:248: warning: 'len' may be used unini
net/ipv4/netfilter/ip_nat_snmp_basic.c:248: warning: 'def' may be used unini
net/ipv4/netfilter/ip_nat_snmp_basic.c: In function 'snmp_translate':
net/ipv4/netfilter/ip_nat_snmp_basic.c:672: warning: 'l' may be used uniniti
net/ipv4/netfilter/ip_nat_snmp_basic.c:668: warning: 'type' may be used unin

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>







asn1: additional sanity checking during BER decoding (CVE-2008-1673)
2008-07-14T18:09:23+00:00

Chris Wright
chrisw@sous-sol.org

2008-07-14T18:09:23+00:00

ce76a6f4392d1f1ca37fe9514daa69a99db2fcb7

- Don't trust a length which is greater than the working buffer.
  An invalid length could cause overflow when calculating buffer size
  for decoding oid.

- An oid length of zero is invalid and allows for an off-by-one error when
  decoding oid because the first subid actually encodes first 2 subids.

- A primitive encoding may not have an indefinite length.

Thanks to Wei Wang from McAfee for report.

Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>





- Don't trust a length which is greater than the working buffer.
  An invalid length could cause overflow when calculating buffer size
  for decoding oid.

- An oid length of zero is invalid and allows for an off-by-one error when
  decoding oid because the first subid actually encodes first 2 subids.

- A primitive encoding may not have an indefinite length.

Thanks to Wei Wang from McAfee for report.

Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>







TCP: Fix shrinking windows with window scaling
2008-07-14T18:09:22+00:00

Patrick McHardy
kaber@trash.net

2008-07-14T18:09:22+00:00

b9954f3d67c9f9e8611ec6c94955eecc0e309a26

Upstream commit: 607bfbf2d55dd1cfe5368b41c2a81a8c9ccf4723

When selecting a new window, tcp_select_window() tries not to shrink
the offered window by using the maximum of the remaining offered window
size and the newly calculated window size. The newly calculated window
size is always a multiple of the window scaling factor, the remaining
window size however might not be since it depends on rcv_wup/rcv_nxt.
This means we're effectively shrinking the window when scaling it down.

The dump below shows the problem (scaling factor 2^7):

- Window size of 557 (71296) is advertised, up to 3111907257:

IP 172.2.2.3.33000 > 172.2.2.2.33000: . ack 3111835961 win 557 <...>

- New window size of 514 (65792) is advertised, up to 3111907217, 40 bytes
  below the last end:

IP 172.2.2.3.33000 > 172.2.2.2.33000: . 3113575668:3113577116(1448) ack 3111841425 win 514 <...>

The number 40 results from downscaling the remaining window:

3111907257 - 3111841425 = 65832
65832 / 2^7 = 514
65832 % 2^7 = 40

If the sender uses up the entire window before it is shrunk, this can have
chaotic effects on the connection. When sending ACKs, tcp_acceptable_seq()
will notice that the window has been shrunk since tcp_wnd_end() is before
tp->snd_nxt, which makes it choose tcp_wnd_end() as sequence number.
This will fail the receivers checks in tcp_sequence() however since it
is before it's tp->rcv_wup, making it respond with a dupack.

If both sides are in this condition, this leads to a constant flood of
ACKs until the connection times out.

Make sure the window is never shrunk by aligning the remaining window to
the window scaling factor.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>





Upstream commit: 607bfbf2d55dd1cfe5368b41c2a81a8c9ccf4723

When selecting a new window, tcp_select_window() tries not to shrink
the offered window by using the maximum of the remaining offered window
size and the newly calculated window size. The newly calculated window
size is always a multiple of the window scaling factor, the remaining
window size however might not be since it depends on rcv_wup/rcv_nxt.
This means we're effectively shrinking the window when scaling it down.

The dump below shows the problem (scaling factor 2^7):

- Window size of 557 (71296) is advertised, up to 3111907257:

IP 172.2.2.3.33000 > 172.2.2.2.33000: . ack 3111835961 win 557 <...>

- New window size of 514 (65792) is advertised, up to 3111907217, 40 bytes
  below the last end:

IP 172.2.2.3.33000 > 172.2.2.2.33000: . 3113575668:3113577116(1448) ack 3111841425 win 514 <...>

The number 40 results from downscaling the remaining window:

3111907257 - 3111841425 = 65832
65832 / 2^7 = 514
65832 % 2^7 = 40

If the sender uses up the entire window before it is shrunk, this can have
chaotic effects on the connection. When sending ACKs, tcp_acceptable_seq()
will notice that the window has been shrunk since tcp_wnd_end() is before
tp->snd_nxt, which makes it choose tcp_wnd_end() as sequence number.
This will fail the receivers checks in tcp_sequence() however since it
is before it's tp->rcv_wup, making it respond with a dupack.

If both sides are in this condition, this leads to a constant flood of
ACKs until the connection times out.

Make sure the window is never shrunk by aligning the remaining window to
the window scaling factor.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>







x86: Replace NSC/Cyrix specific chipset access macros by inlined functions.
2008-07-14T18:08:34+00:00

Juergen Beisert
juergen@kreuzholzen.de

2008-07-06T15:17:23+00:00

69731ebbb3d2283c2c33a2bf262d785e2362b876

Due to index register access ordering problems, when using macros a line
like this fails (and does nothing):

    setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88);

With inlined functions this line will work as expected.

Note about a side effect: Seems on Geode GX1 based systems the
"suspend on halt power saving feature" was never enabled due to this
wrong macro expansion. With inlined functions it will be enabled, but
this will stop the TSC when the CPU runs into a HLT instruction.
Kernel output something like this:
    Clocksource tsc unstable (delta = -472746897 ns)

This is the 3rd version of this patch.

 - Adding missed arch/i386/kernel/cpu/mtrr/state.c
    Thanks to Andres Salomon
 - Adding some big fat comments into the new header file
    Suggested by Andi Kleen

AK: fixed x86-64 compilation

Adrian Bunk:
Added workaround for x86_64 compilation.

Signed-off-by: Juergen Beisert <juergen@kreuzholzen.de>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>





Due to index register access ordering problems, when using macros a line
like this fails (and does nothing):

    setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88);

With inlined functions this line will work as expected.

Note about a side effect: Seems on Geode GX1 based systems the
"suspend on halt power saving feature" was never enabled due to this
wrong macro expansion. With inlined functions it will be enabled, but
this will stop the TSC when the CPU runs into a HLT instruction.
Kernel output something like this:
    Clocksource tsc unstable (delta = -472746897 ns)

This is the 3rd version of this patch.

 - Adding missed arch/i386/kernel/cpu/mtrr/state.c
    Thanks to Andres Salomon
 - Adding some big fat comments into the new header file
    Suggested by Andi Kleen

AK: fixed x86-64 compilation

Adrian Bunk:
Added workaround for x86_64 compilation.

Signed-off-by: Juergen Beisert <juergen@kreuzholzen.de>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>







Disable DETECT_SOFTLOCKUP for s390
2008-04-10T21:33:23+00:00

Heiko Carstens
heiko.carstens@de.ibm.com

2008-04-10T21:33:23+00:00

8b828b3c8e88d9c462f5389654c84aae3e42392e

From: Heiko Carstens <heiko.carstens@de.ibm.com>

We got several false bug reports because of enabled
CONFIG_DETECT_SOFTLOCKUP.  Disable soft lockup detection on s390, since it
doesn't work on a virtualized architecture.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>





From: Heiko Carstens <heiko.carstens@de.ibm.com>

We got several false bug reports because of enabled
CONFIG_DETECT_SOFTLOCKUP.  Disable soft lockup detection on s390, since it
doesn't work on a virtualized architecture.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>