linux-toradex.git, branch v2.6.30.4 Linux kernel for Apalis and Colibri modules Linux 2.6.30.4 2009-07-30T22:34:47+00:00 Greg Kroah-Hartman gregkh@suse.de 2009-07-30T22:34:47+00:00 a616b3e5a8c7a379f2fd4bc4e153868509fec94a 






eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key size (CVE-2009-2407)
2009-07-30T21:40:36+00:00

Ramon de Carvalho Valle
ramon@risesecurity.org

2009-07-28T18:58:22+00:00

59a1c9b5b74e95eea73a6f85c574bd63031a0bcf

commit f151cd2c54ddc7714e2f740681350476cda03a28 upstream.

The parse_tag_3_packet function does not check if the tag 3 packet contains a
encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.

Signed-off-by: Ramon de Carvalho Valle <ramon@risesecurity.org>
[tyhicks@linux.vnet.ibm.com: Added printk newline and changed goto to out_free]
Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit f151cd2c54ddc7714e2f740681350476cda03a28 upstream.

The parse_tag_3_packet function does not check if the tag 3 packet contains a
encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.

Signed-off-by: Ramon de Carvalho Valle <ramon@risesecurity.org>
[tyhicks@linux.vnet.ibm.com: Added printk newline and changed goto to out_free]
Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








eCryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406)
2009-07-30T21:40:35+00:00

Tyler Hicks
tyhicks@linux.vnet.ibm.com

2009-07-28T18:57:01+00:00

4df9205138cd0c610b52eefe1ecdafdaf65cfb12

commit 6352a29305373ae6196491e6d4669f301e26492e upstream.

Tag 11 packets are stored in the metadata section of an eCryptfs file to
store the key signature(s) used to encrypt the file encryption key.
After extracting the packet length field to determine the key signature
length, a check is not performed to see if the length would exceed the
key signature buffer size that was passed into parse_tag_11_packet().

Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.

Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit 6352a29305373ae6196491e6d4669f301e26492e upstream.

Tag 11 packets are stored in the metadata section of an eCryptfs file to
store the key signature(s) used to encrypt the file encryption key.
After extracting the packet length field to determine the key signature
length, a check is not performed to see if the length would exceed the
key signature buffer size that was passed into parse_tag_11_packet().

Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.

Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








nommu: Provide mmap_min_addr definition.
2009-07-30T21:40:34+00:00

Paul Mundt
lethal@linux-sh.org

2009-06-09T08:48:56+00:00

57bee88245247744cd953ab3c410ba637ba6e0c3

commit 35f2c2f6f6ae13ef23c4f68e6d3073753077ca43 upstream.

With the "security: use mmap_min_addr indepedently of security models"
change, mmap_min_addr is used in common areas, which susbsequently blows
up the nommu build. This stubs in the definition in the nommu case as
well.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Cc: Mike Frysinger <vapier.adi@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: James Morris <jmorris@namei.org>






commit 35f2c2f6f6ae13ef23c4f68e6d3073753077ca43 upstream.

With the "security: use mmap_min_addr indepedently of security models"
change, mmap_min_addr is used in common areas, which susbsequently blows
up the nommu build. This stubs in the definition in the nommu case as
well.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Cc: Mike Frysinger <vapier.adi@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: James Morris <jmorris@namei.org>








libata: fix follow-up SRST failure path
2009-07-30T21:40:33+00:00

Tejun Heo
tj@kernel.org

2009-07-08T03:16:37+00:00

3b64409d582823106065a49882d653009de20828

commit fe2c4d018fc6127610fef677e020b3bb41cfaaaf upstream.

ata_eh_reset() was missing error return handling after follow-up SRST
allowing EH to continue the normal probing path after reset failure.
This was discovered while testing new WD 2TB drives which take longer
than 10 secs to spin up and cause the first follow-up SRST to time
out.

Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit fe2c4d018fc6127610fef677e020b3bb41cfaaaf upstream.

ata_eh_reset() was missing error return handling after follow-up SRST
allowing EH to continue the normal probing path after reset failure.
This was discovered while testing new WD 2TB drives which take longer
than 10 secs to spin up and cause the first follow-up SRST to time
out.

Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








Input: wistron_btns - recognize Maxdata Pro 7000 notebooks
2009-07-30T21:40:32+00:00

Giuseppe Mazzotta
g.mazzotta@iragan.com

2009-07-13T04:02:27+00:00

a5ed86d5af2d63f3edeab7e63f15aa3c34c5cc25

commit e705cee427e319665969ef7ac664f3612dec8899 upstream.

This patch adds DMI information to automatically load the correct
layout for the Maxdata Pro 7000X/DX notebook models. Such notebooks
are clones of Fujitsu Amilo V2000, the hook for the v2000 is being
used and I have tested that perfectly works.

The immediate result of integrating this patch is that the five
special buttons will work on these specific notebook models and that
the RF killswitch will not be activated after suspend. This patch
definitively obsoletes the fsam7400 module which I was still needing
to enable wifi and to fix the RF killswitch suspend problem; in the
current 2.6.30 kernel it is necessary to load the wistron_btns module
with options 'force=1 keymap=1557/MS2141', which was not anyway a
complete workaround.

Signed-off-by: Giuseppe Mazzotta <g.mazzotta@iragan.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit e705cee427e319665969ef7ac664f3612dec8899 upstream.

This patch adds DMI information to automatically load the correct
layout for the Maxdata Pro 7000X/DX notebook models. Such notebooks
are clones of Fujitsu Amilo V2000, the hook for the v2000 is being
used and I have tested that perfectly works.

The immediate result of integrating this patch is that the five
special buttons will work on these specific notebook models and that
the RF killswitch will not be activated after suspend. This patch
definitively obsoletes the fsam7400 module which I was still needing
to enable wifi and to fix the RF killswitch suspend problem; in the
current 2.6.30 kernel it is necessary to load the wistron_btns module
with options 'force=1 keymap=1557/MS2141', which was not anyway a
complete workaround.

Signed-off-by: Giuseppe Mazzotta <g.mazzotta@iragan.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








netdev: restore MTU change operation
2009-07-30T21:40:31+00:00

Ben Hutchings
ben@decadent.org.uk

2009-07-12T22:56:27+00:00

05e7ae5cd53fad1a0f7b9617ee95e96d43e5e642

commit 635ecaa70e862f85f652581305fe0074810893be upstream

netdev: restore MTU change operation

alloc_etherdev() used to install a default implementation of this
operation, but it must now be explicitly installed in struct
net_device_ops.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit 635ecaa70e862f85f652581305fe0074810893be upstream

netdev: restore MTU change operation

alloc_etherdev() used to install a default implementation of this
operation, but it must now be explicitly installed in struct
net_device_ops.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








netdev: restore MAC address set and validate operations
2009-07-30T21:40:30+00:00

Ben Hutchings
ben@decadent.org.uk

2009-07-09T17:54:35+00:00

cc37bbfa8271d1b41d6c16e7e9c51763787f74e1

commit 240c102d9c54fee7fdc87a4ef2fabc7eb539e00a upstream.

alloc_etherdev() used to install default implementations of these
operations, but they must now be explicitly installed in struct
net_device_ops.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit 240c102d9c54fee7fdc87a4ef2fabc7eb539e00a upstream.

alloc_etherdev() used to install default implementations of these
operations, but they must now be explicitly installed in struct
net_device_ops.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








nf_conntrack: nf_conntrack_alloc() fixes
2009-07-30T21:40:29+00:00

Eric Dumazet
eric.dumazet@gmail.com

2009-07-23T14:15:34+00:00

f95d9271ff0e58fb12fc6f90c13f70d41eee8089

commit 941297f443f871b8c3372feccf27a8733f6ce9e9 upstream.

When a slab cache uses SLAB_DESTROY_BY_RCU, we must be careful when allocating
objects, since slab allocator could give a freed object still used by lockless
readers.

In particular, nf_conntrack RCU lookups rely on ct->tuplehash[xxx].hnnode.next
being always valid (ie containing a valid 'nulls' value, or a valid pointer to next
object in hash chain.)

kmem_cache_zalloc() setups object with NULL values, but a NULL value is not valid
for ct->tuplehash[xxx].hnnode.next.

Fix is to call kmem_cache_alloc() and do the zeroing ourself.

As spotted by Patrick, we also need to make sure lookup keys are committed to
memory before setting refcount to 1, or a lockless reader could get a reference
on the old version of the object. Its key re-check could then pass the barrier.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit 941297f443f871b8c3372feccf27a8733f6ce9e9 upstream.

When a slab cache uses SLAB_DESTROY_BY_RCU, we must be careful when allocating
objects, since slab allocator could give a freed object still used by lockless
readers.

In particular, nf_conntrack RCU lookups rely on ct->tuplehash[xxx].hnnode.next
being always valid (ie containing a valid 'nulls' value, or a valid pointer to next
object in hash chain.)

kmem_cache_zalloc() setups object with NULL values, but a NULL value is not valid
for ct->tuplehash[xxx].hnnode.next.

Fix is to call kmem_cache_alloc() and do the zeroing ourself.

As spotted by Patrick, we also need to make sure lookup keys are committed to
memory before setting refcount to 1, or a lockless reader could get a reference
on the old version of the object. Its key re-check could then pass the barrier.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








netfilter: tcp conntrack: fix unacknowledged data detection with NAT
2009-07-30T21:40:27+00:00

Patrick McHardy
kaber@trash.net

2009-06-29T12:07:56+00:00

7500f93f415a2fc07e0031d99fa3964bf8981cfc

commit a3a9f79e361e864f0e9d75ebe2a0cb43d17c4272 upstream.

When NAT helpers change the TCP packet size, the highest seen sequence
number needs to be corrected. This is currently only done upwards, when
the packet size is reduced the sequence number is unchanged. This causes
TCP conntrack to falsely detect unacknowledged data and decrease the
timeout.

Fix by updating the highest seen sequence number in both directions after
packet mangling.

Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit a3a9f79e361e864f0e9d75ebe2a0cb43d17c4272 upstream.

When NAT helpers change the TCP packet size, the highest seen sequence
number needs to be corrected. This is currently only done upwards, when
the packet size is reduced the sequence number is unchanged. This causes
TCP conntrack to falsely detect unacknowledged data and decrease the
timeout.

Fix by updating the highest seen sequence number in both directions after
packet mangling.

Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>