The following changes are present in Debian's kernel based on 2.6.32, but not yet in 2.6.32.y. I would like to send these to sta...@kernel.org but I know you prefer to pick which networking changes go into stable/longterm updates. Please could you have a look over the log and let me know if you think any of these are not suitable.
The complete set of changes I'm intending to send to stable for 2.6.32.y are on this branch:

git://git.debian.org/kernel/linux-2.6.git squeeze-to-stable

Ben.

commit 87682480611e0a2e882e6cf70d2622a107b72e12
Author: Vasiliy Kulikov <seg...@openwall.com>
Date:   Thu Mar 17 01:40:10 2011 +0000

    econet: 4 byte infoleak to the network

    commit 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e upstream.

    struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
    x86_64. These bytes are not initialized in the variable 'ah' before
    sending 'ah' to the network. This leads to 4 bytes kernel stack
    infoleak.

    This bug was introduced before the git epoch.

    Signed-off-by: Vasiliy Kulikov <seg...@openwall.com>
    Acked-by: Phil Blundell <ph...@gnu.org>
    Signed-off-by: David S. Miller <da...@davemloft.net>

commit 790fef2371ff8b51126a0768402171299afdff19
Author: Vasiliy Kulikov <seg...@openwall.com>
Date:   Tue Mar 15 13:37:13 2011 +0100

    ipv6: netfilter: ip6_tables: fix infoleak to userspace

    commit 6a8ab060779779de8aea92ce3337ca348f973f54 upstream.

    Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
    copied from userspace. Fields of these structs that are
    zero-terminated strings are not checked. When they are used as
    argument to a format string containing "%s" in request_module(), some
    sensitive information is leaked to userspace via argument of spawned
    modprobe process.

    The first bug was introduced before the git epoch; the second was
    introduced in 3bc3fe5e (v2.6.25-rc1); the third is introduced by
    6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
    CAP_NET_ADMIN.

    Signed-off-by: Vasiliy Kulikov <seg...@openwall.com>
    Signed-off-by: Patrick McHardy <ka...@trash.net>

commit 4139a777467f9b4b4b4a5371ea3e95d77c3420ac
Author: Vasiliy Kulikov <seg...@openwall.com>
Date:   Tue Mar 15 13:36:05 2011 +0100

    netfilter: ip_tables: fix infoleak to userspace

    commit 78b79876761b86653df89c48a7010b5cbd41a84a upstream.

    Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
    copied from userspace. Fields of these structs that are
    zero-terminated strings are not checked. When they are used as
    argument to a format string containing "%s" in request_module(), some
    sensitive information is leaked to userspace via argument of spawned
    modprobe process.

    The first and the third bugs were introduced before the git epoch; the
    second was introduced in 2722971c (v2.6.17-rc1). To trigger the bug
    one should have CAP_NET_ADMIN.

    Signed-off-by: Vasiliy Kulikov <seg...@openwall.com>
    Signed-off-by: Patrick McHardy <ka...@trash.net>

commit b4ea8d8c7665e2aeb34e85b61a6b67e6f30748cd
Author: Vasiliy Kulikov <seg...@openwall.com>
Date:   Tue Mar 15 13:35:21 2011 +0100

    netfilter: arp_tables: fix infoleak to userspace

    commit 42eab94fff18cb1091d3501cd284d6bd6cc9c143 upstream.

    Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
    copied from userspace. Fields of these structs that are
    zero-terminated strings are not checked. When they are used as
    argument to a format string containing "%s" in request_module(), some
    sensitive information is leaked to userspace via argument of spawned
    modprobe process.

    The first bug was introduced before the git epoch; the second is
    introduced by 6b7d31fc (v2.6.15-rc1); the third is introduced by
    6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
    CAP_NET_ADMIN.

    Signed-off-by: Vasiliy Kulikov <seg...@openwall.com>
    Signed-off-by: Patrick McHardy <ka...@trash.net>

commit aba8723a70837c0ee7cde733831d1eacf590694f
Author: Vasiliy Kulikov <seg...@openwall.com>
Date:   Mon Feb 14 16:49:23 2011 +0100

    bridge: netfilter: fix information leak

    commit d846f71195d57b0bbb143382647c2c6638b04c5a upstream.

    Struct tmp is copied from userspace. It is not checked whether the
    "name" field is NULL terminated. This may lead to buffer overflow and
    passing contents of kernel stack as a module name to
    try_then_request_module() and, consequently, to modprobe commandline.
    It would be seen by all userspace processes.

    Signed-off-by: Vasiliy Kulikov <seg...@openwall.com>
    Signed-off-by: Patrick McHardy <ka...@trash.net>

commit 7f2784afb2a84464026e535f490156c979688267
Author: Vasiliy Kulikov <seg...@openwall.com>
Date:   Mon Feb 14 13:54:31 2011 +0300

    Bluetooth: bnep: fix buffer overflow

    commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream.

    Struct ca is copied from userspace. It is not checked whether the
    "device" field is NULL terminated. This potentially leads to BUG()
    inside of alloc_netdev_mqs() and/or information leak by creating a
    device with a name made of contents of kernel stack.

    Signed-off-by: Vasiliy Kulikov <seg...@openwall.com>
    Signed-off-by: Gustavo F. Padovan <pado...@profusion.mobi>

commit e0638fa4136796406d12daf6750d809ca78a640c
Author: Vasiliy Kulikov <seg...@openwall.com>
Date:   Mon Feb 14 13:54:26 2011 +0300

    Bluetooth: sco: fix information leak to userspace

    commit c4c896e1471aec3b004a693c689f60be3b17ac86 upstream.

    struct sco_conninfo has one padding byte in the end. Local variable
    cinfo of type sco_conninfo is copied to userspace with this
    uninitialized one byte, leading to old stack contents leak.

    Signed-off-by: Vasiliy Kulikov <seg...@openwall.com>
    Signed-off-by: Gustavo F. Padovan <pado...@profusion.mobi>

commit f68c5728a3332cde2e891cc9ad0bf6539cdda6ba
Author: Ron Murray <r...@rjmx.net>
Date:   Tue Jan 19 08:02:48 2010 +0000

    Please add support for Microsoft MN-120 PCMCIA network card

    commit 60abe78279568a7109db2bcbc71131766a91c2e5 upstream.

    Please add support for Microsoft MN-120 PCMCIA network card. It's an
    old card, I know, but adding support is very easy. You just need to
    get tulip_core.c to recognise its vendor/device ID.

    Patch for kernel 2.6.32.4 (and many previous) attached.

     .....Ron Murray

    Signed-off-by: Ron Murray <r...@rjmx.net>
    Signed-off-by: David S. Miller <da...@davemloft.net>

commit ed1cd615b6fee5bbfb82b947f7abf23eebcce83e
Author: Romain Francoise <rom...@orebokech.com>
Date:   Mon Jan 17 07:59:18 2011 +0000

    ipv6: Silence privacy extensions initialization

    commit 2fdc1c8093255f9da877d7b9ce3f46c2098377dc upstream.

    When a network namespace is created (via CLONE_NEWNET), the loopback
    interface is automatically added to the new namespace, triggering a
    printk in ipv6_add_dev() if CONFIG_IPV6_PRIVACY is set.

    This is problematic for applications which use CLONE_NEWNET as part of
    a sandbox, like Chromium's suid sandbox or recent versions of vsftpd.
    On a busy machine, it can lead to thousands of useless "lo: Disabled
    Privacy Extensions" messages appearing in dmesg.

    It's easy enough to check the status of privacy extensions via the
    use_tempaddr sysctl, so just removing the printk seems like the most
    sensible solution.

    Signed-off-by: Romain Francoise <rom...@orebokech.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>

commit 3ab6af06c2b9dabc501d2c44c76b3e738053e124
Author: Eric Dumazet <eric.duma...@gmail.com>
Date:   Thu Nov 25 04:11:39 2010 +0000

    af_unix: limit recursion level

    commit 25888e30319f8896fc656fc68643e6a078263060 upstream.

    It's easy to eat all kernel memory and trigger NMI watchdog, using an
    exploit program that queues unix sockets on top of others.

    lkml ref : http://lkml.org/lkml/2010/11/25/8

    This mechanism is used in applications, one choice we have is to have
    a recursion limit.

    Other limits might be needed as well (if we queue other types of
    files), since the passfd mechanism is currently limited by socket
    receive queue sizes only.

    Add a recursion_level to unix socket, allowing up to 4 levels.

    Each time we send an unix socket through sendfd mechanism, we copy its
    recursion level (plus one) to receiver. This recursion level is
    cleared when socket receive queue is emptied.

    Reported-by: Марк Коренберг <socketp...@gmail.com>
    Signed-off-by: Eric Dumazet <eric.duma...@gmail.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>
    [bwh: Adjust for 2.6.32]

commit 7d5e53d003fed5eec50790809b77f5f0ee561076
Author: Bruce Rogers <brog...@novell.com>
Date:   Thu Feb 10 11:03:31 2011 -0800

    virtio_net: Add schedule check to napi_enable call

    commit 3e9d08ec0a68f6faf718d5a7e050fe5ca0ba004f upstream.

    Under harsh testing conditions, including low memory, the guest would
    stop receiving packets. With this patch applied we no longer see any
    problems in the driver while performing these tests for extended
    periods of time.

    Make sure napi is scheduled subsequent to each napi_enable.

    Signed-off-by: Bruce Rogers <brog...@novell.com>
    Signed-off-by: Olaf Kirch <o...@suse.de>
    Signed-off-by: Rusty Russell <ru...@rustcorp.com.au>
    Signed-off-by: David S. Miller <da...@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
    [bwh: Adjust for 2.6.32]

commit 6ce022941dc9fed8679872b444004c8ea16b3589
Author: Rusty Russell <ru...@rustcorp.com.au>
Date:   Fri Jul 2 16:34:01 2010 +0000

    virtio_net: fix oom handling on tx

    commit 58eba97d0774c69b1cf3e5a8ac74419409d1abbf upstream.

    virtio net will never try to overflow the TX ring, so the only reason
    add_buf may fail is out of memory. Thus, we can not stop the device
    until some request completes - there's no guarantee anything at all is
    outstanding.

    Make the error message clearer as well: error here does not indicate
    queue full.

    Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
    Signed-off-by: Rusty Russell <ru...@rustcorp.com.au> (...and avoid TX_BUSY)
    Cc: sta...@kernel.org # .34.x (s/virtqueue_/vi->svq->vq_ops->/)
    Signed-off-by: David S. Miller <da...@davemloft.net>

commit f8be95c67247e4380121925a1c5740afce95310b
Author: Ondrej Zary <li...@rainbow-software.org>
Date:   Wed Jun 23 12:57:15 2010 +0200

    rt2500usb: fallback to SW encryption for TKIP+AES

    commit 75f64dd54a185150ebfc45e99351c890d4a2252f upstream.

    HW crypto in rt2500usb does not seem to support keys with different
    ciphers, which breaks TKIP+AES mode.
    Fall back to software encryption to fix it.

    This should fix long-standing problems with rt2500usb and WPA, such as:
    http://rt2x00.serialmonkey.com/phpBB/viewtopic.php?f=4&t=4834
    https://bugzilla.redhat.com/show_bug.cgi?id=484888

    Also tested that it does not break WEP, TKIP-only and AES-only modes.

    Signed-off-by: Ondrej Zary <li...@rainbow-software.org>
    Acked-by: Gertjan van Wingerde <gwinge...@gmail.com>
    Signed-off-by: John W. Linville <linvi...@tuxdriver.com>
    [bwh: Adjust context for 2.6.32]

commit b3b1665efd26412aa425b0085943038d75dff568
Author: Neil Horman <nhor...@tuxdriver.com>
Date:   Thu Jan 20 09:02:31 2011 +0000

    bonding: Ensure that we unshare skbs prior to calling pskb_may_pull

    commit b30532515f0a62bfe17207ab00883dd262497006 upstream.

    Recently reported oops:

    kernel BUG at net/core/skbuff.c:813!
    invalid opcode: 0000 [#1] SMP
    last sysfs file: /sys/devices/virtual/net/bond0/broadcast
    CPU 8
    Modules linked in: sit tunnel4 cpufreq_ondemand acpi_cpufreq freq_table bonding ipv6 dm_mirror dm_region_hash dm_log cdc_ether usbnet mii serio_raw i2c_i801 i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma i7core_edac edac_core bnx2 ixgbe dca mdio sg ext4 mbcache jbd2 sd_mod crc_t10dif mptsas mptscsih mptbase scsi_transport_sas dm_mod [last unloaded: microcode]

    Modules linked in: sit tunnel4 cpufreq_ondemand acpi_cpufreq freq_table bonding ipv6 dm_mirror dm_region_hash dm_log cdc_ether usbnet mii serio_raw i2c_i801 i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma i7core_edac edac_core bnx2 ixgbe dca mdio sg ext4 mbcache jbd2 sd_mod crc_t10dif mptsas mptscsih mptbase scsi_transport_sas dm_mod [last unloaded: microcode]
    Pid: 0, comm: swapper Not tainted 2.6.32-71.el6.x86_64 #1 BladeCenter HS22 -[7870AC1]-
    RIP: 0010:[<ffffffff81405b16>] [<ffffffff81405b16>] pskb_expand_head+0x36/0x1e0
    RSP: 0018:ffff880028303b70 EFLAGS: 00010202
    RAX: 0000000000000002 RBX: ffff880c6458ec80 RCX: 0000000000000020
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880c6458ec80
    RBP: ffff880028303bc0 R08: ffffffff818a6180 R09: ffff880c6458ed64
    R10: ffff880c622b36c0 R11: 0000000000000400 R12: 0000000000000000
    R13: 0000000000000180 R14: ffff880c622b3000 R15: 0000000000000000
    FS: 0000000000000000(0000) GS:ffff880028300000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
    CR2: 00000038653452a4 CR3: 0000000001001000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process swapper (pid: 0, threadinfo ffff8806649c2000, task ffff880c64f16ab0)
    Stack:
     ffff880028303bc0 ffffffff8104fff9 000000000000001c 0000000100000000
    <0> ffff880000047d80 ffff880c6458ec80 000000000000001c ffff880c6223da00
    <0> ffff880c622b3000 0000000000000000 ffff880028303c10 ffffffff81407f7a
    Call Trace:
     <IRQ>
     [<ffffffff8104fff9>] ? __wake_up_common+0x59/0x90
     [<ffffffff81407f7a>] __pskb_pull_tail+0x2aa/0x360
     [<ffffffffa0244530>] bond_arp_rcv+0x2c0/0x2e0 [bonding]
     [<ffffffff814a0857>] ? packet_rcv+0x377/0x440
     [<ffffffff8140f21b>] netif_receive_skb+0x2db/0x670
     [<ffffffff8140f788>] napi_skb_finish+0x58/0x70
     [<ffffffff8140fc89>] napi_gro_receive+0x39/0x50
     [<ffffffffa01286eb>] ixgbe_clean_rx_irq+0x35b/0x900 [ixgbe]
     [<ffffffffa01290f6>] ixgbe_clean_rxtx_many+0x136/0x240 [ixgbe]
     [<ffffffff8140fe53>] net_rx_action+0x103/0x210
     [<ffffffff81073bd7>] __do_softirq+0xb7/0x1e0
     [<ffffffff810d8740>] ? handle_IRQ_event+0x60/0x170
     [<ffffffff810142cc>] call_softirq+0x1c/0x30
     [<ffffffff81015f35>] do_softirq+0x65/0xa0
     [<ffffffff810739d5>] irq_exit+0x85/0x90
     [<ffffffff814cf915>] do_IRQ+0x75/0xf0
     [<ffffffff81013ad3>] ret_from_intr+0x0/0x11
     <EOI>
     [<ffffffff8101bc01>] ? mwait_idle+0x71/0xd0
     [<ffffffff814cd80a>] ? atomic_notifier_call_chain+0x1a/0x20
     [<ffffffff81011e96>] cpu_idle+0xb6/0x110
     [<ffffffff814c17c8>] start_secondary+0x1fc/0x23f

    Resulted from bonding driver registering packet handlers via
    dev_add_pack and then trying to call pskb_may_pull.
    If another packet handler (like for AF_PACKET sockets) gets called
    first, the delivered skb will have a user count > 1, which causes
    pskb_may_pull to BUG halt when it does its skb_shared check. Fix this
    by calling skb_share_check prior to the may_pull call sites in the
    bonding driver to clone the skb when needed. Tested by myself and the
    reporter successfully.

    Signed-off-by: Neil Horman
    CC: Andy Gospodarek <a...@greyhouse.net>
    CC: Jay Vosburgh <fu...@us.ibm.com>
    CC: "David S. Miller" <da...@davemloft.net>
    Signed-off-by: Jay Vosburgh <fu...@us.ibm.com>
    Signed-off-by: Andy Gospodarek <a...@greyhouse.net>
    Signed-off-by: David S. Miller <da...@davemloft.net>

commit 17a82eb15502fa9df66b6c8ac62630015ffb849e
Author: Linus Torvalds <torva...@linux-foundation.org>
Date:   Thu Oct 28 15:40:55 2010 +0000

    net: fix rds_iovec page count overflow

    commit 1b1f693d7ad6d193862dcb1118540a030c5e761f upstream.

    As reported by Thomas Pollet, the rdma page counting can overflow. We
    get the rdma sizes in 64-bit unsigned entities, but then limit it to
    UINT_MAX bytes and shift them down to pages (so with a possible "+1"
    for an unaligned address).

    So each individual page count fits comfortably in an 'unsigned int'
    (not even close to overflowing into signed), but as they are added up,
    they might end up resulting in a signed return value. Which would be
    wrong.

    Catch the case of tot_pages turning negative, and return the
    appropriate error code.

    Reported-by: Thomas Pollet <thomas.pol...@gmail.com>
    Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
    Signed-off-by: Andy Grover <andy.gro...@oracle.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>
    [Backported to 2.6.32 by Moritz Muehlenhoff <j...@inutil.org>]

commit 1a8915d42428390198cb1c19913c3915f5702aea
Author: Eric Dumazet <eric.duma...@gmail.com>
Date:   Wed Nov 24 09:15:27 2010 -0800

    af_unix: limit unix_tot_inflight

    commit 9915672d41273f5b77f1b3c29b391ffb7732b84b upstream.

    Vegard Nossum found a unix socket OOM was possible, posting an exploit
    program.

    My analysis is we can eat all LOWMEM memory before unix_gc() being
    called from unix_release_sock(). Moreover, the thread blocked in
    unix_gc() can consume huge amount of time to perform cleanup because
    of huge working set.

    One way to handle this is to have a sensible limit on
    unix_tot_inflight, tested from wait_for_unix_gc() and to force a call
    to unix_gc() if this limit is hit.

    This solves the OOM and also reduces overall latencies, and should not
    slow down normal workloads.

    Reported-by: Vegard Nossum <vegard.nos...@gmail.com>
    Signed-off-by: Eric Dumazet <eric.duma...@gmail.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>

commit 49e85317ced395c31111ab51566b164c1fd5ce57
Author: David S. Miller <da...@davemloft.net>
Date:   Wed Dec 8 18:42:23 2010 -0800

    econet: Fix crash in aun_incoming().

    commit 4e085e76cbe558b79b54cbab772f61185879bc64 upstream.

    Unconditional use of skb->dev won't work here, try to fetch the econet
    device via skb_dst()->dev instead.

    Suggested by Eric Dumazet.

    Reported-by: Nelson Elhage <nelh...@ksplice.com>
    Tested-by: Nelson Elhage <nelh...@ksplice.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>
    [jmm: Slightly adapted for 2.6.32]

commit 2c5aa7f88fefee925c4badee136595494fc67567
Author: Nelson Elhage <nelh...@ksplice.com>
Date:   Wed Nov 3 16:35:41 2010 +0000

    inet_diag: Make sure we actually run the same bytecode we audited.

    commit 22e76c849d505d87c5ecf3d3e6742a65f0ff4860 upstream.

    We were using nlmsg_find_attr() to look up the bytecode by attribute
    when auditing, but then just using the first attribute when actually
    running bytecode. So, if we received a message with two attribute
    elements, where only the second had type INET_DIAG_REQ_BYTECODE, we
    would validate and run different bytecode strings.

    Fix this by consistently using nlmsg_find_attr everywhere.

    Signed-off-by: Nelson Elhage <nelh...@ksplice.com>
    Signed-off-by: Thomas Graf <tg...@infradead.org>
    Signed-off-by: David S. Miller <da...@davemloft.net>
    [jmm: Slightly adapted to apply against 2.6.32]

commit 272fde5c715c81f328838d6642cfbc936a699b5f
Author: Kulikov Vasiliy <sego...@gmail.com>
Date:   Sun Oct 31 07:10:32 2010 +0000

    net: tipc: fix information leak to userland

    commit 88f8a5e3e7defccd3925cabb1ee4d3994e5cdb52 upstream.

    Structure sockaddr_tipc is copied to userland with padding bytes after
    "id" field in union field "name" uninitialized. It leads to leaking of
    contents of kernel stack memory. We have to initialize them to zero.

    Signed-off-by: Vasiliy Kulikov <sego...@gmail.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>

commit ef0d4abcd3f9b184441f2c29ef9e57d7f8cea44a
Author: Vasiliy Kulikov <sego...@gmail.com>
Date:   Wed Nov 10 12:09:10 2010 -0800

    net: packet: fix information leak to userland

    commit 67286640f638f5ad41a946b9a3dc75327950248f upstream.

    packet_getname_spkt() doesn't initialize all members of sa_data field
    of sockaddr struct if strlen(dev->name) < 13. This structure is then
    copied to userland. It leads to leaking of contents of kernel stack
    memory. We have to fully fill sa_data with strncpy() instead of
    strlcpy().

    The same with packet_getname(): it doesn't initialize sll_pkttype
    field of sockaddr_ll. Set it to zero.

    Signed-off-by: Vasiliy Kulikov <sego...@gmail.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>
    [jmm: Backported to 2.6.32]

commit 88e9182e53b51e9242f9ad1d4f47040dae8a2f27
Author: Vasiliy Kulikov <sego...@gmail.com>
Date:   Wed Nov 10 10:14:33 2010 -0800

    net: ax25: fix information leak to userland

    commit fe10ae53384e48c51996941b7720ee16995cbcb7 upstream.

    Sometimes ax25_getname() doesn't initialize all members of
    fsa_digipeater field of fsa struct, also the struct has padding bytes
    between sax25_call and sax25_ndigis fields. This structure is then
    copied to userland. It leads to leaking of contents of kernel stack
    memory.

    Signed-off-by: Vasiliy Kulikov <sego...@gmail.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>

commit 7e473d44d30fffaaf2240dc3cf6ed0b1556ab0d1
Author: Dan Rosenberg <drosenb...@vsecurity.com>
Date:   Wed Dec 22 13:58:27 2010 +0000

    irda: prevent integer underflow in IRLMP_ENUMDEVICES

    commit fdac1e0697356ac212259f2147aa60c72e334861 upstream.

    If the user-provided len is less than the expected offset, the
    IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very
    large size value. While this isn't a security issue on x86 because it
    will get caught by the access_ok() check, it may leak large amounts of
    kernel heap on other architectures. In any event, this patch fixes it.

    Signed-off-by: Dan Rosenberg <drosenb...@vsecurity.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>
    [dannf: Backport to 2.6.32]

commit 1296fdd1c627efdb20a9e8e7948db8f6f11fc904
Author: Guennadi Liakhovetski <g.liakhovet...@gmx.de>
Date:   Tue Nov 23 17:10:24 2010 +0100

    wireless: b43: fix error path in SDIO

    commit e476a5a41ad67d0e2b4a652820c49a3923eb936b upstream.

    Fix unbalanced call to sdio_release_host() on the error path.

    Signed-off-by: Guennadi Liakhovetski <g.liakhovet...@gmx.de>
    Acked-by: Larry Finger <larry.fin...@lwfinger.net>
    Signed-off-by: John W. Linville <linvi...@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
    Signed-off-by: Andi Kleen <a...@linux.intel.com>

commit 75132022f0579f8187280cce09c655d5777cea59
Author: Larry Finger <larry.fin...@lwfinger.net>
Date:   Thu Oct 28 10:43:26 2010 -0500

    b43: Fix warning at drivers/mmc/core/core.c:237 in mmc_wait_for_cmd

    commit 9f2a0fac625bcef9c579bcf0b0c904ab1a56e7c4 upstream.

    On module removal, the sdio version of b43 generates the following
    warning:

    [ 851.560519] ------------[ cut here ]------------
    [ 851.560531] WARNING: at drivers/mmc/core/core.c:237 mmc_wait_for_cmd+0x88/0x90()
    [ 851.560534] Hardware name: 20552PG
    [ 851.560536] Modules linked in: b43(-) ssb mmc_block binfmt_misc rfcomm sco bnep ppdev l2cap ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp kvm_intel kvm arc4 iwlagn snd_hda_codec_conexant snd_hda_intel snd_hda_codec iwlcore snd_hwdep snd_pcm thinkpad_acpi mac80211 snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq r852 joydev snd_timer sm_common pcmcia nand snd_seq_device cfg80211 sdhci_pci btusb psmouse tpm_tis yenta_socket nand_ids lp snd pcmcia_rsrc nand_ecc bluetooth sdhci tpm pcmcia_core parport mtd snd_page_alloc serio_raw tpm_bios soundcore nvram led_class sha256_generic aes_i586 aes_generic dm_crypt i915 drm_kms_helper drm ahci intel_agp i2c_algo_bit intel_gtt e1000e libahci video agpgart output
    [ 851.560620] Pid: 2504, comm: rmmod Not tainted 2.6.36-titan0+ #1
    [ 851.560622] Call Trace:
    [ 851.560631] [<c014a102>] warn_slowpath_common+0x72/0xa0
    [ 851.560636] [<c04d94c8>] ? mmc_wait_for_cmd+0x88/0x90
    [ 851.560641] [<c04d94c8>] ? mmc_wait_for_cmd+0x88/0x90
    [ 851.560645] [<c014a152>] warn_slowpath_null+0x22/0x30
    [ 851.560649] [<c04d94c8>] mmc_wait_for_cmd+0x88/0x90
    [ 851.560655] [<c0401585>] ? device_release+0x25/0x80
    [ 851.560660] [<c04df210>] mmc_io_rw_direct_host+0xa0/0x150
    [ 851.560665] [<c04df370>] mmc_io_rw_direct+0x30/0x40
    [ 851.560669] [<c04e06e7>] sdio_disable_func+0x37/0xa0
    [ 851.560683] [<f8dfcb80>] b43_sdio_remove+0x30/0x50 [b43]
    [ 851.560687] [<c04df8cc>] sdio_bus_remove+0x1c/0x60
    [ 851.560692] [<c016d39f>] ? blocking_notifier_call_chain+0x1f/0x30
    [ 851.560697] [<c0404991>] __device_release_driver+0x51/0xb0
    [ 851.560701] [<c0404a7f>] driver_detach+0x8f/0xa0
    [ 851.560705] [<c0403c83>] bus_remove_driver+0x63/0xa0
    [ 851.560709] [<c0405039>] driver_unregister+0x49/0x80
    [ 851.560713] [<c0405039>] ? driver_unregister+0x49/0x80
    [ 851.560718] [<c04dfad7>] sdio_unregister_driver+0x17/0x20
    [ 851.560727] [<f8dfcb42>] b43_sdio_exit+0x12/0x20 [b43]
    [ 851.560734] [<f8dfe76f>] b43_exit+0x17/0x3c [b43]
    [ 851.560740] [<c017fb8d>] sys_delete_module+0x13d/0x200
    [ 851.560747] [<c01fd7d2>] ? do_munmap+0x212/0x300
    [ 851.560752] [<c010311f>] sysenter_do_call+0x12/0x28
    [ 851.560757] ---[ end trace 31e14488072d2f7d ]---
    [ 851.560759] ------------[ cut here ]------------

    The warning is caused by b43 not claiming the device before calling
    sdio_disable_func().

    Signed-off-by: Larry Finger <larry.fin...@lwfinger.net>
    Reported-by: Arnd Hannemann <a...@arndnet.de>
    Tested-by: Arnd Hannemann <a...@arndnet.de>
    Signed-off-by: John W. Linville <linvi...@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
    Signed-off-by: Andi Kleen <a...@linux.intel.com>

commit 3856a248f8d99e13f046d9b182a3ac898ec7d08d
Author: Ben Hutchings <b...@decadent.org.uk>
Date:   Fri Dec 17 10:16:23 2010 -0800

    tehuti: Firmware filename is tehuti/bdx.bin

    commit 46814e08d80f87449b5adb3d549a3cae6f9f8148 upstream.

    My conversion of tehuti to use request_firmware() was confused about
    the filename of the firmware blob. Change the driver to match the
    blob.

    Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
    Signed-off-by: Andy Gospodarek <a...@greyhouse.net>
    Signed-off-by: David S. Miller <da...@davemloft.net>

commit 810ba56ef912ffebe1f160ddf58c24a6f692ab51
Author: James Chapman <jchap...@katalix.com>
Date:   Tue Mar 16 06:29:20 2010 +0000

    l2tp: Fix UDP socket reference count bugs in the pppol2tp driver

    commit c3259c8a7060d480e8eb2166da0a99d6879146b4 upstream.

    This patch fixes UDP socket refcnt bugs in the pppol2tp driver.
    A bug can cause a kernel stack trace when a tunnel socket is closed.

    A way to reproduce the issue is to prepare the UDP socket for L2TP (by
    opening a tunnel pppol2tp socket) and then close it before any L2TP
    sessions are added to it. The sequence is

    Create UDP socket
    Create tunnel pppol2tp socket to prepare UDP socket for L2TP
      pppol2tp_connect: session_id=0, peer_session_id=0
    L2TP SCCRP control frame received (tunnel_id==0)
      pppol2tp_recv_core: sock_hold()
      pppol2tp_recv_core: sock_put
    L2TP ZLB control frame received (tunnel_id=nnn)
      pppol2tp_recv_core: sock_hold()
      pppol2tp_recv_core: sock_put
    Close tunnel management socket
      pppol2tp_release: session_id=0, peer_session_id=0
    Close UDP socket
      udp_lib_close: BUG

    The addition of sock_hold() in pppol2tp_connect() solves the problem.

    For data frames, two sock_put() calls were added to plug a refcnt leak
    per received data frame. The ref that is grabbed at the top of
    pppol2tp_recv_core() must always be released, but this wasn't done for
    accepted data frames or data frames discarded because of bad UDP
    checksums. This leak meant that any UDP socket that had passed L2TP
    data traffic (i.e. L2TP data frames, not just L2TP control frames)
    using pppol2tp would not be released by the kernel.

    WARNING: at include/net/sock.h:435 udp_lib_unhash+0x117/0x120()
    Pid: 1086, comm: openl2tpd Not tainted 2.6.33-rc1 #8
    Call Trace:
     [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
     [<c101b871>] ? warn_slowpath_common+0x71/0xd0
     [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
     [<c101b8e3>] ? warn_slowpath_null+0x13/0x20
     [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
     [<c11598a7>] ? sk_common_release+0x17/0x90
     [<c11a5e33>] ? inet_release+0x33/0x60
     [<c11577b0>] ? sock_release+0x10/0x60
     [<c115780f>] ? sock_close+0xf/0x30
     [<c106e542>] ? __fput+0x52/0x150
     [<c106b68e>] ? filp_close+0x3e/0x70
     [<c101d2e2>] ? put_files_struct+0x62/0xb0
     [<c101eaf7>] ? do_exit+0x5e7/0x650
     [<c1081623>] ? mntput_no_expire+0x13/0x70
     [<c106b68e>] ? filp_close+0x3e/0x70
     [<c101eb8a>] ? do_group_exit+0x2a/0x70
     [<c101ebe1>] ? sys_exit_group+0x11/0x20
     [<c10029b0>] ? sysenter_do_call+0x12/0x26

    Signed-off-by: James Chapman <jchap...@katalix.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>

commit 7e60fc2e38fbafba07ff670ef3d16e613e154e18
Author: Phil Blundell <ph...@gnu.org>
Date:   Wed Nov 24 11:51:47 2010 -0800

    econet: fix CVE-2010-3848

    commit a27e13d370415add3487949c60810e36069a23a6 upstream.

    Don't declare variable sized array of iovecs on the stack since this
    could cause stack overflow if msg->msgiovlen is large. Instead,
    coalesce the user-supplied data into a new buffer and use a single
    iovec for it.

    Signed-off-by: Phil Blundell <ph...@gnu.org>
    Signed-off-by: David S. Miller <da...@davemloft.net>
    [Adjusted to apply to 2.6.32 by dann frazier <da...@debian.org>]

commit 8395756afa87ea6e2c6248e024464bed376643ca
Author: Hagen Paul Pfeifer <ha...@jauu.net>
Date:   Wed Oct 7 14:43:04 2009 -0700

    econet: Fix redeclaration of symbol len

    commit 9e8342971d44ce86d8567047f5366fc1c06a75ed upstream.

    Function argument len was redeclared within the function. This patch
    fixes the redeclaration of symbol 'len'.

    Signed-off-by: Hagen Paul Pfeifer <ha...@jauu.net>
    Signed-off-by: David S. Miller <da...@davemloft.net>
    [Adjusted to apply to 2.6.32 by dann frazier <da...@debian.org>]

commit babc16c81219c8f5b07e39461208fbf4c4669d14
Author: Andy Chittenden <andyc.blue...@gmail.com>
Date:   Tue Aug 10 10:19:53 2010 -0400

    SUNRPC: fix NFS client over TCP hangs due to packet loss (Bug 16494)

    commit 669502ff31d7dba1849aec7ee2450a3c61f57d39 upstream.

    When reusing a TCP connection, ensure that it's aborted if a previous
    shutdown attempt has been made on that connection so that the RPC over
    TCP recovery mechanism succeeds.

    Signed-off-by: Andy Chittenden <andyc.blue...@gmail.com>
    Signed-off-by: Trond Myklebust <trond.mykleb...@netapp.com>

commit ebbec2da3cc8af0815da0ff38ab2f3cbb356c6bb
Author: Rémi Denis-Courmont <remi.denis-courm...@nokia.com>
Date:   Mon Oct 25 10:43:32 2010 +0300

    Phonet: device notifier only runs on initial namespace

    [bwh: This is only applicable to 2.6.32. Phonet was fixed upstream to
    work with multiple net namespaces.]

    This should really fix the OOPS when doing:
      unshare(CLONE_NEWNET);
      exit(0);
    while the phonet module is loaded.

    Signed-off-by: Rémi Denis-Courmont <remi.denis-courm...@nokia.com>

commit 4663726b0fc4c80f02cb4a62ad6f7722e3acead2
Author: Bruce Allan <bruce.w.al...@intel.com>
Date:   Wed May 5 22:00:27 2010 +0000

    e1000e: Reset 82577/82578 PHY before first PHY register read

    commit 627c8a041f7aaaea93c766f69bd61d952a277586 upstream.

    Reset the PHY before first accessing it. Doing so, ensure that the PHY
    is in a known good state before we read/write PHY registers. This
    fixes a driver probe failure.

    Signed-off-by: Bruce Allan <bruce.w.al...@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirs...@intel.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>
    [Backported to 2.6.32 by dann frazier <da...@debian.org>]

commit 423be158ade9500346697b33467115b92da6cd71
Author: Ben Hutchings <bhutchi...@solarflare.com>
Date:   Tue Sep 7 04:35:19 2010 +0000

    niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL

    commit ee9c5cfad29c8a13199962614b9b16f1c4137ac9 upstream.

    niu_get_ethtool_tcam_all() assumes that its output buffer is the right
    size, and warns before returning if it is not. However, the output
    buffer size is under user control and ETHTOOL_GRXCLSRLALL is an
    unprivileged ethtool command. Therefore this is at least a local
    denial-of-service vulnerability.

    Change it to check before writing each entry and to return an error if
    the buffer is already full.

    Compile-tested only.

    Signed-off-by: Ben Hutchings <bhutchi...@solarflare.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>
    [Adjusted to apply to 2.6.32 by dann frazier <da...@debian.org>]

commit eadf18bc57ff2367fd4274c1440bd7b384ffbfd2
Author: Gertjan van Wingerde <gwinge...@gmail.com>
Date:   Wed Dec 30 11:36:30 2009 +0100

    rt2x00: Properly request tx headroom for alignment operations.

    commit 7a4a77b7771164d61ce702a588067d1e1d66db7c upstream.

    Current rt2x00 drivers may result in a "ieee80211_tx_status: headroom
    too small" error message when a frame needs to be properly aligned
    before transmitting it. This is because the space needed to ensure
    proper alignment isn't requested from mac80211.

    Fix this by adding sufficient amount of alignment space to the amount
    of headroom requested for TX frames.

    Reported-by: David Ellingsworth <da...@identd.dyndns.org>
    Signed-off-by: Gertjan van Wingerde <gwinge...@gmail.com>
    Acked-by: Ivo van Doorn <ivdo...@gmail.com>
    Signed-off-by: John W. Linville <linvi...@tuxdriver.com>

commit 9d61b9f4bf70b282bc19f7f1acff492601b93cf3
Author: Pavel Roskin <pro...@gnu.org>
Date:   Wed Dec 30 11:36:29 2009 +0100

    rt2x00: use correct headroom for transmission

    commit b59a52f12e483b79e7d32da7ec30dcf3b2e0210b upstream.

    Use rt2x00dev->ops->extra_tx_headroom, not
    rt2x00dev->hw->extra_tx_headroom in the tx code, as the latter may
    include other headroom not to be used in the chipset driver.

    Signed-off-by: Pavel Roskin <pro...@gnu.org>
    Signed-off-by: Gertjan van Wingerde <gwinge...@gmail.com>
    Acked-by: Ivo van Doorn <ivdo...@gmail.com>
    Signed-off-by: John W. Linville <linvi...@tuxdriver.com>

commit a2480ca26f6a26dea8c4903bce4d14abbc23a7bc
Author: Gertjan van Wingerde <gwinge...@gmail.com>
Date:   Mon Nov 23 22:44:52 2009 +0100

    rt2x00: Centralize setting of extra TX headroom requested by rt2x00.

    commit e6218cc47bd54710dc523e8c983ceddba625e3ae upstream.

    Set the value of extra_tx_headroom in a central place, rather than in
    each of the drivers. This is preparatory for taking alignment space
    into account in the TX headroom requested by rt2x00.

    Signed-off-by: Gertjan van Wingerde <gwinge...@gmail.com>
    Acked-by: Ivo van Doorn <ivdo...@gmail.com>
    Signed-off-by: John W. Linville <linvi...@tuxdriver.com>
    [bwh: Adjust for 2.6.32]

commit 06855900b04f252ec6b8568b93a25b25201479cd
Author: Jesse Brandeburg <jesse.brandeb...@intel.com>
Date:   Tue Sep 7 21:01:12 2010 +0000

    e1000: fix Tx hangs by disabling 64-bit DMA

    commit e508be174ad36b0cf9b324cd04978c2b13c21502 upstream.

    Several users report issues with 32-bit adapters when plugged into PCI
    slots in machines with >= 4GB ram. In particular AMD systems with
    HyperTransport to PCI bridges seem to trigger the issue, but it isn't
    limited to only them.

    This issue is not easily reproducible here, yet still continues to
    occur in the field. For e1000 on PCI devices, just disable DMA
    addresses over the 4GB boundary when in PCI (not PCI-X) mode, to
    prevent the issue from continuing to pop up. The performance impact
    for this is negligible.

    The code was refactored to move the init of the hw struct to its own
    function. This allows the init to be called very early in probe, which
    then allows using hw-> members for this fix.

    A slight refactor to the DMA mask code was done for minor correctness
    based on the instructions in DMA-API-HOWTO.

    Signed-off-by: Jesse Brandeburg <jesse.brandeb...@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirs...@intel.com>
    Signed-off-by: David S. Miller <da...@davemloft.net>
    [bwh: Adjust for 2.6.32]

commit ce61b0429a77584bcbbf6b944dbf25696e522b90
Author: Jeff Mahoney <je...@suse.com>
Date:   Thu Feb 11 10:26:38 2010 +0000

    ipg: Remove device claimed by dl2k from pci id table

    commit 25cca5352712561fba97bd37c495593d641c1d39 upstream.

    This patch removes D-Link DGE-550T PCI ID (1186:4000) from the ipg
    driver. The ipg driver is for IP2000-based cards and the DGE-550T is a
    DL2000-based card. The driver loads and works for a few moments, but
    once a real workload is applied it stops operating.
The ipg driver claimed this ID since it was introduced in 2.6.24 and it's forced many users to blacklist it. The correct driver for this hardware is the dl2k driver, which has been claiming this PCI ID since the 2.4 days. Signed-off-by: Jeff Mahoney <je...@suse.com> Signed-off-by: David S. Miller <da...@davemloft.net> commit 6d7016414374610b0049792f8c0e5b7bc781f1d4 Author: Ben Hutchings <b...@decadent.org.uk> Date: Sat Nov 7 12:04:09 2009 +0000 pcnet-cs: declare MODULE_FIRMWARE commit 8489992e723b5def1a807e615854f51b75d10600 upstream. Signed-off-by: Ben Hutchings <b...@decadent.org.uk> Signed-off-by: David S. Miller <da...@davemloft.net> commit 6b35277ffea8f6749fe9b5087b3112415190181a Author: Ben Hutchings <b...@decadent.org.uk> Date: Sat Nov 7 11:55:20 2009 +0000 tms380tr: declare MODULE_FIRMWARE commit b3ccbb24e8914973be0d2ee7b66e44cecaed9bf5 upstream. Signed-off-by: Ben Hutchings <b...@decadent.org.uk> Signed-off-by: David S. Miller <da...@davemloft.net> commit f26c9183d5f9a2c0cdd57146501c54c931654133 Author: Ben Hutchings <b...@decadent.org.uk> Date: Sat Nov 7 11:55:07 2009 +0000 spider-net: declare MODULE_FIRMWARE commit 866691a21e8c9dfc58c5ab1ed77d5c41e779755b upstream. Signed-off-by: Ben Hutchings <b...@decadent.org.uk> Signed-off-by: David S. Miller <da...@davemloft.net> commit 5c0d6fb8b643bf6824a6331103d839513040f9e6 Author: Ben Hutchings <b...@decadent.org.uk> Date: Sat Nov 7 11:54:44 2009 +0000 myri10ge: declare MODULE_FIRMWARE commit b9721d5a2fa00ad979c19a9511d43d2664d5381c upstream. Signed-off-by: Ben Hutchings <b...@decadent.org.uk> Signed-off-by: David S. Miller <da...@davemloft.net> commit c72b9d0bc10c4e67ab35196e266469563f68d93d Author: Ben Hutchings <b...@decadent.org.uk> Date: Sat Nov 7 11:53:52 2009 +0000 cxgb3: declare MODULE_FIRMWARE commit 34336ec032878d1a32e7df881f16ce2145e53f83 upstream. Replace run-time string formatting with preprocessor string manipulation. 
Signed-off-by: Ben Hutchings <b...@decadent.org.uk> Acked-by: Divy Le Ray <d...@chelsio.com> Signed-off-by: David S. Miller <da...@davemloft.net> commit a5f3732bfa4d75eb8f44ac769e791c643a8cec42 Author: Ben Hutchings <b...@decadent.org.uk> Date: Sat Nov 7 11:53:39 2009 +0000 bnx2x: declare MODULE_FIRMWARE commit 45229b420f90bb6736dfeb7e491eb46cb02a3e9c upstream. Replace run-time string formatting with preprocessor string manipulation. Signed-off-by: Ben Hutchings <b...@decadent.org.uk> Acked-by: Eilon Greenstein <eil...@broadcom.com> Signed-off-by: David S. Miller <da...@davemloft.net> commit 9865196fbbca943a7153feb26abd6af657b41524 Author: Ben Hutchings <b...@decadent.org.uk> Date: Sat Nov 7 11:37:36 2009 +0000 netx: declare MODULE_FIRMWARE commit 36c04a61f516742dad6f9bad8c6c1a7137a260f5 upstream. Signed-off-by: Ben Hutchings <b...@decadent.org.uk> Acked-by: Sascha Hauer <s.ha...@pengutronix.de> Signed-off-by: David S. Miller <da...@davemloft.net> commit 9b03a5f4febb698d1ae394883cb6e83971dab35f Author: Dhananjay Phadke <dhanan...@netxen.com> Date: Sat Oct 24 16:04:02 2009 +0000 netxen: module firmware hints commit 7e8e5d9718744b817bfea6f020586d7035cc89f4 upstream. Add MODULE_FIRMWARE hints for various firmware file types, required by different chip revisions. Signed-off-by: Dhananjay Phadke <dhanan...@netxen.com> Signed-off-by: David S. Miller <da...@davemloft.net> [bwh: Adjust for 2.6.32] -- Ben Hutchings Once a job is fouled up, anything done to improve it makes it worse.
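
The niu commit in the log above describes checking the output buffer before writing each entry and returning an error once it is full. The following user-space sketch of that pattern is an added example, not the driver's code or part of the original message; the struct, the function names, the constructed table and the choice of -EMSGSIZE as the error are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 8                 /* constructed table size */
#define CANARY     0xdeadbeefu       /* guard word placed after the buffer */

struct rule_slot { int valid; };     /* hypothetical stand-in for a TCAM entry */

/* Constructed sample: slots 0, 2, 3, 5 and 7 hold valid rules (five total). */
static const struct rule_slot sample[TABLE_SIZE] = {
    {1}, {0}, {1}, {1}, {0}, {1}, {0}, {1}
};

/*
 * Store the index of every valid slot in rule_locs, which the caller claims
 * has room for rule_cnt entries. The capacity test runs before each store,
 * so an undersized buffer produces -EMSGSIZE rather than a write past its
 * end. Returns the number of entries written, or a negative errno value.
 */
int get_rule_locs(const struct rule_slot *tbl, size_t tbl_size,
                  uint32_t *rule_locs, size_t rule_cnt)
{
    size_t cnt = 0;

    for (size_t i = 0; i < tbl_size; i++) {
        if (!tbl[i].valid)
            continue;
        if (cnt == rule_cnt)         /* already full: refuse, do not write */
            return -EMSGSIZE;
        rule_locs[cnt++] = (uint32_t)i;
    }
    return (int)cnt;
}

/* Call get_rule_locs() with a caller-chosen capacity and a canary directly
 * behind the buffer. Returns the call's result, or INT_MIN if the canary
 * was overwritten (which would mean an out-of-bounds store happened). */
int run_case(size_t slots)
{
    uint32_t buf[TABLE_SIZE + 1];

    if (slots > TABLE_SIZE)
        slots = TABLE_SIZE;
    buf[slots] = CANARY;
    int ret = get_rule_locs(sample, TABLE_SIZE, buf, slots);
    return buf[slots] == CANARY ? ret : INT_MIN;
}

int main(void)
{
    printf("capacity 5 -> %d\n", run_case(5));
    printf("capacity 3 -> %d\n", run_case(3));
    return 0;
}
```

A caller-supplied capacity smaller than the number of valid rules is the case the commit message is concerned with; here it ends in an error return with the word after the buffer untouched.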