author | Natanael Copa <ncopa@alpinelinux.org> | 2010-03-30 06:53:25 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2010-03-31 07:58:46 +0000 |
commit | a352cc182f54d4367de4a0edd4ba64eecd6af843 (patch) | |
tree | 503b51088ef7fe125b4a22766925e271d9b74328 | |
parent | 6ace2d1d9b9d16c6deda1187a9379381cbb45129 (diff) | |
main/linux-grsec: r8169 fixes
(cherry picked from commit 2765bc9d5159f67b92404c120173cea2091b2adb)
3 files changed, 175 insertions, 1 deletions
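--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=2.6.32.10
 _kernver=2.6.32
-pkgrel=0
+pkgrel=1
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -19,6 +19,8 @@ source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
 ip_gre2.patch
 arp.patch
 xfrm-cache-size-revert.patch
+net-git-78f1cd-r8169-fix-broken-register-writes.patch
+net-git-c0cd88-r8169-offical-fix-for-CVE-2009-4537-overlength-frame-DMAs.patch
 kernelconfig.x86
 "
 subpackages="$pkgname-dev linux-firmware:firmware"
@@ -129,4 +131,6 @@ a1959ececf64be61488ed84d0252c053 grsecurity-2.1.14-2.6.32.10-201003211638.patch
 13ca9e91700e459da269c957062bbea7 ip_gre2.patch
 4c39a161d918e7f274292ecfd168b891 arp.patch
 329fcab881425e001d3243caa4648478 xfrm-cache-size-revert.patch
+21ed38773d846097b7315e1e0801d87a net-git-78f1cd-r8169-fix-broken-register-writes.patch
+962a6dd7c639612fc8bdaeb836388b0b net-git-c0cd88-r8169-offical-fix-for-CVE-2009-4537-overlength-frame-DMAs.patch
 7f442049b29ab749180e54ff8f20f1d0 kernelconfig.x86"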
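--- /dev/null
+++ b/main/linux-grsec/net-git-78f1cd-r8169-fix-broken-register-writes.patch
@@ -0,0 +1,51 @@
+From 78f1cd02457252e1ffbc6caa44a17424a45286b8 Mon Sep 17 00:00:00 2001
+From: Francois Romieu <romieu@fr.zoreil.com>
+Date: Sat, 27 Mar 2010 19:35:46 -0700
+Subject: [PATCH] r8169: fix broken register writes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+This is quite similar to b39fe41f481d20c201012e4483e76c203802dda7
+though said registers are not even documented as 64-bit registers
+- as opposed to the initial TxDescStartAddress ones - but as single
+bytes which must be combined into 32 bits at the MMIO read/write
+level before being merged into a 64 bit logical entity.
+
+Credits go to Ben Hutchings <ben@decadent.org.uk> for the MAR
+registers (aka "multicast is broken for ages on ARM) and to
+Timo Teräs <timo.teras@iki.fi> for the MAC registers.
+
+Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+drivers/net/r8169.c | 4 ++--
+1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
+index b93fd23..7193afc 100644
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -2820,8 +2820,8 @@ static void rtl_rar_set(struct rtl8169_private *tp, u8 *addr)
+spin_lock_irq(&tp->lock);
+
+RTL_W8(Cfg9346, Cfg9346_Unlock);
+- RTL_W32(MAC0, low);
+RTL_W32(MAC4, high);
++ RTL_W32(MAC0, low);
+RTL_W8(Cfg9346, Cfg9346_Lock);
+
+spin_unlock_irq(&tp->lock);
+@@ -4747,8 +4747,8 @@ static void rtl_set_rx_mode(struct net_device *dev)
+mc_filter[1] = swab32(data);
+}
+
+- RTL_W32(MAR0 + 0, mc_filter[0]);
+RTL_W32(MAR0 + 4, mc_filter[1]);
++ RTL_W32(MAR0 + 0, mc_filter[0]);
+
+RTL_W32(RxConfig, tmp);
+
+--
+1.7.0.3
+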
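Review bot: Neither reordered pair of writes carries a comment saying that the order is deliberate: `RTL_W32(MAC4, high)` now precedes `RTL_W32(MAC0, low)` in rtl_rar_set, and `RTL_W32(MAR0 + 4, mc_filter[1])` now precedes `RTL_W32(MAR0 + 0, mc_filter[0])` in rtl_set_rx_mode. The two lines of each pair look interchangeable, so a later cleanup could put them back in ascending order and presumably reintroduce the broken MAC address and multicast filter programming that the patch description refers to. I would add a one-line comment above each pair, for example `/* Write the high dword before the low one; the reverse order is broken on some hardware (see 78f1cd02). */`. Both functions start and end outside their hunks, so this rests only on the lines shown.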
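--- /dev/null
+++ b/main/linux-grsec/net-git-c0cd88-r8169-offical-fix-for-CVE-2009-4537-overlength-frame-DMAs.patch
@@ -0,0 +1,119 @@
+From c0cd884af045338476b8e69a61fceb3f34ff22f1 Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@redhat.com>
+Date: Mon, 29 Mar 2010 13:16:02 -0700
+Subject: [PATCH] r8169: offical fix for CVE-2009-4537 (overlength frame DMAs)
+
+Official patch to fix the r8169 frame length check error.
+
+Based on this initial thread:
+http://marc.info/?l=linux-netdev&m=126202972828626&w=1
+This is the official patch to fix the frame length problems in the r8169
+driver. As noted in the previous thread, while this patch incurs a performance
+hit on the driver, its possible to improve performance dynamically by updating
+the mtu and rx_copybreak values at runtime to return performance to what it was
+for those NICS which are unaffected by the ideosyncracy (if there are any).
+
+Summary:
+
+A while back Eric submitted a patch for r8169 in which the proper
+allocated frame size was written to RXMaxSize to prevent the NIC from dmaing too
+much data. This was done in commit fdd7b4c3302c93f6833e338903ea77245eb510b4. A
+long time prior to that however, Francois posted
+126fa4b9ca5d9d7cb7d46f779ad3bd3631ca387c, which expiclitly disabled the MaxSize
+setting due to the fact that the hardware behaved in odd ways when overlong
+frames were received on NIC's supported by this driver. This was mentioned in a
+security conference recently:
+http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html
+
+It seems that if we can't enable frame size filtering, then, as Eric correctly
+noticed, we can find ourselves DMA-ing too much data to a buffer, causing
+corruption. As a result is seems that we are forced to allocate a frame which
+is ready to handle a maximally sized receive.
+
+This obviously has performance issues with it, so to mitigate that issue, this
+patch does two things:
+
+1) Raises the copybreak value to the frame allocation size, which should force
+appropriately sized packets to get allocated on rx, rather than a full new 16k
+buffer.
+
+2) This patch only disables frame filtering initially (i.e., during the NIC
+open), changing the MTU results in ring buffer allocation of a size in relation
+to the new mtu (along with a warning indicating that this is dangerous).
+
+Because of item (2), individuals who can't cope with the performance hit (or can
+otherwise filter frames to prevent the bug), or who have hardware they are sure
+is unaffected by this issue, can manually lower the copybreak and reset the mtu
+such that performance is restored easily.
+
+Signed-off-by: Neil Horman <nhorman@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+drivers/net/r8169.c | 29 ++++++++++++++++++++++++-----
+1 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
+index 7193afc..9674005 100644
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -186,7 +186,12 @@ static DEFINE_PCI_DEVICE_TABLE(rtl8169_pci_tbl) = {
+
+MODULE_DEVICE_TABLE(pci, rtl8169_pci_tbl);
+
+-static int rx_copybreak = 200;
++/*
++ * we set our copybreak very high so that we don't have
++ * to allocate 16k frames all the time (see note in
++ * rtl8169_open()
++ */
++static int rx_copybreak = 16383;
+static int use_dac;
+static struct {
+u32 msg_enable;
+@@ -3217,9 +3222,13 @@ static void __devexit rtl8169_remove_one(struct pci_dev *pdev)
+}
+
+static void rtl8169_set_rxbufsize(struct rtl8169_private *tp,
+- struct net_device *dev)
++ unsigned int mtu)
+{
+- unsigned int max_frame = dev->mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
++ unsigned int max_frame = mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
++
++ if (max_frame != 16383)
++ printk(KERN_WARNING "WARNING! Changing of MTU on this NIC"
++ "May lead to frame reception errors!\n");
+
+tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
+}
+@@ -3231,7 +3240,17 @@ static int rtl8169_open(struct net_device *dev)
+int retval = -ENOMEM;
+
+
+- rtl8169_set_rxbufsize(tp, dev);
++ /*
++ * Note that we use a magic value here, its wierd I know
++ * its done because, some subset of rtl8169 hardware suffers from
++ * a problem in which frames received that are longer than
++ * the size set in RxMaxSize register return garbage sizes
++ * when received. To avoid this we need to turn off filtering,
++ * which is done by setting a value of 16383 in the RxMaxSize register
++ * and allocating 16k frames to handle the largest possible rx value
++ * thats what the magic math below does.
++ */
++ rtl8169_set_rxbufsize(tp, 16383 - VLAN_ETH_HLEN - ETH_FCS_LEN);
+
+/*
+* Rx and Tx desscriptors needs 256 bytes alignment.
+@@ -3884,7 +3903,7 @@ static int rtl8169_change_mtu(struct net_device *dev, int new_mtu)
+
+rtl8169_down(dev);
+
+- rtl8169_set_rxbufsize(tp, dev);
++ rtl8169_set_rxbufsize(tp, dev->mtu);
+
+ret = rtl8169_init_ring(dev);
+if (ret < 0)
+--
+1.7.0.3
+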
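Review bot: The warning added to rtl8169_set_rxbufsize is the only runtime signal that an MTU change sizes the receive buffers from the MTU again, and it is easy to miss in a log. Its two adjacent string literals join without a space, so it prints "...on this NICMay lead...", and it names neither the driver nor the interface. Per the patch description, the rtl8169_change_mtu path (`rtl8169_set_rxbufsize(tp, dev->mtu)`) gives up the maximally sized buffers that guard against overlength-frame DMA, so the message should be greppable and state that, e.g. `printk(KERN_WARNING "r8169: MTU change resizes rx buffers; overlength frames may cause corruption on affected NICs\n");`. The literal 16383 also appears three times, in the `rx_copybreak` initialiser, the `max_frame != 16383` test and the rtl8169_open call. A single named constant would keep the check and the allocation from drifting apart. rtl8169_open and rtl8169_change_mtu both continue outside their hunks.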