commit 5bf7b33598dee28b7d3603cfcdc8de55c349a4c8 Author: Greg Kroah-Hartman Date: Mon Mar 14 14:30:16 2011 -0700 Linux 2.6.32.33 commit 9b61fc720621a6836dcf7fc98457f6c08c86a93b Author: stephen hemminger Date: Thu Mar 10 11:43:19 2011 +0000 ip6ip6: autoload ip6 tunnel commit 6dfbd87a20a737641ef228230c77f4262434fa24 upstream ip6ip6: autoload ip6 tunnel Add necessary alias to autoload ip6ip6 tunnel module. Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit af4a02bb1eede764c1db87575462cbe1c023e164 Author: Vasiliy Kulikov Date: Wed Mar 2 00:33:13 2011 +0300 net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules commit 8909c9ad8ff03611c9c96c9a92656213e4bb495b upstream. Since a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c any process with CAP_NET_ADMIN may load any module from /lib/modules/. This doesn't mean that CAP_NET_ADMIN is a superset of CAP_SYS_MODULE as modules are limited to /lib/modules/**. However, CAP_NET_ADMIN capability shouldn't allow anybody load any module not related to networking. This patch restricts an ability of autoloading modules to netdev modules with explicit aliases. This fixes CVE-2011-1019. Arnd Bergmann suggested to leave untouched the old pre-v2.6.32 behavior of loading netdev modules by name (without any prefix) for processes with CAP_SYS_MODULE to maintain the compatibility with network scripts that use autoloading netdev modules by aliases like "eth0", "wlan0". Currently there are only three users of the feature in the upstream kernel: ipip, ip_gre and sit. root@albatros:~# capsh --drop=$(seq -s, 0 11),$(seq -s, 13 34) -- root@albatros:~# grep Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: fffffff800001000 CapEff: fffffff800001000 CapBnd: fffffff800001000 root@albatros:~# modprobe xfs FATAL: Error inserting xfs (/lib/modules/2.6.38-rc6-00001-g2bf4ca3/kernel/fs/xfs/xfs.ko): Operation not permitted root@albatros:~# lsmod | grep xfs root@albatros:~# ifconfig xfs xfs: error fetching interface information: Device not found root@albatros:~# lsmod | grep xfs root@albatros:~# lsmod | grep sit root@albatros:~# ifconfig sit sit: error fetching interface information: Device not found root@albatros:~# lsmod | grep sit root@albatros:~# ifconfig sit0 sit0 Link encap:IPv6-in-IPv4 NOARP MTU:1480 Metric:1 root@albatros:~# lsmod | grep sit sit 10457 0 tunnel4 2957 1 sit For CAP_SYS_MODULE module loading is still relaxed: root@albatros:~# grep Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: ffffffffffffffff CapEff: ffffffffffffffff CapBnd: ffffffffffffffff root@albatros:~# ifconfig xfs xfs: error fetching interface information: Device not found root@albatros:~# lsmod | grep xfs xfs 745319 0 Reference: https://lkml.org/lkml/2011/2/24/203 Signed-off-by: Vasiliy Kulikov Signed-off-by: Michael Tokarev Acked-by: David S. Miller Acked-by: Kees Cook Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 102123644979069c61d694375991aa6793e4da57 Author: Ian Abbott Date: Mon Nov 30 10:59:27 2009 +0000 Staging: comedi: jr3_pci: Don't ioremap too much space. Check result. commit fa5c5f4ce0c9ba03a670c640cad17e14cb35678b upstream. For the JR3/PCI cards, the size of the PCIBAR0 region depends on the number of channels. Don't try and ioremap space for 4 channels if the card has fewer channels. Also check for ioremap failure. Thanks to Anders Blomdell for input and Sami Hussein for testing. Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman commit 649f25c389e9498923b459bbffff41a2fd1d7a64 Author: Ivan Vecera Date: Thu Jan 27 12:24:11 2011 +0100 r8169: use RxFIFO overflow workaround for 8168c chipset. commit b5ba6d12bdac21bc0620a5089e0f24e362645efd upstream. I found that one of the 8168c chipsets (concretely XID 1c4000c0) starts generating RxFIFO overflow errors. The result is an infinite loop in interrupt handler as the RxFIFOOver is handled only for ...MAC_VER_11. With the workaround everything goes fine. Signed-off-by: Ivan Vecera Acked-by: Francois Romieu Cc: Hayes Signed-off-by: Greg Kroah-Hartman commit f97fe117a46513bd5393f5f821169ece6355133c Author: roel Date: Tue Mar 8 22:32:26 2011 +0100 nfsd: wrong index used in inner loop commit 3ec07aa9522e3d5e9d5ede7bef946756e623a0a0 upstream. Index i was already used in the outer loop Signed-off-by: Roel Kluin Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 0d122be36b4d7b9a6cb5464c872f37e8dd2ea044 Author: Jan Engelhardt Date: Wed Mar 2 12:10:13 2011 +0100 netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values commit 9ef0298a8e5730d9a46d640014c727f3b4152870 upstream. Like many other places, we have to check that the array index is within allowed limits, or otherwise, a kernel oops and other nastiness can ensue when we access memory beyond the end of the array. [ 5954.115381] BUG: unable to handle kernel paging request at 0000004000000000 [ 5954.120014] IP: __find_logger+0x6f/0xa0 [ 5954.123979] nf_log_bind_pf+0x2b/0x70 [ 5954.123979] nfulnl_recv_config+0xc0/0x4a0 [nfnetlink_log] [ 5954.123979] nfnetlink_rcv_msg+0x12c/0x1b0 [nfnetlink] ... The problem goes back to v2.6.30-rc1~1372~1342~31 where nf_log_bind was decoupled from nf_log_register. Reported-by: Miguel Di Ciurcio Filho , via irc.freenode.net/#netfilter Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit cdfb2881023413742e545893e1b84ba96135d8b8 Author: Matt Evans Date: Mon Mar 7 17:26:04 2011 +0530 powerpc/kexec: Fix orphaned offline CPUs across kexec Commit: e8e5c2155b0035b6e04f29be67f6444bc914005b upstream When CPU hotplug is used, some CPUs may be offline at the time a kexec is performed. The subsequent kernel may expect these CPUs to be already running, and will declare them stuck. On pseries, there's also a soft-offline (cede) state that CPUs may be in; this can also cause problems as the kexeced kernel may ask RTAS if they're online -- and RTAS would say they are. The CPU will either appear stuck, or will cause a crash as we replace its cede loop beneath it. This patch kicks each present offline CPU awake before the kexec, so that none are forever lost to these assumptions in the subsequent kernel. Now, the behaviour is that all available CPUs that were offlined are now online & usable after the kexec. This mimics the behaviour of a full reboot (on which all CPUs will be restarted). Signed-off-by: Matt Evans Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Kamalesh babulal cc: Anton Blanchard Signed-off-by: Greg Kroah-Hartman commit 692d5ec1c7bf51e51bf87d0118c9dfd91b77f133 Author: Maxim Uvarov Date: Tue May 11 05:41:08 2010 +0000 powerpc/crashdump: Do not fail on NULL pointer dereferencing commit 426b6cb478e60352a463a0d1ec75c1c9fab30b13 upstream. Signed-off-by: Maxim Uvarov Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Kamalesh babulal cc: Anton Blanchard Signed-off-by: Greg Kroah-Hartman commit 553c9ca59794cff92d010fadc1aed89f47b47a20 Author: Michael Neuling Date: Mon May 10 20:28:26 2010 +0000 powerpc/kexec: Speedup kexec hash PTE tear down commit d504bed676caad29a3dba3d3727298c560628f5c upstream. Currently for kexec the PTE tear down on 1TB segment systems normally requires 3 hcalls for each PTE removal. On a machine with 32GB of memory it can take around a minute to remove all the PTEs. This optimises the path so that we only remove PTEs that are valid. It also uses the read 4 PTEs at once HCALL. For the common case where a PTEs is invalid in a 1TB segment, this turns the 3 HCALLs per PTE down to 1 HCALL per 4 PTEs. This gives an > 10x speedup in kexec times on PHYP, taking a 32GB machine from around 1 minute down to a few seconds. Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Kamalesh babulal cc: Anton Blanchard Signed-off-by: Greg Kroah-Hartman commit 2059788cc18e6e2ed634de4fed649a3ea31323ed Author: Michael Neuling Date: Mon May 10 20:28:26 2010 +0000 powerpc/pseries: Add hcall to read 4 ptes at a time in real mode commit f90ece28c1f5b3ec13fe481406857fe92f4bc7d1 upstream. This adds plpar_pte_read_4_raw() which can be used read 4 PTEs from PHYP at a time, while in real mode. It also creates a new hcall9 which can be used in real mode. It's the same as plpar_hcall9 but minus the tracing hcall statistics which may require variables outside the RMO. Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Kamalesh babulal Cc: Anton Blanchard Signed-off-by: Greg Kroah-Hartman commit 17b08650ffabf7d025ceb608748dc12d4dc2928d Author: Anton Blanchard Date: Mon May 10 18:59:18 2010 +0000 powerpc: Use more accurate limit for first segment memory allocations commit 095c7965f4dc870ed2b65143b1e2610de653416c upstream. Author: Milton Miller On large machines we are running out of room below 256MB. In some cases we only need to ensure the allocation is in the first segment, which may be 256MB or 1TB. Add slb0_limit and use it to specify the upper limit for the irqstack and emergency stacks. On a large ppc64 box, this fixes a panic at boot when the crashkernel= option is specified (previously we would run out of memory below 256MB). Signed-off-by: Milton Miller Signed-off-by: Anton Blanchard Signed-off-by: Benjamin Herrenschmidt Cc: Kamalesh Babulal Signed-off-by: Greg Kroah-Hartman commit 9644dbc889ae788130d967d4f4e7f95253440be6 Author: Anton Blanchard Date: Mon May 10 16:27:38 2010 +0000 powerpc/kdump: Use chip->shutdown to disable IRQs commit 5d7a87217de48b234b3c8ff8a73059947d822e07 upstream. I saw this in a kdump kernel: IOMMU table initialized, virtual merging enabled Interrupt 155954 (real) is invalid, disabling it. Interrupt 155953 (real) is invalid, disabling it. ie we took some spurious interrupts. default_machine_crash_shutdown tries to disable all interrupt sources but uses chip->disable which maps to the default action of: static void default_disable(unsigned int irq) { } If we use chip->shutdown, then we actually mask the IRQ: static void default_shutdown(unsigned int irq) { struct irq_desc *desc = irq_to_desc(irq); desc->chip->mask(irq); desc->status |= IRQ_MASKED; } Not sure why we don't implement a ->disable action for xics.c, or why default_disable doesn't mask the interrupt. Signed-off-by: Anton Blanchard Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Kamalesh babulal Signed-off-by: Greg Kroah-Hartman commit 12fa3aa8baf621f24661101c1406bf77a4d3501e Author: Anton Blanchard Date: Mon May 10 16:25:51 2010 +0000 powerpc/kdump: CPUs assume the context of the oopsing CPU commit 0644079410065567e3bb31fcb8e6441f2b7685a9 upstream. We wrap the crash_shutdown_handles[] calls with longjmp/setjmp, so if any of them fault we can recover. The problem is we add a hook to the debugger fault handler hook which calls longjmp unconditionally. This first part of kdump is run before we marshall the other CPUs, so there is a very good chance some CPU on the box is going to page fault. And when it does it hits the longjmp code and assumes the context of the oopsing CPU. The machine gets very confused when it has 10 CPUs all with the same stack, all thinking they have the same CPU id. I get even more confused trying to debug it. The patch below adds crash_shutdown_cpu and uses it to specify which cpu is in the protected region. Since it can only be -1 or the oopsing CPU, we don't need to use memory barriers since it is only valid on the local CPU - no other CPU will ever see a value that matches it's local CPU id. Eventually we should switch the order and marshall all CPUs before doing the crash_shutdown_handles[] calls, but that is a bigger fix. Signed-off-by: Anton Blanchard Signed-off-by: Benjamin Herrenschmidt Cc: Kamalesh babulal Signed-off-by: Greg Kroah-Hartman commit e466d3b572bf868fe9a5d9688d8d2ec19cddb46f Author: Hugh Dickins Date: Wed Feb 23 21:39:49 2011 -0800 mm: fix possible cause of a page_mapped BUG commit a3e8cc643d22d2c8ed36b9be7d9c9ca21efcf7f7 upstream. Robert Swiecki reported a BUG_ON(page_mapped) from a fuzzer, punching a hole with madvise(,, MADV_REMOVE). That path is under mutex, and cannot be explained by lack of serialization in unmap_mapping_range(). Reviewing the code, I found one place where vm_truncate_count handling should have been updated, when I switched at the last minute from one way of managing the restart_addr to another: mremap move changes the virtual addresses, so it ought to adjust the restart_addr. But rather than exporting the notion of restart_addr from memory.c, or converting to restart_pgoff throughout, simply reset vm_truncate_count to 0 to force a rescan if mremap move races with preempted truncation. We have no confirmation that this fixes Robert's BUG, but it is a fix that's worth making anyway. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds Cc: Kerin Millar Signed-off-by: Greg Kroah-Hartman commit d7a0289987f9fda051854f5201d77f4ce7095036 Author: Don Skidmore Date: Tue Jan 18 22:53:47 2011 +0000 ixgbe: fix for 82599 erratum on Header Splitting commit a124339ad28389093ed15eca990d39c51c5736cc upstream. We have found a hardware erratum on 82599 hardware that can lead to unpredictable behavior when Header Splitting mode is enabled. So we are no longer enabling this feature on affected hardware. Please see the 82599 Specification Update for more information. Signed-off-by: Don Skidmore Tested-by: Stephen Ko Signed-off-by: Jeff Kirsher Signed-off-by: Greg Kroah-Hartman commit a33be6e69f2527f2e8f0bcfe3b77a51c8210ad3f Author: Anton Blanchard Date: Mon Feb 28 03:27:53 2011 +0000 RxRPC: Fix v1 keys commit f009918a1c1bbf8607b8aab3959876913a30193a upstream. commit 339412841d7 (RxRPC: Allow key payloads to be passed in XDR form) broke klog for me. I notice the v1 key struct had a kif_version field added: -struct rxkad_key { - u16 security_index; /* RxRPC header security index */ - u16 ticket_len; /* length of ticket[] */ - u32 expiry; /* time at which expires */ - u32 kvno; /* key version number */ - u8 session_key[8]; /* DES session key */ - u8 ticket[0]; /* the encrypted ticket */ -}; +struct rxrpc_key_data_v1 { + u32 kif_version; /* 1 */ + u16 security_index; + u16 ticket_length; + u32 expiry; /* time_t */ + u32 kvno; + u8 session_key[8]; + u8 ticket[0]; +}; However the code in rxrpc_instantiate strips it away: data += sizeof(kver); datalen -= sizeof(kver); Removing kif_version fixes my problem. Signed-off-by: Anton Blanchard Signed-off-by: David Howells Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d5719ed81492a21fa0ba5b10ba366153f2b49fb3 Author: Dan Carpenter Date: Thu Mar 3 17:56:06 2011 +0100 keyboard: integer underflow bug commit b652277b09d3d030cb074cc6a98ba80b34244c03 upstream. The "ct" variable should be an unsigned int. Both struct kbdiacrs ->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints. Making it signed causes a problem in KBDIACRUC because the user could set the signed bit and cause a buffer overflow. Signed-off-by: Dan Carpenter Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit cf666a4bfee9de4378566819081e9451a0fe6f1f Author: Li Zefan Date: Fri Mar 4 17:36:21 2011 -0800 cpuset: add a missing unlock in cpuset_write_resmask() commit b75f38d659e6fc747eda64cb72f3920e29dd44a4 upstream. Don't forget to release cgroup_mutex if alloc_trial_cpuset() fails. [akpm@linux-foundation.org: avoid multiple return points] Signed-off-by: Li Zefan Cc: Paul Menage Acked-by: David Rientjes Cc: Miao Xie Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman