1. 02 Apr, 2010 15 commits
  2. 01 Apr, 2010 1 commit
  3. 31 Mar, 2010 5 commits
  4. 30 Mar, 2010 16 commits
  5. 29 Mar, 2010 3 commits
    • Neil Horman's avatar
      r8169: offical fix for CVE-2009-4537 (overlength frame DMAs) · c0cd884a
      Neil Horman authored
      Official patch to fix the r8169 frame length check error.
      
      Based on this initial thread:
      http://marc.info/?l=linux-netdev&m=126202972828626&w=1
      This is the official patch to fix the frame length problems in the r8169
      driver.  As noted in the previous thread, while this patch incurs a performance
      hit on the driver, its possible to improve performance dynamically by updating
      the mtu and rx_copybreak values at runtime to return performance to what it was
      for those NICS which are unaffected by the ideosyncracy (if there are any).
      
      Summary:
      
          A while back Eric submitted a patch for r8169 in which the proper
      allocated frame size was written to RXMaxSize to prevent the NIC from dmaing too
      much data.  This was done in commit fdd7b4c3.  A
      long time prior to that however, Francois posted
      126fa4b9, which expiclitly disabled the MaxSize
      setting due to the fact that the hardware behaved in odd ways when overlong
      frames were received on NIC's supported by this driver.  This was mentioned in a
      security conference recently:
      http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html
      
      It seems that if we can't enable frame size filtering, then, as Eric correctly
      noticed, we can find ourselves DMA-ing too much data to a buffer, causing
      corruption.  As a result is seems that we are forced to allocate a frame which
      is ready to handle a maximally sized receive.
      
      This obviously has performance issues with it, so to mitigate that issue, this
      patch does two things:
      
      1) Raises the copybreak value to the frame allocation size, which should force
      appropriately sized packets to get allocated on rx, rather than a full new 16k
      buffer.
      
      2) This patch only disables frame filtering initially (i.e., during the NIC
      open), changing the MTU results in ring buffer allocation of a size in relation
      to the new mtu (along with a warning indicating that this is dangerous).
      
      Because of item (2), individuals who can't cope with the performance hit (or can
      otherwise filter frames to prevent the bug), or who have hardware they are sure
      is unaffected by this issue, can manually lower the copybreak and reset the mtu
      such that performance is restored easily.
      Signed-off-by: default avatarNeil Horman <nhorman@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c0cd884a
    • YOSHIFUJI Hideaki / 吉藤英明's avatar
      ipv6: Don't drop cache route entry unless timer actually expired. · 54c1a859
      YOSHIFUJI Hideaki / 吉藤英明 authored
      This is ipv6 variant of the commit 5e016cbf.. ("ipv4: Don't drop
      redirected route cache entry unless PTMU actually expired")
      by Guenter Roeck <guenter.roeck@ericsson.com>.
      
      Remove cache route entry in ipv6_negative_advice() only if
      the timer is expired.
      Signed-off-by: default avatarYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      54c1a859
    • David S. Miller's avatar
      tulip: Add missing parens. · 7855f761
      David S. Miller authored
      As reported by Stephen Rothwell.
      
      drivers/net/tulip/uli526x.c: In function 'uli526x_rx_packet':
      drivers/net/tulip/uli526x.c:861: warning: assignment makes pointer from integer without a cast
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7855f761