rpms/kernel/F-12 linux-2.6-net-r8169-improved-rx-length-check-errors.patch, 1.1, 1.2 kernel.spec, 1.2015, 1.2016
Chuck Ebbert
cebbert at fedoraproject.org
Wed Feb 17 17:31:55 UTC 2010
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21560
Modified Files:
kernel.spec
Added Files:
linux-2.6-net-r8169-improved-rx-length-check-errors.patch
Log Message:
CVE-2009-4537 kernel: r8169 issue reported at 26c3
(fix taken from Red Hat/CentOS 5.4)
linux-2.6-net-r8169-improved-rx-length-check-errors.patch:
r8169.c | 31 +++++++++++++++++++++++++------
1 file changed, 25 insertions(+), 6 deletions(-)
Index: linux-2.6-net-r8169-improved-rx-length-check-errors.patch
===================================================================
RCS file: linux-2.6-net-r8169-improved-rx-length-check-errors.patch
diff -N linux-2.6-net-r8169-improved-rx-length-check-errors.patch
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ linux-2.6-net-r8169-improved-rx-length-check-errors.patch 17 Feb 2010 17:31:54 -0000 1.2
@@ -0,0 +1,113 @@
+From: Neil Horman <nhorman at redhat.com>
+Date: Tue, 5 Jan 2010 09:43:37 -0500
+Subject: [net] r8169: imporved rx length check errors
+Message-id: 20100105144337.GB24293 at hmsreliant.think-freely.org
+O-Subject: [kernel team] [RHEL 5.5 PATCH] imporved r8169 patch for rx length check errors (bz 522438)
+Bugzilla: 552438
+RH-Acked-by: No One <noone at redhat.com>
+
+[ cebbert : ported to 2.6.32 ]
+
+Hey-
+ So we've been going back and forth about these r8169 changes( bz 550915).
+We have a hardware ideosyncracy that seems to dictate that we disable frame
+filtering, and as a result we are forced to allocate very large buffers, which
+Dave correctly points out are a major performance impact. This is further
+compllicated by the fact that we don't know which subset of hardware is affected
+by this bug. As such I've come up with this fix that I _think_ makes everyone
+as happy as possible given what we know (or more specifically, what we don't
+know). Anywho, I've posted this upstream and am waiting for comments.
+Basically, it does the following things
+
+1) Modifies the setrxbuf routine to accept an mtu paramter
+
+2) Changes the drivers open routine to force the mtu pased to the function in
+(1) a size of 16383-VLAN_ETH_HLEN-ETH_FCS_LEN
+
+3) raises the copybreak value so that we always allocate frames on rx to pass to
+the network stack.
+
+4) Adds a warning about changing the mtu to a size that is not 16383
+
+The effective result of these changes are that by default, we allocate at device
+open a ring of 16k buffers which disables filtering, and set the copybreak value
+to that size, so that instead of constantly allocating 16k buffers, we just
+allocate frame size appropriate buffers. This is still a big performance hit,
+but better than constant 16k allocations, which would quickly fail.
+
+We also (and this is the improved part), allow for user space to set mtu's
+smaller than 16383, which results in the driver reverting back to the
+pre-patched behavior. A loud warning is issued to this effect, so that people
+will realize what their doing, but if a user is in a situation where the can
+guarantee frame sizes with other equipment (switch filtering, etc), then this
+allows them the old performance levels
+
+Satisfies bz 522438
+
+Neil
+
+diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
+index 063d949..c241338 100644
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -181,7 +181,12 @@ static struct pci_device_id rtl8169_pci_tbl[] = {
+
+ MODULE_DEVICE_TABLE(pci, rtl8169_pci_tbl);
+
+-static int rx_copybreak = 200;
++/*
++ * we set our copybreak very high so that we don't have
++ * to allocate 16k frames all the time (see note in
++ * rtl8169_open()
++ */
++static int rx_copybreak = 16383;
+ static int use_dac;
+ static struct {
+ u32 msg_enable;
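Review bot: The new default `rx_copybreak = 16383` is a bare literal that has to stay equal to the value passed in rtl8169_open() and to the `max_frame != 16383` test in rtl8169_set_rxbufsize(); one named constant shared by all three would keep them from drifting apart. Nothing in this patch lowers rx_copybreak when rtl8169_change_mtu() selects a smaller buffer, so the description's promise of "the old performance levels" for small MTUs holds only if this value is lowered as well, and the comment should say so. The parenthesis opened before "see note in" in the new comment is never closed.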
+@@ -2209,11 +2214,15 @@ static void __devexit rtl8169_remove_one(struct pci_dev *pdev)
+ }
+
+ static void rtl8169_set_rxbufsize(struct rtl8169_private *tp,
+- struct net_device *dev)
++ unsigned int mtu)
+ {
+- unsigned int max_frame = dev->mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
++ unsigned int max_frame = mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
++
++ if (max_frame != 16383)
++ printk(KERN_WARNING "WARNING! Changing of MTU on this NIC "
++ "May lead to frame reception errors!\n");
+
+- tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
++ tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
+ }
+
+ static int rtl8169_open(struct net_device *dev)
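Review bot: The warning in rtl8169_set_rxbufsize() no longer has a net_device to hand, so the printk cannot say which interface it concerns, and its text ("May lead to frame reception errors!") understates what the comment in rtl8169_open() describes: a max_frame other than 16383 puts affected hardware back into the state where over-length frames return garbage sizes. Pass the device (or its name) alongside mtu, and name both the interface and the consequence in the message. The `tp->rx_buf_sz` assignment is removed and re-added with what appears to be a whitespace-only difference; that line should be dropped from the patch.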
+@@ -2223,7 +2232,17 @@ static int rtl8169_open(struct net_device *dev)
+ int retval = -ENOMEM;
+
+
+- rtl8169_set_rxbufsize(tp, dev);
++ /*
++ * Note that we use a magic value here, its wierd I know
++ * its done because, some subset of rtl8169 hardware suffers from
++ * a problem in which frames received that are longer than
++ * the size set in RxMaxSize register return garbage sizes
++ * when received. To avoid this we need to turn off filtering,
++ * which is done by setting a value of 16383 in the RxMaxSize register
++ * and allocating 16k frames to handle the largest possible rx value
++ * thats what the magic math below does.
++ */
++ rtl8169_set_rxbufsize(tp, 16383 - VLAN_ETH_HLEN - ETH_FCS_LEN);
+
+ /*
+ * Rx and Tx desscriptors needs 256 bytes alignment.
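Review bot: rtl8169_open() now sizes the ring from the constant `16383 - VLAN_ETH_HLEN - ETH_FCS_LEN` and ignores dev->mtu, while rtl8169_change_mtu() sizes it from dev->mtu. An interface whose MTU was lowered will therefore go back to 16383-byte buffers on the next open with dev->mtu unchanged, and no warning is printed because max_frame equals 16383 on this path. If that reset is the intended safe default, the comment should state it; otherwise the small-MTU opt-out in the description does not survive a reopen.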
+@@ -2874,7 +2893,7 @@ static int rtl8169_change_mtu(struct net_device *dev, int new_mtu)
+
+ rtl8169_down(dev);
+
+- rtl8169_set_rxbufsize(tp, dev);
++ rtl8169_set_rxbufsize(tp, dev->mtu);
+
+ ret = rtl8169_init_ring(dev);
+ if (ret < 0)
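Review bot: The call in rtl8169_change_mtu() passes dev->mtu rather than the new_mtu argument, so it is correct only if dev->mtu has already been updated earlier in the function, which the hunk context does not show. Passing new_mtu, or adding a comment on the ordering, would make that explicit. This is also the one path that selects a max_frame below 16383, and the only guard on it is the printk added in rtl8169_set_rxbufsize().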
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-12/kernel.spec,v
retrieving revision 1.2015
retrieving revision 1.2016
diff -u -p -r1.2015 -r1.2016
--- kernel.spec 17 Feb 2010 05:31:06 -0000 1.2015
+++ kernel.spec 17 Feb 2010 17:31:54 -0000 1.2016
@@ -762,6 +762,9 @@ Patch12312: futex-handle-user-space-corr
Patch12313: fix-abrtd.patch
Patch12314: vgaarb-fix-userspace-ptr-deref.patch
+# cve-2009-4537
+Patch12320: linux-2.6-net-r8169-improved-rx-length-check-errors.patch
+
# ==============================================================================
%endif
@@ -1399,6 +1402,9 @@ ApplyPatch futex-handle-user-space-corru
ApplyPatch fix-abrtd.patch
ApplyPatch vgaarb-fix-userspace-ptr-deref.patch
+# cve-2009-4537
+ApplyPatch linux-2.6-net-r8169-improved-rx-length-check-errors.patch
+
# END OF PATCH APPLICATIONS ====================================================
%endif
@@ -2054,6 +2060,10 @@ fi
# and build.
%changelog
+* Wed Feb 17 2010 Chuck Ebbert <cebbert at redhat.com>
+- CVE-2009-4537 kernel: r8169 issue reported at 26c3
+ (fix taken from Red Hat/CentOS 5.4)
+
* Wed Feb 17 2010 Ben Skeggs <bskeggs at redhat.com> 2.6.32.8.55
- drm-nouveau-mutex.patch: add fix that didn't quite make it to linus yet
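Review bot: The changelog entry says the fix was taken from Red Hat/CentOS 5.4, but the header of the added patch labels it "[RHEL 5.5 PATCH]"; the two should agree. The entry also gives no bug number, and the patch header itself cites both 522438 and 552438, so the correct reference should be placed next to the CVE here.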