rpms/kernel/F-11 linux-2.6-net-r8169-improved-rx-length-check-errors.patch, NONE, 1.1.2.1 kernel.spec, 1.1784.2.7, 1.1784.2.8
Chuck Ebbert
cebbert at fedoraproject.org
Sat Jan 30 17:00:43 UTC 2010
- Previous message: rpms/portmidi/devel portmidi.spec,1.5,1.6
- Next message: rpms/stringtemplate/F-12 sources, 1.2, 1.3 stringtemplate-3.1-build-junit.patch, 1.1, 1.2 stringtemplate.spec, 1.4, 1.5 stringtemplate-3.1-disable-broken-test.patch, 1.1, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2724
Modified Files:
Tag: private-fedora-11-2_6_30
kernel.spec
Added Files:
Tag: private-fedora-11-2_6_30
linux-2.6-net-r8169-improved-rx-length-check-errors.patch
Log Message:
CVE-2009-4537 kernel: r8169 issue reported at 26c3
(fix taken from Red Hat/CentOS 5.4)
linux-2.6-net-r8169-improved-rx-length-check-errors.patch:
r8169.c | 31 +++++++++++++++++++++++++------
1 file changed, 25 insertions(+), 6 deletions(-)
--- NEW FILE linux-2.6-net-r8169-improved-rx-length-check-errors.patch ---
From: Neil Horman <nhorman at redhat.com>
Date: Tue, 5 Jan 2010 09:43:37 -0500
Subject: [net] r8169: imporved rx length check errors
Message-id: 20100105144337.GB24293 at hmsreliant.think-freely.org
O-Subject: [kernel team] [RHEL 5.5 PATCH] imporved r8169 patch for rx length check errors (bz 522438)
Bugzilla: 552438
RH-Acked-by: No One <noone at redhat.com>
Hey-
So we've been going back and forth about these r8169 changes( bz 550915).
We have a hardware ideosyncracy that seems to dictate that we disable frame
filtering, and as a result we are forced to allocate very large buffers, which
Dave correctly points out are a major performance impact. This is further
compllicated by the fact that we don't know which subset of hardware is affected
by this bug. As such I've come up with this fix that I _think_ makes everyone
as happy as possible given what we know (or more specifically, what we don't
know). Anywho, I've posted this upstream and am waiting for comments.
Basically, it does the following things
1) Modifies the setrxbuf routine to accept an mtu paramter
2) Changes the drivers open routine to force the mtu pased to the function in
(1) a size of 16383-VLAN_ETH_HLEN-ETH_FCS_LEN
3) raises the copybreak value so that we always allocate frames on rx to pass to
the network stack.
4) Adds a warning about changing the mtu to a size that is not 16383
The effective result of these changes are that by default, we allocate at device
open a ring of 16k buffers which disables filtering, and set the copybreak value
to that size, so that instead of constantly allocating 16k buffers, we just
allocate frame size appropriate buffers. This is still a big performance hit,
but better than constant 16k allocations, which would quickly fail.
We also (and this is the improved part), allow for user space to set mtu's
smaller than 16383, which results in the driver reverting back to the
pre-patched behavior. A loud warning is issued to this effect, so that people
will realize what their doing, but if a user is in a situation where the can
guarantee frame sizes with other equipment (switch filtering, etc), then this
allows them the old performance levels
Satisfies bz 522438
Neil
diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
index 063d949..c241338 100644
--- a/drivers/net/r8169.c
+++ b/drivers/net/r8169.c
@@ -181,7 +181,12 @@ static struct pci_device_id rtl8169_pci_tbl[] = {
MODULE_DEVICE_TABLE(pci, rtl8169_pci_tbl);
-static int rx_copybreak = 200;
+/*
+ * we set our copybreak very high so that we don't have
+ * to allocate 16k frames all the time (see note in
+ * rtl8169_open()
+ */
+static int rx_copybreak = 16383;
static int use_dac;
static struct {
u32 msg_enable;
@@ -2209,11 +2214,15 @@ static void __devexit rtl8169_remove_one(struct pci_dev *pdev)
}
static void rtl8169_set_rxbufsize(struct rtl8169_private *tp,
- struct net_device *dev)
+ unsigned int mtu)
{
- unsigned int mtu = dev->mtu;
+ unsigned int max_frame = mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
+
+ if (max_frame != 16383)
+ printk(KERN_WARNING "WARNING! Changing of MTU on this NIC "
+ "May lead to frame reception errors!\n");
- tp->rx_buf_sz = (mtu > RX_BUF_SIZE) ? mtu + ETH_HLEN + 8 : RX_BUF_SIZE;
+ tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
}
static int rtl8169_open(struct net_device *dev)
@@ -2223,7 +2232,17 @@ static int rtl8169_open(struct net_device *dev)
int retval = -ENOMEM;
- rtl8169_set_rxbufsize(tp, dev);
+ /*
+ * Note that we use a magic value here, its wierd I know
+ * its done because, some subset of rtl8169 hardware suffers from
+ * a problem in which frames received that are longer than
+ * the size set in RxMaxSize register return garbage sizes
+ * when received. To avoid this we need to turn off filtering,
+ * which is done by setting a value of 16383 in the RxMaxSize register
+ * and allocating 16k frames to handle the largest possible rx value
+ * thats what the magic math below does.
+ */
+ rtl8169_set_rxbufsize(tp, 16383 - VLAN_ETH_HLEN - ETH_FCS_LEN);
/*
* Rx and Tx desscriptors needs 256 bytes alignment.
@@ -2874,7 +2893,7 @@ static int rtl8169_change_mtu(struct net_device *dev, int new_mtu)
rtl8169_down(dev);
- rtl8169_set_rxbufsize(tp, dev);
+ rtl8169_set_rxbufsize(tp, dev->mtu);
ret = rtl8169_init_ring(dev);
if (ret < 0)
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1784.2.7
retrieving revision 1.1784.2.8
diff -u -p -r1.1784.2.7 -r1.1784.2.8
--- kernel.spec 30 Jan 2010 15:11:24 -0000 1.1784.2.7
+++ kernel.spec 30 Jan 2010 17:00:42 -0000 1.1784.2.8
@@ -865,6 +865,8 @@ Patch16503: fasync-split-fasync_helper-i
Patch16511: e1000-enhance-frame-fragment-detection.patch
Patch16512: e1000e-enhance-frame-fragment-detection.patch
Patch16513: e1000-e1000e-don-t-use-small-hardware-rx-buffers.patch
+# cve-2009-4537
+Patch16514: linux-2.6-net-r8169-improved-rx-length-check-errors.patch
%endif
@@ -1626,6 +1628,8 @@ ApplyPatch fasync-split-fasync_helper-in
ApplyPatch e1000-enhance-frame-fragment-detection.patch
ApplyPatch e1000e-enhance-frame-fragment-detection.patch
ApplyPatch e1000-e1000e-don-t-use-small-hardware-rx-buffers.patch
+# cve-2009-4537
+ApplyPatch linux-2.6-net-r8169-improved-rx-length-check-errors.patch
# END OF PATCH APPLICATIONS
@@ -2215,6 +2219,10 @@ fi
# and build.
%changelog
+* Sat Jan 30 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.30.10-105.2.8
+- CVE-2009-4537 kernel: r8169 issue reported at 26c3
+ (fix taken from Red Hat/CentOS 5.4)
+
* Sat Jan 30 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.30.10-105.2.7
- Fix acpi-cpufreq on VIA processors
- Previous message: rpms/portmidi/devel portmidi.spec,1.5,1.6
- Next message: rpms/stringtemplate/F-12 sources, 1.2, 1.3 stringtemplate-3.1-build-junit.patch, 1.1, 1.2 stringtemplate.spec, 1.4, 1.5 stringtemplate-3.1-disable-broken-test.patch, 1.1, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list