r8169 patch for rx length check errors. (CVE-2009-4537)
patch seen on fedora: "r8169 issue reported at 26c3 (fix taken from Red Hat/CentOS 5.4)" not yet seen upstream. svn path=/dists/sid/linux-2.6/; revision=15230
This commit is contained in:
parent
6670f5d628
commit
eeba5295fa
|
@ -23,6 +23,7 @@ linux-2.6 (2.6.32-9) UNRELEASED; urgency=low
|
||||||
- futex_lock_pi() key refcnt fix. (CVE-2010-0623)
|
- futex_lock_pi() key refcnt fix. (CVE-2010-0623)
|
||||||
- Staging: fix rtl8187se compilation errors with mac80211.
|
- Staging: fix rtl8187se compilation errors with mac80211.
|
||||||
(closes: #566726)
|
(closes: #566726)
|
||||||
|
* r8169 patch for rx length check errors. (CVE-2009-4537)
|
||||||
|
|
||||||
[ Bastian Blank ]
|
[ Bastian Blank ]
|
||||||
* Restrict access to sensitive SysRq keys by default.
|
* Restrict access to sensitive SysRq keys by default.
|
||||||
|
|
|
@ -0,0 +1,113 @@
|
||||||
|
From: Neil Horman <nhorman@redhat.com>
|
||||||
|
Date: Tue, 5 Jan 2010 09:43:37 -0500
|
||||||
|
Subject: [net] r8169: imporved rx length check errors
|
||||||
|
Message-id: 20100105144337.GB24293@hmsreliant.think-freely.org
|
||||||
|
O-Subject: [kernel team] [RHEL 5.5 PATCH] imporved r8169 patch for rx length check errors (bz 522438)
|
||||||
|
Bugzilla: 552438
|
||||||
|
RH-Acked-by: No One <noone@redhat.com>
|
||||||
|
|
||||||
|
[ cebbert : ported to 2.6.32 ]
|
||||||
|
|
||||||
|
Hey-
|
||||||
|
So we've been going back and forth about these r8169 changes( bz 550915).
|
||||||
|
We have a hardware ideosyncracy that seems to dictate that we disable frame
|
||||||
|
filtering, and as a result we are forced to allocate very large buffers, which
|
||||||
|
Dave correctly points out are a major performance impact. This is further
|
||||||
|
compllicated by the fact that we don't know which subset of hardware is affected
|
||||||
|
by this bug. As such I've come up with this fix that I _think_ makes everyone
|
||||||
|
as happy as possible given what we know (or more specifically, what we don't
|
||||||
|
know). Anywho, I've posted this upstream and am waiting for comments.
|
||||||
|
Basically, it does the following things
|
||||||
|
|
||||||
|
1) Modifies the setrxbuf routine to accept an mtu paramter
|
||||||
|
|
||||||
|
2) Changes the drivers open routine to force the mtu pased to the function in
|
||||||
|
(1) a size of 16383-VLAN_ETH_HLEN-ETH_FCS_LEN
|
||||||
|
|
||||||
|
3) raises the copybreak value so that we always allocate frames on rx to pass to
|
||||||
|
the network stack.
|
||||||
|
|
||||||
|
4) Adds a warning about changing the mtu to a size that is not 16383
|
||||||
|
|
||||||
|
The effective result of these changes are that by default, we allocate at device
|
||||||
|
open a ring of 16k buffers which disables filtering, and set the copybreak value
|
||||||
|
to that size, so that instead of constantly allocating 16k buffers, we just
|
||||||
|
allocate frame size appropriate buffers. This is still a big performance hit,
|
||||||
|
but better than constant 16k allocations, which would quickly fail.
|
||||||
|
|
||||||
|
We also (and this is the improved part), allow for user space to set mtu's
|
||||||
|
smaller than 16383, which results in the driver reverting back to the
|
||||||
|
pre-patched behavior. A loud warning is issued to this effect, so that people
|
||||||
|
will realize what their doing, but if a user is in a situation where the can
|
||||||
|
guarantee frame sizes with other equipment (switch filtering, etc), then this
|
||||||
|
allows them the old performance levels
|
||||||
|
|
||||||
|
Satisfies bz 522438
|
||||||
|
|
||||||
|
Neil
|
||||||
|
|
||||||
|
diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
|
||||||
|
index 063d949..c241338 100644
|
||||||
|
--- a/drivers/net/r8169.c
|
||||||
|
+++ b/drivers/net/r8169.c
|
||||||
|
@@ -181,7 +181,12 @@ static struct pci_device_id rtl8169_pci_tbl[] = {
|
||||||
|
|
||||||
|
MODULE_DEVICE_TABLE(pci, rtl8169_pci_tbl);
|
||||||
|
|
||||||
|
-static int rx_copybreak = 200;
|
||||||
|
+/*
|
||||||
|
+ * we set our copybreak very high so that we don't have
|
||||||
|
+ * to allocate 16k frames all the time (see note in
|
||||||
|
+ * rtl8169_open()
|
||||||
|
+ */
|
||||||
|
+static int rx_copybreak = 16383;
|
||||||
|
static int use_dac;
|
||||||
|
static struct {
|
||||||
|
u32 msg_enable;
|
||||||
|
@@ -2209,11 +2214,15 @@ static void __devexit rtl8169_remove_one(struct pci_dev *pdev)
|
||||||
|
}
|
||||||
|
|
||||||
|
static void rtl8169_set_rxbufsize(struct rtl8169_private *tp,
|
||||||
|
- struct net_device *dev)
|
||||||
|
+ unsigned int mtu)
|
||||||
|
{
|
||||||
|
- unsigned int max_frame = dev->mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
|
||||||
|
+ unsigned int max_frame = mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
|
||||||
|
+
|
||||||
|
+ if (max_frame != 16383)
|
||||||
|
+ printk(KERN_WARNING "WARNING! Changing of MTU on this NIC "
|
||||||
|
+ "May lead to frame reception errors!\n");
|
||||||
|
|
||||||
|
- tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
|
||||||
|
+ tp->rx_buf_sz = (max_frame > RX_BUF_SIZE) ? max_frame : RX_BUF_SIZE;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int rtl8169_open(struct net_device *dev)
|
||||||
|
@@ -2223,7 +2232,17 @@ static int rtl8169_open(struct net_device *dev)
|
||||||
|
int retval = -ENOMEM;
|
||||||
|
|
||||||
|
|
||||||
|
- rtl8169_set_rxbufsize(tp, dev);
|
||||||
|
+ /*
|
||||||
|
+ * Note that we use a magic value here, its wierd I know
|
||||||
|
+ * its done because, some subset of rtl8169 hardware suffers from
|
||||||
|
+ * a problem in which frames received that are longer than
|
||||||
|
+ * the size set in RxMaxSize register return garbage sizes
|
||||||
|
+ * when received. To avoid this we need to turn off filtering,
|
||||||
|
+ * which is done by setting a value of 16383 in the RxMaxSize register
|
||||||
|
+ * and allocating 16k frames to handle the largest possible rx value
|
||||||
|
+ * thats what the magic math below does.
|
||||||
|
+ */
|
||||||
|
+ rtl8169_set_rxbufsize(tp, 16383 - VLAN_ETH_HLEN - ETH_FCS_LEN);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Rx and Tx desscriptors needs 256 bytes alignment.
|
||||||
|
@@ -2874,7 +2893,7 @@ static int rtl8169_change_mtu(struct net_device *dev, int new_mtu)
|
||||||
|
|
||||||
|
rtl8169_down(dev);
|
||||||
|
|
||||||
|
- rtl8169_set_rxbufsize(tp, dev);
|
||||||
|
+ rtl8169_set_rxbufsize(tp, dev->mtu);
|
||||||
|
|
||||||
|
ret = rtl8169_init_ring(dev);
|
||||||
|
if (ret < 0)
|
|
@ -12,3 +12,4 @@
|
||||||
- bugfix/all/fix-potential-crash-with-sys_move_pages.patch
|
- bugfix/all/fix-potential-crash-with-sys_move_pages.patch
|
||||||
- bugfix/x86/kvm-pit-control-word-is-write-only.patch
|
- bugfix/x86/kvm-pit-control-word-is-write-only.patch
|
||||||
+ bugfix/all/stable/2.6.32.9-rc1.patch
|
+ bugfix/all/stable/2.6.32.9-rc1.patch
|
||||||
|
+ bugfix/all/net-r8169-improved-rx-length-check-errors.patch
|
||||||
|
|
Loading…
Reference in New Issue