Commits on Apr 24, 2006
  1. Linux 2.6.16.10

    gregkh committed Apr 24, 2006
  2. [PATCH] IPC: access to unmapped vmalloc area in grow_ary()

    grow_ary() should not copy struct ipc_id_ary (it copies new->p, not
    new). Due to this, memcpy() src pointer could hit unmapped vmalloc page
    when near page boundary.
    
    Found during OpenVZ stress testing
    
    Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
    Signed-off-by: Kirill Korotaev <dev@openvz.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Alexey Kuznetsov committed with gregkh Apr 18, 2006
  3. [PATCH] Add more prevent_tail_call()

    Those also break userland regs like following.
    
       00000000 <sys_chown16>:
          0:	0f b7 44 24 0c       	movzwl 0xc(%esp),%eax
          5:	83 ca ff             	or     $0xffffffff,%edx
          8:	0f b7 4c 24 08       	movzwl 0x8(%esp),%ecx
          d:	66 83 f8 ff          	cmp    $0xffffffff,%ax
         11:	0f 44 c2             	cmove  %edx,%eax
         14:	66 83 f9 ff          	cmp    $0xffffffff,%cx
         18:	0f 45 d1             	cmovne %ecx,%edx
         1b:	89 44 24 0c          	mov    %eax,0xc(%esp)
         1f:	89 54 24 08          	mov    %edx,0x8(%esp)
         23:	e9 fc ff ff ff       	jmp    24 <sys_chown16+0x24>
    
    where the tailcall at the end overwrites the incoming stack-frame.
    
    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    OGAWAHirofumi committed with gregkh Apr 19, 2006
  4. [PATCH] alim15x3: ULI M-1573 south Bridge support

    From http://bugzilla.kernel.org/show_bug.cgi?id=6358
    
    The alim15x3.c hasn't been updated for 3 years.  Recently, when we used this
    "ULI M1573" south bridge chip, we found that it can't mount a CDROM (VCD) smoothly
    and must wait for a long time.  After I checked the "ULI M1573" south bridge
    datasheet, I found the reason.  The reason is that the "ULI M1573" version in
    Linux is "0xC7", not "0xC4" anymore.  So I modified the source, and then it
    succeeded.
    
    Cc: Bartlomiej Zolnierkiewicz <B.Zolnierkiewicz@elka.pw.edu.pl>
    Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    KAI.HSU committed with gregkh Apr 19, 2006
  5. [PATCH] apm: fix Armada laptops again

    Fix the "apm: set display: Interface not engaged" error on Armada laptops
    again.
    
    Jordan said:
    
      I think this is fine.  It seems to me that this may be the fault of one or
      both of the APM solutions handling this situation in a non-standard way, but
      since APM is used very little on the Geode, and I have direct access to our
      BIOS folks, if this problem comes up with a customer again, we'll solve it
      from the firmware.
    
    Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
    Cc: "Jordan Crouse" <jordan.crouse@amd.com>
    Cc: Zachary Amsden <zach@vmware.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    sthibaul committed with gregkh Apr 19, 2006
  6. [PATCH] fbdev: Fix return error of fb_write

    Fix return code of fb_write():
    
    If at least 1 byte was transferred to the device, return number of bytes,
    otherwise:
    
        - return -EFBIG - if file offset is past the maximum allowable offset or
          size is greater than framebuffer length
        - return -ENOSPC - if size is greater than framebuffer length - offset
    
    Signed-off-by: Antonino Daplas <adaplas@pol.net>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Antonino A. Daplas committed with gregkh Apr 19, 2006
  7. [PATCH] Fix file lookup without ref

    There are places in the kernel where we look up files in fd tables and
    access the file structure without holding references to the file.  So, we
    need special care to avoid the race between looking up files in the fd
    table and tearing down of the file in another CPU.  Otherwise, one might
    see a NULL f_dentry or such a torn-down version of the file.  This patch
    fixes those special places where such a race may happen.
    
    Signed-off-by: Dipankar Sarma <dipankar@in.ibm.com>
    Acked-by: "Paul E. McKenney" <paulmck@us.ibm.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    dipankarsarma committed with gregkh Apr 19, 2006
  8. [PATCH] m41t00: fix bitmasks when writing to chip

    Fix the bitmasks used when writing to the M41T00 registers.
    
    The original code used a mask of 0x7f when writing to each register;
    this is incorrect and probably the result of a copy-paste error.  As a
    result, years from 1980 to 1999 will be read back as 2000 to 2019.
    
    Signed-off-by: David Barksdale <amatus@ocgnet.org>
    Acked-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    David Barksdale committed with gregkh Apr 19, 2006
  9. [PATCH] Open IPMI BT overflow

    I was looking into random driver code and found a suspicious looking
    memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:
    
    	if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
    		return -1;
    	...
    	memcpy(bt->write_data + 3, data + 1, size - 1);
    
    where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH.  It looks like the
    memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH.  A patch
    attached to limit size to (IPMI_MAX_MSG_LENGTH - 2).
    
    Cc: Corey Minyard <minyard@acm.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Heikki Orsila committed with gregkh Apr 19, 2006
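    An added illustration, not the driver's own code, of the bound this patch tightens: a stand-in for bt->write_data sized IPMI_MAX_MSG_LENGTH, the original check beside the corrected one, and the arithmetic showing the 2-byte overrun at size == IPMI_MAX_MSG_LENGTH. The value 80 for IPMI_MAX_MSG_LENGTH and the 3-byte header layout are assumptions made for the example.

    ```c
    #include <stdio.h>
    #include <string.h>

    /* Constructed stand-ins for the driver's constant and state (values assumed). */
    #define IPMI_MAX_MSG_LENGTH 80

    struct bt_state {
        unsigned char write_data[IPMI_MAX_MSG_LENGTH];
        int write_count;
    };

    /* The copy writes 3 header bytes plus (size - 1) payload bytes into write_data. */
    static size_t bytes_needed(unsigned int size) { return 3 + (size - 1); }

    /* Original bound check: lets size reach IPMI_MAX_MSG_LENGTH. */
    static int bt_accepts_original(unsigned int size)
    {
        if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
            return 0;
        return 1;
    }

    /* Corrected bound check from the patch: size must fit together with the 3-byte header. */
    static int bt_accepts_fixed(unsigned int size)
    {
        if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH - 2))
            return 0;
        return 1;
    }

    /* How many bytes a copy of `size` would run past the end of write_data (0 if none). */
    static int overflow_bytes(unsigned int size)
    {
        size_t needed = bytes_needed(size);
        return needed > IPMI_MAX_MSG_LENGTH ? (int)(needed - IPMI_MAX_MSG_LENGTH) : 0;
    }

    /* Model of the transaction setup; the copy is only done when it provably fits.
     * Returns 0 on success, -1 if the bound check rejects, -2 if the copy would overflow. */
    static int bt_start_transaction(struct bt_state *bt, const unsigned char *data,
                                    unsigned int size, int (*accepts)(unsigned int))
    {
        if (!accepts(size))
            return -1;
        if (bytes_needed(size) > sizeof(bt->write_data))
            return -2; /* reached only with the original check */
        bt->write_data[0] = (unsigned char)(size + 1); /* header layout: constructed */
        bt->write_data[1] = data[0];
        bt->write_data[2] = 0;
        memcpy(bt->write_data + 3, data + 1, size - 1);
        bt->write_count = (int)bytes_needed(size);
        return 0;
    }

    int main(void)
    {
        printf("size == IPMI_MAX_MSG_LENGTH overruns write_data by %d bytes\n",
               overflow_bytes(IPMI_MAX_MSG_LENGTH));
        printf("original check accepts it: %d, fixed check accepts it: %d\n",
               bt_accepts_original(IPMI_MAX_MSG_LENGTH), bt_accepts_fixed(IPMI_MAX_MSG_LENGTH));
        return 0;
    }
    ```
    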
  10. [PATCH] x86: be careful about tailcall breakage for sys_open[at] too

    x86: be careful about tailcall breakage for sys_open[at] too
    
    Came up through a quick grep for other cases similar to the ftruncate()
    one in commit 0a489cb.
    
    Also, add a comment, so that people who read the code understand why we
    do what looks like a no-op.
    
    (Again, this won't actually matter to any sane user, since libc will
    save and restore the register gcc stomps on, but it's still wrong to
    stomp on it)
    
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Linus Torvalds committed with gregkh Apr 18, 2006
  11. [PATCH] x86: don't allow tail-calls in sys_ftruncate[64]()

    x86: don't allow tail-calls in sys_ftruncate[64]()
    
    Gcc thinks it owns the incoming argument stack, but that's not true for
    "asmlinkage" functions, and it corrupts the caller-set-up argument stack
    when it pushes the third argument onto the stack.  Which can result in
    %ebx getting corrupted in user space.
    
    Now, normally nobody sane would ever notice, since libc will save and
    restore %ebx anyway over the system call, but it's still wrong.
    
    I'd much rather have "asmlinkage" tell gcc directly that it doesn't own
    the stack, but no such attribute exists, so we're stuck with our hacky
    manual "prevent_tail_call()" macro once more (we've had the same issue
    before with sys_waitpid() and sys_wait4()).
    
    Thanks to Hans-Werner Hilse <hilse@sub.uni-goettingen.de> for reporting
    the issue and testing the fix.
    
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Linus Torvalds committed with gregkh Apr 18, 2006
  12. [PATCH] IPV6: XFRM: Fix decoding session with preceding extension header(s).

    [IPV6] XFRM: Fix decoding session with preceding extension header(s).
    
    We did not correctly decode session with preceding extension
    header(s).  This was because we had already pulled preceding
    headers, skb->nh.raw + 40 + 1 - skb->data was negative, and
    pskb_may_pull() failed.
    
    We now have IP6CB(skb)->nhoff and skb->h.raw, and we can
    start parsing / decoding upper layer protocol from current
    position.
    
    Tracked down by Noriaki TAKAMIYA <takamiya@po.ntts.co.jp>
    and tested by Kazunori Miyazawa <kazunori@miyazawa.org>.
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    YOSHIFUJI Hideaki / 吉藤英明 committed with gregkh Apr 19, 2006
  13. [PATCH] IPV6: XFRM: Don't use old copy of pointer after pskb_may_pull().

    [IPV6] XFRM: Don't use old copy of pointer after pskb_may_pull().
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    YOSHIFUJI Hideaki / 吉藤英明 committed with gregkh Apr 19, 2006
  14. [PATCH] IPV6: Ensure to have hop-by-hop options in our header of &sk_buff.

    [IPV6]: Ensure to have hop-by-hop options in our header of &sk_buff.
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    YOSHIFUJI Hideaki / 吉藤英明 committed with gregkh Apr 19, 2006
  15. [PATCH] selinux: Fix MLS compatibility off-by-one bug

    Fix an off-by-one error in the MLS compatibility code that was causing
    contexts with a MLS suffix to be rejected, preventing sharing partitions
    between FC4 and FC5.  Bug reported in
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188068
    
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Acked-by: James Morris <jmorris@redhat.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Ron Yorston committed with gregkh Apr 19, 2006
  16. [PATCH] PPC: fix oops in alsa powermac driver

    This fixes an oops in 2.6.16.X when loading the snd_powermac module. The
    name of the requested module changed during the 2.6.16 development cycle
    from i2c-keylargo to i2c-powermac:
    
    Signed-off-by: Guido Guenther <agx@sigxcpu.org>
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    agx committed with gregkh Apr 20, 2006
  17. [PATCH] MTD_NAND_SHARPSL and MTD_NAND_NANDSIM should be tristates

    MTD_NAND=m and MTD_NAND_SHARPSL=y or MTD_NAND_NANDSIM=y are illegal
    combinations that mustn't be allowed.
    
    This patch fixes this bug by making MTD_NAND_SHARPSL and MTD_NAND_NANDSIM
    tristates.
    
    Additionally, it fixes some whitespace damage at these options.
    
    This patch was already included in Linus' tree.
    
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    AdrianBunk committed with gregkh Apr 18, 2006
  18. [PATCH] i2c-i801: Fix resume when PEC is used

    Fix for bug #6395:
    Fail to resume on Tecra M2 with ADM1032 and Intel 82801DBM
    
    The BIOS of the Tecra M2 doesn't like it when it has to reboot or
    resume after the i2c-i801 driver has left the SMBus in PEC mode.
    I have a more complete fix for 2.6.17 but the simple approach of
    leaving the SMBus in non-PEC mode after every transaction should do
    for -stable. That's what the i2c-i801 driver was doing up to 2.6.15
    (inclusive).
    
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Jean Delvare committed with gregkh Apr 18, 2006
  19. [PATCH] Fix hotplug race during device registration

    On Sun, 9 Apr 2006 21:56:59 +0400,
    Sergey Vlasov <vsu@altlinux.ru> wrote:
    > However, show_address() does not output anything unless
    > dev->reg_state == NETREG_REGISTERED - and this state is set by
    > netdev_run_todo() only after netdev_register_sysfs() returns, so in
    > the meantime (while netdev_register_sysfs() is busy adding the
    > "statistics" attribute group) some process may see an empty "address"
    > attribute.
    
    I've tried the attached patch, suggested by Sergey Vlasov on
    hotplug-devel@, and as far as I can test it works just fine.
    
    Signed-off-by: Alexander Patrakov <patrakov@ums.usu.ru>
    Signed-off-by: David Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Thomas de Grenier de Latour committed with gregkh Apr 19, 2006
  20. [PATCH] Fix truesize underflow

    [TCP]: Fix truesize underflow
    
    There is a problem with the TSO packet trimming code.  The cause of
    this lies in the tcp_fragment() function.
    
    When we allocate a fragment for a completely non-linear packet the
    truesize is calculated for a payload length of zero.  This means that
    truesize could in fact be less than the real payload length.
    
    When that happens the TSO packet trimming can cause truesize to become
    negative.  This in turn can cause sk_forward_alloc to be -n * PAGE_SIZE
    which would trigger the warning.
    
    I've copied the code DaveM used in tso_fragment which should work here.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    herbertx committed with gregkh Apr 19, 2006
  21. [PATCH] efficeon-agp: Add missing memory mask

    Original patch by Benjamin Herrenschmidt after debugging by Brian Hinz.
    
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Cc: Brian Hinz <bphinz@hotmail.com>
    Signed-off-by: H Peter Anvin <hpa@zytor.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    H. Peter Anvin committed with gregkh Apr 15, 2006
  22. [PATCH] 3ware 9000 disable local irqs during kmap_atomic

    The attached patch for 2.6.17-rc2 updates the 3ware 9000 driver:
    
    - Disable local interrupts during kmap/unmap_atomic().
    
    Signed-off-by: Adam Radford <linuxraid@amcc.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    adam radford committed with gregkh Apr 11, 2006
  23. [PATCH] 3ware: kmap_atomic() fix

    We must disable local IRQs while holding KM_IRQ0 or KM_IRQ1.  Otherwise, an
    IRQ handler could use those kmap slots while this code is using them,
    resulting in memory corruption.
    
    Thanks to Nick Orlov <bugfixer@list.ru> for reporting.
    
    Cc: <linuxraid@amcc.com>
    Cc: James Bottomley <James.Bottomley@SteelEye.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Andrew Morton committed with gregkh Apr 14, 2006
Commits on Apr 19, 2006
  1. Linux 2.6.16.9

    gregkh committed Apr 19, 2006
  2. [PATCH] i386/x86-64: Fix x87 information leak between processes (CVE-2006-1056)

    AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE
    when an exception is pending.  This means the values leak through context
    switches and allow processes to observe some x87 instruction state of
    other processes.
    
    This was actually documented by AMD, but nobody recognized it as being
    different from Intel before.
    
    The fix first adds an optimization: instead of unconditionally calling
    FNCLEX after each FXSAVE, test if ES is pending and skip it when not
    needed. Then do an x87 load from a kernel variable to clear FOP/FIP/FDP.
    
    This means other processes always will only see a constant value defined
    by the kernel in their FP state.
    
    I took some pain to make sure to choose a variable that's already in L1
    during context switch to make the overhead of this low.
    
    Also alternative() is used to patch away the new code on CPUs that don't
    need it.
    
    Patch for both i386/x86-64.
    
    The problem was discovered originally by Jan Beulich. Richard Brunner
    provided the basic code for the workarounds, with contribution from Jan.
    
    This is CVE-2006-1056
    
    Cc: richard.brunner@amd.com
    Cc: jbeulich@novell.com
    Signed-off-by: Andi Kleen <ak@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Andi Kleen committed with gregkh Apr 19, 2006
Commits on Apr 18, 2006
  1. Linux 2.6.16.8

    gregkh committed Apr 18, 2006
  2. [PATCH] ip_route_input panic fix (CVE-2006-1525)

    This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388
    The bug is caused by ip_route_input dereferencing skb->nh.protocol of
    the dummy skb passed down from inet_rtm_getroute (Thanks Thomas for seeing
    it). It only happens if the route requested is for a multicast IP
    address.
    
    Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Stephen Hemminger committed with gregkh Apr 18, 2006
Commits on Apr 17, 2006
  1. Linux 2.6.16.7

    gregkh committed Apr 17, 2006
  2. [PATCH] fix MADV_REMOVE vulnerability (CVE-2006-1524 for real this time)

    madvise_remove needs to respect file and mmap protections.
    
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Hugh Dickins committed with gregkh Apr 17, 2006
  3. Linux 2.6.16.6

    gregkh committed Apr 17, 2006
  4. [PATCH] shmat: stop mprotect from giving write permission to a readonly attachment (CVE-2006-1524)

    I found that all of 2.4 and 2.6 have been letting mprotect give write
    permission to a readonly attachment of shared memory, whether or not IPC
    would give the caller that permission.
    
    SUS says "The behaviour of this function [mprotect] is unspecified if the
    mapping was not established by a call to mmap", but I don't think we can
    interpret that as allowing it to subvert IPC permissions.
    
    I haven't tried 2.2, but the 2.2.26 source looks like it gets it right; and
    the patch below reproduces that behaviour - mprotect cannot be used to add
    write permission to a shared memory segment attached readonly.
    
    This patch is simple, and I'm sure it's what we should have done in 2.4.0:
    if you want to go on to switch write permission on and off with mprotect,
    just don't attach the segment readonly in the first place.
    
    However, we could have accumulated apps which attach readonly (even though
    they would be permitted to attach read/write), and which subsequently use
    mprotect to switch write permission on and off: it's not unreasonable.
    
    I was going to add a second ipcperms check in do_shmat, to check for
    writable when readonly, and if not writable find_vma and clear VM_MAYWRITE.
    But security_ipc_permission might do auditing, and it seems wrong to
    report an attempt for write permission when there has been none.  Or we
    could flag the vma as SHM, note the shmid or shp in vm_private_data, and
    then get mprotect to check.
    
    But the patch below is a lot simpler: I'd rather stick with it, if we can
    convince ourselves somehow that it'll be safe.
    
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Hugh Dickins committed with gregkh Apr 12, 2006
  5. [PATCH] atm: clip causes unregister hang

    If Classical IP over ATM module is loaded, its neighbor table gets
    populated when permanent neighbor entries are created; but these entries
    are not flushed when the device is removed. Since the entry never gets
    flushed the unregister of the network device never completes.
    
    This version of the patch also adds locking around the reference to
    the atm arp daemon to avoid races with events and daemon state changes.
    (Note: barrier() was never really safe)
    
    Bug-reference: http://bugzilla.kernel.org/show_bug.cgi?id=6295
    
    Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Stephen Hemminger committed with gregkh Apr 12, 2006
  6. [PATCH] fix non-leader exec under ptrace

    This reverts most of commit 30e0fca.
    It broke the case of non-leader MT exec when ptraced.
    I think the bug it was intended to fix was already addressed by commit
    788e05a.
    
    Signed-off-by: Roland McGrath <roland@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Roland McGrath committed with gregkh Apr 12, 2006
  7. [PATCH] USB: remove __init from usb_console_setup

    This prevents an Oops if booted with "console=ttyUSB0" but without a
    USB-serial dongle, and plugged one in afterwards.
    
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Paul Fulghum committed with gregkh Apr 12, 2006
  8. [PATCH] Fix suspend with traced tasks

    strace /bin/bash misbehaves after resume; this fixes it.
    
    (akpm: it's scary calling refrigerator() in state TASK_TRACED, but it seems to
    do the right thing).
    
    Signed-off-by: Pavel Machek <pavel@suse.cz>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Pavel Machek committed with gregkh Mar 31, 2006