Commits on May 31, 2006
  1. Linux 2.6.16.19

    chriswright committed May 31, 2006
  2. [PATCH] NETFILTER: Fix small information leak in SO_ORIGINAL_DST (CVE-2006-1343)

    It appears that sockaddr_in.sin_zero is not zeroed during
    getsockopt(...SO_ORIGINAL_DST...) operation. This can lead
    to an information leak (CVE-2006-1343).
    
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    holtmann committed with chriswright May 26, 2006
Commits on May 22, 2006
  1. Linux 2.6.16.18

    chriswright committed May 22, 2006
  2. [PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444)

    CVE-2006-2444 - Potential remote DoS in SNMP NAT helper.
    
    Fix memory corruption caused by snmp_trap_decode:
    
    - When snmp_trap_decode fails before the id and address are allocated,
      the pointers contain random memory, but are freed by the caller
      (snmp_parse_mangle).
    
    - When snmp_trap_decode fails after allocating just the ID, it tries
      to free both address and ID, but the address pointer still contains
      random memory. The caller frees both ID and random memory again.
    
    - When snmp_trap_decode fails after allocating both, it frees both,
      and the caller frees both again.
    
    The corruption can be triggered remotely when the ip_nat_snmp_basic
    module is loaded and traffic on port 161 or 162 is NATed.
    
    Found by multiple testcases of the trap-app and trap-enc groups of the
    PROTOS c06-snmpv1 testsuite.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    kaber committed with chriswright May 20, 2006
Commits on May 20, 2006
  1. Linux 2.6.16.17

    chriswright committed May 20, 2006
  2. [PATCH] SCTP: Validate the parameter length in HB-ACK chunk (CVE-2006-1857)

    If SCTP receives a badly formatted HB-ACK chunk, it is possible
    that we may access invalid memory and potentially have a buffer
    overflow.  We should really make sure that the chunk format is
    what we expect, before attempting to touch the data.
    
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Vladislav Yasevich committed with chriswright May 19, 2006
  3. [PATCH] SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858)

    When performing bound checks during the parameter processing, we
    want to use the real chunk and parameter lengths for bounds instead
    of the rounded ones.  This prevents us from potentially walking off
    the end if the chunk length was miscalculated.  We still use rounded
    lengths when advancing the pointer. This was found during a
    conformance test that changed the chunk length without modifying
    parameters.
    
    (Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem
    is parameter dependent).
    
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Vladislav Yasevich committed with chriswright May 19, 2006
  4. [PATCH] ptrace_attach: fix possible deadlock scenario with irqs

    Eric Biederman points out that we can't take the task_lock while holding
    tasklist_lock for writing, because another CPU that holds the task lock
    might take an interrupt that then tries to take tasklist_lock for writing.
    
    Which would be a nasty deadlock, with one CPU spinning forever in an
    interrupt handler (although admittedly you need to really work at
    triggering it ;)
    
    Since the ptrace_attach() code is special and very unusual, just make it
    be extra careful, and use trylock+repeat to avoid the possible deadlock.
    
    Cc: Oleg Nesterov <oleg@tv-sign.ru>
    Cc: Eric W. Biederman <ebiederm@xmission.com>
    Cc: Roland McGrath <roland@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Linus Torvalds committed with chriswright May 11, 2006
  5. [PATCH] Fix ptrace_attach()/ptrace_traceme()/de_thread() race

    This holds the task lock (and, for ptrace_attach, the tasklist_lock)
    over the actual attach event, which closes a race between attaching to a
    thread that is either doing a PTRACE_TRACEME or getting de-threaded.
    
    Thanks to Oleg Nesterov for reminding me about this, and Chris Wright
    for noticing a lost return value in my first version.
    
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Linus Torvalds committed with chriswright May 7, 2006
  6. [PATCH] page migration: Fix fallback behavior for dirty pages

    Currently we check PageDirty() in order to make the decision to swap out
    the page.  However, the dirty information may only be contained in the
    ptes pointing to the page.  We need to first unmap the ptes before checking
    for PageDirty().  If unmap is successful then the page count of the page
    will also be decreased so that pageout() works properly.
    
    This is a fix necessary for 2.6.17.  Without this fix we may migrate dirty
    pages for filesystems without migration functions.  Filesystems may keep
    pointers to dirty pages.  Migration of dirty pages can result in the
    filesystem keeping pointers to freed pages.
    
    Unmapping is currently not separated out from removing all the
    references to a page and moving the mapping.  Therefore try_to_unmap will
    be called again in migrate_page() if the writeout is successful.  However,
    it won't do anything since the ptes are already removed.
    
    The coming updates to the page migration code will restructure the code
    so that this is no longer necessary.
    
    Signed-off-by: Christoph Lameter <clameter@sgi.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Christoph Lameter committed with chriswright May 1, 2006
  7. [PATCH] add migratepage address space op to shmem

    Basic problem: pages of a shared memory segment can only be migrated once.
    
    In 2.6.16 through 2.6.17-rc1, shared memory mappings do not have a
    migratepage address space op.  Therefore, migrate_pages() falls back to
    default processing.  In this path, it will try to pageout() dirty pages.
    Once a shared memory page has been migrated it becomes dirty, so
    migrate_pages() will try to page it out.  However, because the page count
    is 3 [cache + current + pte], pageout() will return PAGE_KEEP because
    is_page_cache_freeable() returns false.  This will abort all subsequent
    migrations.
    
    This patch adds a migratepage address space op to shared memory segments to
    avoid taking the default path.  We use the "migrate_page()" function
    because it knows how to migrate dirty pages.  This allows shared memory
    segment pages to migrate, subject to other conditions such as # pte's
    referencing the page [page_mapcount(page)], when requested.
    
    I think this is safe.  If we're migrating a shared memory page, then we
    found the page via a page table, so it must be in memory.
    
    Can be verified with memtoy and the shmem-mbind-test script, both
    available at:  http://free.linux.hp.com/~lts/Tools/
    
    Signed-off-by: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Acked-by: Christoph Lameter <clameter@sgi.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Lee Schermerhorn committed with chriswright Apr 22, 2006
  8. [PATCH] Remove cond_resched in gather_stats()

    gather_stats() is called with a spinlock held from check_pte_range.  We
    cannot reschedule with a lock held.
    
    Signed-off-by: Christoph Lameter <clameter@sgi.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Christoph Lameter committed with chriswright Apr 20, 2006
  9. [PATCH] VIA quirk fixup, additional PCI IDs

    An earlier commit (75cf745) changed an
    overly-zealous PCI quirk to only poke those VIA devices that need it.
    However, some PCI devices were not included in what I hope is now the full
    list.  Consequently we're failing to run the quirk on all machines which need
    it, causing IRQ routing failures.
    
    This should I hope correct this.
    
    Thanks to Masoud Sharbiani <masouds@masoud.ir> for pointing this out
    and testing the fix.
    
    Signed-off-by: Chris Wedgwood <cw@f00f.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    cwedgwood committed with chriswright May 15, 2006
  10. [PATCH] PCI quirk: VIA IRQ fixup should only run for VIA southbridges

    Alan Cox pointed out that the VIA 'IRQ fixup' was erroneously running
    on my system which has no VIA southbridge (but I do have a VIA IEEE
    1394 device).
    
    This should address that.  I also changed "Via IRQ" to "VIA IRQ"
    (initially I read Via as a capitalized via (by way/means of)).
    
    Signed-off-by: Chris Wedgwood <cw@f00f.org>
    Acked-by: Jeff Garzik <jeff@garzik.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    cwedgwood committed with chriswright Apr 19, 2006
  11. [PATCH] Fix udev device creation

    This patch corrects the order of the calls to register_chrdev() and
    pcmcia_register_driver().  Now udev correctly creates userspace device
    files /dev/cmmN and /dev/cmxN respectively.
    
    Based on an earlier patch by Jan Niehusmann <jan@gondor.com>.
    
    Signed-off-by: Harald Welte <laforge@netfilter.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    laf0rge committed with chriswright May 10, 2006
  12. [PATCH] limit request_fn recursion

    Don't recurse back into the driver even if the unplug threshold is met,
    when the driver asks for a requeue. This is both silly from a logical
    point of view (requeues typically happen due to driver/hardware
    shortage), and also dangerous since we could hit an endless request_fn
    -> requeue -> unplug -> request_fn loop and crash on stack overrun.
    
    Also limit blk_run_queue() to one level of recursion, similar to how
    blk_start_queue() works.
    
    This patch fixed a real problem with SLES10 and lpfc, and it could hit
    any SCSI lld that returns non-zero from its ->queuecommand() handler.
    
    Signed-off-by: Jens Axboe <axboe@suse.de>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Jens Axboe committed with chriswright May 11, 2006
  13. [PATCH] PCI: correctly allocate return buffers for osc calls

    The OSC set and query functions do not allocate enough space for return values,
    and set the output buffer length to a false, too large value.  This causes the
    acpi-ca code to assume that the output buffer is larger than it actually is,
    and overwrite memory when copying acpi return buffers into this caller provided
    buffer.  In some cases this can cause kernel oops if the memory that is
    overwritten is a pointer.  This patch will change these calls to use a
    dynamically allocated output buffer, thus allowing the acpi-ca code to decide
    how much space is needed.
    
    Signed-off-by: Kristen Carlson Accardi <kristen.c.accardi@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    kaccardi committed with chriswright May 17, 2006
  14. [PATCH] selinux: check for failed kmalloc in security_sid_to_context()

    Check for NULL kmalloc return value before writing to it.
    
    Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
    Acked-by: James Morris <jmorris@namei.org>
    Cc: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Serge E. Hallyn committed with chriswright May 15, 2006
  15. [PATCH] TG3: ethtool always report port is TP.

    Even with fiber cards ethtool reports that the connected port is TP;
    this patch fixes that.
    
    Signed-off-by: Karsten Keil <kkeil@suse.de>
    Acked-by: Michael Chan <mchan@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Karsten Keil committed with chriswright May 12, 2006
  16. [PATCH] Netfilter: do_add_counters race, possible oops or info leak (CVE-2006-0039)

    Solar Designer found a race condition in do_add_counters(). The beginning
    of paddc is supposed to be the same as tmp which was sanity-checked
    above, but it might not be the same in reality. In case the integer
    overflow and/or the race condition are triggered, paddc->num_counters
    might not match the allocation size for paddc. If the check below
    (t->private->number != paddc->num_counters) nevertheless passes (perhaps
    this requires the race condition to be triggered), IPT_ENTRY_ITERATE()
    would read kernel memory beyond the allocation size, potentially causing
    an oops or leaking sensitive data (e.g., passwords from host system or
    from another VPS) via counter increments.  This requires CAP_NET_ADMIN.
    
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698
    
    Cc: Solar Designer <solar@openwall.com>
    Cc: Kirill Korotaev <dev@sw.ru>
    Cc: Patrick McHardy <kaber@trash.net>
    (chrisw: rebase of Kirill's patch to 2.6.16.16)
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    chriswright committed May 16, 2006
  17. [PATCH] scx200_acb: Fix resource name use after free

    We can't pass a string on the stack to request_region. As soon as we
    leave the function that stack is gone and the string is lost. Let's
    use the same string we identify the i2c_adapter with instead, it's
    more simple, more consistent, and just works.
    
    This is the second half of fix to bug #6445.
    
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Jean Delvare committed with chriswright May 13, 2006
  18. [PATCH] smbus unhiding kills thermal management

    Do not enable the SMBus device on Asus boards if suspend is used.  We do
    not reenable the device on resume, leading to all sorts of undesirable
    effects, the worst being a total fan failure after resume on Samsung P35
    laptop.
    
    This fixes bug #6449 at bugzilla.kernel.org.
    
    Signed-off-by: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net>
    Signed-off-by: Pavel Machek <pavel@suse.cz>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    hailfinger committed with chriswright May 15, 2006
  19. [PATCH] fs/compat.c: fix 'if (a |= b )' typo

    Mentioned by Mark Armbrust somewhere on Usenet.
    
    Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
    Signed-off-by: David Woodhouse <dwmw2@infradead.org>
    Cc: Ulrich Drepper <drepper@redhat.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Alexey Dobriyan committed with chriswright May 15, 2006
  20. [PATCH] smbfs: Fix slab corruption in samba error path

    Yesterday, I got the following error with 2.6.16.13 during a file copy from
    a smb filesystem over a wireless link.  I guess there was some error on the
    wireless link, which in turn caused an error condition for the smb
    filesystem.
    
    In the log, smb_file_read reports error=4294966784 (0xfffffe00), which also
    shows up in the slab dumps, and also is -ERESTARTSYS.  Error code 27499
    corresponds to 0x6b6b, so the rq_errno field seems to be the only one being
    set after freeing the slab.
    
    In smb_add_request (which is the only place in smbfs where I found
    ERESTARTSYS), I found the following:
    
            if (!timeleft || signal_pending(current)) {
                    /*
                     * On timeout or on interrupt we want to try and remove the
                     * request from the recvq/xmitq.
                     */
                    smb_lock_server(server);
                    if (!(req->rq_flags & SMB_REQ_RECEIVED)) {
                            list_del_init(&req->rq_queue);
                            smb_rput(req);
                    }
                    smb_unlock_server(server);
            }
    	[...]
            if (signal_pending(current))
                    req->rq_errno = -ERESTARTSYS;
    
    I guess that some codepath like smbiod_flush() caused the request to be
    removed from the queue, and smb_rput(req) be called, without
    SMB_REQ_RECEIVED being set.  This violates an assumption made by the quoted
    code.
    
    Then, the above code calls smb_rput(req) again, the req gets freed, and
    req->rq_errno = -ERESTARTSYS writes into the already freed slab.  As
    list_del_init doesn't cause an error if called multiple times, that does
    cause the observed behaviour (freed slab with rq_errno=-ERESTARTSYS).
    
    If this observation is correct, the following patch should fix it.
    
    I wonder why the smb code uses list_del_init everywhere - using list_del
    instead would catch such situations by poisoning the next and prev
    pointers.
    
    May  4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Firmware error detected.  Restarting.
    May  4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Sysfs 'error' log captured.
    May  4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Firmware error detected.  Restarting.
    May  4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Sysfs 'error' log already exists.
    May  4 23:33:02 knautsch kernel: [17180306.968000] smb_file_read: //some_file validation failed, error=4294966784
    May  4 23:34:18 knautsch kernel: [17180383.256000] smb_file_read: //some_file validation failed, error=4294966784
    May  4 23:34:18 knautsch kernel: [17180383.284000] SMB connection re-established (-5)
    May  4 23:37:19 knautsch kernel: [17180563.956000] smb_file_read: //some_file validation failed, error=4294966784
    May  4 23:40:09 knautsch kernel: [17180733.636000] smb_file_read: //some_file validation failed, error=4294966784
    May  4 23:40:26 knautsch kernel: [17180750.700000] smb_file_read: //some_file validation failed, error=4294966784
    May  4 23:43:02 knautsch kernel: [17180907.304000] smb_file_read: //some_file validation failed, error=4294966784
    May  4 23:43:08 knautsch kernel: [17180912.324000] smb_file_read: //some_file validation failed, error=4294966784
    May  4 23:43:34 knautsch kernel: [17180938.416000] smb_errno: class Unknown, code 27499 from command 0x6b
    May  4 23:43:34 knautsch kernel: [17180938.416000] Slab corruption: start=c4ebe09c, len=244
    May  4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
    May  4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
    May  4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
    May  4 23:43:34 knautsch kernel: [17180938.416000] 0f0: 00 fe ff ff
    May  4 23:43:34 knautsch kernel: [17180938.416000] Next obj: start=c4ebe19c, len=244
    May  4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
    May  4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
    May  4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
    May  4 23:43:34 knautsch kernel: [17180938.416000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
    May  4 23:43:34 knautsch kernel: [17180938.460000] SMB connection re-established (-5)
    May  4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Firmware error detected.  Restarting.
    May  4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Sysfs 'error' log already exists.
    May  4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Firmware error detected.  Restarting.
    May  4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Sysfs 'error' log already exists.
    May  4 23:45:05 knautsch kernel: [17181029.868000] smb_file_read: //some_file validation failed, error=4294966784
    May  4 23:45:36 knautsch kernel: [17181060.984000] smb_errno: class Unknown, code 27499 from command 0x6b
    May  4 23:45:36 knautsch kernel: [17181060.984000] Slab corruption: start=c4ebe09c, len=244
    May  4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
    May  4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
    May  4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
    May  4 23:45:36 knautsch kernel: [17181060.984000] 0f0: 00 fe ff ff
    May  4 23:45:36 knautsch kernel: [17181060.984000] Next obj: start=c4ebe19c, len=244
    May  4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
    May  4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
    May  4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
    May  4 23:45:36 knautsch kernel: [17181060.984000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
    May  4 23:45:36 knautsch kernel: [17181061.024000] SMB connection re-established (-5)
    May  4 23:46:17 knautsch kernel: [17181102.132000] smb_file_read: //some_file validation failed, error=4294966784
    May  4 23:47:46 knautsch kernel: [17181190.468000] smb_errno: class Unknown, code 27499 from command 0x6b
    May  4 23:47:46 knautsch kernel: [17181190.468000] Slab corruption: start=c4ebe09c, len=244
    May  4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
    May  4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
    May  4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
    May  4 23:47:46 knautsch kernel: [17181190.468000] 0f0: 00 fe ff ff
    May  4 23:47:46 knautsch kernel: [17181190.468000] Next obj: start=c4ebe19c, len=244
    May  4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
    May  4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
    May  4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
    May  4 23:47:46 knautsch kernel: [17181190.468000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
    May  4 23:47:46 knautsch kernel: [17181190.492000] SMB connection re-established (-5)
    May  4 23:49:20 knautsch kernel: [17181284.828000] smb_file_read: //some_file validation failed, error=4294966784
    May  4 23:49:39 knautsch kernel: [17181303.896000] smb_file_read: //some_file validation failed, error=4294966784
    
    Signed-off-by: Jan Niehusmann <jan@gondor.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    jannic committed with chriswright May 15, 2006
  21. [PATCH] fs/locks.c: Fix sys_flock() race

    sys_flock() currently has a race which can result in a double free in the
    multi-thread case.
    
    Thread 1			Thread 2
    
    sys_flock(file, LOCK_EX)
    				sys_flock(file, LOCK_UN)
    
    If Thread 2 removes the lock from inode->i_lock before Thread 1 tests for
    list_empty(&lock->fl_link) at the end of sys_flock, then both threads will
    end up calling locks_free_lock for the same lock.
    
    Fix is to make flock_lock_file() do the same as posix_lock_file(), namely
    to make a copy of the request, so that the caller can always free the lock.
    
    This also has the side-effect of fixing up a reference problem in the
    lockd handling of flock.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Trond Myklebust committed with chriswright Mar 31, 2006
  22. [PATCH] USB: ub oops in block_uevent

    In kernel 2.6.16, if a mounted storage device is removed, an oops happens
    because ub supplies an interface device (and kobject) to the block layer,
    but neglects to pin it. And apparently, the block layer expects its users
    to pin device structures.
    
    The code in ub was broken this way for years. But the bug was exposed only
    by 2.6.16 when it started to call block_uevent on close, which traverses
    device structures (kobjects actually).
    
    Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Pete Zaitcev committed with chriswright May 3, 2006
  23. [PATCH] via-rhine: zero pad short packets on Rhine I ethernet cards

    Fixes Rhine I cards disclosing fragments of previously transmitted frames
    in new transmissions.
    
    Before transmission, any socket buffer (skb) shorter than the ethernet
    minimum length of 60 bytes was zero-padded.  On Rhine I cards the data can
    later be copied into an aligned transmission buffer without copying this
    padding.  This resulted in the transmission of the frame with the extra
    bytes beyond the provided content leaking the previous contents of this
    buffer on to the network.
    
    Now zero-padding is repeated in the local aligned buffer if one is used.
    
    Following a suggestion from the via-rhine maintainer, no attempt is made
    here to avoid the duplicated effort of padding the skb if it is known that
    an aligned buffer will definitely be used.  This is to make the change
    "obviously correct" and allow it to be applied to a stable kernel if
    necessary.  There is no change to the flow of control and the changes are
    only to the Rhine I code path.
    
    The patch has run on an in-service Rhine-I host without incident.  Frames
    shorter than 60 bytes are now correctly zero-padded when captured on a
    separate host.  I see no unusual stats reported by ifconfig, and no unusual
    log messages.
    
    Signed-off-by: Craig Brind <craigbrind@gmail.com>
    Signed-off-by: Roger Luethi <rl@hellgate.ch>
    Cc: Jeff Garzik <jeff@garzik.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Jeff Garzik <jeff@garzik.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Craig Brind committed with chriswright May 2, 2006
  24. [PATCH] md: Avoid oops when attempting to fix read errors on raid10

    We should add to the counter for the rdev *after* checking if the rdev is
    NULL!!!
    
    Signed-off-by: Neil Brown <neilb@suse.de>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    neilbrown committed with chriswright May 1, 2006
Commits on May 11, 2006
  1. Linux 2.6.16.16

    chriswright committed May 11, 2006
  2. [PATCH] fs/locks.c: Fix lease_init (CVE-2006-1860)

    It is insane to be giving lease_init() the task of freeing the lock it is
    supposed to initialise, given that the lock is not guaranteed to be
    allocated on the stack. This causes lockups in fcntl_setlease().
    Problem diagnosed by Daniel Hokka Zakrisson <daniel@hozac.com>
    
    Also fix a slab leak in __setlease() due to an uninitialised return value.
    Problem diagnosed by Björn Steinbrink.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Tested-by: Daniel Hokka Zakrisson <daniel@hozac.com>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Cc: Björn Steinbrink <B.Steinbrink@gmx.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Trond Myklebust committed with chriswright May 8, 2006
Commits on May 9, 2006
  1. Linux 2.6.16.15

    chriswright committed May 9, 2006
  2. [PATCH] SCTP: Prevent possible infinite recursion with multiple bundled DATA. (CVE-2006-2274)

    There is a rare situation that causes lksctp to go into infinite recursion
    and crash the system.  The trigger is a packet that contains at least the
    first two DATA fragments of a message bundled together. The recursion is
    triggered when the user data buffer is smaller than the full data message.
    The problem is that we clone the skb for every fragment in the message.
    When reassembling the full message, we try to link skbs from the "first
    fragment" clone using the frag_list. However, since the frag_list is shared
    between two clones in this rare situation, we end up setting the frag_list
    pointer of the second fragment to point to itself.  This causes
    sctp_skb_pull() to potentially recurse indefinitely.
    
    Proposed solution is to make a copy of the skb when attempting to link
    things using frag_list.
    
    Signed-off-by: Vladislav Yasevich <vladsilav.yasevich@hp.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Vladislav Yasevich committed with chriswright May 6, 2006
  3. [PATCH] SCTP: Allow spillover of receive buffer to avoid deadlock. (CVE-2006-2275)

    This patch fixes a deadlock situation in the receive path by allowing
    temporary spillover of the receive buffer.
    
    - If the chunk we receive has a tsn that immediately follows the ctsn,
      accept it even if we run out of receive buffer space and renege data with
      higher TSNs.
    - Once we accept one chunk in a packet, accept all the remaining chunks
      even if we run out of receive buffer space.
    
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Mark Butler <butlerm@middle.net>
    Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Neil Horman committed with chriswright May 6, 2006
  4. [PATCH] SCTP: Fix state table entries for chunks received in CLOSED state. (CVE-2006-2271)

    Discard an unexpected chunk in CLOSED state rather than calling BUG().
    
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Sridhar Samudrala committed with chriswright May 6, 2006
  5. [PATCH] SCTP: Fix panic's when receiving fragmented SCTP control chunks. (CVE-2006-2272)

    Use pskb_pull() to handle incoming COOKIE_ECHO and HEARTBEAT chunks that
    are received as skb's with fragment list.
    
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Sridhar Samudrala committed with chriswright May 6, 2006