Commits on Jul 17, 2006
  1. @gregkh

    Linux 2.6.16.27

    gregkh committed Jul 17, 2006
  2. @ian-abbott @gregkh

    [PATCH] USB serial ftdi_sio: Prevent userspace DoS (CVE-2006-2936)

    This patch limits the amount of outstanding 'write' data that can be
    queued up for the ftdi_sio driver, to prevent userspace DoS attacks (or
    simple accidents) that use up all the system memory by writing lots of
    data to the serial port.
    
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    ian-abbott committed with gregkh Jun 26, 2006
  3. @gregkh

    [PATCH] IPV6 ADDRCONF: Fix default source address selection without C…

    …ONFIG_IPV6_PRIVACY
    
    We need to update hiscore.rule even if we don't enable CONFIG_IPV6_PRIVACY,
    because we have one more, less significant rule: longest match.
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    YOSHIFUJI Hideaki committed with gregkh Jun 22, 2006
  4. @steelman @gregkh

    [PATCH] IPV6: Fix source address selection.

    Two additional labels (RFC 3484, sec. 10.3) for IPv6 addresses
    are defined to make a distinction between global unicast
    addresses and Unique Local Addresses (fc00::/7, RFC 4193) and
    Teredo (2001::/32, RFC 4380). It is necessary to avoid attempts
    of connection that would either fail (e.g. fec0:: to 2001:feed::)
    or be sub-optimal (2001:0:: to 2001:feed::).
    
    Signed-off-by: Łukasz Stelmach <stlman@poczta.fm>
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    steelman committed with gregkh Jun 22, 2006
Commits on Jul 15, 2006
  1. @gregkh

    Linux 2.6.16.25

    gregkh committed Jul 15, 2006
  2. @gregkh

    [PATCH] Relax /proc fix a bit

    Relax /proc fix a bit
    
    Clearing all of i_mode was a bit draconian. We only really care about
    S_ISUID/ISGID, after all.
    
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Linus Torvalds committed with gregkh Jul 15, 2006
  3. @gregkh

    Linux 2.6.16.25

    gregkh committed Jul 14, 2006
  4. @gregkh

    [PATCH] Fix nasty /proc vulnerability (CVE-2006-3626)

    Fix nasty /proc vulnerability
    
    We have a bad interaction with both the kernel and user space being able
    to change some of the /proc file status.  This fixes the most obvious
    part of it, but I expect we'll also make it harder for users to modify
    even their "own" files in /proc.
    
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Linus Torvalds committed with gregkh Jul 14, 2006
Commits on Jul 6, 2006
  1. @gregkh

    Linux 2.6.16.24

    gregkh committed Jul 6, 2006
  2. @gregkh

    fix prctl privilege escalation and suid_dumpable (CVE-2006-2451)

    Based on a patch from Ernie Petrides
    
    During security research, Red Hat discovered a behavioral flaw in core
    dump handling. A local user could create a program that would cause a
    core file to be dumped into a directory they would not normally have
    permissions to write to. This could lead to a denial of service (disk
    consumption), or allow the local user to gain root privileges.
    
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    gregkh committed Jul 6, 2006
Commits on Jun 30, 2006
  1. @gregkh

    Linux 2.6.16.23

    gregkh committed Jun 30, 2006
  2. @chriswright @gregkh

    [PATCH] revert PARPORT_SERIAL should depend on SERIAL_8250_PCI patch

    Should have not been applied to 2.6.16
    
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    chriswright committed with gregkh Jun 30, 2006
  3. @kaber @gregkh

    [PATCH] NETFILTER: SCTP conntrack: fix crash triggered by packet with…

    …out chunks [CVE-2006-2934]
    
    When a packet without any chunks is received, the newconntrack variable
    in sctp_packet contains an out of bounds value that is used to look up a
    pointer from the array of timeouts, which is then dereferenced, resulting
    in a crash. Make sure at least a single chunk is present.
    
    Problem noticed by George A. Theall <theall@tenablesecurity.com>
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    kaber committed with gregkh Jun 30, 2006
Commits on Jun 22, 2006
  1. @chriswright

    Linux 2.6.16.22

    chriswright committed Jun 22, 2006
  2. @chriswright

    [PATCH] NTFS: Critical bug fix (affects MIPS and possibly others)

    It fixes a crash in NTFS on architectures where flush_dcache_page()
    is a real function.  I never noticed this as all my testing is done on
    i386 where flush_dcache_page() is NULL.
    
    http://bugzilla.kernel.org/show_bug.cgi?id=6700
    
    Many thanks to Pauline Ng for the detailed bug report and analysis!
    
    Signed-off-by: Anton Altaparmakov <aia21@cantab.net>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Anton Altaparmakov committed with chriswright Jun 20, 2006
  3. @chriswright

    [PATCH] powernow-k8 crash workaround

    Work around the oops reported in
    http://bugzilla.kernel.org/show_bug.cgi?id=6478.
    
    Thanks to Ralf Hildebrandt <ralf.hildebrandt@charite.de> for testing and
    reporting.
    
    Acked-by: Dave Jones <davej@codemonkey.org.uk>
    Cc: "Brown, Len" <len.brown@intel.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Andrew Morton committed with chriswright Jun 10, 2006
  4. @chriswright

    [PATCH] I2O: Bugfixes to get I2O working again

    - Fixed locking of struct i2o_exec_wait in Executive-OSM
    
    - Removed LCT Notify in i2o_exec_probe() which caused freeing memory and
      accessing freed memory during first enumeration of I2O devices
    
    - Added missing locking in i2o_exec_lct_notify()
    
    - removed put_device() of I2O controller in i2o_iop_remove() which caused
      the controller structure to get freed too early
    
    - Fixed size of mempool in i2o_iop_alloc()
    
    - Fixed access to freed memory in i2o_msg_get()
    
    See http://bugzilla.kernel.org/show_bug.cgi?id=6561
    
    Signed-off-by: Markus Lidel <Markus.Lidel@shadowconnect.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Markus Lidel committed with chriswright Jun 10, 2006
  5. @chriswright

    [PATCH] scsi_lib.c: properly count the number of pages in scsi_req_ma…

    …p_sg()
    
    The calculation of nr_pages in scsi_req_map_sg() doesn't account for
    the fact that the first page could have an offset that pushes the end
    of the buffer onto a new page.
    
    Signed-off-by: Bryan Holty <lgeek@frontiernet.net>
    Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    James Bottomley committed with chriswright Jun 8, 2006
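The off-by-one-page case described in the scsi_req_map_sg() commit above, worked through as an added example (not the kernel's code). It assumes 4 KiB pages and a first-page offset below PAGE_SIZE, which is what a scatterlist entry's offset looks like; the page count has to be computed from offset + length, not from the length alone.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed page geometry for this stand-alone example: 4 KiB pages
 * (the real value comes from the kernel's PAGE_SHIFT). */
#define PAGE_SHIFT 12
#define PAGE_SIZE  ((size_t)1 << PAGE_SHIFT)

/* The defective calculation: rounds the byte length up to whole pages
 * but silently assumes the buffer starts on a page boundary. */
static unsigned long nr_pages_ignoring_offset(size_t bufflen)
{
    return (bufflen + PAGE_SIZE - 1) >> PAGE_SHIFT;
}

/* The corrected calculation: the buffer occupies bytes
 * [offset, offset + bufflen) measured from the first page boundary, so
 * a non-zero offset can push the final byte onto one more page.
 * Valid for offset < PAGE_SIZE and bufflen > 0. */
static unsigned long nr_pages_with_offset(size_t offset, size_t bufflen)
{
    return (offset + bufflen + PAGE_SIZE - 1) >> PAGE_SHIFT;
}

/* Reference count: index of the last page minus index of the first
 * page, plus one. Used only to cross-check the closed form above. */
static unsigned long nr_pages_reference(size_t offset, size_t bufflen)
{
    if (bufflen == 0)
        return 0;
    return ((offset + bufflen - 1) >> PAGE_SHIFT) - (offset >> PAGE_SHIFT) + 1;
}

/* Returns 1 if the offset-aware closed form agrees with the reference
 * for this buffer, 0 otherwise. */
static int nr_pages_consistent(size_t offset, size_t bufflen)
{
    return nr_pages_with_offset(offset, bufflen) == nr_pages_reference(offset, bufflen);
}

int main(void)
{
    /* A 4096-byte buffer starting 100 bytes into its first page spans
     * two pages; the old formula says 1, the corrected one says 2. */
    printf("ignoring offset: %lu\n", nr_pages_ignoring_offset(4096));
    printf("with offset:     %lu\n", nr_pages_with_offset(100, 4096));
    return 0;
}
```

Undercounting here means the scatter-gather mapping is one page short for any buffer whose start is not page aligned, which is the "first page could have an offset" condition the commit describes.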
  6. @chriswright

    [PATCH] JFS: Fix multiple errors in metapage_releasepage

    It looks like metapage_releasepage was making an invalid assumption that
    the releasepage method would not be called on a dirty page.  Instead of
    issuing a warning and releasing the metapage, it should return 0, indicating
    that the private data for the page cannot be released.
    
    I also realized that metapage_releasepage had the return code all wrong.  If
    it is successful in releasing the private data, it should return 1, otherwise
    it needs to return 0.
    
    Lastly, there is no need to call wait_on_page_writeback, since
    try_to_release_page will not call us with a page in writeback state.
    
    Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Dave Kleikamp committed with chriswright Jun 6, 2006
  7. @chriswright

    [PATCH] fs/namei.c: Call to file_permission() under a spinlock in do_…

    …lookup_path()
    
    We're presently running lock_kernel() under fs_lock via nfs's ->permission
    handler.  That's a ranking bug and sometimes a sleep-in-spinlock bug.  This
    problem was introduced in the openat() patchset.
    
    We should not need to hold the current->fs->lock for a codepath that doesn't
    use current->fs.
    
    [vsu@altlinux.ru: fix error path]
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: Al Viro <viro@ftp.linux.org.uk>
    Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Trond Myklebust committed with chriswright Jun 6, 2006
  8. @robbat2 @chriswright

    [PATCH] tmpfs: time granularity fix for [acm]time going backwards

    I noticed a strange behavior in a tmpfs file system the other day, while
    building packages - occasionally, and seemingly at random, make decided to
    rebuild a target. However, only on tmpfs.
    
    A file would be created, and if checked, it had a sub-second timestamp.
    However, after an utimes related call where sub-seconds should be set, they
    were zeroed instead. In the case that a file was created, and utimes(...,NULL)
    was used on it in the same second, the timestamp on the file moved backwards.
    
    After some digging, I found that this was being caused by tmpfs not having a
    time granularity set, thus inheriting the default 1 second granularity.
    
    Hugh adds: yes, we missed tmpfs when the s_time_gran mods went into 2.6.11.
    Unfortunately, the granularity of CURRENT_TIME, often used in filesystems,
    does not match the default granularity set by alloc_super.  A few more such
    discrepancies have been found, but this is the most important to fix now.
    
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
    Acked-by: Andi Kleen <ak@suse.de>
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    robbat2 committed with chriswright Jun 13, 2006
  9. @verygreen @chriswright

    [PATCH] Missed error checking for intent's filp in open_namei().

    It seems there is an error check missing in open_namei for errors returned
    through intent.open.file (from lookup_instantiate_filp).
    
    If a plain open is performed, then such a check is done inside
    __path_lookup_intent_open called from path_lookup_open(), but when the open
    is performed with the O_CREAT flag set, then __path_lookup_intent_open is only
    called with LOOKUP_PARENT set, where no file opening can occur yet.
    
    Later on lookup_hash is called where exact opening might take place and
    intent.open.file may be filled.  If it is filled with error value of some
    sort, then we get kernel attempting to dereference this error value as
    address (and corresponding oops) in nameidata_to_filp() called from
    filp_open().
    
    While this is relatively simple to workaround in ->lookup() method by just
    checking lookup_instantiate_filp() return value and returning error as
    needed, this is not so easy in ->d_revalidate(), where we can only return
    "yes, dentry is valid" or "no, dentry is invalid, perform full lookup
    again", and just returning 0 on error would cause extra lookup (with
    potential extra costly RPCs).
    
    So in short, I believe that there should be no difference in error handling
    for opening a file and creating a file in open_namei() and propose this
    simple patch as a solution.
    
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    verygreen committed with chriswright Mar 25, 2006
  10. @davem330 @chriswright

    [PATCH] SPARC64: Fix missing fold at end of checksums.

    Both csum_partial() and the csum_partial_copy*() family of routines
    forget to do a final fold on the computed checksum value on sparc64.
    So do the standard Sparc "add + set condition codes, add carry"
    sequence, then make sure the high 32-bits of the return value are
    clear.
    
    Based upon some excellent detective work and debugging done by
    Richard Braun and Samuel Thibault.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    davem330 committed with chriswright Jun 5, 2006
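The missing-fold problem from the SPARC64 checksum commit above, shown as an added example in portable C rather than the kernel's sparc assembly. The wide accumulator and the fold routines are this example's own; it assumes the usual 16-bit one's-complement checksum (big-endian words, odd trailing byte as a high byte) and demonstrates that truncating a 64-bit partial to 32 bits, instead of folding the carries back in, yields a different checksum once the sum exceeds 32 bits.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Sum 16-bit big-endian words into a 64-bit accumulator with no fold,
 * the way a wide-register implementation accumulates. An odd trailing
 * byte is taken as the high byte of a final word. */
static uint64_t csum_partial_wide(const uint8_t *buf, size_t len)
{
    uint64_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint64_t)(((unsigned)buf[i] << 8) | buf[i + 1]);
    if (i < len)
        sum += (uint64_t)buf[i] << 8;
    return sum;
}

/* End-around-carry fold of a 64-bit partial into 32 bits. Two passes,
 * because the first addition can itself carry out of bit 31. */
static uint32_t csum_fold64_to32(uint64_t sum)
{
    sum = (sum & 0xffffffffu) + (sum >> 32);
    sum = (sum & 0xffffffffu) + (sum >> 32);
    return (uint32_t)sum;
}

/* Fold a 32-bit partial into the 16-bit one's-complement sum. */
static uint16_t csum_fold32_to16(uint32_t sum)
{
    sum = (sum & 0xffffu) + (sum >> 16);
    sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)sum;
}

/* Reference: classic 16-bit sum with the carry folded back after every
 * addition, so it can never hold more than 16 significant bits. */
static uint16_t csum_reference(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2) {
        sum += ((unsigned)buf[i] << 8) | buf[i + 1];
        sum = (sum & 0xffffu) + (sum >> 16);
    }
    if (i < len) {
        sum += (unsigned)buf[i] << 8;
        sum = (sum & 0xffffu) + (sum >> 16);
    }
    return (uint16_t)sum;
}

/* Constructed input: 70000 words of 0xffff, enough for the wide partial
 * to pass 2^32 so the high 32 bits are non-zero. */
#define CSUM_DEMO_WORDS 70000u
static uint8_t csum_demo_buf[2 * CSUM_DEMO_WORDS];

/* Returns 1 if folding the wide partial reproduces the reference
 * checksum while merely truncating it to 32 bits does not; 0 otherwise. */
static int csum_fold_is_required(void)
{
    memset(csum_demo_buf, 0xff, sizeof csum_demo_buf);
    uint64_t wide = csum_partial_wide(csum_demo_buf, sizeof csum_demo_buf);
    uint16_t folded = csum_fold32_to16(csum_fold64_to32(wide));
    uint16_t truncated = csum_fold32_to16((uint32_t)wide);
    uint16_t ref = csum_reference(csum_demo_buf, sizeof csum_demo_buf);
    return folded == ref && truncated != ref;
}

int main(void)
{
    printf("fold required: %s\n", csum_fold_is_required() ? "yes" : "no");
    return 0;
}
```

A truncated partial produces a checksum that is wrong by exactly the dropped carries, so the error is silent: packets still carry a plausible-looking checksum that the receiver rejects, which is why the commit calls the sparc64 bug "disk eater"-class serious rather than a cosmetic one.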
  11. @davem330 @chriswright

    [PATCH] SPARC64: Respect gfp_t argument to dma_alloc_coherent().

    Using asm-generic/dma-mapping.h does not work because pushing
    the call down to pci_alloc_coherent() causes the gfp_t argument
    of dma_alloc_coherent() to be ignored.
    
    Fix this by implementing things directly, and adding a gfp_t
    argument we can use in the internal call down to the PCI DMA
    implementation of pci_alloc_coherent().
    
    This fixes massive memory corruption when using the sound driver
    layer, which passes things like __GFP_COMP down into these
    routines and (correctly) expects that to work.
    
    This is a disk eater when sound is used, so it's pretty critical.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    davem330 committed with chriswright Jun 4, 2006
  12. @davem330 @chriswright

    [PATCH] SPARC64: Fix D-cache corruption in mremap

    If we move a mapping from one virtual address to another,
    and this changes the virtual color of the mapping to those
    pages, we can see corrupt data due to D-cache aliasing.
    
    Check for and deal with this by overriding the move_pte()
    macro.  Set things up so that other platforms can cleanly
    override the move_pte() macro too.
    
    This long standing bug corrupts user memory, and in particular
    has been notorious for corrupting Debian package database
    files on sparc64 boxes.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    davem330 committed with chriswright Jun 2, 2006
  13. @chriswright

    [PATCH] USB: Whiteheat: fix firmware spurious errors

    Attached patch fixes spurious errors during firmware load.
    
    Signed-off-by: Stuart MacDonald <stuartm@connecttech.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Stuart MacDonald committed with chriswright May 31, 2006
Commits on Jun 20, 2006
  1. @chriswright

    Linux 2.6.16.21

    chriswright committed Jun 20, 2006
  2. @kaber @chriswright

    [PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-…

    …3085)
    
    Fix endless loop in the SCTP match similar to those already fixed in the
    SCTP conntrack helper (was CVE-2006-1527).
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    kaber committed with chriswright Jun 19, 2006
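Both SCTP fixes on this page, the conntrack crash on a packet with no chunks (CVE-2006-2934, further up) and the xt_sctp endless loop on a zero chunk length (CVE-2006-3085, just above), come down to the same chunk walk. The following is an added example of a defensive walker, not the kernel's netfilter code; it assumes only the SCTP wire layout (12-byte common header, 4-byte chunk header with a big-endian length that covers the header, chunks padded to 4 bytes) and the constructed sample packets embedded below.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sizes from the SCTP wire format. */
#define SCTP_COMMON_HDR_LEN 12
#define SCTP_CHUNK_HDR_LEN   4

/* Negative results from sctp_chunk_count(); a non-negative result is
 * the number of well-formed chunks in the packet. */
#define SCTP_ERR_TRUNCATED  (-1)  /* shorter than the common header */
#define SCTP_ERR_NO_CHUNKS  (-2)  /* common header with no chunk behind it */
#define SCTP_ERR_BAD_LENGTH (-3)  /* chunk length < 4, or past the packet end */

static int sctp_chunk_count(const uint8_t *pkt, size_t len)
{
    size_t off = SCTP_COMMON_HDR_LEN;
    int count = 0;

    if (len < SCTP_COMMON_HDR_LEN)
        return SCTP_ERR_TRUNCATED;

    while (off + SCTP_CHUNK_HDR_LEN <= len) {
        /* Big-endian chunk length, inclusive of the 4-byte header. */
        size_t clen = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];

        /* A length below the header size (zero in particular) would
         * leave 'off' where it is and the loop would never end. */
        if (clen < SCTP_CHUNK_HDR_LEN)
            return SCTP_ERR_BAD_LENGTH;
        if (off + clen > len)
            return SCTP_ERR_BAD_LENGTH;

        count++;
        /* Padding to a 4-byte boundary is not included in the length. */
        off += (clen + 3) & ~(size_t)3;
    }

    /* Header-only packet: there is no "first chunk type" to classify,
     * so a caller must not derive a state-table index from it. */
    return count > 0 ? count : SCTP_ERR_NO_CHUNKS;
}

/* Constructed sample packets: ports 8080/8080, verification tag 1,
 * checksum field left zero (not verified by this walker). */
#define SCTP_SAMPLE_HDR 0x1f,0x90, 0x1f,0x90, 0,0,0,1, 0,0,0,0

static const uint8_t sctp_pkt_header_only[] = { SCTP_SAMPLE_HDR };
static const uint8_t sctp_pkt_zero_len[]    = { SCTP_SAMPLE_HDR, 0x01,0x00, 0x00,0x00 };
static const uint8_t sctp_pkt_overlong[]    = { SCTP_SAMPLE_HDR, 0x01,0x00, 0x00,0x10 };
static const uint8_t sctp_pkt_two_chunks[]  = { SCTP_SAMPLE_HDR,
    0x00,0x00, 0x00,0x05, 0xaa, 0,0,0,   /* DATA chunk, length 5, padded to 8 */
    0x06,0x00, 0x00,0x04 };              /* ABORT chunk, header only */

int main(void)
{
    printf("header only : %d\n", sctp_chunk_count(sctp_pkt_header_only, sizeof sctp_pkt_header_only));
    printf("zero length : %d\n", sctp_chunk_count(sctp_pkt_zero_len, sizeof sctp_pkt_zero_len));
    printf("overlong    : %d\n", sctp_chunk_count(sctp_pkt_overlong, sizeof sctp_pkt_overlong));
    printf("two chunks  : %d\n", sctp_chunk_count(sctp_pkt_two_chunks, sizeof sctp_pkt_two_chunks));
    return 0;
}
```

The two checks map directly onto the two fixes: rejecting a length below the header size is what stops the xt_sctp loop from spinning, and refusing to report a packet with zero chunks is what keeps the conntrack code from indexing its timeout array with a value it never initialised.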
  3. @chriswright

    [PATCH] run_posix_cpu_timers: remove a bogus BUG_ON() (CVE-2006-2445)

    do_exit() clears ->it_##clock##_expires, but nothing prevents
    another cpu from attaching the timer to the exiting process after that.
    arm_timer() tries to protect against this race, but the check
    is racy.
    
    After exit_notify() does 'write_unlock_irq(&tasklist_lock)' and
    before do_exit() calls 'schedule()', a local timer interrupt can find
    tsk->exit_state != 0. If that state was EXIT_DEAD (or another cpu
    does sys_wait4) the interrupted task has ->signal == NULL.
    
    At this moment the exiting task has no pending cpu timers, they were
    cleaned up in __exit_signal()->posix_cpu_timers_exit{,_group}(),
    so we can just return from irq.
    
    John Stultz recently confirmed this bug, see
    
    	http://marc.theaimsgroup.com/?l=linux-kernel&m=115015841413687
    
    Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Oleg Nesterov committed with chriswright Jun 15, 2006
  4. @chriswright

    [PATCH] check_process_timers: fix possible lockup

    If the local timer interrupt happens just after do_exit() sets PF_EXITING
    (and before it clears ->it_xxx_expires) run_posix_cpu_timers() will call
    check_process_timers() with tasklist_lock + ->siglock held and
    
    	check_process_timers:
    
    		t = tsk;
    		do {
    			....
    
    			do {
    				t = next_thread(t);
    			} while (unlikely(t->flags & PF_EXITING));
    		} while (t != tsk);
    
    the outer loop will never stop.
    
    Actually, the window is bigger.  Another process can attach the timer
    after ->it_xxx_expires was cleared (see the next commit) and the 'if
    (PF_EXITING)' check in arm_timer() is racy (see the one after that).
    
    Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Oleg Nesterov committed with chriswright Jun 15, 2006
  5. @paulusmack @chriswright

    [PATCH] powerpc: Fix machine check problem on 32-bit kernels (CVE-200…

    …6-2448)
    
    This fixes a bug found by Dave Jones that means that it is possible
    for userspace to provoke a machine check on 32-bit kernels.  This
    also fixes a couple of other places where I found similar problems
    by inspection.
    
    Signed-off-by: Paul Mackerras <paulus@samba.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    paulusmack committed with chriswright Jun 9, 2006
Commits on Jun 5, 2006
  1. @chriswright

    Linux 2.6.16.20

    chriswright committed Jun 5, 2006
  2. @chriswright

    [PATCH] sbp2: fix check of return value of hpsb_allocate_and_register…

    …_addrspace
    
    I added a failure check in patch "sbp2: variable status FIFO address
    (fix login timeout)" --- alas for a wrong error value.  This is a bug
    since Linux 2.6.16.  Leads to NULL pointer dereference if the call
    failed, and bogus failure handling if call succeeded.
    
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Stefan Richter committed with chriswright Jun 3, 2006
  3. @chriswright

    [PATCH] sbp2: backport read_capacity workaround for iPod

    There is a firmware bug in several Apple iPods which prevents access to
    these iPods under certain conditions. The disk size reported by the iPod
    is one sector too big. Once access to the end of the disk is attempted,
    the iPod becomes inaccessible. This problem has been known for USB iPods
    for some time and has recently been discovered to exist with
    FireWire/USB combo iPods too.
    
    This patch is derived from the fix in Linux 2.6.17, commit
    e9a1c52, to be applicable to 2.6.16.x
    without prerequisite patches. It hard-wires a workaround for three known
    affected model numbers (those of 4th generation iPod, iPod Photo, iPod
    mini).
    
    Note: This patch lacks Linux 2.6.17's ability to enable and disable the
    workaround via a module parameter.
    
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Stefan Richter committed with chriswright Jun 2, 2006
  4. @chriswright

    [PATCH] x86_64: Don't do syscall exit tracing twice

    This fixes a regression from the earlier DOS fix for non canonical
    IRET addresses. It broke UML.
    
    int_ret_from_syscall already does syscall exit tracing, so
    no need to do it again in the caller.
    
    This caused problems for UML and some other special programs doing
    syscall interception.
    
    Signed-off-by: Andi Kleen <ak@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Andi Kleen committed with chriswright Jun 1, 2006