Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Commits on Nov 7, 2006
  1. @AdrianBunk

    Linux 2.6.16.31

    AdrianBunk authored
Commits on Nov 5, 2006
  1. @AdrianBunk

    Linux 2.6.16.31-rc1

    AdrianBunk authored
  2. @kaber @AdrianBunk

    [NETFILTER]: Fix ip6_tables extension header bypass bug (CVE-2006-4572)

    kaber authored AdrianBunk committed
    As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
    to a fragmentation attack causing false negatives on extension header
    matches.
    
    When extension headers occur in the non-first fragment after the fragment
    header (possibly with an incorrect nexthdr value in the fragment header)
    a rule looking for this extension header will never match.
    
    Drop fragments that are at offset 0 and don't contain the final protocol
    header regardless of the ruleset, since this should not happen normally.
    Since all extension headers are before the protocol header this makes sure
    an extension header is either not present or in the first fragment, where
    we can properly parse it.
    
    With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  3. @kaber @AdrianBunk

    [NETFILTER]: Fix ip6_tables protocol bypass bug (CVE-2006-4572)

    kaber authored AdrianBunk committed
    As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
    to a fragmentation attack causing false negatives on protocol matches.
    
    When the protocol header doesn't follow the fragment header immediately,
    the fragment header contains the protocol number of the next extension
    header. When the extension header and the protocol header are sent in
    a second fragment a rule like "ip6tables .. -p udp -j DROP" will never
    match.
    
    Drop fragments that are at offset 0 and don't contain the final protocol
    header regardless of the ruleset, since this should not happen normally.
    
    With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  4. @neilbrown @AdrianBunk

    knfsd: Fix race that can disable NFS server.

    neilbrown authored AdrianBunk committed
    This is a long standing bug that seems to have only recently become
    apparent, presumably due to increasing use of NFS over TCP - many
    distros seem to be making it the default.
    
    The SK_CONN bit gets set when a listening socket may be ready
    for an accept, just as SK_DATA is set when data may be available.
    
    It is entirely possible for svc_tcp_accept to be called with neither
    of these set.  It doesn't happen often but there is a small race in
    svc_sock_enqueue as SK_CONN and SK_DATA are tested outside the
    spin_lock.  They could be cleared immediately after the test and
    before the lock is gained.
    
    This normally shouldn't be a problem.  The sockets are non-blocking so
    trying to read() or accept() when ther is nothing to do is not a problem.
    
    However: svc_tcp_recvfrom makes the decision "Should I accept() or
    should I read()" based on whether SK_CONN is set or not.  This usually
    works but is not safe.  The decision should be based on whether it is
    a TCP_LISTEN socket or a TCP_CONNECTED socket.
    
    Signed-off-by: Neil Brown <neilb@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  5. @AdrianBunk

    posix-cpu-timers: prevent signal delivery starvation

    Thomas Gleixner authored AdrianBunk committed
    The integer divisions in the timer accounting code can round the result
    down to 0.  Adding 0 is without effect and the signal delivery stops.
    
    Clamp the division result to minimum 1 to avoid this.
    
    Problem was reported by Seongbae Park <spark@google.com>, who provided
    also an inital patch.
    
    Roland sayeth:
    
      I have had some more time to think about the problem, and to reproduce it
      using Toyo's test case.  For the record, if my understanding of the problem
      is correct, this happens only in one very particular case.  First, the
      expiry time has to be so soon that in cputime_t units (usually 1s/HZ ticks)
      it's < nthreads so the division yields zero.  Second, it only affects each
      thread that is so new that its CPU time accumulation is zero so now+0 is
      still zero and ->it_*_expires winds up staying zero.  For the VIRT and PROF
      clocks when cputime_t is tick granularity (or the SCHED clock on
      configurations where sched_clock's value only advances on clock ticks), this
      is not hard to arrange with new threads starting up and blocking before they
      accumulate a whole tick of CPU time.  That's what happens in Toyo's test
      case.
    
      Note that in general it is fine for that division to round down to zero,
      and set each thread's expiry time to its "now" time.  The problem only
      arises with thread's whose "now" value is still zero, so that now+0 winds up
      0 and is interpreted as "not set" instead of ">= now".  So it would be a
      sufficient and more precise fix to just use max(ticks, 1) inside the loop
      when setting each it_*_expires value.
    
      But, it does no harm to round the division up to one and always advance
      every thread's expiry time.  If the thread didn't already fire timers for
      the expiry time of "now", there is no expectation that it will do so before
      the next tick anyway.  So I followed Thomas's patch in lifting the max out
      of the loops.
    
      This patch also covers the reload cases, which are harder to write a test
      for (and I didn't try).  I've tested it with Toyo's case and it fixes that.
    
    [toyoa@mvista.com: fix: min_t -> max_t]
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Roland McGrath <roland@redhat.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  6. @AdrianBunk

    [IPV6]: fix lockup via /proc/net/ip6_flowlabel (CVE-2006-5619)

    James Morris authored AdrianBunk committed
    There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where,
    after finding a flowlabel, the code will loop forever not finding any
    further flowlabels, first traversing the rest of the hash bucket then just
    looping.
    
    This patch fixes the problem by breaking after the hash bucket has been
    traversed.
    
    Note that this bug can cause lockups and oopses, and is trivially invoked
    by an unpriveleged user.
    
    Signed-off-by: James Morris <jmorris@namei.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  7. @AdrianBunk

    ACPI: enable SMP C-states on x86_64

    Shaohua Li authored AdrianBunk committed
    http://bugzilla.kernel.org/show_bug.cgi?id=5653
    
    Signed-off-by: Shaohua Li <shaohua.li@intel.com>
    Signed-off-by: Len Brown <len.brown@intel.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  8. @AdrianBunk

    fix RARP ic_servaddr breakage

    Al Viro authored AdrianBunk committed
    memcpy 4 bytes to address of auto unsigned long variable followed
    by comparison with u32 is a bloody bad idea.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  9. @AdrianBunk

    [S390] fix user readable uninitialised kernel memory, take 2.

    Martin Schwidefsky authored AdrianBunk committed
    The previous patch to correct the copy_from_user padding is quite
    broken. The execute instruction needs to be done via the register %r4,
    not via %r2 and 31 bit doesn't know the instructions lgr and ahji.
    
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  10. @AdrianBunk

    [S390] fix user readable uninitialised kernel memory (CVE-2006-5174)

    Martin Schwidefsky authored AdrianBunk committed
    A user space program can read uninitialised kernel memory
    by appending to a file from a bad address and then reading
    the result back. The cause is the copy_from_user function
    that does not clear the remaining bytes of the kernel
    buffer after it got a fault on the user space address.
    
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
Commits on Nov 2, 2006
  1. @AdrianBunk

    Linux 2.6.16.30

    AdrianBunk authored
Commits on Oct 17, 2006
  1. @AdrianBunk

    Linux 2.6.16.30-rc1

    AdrianBunk authored
  2. @AdrianBunk

    [IA64] correct file descriptor reference counting in perfmon (CVE-200…

    Stephane Eranian authored AdrianBunk committed
    …6-3741)
    
    Fix a bug in sys_perfmonctl() whereby it was not correctly
    decrementing the file descriptor reference count.
    
    Signed-off-by: Stephane Eranian <eranian@hpl.hp.com>
    Signed-off-by: Tony Luck <tony.luck@intel.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
Commits on Oct 14, 2006
  1. @AdrianBunk

    [PPPOE]: Advertise PPPoE MTU

    Michal Ostrowski authored AdrianBunk committed
    PPPoE must advertise the underlying device's MTU via the ppp channel
    descriptor structure, as multilink functionality depends on it.
    
    Signed-off-by: Michal Ostrowski <mostrows@earthlink.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  2. @kinordlu @AdrianBunk

    PKT_SCHED: cls_basic: Use unsigned int when generating handle

    kinordlu authored AdrianBunk committed
    Prevents filters from being added if the first generated
    handle already exists.
    
    Signed-off-by: Kim Nordlund <kim.nordlund@nokia.com>
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  3. @davem330 @AdrianBunk

    [SPARC64]: Kill bogus check from bootmem_init().

    davem330 authored AdrianBunk committed
    There is an ancient and totally incorrect sanity check being
    done on the ramdisk location.  The check assumes that the
    kernel is always loaded to physical address zero, which is
    wrong.  It was trying to validate the ramdisk value by saying that
    if it fell within the kernel image address range it must be wrong.
    
    Anyways, kill this because it actually creates problems.  The
    'ramdisk_image' should always be adjusted down by KERNBASE.
    SILO can easily put the ramdisk in a location which causes
    this test to trigger, breaking things.
    
    [ Based almost entirely upon a patch from Ben Collins. ]
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  4. @davem330 @AdrianBunk

    [SPARC64]: Fix sched_clock() wrapping every ~17 seconds.

    davem330 authored AdrianBunk committed
    Unfortunately, sparc64 doesn't have an easy way to do a "64 X 64 -->
    128" bit multiply like PowerPC and IA64 do.  We were doing a
    "64 X 64 --> 64" bit multiple which causes overflow very quickly with
    a 30-bit quotient shift.
    
    So use a quotientshift count of 10 instead of 30, just like x86 and
    ARM do.
    
    This also fixes the wrapping of printk timestamp values every ~17
    seconds.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  5. @rjwysocki @AdrianBunk

    [CIFS] Allow cifsd to suspend if connection is lost

    rjwysocki authored AdrianBunk committed
    Make cifsd allow us to suspend if it has lost the connection with a server
    
    Ref: http://bugzilla.kernel.org/show_bug.cgi?id=6811
    
    Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
    Signed-off-by: Steve French <sfrench@us.ibm.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  6. @AdrianBunk

    [CIFS] Fix typo in earlier cifs_unlink change and protect one extra p…

    Steve French authored AdrianBunk committed
    …ath.
    
    Since cifs_unlink can also be called from rename path and there
    was one report of oops am making the extra check for null inode.
    
    Signed-off-by: Steve French <sfrench@us.ibm.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  7. @AdrianBunk

    [CIFS] Fix unlink oops when indirectly called in rename error path un…

    Steve French authored AdrianBunk committed
    …der heavy stress.
    
    Signed-off-by: Steve French <sfrench@us.ibm.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  8. @AdrianBunk

    [CIFS] fs/cifs/dir.c: fix possible NULL dereference

    Steve French authored AdrianBunk committed
    Signed-off-by: Steve French <sfrench@us.ibm.com>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
Commits on Oct 13, 2006
  1. @AdrianBunk

    [ATM] CLIP: Do not refer freed skbuff in clip_mkip() (CVE-2006-4997)

    YOSHIFUJI Hideaki authored AdrianBunk committed
    In clip_mkip(), skb->dev is dereferenced after clip_push(),
    which frees up skb.
    
    Advisory: AD_LAB-06009 (<adlab@venustech.com.cn>).
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  2. @olafhering @AdrianBunk

    fbdev: add modeline for 1680x1050@60

    olafhering authored AdrianBunk committed
    Add a modeline for the Philips 200W display.  aty128fb does not do DDC, it
    picks 1920x1440 or similar.  It works ok with nvidiafb because it can ask
    for DDC data.
    
    mode "1680x1050-60"
        # D: 146.028 MHz, H: 65.191 kHz, V: 59.863 Hz
        geometry 1680 1050 1680 1050 16
        timings 6848 280 104 30 3 176 6
        hsync high
        vsync high
        rgba 5/11,6/5,5/0,0/0
    endmode
    
    hwinfo --monitor
    20: None 00.0: 10000 Monitor
    [Created at monitor.206]
      Unique ID: rdCR.pzUFTofo1S4
      Parent ID: 002j.bJRsY88eNSC
      Hardware Class: monitor
      Model: "PHILIPS Philips 200W"
      Vendor: PHL "PHILIPS"
      Device: eisa 0x0832 "Philips 200W"
      Serial ID: "VN  016596"
      Resolution: 720x400@70Hz
      Resolution: 640x480@60Hz
      Resolution: 640x480@67Hz
      Resolution: 640x480@72Hz
      Resolution: 640x480@75Hz
      Resolution: 800x600@56Hz
      Resolution: 800x600@60Hz
      Resolution: 800x600@72Hz
      Resolution: 800x600@75Hz
      Resolution: 832x624@75Hz
      Resolution: 1024x768@60Hz
      Resolution: 1024x768@70Hz
      Resolution: 1024x768@75Hz
      Resolution: 1280x1024@75Hz
      Resolution: 1152x864@70Hz
      Resolution: 1152x864@75Hz
      Resolution: 1280x960@60Hz
      Resolution: 1280x1024@60Hz
      Resolution: 1680x1050@60Hz
      Size: 433x271 mm
      Driver Info #0:
        Max. Resolution: 1680x1050
        Vert. Sync Range: 56-85 Hz
        Hor. Sync Range: 30-93 kHz
      Config Status: cfg=new, avail=yes, need=no, active=unknown
      Attached to: #5 (VGA compatible controller)
    
    Signed-off-by: Olaf Hering <olh@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  3. @AdrianBunk

    sky2: accept flow control

    Stephen Hemminger authored AdrianBunk committed
    Don't program the GMAC to reject flow control packets.
    This maybe the cause of some of the transmit hangs.
    
    Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  4. @AdrianBunk

    sky2: fix fiber support

    Stephen Hemminger authored AdrianBunk committed
    Fix support for fiber based devices.  Needed to keep track of PMD type to
    add workaround in setup. Add support for gigabit half duplex fiber.
    
    Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  5. @AdrianBunk

    sky2: use dev_alloc_skb for receive buffers

    Stephen Hemminger authored AdrianBunk committed
    Several code paths assume an additional 16 bytes of header padding
    on the receive path. Use dev_alloc_skb to get that padding.
    
    Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  6. @AdrianBunk

    v4l/dvb: Backport the budget driver DISEQC instability fix

    Oliver Endriss authored AdrianBunk committed
    Backport the budget driver DISEQC instability fix.
    
    Signed-off-by: Oliver Endriss <o.endriss@gmx.de>
    Signed-off-by: Andrew de Quincey <adq_dvb@lidskialf.net>
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
  7. @AdrianBunk

    v4l/dvb: Backport fix to artec USB DVB devices

    Andrew de Quincey authored AdrianBunk committed
    Backport fix to artec USB DVB devices
    
    Signed-off-by: Andrew de Quincey <adq_dvb@lidskialf.net>
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  8. @AdrianBunk

    v4l/dvb: Fix budget-av frontend detection

    Andrew de Quincey authored AdrianBunk committed
    The budget-av needs this GPIO set low for most cards to work.
    
    Signed-off-by: Andrew de Quincey <adq_dvb@lidskialf.net>
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  9. @AdrianBunk

    dvb-core: Proper handling ULE SNDU length of 0 (CVE-2006-4623)

    Ang Way Chuang authored AdrianBunk committed
    ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
    code has a bug that allows an attacker to send a malformed ULE packet
    with SNDU length of 0 and bring down the receiving machine. This patch
    fix the bug and has been tested on version 2.6.17.11. This bug is 100%
    reproducible and the modified source code (GPL) used to produce this bug
    will be posted on http://nrg.cs.usm.my/downloads.htm shortly.  The
    kernel will produce a dump during CRC32 checking on faulty ULE packet.
    
    Signed-off-by: Ang Way Chuang <wcang@nrg.cs.usm.my>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  10. @AdrianBunk

    IPV6: Sum real space for RTAs.

    YOSHIFUJI Hideaki authored AdrianBunk committed
    This patch fixes RTNLGRP_IPV6_IFINFO netlink notifications.  Issue
    pointed out by Patrick McHardy <kaber@trash.net>.
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Acked-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
  11. @AdrianBunk

    fix fdset leakage

    Kirill Korotaev authored AdrianBunk committed
    When found, it is obvious.  nfds calculated when allocating fdsets is
    rewritten by calculation of size of fdtable, and when we are unlucky, we
    try to free fdsets of wrong size.
    
    Found due to OpenVZ resource management (User Beancounters).
    
    Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
    Signed-off-by: Kirill Korotaev <dev@openvz.org>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
Commits on Sep 22, 2006
  1. @AdrianBunk

    Linux 2.6.16.30-pre1

    AdrianBunk authored
  2. @hvegh @AdrianBunk

    USB: add YEALINK phones to the HID_QUIRK_IGNORE blacklist

    hvegh authored AdrianBunk committed
    Keys on Yealink based phones will not function properly when using the
    generic HID driver. This patch prevents the generic HID code from
    grabbing the device before the regular yealink driver can get a grip on
    it.
    
    Signed-off-by: Henk Vergonet <Henk.Vergonet@gmail.com>
    Signed-off-by: Vojtech Pavlik <vojtech@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
Something went wrong with that request. Please try again.