Commits on Oct 19, 2007
  1. Linux 2.6.16.56-rc1

    Adrian Bunk committed Oct 19, 2007
  2. Don't allow the stack to grow into hugetlb reserved regions (CVE-2007-3739)
    
    When expanding the stack, we don't currently check if the VMA will cross
    into an area of the address space that is reserved for hugetlb pages.
    Subsequent faults on the expanded portion of such a VMA will confuse the
    low-level MMU code, resulting in an OOPS.  Check for this.
    
    Signed-off-by: Adam Litke <agl@us.ibm.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Adam Litke committed with Adrian Bunk Oct 19, 2007
  3. drivers/video/macmodes.c:mac_find_mode() mustn't be __init

    If it's EXPORT_SYMBOL'ed it can't be __devinit.
    
    Reported by Mikael Pettersson.
    
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Adrian Bunk committed Oct 19, 2007
  4. hugetlb: fix prio_tree unit (CVE-2007-4133)

    hugetlb_vmtruncate_list was misconverted to prio_tree: its prio_tree is in
    units of PAGE_SIZE (PAGE_CACHE_SIZE) like any other, not HPAGE_SIZE (whereas
    its radix_tree is kept in units of HPAGE_SIZE, otherwise slots would be
    absurdly sparse).
    
    At first I thought the error benign, just calling __unmap_hugepage_range on
    more vmas than necessary; but on 32-bit machines, when the prio_tree is
    searched correctly, it happens to ensure the v_offset calculation won't
    overflow.  As it stood, when truncating at or beyond 4GB, it was liable to
    discard pages COWed from lower offsets; or even to clear pmd entries of
    preceding vmas, triggering exit_mmap's BUG_ON(nr_ptes).
    
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Hugh Dickins committed with Adrian Bunk Oct 19, 2007
  5. hugetlbfs: add Kconfig help text

    In kernel bugzilla #6248 (http://bugzilla.kernel.org/show_bug.cgi?id=6248),
    Adrian Bunk <bunk@stusta.de> notes that CONFIG_HUGETLBFS is missing Kconfig
    help text.
    
    Signed-off-by: Arthur Othieno <apgo@patchbomb.org>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Arthur Othieno committed with Adrian Bunk Oct 19, 2007
  6. hugetlbfs doc. update

    Fix typos, spelling, etc., in Doc/vm/hugetlbpage.txt.
    
    Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Randy Dunlap committed with Adrian Bunk Oct 19, 2007
Commits on Oct 18, 2007
  1. x86: HUGETLBFS and DEBUG_PAGEALLOC are incompatible

    DEBUG_PAGEALLOC is not compatible with hugetlb page support.  That debug
    option turns off PSE.  Once it is turned off in CR4, the cpu will ignore the
    pse bit in the pmd, causing infinite page-not-present faults.
    
    So disable DEBUG_PAGEALLOC if the user selected hugetlbfs.
    
    Signed-off-by: Ken Chen <kenneth.w.chen@intel.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Ken Chen committed with Adrian Bunk Oct 19, 2007
  2. [IA64] lazy_mmu_prot_update needs to be aware of huge pages

    Function lazy_mmu_prot_update is also used on huge pages when it is called
    by set_huge_ptep_writable, but it isn't aware of huge pages.
    
    Signed-off-by: Zhang Yanmin <yanmin.zhang@intel.com>
    Acked-by: Ken Chen <kenneth.w.chen@intel.com>
    Signed-off-by: Tony Luck <tony.luck@intel.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Zhang Yanmin committed with Adrian Bunk Oct 19, 2007
  3. SELinux: clear parent death signal on SID transitions

    Clear parent death signal on SID transitions to prevent unauthorized
    signaling between SIDs.
    
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Acked-by: Eric Paris <eparis@parisplace.org>
    Signed-off-by: James Morris <jmorris@localhost.localdomain>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    stephensmalley committed with Adrian Bunk Oct 19, 2007
  4. make UML compile (FC6/x86-64)

    I need this patch to get a UML kernel to compile.  This is with the
    kernel headers in FC6 which are automatically generated from the kernel
    tree.  Some headers are missing but those files don't need them.  At
    least it appears so since the resulting kernel works fine.
    
    Tested on x86-64.
    
    Signed-off-by: Ulrich Drepper <drepper@redhat.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Ulrich Drepper committed with Adrian Bunk Oct 18, 2007
  5. DVB: get_dvb_firmware: update script for new location of tda10046 firmware
    
    cherry picked from commit c545d6a
    
    Update get_dvb_firmware script for the new location of the
    tda10046 firmware.
    
    The old location doesn't work anymore.
    
    Signed-off-by: Andreas Arens <ari@goron.de>
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Andreas Arens committed with Adrian Bunk Oct 18, 2007
  6. DVB: get_dvb_firmware: update script for new location of sp8870 firmware

    cherry picked from commit 302170a
    
    get_dvb_firmware: update script for new location of sp8870 firmware
    
    This url is no longer valid:
    http://www.technotrend.de/new/217g/tt_Premium_217g.zip
    
    Replace with:
    http://www.softwarepatch.pl/9999ccd06a4813cb827dbb0005071c71/tt_Premium_217g.zip
    
    Thanks-to: Tobias Stoeber <tobi@to-st.de>
    
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    mkrufky committed with Adrian Bunk Oct 18, 2007
  7. alpha: fix epoll syscall enumerations

    We went and named them __NR_sys_foo instead of __NR_foo.
    
    It may be too late to change this, but we can at least add the proper names
    now.
    
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    vapier committed with Adrian Bunk Oct 18, 2007
  8. m68knommu: ptrace.h typo fix

    Signed-off-by: Jan Altenberg <tb10alj@tglx.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Jan Altenberg committed with Adrian Bunk Oct 18, 2007
  9. [TCP]: Fix fastpath_cnt_hint when GSO skb is partially ACKed

    When only GSO skb was partially ACKed, no hints are reset,
    therefore fastpath_cnt_hint must be tweaked too or else it can
    corrupt fackets_out. For the corruption to occur, one must have a
    non-trivial ACK/SACK sequence, so this bug is not very often
    that harmful. There's a fackets_out state reset in TCP because
    fackets_out is known to be inaccurate and that fixes the issue
    eventually anyway.
    
    In case there was also at least one skb that got fully ACKed,
    the fastpath_skb_hint is set to NULL which causes a recount for
    fastpath_cnt_hint (the old value won't be accessed anymore),
    thus it can safely be decremented without additional checking.
    
    Reported by Cedric Le Goater <clg@fr.ibm.com>
    
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Ilpo Järvinen committed with Adrian Bunk Oct 18, 2007
  10. [SPARC64]: Fix bugs in SYSV IPC handling in 64-bit processes.

    Thanks to Tom Callaway for the excellent bug report and
    test case.
    
    sys_ipc() has several problems, most to do with semaphore
    call handling:
    
    1) 'err' return should be a 'long'
    2) "union semun" is passed in a register on 64-bit compared
       to 32-bit which provides it on the stack and therefore
       by reference
    3) Second and third arguments to SEMCTL are swapped compared
       to 32-bit.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    davem330 committed with Adrian Bunk Oct 18, 2007
  11. [NET]: Zero length write() on socket should not simply return 0.

    This fixes kernel bugzilla #5731
    
    It should generate an empty packet for datagram protocols when the
    socket is connected, for one.
    
    The check is doubly-wrong because all that a write() can be is a
    sendmsg() call with a NULL msg_control and a single entry iovec.  No
    special semantics should be assigned to it, therefore the zero length
    check should be removed entirely.
    
    This matches the behavior of BSD and several other systems.
    
    Alan Cox notes that SuSv3 says the behavior of a zero length write on
    non-files is "unspecified", but that's kind of useless since BSD has
    defined this behavior for a quarter century and BSD is essentially
    what application folks code to.
    
    Based upon a patch from Stephen Hemminger.
    
    Adrian Bunk:
    Backported to 2.6.16.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    davem330 committed with Adrian Bunk Oct 18, 2007
  12. [PKT_SCHED] cls_u32: error code isn't being propagated properly

    Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Stephen Hemminger committed with Adrian Bunk Oct 18, 2007
  13. [POWERPC] Fix handling of stfiwx math emulation

    It's legal for the stfiwx instruction to have RA = 0 as part of its
    effective address calculation.  This is illegal for all other XE
    form instructions.
    
    Add code to compute the proper effective address for stfiwx if
    RA = 0 rather than treating it as illegal.
    
    Adrian Bunk:
    Backported to 2.6.16.
    
    Signed-off-by: Kumar Gala <galak@kernel.crashing.org>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    kumargala committed with Adrian Bunk Oct 18, 2007
  14. [PKT_SCHED] RED: Fix overflow in calculation of queue average

    Overflow can occur very easily with 32 bits, e.g., with 1 second
    us_idle is approx. 2^20, which leaves only 11-Wlog bits for queue
    length. Since the EWMA exponent is typically around 9, queue
    lengths larger than 2^2 cause overflow. Whether the affected
    branch is taken when us_idle is as high as 1 second, depends on
    Scell_log, but with rather reasonable configuration Scell_log is
    large enough to cause p->Stab to have zero index, which always
    results in zero shift (typically also a few other small indices result
    in zero shift).
    
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Ilpo Järvinen committed with Adrian Bunk Oct 18, 2007
Commits on Oct 12, 2007
  1. Linux 2.6.16.55

    Adrian Bunk committed Oct 12, 2007
  2. Revert "TCP: Fix TCP handling of SACK in bidirectional flows"

    This reverts commit 3198d0f.
    Adrian Bunk committed Oct 12, 2007
Commits on Oct 7, 2007
  1. Linux 2.6.16.55-rc1

    Adrian Bunk committed Oct 7, 2007
  2. Convert snd-page-alloc proc file to use seq_file (CVE-2007-4571)

    Commit ccec6e2 in mainline.
    
    Use seq_file for the proc file read/write of snd-page-alloc module.
    This automatically fixes bugs in the old proc code.
    
    Adrian Bunk:
    Backported to 2.6.16.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    tiwai committed with Adrian Bunk Oct 7, 2007
Commits on Oct 6, 2007
  1. snd_mem_proc_read(): convert to list_for_each_entry*

    Stolen from a patch by Johannes Berg <johannes@sipsolutions.net>.
    
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Adrian Bunk committed Oct 7, 2007
  2. sysfs: store sysfs inode nrs in s_ino to avoid readdir oopses (CVE-2007-3104)
    
    Backport of
    ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.22-rc1/2.6.22-rc1-mm1/broken-out/gregkh-driver-sysfs-allocate-inode-number-using-ida.patch
    
    For regular files in sysfs, sysfs_readdir wants to traverse
    sysfs_dirent->s_dentry->d_inode->i_ino to get to the inode number.
    But, the dentry can be reclaimed under memory pressure, and there is
    no synchronization with readdir.  This patch follows Tejun's scheme of
    allocating and storing an inode number in the new s_ino member of a
    sysfs_dirent, when dirents are created, and retrieving it from there
    for readdir, so that the pointer chain doesn't have to be traversed.
    
    Tejun's upstream patch uses a new-ish "ida" allocator which brings
    along some extra complexity; this -stable patch has a brain-dead
    incrementing counter which does not guarantee uniqueness, but because
    sysfs doesn't hash inodes as iunique expects, uniqueness wasn't
    guaranteed today anyway.
    
    Adrian Bunk:
    Backported to 2.6.16.
    
    Signed-off-by: Eric Sandeen <sandeen@redhat.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Eric Sandeen committed with Adrian Bunk Oct 7, 2007
  3. random: fix bound check ordering (CVE-2007-3105)

    If root raised the default wakeup threshold over the size of the
    output pool, the pool transfer function could overflow the stack with
    RNG bytes, causing a DoS or potential privilege escalation.
    
    (Bug reported by the PaX Team <pageexec@freemail.hu>)
    
    Signed-off-by: Matt Mackall <mpm@selenic.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Matt Mackall committed with Adrian Bunk Oct 7, 2007
  4. random: fix seeding with zero entropy (CVE-2007-2453 2 of 2)

    Add data from zero-entropy random_writes directly to output pools to
    avoid accounting difficulties on machines without entropy sources.
    
    Tested on lguest with all entropy sources disabled.
    
    Signed-off-by: Matt Mackall <mpm@selenic.com>
    Acked-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Matt Mackall committed with Adrian Bunk Oct 7, 2007
  5. random: fix error in entropy extraction (CVE-2007-2453 1 of 2)

    Fix cast error in entropy extraction.
    Add comments explaining the magic 16.
    Remove extra confusing loop variable.
    
    Signed-off-by: Matt Mackall <mpm@selenic.com>
    Acked-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Matt Mackall committed with Adrian Bunk Oct 7, 2007
  6. Reset current->pdeath_signal on SUID binary execution (CVE-2007-3848)

    This fixes a vulnerability in the "parent process death signal"
    implementation discovered by Wojciech Purczynski of COSEINC PTE Ltd.
    and iSEC Security Research.
    
    http://marc.info/?l=bugtraq&m=118711306802632&w=2
    
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    holtmann committed with Adrian Bunk Oct 7, 2007
  7. fix buffer overflow in the moxa driver (CVE-2005-0504)

    Signed-off-by: Dann Frazier <dannf@hp.com>
    Signed-off-by: Andres Salomon <dilinger@debian.org>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Dann Frazier committed with Adrian Bunk Oct 6, 2007
  8. [POWERPC] Flush registers to proper task context

    When we flush register state for FP, Altivec, or SPE in flush_*_to_thread
    we need to respect the task_struct that the caller has passed to us.
    
    Most cases we are called with current, however sometimes (ptrace) we may
    be passed a different task_struct.
    
    This showed up when using gdbserver debugging a simple program that used
    floating point. When gdb tried to show the FP regs they all showed up as 0,
    because the child's FP registers were never properly flushed to memory.
    
    Signed-off-by: Kumar Gala <galak@kernel.crashing.org>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    kumargala committed with Adrian Bunk Oct 6, 2007
  9. x86_64: Zero extend all registers after ptrace in 32bit entry path (CVE-2007-4573)
    
    Strictly it's only needed for eax.
    
    It actually does a little more than strictly needed -- the other registers
    are already zero extended.
    
    Also remove the now unnecessary and non functional compat task check
    in ptrace.
    
    Found by Wojciech Purczynski
    
    Signed-off-by: Andi Kleen <ak@suse.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Andi Kleen committed with Adrian Bunk Oct 6, 2007
  10. unexport ip_conntrack_{,un}register_notifier

    Static functions mustn't be exported.
    
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Adrian Bunk committed Oct 6, 2007
  11. sound/core/pcm_lib.c: don't export static functions

    Static functions mustn't be exported.
    
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
    Adrian Bunk committed Oct 6, 2007