Commits on Jan 21, 2008
  1. Linux 2.6.16.60-rc1

    Adrian Bunk authored
  2. NFS: call nfs_wb_all() only on regular files

    Trond Myklebust authored Adrian Bunk committed
    It looks like nfs_setattr() and nfs_rename() also need to test whether the
    target is a regular file before calling nfs_wb_all()...
    
    It isn't technically needed since the version of nfs_wb_all() that exists
    on 2.6.16 should be safe to call on non-regular files (it will be a no-op).
    However it is a useful optimisation.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  3. NFS: writes should not clobber utimes() calls

    Trond Myklebust authored Adrian Bunk committed
    Ensure that we flush out writes in the case when someone calls utimes() in
    order to set the file times.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  4. vfs: coredumping fix (CVE-2007-6206)

    Ingo Molnar authored Adrian Bunk committed
    fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043
    
    only allow coredumping to the same uid that the coredumping
    task runs under.
    
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  5. I4L: fix isdn_ioctl memory overrun vulnerability (CVE-2007-6151)

    Karsten Keil authored Adrian Bunk committed
    Fix possible memory overrun issue in the isdn ioctl code.
    
    Found by ADLAB <adlab@venustech.com.cn>
    
    Signed-off-by: Karsten Keil <kkeil@suse.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  6. isdn: avoid copying overly-long strings (CVE-2007-6063)

    Karsten Keil authored Adrian Bunk committed
    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9416
    
    Signed-off-by: Karsten Keil <kkeil@suse.de>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  7. [NET]: Generic checksum annotations and cleanups.

    Al Viro authored Adrian Bunk committed
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  8. drivers/scsi/BusLogic.c: #ifdef MODULE BusLogic_pci_tbl[]

    Adrian Bunk authored
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  9. [BusLogic] Add pci dev table for auto module loading.

    benmcollins authored Adrian Bunk committed
    Signed-off-by: Ben Collins <bcollins@ubuntu.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  10. [ATM]: Check IP header validity in mpc_send_packet

    herbertx authored Adrian Bunk committed
    [ Upstream commit: 1c9b7aa ]
    
    Al went through the ip_fast_csum callers and found this piece of code
    that did not validate the IP header.  While root crashing the machine
    by sending bogus packets through raw or AF_PACKET sockets isn't that
    serious, it is still nice to react gracefully.
    
    This patch ensures that the skb has enough data for an IP header and
    that the header length field is valid.
    
    Adrian Bunk:
    Backported to 2.6.16 following instructions by David Miller.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
Commits on Jan 20, 2008
  1. [IPV4] ROUTE: ip_rt_dump() is unecessary slow

    Eric Dumazet authored Adrian Bunk committed
    [ Upstream commit: d8c9283 ]
    
    I noticed "ip route list cache x.y.z.t" can be *very* slow.
    
    While strace-ing -T it I also noticed that first part of route cache
    is fetched quite fast :
    
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
    GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) =
    +3772 <0.000047>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\
    202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0)
    += 3736 <0.000042>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\
    202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0)
    += 3740 <0.000055>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\
    202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0)
    += 3712 <0.000043>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\
    202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0)
    += 3732 <0.000053>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
    GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) =
    +3708 <0.000052>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202
    GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) =
    +3680 <0.000041>
    
    while the part at the end of the table is more expensive:
    
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"...,
    +16384}], msg_controllen=0, msg_flags=0}, 0) = 3656 <0.003857>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"...,
    +16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.003891>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"...,
    +16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.003765>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"...,
    +16384}], msg_controllen=0, msg_flags=0}, 0) = 3700 <0.003879>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"...,
    +16384}], msg_controllen=0, msg_flags=0}, 0) = 3676 <0.003797>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"...,
    +16384}], msg_controllen=0, msg_flags=0}, 0) = 3724 <0.003856>
    recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
    +msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"...,
    +16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.003848>
    
    The following patch corrects this performance/latency problem,
    removing quadratic behavior.
    
    Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  2. [NET]: Introduce types for checksums.

    Al Viro authored Adrian Bunk committed
    New types - for 16bit checksums and "unfolded" 32bit variant.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  3. [CASSINI]: Set skb->truesize properly on receive packets.

    davem330 authored Adrian Bunk committed
    [ Upstream commit: d011a23 ]
    
    skb->truesize was not being incremented at all to
    reflect the page based data added to RX SKBs.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  4. [CASSINI]: Fix endianness bug.

    Al Viro authored Adrian Bunk committed
    [ Upstream commit: e5e0254 ]
    
    Here's proposed fix for RX checksum handling in cassini; it affects
    little-endian working with half-duplex gigabit, but obviously needs
    testing on big-endian too.
    
    The problem is, we need to convert checksum to fixed-endian *before*
    correcting for (unstripped) FCS.  On big-endian it won't matter
    (conversion is no-op), on little-endian it will, but only if FCS is
    not stripped by hardware; i.e. in half-duplex gigabit mode when
    ->crc_size is set.
    
    cassini.c part is that fix, cassini.h one consists of trivial
    endianness annotations.  With that applied the sucker is endian-clean,
    according to sparse.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  5. [ATM]: [nicstar] delay irq setup until card is configured

    Chas Williams authored Adrian Bunk committed
    [ Upstream commit: 5296195 ]
    
    Adrian Bunk:
    Backported to 2.6.16.
    
    Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  6. raw: don't allow the creation of a raw device with minor number 0

    JeffMoyer authored Adrian Bunk committed
    Minor number 0 (under the raw major) is reserved for the rawctl device
    file, which is used to query, set, and unset raw device bindings.  However,
    the ioctl interface does not protect the user from specifying a raw device
    with minor number 0:
    
    $ sudo ./raw /dev/raw/raw0 /dev/VolGroup00/swap
    /dev/raw/raw0:  bound to major 253, minor 2
    $ ls -l /dev/rawctl
    ls: /dev/rawctl: No such file or directory
    $ ls -l /dev/raw/raw0
    crw------- 1 root root 162, 0 Jan 12 10:51 /dev/raw/raw0
    $ sudo ./raw -qa
    Cannot open master raw device '/dev/rawctl' (No such file or directory)
    
    As you can see, this prevents any further raw operations from
    succeeding.  The fix (from Steve Fernandez) is quite simple - do not
    allow the allocation of minor number 0.
    
    Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
Commits on Jan 19, 2008
  1. Linux 2.6.16.59

    Adrian Bunk authored
Commits on Jan 16, 2008
  1. Linux 2.6.16.59-rc1

    Adrian Bunk authored
  2. wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)

    Roland McGrath authored Adrian Bunk committed
    patch a347422 in mainline
    
    The original meaning of the old test (p->state > TASK_STOPPED) was
    "not dead", since it was before TASK_TRACED existed and before the
    state/exit_state split.  It was a wrong correction in commit
    14bf01b to make this test for
    TASK_TRACED instead.  It should have been changed when TASK_TRACED
    was introduced and again when exit_state was introduced.
    
    Signed-off-by: Roland McGrath <roland@redhat.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  3. limit minixfs printks on corrupted dir i_size (CVE-2006-6058)

    Eric Sandeen authored Adrian Bunk committed
    First reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html
    
    Essentially a corrupted minix dir inode reporting a very large
    i_size will loop for a very long time in minix_readdir, minix_find_entry,
    etc, because on EIO they just move on to try the next page.  This is
    under the BKL, printk-storming as well.  This can lock up the machine
    for a very long time.  Simply ratelimiting the printks gets things back
    under control.  Make the message a bit more informative while we're here.
    
    Adrian Bunk:
    Backported to 2.6.16.
    
    Signed-off-by: Eric Sandeen <sandeen@redhat.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  4. fix messages in fs/minix

    Denis Vlasenko authored Adrian Bunk committed
    Believe it or not, but in fs/minix/*, the oldest filesystem in the kernel,
    something still can be fixed:
    
        printk("new_inode: bit already set");
    
    "\n" is missing!
    
    While at it, I also removed periods from the end of error messages and made
    capitalization uniform.  Also s/i-node/inode/, s/printk (/printk(/
    
    Signed-off-by: Denis Vlasenko <vda@ilport.com.ua>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
Commits on Jan 15, 2008
  1. Use access mode instead of open flags to determine needed permissions (CVE-2008-0001)

    torvalds authored Adrian Bunk committed
    patch 974a9f0 in mainline
    
    Way back when (in commit 834f2a4, aka
    "VFS: Allow the filesystem to return a full file pointer on open intent"
    to be exact), Trond changed the open logic to keep track of the original
    flags to a file open, in order to pass down the intent of a dentry
    lookup to the low-level filesystem.
    
    However, when doing that reorganization, it changed the meaning of
    namei_flags, and thus inadvertently changed the test of access mode for
    directories (and RO filesystem) to use the wrong flag.  So fix those
    tests back to use access mode ("acc_mode") rather than the open flag
    ("flag").
    
    Issue noticed by Bill Roman at Datalight.
    
    Reported-and-tested-by: Bill Roman <bill.roman@datalight.com>
    Acked-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  2. [IPSEC]: Avoid undefined shift operation when testing algorithm ID

    herbertx authored Adrian Bunk committed
    [ Upstream commit: f398035 ]
    
    The aalgos/ealgos fields are only 32 bits wide.  However, af_key tries
    to test them with the expression 1 << id where id can be as large as
    253.  This produces different behaviour on different architectures.
    
    The following patch explicitly checks whether ID is greater than 31
    and fails the check if that's the case.
    
    We cannot easily extend the mask to be longer than 32 bits due to
    exposure to user-space.  Besides, this whole interface is obsolete
    anyway in favour of the xfrm_user interface which doesn't use this
    bit mask in templates (well not within the kernel anyway).
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
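
The check described in the commit above, as an added example that is not the kernel's code: `shl_x86` and `shl_arm` are hypothetical models of how two CPU families treat an out-of-range shift count (the C expression itself is undefined), and the mask value is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* "1 << id" with id >= 32 is undefined in C. These two helpers spell out
 * what common hardware does with the count, so the divergence can be shown
 * without invoking undefined behaviour. Both are illustrative models. */
static uint32_t shl_x86(unsigned id)   /* shift count masked to 5 bits */
{
    return 1u << (id & 31);
}

static uint32_t shl_arm(unsigned id)   /* low byte of count; >= 32 gives 0 */
{
    id &= 0xff;
    return id >= 32 ? 0 : 1u << id;
}

/* Unchecked membership test: the result depends on the shift model. */
static int allowed_unchecked(uint32_t mask, unsigned id,
                             uint32_t (*shl)(unsigned))
{
    return (mask & shl(id)) != 0;
}

/* Checked test: an ID that cannot be represented in a 32-bit mask
 * fails the check before any shift is evaluated. */
static int allowed_checked(uint32_t mask, unsigned id)
{
    if (id > 31)
        return 0;
    return (mask & (1u << id)) != 0;
}

int main(void)
{
    uint32_t mask = 1u << 29;   /* constructed: only algorithm 29 permitted */
    unsigned id = 253;          /* largest ID the commit message mentions */

    printf("unchecked, x86 model: %d\n", allowed_unchecked(mask, id, shl_x86));
    printf("unchecked, arm model: %d\n", allowed_unchecked(mask, id, shl_arm));
    printf("checked:              %d\n", allowed_checked(mask, id));
    printf("checked, id 29:       %d\n", allowed_checked(mask, 29));
    return 0;
}
```

With the 5-bit masking model, ID 253 aliases to bit 29 and is accepted against a mask that only permits algorithm 29; the range check rejects it on every architecture.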
  3. [IRDA]: irda_create() nuke user triggable printk

    brainflux authored Adrian Bunk committed
    [ Upstream commit: 9e8d6f8 ]
    
    easy to trigger as user with sfuzz.
    
    irda_create() is quiet on unknown sock->type,
    match this behaviour for SOCK_DGRAM unknown protocol
    
    Signed-off-by: Maximilian Attems <max@stro.at>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  4. [INET]: Fix netdev renaming and inet address labels

    markmc authored Adrian Bunk committed
    [ Upstream commit: 44344b2 ]
    
    When re-naming an interface, the previous secondary address
    labels get lost e.g.
    
      $> brctl addbr foo
      $> ip addr add 192.168.0.1 dev foo
      $> ip addr add 192.168.0.2 dev foo label foo:00
      $> ip addr show dev foo | grep inet
        inet 192.168.0.1/32 scope global foo
        inet 192.168.0.2/32 scope global foo:00
      $> ip link set foo name bar
      $> ip addr show dev bar | grep inet
        inet 192.168.0.1/32 scope global bar
        inet 192.168.0.2/32 scope global bar:2
    
    Turns out to be a simple thinko in inetdev_changename() - clearly we
    want to look at the address label, rather than the device name, for
    a suffix to retain.
    
    Signed-off-by: Mark McLoughlin <markmc@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  5. [IPV4] raw: Strengthen check on validity of iph->ihl

    herbertx authored Adrian Bunk committed
    [ Upstream commit: f844c74 ]
    
    We currently check that iph->ihl is bounded by the real length and that
    the real length is greater than the minimum IP header length.  However,
    we did not check the case where iph->ihl is less than the minimum IP
    header length.
    
    This breaks because some ip_fast_csum implementations assume that which
    is quite reasonable.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
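
The header checks named in this commit and in the earlier mpc_send_packet commit (enough data for an IP header, and a header length field that is neither below the minimum nor beyond the buffer), as an added user-space example that is not the kernel's code. All function names are hypothetical and the sample header is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MIN_HDR_WORDS 5          /* minimum IPv4 header: 5 x 32-bit words */

/* Returns the header length in bytes, or -1 if the header must not be
 * handed to a checksum routine. */
static int ip_hdr_len_checked(const uint8_t *pkt, size_t len)
{
    unsigned ihl;

    if (len < IP_MIN_HDR_WORDS * 4)     /* not enough data for a header */
        return -1;
    ihl = pkt[0] & 0x0f;                /* low nibble of first byte */
    if (ihl < IP_MIN_HDR_WORDS)         /* below the minimum header length */
        return -1;
    if ((size_t)ihl * 4 > len)          /* claims more than the buffer holds */
        return -1;
    return (int)(ihl * 4);
}

/* Portable one's-complement sum over the header; 0 means it verifies.
 * Only called with a length that passed the checks above. */
static uint16_t ip_hdr_csum(const uint8_t *pkt, int hdr_len)
{
    uint32_t sum = 0;

    for (int i = 0; i < hdr_len; i += 2)
        sum += ((uint32_t)pkt[i] << 8) | pkt[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static int ip_hdr_ok(const uint8_t *pkt, size_t len)
{
    int hl = ip_hdr_len_checked(pkt, len);
    return hl > 0 && ip_hdr_csum(pkt, hl) == 0;
}

/* Constructed 20-byte header with a valid checksum (0xb861). */
static const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7
};

/* Copy the sample, overwrite version/ihl, and run the length check. */
static int check_variant(uint8_t first_byte, size_t len)
{
    uint8_t buf[sizeof(sample_hdr)];

    memcpy(buf, sample_hdr, sizeof(buf));
    buf[0] = first_byte;
    return ip_hdr_len_checked(buf, len);
}

int main(void)
{
    printf("valid header ok: %d\n", ip_hdr_ok(sample_hdr, sizeof(sample_hdr)));
    printf("ihl=4:           %d\n", check_variant(0x44, 20));
    printf("ihl=15, len=20:  %d\n", check_variant(0x4f, 20));
    printf("ihl=5, len=19:   %d\n", check_variant(0x45, 19));
    return 0;
}
```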
  6. CONNECTOR: don't touch queue dev after decrement of ref count

    Li Zefan authored Adrian Bunk committed
    cn_queue_free_callback() will touch 'dev'(i.e. cbq->pdev),
    so it should be called before atomic_dec(&dev->refcnt).
    
    Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  7. [NET] kaweth was forgotten in msec switchover of usb_start_wait_urb

    Russ Dill authored Adrian Bunk committed
    Back in 2.6.12-pre, usb_start_wait_urb was switched over to take
    milliseconds instead of jiffies. kaweth.c was never updated to match.
    
    Signed-off-by: Russ Dill <Russ.Dill@asu.edu>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  8. [SPARC64]: Fix endless loop in cheetah_xcall_deliver().

    davem330 authored Adrian Bunk committed
    [ Upstream commit: 0de56d1 ]
    
    We need to mask out the proper bits when testing the dispatch status
    register else we can see unrelated NACK bits from previous cross call
    sends.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  9. [IPV6]: Restore IPv6 when MTU is big enough

    Evgeniy Polyakov authored Adrian Bunk committed
    [ Upstream commit: d31c7b8 ]
    
    Avaid provided test application, so bug got fixed.
    
    IPv6 addrconf removes ipv6 inner device from netdev each time mtu
    changes and new value is less than IPV6_MIN_MTU (1280 bytes).
    When mtu is changed and new value is greater than IPV6_MIN_MTU,
    it does not add ipv6 addresses and inner device back.
    
    This patch fixes that.
    
    Tested with Avaid's application, which works ok now.
    
    Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  10. struct input_device_id mustn't be userspace visible

    Adrian Bunk authored
    struct input_device_id mustn't be userspace visible since
    it uses kernel_ulong_t.
    
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
Commits on Jan 6, 2008
  1. missing dma_sync_single_range_for_{cpu,device} on alpha

    Al Viro authored Adrian Bunk committed
    no-op as all dma_sync_... there.
    
    Adrian Bunk:
    Backported to 2.6.16.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  2. include/asm-alpha/io_trivial.h build fixes

    Ivan Kokshaysky authored Adrian Bunk committed
    This patch cherry picks the following from
    commit 9548b20:
    
    fix build failure with gcc-4.2.x: fix up casts in cia_io* routines to avoid
    warnings ('discards qualifiers from pointer target type'), which are
    failures, thanks to -Werror;
    
    Signed-off-by: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
    Signed-off-by: Adrian Bunk <bunk@kernel.org>
  3. Linux 2.6.16.58

    Adrian Bunk authored
  4. Linux 2.6.16.58-rc1

    Adrian Bunk authored