Commits on Jul 6, 2006
  1. @gregkh

    Linux 2.6.17.4

    gregkh authored
  2. @gregkh

    fix prctl privilege escalation and suid_dumpable (CVE-2006-2451)

    gregkh authored
    Based on a patch from Ernie Petrides
    
    During security research, Red Hat discovered a behavioral flaw in core
    dump handling. A local user could create a program that would cause a
    core file to be dumped into a directory they would not normally have
    permissions to write to. This could lead to a denial of service (disk
    consumption), or allow the local user to gain root privileges.
    
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commits on Jun 30, 2006
  1. @chriswright

    Linux 2.6.17.3

    chriswright authored
  2. @kaber @chriswright

    [PATCH] NETFILTER: SCTP conntrack: fix crash triggered by packet without chunks [CVE-2006-2934]

    kaber authored chriswright committed
    
    When a packet without any chunks is received, the newconntrack variable
    in sctp_packet contains an out of bounds value that is used to look up a
    pointer from the array of timeouts, which is then dereferenced, resulting
    in a crash. Make sure at least a single chunk is present.
    
    Problem noticed by George A. Theall <theall@tenablesecurity.com>
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  3. @chriswright

    Linux 2.6.17.2

    chriswright authored
  4. @rpurdie @chriswright

    [PATCH] Input: return correct size when reading modalias attribute

    rpurdie authored chriswright committed
    Input: return correct size when reading modalias attribute
    
    Signed-off-by: Richard Purdie <rpurdie@rpsys.net>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  5. @chriswright

    [PATCH] idr: fix race in idr code

    Sonny Rao authored chriswright committed
    From: Sonny Rao <sonny@burdell.org>
    
    I ran into a bug where the kernel died in the idr code:
    
    cpu 0x1d: Vector: 300 (Data Access) at [c000000b7096f710]
        pc: c0000000001f8984: .idr_get_new_above_int+0x140/0x330
        lr: c0000000001f89b4: .idr_get_new_above_int+0x170/0x330
        sp: c000000b7096f990
       msr: 800000000000b032
       dar: 0
     dsisr: 40010000
      current = 0xc000000b70d43830
      paca    = 0xc000000000556900
        pid   = 2022, comm = hwup
    1d:mon> t
    [c000000b7096f990] c0000000000d2ad8 .expand_files+0x2e8/0x364 (unreliable)
    [c000000b7096faa0] c0000000001f8bf8 .idr_get_new_above+0x18/0x68
    [c000000b7096fb20] c00000000002a054 .init_new_context+0x5c/0xf0
    [c000000b7096fbc0] c000000000049dc8 .copy_process+0x91c/0x1404
    [c000000b7096fcd0] c00000000004a988 .do_fork+0xd8/0x224
    [c000000b7096fdc0] c00000000000ebdc .sys_clone+0x5c/0x74
    [c000000b7096fe30] c000000000008950 .ppc_clone+0x8/0xc
    -- Exception: c00 (System Call) at 000000000fde887c
    SP (f8b4e7a0) is in userspace
    
    Turned out to be a race-condition and NULL ptr deref, here's my fix:
    
    Users of the idr code are supposed to call idr_pre_get without locking, so the
    idr code must serialize itself with respect to layer allocations.  However, it
    fails to do so in an error path in idr_get_new_above_int().  I added the
    missing locking to fix this.
    
    Signed-off-by: Sonny Rao <sonny@burdell.org>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  6. @antonblanchard @chriswright

    [PATCH] Link error when futexes are disabled on 64bit architectures

    antonblanchard authored chriswright committed
    From: Anton Blanchard <anton@samba.org>
    
    If futexes are disabled we fail to link on ppc64.
    
    Signed-off-by: Anton Blanchard <anton@samba.org>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  7. @chriswright

    [PATCH] kbuild: bugfix with initramfs

    Nickolay authored chriswright committed
    This patch fixes double inclusion of ramfs-input.
    
    Signed-off-by: Nickolay Vinogradov <nickolay@protei.ru>
    Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  8. @chriswright

    [PATCH] ide-io: increase timeout value to allow for slave wakeup

    Al Boldi authored chriswright committed
    During an STR resume cycle, the ide master disk times out when there is
    also a slave present (especially CD).  Increasing the timeout in ide-io
    from 10,000 to 100,000 fixes this problem.
    
    Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
    Cc: Bartlomiej Zolnierkiewicz <B.Zolnierkiewicz@elka.pw.edu.pl>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  9. @htejun @chriswright

    [PATCH] libata: minor patch for ATA_DFLAG_PIO

    htejun authored chriswright committed
    Problem:
     - With 2.6.17 libata, some PIO-only devices are given DMA commands.
    
    Changes:
     - Do not clear the ATA_DFLAG_PIO flag in ata_dev_configure().
    
    Signed-off-by: Tejun Heo <htejun@gmail.com>
    Signed-off-by: Albert Lee <albertcc@tw.ibm.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  10. @chriswright

    [PATCH] ohci1394: Fix broken suspend/resume in ohci1394

    Robert Hancock authored chriswright committed
    I've been experimenting to track down the cause of suspend/resume
    problems on my Compaq Presario X1050 laptop:
    
    http://bugzilla.kernel.org/show_bug.cgi?id=6075
    
    Essentially the ACPI Embedded Controller and keyboard controller would
    get into a bizarre, confused state after resume.
    
    I found that unloading the ohci1394 module before suspend and reloading
    it after resume made the problem go away. Diffing the dmesg output from
    resume, with and without the module loaded, I found that with the module
    loaded I was missing these:
    
    PM: Writing back config space on device 0000:02:00.0 at offset 1. (Was
    2100080, writing 2100007)
    PM: Writing back config space on device 0000:02:00.0 at offset 3. (Was
    0, writing 8008)
    PM: Writing back config space on device 0000:02:00.0 at offset 4. (Was
    0, writing 90200000)
    PM: Writing back config space on device 0000:02:00.0 at offset 5. (Was
    1, writing 2401)
    PM: Writing back config space on device 0000:02:00.0 at offset f. (Was
    20000100, writing 2000010a)
    
    The default PCI driver performs the pci_restore_state when no driver is
    loaded for the device. When the ohci1394 driver is loaded, it is
    supposed to do this, however it appears not to do so.
    
    I created the patch below and tested it, and it appears to resolve the
    suspend problems I was having with the module loaded. I only added in
    the pci_save_state and pci_restore_state - however, though I know little
    of this hardware, surely the driver should really be doing more than
    this when suspending and resuming? Currently it does almost nothing,
    what if there are commands in progress, etc?
    
    Signed-off-by: Robert Hancock <hancockr@shaw.ca>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  11. @chriswright

    [PATCH] IPV6 ADDRCONF: Fix default source address selection without CONFIG_IPV6_PRIVACY

    YOSHIFUJI Hideaki authored chriswright committed
    
    We need to update hiscore.rule even if we don't enable CONFIG_IPV6_PRIVACY,
    because we have more less significant rule; longest match.
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  12. @steelman @chriswright

    [PATCH] IPV6: Fix source address selection.

    steelman authored chriswright committed
    Two additional labels (RFC 3484, sec. 10.3) for IPv6 addresses
    are defined to make a distinction between global unicast
    addresses and Unique Local Addresses (fc00::/7, RFC 4193) and
    Teredo (2001::/32, RFC 4380). It is necessary to avoid attempts
    of connection that would either fail (eg. fec0:: to 2001:feed::)
    or be sub-optimal (2001:0:: to 2001:feed::).
    
    Signed-off-by: Łukasz Stelmach <stlman@poczta.fm>
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  13. @chriswright

    [PATCH] UML: fix uptime

    Jeff Dike authored chriswright committed
    The use of signed instead of unsigned here broke the calculations on
    negative numbers that are involved in calculating wall_to_monotonic.
    
    Signed-off-by: Jeff Dike <jdike@addtoit.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  14. @chriswright

    [PATCH] bcm43xx: init fix for possible Machine Check

    Michael Buesch authored chriswright committed
    Place the Init-vs-IRQ workaround before any card register
    access, because we might not have the wireless core mapped
    at all times in init. So this will result in a Machine Check
    caused by a bus error.
    
    Signed-off-by: Michael Buesch <mb@bu3sch.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  15. @chriswright

    [PATCH] x86: compile fix for asm-i386/alternatives.h

    Kirill Smelkov authored chriswright committed
    compile fix:  <asm-i386/alternative.h>  needs  <asm/types.h> for 'u8' --
    just look at struct alt_instr.
    
    My module includes <asm/bitops.h> as the first header, and as of 2.6.17 this
    leads to compilation errors.
    
    Signed-off-by: Kirill Smelkov <kirr@mns.spb.ru>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  16. @chriswright

    [PATCH] NTFS: Critical bug fix (affects MIPS and possibly others)

    Anton Altaparmakov authored chriswright committed
    It fixes a crash in NTFS on architectures where flush_dcache_page()
    is a real function.  I never noticed this as all my testing is done on
    i386 where flush_dcache_page() is NULL.
    
    http://bugzilla.kernel.org/show_bug.cgi?id=6700
    
    Many thanks to Pauline Ng for the detailed bug report and analysis!
    
    Signed-off-by: Anton Altaparmakov <aia21@cantab.net>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  17. @davem330 @chriswright

    [PATCH] SPARC32: Fix iommu_flush_iotlb end address

    davem330 authored chriswright committed
    Fix the calculation of the end address when flushing iotlb entries to
    ram.  This bug has been a cause of esp dma errors, and it affects
    HyperSPARC systems much worse than SuperSPARC systems.
    
    Signed-off-by: Bob Breuer <breuerr@mc.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  18. @herbertx @chriswright

    [PATCH] ETHTOOL: Fix UFO typo

    herbertx authored chriswright committed
    The function ethtool_get_ufo was referring to ETHTOOL_GTSO instead of
    ETHTOOL_GUFO.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  19. @chriswright

    [PATCH] SCTP: Fix persistent slowdown in sctp when a gap ack consumes rx buffer.

    Neil Horman authored chriswright committed
    
    In the event that our entire receive buffer is full with a series of
    chunks that represent a single gap-ack, and then we accept a chunk
    (or chunks) that fill in the gap between the ctsn and the first gap,
    we renege chunks from the end of the buffer, which effectively does
    nothing but move our gap to the end of our received tsn stream. This
    does little but move our missing tsns down stream a little, and, if the
    sender is sending sufficiently large retransmit frames, the result is a
    perpetual slowdown which can never be recovered from, since the only
    chunk that can be accepted to allow progress in the tsn stream necessitates
    that a new gap be created to make room for it. This leads to a constant
    need for retransmits, and subsequent receiver stalls. The fix I've come up
    with is to deliver the frame without reneging if we have a full receive
    buffer and the receiving socket's sk_receive_queue is empty (indicating that
    the receive buffer is being blocked by a missing tsn).
    
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  20. @chriswright

    [PATCH] SCTP: Send only 1 window update SACK per message.

    Tsutomu Fujii authored chriswright committed
    Right now, every time we increase our rwnd by more than MTU bytes, we
    trigger a SACK.  When processing large messages, this will generate a
    SACK for almost every other SCTP fragment. However since we are freeing
    the entire message at the same time, we might as well collapse the SACK
    generation to 1.
    
    Signed-off-by: Tsutomu Fujii <t-fujii@nb.jp.nec.com>
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  21. @davem330 @chriswright

    [PATCH] SCTP: Reset rtt_in_progress for the chunk when processing its sack.

    davem330 authored chriswright committed
    
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  22. @chriswright

    [PATCH] SCTP: Reject sctp packets with broadcast addresses.

    Vlad Yasevich authored chriswright committed
    Make SCTP handle broadcast properly
    
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  23. @chriswright

    [PATCH] SCTP: Limit association max_retrans setting in setsockopt.

    Vlad Yasevich authored chriswright committed
    When using ASSOCINFO socket option, we need to limit the number of
    maximum association retransmissions to be no greater than the sum
    of all the path retransmissions. This is specified in Section 7.1.2
    of the SCTP socket API draft.
    However, we only do this if the association has multiple paths. If
    there is only one path, the protocol stack will use the
    assoc_max_retrans setting when trying to retransmit packets.
    
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  24. @chriswright

    [PATCH] PFKEYV2: Fix inconsistent typing in struct sadb_x_kmprivate.

    Tushar Gohad authored chriswright committed
    Fixes inconsistent use of "uint32_t" vs. "u_int32_t".
    Fix pfkeyv2 userspace builds.
    
    Signed-off-by: Tushar Gohad <tgohad@mvista.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  25. @chriswright

    [PATCH] IPV6: Sum real space for RTAs.

    YOSHIFUJI Hideaki authored chriswright committed
    This patch fixes RTNLGRP_IPV6_IFINFO netlink notifications.  Issue
    pointed out by Patrick McHardy <kaber@trash.net>.
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Acked-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  26. @chriswright

    [PATCH] USB: Whiteheat: fix firmware spurious errors

    Stuart MacDonald authored chriswright committed
    Attached patch fixes spurious errors during firmware load.
    
    Signed-off-by: Stuart MacDonald <stuartm@connecttech.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Commits on Jun 20, 2006
  1. @chriswright

    Linux 2.6.17.1

    chriswright authored
  2. @kaber @chriswright

    [PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)

    kaber authored chriswright committed
    
    Fix endless loop in the SCTP match similar to those already fixed in the
    SCTP conntrack helper (was CVE-2006-1527).
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
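    The two SCTP entries above (the conntrack crash on a packet with no chunks, CVE-2006-2934, and the xt_sctp endless loop on a zero chunk length, CVE-2006-3085) are both failures of the same chunk walk. The following user-space C parser is an added illustration, not code from the kernel or from either commit: it walks the chunk list of an SCTP packet and rejects the two malformed shapes before anything is indexed or looped over. The sample packets are hand-constructed bytes (ports 5000/5001, zero vtag and checksum), and the error codes and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SCTP wire layout (RFC 4960): a 12-byte common header (ports, vtag,
 * checksum) followed by chunks. Every chunk starts with a 4-byte header:
 * type (1), flags (1), length (2, big-endian, header included, padding
 * excluded). Chunks are aligned to 4 bytes. */
#define SCTP_COMMON_HDR_LEN 12
#define SCTP_CHUNK_HDR_LEN   4

/* Result codes of this example (not kernel constants). */
enum sctp_walk_result {
    SCTP_ERR_SHORT_HEADER    = -1, /* shorter than the common header */
    SCTP_ERR_NO_CHUNKS       = -2, /* header only: the conntrack crash case */
    SCTP_ERR_BAD_CHUNK_LEN   = -3, /* length < 4; a 0 length never advances */
    SCTP_ERR_TRUNCATED_CHUNK = -4  /* length runs past the end of the packet */
};

/* Walk all chunks in a packet. Returns the number of chunks (>= 1) on
 * success or one of the negative codes above. If first_type is non-NULL,
 * the type byte of the first chunk is stored there on success. */
int sctp_walk_chunks(const uint8_t *pkt, size_t len, uint8_t *first_type)
{
    size_t off = SCTP_COMMON_HDR_LEN;
    int count = 0;

    if (len < SCTP_COMMON_HDR_LEN)
        return SCTP_ERR_SHORT_HEADER;

    while (off + SCTP_CHUNK_HDR_LEN <= len) {
        uint16_t clen = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);

        /* A length below the header size is invalid; a cursor that does
         * not move is exactly the endless loop the xt_sctp commit fixes. */
        if (clen < SCTP_CHUNK_HDR_LEN)
            return SCTP_ERR_BAD_CHUNK_LEN;
        if (off + clen > len)
            return SCTP_ERR_TRUNCATED_CHUNK;

        if (count == 0 && first_type)
            *first_type = pkt[off];
        count++;
        off += ((size_t)clen + 3) & ~(size_t)3; /* skip chunk plus padding */
    }

    /* Zero chunks: there is nothing to derive a state from, so a caller
     * that assumed "at least one chunk" would index out of bounds. */
    return count == 0 ? SCTP_ERR_NO_CHUNKS : count;
}

/* Type of the first chunk, or -1 if the packet is rejected. */
int sctp_first_chunk_type(const uint8_t *pkt, size_t len)
{
    uint8_t type = 0;
    return sctp_walk_chunks(pkt, len, &type) > 0 ? (int)type : -1;
}

/* Constructed sample packets (hand-built bytes, not captures). Common
 * header: src port 5000, dst port 5001, vtag 0, checksum 0. */
#define SAMPLE_COMMON_HDR 0x13, 0x88, 0x13, 0x89, 0, 0, 0, 0, 0, 0, 0, 0

static const uint8_t pkt_header_only[] = { SAMPLE_COMMON_HDR };
static const uint8_t pkt_zero_len[]    = { SAMPLE_COMMON_HDR, 0x01, 0x00, 0x00, 0x00 };
static const uint8_t pkt_truncated[]   = { SAMPLE_COMMON_HDR, 0x01, 0x00, 0x00, 0x14 };
static const uint8_t pkt_init[] = {
    SAMPLE_COMMON_HDR,
    0x01, 0x00, 0x00, 0x14,                 /* INIT, length 20 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
static const uint8_t pkt_sack_data[] = {
    SAMPLE_COMMON_HDR,
    0x03, 0x00, 0x00, 0x10,                 /* SACK, length 16 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x03, 0x00, 0x11,                 /* DATA, length 17 -> padded to 20 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x41, 0, 0, 0                           /* 1 payload byte + 3 pad */
};

int main(void)
{
    printf("header only : %d\n", sctp_walk_chunks(pkt_header_only, sizeof pkt_header_only, NULL));
    printf("zero length : %d\n", sctp_walk_chunks(pkt_zero_len, sizeof pkt_zero_len, NULL));
    printf("truncated   : %d\n", sctp_walk_chunks(pkt_truncated, sizeof pkt_truncated, NULL));
    printf("INIT        : %d chunk(s)\n", sctp_walk_chunks(pkt_init, sizeof pkt_init, NULL));
    printf("SACK+DATA   : %d chunk(s)\n", sctp_walk_chunks(pkt_sack_data, sizeof pkt_sack_data, NULL));
    return 0;
}
```

The point of the walk is that every iteration either advances the offset by at least four bytes or returns, and that a packet with no chunks is reported as such rather than letting the caller read an uninitialised "first chunk" value; both properties are what the two fixes above restore in the kernel's conntrack helper and match.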
Commits on Jun 18, 2006
  1. Linux v2.6.17

    Linus Torvalds authored
    Being named "Crazed Snow-Weasel" instills a lot of confidence in this
    release, so I'm sure this will be one of the better ones.
Commits on Jun 17, 2006
  1. [PATCH] powerpc: enable CPU_FTR_CI_LARGE_PAGE for cell

    Arnd Bergmann authored Linus Torvalds committed
    Reflect the fact that the Cell Broadband Engine supports 64k
    pages by adding the bit to the CPU features.
    
    Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  2. [PATCH] powerpc: Fix 64k pages on non-partitioned machines

    Arnd Bergmann authored Linus Torvalds committed
    The page size encoding passed to tlbie is incorrect for new-style
    large pages.  This fixes it.  This doesn't affect anything on older
    machines because mmu_psize_defs[psize].penc (the page size encoding)
    is 0 for 4k and 16M pages (the two are distinguished by a separate "is
    a large page" bit).
    
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
    Signed-off-by: Paul Mackerras <paulus@samba.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  3. [PATCH] arm_timer: remove a racy and obsolete PF_EXITING check

    Oleg Nesterov authored Linus Torvalds committed
    arm_timer() checks PF_EXITING to prevent BUG_ON(->exit_state)
    in run_posix_cpu_timers().
    
    However, for some reason it does so only for CPUCLOCK_PERTHREAD
    case (which is imho wrong).
    
    Also, this check is not reliable, PF_EXITING could be set on
    another cpu without any locks/barriers just after the check,
    so it can't prevent from attaching the timer to the exiting
    task.
    
    The previous patch makes this check unneeded.
    
    Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  4. [PATCH] run_posix_cpu_timers: remove a bogus BUG_ON()

    Oleg Nesterov authored Linus Torvalds committed
    do_exit() clears ->it_##clock##_expires, but nothing prevents
    another cpu from attaching the timer to the exiting process after that.
    arm_timer() tries to protect against this race, but the check
    is racy.
    
    After exit_notify() does 'write_unlock_irq(&tasklist_lock)' and
    before do_exit() calls 'schedule()', a local timer interrupt can find
    tsk->exit_state != 0. If that state was EXIT_DEAD (or another cpu
    does sys_wait4) the interrupted task has ->signal == NULL.
    
    At this moment the exiting task has no pending cpu timers, they were
    cleaned up in __exit_signal()->posix_cpu_timers_exit{,_group}(),
    so we can just return from irq.
    
    John Stultz recently confirmed this bug, see
    
    	http://marc.theaimsgroup.com/?l=linux-kernel&m=115015841413687
    
    Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>