Commits on Jul 15, 2006
  1. @gregkh

    Linux 2.6.17.6

    gregkh committed Jul 15, 2006
  2. @gregkh

    [PATCH] Relax /proc fix a bit

    Relax /proc fix a bit
    
    Clearing all of i_mode was a bit draconian. We only really care about
    S_ISUID/ISGID, after all.
    
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Linus Torvalds committed with gregkh Jul 15, 2006
  3. @gregkh

    Linux 2.6.17.5

    gregkh committed Jul 15, 2006
  4. @gregkh

    [PATCH] Fix nasty /proc vulnerability (CVE-2006-3626)

    Fix nasty /proc vulnerability
    
    We have a bad interaction with both the kernel and user space being able
    to change some of the /proc file status.  This fixes the most obvious
    part of it, but I expect we'll also make it harder for users to modify
    even their "own" files in /proc.
    
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Linus Torvalds committed with gregkh Jul 14, 2006
Commits on Jul 6, 2006
  1. @gregkh

    Linux 2.6.17.4

    gregkh committed Jul 6, 2006
  2. @gregkh

    fix prctl privilege escalation and suid_dumpable (CVE-2006-2451)

    Based on a patch from Ernie Petrides
    
    During security research, Red Hat discovered a behavioral flaw in core
    dump handling. A local user could create a program that would cause a
    core file to be dumped into a directory they would not normally have
    permissions to write to. This could lead to a denial of service (disk
    consumption), or allow the local user to gain root privileges.
    
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    gregkh committed Jul 6, 2006
Commits on Jun 30, 2006
  1. @chriswright

    Linux 2.6.17.3

    chriswright committed Jun 30, 2006
  2. @kaber @chriswright

    [PATCH] NETFILTER: SCTP conntrack: fix crash triggered by packet without chunks [CVE-2006-2934]
    
    When a packet without any chunks is received, the newconntrack variable
    in sctp_packet contains an out of bounds value that is used to look up a
    pointer from the array of timeouts, which is then dereferenced, resulting
    in a crash. Make sure at least a single chunk is present.
    
    Problem noticed by George A. Theall <theall@tenablesecurity.com>
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    kaber committed with chriswright Jun 30, 2006
  3. @chriswright

    Linux 2.6.17.2

    chriswright committed Jun 30, 2006
  4. @rpurdie @chriswright

    [PATCH] Input: return correct size when reading modalias attribute

    Input: return correct size when reading modalias attribute
    
    Signed-off-by: Richard Purdie <rpurdie@rpsys.net>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    rpurdie committed with chriswright Jun 27, 2006
  5. @chriswright

    [PATCH] idr: fix race in idr code

    From: Sonny Rao <sonny@burdell.org>
    
    I ran into a bug where the kernel died in the idr code:
    
    cpu 0x1d: Vector: 300 (Data Access) at [c000000b7096f710]
        pc: c0000000001f8984: .idr_get_new_above_int+0x140/0x330
        lr: c0000000001f89b4: .idr_get_new_above_int+0x170/0x330
        sp: c000000b7096f990
       msr: 800000000000b032
       dar: 0
     dsisr: 40010000
      current = 0xc000000b70d43830
      paca    = 0xc000000000556900
        pid   = 2022, comm = hwup
    1d:mon> t
    [c000000b7096f990] c0000000000d2ad8 .expand_files+0x2e8/0x364 (unreliable)
    [c000000b7096faa0] c0000000001f8bf8 .idr_get_new_above+0x18/0x68
    [c000000b7096fb20] c00000000002a054 .init_new_context+0x5c/0xf0
    [c000000b7096fbc0] c000000000049dc8 .copy_process+0x91c/0x1404
    [c000000b7096fcd0] c00000000004a988 .do_fork+0xd8/0x224
    [c000000b7096fdc0] c00000000000ebdc .sys_clone+0x5c/0x74
    [c000000b7096fe30] c000000000008950 .ppc_clone+0x8/0xc
    -- Exception: c00 (System Call) at 000000000fde887c
    SP (f8b4e7a0) is in userspace
    
    Turned out to be a race-condition and NULL ptr deref, here's my fix:
    
    Users of the idr code are supposed to call idr_pre_get without locking, so the
    idr code must serialize itself with respect to layer allocations.  However, it
    fails to do so in an error path in idr_get_new_above_int().  I added the
    missing locking to fix this.
    
    Signed-off-by: Sonny Rao <sonny@burdell.org>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Sonny Rao committed with chriswright Jun 25, 2006
  6. @antonblanchard @chriswright

    [PATCH] Link error when futexes are disabled on 64bit architectures

    From: Anton Blanchard <anton@samba.org>
    
    If futexes are disabled we fail to link on ppc64.
    
    Signed-off-by: Anton Blanchard <anton@samba.org>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    antonblanchard committed with chriswright Jun 25, 2006
  7. @chriswright

    [PATCH] kbuild: bugfix with initramfs

    This patch fixes double inclusion of ramfs-input.
    
    Signed-off-by: Nickolay Vinogradov <nickolay@protei.ru>
    Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Nickolay committed with chriswright Jun 9, 2006
  8. @chriswright

    [PATCH] ide-io: increase timeout value to allow for slave wakeup

    During an STR resume cycle, the ide master disk times out when there is
    also a slave present (especially CD).  Increasing the timeout in ide-io
    from 10,000 to 100,000 fixes this problem.
    
    Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
    Cc: Bartlomiej Zolnierkiewicz <B.Zolnierkiewicz@elka.pw.edu.pl>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Al Boldi committed with chriswright Jun 26, 2006
  9. @htejun @chriswright

    [PATCH] libata: minor patch for ATA_DFLAG_PIO

    Problem:
     - With 2.6.17 libata, some PIO-only devices are given DMA commands.
    
    Changes:
     - Do not clear the ATA_DFLAG_PIO flag in ata_dev_configure().
    
    Signed-off-by: Tejun Heo <htejun@gmail.com>
    Signed-off-by: Albert Lee <albertcc@tw.ibm.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    htejun committed with chriswright Jun 23, 2006
  10. @chriswright

    [PATCH] ohci1394: Fix broken suspend/resume in ohci1394

    I've been experimenting to track down the cause of suspend/resume
    problems on my Compaq Presario X1050 laptop:
    
    http://bugzilla.kernel.org/show_bug.cgi?id=6075
    
    Essentially the ACPI Embedded Controller and keyboard controller would
    get into a bizarre, confused state after resume.
    
    I found that unloading the ohci1394 module before suspend and reloading
    it after resume made the problem go away. Diffing the dmesg output from
    resume, with and without the module loaded, I found that with the module
    loaded I was missing these:
    
    PM: Writing back config space on device 0000:02:00.0 at offset 1. (Was
    2100080, writing 2100007)
    PM: Writing back config space on device 0000:02:00.0 at offset 3. (Was
    0, writing 8008)
    PM: Writing back config space on device 0000:02:00.0 at offset 4. (Was
    0, writing 90200000)
    PM: Writing back config space on device 0000:02:00.0 at offset 5. (Was
    1, writing 2401)
    PM: Writing back config space on device 0000:02:00.0 at offset f. (Was
    20000100, writing 2000010a)
    
    The default PCI driver performs the pci_restore_state when no driver is
    loaded for the device. When the ohci1394 driver is loaded, it is
    supposed to do this, however it appears not to do so.
    
    I created the patch below and tested it, and it appears to resolve the
    suspend problems I was having with the module loaded. I only added in
    the pci_save_state and pci_restore_state - however, though I know little
    of this hardware, surely the driver should really be doing more than
    this when suspending and resuming? Currently it does almost nothing,
    what if there are commands in progress, etc?
    
    Signed-off-by: Robert Hancock <hancockr@shaw.ca>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Robert Hancock committed with chriswright Jun 23, 2006
  11. @chriswright

    [PATCH] IPV6 ADDRCONF: Fix default source address selection without CONFIG_IPV6_PRIVACY
    
    We need to update hiscore.rule even if we don't enable CONFIG_IPV6_PRIVACY,
    because we have more less significant rule; longest match.
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    YOSHIFUJI Hideaki committed with chriswright Jun 22, 2006
  12. @steelman @chriswright

    [PATCH] IPV6: Fix source address selection.

    Two additional labels (RFC 3484, sec. 10.3) for IPv6 addresses
    are defined to make a distinction between global unicast
    addresses and Unique Local Addresses (fc00::/7, RFC 4193) and
    Teredo (2001::/32, RFC 4380). It is necessary to avoid attempts
    of connection that would either fail (e.g. fec0:: to 2001:feed::)
    or be sub-optimal (2001:0:: to 2001:feed::).
    
    Signed-off-by: Łukasz Stelmach <stlman@poczta.fm>
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    steelman committed with chriswright Jun 22, 2006
  13. @chriswright

    [PATCH] UML: fix uptime

    The use of signed instead of unsigned here broke the calculations on
    negative numbers that are involved in calculating wall_to_monotonic.
    
    Signed-off-by: Jeff Dike <jdike@addtoit.com>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Jeff Dike committed with chriswright Jun 20, 2006
  14. @chriswright

    [PATCH] bcm43xx: init fix for possible Machine Check

    Place the Init-vs-IRQ workaround before any card register
    access, because we might not have the wireless core mapped
    at all times in init. So this will result in a Machine Check
    caused by a bus error.
    
    Signed-off-by: Michael Buesch <mb@bu3sch.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Michael Buesch committed with chriswright Jun 18, 2006
  15. @chriswright

    [PATCH] x86: compile fix for asm-i386/alternatives.h

    compile fix:  <asm-i386/alternative.h>  needs  <asm/types.h> for 'u8' --
    just look at struct alt_instr.
    
    My module includes <asm/bitops.h> as the first header, and as of 2.6.17 this
    leads to compilation errors.
    
    Signed-off-by: Kirill Smelkov <kirr@mns.spb.ru>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Kirill Smelkov committed with chriswright Jun 20, 2006
  16. @chriswright

    [PATCH] NTFS: Critical bug fix (affects MIPS and possibly others)

    It fixes a crash in NTFS on architectures where flush_dcache_page()
    is a real function.  I never noticed this as all my testing is done on
    i386 where flush_dcache_page() is NULL.
    
    http://bugzilla.kernel.org/show_bug.cgi?id=6700
    
    Many thanks to Pauline Ng for the detailed bug report and analysis!
    
    Signed-off-by: Anton Altaparmakov <aia21@cantab.net>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Anton Altaparmakov committed with chriswright Jun 20, 2006
  17. @davem330 @chriswright

    [PATCH] SPARC32: Fix iommu_flush_iotlb end address

    Fix the calculation of the end address when flushing iotlb entries to
    ram.  This bug has been a cause of esp dma errors, and it affects
    HyperSPARC systems much worse than SuperSPARC systems.
    
    Signed-off-by: Bob Breuer <breuerr@mc.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    davem330 committed with chriswright Jun 20, 2006
  18. @herbertx @chriswright

    [PATCH] ETHTOOL: Fix UFO typo

    The function ethtool_get_ufo was referring to ETHTOOL_GTSO instead of
    ETHTOOL_GUFO.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    herbertx committed with chriswright Jun 20, 2006
  19. @chriswright

    [PATCH] SCTP: Fix persistent slowdown in sctp when a gap ack consumes rx buffer.
    
    In the event that our entire receive buffer is full with a series of
    chunks that represent a single gap-ack, and then we accept a chunk
    (or chunks) that fill in the gap between the ctsn and the first gap,
    we renege chunks from the end of the buffer, which effectively does
    nothing but move our gap to the end of our received tsn stream. This
    does little but move our missing tsns down stream a little, and, if the
    sender is sending sufficiently large retransmit frames, the result is a
    perpetual slowdown which can never be recovered from, since the only
    chunk that can be accepted to allow progress in the tsn stream necessitates
    that a new gap be created to make room for it. This leads to a constant
    need for retransmits, and subsequent receiver stalls. The fix I've come up
    with is to deliver the frame without reneging if we have a full receive
    buffer and the receiving socket's sk_receive_queue is empty (indicating that
    the receive buffer is being blocked by a missing tsn).
    
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Neil Horman committed with chriswright Jun 20, 2006
  20. @chriswright

    [PATCH] SCTP: Send only 1 window update SACK per message.

    Right now, every time we increase our rwnd by more than MTU bytes, we
    trigger a SACK.  When processing large messages, this will generate a
    SACK for almost every other SCTP fragment. However since we are freeing
    the entire message at the same time, we might as well collapse the SACK
    generation to 1.
    
    Signed-off-by: Tsutomu Fujii <t-fujii@nb.jp.nec.com>
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Tsutomu Fujii committed with chriswright Jun 20, 2006
  21. @davem330 @chriswright

    [PATCH] SCTP: Reset rtt_in_progress for the chunk when processing its sack.
    
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    davem330 committed with chriswright Jun 20, 2006
  22. @chriswright

    [PATCH] SCTP: Reject sctp packets with broadcast addresses.

    Make SCTP handle broadcast properly
    
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Vlad Yasevich committed with chriswright Jun 20, 2006
  23. @chriswright

    [PATCH] SCTP: Limit association max_retrans setting in setsockopt.

    When using ASSOCINFO socket option, we need to limit the number of
    maximum association retransmissions to be no greater than the sum
    of all the path retransmissions. This is specified in Section 7.1.2
    of the SCTP socket API draft.
    However, we only do this if the association has multiple paths. If
    there is only one path, the protocol stack will use the
    assoc_max_retrans setting when trying to retransmit packets.
    
    Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Vlad Yasevich committed with chriswright Jun 20, 2006
  24. @chriswright

    [PATCH] PFKEYV2: Fix inconsistent typing in struct sadb_x_kmprivate.

    Fixes inconsistent use of "uint32_t" vs. "u_int32_t".
    Fix pfkeyv2 userspace builds.
    
    Signed-off-by: Tushar Gohad <tgohad@mvista.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Tushar Gohad committed with chriswright Jun 20, 2006
  25. @chriswright

    [PATCH] IPV6: Sum real space for RTAs.

    This patch fixes RTNLGRP_IPV6_IFINFO netlink notifications.  Issue
    pointed out by Patrick McHardy <kaber@trash.net>.
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Acked-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    YOSHIFUJI Hideaki committed with chriswright Jun 20, 2006
  26. @chriswright

    [PATCH] USB: Whiteheat: fix firmware spurious errors

    Attached patch fixes spurious errors during firmware load.
    
    Signed-off-by: Stuart MacDonald <stuartm@connecttech.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    Stuart MacDonald committed with chriswright May 31, 2006
Commits on Jun 20, 2006
  1. @chriswright

    Linux 2.6.17.1

    chriswright committed Jun 20, 2006
  2. @kaber @chriswright

    [PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)
    
    Fix endless loop in the SCTP match similar to those already fixed in the
    SCTP conntrack helper (was CVE-2006-1527).
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
    kaber committed with chriswright Jun 19, 2006
Commits on Jun 18, 2006
  1. Linux v2.6.17

    Being named "Crazed Snow-Weasel" instills a lot of confidence in this
    release, so I'm sure this will be one of the better ones.
    Linus Torvalds committed Jun 18, 2006