Commit: ec97dff7309a7dfb403bf76512e0636a6627ff87
Author: Adrian Bunk  Sun, 11 Mar 2007 08:11:10 +0100

Linux 2.6.16.44-rc1


Commit: 3c872db41104b651851b10784b0a99c8e268c89c
Author: Chris Wright  Sun, 11 Mar 2007 07:43:46 +0100

[IPV6] fix ipv6_getsockopt_sticky copy_to_user leak

User supplied len < 0 can cause leak of kernel memory. Use unsigned compare instead.

Signed-off-by: Chris Wright
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk


Commit: 6d2c0df71d1ecc0ed52f0631c6aee8d7f992cc43
Author: Olaf Kirch  Sun, 11 Mar 2007 07:42:33 +0100

[IPV6]: Fix for ipv6_setsockopt NULL dereference

I came across this bug in http://bugzilla.kernel.org/show_bug.cgi?id=8155

Signed-off-by: Olaf Kirch
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk


Commit: dfe67217aea3eb4ecbab736903f6ecee3458b8a8
Author: Marcel Holtmann  Sun, 11 Mar 2007 07:39:14 +0100

Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005)

Based on a patch from Don Howard

When calling write() with a buffer larger than 512 bytes, the driver's write buffer overflows, allowing the EIP to be overwritten and arbitrary code to be executed with kernel privileges.

In read(), there exists a similar problem, but coming from the device. A malicious or buggy device sending more than 512 bytes can overflow the driver's read buffer, with the same effects as above.

Signed-off-by: Marcel Holtmann
Signed-off-by: Adrian Bunk


Commit: 59d2b001518d200ba99d213e41c892f5fe750d07
Author: Michael S. Tsirkin  Sun, 11 Mar 2007 07:37:12 +0100

IB/mthca: Fix off-by-one in FMR handling on memfree

From: Michael S. Tsirkin

mthca_table_find() will return the wrong address when the table entry being searched for is exactly at the beginning of a sglist entry (other than the first), because it uses >= when it should use >.

Example: assume we have 2 entries in scatterlist, 4K each, offset is 4K. The current code will return first entry + 4K when we really want the second entry.

In particular this means mapping an FMR on a memfree HCA may end up writing the page table into the wrong place, leading to memory corruption and also causing the HCA to use an incorrect address translation table.

Signed-off-by: Michael S. Tsirkin
Signed-off-by: Roland Dreier
Signed-off-by: Adrian Bunk


Commit: 4b3c56f0239d50fff032d3ff53f7b7509d10b53b
Author: Eli Cohen  Sun, 11 Mar 2007 07:36:27 +0100

IPoIB: Rejoin all multicast groups after a port event

When ipoib_ib_dev_flush() is called because of a port event, the driver needs to rejoin all multicast groups, since the flush will call ipoib_mcast_dev_flush() (via ipoib_ib_dev_down()). Otherwise no (non-broadcast) multicast groups will be rejoined until the networking core calls ->set_multicast_list again, and so multicast reception will be broken for potentially a long time.

Signed-off-by: Eli Cohen
Signed-off-by: Michael S. Tsirkin
Signed-off-by: Roland Dreier
Signed-off-by: Adrian Bunk


Commit: 11bb9d392c1d5b63e2b9a0c8cc8a64cf49808757
Author: Arthur Kepner  Sun, 11 Mar 2007 07:35:15 +0100

IB/mthca: Use mmiowb after doorbell ring

We discovered a problem when running IPoIB applications on multiple CPUs on an Altix system. Many messages such as:

    ib_mthca 0002:01:00.0: SQ 000014 full (19941644 head, 19941707 tail, 64 max, 0 nreq)

appear in syslog, and the driver wedges up.

Apparently this is because writes to the doorbells from different CPUs reach the device out of order. The following patch adds mmiowb() calls after doorbell rings to ensure the doorbell writes are ordered.

Signed-off-by: Arthur Kepner
Signed-off-by: Roland Dreier
Signed-off-by: Adrian Bunk


Commit: ec333318b748e4f4ac3679a197620503b6d19d20
Author: David S. Miller  Fri, 09 Mar 2007 10:41:04 +0100

SPARC64: Fix memory corruption in pci_4u_free_consistent()

The second argument to free_npages() was being incorrectly calculated, which would thus access far past the end of the arena->map[] bitmap.

Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk


Commit: 0096623513107562ede3254df8d50d86474e5a7a
Author: Hugh Dickins  Fri, 09 Mar 2007 08:42:48 +0100

make ppc64 current preempt-safe

Repeated -j20 kernel builds on a G5 Quad running an SMP PREEMPT kernel would often collapse within a day, some exec failing with "Bad address". In each case examined, load_elf_binary was doing a kernel_read, but generic_file_aio_read's access_ok saw current->thread.fs.seg as USER_DS instead of KERNEL_DS.

objdump of filemap.o shows gcc 4.1.0 emitting "mr r5,r13 ... ld r9,416(r5)" here for get_paca()->__current, instead of the expected and much more usual "ld r9,416(r13)"; I've seen other gcc4s do the same, but perhaps not gcc3s.

So, if the task is preempted and rescheduled on a different cpu in between the mr and the ld, r5 will be looking at a different paca_struct from the one it's now on, pick up the wrong __current, and perhaps the wrong seg. Presumably much worse could happen elsewhere, though that split is rare.

Other architectures appear to be safe (x86_64's read_pda is more limiting than get_paca), but ppc64 needs to force "current" into one instruction.

Signed-off-by: Hugh Dickins
Signed-off-by: Adrian Bunk


Commit: 90aab35b1626fce37326ea18cc54d7ff5ffa5ab6
Author: Ang Way Chuang  Fri, 09 Mar 2007 08:32:38 +0100

dvb-core: fix bug in CRC-32 checking on 64-bit systems

CRC-32 checking during ULE decapsulation always failed on x86_64 systems due to the size of a variable used to store CRC. This bug was discovered on Fedora Core 6 with kernel-2.6.18-1.2849. The i386 counterpart has no such problem. This patch has been tested on 64-bit system as well as 32-bit system.

Signed-off-by: Ang Way Chuang
Signed-off-by: Michael Krufky
Signed-off-by: Adrian Bunk


Commit: 5edf0f4dfbc697487add3c6eaecca1c9bf285d84
Author: David S. Miller  Fri, 09 Mar 2007 07:15:40 +0100

[IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky(). (CVE-2007-1000)

Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk


Commit: e62a305abfd6ec65c6d5aab05ed94109408f4c5c
Author: Arnaldo Carvalho de Melo  Thu, 08 Mar 2007 08:43:47 +0100

[TCP]: Fix minisock tcp_create_openreq_child() typo.

On 2/28/07, KOVACS Krisztian wrote:
>
> Hi,
>
> While reading TCP minisock code I've found this suspiciously looking
> code fragment:
>
> - 8< -
> struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req, struct sk_buff *skb)
> {
>         struct sock *newsk = inet_csk_clone(sk, req, GFP_ATOMIC);
>
>         if (newsk != NULL) {
>                 const struct inet_request_sock *ireq = inet_rsk(req);
>                 struct tcp_request_sock *treq = tcp_rsk(req);
>                 struct inet_connection_sock *newicsk = inet_csk(sk);
>                 struct tcp_sock *newtp;
> - 8< -
>
> The above code initializes newicsk to inet_csk(sk), isn't that supposed
> to be inet_csk(newsk)? As far as I can tell this might leave
> icsk_ack.last_seg_size zero even if we do have received data.

Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk


Commit: 8cf5c27708b395705f9878e3b444dd9378e14f60
Author: Jin-Bong lee  Thu, 08 Mar 2007 08:41:19 +0100

DVB: cxusb: fix firmware patch for big endian systems

Without this patch, the device will not be detected after firmware download on big endian systems.

Signed-off-by: Jin-Bong lee
Signed-off-by: Michael Krufky
Signed-off-by: Adrian Bunk


Commit: 42e1e229bad37376acf033f14baad9fca2e8584f
Author: David Stevens  Thu, 08 Mar 2007 08:40:07 +0100

[IPV6]: /proc/net/anycast6 unbalanced inet6_dev refcnt

Reading /proc/net/anycast6 when there is no anycast address on an interface results in an ever-increasing inet6_dev reference count, as well as a reference to the netdevice you can't get rid of.

Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk


Commit: 6ba50d10b7b7d8d0b6ef7150b705897dbfd05507
Author: Michal Wrobel  Thu, 08 Mar 2007 08:38:52 +0100

[IPV6]: anycast refcnt fix

This patch fixes a bug in the Linux IPv6 stack which caused an anycast address to be added to a device before DAD had been completed. This led to an incorrect reference count, which resulted in an infinite wait for unregister_netdevice completion on interface removal.

Signed-off-by: Michal Wrobel
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk


Commit: e61f6a0e0627eeaaaae5cef83f877e77f64cc607
Author: David S. Miller  Thu, 08 Mar 2007 08:36:44 +0100

[SPARC64] bbc_i2c: Fix kenvctrld eating 100% cpu.

Based almost entirely upon a patch by Joerg Friedrich

Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk


Commit: 822f952f2ab27ca3f06d6fb3e57c34195b1e0583
Author: Herbert Xu  Thu, 08 Mar 2007 08:21:15 +0100

[UDP]: Reread uh pointer after pskb_trim

The header may have moved when trimming.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk


Commit: 763eec030da398d17ebd85c54b1020b93435e55d
Author: Eric Dumazet  Thu, 08 Mar 2007 08:19:00 +0100

[INET]: twcal_jiffie should be unsigned long, not int

Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk


Commit: 2d3bc628ad9b9c883f94a2d5a9ad48b0a95101a3
Author: David S. Miller  Thu, 08 Mar 2007 08:17:20 +0100

video/aty/mach64_ct.c: fix bogus delay loop

CT based mach64 cards were reported to hang on sparc64 boxes when compiled with gcc-4.1.x and later.

Looking at this piece of code, it's no surprise. A critical delay was implemented as an empty for() loop, and gcc 4.0.x and previous did not optimize it away, so we did get a delay. But gcc-4.1.x and later can optimize it away, and we get crashes.

Use a real udelay() to fix this. Fix verified on SunBlade100.

Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk


Commit: 1a6b8d666d090d821cbc9c07d788ac85639d74c8
Author: Komuro  Thu, 08 Mar 2007 08:13:04 +0100

modify 3c589_cs to be SMP safe

1. EL3WINDOW is always 1 when lock is not held.
2. The second argument of el3_interrupt is 'void *dev_id', not 'struct el3_private *lp'.

Adrian Bunk: backported to 2.6.16

Signed-off-by: Komuro
Signed-off-by: Adrian Bunk


Commit: d4705d6dc74016619a1a6565dd54c7c5269c25d0
Author: David Moore  Thu, 08 Mar 2007 08:10:34 +0100

Missing critical phys_to_virt in lib/swiotlb.c

Adds missing call to phys_to_virt() in the lib/swiotlb.c:swiotlb_sync_sg() function. Without this change, a kernel panic will always occur whenever a SWIOTLB bounce buffer from a scatter-gather list gets synced.

Signed-off-by: David Moore
Signed-off-by: Stefan Richter
Signed-off-by: Adrian Bunk


Commit: 4a990d10083535d9f0927cd81dcc3b18d0ec3cac
Author: Dan Yeisley  Thu, 08 Mar 2007 08:01:53 +0100

init_reap_node() initialization fix

It looks like there is a bug in init_reap_node() in slab.c that can cause multiple oopses on certain ES7000 configurations. The variable reap_node is defined per cpu, but only initialized on a single CPU. This causes an oops in next_reap_node() when __get_cpu_var(reap_node) returns the wrong value. Fix is below.

Signed-off-by: Dan Yeisley
Signed-off-by: Adrian Bunk


Commit: a9cbeddd48ff51399d93b8e60e97875c893a89d0
Author: Sergey Vlasov  Thu, 08 Mar 2007 07:59:05 +0100

Input: psmouse - fix attribute access on 64-bit systems

psmouse_show_int_attr() and psmouse_set_int_attr() were accessing unsigned int fields as unsigned long, which gave garbage on x86_64.

Signed-off-by: Sergey Vlasov
Signed-off-by: Adrian Bunk
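The two length-validation bugs in this changelog (the signed `len < 0` check behind the ipv6_getsockopt_sticky copy_to_user leak, and the fixed 512-byte write/read buffers in the CardMan 4040 driver, CVE-2007-0005) share one root cause: a length that came from outside the kernel was used as a copy size without being bounded against the real buffer. The C below is an added, user-space model written for this page; it is not the kernel's code, and OPT_LEN, DRV_BUF, the sample buffers and the function names are constructed stand-ins. It shows the signed compare beside its unsigned replacement, and a write()/read() pair that bounds both the user-supplied and the device-supplied length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an in-kernel sticky option block; OPT_LEN plays
 * the role of the real option size. Not the kernel's own code. */
#define OPT_LEN 16u
static const unsigned char kernel_opt[OPT_LEN] = "sticky-option!!";

/* Buggy pattern: a signed compare, after which the length becomes the
 * unsigned size argument of copy_to_user(). Returns the byte count that
 * would be copied out to user space. */
size_t sticky_len_buggy(int optlen)
{
    if (optlen > (int)OPT_LEN)   /* optlen == -1 passes this check */
        optlen = OPT_LEN;
    return (size_t)optlen;       /* -1 becomes SIZE_MAX: kernel memory leak */
}

/* Fixed pattern ("use unsigned compare instead"): a negative optlen turns
 * into a huge unsigned value, is seen as too large, and is clamped. */
size_t sticky_len_fixed(int optlen)
{
    unsigned int n = (unsigned int)optlen;
    if (n > OPT_LEN)
        n = OPT_LEN;
    return n;
}

/* Fixed-size driver buffers, sized like the CardMan 4040 report. */
#define DRV_BUF 512u
static unsigned char write_buf[DRV_BUF];
static unsigned char read_buf[DRV_BUF];

/* Constructed 1024-byte sample standing in for an oversize user buffer or
 * an oversize device response. */
static unsigned char sample_big[1024];

/* write(): count is chosen by user space. Reject anything larger than the
 * buffer instead of copying count bytes blindly. Returns bytes accepted,
 * or -1 for an oversize request. */
long drv_write(const unsigned char *user_data, size_t count)
{
    if (count > DRV_BUF)
        return -1;
    memcpy(write_buf, user_data, count);
    return (long)count;
}

/* read(): the length comes from the device, which is just as untrusted as
 * user space. Clamp what is accepted to the buffer, then bound the copy-out
 * by the caller's count. Returns the bytes that would reach the user. */
size_t drv_read(const unsigned char *dev_data, size_t dev_len, size_t count)
{
    size_t n = dev_len;
    if (n > DRV_BUF)
        n = DRV_BUF;
    memcpy(read_buf, dev_data, n);
    if (n > count)
        n = count;
    return n;
}

int main(void)
{
    printf("buggy  len=-1 -> %zu bytes copied\n", sticky_len_buggy(-1));
    printf("fixed  len=-1 -> %zu bytes copied\n", sticky_len_fixed(-1));
    printf("write  1024 bytes -> %ld\n", drv_write(sample_big, sizeof sample_big));
    printf("read   1024 from device, user asked 64 -> %zu\n",
           drv_read(sample_big, sizeof sample_big, 64));
    (void)kernel_opt;
    return 0;
}
```

The fixed sticky check is the whole of the Chris Wright patch in miniature: the comparison changes, nothing else, and the negative case falls out of the unsigned domain. In the driver pair, note that the write path rejects while the read path clamps; either is acceptable as long as the copy length can never exceed the destination.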
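The IB/mthca off-by-one entry above describes the scatterlist walk in prose: subtract each entry's length from the offset until an entry contains it, and the bug is that `>=` accepts an offset equal to an entry's length, one past its last byte. The C below is an added model of that walk written for this page, not the mthca driver's code; `struct sg_entry`, the sample list and the function names are constructed. It reproduces the commit's own example (two 4K entries, offset 4K) with both comparisons.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a scatterlist entry: a contiguous chunk of the
 * table with a start address and a length in bytes. Not the driver's types. */
struct sg_entry {
    uintptr_t base;
    size_t length;
};

/* Two 4K entries, as in the commit's example; addresses are made up. */
static const struct sg_entry sample_sg[2] = {
    { 0x10000, 4096 },
    { 0x20000, 4096 },
};

/* Lookup with the off-by-one: ">=" treats an offset equal to the entry's
 * length as inside the entry, so offset 4K resolves to first entry + 4K.
 * Returns 0 when the offset runs past the whole list. */
uintptr_t table_find_buggy(const struct sg_entry *sg, size_t n, size_t offset)
{
    for (size_t i = 0; i < n; i++) {
        if (sg[i].length >= offset)
            return sg[i].base + offset;
        offset -= sg[i].length;
    }
    return 0;
}

/* Corrected lookup: an offset is inside entry i only if it is strictly less
 * than the entry's length; otherwise it is carried into the next entry. */
uintptr_t table_find_fixed(const struct sg_entry *sg, size_t n, size_t offset)
{
    for (size_t i = 0; i < n; i++) {
        if (sg[i].length > offset)
            return sg[i].base + offset;
        offset -= sg[i].length;
    }
    return 0;
}

int main(void)
{
    size_t off = 4096;
    printf("offset %zu: buggy -> 0x%lx, fixed -> 0x%lx\n", off,
           (unsigned long)table_find_buggy(sample_sg, 2, off),
           (unsigned long)table_find_fixed(sample_sg, 2, off));
    return 0;
}
```

With offset 8192 (exactly the end of the list) the buggy version even returns an address past the second entry, which is the "writing the page table into the wrong place" the commit warns about; the fixed version reports it as out of range.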