Commit: 3493bedf275fb45d7d545ca7b00d346d782f0638
Author: Adrian Bunk
Date:   Wed, 16 Jan 2008 23:45:59 +0200

    Linux 2.6.16.59-rc1

Commit: 7e628a288e4046f92892406a5a4dc86610035ecc
Author: Roland McGrath
Date:   Wed, 16 Jan 2008 23:41:47 +0200

    wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)

    patch a3474224e6a01924be40a8255636ea5522c1023a in mainline

    The original meaning of the old test (p->state > TASK_STOPPED) was
    "not dead", since it was before TASK_TRACED existed and before the
    state/exit_state split. It was a wrong correction in commit
    14bf01bb0599c89fc7f426d20353b76e12555308 to make this test for
    TASK_TRACED instead. It should have been changed when TASK_TRACED was
    introduced and again when exit_state was introduced.

    Signed-off-by: Roland McGrath
    Signed-off-by: Adrian Bunk

Commit: 51828e03b3b5627ef6a102f75c565bec85cab040
Author: Eric Sandeen
Date:   Wed, 16 Jan 2008 23:36:44 +0200

    limit minixfs printks on corrupted dir i_size (CVE-2006-6058)

    First reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html

    Essentially a corrupted minix dir inode reporting a very large i_size
    will loop for a very long time in minix_readdir, minix_find_entry,
    etc, because on EIO they just move on to try the next page. This is
    under the BKL, printk-storming as well. This can lock up the machine
    for a very long time.

    Simply ratelimiting the printks gets things back under control. Make
    the message a bit more informative while we're here.

    Adrian Bunk: Backported to 2.6.16.

    Signed-off-by: Eric Sandeen
    Signed-off-by: Adrian Bunk

Commit: bb32327b602955604574fbf1e5254b8756b0a151
Author: Denis Vlasenko
Date:   Wed, 16 Jan 2008 23:25:08 +0200

    fix messages in fs/minix

    Believe it or not, but in fs/minix/*, the oldest filesystem in the
    kernel, something still can be fixed:

        printk("new_inode: bit already set");

    "\n" is missing!

    While at it, I also removed periods from the end of error messages
    and made capitalization uniform. Also s/i-node/inode/, s/printk (/printk(/

    Signed-off-by: Denis Vlasenko
    Signed-off-by: Adrian Bunk

Commit: fb7a7420ea718a6504e5c620ada0e42b23446b27
Author: Linus Torvalds
Date:   Tue, 15 Jan 2008 23:39:01 +0200

    Use access mode instead of open flags to determine needed permissions (CVE-2008-0001)

    patch 974a9f0b47da74e28f68b9c8645c3786aa5ace1a in mainline

    Way back when (in commit 834f2a4a1554dc5b2598038b3fe8703defcbe467, aka
    "VFS: Allow the filesystem to return a full file pointer on open
    intent" to be exact), Trond changed the open logic to keep track of
    the original flags to a file open, in order to pass down the intent
    of a dentry lookup to the low-level filesystem.

    However, when doing that reorganization, it changed the meaning of
    namei_flags, and thus inadvertently changed the test of access mode
    for directories (and RO filesystem) to use the wrong flag. So fix
    those tests back to use access mode ("acc_mode") rather than the open
    flag ("flag").

    Issue noticed by Bill Roman at Datalight.

    Reported-and-tested-by: Bill Roman
    Acked-by: Trond Myklebust
    Acked-by: Al Viro
    Signed-off-by: Linus Torvalds
    Signed-off-by: Adrian Bunk

Commit: 0c0b10ef376c7b320197160f21d6c626ab0a6f4d
Author: Herbert Xu
Date:   Tue, 15 Jan 2008 23:29:47 +0200

    [IPSEC]: Avoid undefined shift operation when testing algorithm ID

    [ Upstream commit: f398035f2dec0a6150833b0bc105057953594edb ]

    The aalgos/ealgos fields are only 32 bits wide. However, af_key tries
    to test them with the expression 1 << id where id can be as large as
    253. This produces different behaviour on different architectures.

    The following patch explicitly checks whether ID is greater than 31
    and fails the check if that's the case.

    We cannot easily extend the mask to be longer than 32 bits due to
    exposure to user-space. Besides, this whole interface is obsolete
    anyway in favour of the xfrm_user interface which doesn't use this
    bit mask in templates (well not within the kernel anyway).

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Adrian Bunk

Commit: 0b9ad3cb150e0fa7bb559e6664fb6c9458c3fd24
Author: Maximilian Attems
Date:   Tue, 15 Jan 2008 23:26:52 +0200

    [IRDA]: irda_create() nuke user triggerable printk

    [ Upstream commit: 9e8d6f8959c356d8294d45f11231331c3e1bcae6 ]

    easy to trigger as user with sfuzz.

    irda_create() is quiet on unknown sock->type, match this behaviour
    for SOCK_DGRAM unknown protocol

    Signed-off-by: Maximilian Attems
    Signed-off-by: David S. Miller
    Signed-off-by: Adrian Bunk

Commit: ffcf747658eff56a00c1606b5d064ea9b6611668
Author: Mark McLoughlin
Date:   Tue, 15 Jan 2008 23:25:01 +0200

    [INET]: Fix netdev renaming and inet address labels

    [ Upstream commit: 44344b2a85f03326c7047a8c861b0c625c674839 ]

    When re-naming an interface, the previous secondary address labels
    get lost e.g.

        $> brctl addbr foo
        $> ip addr add 192.168.0.1 dev foo
        $> ip addr add 192.168.0.2 dev foo label foo:00
        $> ip addr show dev foo | grep inet
        inet 192.168.0.1/32 scope global foo
        inet 192.168.0.2/32 scope global foo:00
        $> ip link set foo name bar
        $> ip addr show dev bar | grep inet
        inet 192.168.0.1/32 scope global bar
        inet 192.168.0.2/32 scope global bar:2

    Turns out to be a simple thinko in inetdev_changename() - clearly we
    want to look at the address label, rather than the device name, for
    a suffix to retain.

    Signed-off-by: Mark McLoughlin
    Signed-off-by: David S. Miller
    Signed-off-by: Adrian Bunk

Commit: d97b07efe475fc99271820c8c45db3092c99774d
Author: Herbert Xu
Date:   Wed, 16 Jan 2008 01:21:00 +0200

    [IPV4] raw: Strengthen check on validity of iph->ihl

    [ Upstream commit: f844c74fe07321953e2dd227fe35280075f18f60 ]

    We currently check that iph->ihl is bounded by the real length and
    that the real length is greater than the minimum IP header length.
    However, we did not check the cases where iph->ihl is less than the
    minimum IP header length. This breaks because some ip_fast_csum
    implementations assume that which is quite reasonable.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Adrian Bunk

Commit: f9fdf12742cdc18ca30ff6c3bec3bf1748deffa7
Author: Li Zefan
Date:   Wed, 16 Jan 2008 01:18:12 +0200

    CONNECTOR: don't touch queue dev after decrement of ref count

    cn_queue_free_callback() will touch 'dev' (i.e. cbq->pdev), so it
    should be called before atomic_dec(&dev->refcnt).

    Signed-off-by: Li Zefan
    Signed-off-by: Adrian Bunk

Commit: 2f248cf37ebe3cf9892905a5356f6f031751a477
Author: Russ Dill
Date:   Wed, 16 Jan 2008 01:13:56 +0200

    [NET] kaweth was forgotten in msec switchover of usb_start_wait_urb

    Back in 2.6.12-pre, usb_start_wait_urb was switched over to take
    milliseconds instead of jiffies. kaweth.c was never updated to match.

    Signed-off-by: Russ Dill
    Signed-off-by: Adrian Bunk

Commit: 3902b59254456107f77820ad42c7f27640f648e9
Author: David S. Miller
Date:   Tue, 15 Jan 2008 23:09:59 +0200

    [SPARC64]: Fix endless loop in cheetah_xcall_deliver().

    [ Upstream commit: 0de56d1ab83323d604d95ca193dcbd28388dbabb ]

    We need to mask out the proper bits when testing the dispatch status
    register else we can see unrelated NACK bits from previous cross call
    sends.

    Signed-off-by: David S. Miller
    Signed-off-by: Adrian Bunk

Commit: 35336fa51a17088020720aa2dc4e5677227a4185
Author: Evgeniy Polyakov
Date:   Wed, 16 Jan 2008 01:02:02 +0200

    [IPV6]: Restore IPv6 when MTU is big enough

    [ Upstream commit: d31c7b8fa303eb81311f27b80595b8d2cbeef950 ]

    Avaid provided test application, so bug got fixed.

    IPv6 addrconf removes ipv6 inner device from netdev each time mtu
    changes and new value is less than IPV6_MIN_MTU (1280 bytes). When
    mtu is changed and new value is greater than IPV6_MIN_MTU, it does
    not add ipv6 addresses and inner device back. This patch fixes that.

    Tested with Avaid's application, which works ok now.

    Signed-off-by: Evgeniy Polyakov
    Signed-off-by: Herbert Xu
    Signed-off-by: Adrian Bunk

Commit: e8a69d24cf98dae9d5087503344cc28e2383f915
Author: Adrian Bunk
Date:   Wed, 16 Jan 2008 00:44:33 +0200

    struct input_device_id mustn't be userspace visible

    struct input_device_id mustn't be userspace visible since it uses
    kernel_ulong_t.

    Signed-off-by: Adrian Bunk

Commit: 16770f51251ce5bc5593abdc5f6c5e4b240205fd
Author: Al Viro
Date:   Sun, 06 Jan 2008 20:38:18 +0200

    missing dma_sync_single_range_for_{cpu,device} on alpha

    no-op as all dma_sync_... there.

    Adrian Bunk: Backported to 2.6.16.

    Signed-off-by: Al Viro
    Signed-off-by: Adrian Bunk

Commit: f150bd4a52f5793813c92e9364195ccb8670d926
Author: Ivan Kokshaysky
Date:   Sun, 06 Jan 2008 20:27:32 +0200

    include/asm-alpha/io_trivial.h build fixes

    This patch cherry picks the following from commit
    9548b209a37397f3036aa5bd3d5b4d3b725aa1:

    fix build failure with gcc-4.2.x: fix up casts in cia_io* routines to
    avoid warnings ('discards qualifiers from pointer target type'), which
    are failures, thanks to -Werror;

    Signed-off-by: Ivan Kokshaysky
    Signed-off-by: Adrian Bunk
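The two bounds checks fixed above (the af_key "1 << id" test in the [IPSEC] entry and the iph->ihl test in the [IPV4] raw entry) share a pattern: a value controlled by user space is used as a shift count or a length before its lower or upper bound is verified. The following is an added example, not code from the kernel; the function names and the sample mask are constructed here to show the unchecked form of each test next to the hardened form that the two commits describe.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Width of the af_key algorithm bit mask (aalgos/ealgos are 32 bits wide). */
#define ALG_MASK_BITS 32u
/* Minimum IPv4 header length in bytes; ihl counts 32-bit words. */
#define IPV4_MIN_HDR_LEN 20u

/* Unchecked form of the af_key test: shifting a 32-bit value by a count of
 * 32 or more is undefined in C, so the result differs by architecture.
 * Kept only for contrast; callers must not pass id >= 32. */
static bool alg_allowed_unchecked(uint32_t mask, unsigned int id)
{
    return (mask & (1u << id)) != 0;
}

/* Hardened form, as the [IPSEC] commit describes: an ID that does not fit
 * in the 32-bit mask fails the check before any shift happens. */
static bool alg_allowed(uint32_t mask, unsigned int id)
{
    if (id >= ALG_MASK_BITS)
        return false;
    return (mask & (1u << id)) != 0;
}

/* Old iph->ihl test as the [IPV4] raw commit describes it: header length
 * bounded by the packet length, packet length at least the minimum header.
 * It accepts ihl values below 5 words, which checksum code assumes never
 * happens. */
static bool ihl_valid_old(unsigned int ihl, size_t pkt_len)
{
    return pkt_len >= IPV4_MIN_HDR_LEN && ihl * 4u <= pkt_len;
}

/* Strengthened test: additionally reject a header shorter than 20 bytes. */
static bool ihl_valid(unsigned int ihl, size_t pkt_len)
{
    return ihl * 4u >= IPV4_MIN_HDR_LEN &&
           pkt_len >= IPV4_MIN_HDR_LEN &&
           ihl * 4u <= pkt_len;
}

int main(void)
{
    /* Constructed mask: algorithm IDs 0 and 5 enabled. */
    const uint32_t mask = 0x21u;
    return (alg_allowed(mask, 5) && !alg_allowed(mask, 253) &&
            alg_allowed_unchecked(mask, 5) &&
            ihl_valid_old(2, 40) && !ihl_valid(2, 40)) ? 0 : 1;
}
```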