commit bf05449fd715e07f967114e7469197e4e7895472
Author: Adrian Bunk
Date:   Mon Jul 14 21:09:24 2008 +0300

    Linux 2.6.16.61-rc1

commit 797fbc12708d07601ac379c92bd1ba777d79d66c
Author: 3ware Inc
Date:   Mon Jul 14 21:09:24 2008 +0300

    3w-xxxx: Prevent data corruption

    Use default DMA data direction to prevent data corruption when using
    SWIOTLB with 4GB+ on EM64T.

    http://www.3ware.com/KB/article.aspx?id=15243&cNode=6I1C6S

    Acked-by: Jean Delvare
    Signed-off-by: Adrian Bunk

commit 89ebd169dd1e8be2c11c100c4decbffdcbd6466b
Author: Al Viro
Date:   Mon Jul 14 21:09:23 2008 +0300

    fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)

    fcntl_setlk()/close() race prevention has a subtle hole - we need to
    make sure that if we *do* have an fcntl/close race on SMP box, the
    access to descriptor table and inode->i_flock won't get reordered.

    As it is, we get STORE inode->i_flock, LOAD descriptor table entry
    vs. STORE descriptor table entry, LOAD inode->i_flock with not a single
    lock in common on both sides.  We do have BKL around the first STORE,
    but check in locks_remove_posix() is outside of BKL and for a good
    reason - we don't want BKL on common path of close(2).

    Solution is to hold ->file_lock around fcheck() in there; that orders
    us wrt removal from descriptor table that preceded locks_remove_posix()
    on close path and we either come first (in which case eviction will be
    handled by the close side) or we'll see the effect of close and do
    eviction ourselves.  Note that even though it's read-only access, we
    do need ->file_lock here - rcu_read_lock() won't be enough to order
    the things.

    Signed-off-by: Al Viro
    Signed-off-by: Adrian Bunk

commit 873496a3485950402ee0436c9d17eeb789157b10
Author: David S. Miller
Date:   Mon Jul 14 21:09:23 2008 +0300

    sit: Add missing kfree_skb() on pskb_may_pull() failure. (CVE-2008-2136)

    Noticed by Paul Marks.

    Signed-off-by: David S. Miller
    Signed-off-by: Adrian Bunk

commit 952ba4e3bd0b3587c4f6f844c0903370e0ec2ac0
Author: David S. Miller
Date:   Mon Jul 14 21:09:23 2008 +0300

    [NETFILTER]: Fix warnings in ip_nat_snmp_basic.c

    net/ipv4/netfilter/ip_nat_snmp_basic.c: In function 'asn1_header_decode':
    net/ipv4/netfilter/ip_nat_snmp_basic.c:248: warning: 'len' may be used unini
    net/ipv4/netfilter/ip_nat_snmp_basic.c:248: warning: 'def' may be used unini
    net/ipv4/netfilter/ip_nat_snmp_basic.c: In function 'snmp_translate':
    net/ipv4/netfilter/ip_nat_snmp_basic.c:672: warning: 'l' may be used uniniti
    net/ipv4/netfilter/ip_nat_snmp_basic.c:668: warning: 'type' may be used unin

    Signed-off-by: David S. Miller
    Signed-off-by: Adrian Bunk

commit ce76a6f4392d1f1ca37fe9514daa69a99db2fcb7
Author: Chris Wright
Date:   Mon Jul 14 21:09:23 2008 +0300

    asn1: additional sanity checking during BER decoding (CVE-2008-1673)

    - Don't trust a length which is greater than the working buffer.
      An invalid length could cause overflow when calculating buffer size
      for decoding oid.

    - An oid length of zero is invalid and allows for an off-by-one error
      when decoding oid because the first subid actually encodes first 2
      subids.

    - A primitive encoding may not have an indefinite length.

    Thanks to Wei Wang from McAfee for the report.

    Acked-by: Patrick McHardy
    Signed-off-by: Chris Wright
    Signed-off-by: Adrian Bunk

commit b9954f3d67c9f9e8611ec6c94955eecc0e309a26
Author: Patrick McHardy
Date:   Mon Jul 14 21:09:22 2008 +0300

    TCP: Fix shrinking windows with window scaling

    Upstream commit: 607bfbf2d55dd1cfe5368b41c2a81a8c9ccf4723

    When selecting a new window, tcp_select_window() tries not to shrink
    the offered window by using the maximum of the remaining offered window
    size and the newly calculated window size. The newly calculated window
    size is always a multiple of the window scaling factor, the remaining
    window size however might not be since it depends on rcv_wup/rcv_nxt.
    This means we're effectively shrinking the window when scaling it down.

    The dump below shows the problem (scaling factor 2^7):

    - Window size of 557 (71296) is advertised, up to 3111907257:

    IP 172.2.2.3.33000 > 172.2.2.2.33000: . ack 3111835961 win 557 <...>

    - New window size of 514 (65792) is advertised, up to 3111907217, 40 bytes
      below the last end:

    IP 172.2.2.3.33000 > 172.2.2.2.33000: . 3113575668:3113577116(1448) ack 3111841425 win 514 <...>

    The number 40 results from downscaling the remaining window:

    3111907257 - 3111841425 = 65832
    65832 / 2^7 = 514
    65832 % 2^7 = 40

    If the sender uses up the entire window before it is shrunk, this can have
    chaotic effects on the connection. When sending ACKs, tcp_acceptable_seq()
    will notice that the window has been shrunk since tcp_wnd_end() is before
    tp->snd_nxt, which makes it choose tcp_wnd_end() as sequence number.
    This will fail the receiver's checks in tcp_sequence() however since it
    is before its tp->rcv_wup, making it respond with a dupack. If both sides
    are in this condition, this leads to a constant flood of ACKs until the
    connection times out.

    Make sure the window is never shrunk by aligning the remaining window to
    the window scaling factor.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Adrian Bunk

commit 69731ebbb3d2283c2c33a2bf262d785e2362b876
Author: Juergen Beisert
Date:   Sun Jul 6 18:17:23 2008 +0300

    x86: Replace NSC/Cyrix specific chipset access macros by inlined functions.

    Due to index register access ordering problems, when using macros a line
    like this fails (and does nothing):

    setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88);

    With inlined functions this line will work as expected.

    Note about a side effect: Seems on Geode GX1 based systems the "suspend
    on halt power saving feature" was never enabled due to this wrong macro
    expansion. With inlined functions it will be enabled, but this will stop
    the TSC when the CPU runs into a HLT instruction. Kernel outputs
    something like this:

    Clocksource tsc unstable (delta = -472746897 ns)

    This is the 3rd version of this patch.
    - Adding missed arch/i386/kernel/cpu/mtrr/state.c
      Thanks to Andres Salomon
    - Adding some big fat comments into the new header file
      Suggested by Andi Kleen

    AK: fixed x86-64 compilation

    Adrian Bunk: Added workaround for x86_64 compilation.

    Signed-off-by: Juergen Beisert
    Signed-off-by: Andi Kleen
    Signed-off-by: Adrian Bunk

commit 8b828b3c8e88d9c462f5389654c84aae3e42392e
Author: Heiko Carstens
Date:   Fri Apr 11 00:33:23 2008 +0300

    Disable DETECT_SOFTLOCKUP for s390

    From: Heiko Carstens

    We got several false bug reports because of enabled
    CONFIG_DETECT_SOFTLOCKUP. Disable soft lockup detection on s390, since
    it doesn't work on a virtualized architecture.

    Signed-off-by: Heiko Carstens
    Signed-off-by: Adrian Bunk

commit 363aae61f7124e3f4ecc19d150a69f701bc098fa
Author: Thomas Graf
Date:   Wed Mar 19 23:14:34 2008 +0200

    [DECNet] fib: Fix out of bound access of dn_fib_props[]

    Fixes a typo which caused fib_props[] to have the wrong size and
    makes sure the value used to index the array which is provided by
    userspace via netlink is checked to avoid out of bound access.

    Signed-off-by: Thomas Graf
    Signed-off-by: David S. Miller
    Signed-off-by: Adrian Bunk

commit 03b7f70b359bcf52ac57516d18fa0f956a5eacf7
Author: Oliver Neukum
Date:   Wed Mar 19 22:43:12 2008 +0200

    USB: race on disconnect in mdc800

    I overlooked one. Setting the flag and killing the URBs must be under
    the lo so that no URB is submitted after usb_kill_urb()

    Adrian Bunk: Backported to 2.6.16.

    Signed-off-by: Oliver Neukum
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Adrian Bunk

commit 4743272d12d443e241e02e2361db2f4c2dcb480e
Author: Adrian Bunk
Date:   Fri Mar 14 22:05:58 2008 +0200

    gcc >= 4.3 is not supported

    Building kernel 2.6.16 with gcc 4.3 is completely untested, and you
    might run into both kernel and gcc problems (as always with new gcc
    versions).

    For making this obvious the kernel build now #error's when trying to
    build with gcc >= 4.3.

    The kernel might work fine when compiled with gcc 4.3 and it's
    therefore possible to remove the #error, but if someone really longs
    for regressions he can as well try a more recent kernel instead.

    Signed-off-by: Adrian Bunk
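The three BER sanity checks from the CVE-2008-1673 commit above (length larger than the working buffer, zero-length OID, primitive with indefinite length), shown in a small header decoder. This is an added example, not the kernel's ip_nat_snmp_basic.c; the function names and the ber_ctx layout are assumptions, and the test inputs are constructed.

```c
/* Added example, not the kernel's ip_nat_snmp_basic.c: a minimal BER
 * tag/length header decoder carrying the three sanity checks from the
 * CVE-2008-1673 fix. Names and the ber_ctx layout are assumptions. */
#include <stddef.h>
#include <stdint.h>
struct ber_ctx { const uint8_t *p, *end; };

/* Decode one BER header; returns 1 and sets *constructed and *len on
 * success (len is 0 for indefinite length), 0 on malformed input. */
static int ber_header_decode(struct ber_ctx *ctx, int *constructed, size_t *len)
{
    if (ctx->p >= ctx->end)
        return 0;
    uint8_t id = *ctx->p++;
    *constructed = (id & 0x20) != 0;
    if ((id & 0x1f) == 0x1f || ctx->p >= ctx->end)
        return 0;                  /* high-tag-number form not handled */
    uint8_t l = *ctx->p++;
    if (l == 0x80) {               /* indefinite length */
        /* Check 3: a primitive encoding may not have an indefinite length */
        *len = 0;
        return *constructed;
    }
    if (l < 0x80) {
        *len = l;
    } else {                       /* long form: next n bytes hold the length */
        unsigned n = l & 0x7f;
        if (n == 0 || n > sizeof(size_t) || (size_t)(ctx->end - ctx->p) < n)
            return 0;
        *len = 0;
        while (n--)
            *len = (*len << 8) | *ctx->p++;
    }
    /* Check 1: don't trust a length greater than the working buffer */
    if (*len > (size_t)(ctx->end - ctx->p))
        return 0;
    /* Check 2: a zero-length OID (tag 0x06) is invalid, since its first
     * byte encodes the first two subids */
    if ((id & 0x1f) == 0x06 && !*constructed && *len == 0)
        return 0;
    return 1;
}
/* Decode the header at the start of buf; 1 if accepted, 0 if rejected. */
int ber_accepts(const uint8_t *buf, size_t n)
{
    struct ber_ctx ctx = { buf, buf + n };
    int con; size_t len;
    return ber_header_decode(&ctx, &con, &len);
}
```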
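The window-shrinking arithmetic from the "TCP: Fix shrinking windows with window scaling" commit above, worked through with the dump's own numbers. This is an added example, not tcp_select_window() or any other kernel code; the function names are assumptions, and the alignment step models the fix the commit describes (aligning the remaining window to the scale factor).

```c
/* Added example, not the kernel's tcp_select_window(): models how downscaling
 * an unaligned remaining window shrinks it, and the described fix of aligning
 * that window to the scale factor. Function names are assumptions; the
 * sequence numbers and scale factor are the ones from the dump above. */
#include <stdint.h>

/* The 16-bit window field carries window >> wscale; the peer sees it << wscale. */
static uint32_t advertised_bytes(uint32_t window, unsigned wscale)
{
    return (window >> wscale) << wscale;
}

/* Old behaviour: keep the raw remaining window (old_end - ack). When it is
 * not a multiple of 1 << wscale the right edge moves backwards once scaled. */
uint32_t old_window_end(uint32_t old_end, uint32_t ack, unsigned wscale)
{
    uint32_t cur_win = old_end - ack;
    return ack + advertised_bytes(cur_win, wscale);
}

/* Fixed behaviour: round the remaining window up to the scale factor so the
 * advertised right edge never retreats below the edge already offered. */
uint32_t new_window_end(uint32_t old_end, uint32_t ack, unsigned wscale)
{
    uint32_t cur_win = old_end - ack;
    uint32_t unit = 1u << wscale;
    uint32_t aligned = (cur_win + unit - 1) & ~(unit - 1);
    return ack + advertised_bytes(aligned, wscale);
}

/* Bytes by which the right edge was pulled back relative to old_end, 0 if none. */
uint32_t shrink_bytes(uint32_t old_end, uint32_t new_end)
{
    return new_end < old_end ? old_end - new_end : 0;
}
```

Rounding up can offer up to (1 << wscale) - 1 bytes beyond the raw remaining window; the fix accepts that rather than letting the right edge retreat, which is what triggered the dupack flood the commit describes.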