commit 9b288acb26059e30e66f14bf8b1b75c9f3a208f1
Author: Greg Kroah-Hartman
Date:   Mon Dec 26 16:26:33 2005 -0800

    Linux 2.6.14.5

commit 0a63dca5ae2f975e08deae7e6c743a477af04367
Author: Andreas Gruenbacher
Date:   Tue Dec 20 16:29:05 2005 +0100

    [PATCH] setting ACLs on readonly mounted NFS filesystems (CVE-2005-3623)

    We must check for MAY_SATTR before setting acls, which includes checking
    for read-only exports: the lower-level setxattr operation that eventually
    sets the acl cannot check export-level restrictions.

    Bug reported by Martin Walter.

    Signed-off-by: Andreas Gruenbacher
    Signed-off-by: Greg Kroah-Hartman

commit 841f70676036b309f7102e2c8024dc68c3946990
Author: Stefan Richter
Date:   Wed Dec 14 23:34:11 2005 +0100

    [PATCH] SCSI: fix transfer direction in scsi_lib and st

    SCSI: fix transfer direction in scsi_lib and st

    scsi_prep_fn and st_init_command could issue WRITE requests with zero
    buffer length. This may lead to kernel panic or oops with some SCSI
    low-level drivers.

    Derived from -rc patches from Jens Axboe and James Bottomley.

    Patch is reassembled for -stable from patches:
    [SCSI] fix panic when ejecting ieee1394 ipod
    [SCSI] Consolidate REQ_BLOCK_PC handling path (fix ipod panic)

    Depends on patch "SCSI: fix transfer direction in sd (kernel panic when
    ejecting iPod)". Also modifies the already correct sr_init_command to
    fully match the corresponding -rc patch.

    Signed-off-by: Stefan Richter
    Signed-off-by: Greg Kroah-Hartman

commit 8e58cb47ade0e69f3c953a41b67913c430c67879
Author: Stefan Richter
Date:   Wed Dec 14 23:32:33 2005 +0100

    [PATCH] SCSI: fix transfer direction in sd (kernel panic when ejecting iPod)

    SCSI: fix transfer direction in sd (kernel panic when ejecting iPod)

    sd_init_command could issue WRITE requests with zero buffer length. This
    may lead to kernel panic or oops with some SCSI low-level drivers.

    Seen with the command "eject /dev/sdX" when disconnecting an iPod:
    http://marc.theaimsgroup.com/?l=linux1394-devel&m=113399994920181
    http://marc.theaimsgroup.com/?l=linux1394-user&m=112152701817435

    Derived from -rc patches from Jens Axboe and James Bottomley.

    Patch is reassembled for -stable from patches:
    [SCSI] fix panic when ejecting ieee1394 ipod
    [SCSI] Consolidate REQ_BLOCK_PC handling path (fix ipod panic)

    Signed-off-by: Stefan Richter
    Signed-off-by: Greg Kroah-Hartman

commit eec59235580a82f31ec66e066666332b804b0714
Author: Jason Wessel
Date:   Tue Dec 20 23:41:02 2005 +0100

    [PATCH] kernel/params.c: fix sysfs access with CONFIG_MODULES=n

    All the work was done to set up the file and maintain the file handles but
    the access functions were zeroed out due to the #ifdef. Removing the
    #ifdef allows full access to all the parameters when CONFIG_MODULES=n.

    akpm: put it back again, but use CONFIG_SYSFS instead.

    This patch has already been included in Linus' tree.

    Signed-off-by: Jason Wessel
    Signed-off-by: Andrew Morton
    Signed-off-by: Adrian Bunk
    Signed-off-by: Greg Kroah-Hartman

commit dcf588a64b8c1ba57d2430363a6d0050e8d18072
Author: Dmitry Torokhov
Date:   Wed Dec 21 23:13:17 2005 -0500

    [PATCH] Input: fix an OOPS in HID driver

    This patch fixes an OOPS in HID driver when connecting simulation
    devices generating unknown simulation events.

    Signed-off-by: Dmitry Torokhov
    Acked-by: Vojtech Pavlik
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 5bc50c7bd333ab656acc16c1539c29d3d9a65600
Author: David S. Miller
Date:   Mon Dec 19 17:03:02 2005 -0800

    [PATCH] Perform SA switchover immediately.

    When we insert a new xfrm_state which potentially subsumes an existing
    one, make sure all cached bundles are flushed so that the new SA is used
    immediately.

    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 974674b84fe907035254bc0a5257a4e1c511f156
Author: YOSHIFUJI Hideaki
Date:   Mon Dec 19 17:01:49 2005 -0800

    [PATCH] Fix route lifetime.

    The route expiration time is stored in rt6i_expires in jiffies. The
    argument of rt6_route_add() for adding a route is not the expiration time
    in jiffies nor in clock_t, but the lifetime (or time left before
    expiration) in clock_t.

    Because of the confusion, we sometimes saw several strange errors (FAILs)
    in TAHI IPv6 Ready Logo Phase-2 Self Test.

    The symptoms were analyzed by Mitsuru Chinen.

    Signed-off-by: YOSHIFUJI Hideaki
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit a7508849e7d21b89010539d54359ef8f3d89e8ec
Author: Bart De Schuymer
Date:   Mon Dec 19 17:00:13 2005 -0800

    [PATCH] Fix bridge-nf ipv6 length check

    A typo caused some bridged IPv6 packets to get dropped randomly, as
    reported by Sebastien Chaumontet. The patch below fixes this (using
    skb->nh.raw instead of raw) and also makes the jumbo packet length
    checking up-to-date with the code in
    net/ipv6/exthdrs.c::ipv6_hop_jumbo.

    Signed-off-by: Bart De Schuymer
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 101d4c3fd9466a43e7c43e627979246c53cdf33c
Author: Kristian Slavov
Date:   Mon Dec 19 16:59:18 2005 -0800

    [PATCH] Fix RTNLGRP definitions in rtnetlink.h

    I reported a problem and gave hints to the solution, but nobody seemed
    to react. So I prepared a patch against 2.6.14.4.

    Tested on 2.6.14.4 with "ip monitor addr" and with the program attached,
    while adding and removing IPv6 address. Both programs didn't receive any
    messages. Tested 2.6.14.4 + this patch, and both programs received add
    and remove messages.

    Signed-off-by: Kristian Slavov
    Acked-by: Jamal Hadi salim
    ACKed-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit d7709473c4a79ea3e90a8e44d81733ec2dc302de
Author: Patrick McHardy
Date:   Mon Dec 19 16:58:12 2005 -0800

    [PATCH] Fix incorrect dependency for IP6_NF_TARGET_NFQUEUE

    IP6_NF_TARGET_NFQUEUE depends on IP6_NF_IPTABLES, not IP_NF_IPTABLES.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 9eda9ffc608c2a200754905ceeb68fda1d2b5873
Author: Patrick McHardy
Date:   Mon Dec 19 16:57:21 2005 -0800

    [PATCH] Fix NAT init order

    As noticed by Phil Oester, the GRE NAT protocol helper is initialized
    before the NAT core, which makes registration fail. Change the linking
    order to make NAT be initialized first.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit ed67d6e838c2203a64d815596e400822d5283875
Author: Stephen Hemminger
Date:   Wed Dec 14 16:29:02 2005 -0800

    [PATCH] Fix hardware rx csum errors

    Receiving VLAN packets over a device (without VLAN assist) that is doing
    hardware checksumming (CHECKSUM_HW), causes errors because the VLAN code
    forgets to adjust the hardware checksum.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 53e2254fe13b88de5957b22a5264e8e01e599f51
Author: Herbert Xu
Date:   Wed Dec 14 13:02:35 2005 -0800

    [PATCH] Fix hardware checksum modification

    The skb_postpull_rcsum introduced a bug to the checksum modification.
    Although the length pulled is offset bytes, the origin of the pulling is
    the GRE header, not the IP header.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit fe2e17a405a58ec8a7138fee4ebe101858b636e0
Author: Salyzyn, Mark
Date:   Sat Dec 17 19:26:30 2005 -0800

    [PATCH] dpt_i2o fix for deadlock condition

    Miquel van Smoorenburg forwarded me this fix to resolve a deadlock
    condition that occurs due to the API change in 2.6.13+ kernels dropping
    the host locking when entering the error handling. They all end up
    calling adpt_i2o_post_wait(), which if you call it unlocked, might
    return with host_lock locked anyway and that causes a deadlock.

    Signed-off-by: Mark Salyzyn
    Cc: James Bottomley
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 6968ecfca8822055cfe121214c0786e4eecc038e
Author: Yu Luming
Date:   Sat Nov 19 15:53:56 2005 -0800

    [PATCH] apci: fix NULL deref in video/lcd/brightness

    Fix Null pointer deref in video/lcd/brightness

    http://bugzilla.kernel.org/show_bug.cgi?id=5571

    Signed-off-by: Yu Luming
    Cc: "Brown, Len"
    Signed-off-by: Thomas Renninger
    Signed-off-by: Nishanth Aravamudan
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit b72c1d0c14634506a2ff740033ab1bda3c3d5d7f
Author: Patrick McHardy
Date:   Tue Dec 13 12:26:07 2005 +0100

    [PATCH] Fix unbalanced read_unlock_bh in ctnetlink

    NFA_NEST calls NFA_PUT which jumps to nfattr_failure if the skb has no
    room left. We call read_unlock_bh at nfattr_failure for the NFA_PUT
    inside the locked section, so move NFA_NEST inside the locked section
    too.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller
    Signed-off-by: Krzysztof Piotr Oledzki
    Signed-off-by: Greg Kroah-Hartman

commit 1e7d00170b9215692eee2628c2a7d6af86cabfa7
Author: Krzysztof Oledzki
Date:   Tue Dec 13 10:56:08 2005 +0100

    [PATCH] Fix CTA_PROTO_NUM attribute size in ctnetlink

    CTA_PROTO_NUM is a u_int8_t.

    Based on original patch by Patrick McHardy

    Signed-off-by: Krzysztof Piotr Oledzki
    Signed-off-by: Greg Kroah-Hartman