Commit: ca634cfa84e5aed7b62af887d1bb921a8cb35e32
Author: Adrian Bunk
Sat, 20 Jan 2007 18:54:03 +0100

Linux 2.6.16.38

Commit: e6e4dd3b1b952c4950809fabafb13defc856c9b1
Author: Adrian Bunk
Thu, 18 Jan 2007 16:13:44 +0100

Linux 2.6.16.38-rc2

Commit: a615d90f7e20de92ff59d3825f62aa7c1199dba8
Author: YOSHIFUJI Hideaki
Thu, 18 Jan 2007 16:11:56 +0100

[IPV6] Fix joining all-node multicast group.

Signed-off-by: Adrian Bunk

Commit: 12f5aa0834c6f2d55382daed856af509cd54b9f6
Author: Paolo 'Blaisorblade' Giarrusso
Sun, 14 Jan 2007 15:42:49 +0100

UML: fix the MODE_TT compilation

Signed-off-by: Paolo 'Blaisorblade' Giarrusso
Signed-off-by: Adrian Bunk

Commit: ac5d18dff7078c79737f7ac3e8543b670f97444f
Author: Adrian Bunk
Tue, 09 Jan 2007 04:12:13 +0100

Linux 2.6.16.38-rc1

Commit: e02612a14b2b714e9d231d14c91e729f0f168299
Author: Adrian Bunk
Tue, 09 Jan 2007 03:36:59 +0100

x86_64: re-add a newline to RESTORE_CONTEXT

RESTORE_CONTEXT lost a newline:
http://www.mail-archive.com/kgdb-bugreport@lists.sourceforge.net/msg00559.html

Reported by Steven M. Christey.

Signed-off-by: Adrian Bunk

Commit: 7d83cf4b5fc61b4a890a03c912e3df2ad2914091
Author: Clemens Ladisch
Mon, 08 Jan 2007 23:12:26 +0100

ALSA: snd_rtctimer: handle RTC interrupts with a tasklet

The calls to rtc_control() from inside the interrupt handler can deadlock the RTC code, so move our interrupt handling code to a tasklet.

Signed-off-by: Clemens Ladisch
Acked-By: Takashi Iwai
Signed-off-by: Adrian Bunk

Commit: 8ae749cc41ff674b85afaa2e5b70ad35d2e79078
Author: Arnaud Patard
Mon, 08 Jan 2007 23:09:59 +0100

ALSA: emu10k1: Fix outl() in snd_emu10k1_resume_regs()

The emu10k1 driver saves the A_IOCFG and HCFG register on suspend and restores it on resume. Unfortunately, this doesn't work as the arguments to outl() are reversed.
Signed-off-by: Arnaud Patard
Signed-off-by: Takashi Iwai
Signed-off-by: Adrian Bunk

Commit: 748edb446a1b261da8ae5d46210f2ff7f7d345f9
Author: Takashi Iwai
Mon, 08 Jan 2007 23:09:11 +0100

ALSA: Fix initialization of user-space controls

Fix an assertion when accessing a user-defined control due to lack of initialization (appears only when CONFIG_SND_DEBUG is enabled).

ALSA sound/core/control.c:660: BUG? (info->access == 0)

Signed-off-by: Takashi Iwai
Signed-off-by: Adrian Bunk

Commit: f701db35660a6017bef6d6e911d095bcf8b74010
Author: Andrey Mirkin
Mon, 08 Jan 2007 23:07:27 +0100

skip data conversion in compat_sys_mount when data_page is NULL

The OpenVZ Linux kernel team has found a problem with mounting in compat mode. The simple command "mount -t smbfs ..." on a Fedora Core 5 distro in 32-bit mode leads to an oops:

Unable to handle kernel NULL pointer dereference at 0000000000000000
RIP: [] compat_sys_mount+0xd6/0x290
PGD 34d48067 PUD 34d03067 PMD 0
Oops: 0000 [1] SMP
CPU: 0
Modules linked in: iptable_nat simfs smbfs ip_nat ip_conntrack vzdquota parport_pc lp parport 8021q bridge llc vznetdev vzmon nfs lockd sunrpc vzdev iptable_filter af_packet xt_length ipt_ttl xt_tcpmss ipt_TCPMSS iptable_mangle xt_limit ipt_tos ipt_REJECT ip_tables x_tables thermal processor fan button battery asus_acpi ac uhci_hcd ehci_hcd usbcore i2c_i801 i2c_core e100 mii floppy ide_cd cdrom
Pid: 14656, comm: mount
RIP: 0060:[] [] compat_sys_mount+0xd6/0x290
RSP: 0000:ffff810034d31f38 EFLAGS: 00010292
RAX: 000000000000002c RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff810034c86bc0 RSI: 0000000000000096 RDI: ffffffff8061fc90
RBP: ffff810034d31f78 R08: 0000000000000000 R09: 000000000000000d
R10: ffff810034d31e58 R11: 0000000000000001 R12: ffff810039dc3000
R13: 000000000805ea48 R14: 0000000000000000 R15: 00000000c0ed0000
FS: 0000000000000000(0000) GS:ffffffff80749000(0033) knlGS:00000000b7d556b0
CS: 0060 DS: 007b ES: 007b CR0: 000000008005003b
CR2: 0000000000000000 CR3: 0000000034d43000 CR4: 00000000000006e0
Process mount (pid: 14656, veid=300, threadinfo ffff810034d30000, task ffff810034c86bc0)
Stack: 0000000000000000 ffff810034dd0000 ffff810034e4a000 000000000805ea48
0000000000000000 0000000000000000 0000000000000000 0000000000000000
000000000805ea48 ffffffff8021e64e 0000000000000000 0000000000000000
Call Trace: [] ia32_sysret+0x0/0xa
Code: 83 3b 06 0f 85 41 01 00 00 0f b7 43 0c 89 43 14 0f b7 43 0a
RIP [] compat_sys_mount+0xd6/0x290 RSP
CR2: 0000000000000000

The problem is that the data_page pointer can be NULL, so we should skip data conversion in this case.

Signed-off-by: Andrey Mirkin
Signed-off-by: Adrian Bunk

Commit: 80d0613d3f7076e5c478999f309d12d6ba46a220
Author: Peter Zijlstra
Mon, 08 Jan 2007 09:09:15 +0100

rtc: lockdep fix/workaround

BUG: warning at kernel/lockdep.c:1816/trace_hardirqs_on() (Not tainted)
[] show_trace_log_lvl+0x58/0x171
[] show_trace+0xd/0x10
[] dump_stack+0x19/0x1b
[] trace_hardirqs_on+0xa2/0x11e
[] _spin_unlock_irq+0x22/0x26
[] rtc_get_rtc_time+0x32/0x176
[] hpet_rtc_interrupt+0x92/0x14d
[] handle_IRQ_event+0x20/0x4d
[] __do_IRQ+0x94/0xef
[] do_IRQ+0x9e/0xbd
[] common_interrupt+0x25/0x2c
DWARF2 unwinder stuck at common_interrupt+0x25/0x2c

Signed-off-by: Peter Zijlstra
Signed-off-by: Adrian Bunk

Commit: 028f0b0041f1bbd0a4f5cd1c4db452b276382115
Author: Chuck Ebbert <76306.1226@compuserve.com>
Mon, 08 Jan 2007 07:11:50 +0100

ebtables: check struct type before computing gap

Check struct type before dereferencing fields in ebt_entry. Failure to check can cause an oops.

Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Acked-by: Al Viro
Signed-off-by: Adrian Bunk

Commit: 55f645946c66b354a52d30b512f1af73c61dfb60
Author: Maxime Bizon
Mon, 08 Jan 2007 07:07:36 +0100

i2c-mv64xxx: Fix random oops at boot

I have a Marvell board which has the same i2c hw block as mv64xxx, so I'm trying to use the i2c-mv64xxx driver.
But I get the following random oops at boot:

Unable to handle kernel NULL pointer dereference at virtual address 00000002
Backtrace:
[] (mv64xxx_i2c_intr+0x0/0x2b8) from [] (__do_irq+0x4c/0x8c)
[] (__do_irq+0x0/0x8c) from [] (do_level_IRQ+0x68/0xc0)
r8 = C0501E08 r7 = 00000005 r6 = C0501E08 r5 = 00000005 r4 = C048BB78
[] (do_level_IRQ+0x0/0xc0) from [] (asm_do_IRQ+0x50/0x134)
r6 = C0449C78 r5 = F1020000 r4 = FFFFFFFF
[] (asm_do_IRQ+0x0/0x134) from [] (__irq_svc+0x24/0x100)
r8 = C1CAC400 r7 = 00000005 r6 = 00000002 r5 = F1020000 r4 = FFFFFFFF
[] (setup_irq+0x0/0x124) from [] (request_irq+0xb0/0xd0)
r7 = C041B2AC r6 = C0397E4C r5 = 00000000 r4 = 00000005
[] (request_irq+0x0/0xd0) from [] (mv64xxx_i2c_probe+0x148/0x244)
[] (mv64xxx_i2c_probe+0x0/0x244) from [] (platform_drv_probe+0x20/0x24)

The oops is caused by a spurious interrupt that occurs when request_irq is called. mv64xxx_i2c_fsm() tries to read drv_data->msg, which is NULL. I noticed that hardware init is done after requesting the irq. Thus any pending irq from previous hardware usage may cause this.

Signed-off-by: Maxime Bizon
Signed-off-by: Jean Delvare
Signed-off-by: Adrian Bunk

Commit: c5b35ed9d5afda73cf7b00115d6e578cfe42d298
Author: Jean Delvare
Mon, 08 Jan 2007 07:05:19 +0100

V4L: cx88: Fix leadtek_eeprom tagging

reference to .init.text: from .text between 'cx88_card_setup' (at offset 0x68c) and 'cx88_risc_field'

Caused by leadtek_eeprom() being declared __devinit and called from a non-devinit context.

Signed-off-by: Jean Delvare
Signed-off-by: Marcel Holtmann

Commit: d1f34c8e3fa155c1ae9599cd67a60debac66f6c0
Author: Phillip Lougher
Mon, 08 Jan 2007 07:02:45 +0100

corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)

Steve Grubb's fsfuzzer tool (http://people.redhat.com/sgrubb/files/fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops is an unchecked corrupted block length field read by cramfs_readpage().
This patch adds a sanity check to cramfs_readpage() which checks that the block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is intentional: even though the uncompressed data is not going to be larger than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than the original source data. Mkcramfs checks that the compressed size is always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could use the original uncompressed data in this case, but it doesn't.

Signed-off-by: Phillip Lougher
Signed-off-by: Adrian Bunk

Commit: 04900014a73e4275a44f58bf55bc6cca8a65bc4d
Author: Eric Sandeen
Mon, 08 Jan 2007 07:01:06 +0100

handle ext3 directory corruption better (CVE-2006-6053)

I've been using Steve Grubb's purely evil "fsfuzzer" tool, at
http://people.redhat.com/sgrubb/files/fsfuzzer-0.4.tar.gz

Basically it makes a filesystem, splats some random bits over it, then tries to mount it and do some simple filesystem actions.

At best, the filesystem catches the corruption gracefully. At worst, things spin out of control.

As you might guess, we found a couple places in ext3 where things spin out of control :)

First, we had a corrupted directory that was never checked for consistency... it was corrupt, and pointed to another bad "entry" of length 0. The for() loop looped forever, since the length of ext3_next_entry(de) was 0, and we kept looking at the same pointer over and over and over and over...

I modeled this check and subsequent action on what is done for other directory types in ext3_readdir... (adding this check adds some computational expense; I am testing a followup patch to reduce the number of times we check and re-check these directory entries, in all cases. Thanks for the idea, Andreas).

Next we had a root directory inode which had a corrupted size, claimed to be > 200M on a 4M filesystem.
There was only really 1 block in the directory, but because the size was so large, readdir kept coming back for more, spewing thousands of printk's along the way. Per Andreas' suggestion, if we're in this read error condition and we're trying to read an offset which is greater than i_blocks worth of bytes, stop trying, and break out of the loop.

With these two changes fsfuzz test survives quite well on ext3.

Signed-off-by: Eric Sandeen
Signed-off-by: Adrian Bunk

Commit: b87d1a00d3eb7fb1eba6e7db2e26342724c0410e
Author: Eric Sandeen
Mon, 08 Jan 2007 06:59:28 +0100

ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054)

This one was pointed out on the MOKB site:
http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html

If a directory's i_size is corrupted, ext2_find_entry() will keep processing pages until the i_size is reached, even if there are no more blocks associated with the directory inode. This patch puts in some minimal sanity-checking so that we don't keep checking pages (and issuing errors) if we know there can be no more data to read, based on the block count of the directory inode. This is somewhat similar in approach to the ext3 patch I sent earlier this year.

Signed-off-by: Eric Sandeen
Signed-off-by: Adrian Bunk

Commit: ad3c43bb4a85be908332a2872b0ba9d368a7f329
Author: Eric Sandeen
Mon, 08 Jan 2007 06:55:37 +0100

hfs_fill_super returns success even if no root inode (CVE-2006-6056)

http://kernelfun.blogspot.com/2006/11/mokb-14-11-2006-linux-26x-selinux.html

mount that image...

fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended. mounting read-only.
hfs: get root inode failed.
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018
printing eip
...
EIP is at superblock_doinit+0x21/0x767
...
[] selinux_sb_kern_mount+0xc/0x4b
[] vfs_kern_mount+0x99/0xf6
[] do_kern_mount+0x2d/0x3e
[] do_mount+0x5fa/0x66d
[] sys_mount+0x77/0xae
[] syscall_call+0x7/0xb
DWARF2 unwinder stuck at syscall_call+0x7/0xb

hfs_fill_super() returns success even if

root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);

or

sb->s_root = d_alloc_root(root_inode);

fails. This superblock finds its way to superblock_doinit() which does:

struct dentry *root = sb->s_root;
struct inode *inode = root->d_inode;

and boom. Need to make sure the error cases return an error, I think.

[akpm@osdl.org: return -ENOMEM on oom]
Signed-off-by: Eric Sandeen
Signed-off-by: Andrew Morton
Signed-off-by: Adrian Bunk

Commit: 6a4121f687fa1236f2414bcaf78917d5804be587
Author: Adrian Bunk
Sun, 07 Jan 2007 01:01:19 +0100

USB_RTL8150 must select MII to avoid link errors.

Stolen from a patch by Randy Dunlap.

Signed-off-by: Adrian Bunk

Commit: ac7663f17a4b5dc08776eb71f870bde40a0e5a37
Author: Badari Pulavarty
Sun, 07 Jan 2007 00:58:15 +0100

Fix for shmem_truncate_range() BUG_ON()

Ran into BUG() while doing madvise(REMOVE) testing. If we are punching a hole into a shared memory segment using madvise(REMOVE) and the entire hole is below the indirect blocks, we hit the following assert.

BUG_ON(limit <= SHMEM_NR_DIRECT);

Signed-off-by: Badari Pulavarty
Forwarded-by: Jordan Neumeyer
Signed-off-by: Adrian Bunk

Commit: 45c97a2582a6dc2a41fbb71b14fd4c61402ad926
Author: John Heffner
Sat, 06 Jan 2007 22:31:44 +0100

TCP: Fix and simplify microsecond rtt sampling

This changes the microsecond RTT sampling so that samples are taken in the same way that RTT samples are taken for the RTO calculator: on the last segment acknowledged, and only when the segment hasn't been retransmitted.

Signed-off-by: John Heffner
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: b045ce09ba5d408725868d5d2e36f213c8a6ed02
Author: Paolo 'Blaisorblade' Giarrusso
Sat, 06 Jan 2007 05:18:55 +0100

uml: fix processor selection

Makes UML compile on any possible processor choice. The two problems were:

*) x86 code, when 386 is selected, checks boot_cpuflags at runtime, which we do not have.

*) 3Dnow support for memcpy() et al. does not compile currently and fixing it is not trivial, so simply disable it; with this change, if one selects MK UML compiles (while it did not).

Merged upstream.

Signed-off-by: Paolo 'Blaisorblade' Giarrusso
Signed-off-by: Adrian Bunk

Commit: 152ecd2726ff526aabf7510b379a1a8ffb05d3ec
Author: Willy Tarreau
Sat, 06 Jan 2007 02:31:24 +0100

rio: typo in bitwise AND expression.

The line:

hp->Mode &= !RIO_PCI_INT_ENABLE;

is obviously wrong as RIO_PCI_INT_ENABLE=0x04 and is used as a bitmask 2 lines before. Getting no IRQ would not disable RIO_PCI_INT_ENABLE but rather RIO_PCI_BOOT_FROM_RAM which equals 0x01. The obvious fix is to change ! for ~.

Signed-off-by: Willy Tarreau
Signed-off-by: Adrian Bunk

Commit: c6b135f0b02f2104475ce279ac3cb7442419cd2a
Author: Chuck Short
Sat, 06 Jan 2007 01:22:29 +0100

drm: allow detection of new VIA chipsets

Update pci ids.

Signed-off-by: Chuck Short
Signed-off-by: Ben Collins
Signed-off-by: Adrian Bunk

Commit: c302289dadbc28fa0dbea3d05a5830200131adc9
Author: Dave Airlie
Sat, 06 Jan 2007 01:21:40 +0100

drm: Add the P4VM800PRO PCI ID.

Signed-off-by: Dave Airlie
Signed-off-by: Adrian Bunk

Commit: 95785f6cfc53d4d215a0acb90715e3cec727ad84
Author: Jason Gaston
Sat, 06 Jan 2007 01:16:39 +0100

i2c-i801: SMBus patch for Intel ICH9

This updated patch adds the Intel ICH9 LPC and SMBus Controller DID's.

Signed-off-by: Jason Gaston
Signed-off-by: Adrian Bunk

Commit: 5f943409cec633c81d506f43b4818e5f89b16d4e
Author: Jason Gaston
Sat, 06 Jan 2007 01:15:36 +0100

PCI: irq: irq and pci_ids patch for Intel ICH9

This updated patch adds the Intel ICH9 LPC and SMBus Controller DID's.
Signed-off-by: Jason Gaston
Signed-off-by: Adrian Bunk

Commit: 2d353a7ec2db507b376aef5dca78726f16969a31
Author: Rudolf Marek
Sat, 06 Jan 2007 01:13:13 +0100

i2c-viapro: Add support for the VT8237A and VT8251

Documentation update included. Compile tested.

Signed-off-by: Rudolf Marek
Signed-off-by: Jean Delvare
Signed-off-by: Adrian Bunk

Commit: 7f415f1af086422cc271f5e76f81bc1695ce126e
Author: David Brownell
Sat, 06 Jan 2007 01:08:47 +0100

SPI/MTD: mtd_dataflash oops prevention

Return a fault code if the Dataflash driver runs into a "no device present" error when the MISO line has a pulldown (it currently expects a pullup), so that rmmod won't oops.

Signed-off-by: David Brownell
Signed-off-by: Adrian Bunk

Commit: 30f1962cb4491cfaabcd98715535f4bd7eba4307
Author: David L Stevens
Sat, 06 Jan 2007 01:06:28 +0100

[IPV4/IPV6]: Fix inet{,6} device initialization order.

It is important that we assign dev->ip{,6}_ptr only after all portions of the inet{,6} are set up. Otherwise we can receive packets before the multicast spinlocks et al. are initialized.

Signed-off-by: David L Stevens
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: f6fce1f36022c103af046c5548c4eedb7f1c2f4e
Author: David S. Miller
Sat, 06 Jan 2007 01:00:48 +0100

[SOUND] Sparc CS4231: Use 64 for period_bytes_min

This matches what the ISA cs4231 driver uses.

Tested by Georg Chini.

Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 223aa24029ccd32230fd4509edfa50cf067fb919
Author: Georg Chini
Sat, 06 Jan 2007 01:00:08 +0100

[SOUND] Sparc CS4231: Fix IRQ return value and initialization.

SBUS: Change IRQ-handler return value from 0 to IRQ_HANDLED and fix some initialisation problems. Change period_bytes_min from 4096 to 256 to allow the driver to work with low latency (VOIP) applications. Hope this does not break EBUS.

Signed-off-by: Georg Chini
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 8059c0f97012c5bf881d9a158dcfd3843c025b9b
Author: Mikael Pettersson
Sat, 06 Jan 2007 00:54:18 +0100

USB: Fix alignment of buffer passed down to ->hub_control()

Implementations assume the buffer is at least 4 byte aligned.

Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Adrian Bunk

Commit: 43aa2c34a65b64370635ac447994f99e7d410890
Author: Adrian Bunk
Fri, 05 Jan 2007 03:17:11 +0100

fix the UML compilation

Based on patches from Linus' tree.

Signed-off-by: Adrian Bunk

Commit: 614818937a458c7db7a34213f4f8084a64586f41
Author: Fabrice Knevez
Fri, 05 Jan 2007 00:29:31 +0100

[SUNKBD]: Fix sunkbd_enable(sunkbd, 0); obvious.

"sunkbd_enable(sunkbd, 0);" has no effect. Adding "sunkbd->enabled = enable" in sunkbd_enable (obvious)

Signed-off-by: Fabrice Knevez
Signed-off-by: Adrian Bunk

Commit: 68ed364d2ef0ca4e7e4e217ffeecb52331b7151d
Author: Andrew Morton
Thu, 04 Jan 2007 23:29:51 +0100

ibmtr section fixes

WARNING: drivers/net/tokenring/ibmtr.o - Section mismatch: reference to .init.data:ibmtr_mem_base from .text between 'ibmtr_probe1' (at offset 0x6e6) and 'ibmtr_probe_card'
WARNING: drivers/net/tokenring/ibmtr.o - Section mismatch: reference to .init.data:ibmtr_mem_base from .text between 'ibmtr_probe1' (at offset 0x74a) and 'ibmtr_probe_card'
WARNING: drivers/net/tokenring/ibmtr.o - Section mismatch: reference to .init.data:ibmtr_mem_base from .text between 'ibmtr_probe1' (at offset 0x7fd) and 'ibmtr_probe_card'

Signed-off-by: Andrew Morton
Signed-off-by: Adrian Bunk

Commit: 493fa112a845d9ea5d24d429b0142090758f941b
Author: Andi Kleen
Mon, 08 Jan 2007 22:44:07 +0100

x86_64: Don't leak NT bit into next task (CVE-2006-5755)

SYSENTER can cause NT to be set, which might cause crashes on the IRET in the next task.

Following the similar i386 patch from Linus.
Backport to 2.6.16 by Chuck Ebbert <76306.1226@compuserve.com>
[Changed 'set_debugreg' to the older 'set_debug' in setup64.c and added raw_local_save_flags() from 2.6.19 to system.h]

Signed-off-by: Andi Kleen
Signed-off-by: Adrian Bunk

Commit: be7b264ae676589398f8bff7ea53b01851f17be2
Author: Chuck Ebbert <76306.1226@compuserve.com>
Thu, 04 Jan 2007 23:01:18 +0100

x86_64: fix ia32 syscall count

Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Signed-off-by: Adrian Bunk

Commit: 044a3e96c42df125bbc046495d49a6b8f380aa5a
Author: Marcel Holtmann
Thu, 04 Jan 2007 22:57:52 +0100

Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)

With malformed packets it might be possible to overwrite internal CMTP and CAPI data structures. This patch adds additional length checks to prevent these kinds of remote attacks.

Signed-off-by: Marcel Holtmann
Signed-off-by: Adrian Bunk

Commit: d9be428145481c9c23e02e25a49205fc9def5d36
Author: Andrew Morton
Tue, 09 Jan 2007 03:23:15 +0100

grow_buffers() infinite loop fix (CVE-2006-5757/CVE-2006-6060)

If grow_buffers() is for some reason passed a block number which wants to lie outside the maximum-addressable pagecache range (PAGE_SIZE * 4G bytes) then it will accidentally truncate `index' and will then instantiate a page at the wrong pagecache offset. This causes __getblk_slow() to go into an infinite loop.

This can happen with corrupted disks, or with software errors elsewhere.

Detect that, and handle it.

Signed-off-by: Andrew Morton
Signed-off-by: Adrian Bunk

Commit: 09d9056ce65466da2a4634c62fcfecfa70fc9605
Author: Linus Torvalds
Thu, 04 Jan 2007 23:23:27 +0100

i386: save/restore eflags in context switch (CVE-2006-5173)

(And reset it on new thread creation)

It turns out that eflags is important to save and restore not just because of iopl, but due to the magic bits like the NT bit, which we don't want leaking between different threads.
Backported to 2.6.16 by Chuck Ebbert <76306.1226@compuserve.com>
[Backport consisted of removing the CFI annotations.]

Signed-off-by: Linus Torvalds
Signed-off-by: Adrian Bunk

Commit: bb3e712f45f05c380ee6efed0afd588ed3ce18fb
Author: Marcel Holtmann
Thu, 04 Jan 2007 01:53:41 +0100

Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)

The function isdn_ppp_ccp_reset_alloc_state() sets ->timer.function and ->timer.data and later on calls add_timer() with no init_timer() ever done.

Noted by Al Viro.

Signed-off-by: Marcel Holtmann
Signed-off-by: Adrian Bunk

Commit: 7c876d457b5c7e949032a4ac7aec64af0136d52a
Author: Linus Torvalds
Thu, 04 Jan 2007 01:44:45 +0100

Fix incorrect user space access locking in mincore() (CVE-2006-4814)

Doug Chapman noticed that mincore() will do a "copy_to_user()" of the result while holding the mmap semaphore for reading, which is a big no-no. While a recursive read-lock on a semaphore in the case of a page fault happens to work, we don't actually allow them due to deadlock scenarios with writers due to fairness issues.

Doug and Marcel sent in a patch to fix it, but I decided to just rewrite the mess instead - not just fixing the locking problem, but making the code smaller and (imho) much easier to understand.

Also included are two fixes for the original patch including one by Oleg Nesterov.

Signed-off-by: Linus Torvalds
Signed-off-by: Adrian Bunk

Commit: 571525bb8f82493d0332aa8e31776a9fdc607b3b
Author: Miklos Szeredi
Thu, 04 Jan 2007 01:14:06 +0100

fuse: fix hang on SMP

Fuse didn't always call i_size_write() with i_mutex held, which caused rare hangs on SMP/32bit. This bug has been present since fuse-2.2, well before being merged into mainline.

The simplest solution is to protect i_size_write() with the per-connection spinlock. Using i_mutex for this purpose would require some restructuring of the code and I'm not even sure it's always safe to acquire i_mutex in all places i_size needs to be set.
Since most of vmtruncate is already duplicated for other reasons, duplicate the remaining part as well, making all i_size_write() calls internal to fuse.

Using i_size_write() was unnecessary in fuse_init_inode(), since this function is only called on a newly created locked inode.

Reported by a few people over the years, but special thanks to Dana Henriksen who was persistent enough in helping me debug it.

Adrian Bunk: Backported to 2.6.16.

Signed-off-by: Miklos Szeredi
Signed-off-by: Adrian Bunk

Commit: e79366b5564af42aa2449042c75630c16edbdb4d
Author: Robert Olsson
Thu, 04 Jan 2007 00:57:17 +0100

[PKTGEN]: Fix module load/unload races.

Adrian Bunk: Backported to 2.6.16.

Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 51b73a030955179f236959eaedaf03f405b878a6
Author: Dirk Eibach
Thu, 04 Jan 2007 00:42:01 +0100

i2c: fix broken ds1337 initialization

On a custom board with a ds1337 RTC I found that the upgrade from 2.6.15 to 2.6.18 broke RTC support. The main problem is the changes to ds1337_init_client().

When a ds1337 recognizes a problem (e.g. power or clock failure) bit 7 in the status register is set. This has to be reset by writing 0 to the status register. But since there are only 16 bytes written to the chip and the first byte is interpreted as an address, the status register (which is the 16th) is never written.

The other problem is that initializing all registers to zero is not valid for the day, date and month registers. Funnily enough this is checked by ds1337_detect(), which depends on these values not being zero. So once treated by ds1337_init_client() the ds1337 is not detected anymore, whereas the failure bit in the status register is still set.

Broken by commit f9e8957937ebf60d22732a5ca9130f48a7603f60 (2.6.16-rc1, 2006-01-06).

This fix is in Linus' tree since 2.6.20-rc1 (commit 763d9c046a2e511ec090a8986d3f85edf7448e7e).
Signed-off-by: Dirk Stieler
Signed-off-by: Dirk Eibach
Signed-off-by: Jean Delvare

Commit: 83d285a27720a4927ad1ca8e12b035ddcf1b5e38
Author: Patrick McHardy
Thu, 04 Jan 2007 00:38:10 +0100

NET_SCHED: Fix fallout from dev->qdisc RCU change

The move of qdisc destruction to a rcu callback broke locking in the entire qdisc layer by invalidating previously valid assumptions about the context in which changes to the qdisc tree occur.

The two assumptions were:

- since changes only happen in process context, read_lock doesn't need bottom half protection. Now invalid since destruction of inner qdiscs, classifiers, actions and estimators happens in the RCU callback unless they're manually deleted, resulting in dead-locks when read_lock in process context is interrupted by write_lock_bh in bottom half context.

- since changes only happen under the RTNL, no additional locking is necessary for data not used during packet processing (f.e. u32_list). Again, since destruction now happens in the RCU callback, this assumption is not valid anymore, causing races while using this data, which can result in corruption or use-after-free.

Instead of "fixing" this by disabling bottom halves everywhere and adding new locks/refcounting, this patch makes these assumptions valid again by moving destruction back to process context. Since only the dev->qdisc pointer is protected by RCU, but ->enqueue and the qdisc tree are still protected by dev->qdisc_lock, destruction of the tree can be performed immediately and only the final free needs to happen in the rcu callback to make sure dev_queue_xmit doesn't access already freed memory.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk
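The cramfs entry above (CVE-2006-5823) describes the kind of check a filesystem needs on a length field it reads from an untrusted image: the compressed block length must be non-negative, inside the image, and no larger than the PAGE_CACHE_SIZE << 1 bound that mkcramfs guarantees. The following is an added example written for this changelog, not the kernel's cramfs code. It assumes a simplified, constructed block table (an array of end offsets, one per block, with block 0 starting right after the table) rather than the real on-disk layout, and all names are hypothetical.

```c
/*
 * Added example, not the kernel's cramfs code: bounds-check a compressed
 * block's length before handing it to a decompressor, in the spirit of the
 * cramfs_readpage() sanity check for CVE-2006-5823.
 *
 * Constructed layout (an assumption for this example, not the real cramfs
 * on-disk format): a file's block table is an array of uint32_t end offsets,
 * one per block; block i spans [end(i-1), end(i)) and block 0 starts right
 * after the table. All names are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>

#define PAGE_CACHE_SIZE 4096u
/* gzip can expand incompressible input, so a compressed block may be larger
 * than a page; mkcramfs bounds it at twice a page. */
#define MAX_COMPRESSED_LEN (PAGE_CACHE_SIZE << 1)

/*
 * Return the compressed length of block `blk`, or -1 if the table is corrupt.
 * The checks cover what a corrupt image can get wrong: the end offset can
 * precede the start (unsigned wrap), run past the image, or claim an absurd
 * size. Arithmetic is done in 64 bits so the checks themselves cannot wrap.
 */
long checked_block_len(const uint32_t *table, uint32_t nblocks,
                       uint32_t table_off, uint32_t image_len, uint32_t blk)
{
    uint64_t start, end;

    if (blk >= nblocks)
        return -1;
    end = table[blk];
    start = blk ? table[blk - 1] : (uint64_t)table_off + (uint64_t)nblocks * 4;

    if (end < start)                       /* length would go negative */
        return -1;
    if (end > image_len)                   /* block points outside the image */
        return -1;
    if (end - start > MAX_COMPRESSED_LEN)  /* larger than any mkcramfs output */
        return -1;
    return (long)(end - start);
}

/* Constructed sample tables (table_off = 0, so block 0 starts at 4 * nblocks). */
const uint32_t good_table[3]     = { 112, 8304, 8354 }; /* lengths 100, 8192, 50 */
const uint32_t wrapped_table[2]  = { 112, 100 };        /* block 1 ends before it starts */
const uint32_t oversize_table[2] = { 112, 8305 };       /* block 1 claims 8193 bytes */

int main(void)
{
    uint32_t i;
    for (i = 0; i < 3; i++)
        printf("good block %u: len %ld\n", i,
               checked_block_len(good_table, 3, 0, 9000, i));
    printf("wrapped block 1: %ld\n", checked_block_len(wrapped_table, 2, 0, 9000, 1));
    printf("oversize block 1: %ld\n", checked_block_len(oversize_table, 2, 0, 9000, 1));
    printf("good block 2, image truncated to 8000 bytes: %ld\n",
           checked_block_len(good_table, 3, 0, 8000, 2));
    return 0;
}
```

Block 1 of the good table is exactly 8192 bytes and is accepted, since the commit message makes the bound inclusive; one byte more is rejected, as is a table whose end offset wraps below its start or runs past the end of the image.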
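The two Eric Sandeen entries above (CVE-2006-6053 for ext3 and CVE-2006-6054 for ext2) describe a directory walker that loops forever on an entry of length 0 and keeps reading past the blocks a directory actually has because i_size is corrupt. The following is an added example, not ext2 or ext3 code, that walks a constructed directory block with both checks in place: reject a rec_len that is zero, misaligned, too short for its name or crossing the block end, and stop when i_size claims more data than the inode's block count provides. It assumes 1 KiB blocks, the classic 8-byte ext2-style entry header in host byte order, and hypothetical function names.

```c
/*
 * Added example, not ext2/ext3 code: walk a directory with the sanity checks
 * from the CVE-2006-6053 / CVE-2006-6054 changelog entries. Assumptions: 1 KiB
 * blocks, an 8-byte ext2-style entry header followed by the name, host byte
 * order (the on-disk format is little-endian). Names are hypothetical.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BLOCKSIZE 1024u
/* Minimum record length for an n-byte name: header + name, rounded up to 4. */
#define DIR_REC_LEN(n) ((unsigned)((n) + 8 + 3) & ~3u)

struct dir_entry {
    uint32_t inode;      /* 0 marks an unused slot */
    uint16_t rec_len;    /* distance to the next entry */
    uint8_t  name_len;
    uint8_t  file_type;
};

/* 0 if the entry at `off` within its block is plausible, -1 if corrupt. */
static int check_entry(const struct dir_entry *de, unsigned off)
{
    unsigned rlen = de->rec_len;
    if (rlen < DIR_REC_LEN(1))              /* catches rec_len == 0: the ext3 loop */
        return -1;
    if (rlen % 4)                           /* entries are 4-byte aligned */
        return -1;
    if (rlen < DIR_REC_LEN(de->name_len))   /* name would not fit in the record */
        return -1;
    if (off + rlen > BLOCKSIZE)             /* record crosses the block end */
        return -1;
    return 0;
}

/*
 * Count live entries of a directory whose inode claims `claimed_i_size` bytes
 * but whose block map provides only `blocks_present` blocks. Returns the
 * count, or -1 on a corrupt entry. Never spins on a zero-length entry and never
 * reads past the blocks that exist, however large i_size claims to be.
 */
long count_dir_entries(const uint8_t *blocks, uint32_t blocks_present,
                       uint64_t claimed_i_size)
{
    uint64_t have = (uint64_t)blocks_present * BLOCKSIZE;
    uint64_t pos = 0;
    long count = 0;

    while (pos < claimed_i_size) {
        struct dir_entry de;
        unsigned off = (unsigned)(pos % BLOCKSIZE);

        if (pos >= have)                     /* i_size lies: no more blocks */
            break;
        if (off > BLOCKSIZE - sizeof de)     /* header itself would overrun */
            return -1;
        memcpy(&de, blocks + pos, sizeof de);
        if (check_entry(&de, off) < 0)
            return -1;
        if (de.inode)
            count++;
        pos += de.rec_len;                   /* > 0, guaranteed by check_entry */
    }
    return count;
}

/* Write one entry into a constructed block; returns the offset of the next. */
static size_t put_entry(uint8_t *buf, size_t off, uint32_t ino,
                        uint16_t rec_len, const char *name)
{
    struct dir_entry de = { ino, rec_len, (uint8_t)strlen(name), 1 };
    memcpy(buf + off, &de, sizeof de);
    memcpy(buf + off + sizeof de, name, de.name_len);
    return off + rec_len;
}

/*
 * Constructed scenarios: 0 = sane one-block directory; 1 = last entry has
 * rec_len 0 (the ext3 infinite loop); 2 = sane block, but i_size claims 200 MB
 * for a directory that owns a single block (the runaway readdir).
 */
long scan_sample(int scenario)
{
    uint8_t block[BLOCKSIZE];
    size_t off;
    uint64_t i_size = BLOCKSIZE;

    memset(block, 0, sizeof block);
    off = put_entry(block, 0, 2, 12, ".");
    off = put_entry(block, off, 2, 12, "..");
    put_entry(block, off, 12, scenario == 1 ? 0 : (uint16_t)(BLOCKSIZE - off), "file.txt");
    if (scenario == 2)
        i_size = 200u << 20;
    return count_dir_entries(block, 1, i_size);
}

int main(void)
{
    printf("sane: %ld, zero rec_len: %ld, oversized i_size: %ld\n",
           scan_sample(0), scan_sample(1), scan_sample(2));
    return 0;
}
```

Scenario 2 is the interesting one: the walker returns the three real entries and stops after one block instead of issuing a read error for every page up to 200 MB, which is the behaviour both commits set out to fix.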
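The grow_buffers() entry above (CVE-2006-5757 / CVE-2006-6060) is an integer-truncation bug: a 64-bit block number is shifted into a 32-bit page index, the high bits are lost, and the page is created at the wrong offset. The following is an added example, not the kernel's fs/buffer.c, showing the cheap way to detect that before it happens: redo the conversion in the wider type and compare. It assumes a 32-bit page index (as on 32-bit builds) and a 64-bit block number; the typedefs and function name are hypothetical.

```c
/*
 * Added example, not the kernel's fs/buffer.c: detect a block number that the
 * page cache cannot address before using it as a page index, the failure in
 * the grow_buffers() changelog entry. Assumption: 32-bit pgoff_t (32-bit
 * builds) and 64-bit sector_t; typedefs and names are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t pgoff_t;   /* page cache index: at most 4G pages of PAGE_SIZE */
typedef uint64_t sector_t;  /* block number as handed in by a filesystem */
#define PAGE_SHIFT 12

/*
 * Page index holding `block` on a device with (1 << blkbits)-byte blocks, or
 * -1 when the block lies past the maximum addressable pagecache offset.
 * Silently truncating here is what made __getblk_slow() spin: the page is
 * created at a small wrong index, so the wanted block is never found there.
 */
int64_t block_to_page_index(sector_t block, unsigned blkbits)
{
    unsigned sizebits;
    pgoff_t index;

    if (blkbits > PAGE_SHIFT)          /* blocks larger than a page: not handled */
        return -1;
    sizebits = PAGE_SHIFT - blkbits;   /* log2(blocks per page) */
    index = (pgoff_t)(block >> sizebits);

    /* Redo the shift in sector_t width; a truncated index will not match. */
    if ((sector_t)index != (block >> sizebits))
        return -1;
    return (int64_t)index;
}

int main(void)
{
    /* 4 KiB blocks: block 0xffffffff is the last addressable one, 2^32 is not. */
    printf("%lld\n", (long long)block_to_page_index(0xffffffffULL, 12));
    printf("%lld\n", (long long)block_to_page_index(0x100000000ULL, 12));
    /* 1 KiB blocks: four blocks per page, so block 2^34 - 1 still fits ... */
    printf("%lld\n", (long long)block_to_page_index(0x3ffffffffULL, 10));
    /* ... but block 2^34 does not. */
    printf("%lld\n", (long long)block_to_page_index(0x400000000ULL, 10));
    return 0;
}
```

The caller treats -1 as an I/O error on the block, which is the "detect that, and handle it" of the commit message; a corrupt on-disk pointer then fails one read instead of hanging the kernel.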