Commit: 06f529d5fa3b8ea0b84d327b6fdda988d4b63a62
Author: Adrian Bunk
Date: Fri, 12 Oct 2007 17:27:10 +0200

Linux 2.6.16.55

Commit: 3a05e4826e0ec19fa9f805e81ea3589887922d9d
Author: Adrian Bunk
Date: Fri, 12 Oct 2007 23:03:25 +0200

Revert "TCP: Fix TCP handling of SACK in bidirectional flows"

This reverts commit 3198d0f16dec0c87071cf26f3f11af9c8f0a009b.

Commit: 765157b1bb052f9dba3e0ba7820a9b3df1177a17
Author: Adrian Bunk
Date: Sun, 07 Oct 2007 01:01:31 +0200

Linux 2.6.16.55-rc1

Commit: 0de89fc504de8ce2e0aefc6b944a85cf97b3d265
Author: Takashi Iwai
Date: Sun, 07 Oct 2007 03:26:43 +0200

Convert snd-page-alloc proc file to use seq_file (CVE-2007-4571)

Commit ccec6e2c4a74adf76ed4e2478091a311b1806212 in mainline.

Use seq_file for the proc file read/write of snd-page-alloc module. This automatically fixes bugs in the old proc code.

Adrian Bunk: Backported to 2.6.16.

Signed-off-by: Takashi Iwai
Signed-off-by: Adrian Bunk

Commit: d98c1fe4557680dd52543db7716d2badd6701cf7
Author: Adrian Bunk
Date: Sun, 07 Oct 2007 00:58:15 +0200

snd_mem_proc_read(): convert to list_for_each_entry*

Stolen from a patch by Johannes Berg.

Signed-off-by: Adrian Bunk

Commit: a578b99b87e77138219022179799f62c68018d74
Author: Eric Sandeen
Date: Sun, 07 Oct 2007 00:52:10 +0200

sysfs: store sysfs inode nrs in s_ino to avoid readdir oopses (CVE-2007-3104)

Backport of ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.22-rc1/2.6.22-rc1-mm1/broken-out/gregkh-driver-sysfs-allocate-inode-number-using-ida.patch

For regular files in sysfs, sysfs_readdir wants to traverse sysfs_dirent->s_dentry->d_inode->i_ino to get to the inode number. But, the dentry can be reclaimed under memory pressure, and there is no synchronization with readdir. This patch follows Tejun's scheme of allocating and storing an inode number in the new s_ino member of a sysfs_dirent, when dirents are created, and retrieving it from there for readdir, so that the pointer chain doesn't have to be traversed.
Tejun's upstream patch uses a new-ish "ida" allocator which brings along some extra complexity; this -stable patch has a brain-dead incrementing counter which does not guarantee uniqueness, but because sysfs doesn't hash inodes as iunique expects, uniqueness wasn't guaranteed today anyway.

Adrian Bunk: Backported to 2.6.16.

Signed-off-by: Eric Sandeen
Signed-off-by: Adrian Bunk

Commit: 47d9c7762bd6e2d766cba697952f11fba9d5acf6
Author: Matt Mackall
Date: Sun, 07 Oct 2007 00:27:53 +0200

random: fix bound check ordering (CVE-2007-3105)

If root raised the default wakeup threshold over the size of the output pool, the pool transfer function could overflow the stack with RNG bytes, causing a DoS or potential privilege escalation.

(Bug reported by the PaX Team)

Signed-off-by: Matt Mackall
Signed-off-by: Adrian Bunk

Commit: 46f6fdb65fb9a80fa31ab25c5aad3d150bb7c398
Author: Matt Mackall
Date: Sun, 07 Oct 2007 00:24:49 +0200

random: fix seeding with zero entropy (CVE-2007-2453 2 of 2)

Add data from zero-entropy random_writes directly to output pools to avoid accounting difficulties on machines without entropy sources.

Tested on lguest with all entropy sources disabled.

Signed-off-by: Matt Mackall
Acked-by: Theodore Ts'o
Signed-off-by: Adrian Bunk

Commit: 5561123a8a3a55328174164901ef66f7a5ec2130
Author: Matt Mackall
Date: Sun, 07 Oct 2007 00:19:10 +0200

random: fix error in entropy extraction (CVE-2007-2453 1 of 2)

Fix cast error in entropy extraction. Add comments explaining the magic 16. Remove extra confusing loop variable.

Signed-off-by: Matt Mackall
Acked-by: Theodore Ts'o
Signed-off-by: Adrian Bunk

Commit: 9236d592ceee5d4033cd90d2f7d02440aea9b778
Author: Marcel Holtmann
Date: Sun, 07 Oct 2007 00:03:26 +0200

Reset current->pdeath_signal on SUID binary execution (CVE-2007-3848)

This fixes a vulnerability in the "parent process death signal" implementation discovered by Wojciech Purczynski of COSEINC PTE Ltd. and iSEC Security Research.
http://marc.info/?l=bugtraq&m=118711306802632&w=2

Signed-off-by: Marcel Holtmann
Signed-off-by: Adrian Bunk

Commit: de9e88d512afbad9f7a5d73b28dbcc332894b81a
Author: Dann Frazier
Date: Sat, 06 Oct 2007 23:51:05 +0200

fix buffer overflow in the moxa driver (CVE-2005-0504)

Signed-off-by: Dann Frazier
Signed-off-by: Andres Salomon
Signed-off-by: Adrian Bunk

Commit: cc6b1c0e31e1f639d3c5e161039c24edb41c4537
Author: Kumar Gala
Date: Sat, 06 Oct 2007 23:36:26 +0200

[POWERPC] Flush registers to proper task context

When we flush register state for FP, Altivec, or SPE in flush_*_to_thread we need to respect the task_struct that the caller has passed to us. In most cases we are called with current; however, sometimes (ptrace) we may be passed a different task_struct.

This showed up when using gdbserver debugging a simple program that used floating point. When gdb tried to show the FP regs they all showed up as 0, because the child's FP registers were never properly flushed to memory.

Signed-off-by: Kumar Gala
Signed-off-by: Adrian Bunk

Commit: bffb5afd17f7f791f627ef65425f3c4cb9e43095
Author: Andi Kleen
Date: Sat, 06 Oct 2007 23:32:18 +0200

x86_64: Zero extend all registers after ptrace in 32bit entry path (CVE-2007-4573)

Strictly it's only needed for eax. It actually does a little more than strictly needed -- the other registers are already zero extended.

Also remove the now unnecessary and non-functional compat task check in ptrace.

Found by Wojciech Purczynski

Signed-off-by: Andi Kleen
Signed-off-by: Adrian Bunk

Commit: 3c76887f91c711636844c413266b8678f557ff90
Author: Adrian Bunk
Date: Sat, 06 Oct 2007 22:38:04 +0200

unexport ip_conntrack_{,un}register_notifier

Static functions mustn't be exported.

Signed-off-by: Adrian Bunk

Commit: b352b876c9540f42c9d76a4acd9f6d82308c1fbb
Author: Adrian Bunk
Date: Sat, 06 Oct 2007 22:29:05 +0200

sound/core/pcm_lib.c: don't export static functions

Static functions mustn't be exported.
Signed-off-by: Adrian Bunk

Commit: 3f5514bf3e051044e91d17aab46ee2191a4cace2
Author: Adrian Bunk
Date: Sat, 06 Oct 2007 22:05:29 +0200

unexport csr1212_release_keyval

A static function mustn't be exported.

Signed-off-by: Adrian Bunk

Commit: 44e0a3a2850a75f1c677492b29db40a85abc9186
Author: Adrian Bunk
Date: Sat, 06 Oct 2007 21:59:38 +0200

unexport cpufreq_parse_governor

A static function mustn't be exported.

Signed-off-by: Adrian Bunk

Commit: 47f972b3361d2a64942d3eb4e759c8a5b9b91396
Author: Adrian Bunk
Date: Sat, 06 Oct 2007 21:13:06 +0200

unexport neigh_update_hhs

A static function mustn't be exported.

Signed-off-by: Adrian Bunk

Commit: 952d5c18910cfa0ec43ab15607099fa1c5c254dd
Author: Mikael Pettersson
Date: Sat, 06 Oct 2007 21:05:23 +0200

[SPARC]: fix sparc64 gcc 4.2 compile failure

Compiling 2.6.21-rc5 with gcc-4.2.0 20070317 (prerelease) for sparc64 fails as follows:

gcc -Wp,-MD,arch/sparc64/kernel/.time.o.d -nostdinc -isystem /home/mikpe/pkgs/linux-sparc64/gcc-4.2.0/lib/gcc/sparc64-unknown-linux-gnu/4.2.0/include -D__KERNEL__ -Iinclude -include include/linux/autoconf.h -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Os -m64 -pipe -mno-fpu -mcpu=ultrasparc -mcmodel=medlow -ffixed-g4 -ffixed-g5 -fcall-used-g7 -Wno-sign-compare -Wa,--undeclared-regs -fomit-frame-pointer -fno-stack-protector -Wdeclaration-after-statement -Wno-pointer-sign -Werror -D"KBUILD_STR(s)=#s" -D"KBUILD_BASENAME=KBUILD_STR(time)" -D"KBUILD_MODNAME=KBUILD_STR(time)" -c -o arch/sparc64/kernel/time.o arch/sparc64/kernel/time.c
cc1: warnings being treated as errors
arch/sparc64/kernel/time.c: In function 'kick_start_clock':
arch/sparc64/kernel/time.c:559: warning: overflow in implicit constant conversion
make[1]: *** [arch/sparc64/kernel/time.o] Error 1
make: *** [arch/sparc64/kernel] Error 2

gcc gets unhappy when the MSTK_SET macro's u8 __val variable is updated with &= ~0xff (MSTK_YEAR_MASK). Making the constant unsigned fixes the problem.
[ I fixed up the sparc32 side as well -DaveM ]

Signed-off-by: Mikael Pettersson
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 9b30f6d3f241699d9215c0f96e2d46f38064bb32
Author: Adrian Bunk
Date: Sat, 06 Oct 2007 21:14:55 +0200

unexport ktime_get_real

A static function mustn't be exported.

Signed-off-by: Adrian Bunk

Commit: 1104012f7911f1b46a4cdd23c4b949337211920f
Author: Nick Bowler
Date: Sat, 06 Oct 2007 20:34:18 +0200

[IPSEC] AH4: Update IPv4 options handling to conform to RFC 4302.

In testing our ESP/AH offload hardware, I discovered an issue with how AH handles mutable fields in IPv4. RFC 4302 (AH) states the following on the subject:

  For IPv4, the entire option is viewed as a unit; so even though the type and length fields within most options are immutable in transit, if an option is classified as mutable, the entire option is zeroed for ICV computation purposes.

The current implementation does not zero the type and length fields, resulting in authentication failures when communicating with hosts that do (i.e. FreeBSD).

I have tested record route and timestamp options (ping -R and ping -T) on a small network involving Windows XP, FreeBSD 6.2, and Linux hosts, with one router. In the presence of these options, the FreeBSD and Linux hosts (with the patch or with the hardware) can communicate. The Windows XP host simply fails to accept these packets with or without the patch.

I have also been trying to test source routing options (using traceroute -g), but haven't had much luck getting this option to work *without* AH, let alone with.

Signed-off-by: Nick Bowler
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk
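The AH4 entry above describes the rule from RFC 4302 that a mutable IPv4 option is zeroed in its entirety, type and length bytes included, before the ICV is computed, and notes that the pre-fix code left those two bytes in place. The following is an added example written for this page, not code from the kernel or from the commit: a user-space walk over an IPv4 option block that zeroes mutable options either the RFC 4302 way or the pre-fix way, so the interoperability difference can be seen on a constructed option block. The immutable set (Security and Router Alert only), the sample option block and all function names are assumptions of the example; a real AH implementation carries the full RFC 4302 Appendix A classification.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IPv4 option type codes (RFC 791 / IANA values). */
#define IPOPT_END   0    /* end of option list */
#define IPOPT_NOOP  1    /* no operation: 1-byte padding, no length field */
#define IPOPT_RR    7    /* record route: mutable */
#define IPOPT_TS    68   /* timestamp: mutable */
#define IPOPT_SEC   130  /* security: immutable */
#define IPOPT_LSRR  131  /* loose source route: mutable */
#define IPOPT_SSRR  137  /* strict source route: mutable */
#define IPOPT_RA    148  /* router alert: immutable */

/* Assumption of this example: only Security and Router Alert are immutable;
 * everything else, unknown options included, is treated as mutable. */
static int ipopt_is_immutable(uint8_t type)
{
    return type == IPOPT_SEC || type == IPOPT_RA;
}

/*
 * Zero the mutable options of an IPv4 option block in place, as AH does before
 * computing the ICV. 'opts' points just past the 20-byte fixed header and 'len'
 * is ihl*4 - 20.
 *   whole_option = 1: zero type, length and data (RFC 4302 behaviour)
 *   whole_option = 0: zero the data only, leaving type and length (pre-fix behaviour)
 * Returns 0 on success, -1 if the option list is malformed.
 */
int ah4_clear_mutable_options(uint8_t *opts, size_t len, int whole_option)
{
    size_t off = 0;

    while (off < len) {
        uint8_t type = opts[off];

        if (type == IPOPT_END)
            return 0;               /* only padding follows */
        if (type == IPOPT_NOOP) {
            off++;
            continue;
        }
        if (off + 1 >= len)
            return -1;              /* length byte missing */

        size_t optlen = opts[off + 1];
        if (optlen < 2 || optlen > len - off)
            return -1;              /* length runs past the option block */

        if (!ipopt_is_immutable(type)) {
            if (whole_option)
                memset(opts + off, 0, optlen);
            else
                memset(opts + off + 2, 0, optlen - 2);
        }
        off += optlen;
    }
    return 0;
}

/* Constructed sample (not a captured packet): a Record Route option holding one
 * hop (10.0.0.1), then a Router Alert option, then an END byte. */
#define SAMPLE_LEN    16
#define SAMPLE_RR_LEN 11
static const uint8_t sample_options[SAMPLE_LEN] = {
    IPOPT_RR, SAMPLE_RR_LEN, 4, 10, 0, 0, 1, 0, 0, 0, 0,  /* bytes 0..10  */
    IPOPT_RA, 4, 0, 0,                                    /* bytes 11..14 */
    IPOPT_END                                             /* byte 15      */
};

/* Clears a copy of the sample and returns how many Record Route bytes are still
 * nonzero: 0 with RFC 4302 behaviour, 2 (type 7 and length 11) pre-fix. */
int sample_rr_nonzero_bytes(int whole_option)
{
    uint8_t buf[SAMPLE_LEN];
    int nonzero = 0;

    memcpy(buf, sample_options, SAMPLE_LEN);
    if (ah4_clear_mutable_options(buf, SAMPLE_LEN, whole_option) != 0)
        return -1;
    for (size_t i = 0; i < SAMPLE_RR_LEN; i++)
        nonzero += buf[i] != 0;
    return nonzero;
}

/* Returns 1 if the immutable Router Alert option survives the clearing untouched. */
int sample_router_alert_intact(void)
{
    uint8_t buf[SAMPLE_LEN];

    memcpy(buf, sample_options, SAMPLE_LEN);
    if (ah4_clear_mutable_options(buf, SAMPLE_LEN, 1) != 0)
        return 0;
    return memcmp(buf + SAMPLE_RR_LEN, sample_options + SAMPLE_RR_LEN, 4) == 0;
}

/* Returns 1 if an option whose length field overruns the block is rejected. */
int sample_malformed_rejected(void)
{
    uint8_t bad[4] = { IPOPT_RR, 20, 4, 0 };   /* claims 20 bytes, only 4 present */
    return ah4_clear_mutable_options(bad, sizeof bad, 1) == -1;
}

int main(void)
{
    printf("RR bytes left nonzero, RFC 4302 behaviour: %d\n", sample_rr_nonzero_bytes(1));
    printf("RR bytes left nonzero, pre-fix behaviour:  %d\n", sample_rr_nonzero_bytes(0));
    printf("Router Alert intact: %d, malformed option rejected: %d\n",
           sample_router_alert_intact(), sample_malformed_rejected());
    return 0;
}
```

The two surviving bytes in the pre-fix variant are exactly the ones that made the ICV differ from a FreeBSD peer's: both ends hash the same option data, but one of them still feeds the type and length into the hash. The length check before the memset also matters on its own, since a forged length byte would otherwise let the zeroing run past the option block.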