Commit: bdc864e5ae0a15bde369171960fb12ac6270271e
Author: Adrian Bunk, Mon, 05 Nov 2007 21:27:33 +0100
Linux 2.6.16.57

Commit: d2a51c3a5ff9029d8f96fdc9c838ac79c95db8c9
Author: Adrian Bunk, Fri, 02 Nov 2007 23:11:56 +0100
Linux 2.6.16.57-rc1

Commit: 776a0f3d4b4b79ec8eb85af188bed1f6ad47143c
Author: Neil Brown, Fri, 02 Nov 2007 23:08:36 +0100
knfsd: allow nfsd READDIR to return 64bit cookies

->readdir passes loff_t offsets (used as nfs cookies) to nfs3svc_encode_entry{,_plus}, but when they pass it on to encode_entry it becomes an 'off_t', which isn't good. So filesystems that returned 64bit offsets would lose.

Signed-off-by: Neil Brown
Signed-off-by: Adrian Bunk

Commit: 5ef24c6873e39aec57239e4623e6bc0182cc8954
Author: Nick Piggin, Fri, 02 Nov 2007 23:07:14 +0100
buffer: memorder fix

unlock_buffer(), like unlock_page(), must not clear the lock without ensuring that the critical section is closed.

Mingming later sent the same patch, saying:

We are running the SDET benchmark and saw a double free issue for the ext3 extended attributes block, which complains that the same xattr block is already being freed (in ext3_xattr_release_block()). The problem could also be triggered by multiple threads looping untar/rm of a kernel tree.

The race is caused by a missing memory barrier at unlock_buffer() before the lock bit is cleared, resulting in a possible concurrent h_refcount update. That causes a reference counter leak, which later leads to the double free that we have seen.

Inside unlock_buffer(), a memory barrier is placed *after* the lock bit is cleared; however, there is no memory barrier *before* the bit is cleared. On some archs the h_refcount update instruction and the clear bit instruction could be reordered, thus leaving the critical section re-entered.
The race is like this:

For example, if the h_refcount is initialized as 1,

cpu 0:                                  cpu1
--------------------------------------  -----------------------------------
lock_buffer() /* test_and_set_bit */
clear_buffer_locked(bh);
                                        lock_buffer() /* test_and_set_bit */
h_refcount = h_refcount+1; /* = 2*/
                                        h_refcount = h_refcount + 1; /*= 2 */
                                        clear_buffer_locked(bh);
....                                    ......

We lost a h_refcount here. We need a memory barrier before the buffer head lock bit is cleared to force the order of the two writes.

Please apply.

Signed-off-by: Nick Piggin
Signed-off-by: Adrian Bunk

Commit: 09e1acaea2074c5ae5d6d81f53f8c7f50c53593c
Author: Adit Ranadive, Fri, 02 Nov 2007 23:05:27 +0100
[PKTGEN]: srcmac fix

Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: a52dfa535d04a5246927b9863a5e6209c5832582
Author: David S. Miller, Fri, 02 Nov 2007 22:56:18 +0100
[SPARC64]: Fix show_stack() when stack argument is NULL.

It didn't handle that case at all, and now dump_stack() can be implemented directly as show_stack(current, NULL).

Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 4c94bf7f6f414af1ac449d3d6741522311b1fc07
Author: Herbert Xu, Fri, 02 Nov 2007 22:53:44 +0100
[SNAP]: Check packet length before reading

The snap_rcv code reads 5 bytes so we should make sure that we have 5 bytes in the head before proceeding.

Based on diagnosis and fix by Evgeniy Polyakov, reported by Alan J. Wylie.

Patch also kills the skb->sk assignment before kfree_skb since it's redundant.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 2ba6064c00a38885e8997059908f9aed5299e196
Author: Ranko Zivojnovic, Fri, 02 Nov 2007 22:51:48 +0100
[NET]: gen_estimator deadlock fix

- Fixes ABBA deadlock noted by Patrick McHardy:

> There is at least one ABBA deadlock, est_timer() does:
> read_lock(&est_lock)
> spin_lock(e->stats_lock) (which is dev->queue_lock)
>
> and qdisc_destroy calls htb_destroy under dev->queue_lock, which
> calls htb_destroy_class, then gen_kill_estimator and this
> write_locks est_lock.

To fix the ABBA deadlock the rate estimators are now kept on an rcu list.

- The est_lock changes its use from protecting the list to protecting the update to the 'bstat' pointer in order to avoid NULL dereferencing.

- The 'interval' member of the gen_estimator structure is removed as it is not needed.

Signed-off-by: Ranko Zivojnovic
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 464aa9b9720276ed68162bbd86e346538e515c59
Author: Patrick McHardy, Fri, 02 Nov 2007 22:42:48 +0100
[ICMP]: Fix icmp_errors_use_inbound_ifaddr sysctl

Currently when icmp_errors_use_inbound_ifaddr is set and an ICMP error is sent after the packet passed through ip_output(), an address from the outgoing interface is chosen as ICMP source address since skb->dev doesn't point to the incoming interface anymore.

Fix this by doing an interface lookup on rt->dst.iif and using that device.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 9ebf0663c8af671f9d37f9d51eb80e26a5b1fe2b
Author: Ohad Ben-Cohen, Fri, 02 Nov 2007 04:41:26 +0100
[Bluetooth] Fix NULL pointer dereference in HCI line discipline

Normally a serial Bluetooth device is opened, TIOSETD'ed to the N_HCI line discipline, HCIUARTSETPROTO'ed and finally closed. In case the device fails to HCIUARTSETPROTO, closing it produces a NULL pointer dereference.
Signed-off-by: Ohad Ben-Cohen
Signed-off-by: Marcel Holtmann
Signed-off-by: Adrian Bunk

Commit: 8e99f6e590f3b3790697bb324ba3d59f1a99f08a
Author: Ohad Ben-Cohen, Fri, 02 Nov 2007 04:39:41 +0100
[Bluetooth] Fix unintentional fall-through in HCI line discipline

A trivial fix to (what looks like) an unintentional fall-through in the HCI line discipline.

Signed-off-by: Ohad Ben-Cohen
Signed-off-by: Marcel Holtmann
Signed-off-by: Adrian Bunk

Commit: 4bf758b67ba133be643f5965ce29f7dca1347538
Author: Danny Kukawka, Fri, 02 Nov 2007 04:19:29 +0100
ide: add "optical" to sysfs "media" attribute

Add "optical" to the sysfs "media" attribute, as already done in /proc.

Signed-off-by: Danny Kukawka
Signed-off-by: Adrian Bunk

Commit: ee1fb2ba7420c20d9b68dd4aab0ff3f2572d6cc0
Author: Alexey Dobriyan, Fri, 02 Nov 2007 04:17:40 +0100
optical /proc/ide/*/media

Sergey Vlasov reported that his "FUJITSU MCC3064AP, ATAPI OPTICAL drive" pops up as UNKNOWN in /proc/ide/*/media.

Closes kernel Bugzilla #4145.

Signed-off-by: Alexey Dobriyan
Signed-off-by: Adrian Bunk

Commit: 401ef3d54cde6967c856b8fb362a91f406750767
Author: Alan Cox, Fri, 02 Nov 2007 03:41:27 +0100
aacraid: fix security hole (CVE-2007-4308)

On the SCSI layer ioctl path there is no implicit permissions check for ioctls (and indeed other drivers implement unprivileged ioctls). aacraid however allows all sorts of very admin-only things to be done, so it should check.

Signed-off-by: Alan Cox
Acked-by: Mark Salyzyn
Signed-off-by: Adrian Bunk

Commit: da8262844e325cc9361114c55e8507c1fee54941
Author: Steve French, Fri, 02 Nov 2007 03:30:35 +0100
CIFS should honour umask (CVE-2007-3740)

This patch makes CIFS honour a process' umask like other filesystems. Of course the server is still free to munge the permissions if it wants to; but the client will send the "right" permissions to begin with.
A few caveats:

1) It only applies to filesystems that have CAP_UNIX (aka support unix extensions)
2) It applies the correct mode to the follow-up CIFSSMBUnixSetPerms() after remote creation

When mode to CIFS/NTFS ACL mapping is complete we can do the same thing for that case for servers which do not support the Unix Extensions.

Signed-off-by: Matt Keenen
Signed-off-by: Steve French
Signed-off-by: Adrian Bunk

Commit: c515d9db76c3fe82243677ecfbff559d05f9e852
Author: John W. Linville, Fri, 02 Nov 2007 03:13:03 +0100
[IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)

Reported by Chris Evans:

> The summary is that an evil 80211 frame can crash out a victim's
> machine. It only applies to drivers using the 80211 wireless code, and
> only then to certain drivers (and even then depends on a card's
> firmware not dropping a dubious packet). I must confess I'm not
> keeping track of Linux wireless support, and the different protocol
> stacks etc.
>
> Details are as follows:
>
> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
> There are other skb->len checks, but not enough to prevent a subtle
> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
> set.
>
> This leads to integer underflow and crash here:
>
> if (frag != 0)
>         flen -= hdrlen;
>
> (flen is subsequently used as a memcpy length parameter).

How about this?

Signed-off-by: John W. Linville
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: d33e2f267f57e415d8d3fdca375652eb5767e908
Author: Oliver Neukum, Thu, 01 Nov 2007 04:30:09 +0100
Fix oops in pwc v4l driver

The pwc driver is deficient in locking, which can trigger an oops when disconnecting.

Adrian Bunk: Backported to 2.6.16.

Signed-off-by: Oliver Neukum
Signed-off-by: Adrian Bunk

Commit: 402a199dab7513f1f38fe3a0e0e8dd72a2de83f5
Author: Oliver Neukum, Sat, 27 Oct 2007 23:36:46 +0200
USB: fix DoS in pwc USB video driver (CVE-2007-5093)

The pwc driver has a disconnect method that waits for user space to close the device. This opens up an opportunity for a DoS attack, blocking the USB subsystem and making khubd's task busy wait in kernel space. This patch shifts freeing resources to close if an opened device is disconnected.

Adrian Bunk: Backported to 2.6.16.

Signed-off-by: Oliver Neukum
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Adrian Bunk

Commit: 9c456953203c95a8a9f959aa8d650a9be32d3e48
Author: Chris Wright, Wed, 24 Oct 2007 21:54:41 +0200
[SPARC64] pass correct addr in get_fb_unmapped_area(MAP_FIXED)

Looks like the MAP_FIXED case is using the wrong address hint. I'd expect the comment "don't mess with it" means pass the request straight on through, not change the address requested to -ENOMEM.

Signed-off-by: Chris Wright
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk
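The runt-frame check from the [IEEE80211] commit above (CVE-2007-4997), modelled in user space as an added example: this is not kernel code and not part of this changelog. The frame-control constants follow the 802.11 layout, the names flen, hdrlen and frag follow the commit text, and the two functions and the sample frames are constructed for the illustration (the unchecked one reproduces the pre-fix arithmetic, the checked one the "skb->len >= hdrlen" guard).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* 802.11 frame-control bits (same values as the kernel's IEEE80211_* macros). */
#define FCTL_FTYPE_MASK 0x000C
#define FTYPE_DATA      0x0008
#define STYPE_QOS_DATA  0x0080
#define FCTL_TODS       0x0100
#define FCTL_FROMDS     0x0200
#define SEQ_FRAG_MASK   0x000F
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Header length implied by frame control: 24 bytes, 30 with four addresses,
 * plus 2 for the QoS control field. That +2 is the off-by-two in the commit:
 * the other skb->len checks assume a plain 24-byte header. */
static size_t hdrlen_from_fc(uint16_t fc)
{
    size_t hdrlen = (fc & (FCTL_TODS | FCTL_FROMDS)) == (FCTL_TODS | FCTL_FROMDS) ? 30 : 24;
    if ((fc & FCTL_FTYPE_MASK) == FTYPE_DATA && (fc & STYPE_QOS_DATA))
        hdrlen += 2;
    return hdrlen;
}

/* Pre-fix behaviour (constructed model): for a non-first fragment, flen -= hdrlen
 * runs with no len >= hdrlen check, so a runt frame wraps flen to a huge value
 * that is then used as a memcpy() length. Caller guarantees len >= 24 here. */
static size_t fragment_len_unchecked(const uint8_t *frame, size_t len)
{
    size_t flen = len;
    if ((le16(frame + 22) & SEQ_FRAG_MASK) != 0)
        flen -= hdrlen_from_fc(le16(frame));
    return flen;
}

/* Hardened version: refuse any frame shorter than the header its own flags claim,
 * before any length arithmetic. Returns false when the frame should be dropped. */
static bool fragment_len_checked(const uint8_t *frame, size_t len, size_t *flen)
{
    if (len < 24)
        return false;                      /* cannot even read seq_ctl safely */
    size_t hdrlen = hdrlen_from_fc(le16(frame));
    if (len < hdrlen)
        return false;                      /* runt frame: drop, never subtract */
    unsigned frag = le16(frame + 22) & SEQ_FRAG_MASK;
    *flen = frag ? len - hdrlen : len;
    return true;
}

/* Constructed samples: QoS data frames (fc = 0x0088 -> hdrlen 26) marked as fragment 1;
 * the first is only 24 bytes long, i.e. shorter than its own header. */
static const uint8_t runt_qos_frame[24] = { 0x88, 0x00, [22] = 0x01 };
static const uint8_t good_qos_frame[40] = { 0x88, 0x00, [22] = 0x01 };
```

On the runt frame the unchecked arithmetic yields SIZE_MAX - 1, which is exactly the "integer underflow" the report describes, while the checked version drops the frame before subtracting.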