Commit: ae793603c3a69cf676d48233106e515fbdf4ceb2 Author: Adrian Bunk Sun, 27 Jan 2008 18:58:41 +0200 Linux 2.6.16.60 Commit: 29841b66d1ab6491d7fc6600ff760ad2c7082022 Author: Adrian Bunk Mon, 21 Jan 2008 21:06:04 +0200 Linux 2.6.16.60-rc1 Commit: 1ab450b035f18aca5bb219ba3de45ca04e2df2b9 Author: Trond Myklebust Mon, 21 Jan 2008 21:04:16 +0200 NFS: call nfs_wb_all() only on regular files It looks like nfs_setattr() and nfs_rename() also need to test whether the target is a regular file before calling nfs_wb_all()... It isn't technically needed since the version of nfs_wb_all() that exists on 2.6.16 should be safe to call on non-regular files (it will be a no-op). However it is a useful optimisation. Signed-off-by: Trond Myklebust Signed-off-by: Adrian Bunk Commit: 83005c1cb725c489abba78e08908d76bb248ef82 Author: Trond Myklebust Mon, 21 Jan 2008 21:02:11 +0200 NFS: writes should not clobber utimes() calls Ensure that we flush out writes in the case when someone calls utimes() in order to set the file times. Signed-off-by: Trond Myklebust Signed-off-by: Adrian Bunk Commit: 0b8a0a777d2d114f84716117ffb36a3d3644b7fe Author: Ingo Molnar Mon, 21 Jan 2008 02:20:19 +0200 vfs: coredumping fix (CVE-2007-6206) fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043 only allow coredumping to the same uid that the coredumping task runs under. Signed-off-by: Ingo Molnar Signed-off-by: Adrian Bunk Commit: b39c2791e24103cd13375843cb48a5046395902d Author: Karsten Keil Mon, 21 Jan 2008 00:10:25 +0200 I4L: fix isdn_ioctl memory overrun vulnerability (CVE-2007-6151) Fix possible memory overrun issue in the isdn ioctl code. Found by ADLAB Signed-off-by: Karsten Keil Signed-off-by: Adrian Bunk Commit: 85d24e1c313cba60ce2baf708b01a5d22e3f6e4a Author: Karsten Keil Mon, 21 Jan 2008 00:11:35 +0200 isdn: avoid copying overly-long strings (CVE-2007-6063) Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9416 Signed-off-by: Karsten Keil Signed-off-by: Adrian Bunk Commit: b7894b17ce3e6bac25b827ea33ff16c476d4b992 Author: Al Viro Sun, 20 Jan 2008 20:41:26 +0200 [NET]: Generic checksum annotations and cleanups. Signed-off-by: Al Viro Signed-off-by: Adrian Bunk Commit: be960fae271c48371a3836f07c63f863f7f19a3d Author: Adrian Bunk Sun, 20 Jan 2008 20:29:06 +0200 drivers/scsi/BusLogic.c: #ifdef MODULE BusLogic_pci_tbl[] Signed-off-by: Adrian Bunk Commit: 05039306797df74dfb120a71d287ea640968665d Author: Ben Collins Sun, 20 Jan 2008 19:50:13 +0200 [BusLogic] Add pci dev table for auto module loading. Signed-off-by: Ben Collins Signed-off-by: Adrian Bunk Commit: 4bd7834e412c9f4478f9a17c5f7768d21b87fc63 Author: Herbert Xu Mon, 21 Jan 2008 02:14:02 +0200 [ATM]: Check IP header validity in mpc_send_packet [ Upstream commit: 1c9b7aa1eb40ab708ef3242f74b9a61487623168 ] Al went through the ip_fast_csum callers and found this piece of code that did not validate the IP header. While root crashing the machine by sending bogus packets through raw or AF_PACKET sockets isn't that serious, it is still nice to react gracefully. This patch ensures that the skb has enough data for an IP header and that the header length field is valid. Adrian Bunk: Backported to 2.6.16 following instructions by David Miller. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk Commit: d2c758a5fa26777d955fc2bade9c338d1aed5117 Author: Eric Dumazet Sun, 20 Jan 2008 22:12:16 +0200 [IPV4] ROUTE: ip_rt_dump() is unecessary slow [ Upstream commit: d8c9283089287341c85a0a69de32c2287a990e71 ] I noticed "ip route list cache x.y.z.t" can be *very* slow. While strace-ing -T it I also noticed that first part of route cache is fetched quite fast : recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = +3772 <0.000047> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) += 3736 <0.000042> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) += 3740 <0.000055> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) += 3712 <0.000043> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) += 3732 <0.000053> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = +3708 <0.000052> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = +3680 <0.000041> while the part at the end of the table is more expensive: recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., +16384}], msg_controllen=0, msg_flags=0}, 0) = 3656 <0.003857> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., +16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.003891> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., +16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.003765> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., +16384}], msg_controllen=0, msg_flags=0}, 0) = 3700 <0.003879> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., +16384}], msg_controllen=0, msg_flags=0}, 0) = 3676 <0.003797> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., +16384}], msg_controllen=0, msg_flags=0}, 0) = 3724 <0.003856> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, +msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., +16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.003848> The following patch corrects this performance/latency problem, removing quadratic behavior. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk Commit: 9160766b83a51267e3cd2987ed3c2690e3d059f9 Author: Al Viro Sun, 20 Jan 2008 22:05:18 +0200 [NET]: Introduce types for checksums. New types - for 16bit checksums and "unfolded" 32bit variant. Signed-off-by: Al Viro Signed-off-by: Adrian Bunk Commit: fdd75e9bc2cb0a54bd435645dc7e8522b1c6a945 Author: David S. Miller Sun, 20 Jan 2008 22:02:20 +0200 [CASSINI]: Set skb->truesize properly on receive packets. [ Upstream commit: d011a231675b240157a3c335dd53e9b849d7d30d ] skb->truesize was not being incremented at all to reflect the page based data added to RX SKBs. Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk Commit: cffb92d239bd8a236fea210f09a791aae222a50a Author: Al Viro Sun, 20 Jan 2008 22:00:26 +0200 [CASSINI]: Fix endianness bug. [ Upstream commit: e5e025401f6e926c1d9dc3f3f2813cf98a2d8708 ] Here's proposed fix for RX checksum handling in cassini; it affects little-endian working with half-duplex gigabit, but obviously needs testing on big-endian too. The problem is, we need to convert checksum to fixed-endian *before* correcting for (unstripped) FCS. On big-endian it won't matter (conversion is no-op), on little-endian it will, but only if FCS is not stripped by hardware; i.e. in half-duplex gigabit mode when ->crc_size is set. cassini.c part is that fix, cassini.h one consists of trivial endianness annotations. With that applied the sucker is endian-clean, according to sparse. Signed-off-by: Al Viro Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk Commit: 52f6ca5fd3ee8658e72a901bce6d91eaa7940c6b Author: Chas Williams Sun, 20 Jan 2008 21:43:46 +0200 [ATM]: [nicstar] delay irq setup until card is configured [ Upstream commit: 52961955aa180959158faeb9fd6b4f8a591450f5 ] Adrian Bunk: Backported to 2.6.16. Signed-off-by: Chas Williams Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk Commit: ac3cb3e487a980ccade6650b85ce845e875af91b Author: Jeff Moyer Sun, 20 Jan 2008 21:31:32 +0200 raw: don't allow the creation of a raw device with minor number 0 Minor number 0 (under the raw major) is reserved for the rawctl device file, which is used to query, set, and unset raw device bindings. However, the ioctl interface does not protect the user from specifying a raw device with minor number 0: $ sudo ./raw /dev/raw/raw0 /dev/VolGroup00/swap /dev/raw/raw0: bound to major 253, minor 2 $ ls -l /dev/rawctl ls: /dev/rawctl: No such file or directory $ ls -l /dev/raw/raw0 crw------- 1 root root 162, 0 Jan 12 10:51 /dev/raw/raw0 $ sudo ./raw -qa Cannot open master raw device '/dev/rawctl' (No such file or directory) As you can see, this prevents any further raw operations from succeeding. The fix (from Steve Fernandez) is quite simple - do not allow the allocation of minor number 0. Signed-off-by: Jeff Moyer Signed-off-by: Adrian Bunk