commit 4d3a89200a923ef066014b850dc9c53d810f78bb Author: Greg Kroah-Hartman Date: Fri Nov 16 10:27:09 2007 -0800 Linux 2.6.22.13 commit 1ca9e250e9f8675dc1db7fcd1cee8c0bf0bfc071 Author: Ilpo Järvinen Date: Wed Nov 14 15:47:18 2007 -0800 TCP: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501) patch 96a2d41a3e495734b63bff4e5dd0112741b93b38 in mainline. NULL ptr can be returned from tcp_write_queue_head to cached_skb and then assigned to skb if packets_out was zero. Without this, system is vulnerable to a carefully crafted ACKs which obviously is remotely triggerable. Besides, there's very little that needs to be done in sacktag if there weren't any packets outstanding, just skipping the rest doesn't hurt. Signed-off-by: Ilpo Järvinen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5ef016ad9ba96a77a7249a2bd8d3196af5bfd920 Author: Roland McGrath Date: Tue Nov 13 22:11:50 2007 -0800 wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500) patch a3474224e6a01924be40a8255636ea5522c1023a in mainline The original meaning of the old test (p->state > TASK_STOPPED) was "not dead", since it was before TASK_TRACED existed and before the state/exit_state split. It was a wrong correction in commit 14bf01bb0599c89fc7f426d20353b76e12555308 to make this test for TASK_TRACED instead. It should have been changed when TASK_TRACED was introducted and again when exit_state was introduced. Signed-off-by: Roland McGrath Cc: Oleg Nesterov Cc: Alexey Dobriyan Cc: Kees Cook Acked-by: Scott James Remnant Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman