commit 37579d1574f6c18f1f648201c6b0850ac94094cd
Author: Greg Kroah-Hartman
Date:   Mon Feb 25 15:59:40 2008 -0800

    Linux 2.6.22.19

commit 98d047714d208a6f8a933175a32d7d33931198ad
Author: Jozsef Kadlecsik
Date:   Tue Feb 19 16:24:01 2008 +0100

    NETFILTER: nf_conntrack_tcp: conntrack reopening fix

    [NETFILTER]: nf_conntrack_tcp: conntrack reopening fix

    [Upstream commits b2155e7f + d0c1fd7a]

    TCP connection tracking in netfilter did not handle TCP reopening
    properly: active close was taken into account for one side only and
    not for any side, which is fixed now. The patch includes more comments
    to explain the logic of how the different cases are handled. The bug
    was discovered by Jeff Chua.

    Signed-off-by: Jozsef Kadlecsik
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 3b62bc1363411799eac3d7dab2412b2df3fa9ac0
Author: James Bottomley
Date:   Sat Feb 2 16:06:23 2008 -0600

    SCSI: sd: handle bad lba in sense information

    patch 366c246de9cec909c5eba4f784c92d1e75b4dc38 in mainline.

    Some devices report medium error locations incorrectly. Add guards to
    make sure the reported bad lba is actually in the request that caused
    it. Additionally remove the large case statement for sector sizes and
    replace it with the proper u64 divisions.

    Tested-by: Mike Snitzer
    Cc: Stable Tree
    Cc: Tony Battersby
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 07a854c8eeb63498124ea760dc1ffa4335627f75
Author: Jonathan Corbet
Date:   Sun Feb 17 18:18:36 2008 +0100

    Be more robust about bad arguments in get_user_pages()

    MAINLINE: 900cf086fd2fbad07f72f4575449e0d0958f860f

    So I spent a while pounding my head against my monitor trying to figure
    out the vmsplice() vulnerability - how could a failure to check for
    *read* access turn into a root exploit? It turns out that it's a buffer
    overflow problem which is made easy by the way get_user_pages() is
    coded.

    In particular, "len" is a signed int, and it is only checked at the
    *end* of a do {} while() loop. So, if it is passed in as zero, the loop
    will execute once and decrement len to -1. At that point, the loop will
    proceed until the next invalid address is found; in the process, it
    will likely overflow the pages array passed in to get_user_pages().

    I think that, if get_user_pages() has been asked to grab zero pages,
    that's what it should do. Thus this patch; it is, among other things,
    enough to block the (already fixed) root exploit and any others which
    might be lurking in similar code.

    I also think that the number of pages should be unsigned, but changing
    the prototype of this function probably requires some more careful
    review.

    Signed-off-by: Jonathan Corbet
    Signed-off-by: Linus Torvalds
    CC: Oliver Pinter
    Signed-off-by: Greg Kroah-Hartman

commit 7d495f4f808c8625900d9e52cb531992b350458d
Author: Christoph Lameter
Date:   Sun Feb 17 18:18:24 2008 +0100

    quicklists: Only consider memory that can be used with GFP_KERNEL

    patch 96990a4ae979df9e235d01097d6175759331e88c in mainline.

    Quicklists calculates the size of the quicklists based on the number of
    free pages. This must be the number of free pages that can be allocated
    with GFP_KERNEL. node_page_state() includes the pages in ZONE_HIGHMEM
    and ZONE_MOVABLE which may lead the quicklists to become too large
    causing OOM.

    Signed-off-by: Christoph Lameter
    Tested-by: Dhaval Giani
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Oliver Pinter

commit ad14c9bb60583f9eac5e7b33c052d2a9614d113f
Author: J. Bruce Fields
Date:   Thu Feb 7 21:03:57 2008 +0100

    knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME

    mainline: a16e92edcd0a2846455a30823e1bac964e743baa

    Without this we always return 2^32-1 as the maximum namelength.

    Signed-off-by: J. Bruce Fields
    Signed-off-by: Andreas Gruenbacher
    CC: Oliver Pinter
    Signed-off-by: Greg Kroah-Hartman

commit 29301cef1b0106eb400d83c971bdccf7e5bd6d46
Author: Trond Myklebust
Date:   Thu Feb 7 21:03:49 2008 +0100

    NFS: Fix an Oops in encode_lookup()

    mainline: 54af3bb543c071769141387a42deaaab5074da55

    It doesn't look as if the NFS file name limit is being initialised
    correctly in the struct nfs_server. Make sure that we limit whatever is
    being set in nfs_probe_fsinfo() and nfs_init_server(). Also ensure that
    readdirplus and nfs4_path_walk respect our file name limits.

    Signed-off-by: Trond Myklebust
    Signed-off-by: Linus Torvalds
    Acked-by: Neil Brown
    CC: Oliver Pinter
    Signed-off-by: Greg Kroah-Hartman

commit f3442df1495a8d424a47c735afa937a74651aa7c
Author: Trond Myklebust
Date:   Thu Feb 7 21:03:52 2008 +0100

    NFSv2/v3: Fix a memory leak when using -onolock

    mainline: 5cef338b30c110daf547fb13d99f0c77f2a79fbc

    Neil Brown said:
    > Hi Trond,
    >
    > We found that a machine which made moderately heavy use of
    > 'automount' was leaking some nfs data structures - particularly the
    > 4K allocated by rpc_alloc_iostats.
    > It turns out that this only happens with filesystems with -onolock
    > set.
    > The problem is that if NFS_MOUNT_NONLM is set, nfs_start_lockd doesn't
    > set server->destroy, so when the filesystem is unmounted, the
    > ->client_acl is not shutdown, and so several resources are still
    > held. Multiple mount/umount cycles will slowly eat away memory
    > several pages at a time.

    Signed-off-by: Trond Myklebust
    Acked-by: Neil Brown
    Signed-off-by: Neil Brown
    CC: Oliver Pinter
    Signed-off-by: Greg Kroah-Hartman

commit 89f2dc01cfed1c24b3f32af748698de35c3a0cae
Author: Trond Myklebust
Date:   Thu Feb 7 21:03:45 2008 +0100

    NFS: Fix nfs_reval_fsid()

    mainline: a0356862bcbeb20acf64bc1a82d28a4c5bb957a7

    We don't need to revalidate the fsid on the root directory. It suffices
    to revalidate it on the current directory.

    Signed-off-by: Trond Myklebust
    Acked-by: Neil Brown
    CC: Oliver Pinter
    Signed-off-by: Greg Kroah-Hartman

commit e48a28b355edad0cdc75c3bb8f78bd818bddcddc
Author: J. Bruce Fields
Date:   Thu Feb 7 21:03:41 2008 +0100

    knfsd: fix spurious EINVAL errors on first access of new filesystem

    mainline: ac8587dcb58e40dd336d99d60f852041e06cc3dd

    The v2/v3 acl code in nfsd is translating any return from fh_verify()
    to nfserr_inval. This is particularly unfortunate in the case of an
    nfserr_dropit return, which is an internal error meant to indicate to
    callers that this request has been deferred and should just be dropped
    pending the results of an upcall to mountd.

    Thanks to Roland for bug report and data collection.

    Cc: Roland
    Acked-by: Andreas Gruenbacher
    Signed-off-by: J. Bruce Fields
    Reviewed-By: NeilBrown
    Signed-off-by: Linus Torvalds
    CC: Oliver Pinter
    Signed-off-by: Greg Kroah-Hartman

commit 9b61cf92939ca83052fc8fe9ec814af0b837aa7b
Author: Stephen Hemminger
Date:   Thu Feb 7 21:03:38 2008 +0100

    via-velocity: don't oops on MTU change (resend)

    mainline: 48f6b053613b62fed7a2fe3255e5568260a8d615

    The VIA velocity driver needs the following to allow changing MTU when
    down. The buffer size needs to be computed when device is brought up,
    not when device is initialized. This also fixes a bug where the buffer
    size was computed differently on change_mtu versus initial setting.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Jeff Garzik
    Acked-by: Jeff Mahoney
    CC: Oliver Pinter
    Signed-off-by: Greg Kroah-Hartman

commit b370032cf7f9f8fc85d7a7a5fb1fb4edd3e90f1e
Author: Stephen Hemminger
Date:   Thu Feb 7 21:03:34 2008 +0100

    VIA_VELOCITY: Don't oops on MTU change.

    mainline: bd7b3f34198071d8bec05180530c362f1800ba46

    Simple mtu change when device is down.
    Fix http://bugzilla.kernel.org/show_bug.cgi?id=9382.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Acked-by: Jeff Mahoney
    CC: Oliver Pinter
    Signed-off-by: Greg Kroah-Hartman

commit 63afcbcd514fd9ea2a762ed64e33093ab45cc56d
Author: Mattia Dongili
Date:   Thu Feb 7 21:03:29 2008 +0100

    sony-laptop: call sonypi_compat_init earlier

    mainline: 015a916fbbf105bb15f4bbfd80c3b9b2f2e0d7db

    sonypi_compat uses a kfifo that needs to be present before _SRS is
    called to be able to cope with the IRQs triggered when setting
    resources.

    Signed-off-by: Mattia Dongili
    Signed-off-by: Len Brown
    Acked-by: Jeff Mahoney
    CC: Oliver Pinter
    Signed-off-by: Greg Kroah-Hartman

commit 366f6bc3be23358dd9796129373eeebfeffb79e1
Author: Kees Cook
Date:   Thu Feb 7 21:03:26 2008 +0100

    pci: fix unterminated pci_device_id lists

    mainline: 248bdd5efca5a113cbf443a993c69e53d370236b

    Fix a couple of drivers that do not correctly terminate their
    pci_device_id lists. This results in garbage being spewed into
    modules.pcimap when the module happens to not have 28 NULL bytes
    following the table, and/or the last PCI ID is actually truncated from
    the table when calculating the modules.alias PCI aliases, causing those
    unfortunate device IDs to not auto-load.

    Signed-off-by: Kees Cook
    Acked-by: Corey Minyard
    Cc: David Woodhouse
    Acked-by: Jeff Garzik
    Cc: Greg KH
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Acked-by: Jeff Mahoney
    CC: Oliver Pinter
    Signed-off-by: Greg Kroah-Hartman

commit 03f75e32447ea0de96cdb18e9a4383af39ae1b14
Author: Wang Zhenyu
Date:   Thu Feb 7 21:03:21 2008 +0100

    Intel_agp: really fix 945/965GME

    mainline: dde4787642ee3cb85aef80bdade04b6f8ddc3df8

    Fix some missing places to check with device id info, which should
    probe the device gart correctly.

    Signed-off-by: Wang Zhenyu
    Signed-off-by: Dave Airlie
    Acked-by: Takashi Iwai
    CC: Oliver Pinter
    Signed-off-by: Greg Kroah-Hartman

commit 40606733c750e2ce350490cac151188c97fae229
Author: Peter Zijlstra
Date:   Thu Feb 7 21:03:18 2008 +0100

    i386: fixup TRACE_IRQ breakage (CVE-2007-3731)

    mainline: a10d9a71bafd3a283da240d2868e71346d2aef6f

    The TRACE_IRQS_ON function in iret_exc: calls a C function without
    ensuring that the segments are set properly. Move the trace function
    and the enabling of interrupt into the C stub.

    Signed-off-by: Peter Zijlstra
    Signed-off-by: Linus Torvalds
    Acked-by: Jeff Mahoney
    CC: Oliver Pinter
    Signed-off-by: Greg Kroah-Hartman

commit 318d99d5da9c2f90eb436b2e9cbc38a3ef0d2e39
Author: Roland McGrath
Date:   Thu Feb 7 21:03:16 2008 +0100

    Handle bogus %cs selector in single-step instruction decoding (CVE-2007-3731)

    Handle bogus %cs selector in single-step instruction decoding

    mainline: 29eb51101c02df517ca64ec472d7501127ad1da8

    The code for LDT segment selectors was not robust in the face of a
    bogus selector set in %cs via ptrace before the single-step was done.

    Signed-off-by: Roland McGrath
    Signed-off-by: Linus Torvalds
    Acked-by: Jeff Mahoney
    CC: Oliver Pinter
    Signed-off-by: Greg Kroah-Hartman

commit 0c2154ad89908b1e5f851687906782e825d9ad29
Author: Trond Myklebust
Date:   Fri Feb 8 14:23:35 2008 -0500

    NFS: Fix a potential file corruption issue when writing

    patch 5d47a35600270e7115061cb1320ee60ae9bcb6b8 in mainline.

    If the inode is flagged as having an invalid mapping, then we can't
    rely on the PageUptodate() flag. Ensure that we don't use the
    "anti-fragmentation" write optimisation in nfs_updatepage(), since that
    will cause NFS to write out areas of the page that are no longer
    guaranteed to be up to date.

    A potential corruption could occur in the following scenario:

    client 1                                client 2
    ===============                         ===============
    fd=open("f",O_CREAT|O_WRONLY,0644);
    write(fd,"fubar\n",6); // cache last page
    close(fd);
                                            fd=open("f",O_WRONLY|O_APPEND);
                                            write(fd,"foo\n",4);
                                            close(fd);
    fd=open("f",O_WRONLY|O_APPEND);
    write(fd,"bar\n",4);
    close(fd);
    -----
    The bug may lead to the file "f" reading 'fubar\n\0\0\0\nbar\n' because
    client 2 does not update the cached page after re-opening the file for
    write. Instead it keeps it marked as PageUptodate() until someone calls
    invalidate_inode_pages2() (typically by calling read()).

    The bug was introduced by commit 44b11874ff583b6e766a05856b04f3c492c32b84
    "NFS: Separate metadata and page cache revalidation mechanisms"

    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 116b64c43df306c3770a52118effdd5d96f51fd5
Author: Christoph Lameter
Date:   Sat Dec 22 14:03:23 2007 -0800

    quicklists: do not release off node pages early

    dhaval@linux.vnet.ibm.com, clameter@sgi.com
    Message-ID: <200712222203.lBMM3Nsk021922@imap1.linux-foundation.org>
    From: Christoph Lameter

    patch ed367fc3a7349b17354c7acef551533337764859 in mainline.

    quicklists must keep even off node pages on the quicklists until the
    TLB flush has been completed.

    Signed-off-by: Christoph Lameter
    Cc: Dhaval Giani
    Cc: Oliver Pinter
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit e7df3e44961ced101d56895acd896bf9d6382275
Author: Ian Abbott
Date:   Mon Feb 4 13:56:36 2008 +0000

    PCI: Fix fakephp deadlock

    This patch works around a problem in the fakephp driver when a process
    writing "0" to a "power" sysfs file to fake removal of a PCI device
    ends up deadlocking itself in the sysfs code.

    The patch is functionally identical to the one in Linus' tree post
    2.6.24:

    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=5c796ae7a7ebe56967ed9b9963d7c16d733635ff

    I have tested it on a 2.6.22 kernel.

    Signed-off-by: Ian Abbott
    Signed-off-by: Greg Kroah-Hartman

commit 671beaa8438051f80672ce665b25169b9ab2e766
Author: Mikael Pettersson
Date:   Wed Jan 16 10:32:17 2008 +0100

    sata_promise: ASIC PRD table bug workaround

    patch b9ccd4a90bbb964506f01b4bdcff4f50f8d5d334 in mainline.

    Second-generation Promise SATA controllers have an ASIC bug which can
    trigger if the last PRD entry is larger than 164 bytes, resulting in
    intermittent errors and possible data corruption.

    Work around this by replacing calls to ata_qc_prep() with a private
    version that fills the PRD, checks the size of the last entry, and if
    necessary splits it to avoid the bug. Also reduce sg_tablesize by 1 to
    accommodate the new entry.

    Tested on the second-generation SATA300 TX4 and SATA300 TX2plus, and
    the first-generation PDC20378.

    Thanks to Alexander Sabourenkov for verifying the bug by studying the
    vendor driver, and for writing the initial patch upon which this one is
    based.

    Signed-off-by: Mikael Pettersson
    Cc: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit ce0ec12c7cd4b01e5137fdfe58fb91f7663744f6
Author: Mikael Pettersson
Date:   Wed Jan 16 10:31:22 2008 +0100

    sata_promise: FastTrack TX4200 is a second-generation chip

    patch 7f9992a23190418592f0810900e4f91546ec41da in mainline.

    This patch corrects sata_promise to classify FastTrack TX4200 (DID
    3515/3519) as a second-generation chip. Promise's partial-source FT
    TX4200 driver confirms this classification.

    Treating it as a first-generation chip causes several problems:

    1. Detection failures. This is a recent regression triggered by the
       hotplug-enabling changes in 2.6.23-rc1.
    2. Various "failed to resume link for reset" warnings.

    This patch fixes .

    Thanks to Stephen Ziemba for reporting the bug and for testing the fix.

    Signed-off-by: Mikael Pettersson
    Signed-off-by: Greg Kroah-Hartman

commit bc0fb02f5fd30a518b659320b89ee58ea78fb979
Author: Jesper Juhl
Date:   Thu Feb 7 21:03:11 2008 +0100

    cciss: fix memory leak

    mainline: f2912a1223c0917a7b4e054f18086209137891ea

    There's a memory leak in the cciss driver. In alloc_cciss_hba() we may
    leak sizeof(ctlr_info_t) bytes if a call to alloc_disk(1 << NWD_SHIFT)
    fails. This patch should fix the issue.

    Spotted by the Coverity checker.

    Signed-off-by: Jesper Juhl
    Acked-by: Mike Miller
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Oliver Pinter
    Signed-off-by: Greg Kroah-Hartman