commit 430adffc974f48193d84419c46c4791ac55ae079
Author: Greg Kroah-Hartman
Date:   Thu May 1 14:50:00 2008 -0700

    Linux 2.6.24.6

commit 344fb8a49535f2392811eadd6f942303f48694ea
Author: Al Viro
Date:   Thu May 1 03:52:22 2008 +0100

    Fix dnotify/close race (CVE-2008-1375)

    commit 214b7049a7929f03bbd2786aaef04b8b79db34e2 upstream.

    We have a race between fcntl() and close() that can lead to dnotify_struct
    inserted into inode's list *after* the last descriptor had been gone from
    current->files. Since that's the only point where dnotify_struct gets
    evicted, we are screwed - it will stick around indefinitely. Even after
    struct file in question is gone and freed.

    Worse, we can trigger send_sigio() on it at any later point, which allows
    sending an arbitrary signal to an arbitrary process if we manage to apply
    enough memory pressure to get the page that used to host that struct file
    and fill it with the right pattern...

    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit ce5fb29181362dbb2d0506f6f0150b6643d7f5e1
Author: Paul Bolle
Date:   Sun Apr 13 22:44:20 2008 -0700

    ISDN: Do not validate ISDN net device address prior to interface-up

    Commit bada339 (Validate device addr prior to interface-up) caused a
    regression in the ISDN network code, see:
    http://bugzilla.kernel.org/show_bug.cgi?id=9923

    The trivial fix is to remove the pointer to eth_validate_addr() in the
    net_device struct in isdn_net_init().

    Signed-off-by: Paul Bolle
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit dcd8f5bca3782f180c028446710edc16ebce73f6
Author: Steven Toth
Date:   Thu Apr 24 20:52:42 2008 -0400

    V4L: cx88: enable radio GPIO correctly

    This patch fixes an issue on the HVR1300, where GPIO is blown away due to
    the radio input being undefined, breaking the functionality of the DVB
    demodulator and MPEG2 encoder used on the cx8802 mpeg TS port.

    This is a minimal patch for 2.6.26 and the -stable series. This must be
    fixed a better way for 2.6.27.

    Signed-off-by: Steven Toth
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    (cherry picked from commit 6b92b3bd7ac91b7e255541f4be9bfd55b12dae41)
    Signed-off-by: Greg Kroah-Hartman

commit ef4fe7f473ba8edf4fb6931fab80fec45fbfbf01
Author: Alan Cox
Date:   Thu Apr 24 20:52:26 2008 -0400

    V4L: Fix VIDIOCGCAP corruption in ivtv

    Frank Bennett reported that ivtv was causing skype to crash. With help
    from one of their developers he showed it was a kernel problem.

    VIDIOCGCAP copies a name into a fixed length buffer - ivtv uses names
    that are too long and does not truncate them so corrupts a few bytes of
    the app data area.

    Possibly the names also want trimming but for now this should fix the
    corruption case.

    Signed-off-by: Alan Cox
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    (cherry picked from commit d2b213f7b76f187c4391079c7581d3a08b940133)
    Signed-off-by: Greg Kroah-Hartman

commit 31ae1b20f94c8628b1db1eb417bf87ad44c92fc9
Author: Greg Kroah-Hartman
Date:   Thu Apr 17 03:05:15 2008 +0000

    USB: remove broken usb-serial num_endpoints check

    commit: 07c3b1a1001614442c665570942a3107a722c314

    The num_interrupt_in, num_bulk_in, and other checks in the usb-serial
    code are just wrong, there are too many different devices out there with
    different numbers of endpoints. We need to just be sticking with the
    device ids instead of trying to catch this kind of thing. It broke too
    many different devices.

    This fixes a large number of usb-serial devices to get them working
    properly again.

    Cc: Oliver Neukum
    Signed-off-by: Greg Kroah-Hartman

commit 085b9f23e255e984b771660eca2aa737f72dbc00
Author: John Heffner
Date:   Fri Apr 25 01:43:57 2008 -0700

    Increase the max_burst threshold from 3 to tp->reordering.

    [ Upstream commit: dd9e0dda66ba38a2ddd1405ac279894260dc5c36 ]

    This change is necessary to allow cwnd to grow during persistent
    reordering. Cwnd moderation is applied when in the disorder state and an
    ack that fills the hole comes in. If the hole was greater than 3 packets,
    but less than tp->reordering, cwnd will shrink when it should not have.

    Signed-off-by: John Heffner
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit c3648f834964ad96b9f567776088ebb28f241172
Author: David Woodhouse
Date:   Wed Apr 23 11:15:35 2008 +0100

    JFFS2: Fix free space leak with in-band cleanmarkers

    We were accounting for the cleanmarker by calling jffs2_link_node_ref()
    (without locking!), which adjusted both superblock and per-eraseblock
    accounting, subtracting the size of the cleanmarker from {jeb,c}->free_size
    and adding it to {jeb,c}->used_size.

    But only _then_ were we adding the size of the newly-erased block back to
    the superblock counts, and we were adding each of jeb->{free,used}_size to
    the corresponding superblock counts. Thus, the size of the cleanmarker was
    effectively subtracted from the superblock's free_size _twice_.

    Fix this, by always adding a full eraseblock size to c->free_size when
    we've erased a block. And call jffs2_link_node_ref() under the proper
    lock, while we're at it.

    Thanks to Alexander Yurchenko and/or Damir Shayhutdinov for (almost)
    pinpointing the problem.

    [Backport of commit 014b164e1392a166fe96e003d2f0e7ad2e2a0bb7]

    Signed-off-by: David Woodhouse
    Signed-off-by: Greg Kroah-Hartman

commit a086bcfa9947a04075f446fe4ee435070ced9bb9
Author: Jan Altenberg
Date:   Tue Feb 19 01:44:50 2008 +0100

    USB: gadget: queue usb USB_CDC_GET_ENCAPSULATED_RESPONSE message

    backport of 41566bcf35a8b23ce4715dadb5acfd1098c1d3e4

    commit 0cf4f2de0a0f4100795f38ef894d4910678c74f8 introduced a bug, which
    prevents sending a USB_CDC_GET_ENCAPSULATED_RESPONSE message. This breaks
    the RNDIS initialization (especially / only Windoze machines dislike this
    behavior...).

    Signed-off-by: Benedikt Spranger
    Signed-off-by: Jan Altenberg
    Acked-by: David Brownell
    Cc: Vernon Sauder
    Signed-off-by: Greg Kroah-Hartman

commit f1b6098616f329d26199f278f228a7b27d36558d
Author: Jeff Garzik
Date:   Fri Apr 25 03:11:31 2008 -0400

    tehuti: move ioctl perm check closer to function start (CVE-2008-1675)

    Commit f946dffed6334f08da065a89ed65026ebf8b33b4 upstream

    Noticed by davem.

    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit a30678eb8ce99a7b4c716ad41c8c10a04d731127
Author: Francois Romieu
Date:   Sun Apr 20 19:32:34 2008 +0200

    tehuti: check register size (CVE-2008-1675)

    Signed-off-by: Francois Romieu
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 2d66f3a83fa0894cfa51669aa262dcbf1d4101ee
Author: PJ Waskiewicz
Date:   Mon Apr 28 11:56:03 2008 -0700

    x86: Fix 32-bit x86 MSI-X allocation leakage

    commit 9d9ad4b51d2b29b5bbeb4011f5e76f7538119cf9 upstream

    This bug was introduced in the 2.6.24 lguest tree merge, where MSI-X
    vector allocation will eventually fail. The cause is the new bit array
    tracking used vectors is not getting cleared properly on IRQ destruction
    on the 32-bit APIC code.

    This can be seen easily using the ixgbe 10 GbE driver on multi-core
    systems by simply loading and unloading the driver a few times. Depending
    on the number of available vectors on the host system, the MSI-X
    allocation will eventually fail, and the driver will only be able to use
    legacy interrupts.

    Signed-off-by: Peter P Waskiewicz Jr
    Signed-off-by: Greg Kroah-Hartman

commit d86fc5ca7bb6b952151e7e671349d312060f20d7
Author: Karsten Keil
Date:   Fri Jan 25 11:55:28 2008 +0100

    fix oops on rmmod capidrv

    commit eb36f4fc019835cecf0788907f6cab774508087b upstream.

    Fix overwriting the stack with the version string (it is currently 10
    bytes + zero) when unloading the capidrv module. Safeguard against
    overwriting it should the version string grow in the future.

    Should fix Kernel Bug Tracker Bug 9696.

    Signed-off-by: Gerd v. Egidy
    Acked-by: Karsten Keil
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 1a825fd5424d59bdd791491a952ede2f99dae24c
Author: Hugh Dickins
Date:   Thu Apr 3 23:35:22 2008 +0100

    splice: use mapping_gfp_mask

    upstream commit: 4cd13504652d28e16bf186c6bb2bbb3725369383

    The loop block driver is careful to mask __GFP_IO|__GFP_FS out of its
    mapping_gfp_mask, to avoid hangs under memory pressure. But nowadays it
    uses splice, usually going through __generic_file_splice_read. That must
    use mapping_gfp_mask instead of GFP_KERNEL to avoid those hangs.

    Signed-off-by: Hugh Dickins
    Cc: Jens Axboe
    Cc: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
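The free-space leak described in the JFFS2 commit above (c3648f83, "Fix free space leak with in-band cleanmarkers") can be reproduced with a simplified model of the superblock and eraseblock counters. This is an added illustration written for this changelog, not JFFS2's own code: SECTOR_SIZE, CLEANMARKER_SIZE, INITIAL_FREE, struct counters and the function names are assumed, and link_cleanmarker() only stands in for what the commit says jffs2_link_node_ref() does to the counters.

```c
#include <stdio.h>

/* Assumed sizes (bytes) for this model; not taken from JFFS2. */
#define SECTOR_SIZE      65536u              /* one eraseblock */
#define CLEANMARKER_SIZE 12u                 /* in-band cleanmarker node */
#define INITIAL_FREE     (3u * SECTOR_SIZE)  /* free space before the erase */

struct counters { unsigned free_size, used_size; };

/* Stands in for jffs2_link_node_ref(): the cleanmarker node is charged to
 * both the eraseblock (jeb) and the superblock (c). */
static void link_cleanmarker(struct counters *c, struct counters *jeb)
{
    jeb->free_size -= CLEANMARKER_SIZE;
    jeb->used_size += CLEANMARKER_SIZE;
    c->free_size   -= CLEANMARKER_SIZE;
    c->used_size   += CLEANMARKER_SIZE;
}

/* Old order: link the marker first, then fold jeb->{free,used}_size into the
 * superblock. c->free_size already lost the marker once, and jeb->free_size
 * is SECTOR_SIZE minus the marker, so the marker is subtracted twice.
 * Returns the superblock free_size after erasing one block. */
unsigned free_after_erase_buggy(void)
{
    struct counters c = { INITIAL_FREE, 0 }, jeb = { SECTOR_SIZE, 0 };
    link_cleanmarker(&c, &jeb);
    c.free_size += jeb.free_size;
    c.used_size += jeb.used_size;
    return c.free_size;
}

/* Fixed order: credit a full eraseblock to c->free_size first, then link the
 * marker, which charges it exactly once. */
unsigned free_after_erase_fixed(void)
{
    struct counters c = { INITIAL_FREE, 0 }, jeb = { SECTOR_SIZE, 0 };
    c.free_size += SECTOR_SIZE;
    link_cleanmarker(&c, &jeb);
    return c.free_size;
}

int main(void)
{
    /* The difference between the two results is the space leaked per erase. */
    printf("buggy %u, fixed %u, leaked %u\n", free_after_erase_buggy(),
           free_after_erase_fixed(), free_after_erase_fixed() - free_after_erase_buggy());
    return 0;
}
```

Every erase under the old order loses exactly one cleanmarker's worth of free space from the superblock total, which is why the leak grew with the number of erase cycles rather than showing up as a one-off mismatch.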