ChangeSet@1.1482, 2005-03-25 19:39:09-03:00, marcelo@logos.cnet
  CAN-2005-0794: Potential DOS in load_elf_library

  From: Herbert Xu

  Yichen Xie points out that load_elf_library can modify `elf_phdata'
  before freeing it.

  CAN-2005-0749 is assigned to this issue.

  Signed-off-by: Andrew Morton
  Signed-off-by: Chris Wright

ChangeSet@1.1481, 2005-03-25 17:23:04-03:00, mlafon@arkoon.net
  [PATCH] CAN-2005-0400: ext2 mkdir() directory entry random kernel memory leak

  I think I have discovered a potential security problem in ext2: when a
  new directory is created, the ext2 block written to disk is not
  initialized. An information leak can then be found after the two
  directory entries ('.' and '..') or in the name buffer of each entry
  (struct ext2_dir_entry_2).

  The following script can easily show the problem on Linux 2.4 and 2.6:

    #!/bin/sh
    # Build an 8 MiB image, format it as ext2 with 1 KiB blocks and no
    # reserved blocks, then create 500 directories so that 500 fresh
    # directory blocks are written to the image.
    FILE=foo
    dd if=/dev/zero of=$FILE bs=1k count=8192
    mke2fs -F -b 1024 -m0 $FILE
    mkdir -p mnt                       # mount point for the loop image
    mount -o loop $FILE mnt
    for D in `seq 500` ; do mkdir mnt/$D ; done
    umount mnt

  Using 'strings foo' will reveal the information leak in the file.

ChangeSet@1.1480, 2005-03-25 17:15:59-03:00, marcel@holtmann.org
  [PATCH] CAN-2005-0750: Fix af_bluetooth range checking bug, discovered by Ilja van Sprundel

  Fix range checking

ChangeSet@1.1479, 2005-03-25 17:05:21-03:00, magnus.damm@gmail.com
  [PATCH] eepro100: fix module parameter description typo

  I'm a bit late, but here's a patch that fixes a module parameter
  description typo in eepro100. The problem was located in the 2.6
  source and a fix should be in 2.6-mm soon.

ChangeSet@1.1478, 2005-03-25 16:58:30-03:00, gnb@melbourne.sgi.com
  [PATCH] link_path_walk refcount problem allows umount of active filesystem

  G'day,

  The attached patch fixes a bug in the VFS code which causes "Busy
  inodes after unmount" and a subsequent oops.

  Greg.
  --
  Greg Banks, R&D Software Engineer, SGI Australian Software Group.
  I don't speak for SGI.
  (attachment: sgi932676-fix-link-following-vfsmount-refcount-bug.patch)

  Following an absolute symlink opens a window during which the
  filesystem containing the symlink has an outstanding dentry count and
  no outstanding vfsmount count. A umount() of the filesystem can
  (incorrectly) proceed, resulting in the "Busy inodes after unmount"
  message and an oops shortly thereafter.

  Systems using autofs-controlled NFS mounts are especially vulnerable,
  as autofs both increases the number of unmounts happening and does NFS
  mounting in response to lookups which can result in multiple-second
  vulnerability windows. However the bug could happen on any filesystem.

  This patch adds a mntget()/mntput() pair around the link following
  code (as the 2.6 code does). Attempts to umount() during link
  following now return EBUSY.

  Signed-off-by: Greg Banks

ChangeSet@1.1477, 2005-03-25 16:43:25-03:00, horms@verge.net.au
  [PATCH] earlyquirk.o is needed for CONFIG_ACPI_BOOT

  I think that this patch to the Makefile is needed to ensure
  earlyquirk.c is compiled if CONFIG_ACPI_BOOT is enabled.

  Signed-off-by: Horms

ChangeSet@1.1448.128.1, 2005-03-24 14:06:27-06:00, shaggy@austin.ibm.com
  JFS: remove aops from directory inodes

  jfs no longer uses a directory inode's address space. Clean up the
  code by removing aops for directories altogether.

  Signed-off-by: Dave Kleikamp

ChangeSet@1.1475, 2005-03-24 10:27:54-08:00, davem@sunset.davemloft.net
  [TG3]: Update driver version and reldate.

  Signed-off-by: David S. Miller

ChangeSet@1.1474, 2005-03-24 10:11:46-08:00, davem@sunset.davemloft.net
  Merge sunset.davemloft.net:/home/davem/src/BK/network-2.4
  into sunset.davemloft.net:/home/davem/src/BK/net-2.4

ChangeSet@1.1473, 2005-03-24 09:17:10-03:00, horms@verge.net.au
  [PATCH] Backport v2.6 ATM copy-to-user signedness fix

  Apologies if this is already pending, but the signedness fix for
  atm_get_addr() in 2.6 seems to be needed for 2.4 as well.

  This relates to the bugs reported in this document
  http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html

  Backport of ATM copy-to-user signedness fix from 2.6

  Signed-off-by: Simon Horman

  ===== net/atm/addr.h 1.2 vs edited =====

ChangeSet@1.1472, 2005-03-24 09:13:38-03:00, relf@os2.ru
  [PATCH] fs/hpfs/*: fix HPFS support under 64-bit kernel

  The provided patch fixes HPFS filesystem support under 64-bit Linux
  kernel and closes the bugreport
  http://bugme.osdl.org/show_bug.cgi?id=4333

  The problem is in 'time_t' size which is 8 bytes on 64-bit systems
  (compared to 4 bytes on 32-bit systems). The patch introduces a local
  'time32_t' type of the fixed size 4 and uses it where required.

  Signed-off-by: Andrew Morton

ChangeSet@1.1471, 2005-03-24 09:00:35-03:00, neilb@cse.unsw.edu.au
  [PATCH] md: allow degraded raid1 array to resync after an unclean shutdown.

  The following is (I think) appropriate for 2.4.30.

  The bug it fixes can result in data corruption in a fairly unusual
  circumstance (having a 3 drive raid1 array running in degraded mode,
  and suffering a system crash).

  ### Comments for Changeset

  If a raid1 array has more than two devices, and not all are working,
  then it will not resync after an unclean shutdown (as it will think
  that it should reconstruct a failed drive, and will find there aren't
  any spares...)

  This patch fixes the problem.

  Problem found by Mario Holbe (thanks!)
  Signed-off-by: Neil Brown

ChangeSet@1.1470, 2005-03-24 09:00:05-03:00, neilb@cse.unsw.edu.au
  [PATCH] nlm: fix f_count leak

  The following patch is probably appropriate for 2.4.30.

  The problem it fixes is not a major one (no security or data
  corruption issues) but is an occasional annoyance, and the fix is
  trivial (and tested).

  ### Comments for Changeset

  I can't see any reason for this file->f_count++. Removing it fixes a
  bug which leaves an exported filesystem busy (and so unmountable) if a
  callback for a lock held on that filesystem ever failed.

  Found by Terence Rokop.

  Signed-off-by: J. Bruce Fields
  Signed-off-by: Neil Brown

ChangeSet@1.1448.127.15, 2005-03-23 12:28:00-08:00, davem@sunset.davemloft.net
  [TG3]: Missing counter bump in tigon3_4gb_hwbug_workaround().

  Signed-off-by: David S. Miller

ChangeSet@1.1448.127.14, 2005-03-23 11:46:55-08:00, davem@sunset.davemloft.net
  [TG3]: Add missing CHIPREV_5750_{A,B}X defines.

  Signed-off-by: David S. Miller

ChangeSet@1.1448.127.13, 2005-03-23 11:14:24-08:00, mchan@broadcom.com
  [TG3]: Add Broadcom copyright.

  Signed-off-by: Michael Chan
  ACKed-by: Jeff Garzik
  Signed-off-by: David S. Miller

ChangeSet@1.1448.127.12, 2005-03-23 11:12:50-08:00, mchan@broadcom.com
  [TG3]: Fix ethtool set functions

  Fix all relevant ethtool set functions to properly handle the
  not-netif_running() case. In most cases, the new settings are accepted
  without setting the hardware if not-netif_running(). The new settings
  will take effect when the device is subsequently brought up.
  tg3_nway_reset() is the exception where it will return -EAGAIN if
  not-netif_running().

  Signed-off-by: Michael Chan
  ACKed-by: Jeff Garzik
  Signed-off-by: David S. Miller

ChangeSet@1.1448.127.11, 2005-03-23 11:10:16-08:00, mchan@broadcom.com
  [TG3]: Fix jumbo frames phy settings

  Fix jumbo frame settings on all copper phys that support jumbo frames
  by setting the fifo elasticity bit. This setting is for the phy's tx
  fifo to properly handle jumbo frames.
  Note that a similar jumbo frame fix for the phy's rx fifo was made to
  tg3 in the past.

  Signed-off-by: Michael Chan
  ACKed-by: Jeff Garzik
  Signed-off-by: David S. Miller

ChangeSet@1.1448.127.10, 2005-03-23 11:07:57-08:00, mchan@broadcom.com
  [TG3]: Add unstable PLL workaround for 5750

  Add unstable PLL clock workaround for 5750 Ax and Bx devices. The
  workaround code is run just before entering D3hot state.

  Signed-off-by: Michael Chan
  ACKed-by: Jeff Garzik
  Signed-off-by: David S. Miller

ChangeSet@1.1448.127.9, 2005-03-23 11:05:37-08:00, mchan@broadcom.com
  [TG3]: Flush status block in tg3_interrupt()

  Add register read of PCI state register in tg3_interrupt() if status
  block's updated bit is not set. This will flush the status block and
  confirm whether the interrupt is ours or not. PCI ordering rules allow
  the interrupt to arrive at the CPU ahead of the status block that may
  be posted at the chipset.

  Signed-off-by: Michael Chan
  ACKed-by: Jeff Garzik
  Signed-off-by: David S. Miller

ChangeSet@1.1448.127.8, 2005-03-23 11:02:16-08:00, mchan@broadcom.com
  [TG3]: Add 5705_plus flag

  Add a 5705_plus flag to indicate the device is 5705, 5750, or future
  chips that all share the same basic architecture. This makes it easier
  to add support for future devices.

  Signed-off-by: Michael Chan
  ACKed-by: Jeff Garzik
  Signed-off-by: David S. Miller

ChangeSet@1.1469, 2005-03-23 13:00:39-03:00, zaitcev@redhat.com
  [PATCH] USB: Fix baud selection in mct_u232

  This is an obvious fix by Hansjoerg Lipp, which fixes baud rate
  selection for one of two types of MCT adapters. Unfortunately, I only
  have the other type, and so I let it slip in. I have tested this to
  build and not break my type.

  This fix is not yet present in Linus's 2.6, but I am confident that it
  will make it in due time. I keep MCT synched between 2.4 and 2.6, this
  patch applies to both trees.

ChangeSet@1.1448.127.7, 2005-03-22 19:06:48-08:00, shemminger@osdl.org
  [TCP]: BIC not binary searching correctly

  2.4 version of same fix as 2.6.11.
  The problem is that BIC is supposed to reset the cwnd to the last loss
  value rather than ssthresh when loss is detected. The correct code
  (from the BIC TCP code for Web100) is in this patch.

  Signed-off-by: Stephen Hemminger
  Signed-off-by: David S. Miller

ChangeSet@1.1448.127.6, 2005-03-22 18:42:38-08:00, kaber@trash.net
  [TUN]: Fix check for underflow.

  Backport fix from 2.6.x

  Signed-off-by: Patrick McHardy
  Signed-off-by: David S. Miller

ChangeSet@1.1468, 2005-03-22 14:30:33-03:00, zaitcev@redhat.com
  [PATCH] USB: fix oops in serial_write

  When I split the __serial_write off serial_write, the former took the
  NULL check away with it. However, the new serial_write still has a
  reference remaining in down(&port->sem). Joachim Nilsson corrected me.

ChangeSet@1.1466, 2005-03-18 13:47:58-07:00, kaos@sgi.com
  [IA64] Tighten up unw_unwind_to_user check

  Detect user space by the unwind frame with predicate PRED_USER_STACK
  set, instead of a user space IP. Tighten up the last ditch check for
  running off the top of the kernel stack.

  Based on a suggestion by David Mosberger, reworked to fit the current
  tree. This survives my stress test which used to break 2.6.9 kernels.
  Unlike 2.6.11, the stress test now unwinds to the correct point, so
  gdb can get the user space registers.

  Signed-off-by: Keith Owens
  Signed-off-by: Tony Luck

ChangeSet@1.1448.1.137, 2005-03-18 14:09:27-03:00, shemminger@osdl.org
  [PATCH] TCP BIC not binary searching correctly

  2.4 version of same fix as 2.6.11.

  The problem is that BIC is supposed to reset the cwnd to the last loss
  value rather than ssthresh when loss is detected. The correct code
  (from the BIC TCP code for Web100) is in this patch.

  Signed-off-by: Stephen Hemminger

TAG: v2.4.30-rc1
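The load_elf_library defect recorded in ChangeSet@1.1482 above ("can modify `elf_phdata' before freeing it") is a general bug class: the only variable holding an allocation is used as a cursor, so the cleanup path frees an interior pointer. The following user-space model is an added example, not the kernel's code and not part of this ChangeLog. The type phdr_t, the functions free_target_buggy, free_target_fixed, free_target_ok and pt_load_index, and the sample header tables are this example's own; the "fixed" shape keeps the allocation handle untouched and walks a separate cursor, which is one way to satisfy the commit message (the actual patch is not on this page). Both shapes return the pointer the cleanup path would hand to free() so the difference can be checked without performing the invalid free.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Program header types, values as in <elf.h>. */
#define PT_NULL 0
#define PT_LOAD 1
#define PT_NOTE 4

/* Cut-down stand-in for struct elf_phdr: only the field the search reads
 * (this example's own type, not the kernel's). */
typedef struct {
    uint32_t p_type;
    uint32_t p_offset;
} phdr_t;

/* Buggy shape: require exactly one PT_LOAD, then advance the one and only
 * handle on the allocation until it points at that header. Returns the
 * pointer the cleanup path would free; *load_idx is the PT_LOAD index, or
 * -1 on the -ENOEXEC path (where the untouched base is freed). */
static const phdr_t *free_target_buggy(const phdr_t *elf_phdata, size_t n,
                                       int *load_idx)
{
    const phdr_t *base = elf_phdata;   /* kept only to compute the index */
    size_t i, loads = 0;

    *load_idx = -1;
    for (i = 0; i < n; i++)
        if (elf_phdata[i].p_type == PT_LOAD)
            loads++;
    if (loads != 1)
        return elf_phdata;             /* error path: base is still intact */

    while (elf_phdata->p_type != PT_LOAD)
        elf_phdata++;                  /* the bug: the free() handle moves */
    *load_idx = (int)(elf_phdata - base);

    /* ... the segment would be mapped from *elf_phdata here ... */
    return elf_phdata;                 /* interior pointer reaches free() */
}

/* Fixed shape: a separate cursor does the walking, elf_phdata is never
 * modified. The bound on the walk is extra defence; loads == 1 already
 * guarantees a PT_LOAD exists. */
static const phdr_t *free_target_fixed(const phdr_t *elf_phdata, size_t n,
                                       int *load_idx)
{
    const phdr_t *eppnt = elf_phdata;
    size_t i, loads = 0;

    *load_idx = -1;
    for (i = 0; i < n; i++)
        if (elf_phdata[i].p_type == PT_LOAD)
            loads++;
    if (loads != 1)
        return elf_phdata;

    while (eppnt < elf_phdata + n && eppnt->p_type != PT_LOAD)
        eppnt++;
    *load_idx = (int)(eppnt - elf_phdata);
    return elf_phdata;                 /* always the allocator's pointer */
}

/* free() is only valid on exactly the pointer the allocator returned. */
static int free_target_ok(const phdr_t *base, const phdr_t *target)
{
    return base == target;
}

/* Index of the single PT_LOAD via the fixed path, or -1 if there is not
 * exactly one. */
static int pt_load_index(const phdr_t *phdrs, size_t n)
{
    int idx;
    (void)free_target_fixed(phdrs, n, &idx);
    return idx;
}

/* Constructed header tables (not from any real binary). In the first the
 * PT_LOAD is not the first entry, so the buggy walk moves the pointer. */
static const phdr_t sample_phdrs[] = {
    { PT_NOTE, 0x100 }, { PT_NOTE, 0x200 }, { PT_LOAD, 0x1000 }, { PT_NULL, 0 },
};
#define SAMPLE_N (sizeof sample_phdrs / sizeof sample_phdrs[0])
static const phdr_t two_loads[] = { { PT_LOAD, 0x1000 }, { PT_LOAD, 0x2000 } };
#define TWO_N (sizeof two_loads / sizeof two_loads[0])

int main(void)
{
    phdr_t *heap = malloc(sizeof sample_phdrs);
    const phdr_t *t_b, *t_f;
    int idx_b, idx_f;

    if (!heap)
        return 1;
    memcpy(heap, sample_phdrs, sizeof sample_phdrs);
    t_b = free_target_buggy(heap, SAMPLE_N, &idx_b);
    t_f = free_target_fixed(heap, SAMPLE_N, &idx_f);
    printf("buggy: PT_LOAD at %d, would free base+%td (%s)\n",
           idx_b, t_b - heap, free_target_ok(heap, t_b) ? "ok" : "WRONG");
    printf("fixed: PT_LOAD at %d, would free base+%td (%s)\n",
           idx_f, t_f - heap, free_target_ok(heap, t_f) ? "ok" : "WRONG");
    free(heap);                        /* only ever the malloc() result */
    return 0;
}
```

In the kernel the interior pointer goes to kfree(), which is where the denial of service the entry names comes from; the review check this example encodes is simply that every kfree() argument is a variable that has not been used as a loop cursor since it was assigned.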