ChangeSet@1.1482, 2005-03-25 19:39:09-03:00, marcelo@logos.cnet
  CAN-2005-0794: Potential DOS in load_elf_library
  
  From: Herbert Xu <herbert@gondor.apana.org.au>
  
  Yichen Xie <yxie@cs.stanford.edu> points out that load_elf_library can
  modify `elf_phdata' before freeing it.
  
  CAN-2005-0749 is assigned to this issue.
  
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: Chris Wright <chrisw@osdl.org>
  

ChangeSet@1.1481, 2005-03-25 17:23:04-03:00, mlafon@arkoon.net
  [PATCH] CAN-2005-0400: ext2 mkdir() directory entry random kernel memory leak
  
  I think I have discovered a potential security problem in ext2: when a
  new directory is created, the ext2 block written to disk is not
  initialized.
  
  An information leak can then be found after the two directory entries ('.'
  and '..') or in the name buffer of each entry (struct ext2_dir_entry_2).
  
  The following script can easily show the problem on Linux 2.4 and 2.6:
  
  #!/bin/sh
  FILE=foo
  dd if=/dev/zero of=$FILE bs=1k count=8192
  mke2fs -F -b 1024 -m0 $FILE
  mount -o loop $FILE mnt
  for D in `seq 500` ; do mkdir mnt/$D ; done
  umount mnt
  
  Using 'strings foo' will reveal the information leak in the file.
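The check below is an added example, not part of the original changelog or the kernel source: it walks the ext2_dir_entry_2 records of one directory block and reports non-zero bytes left in the unused space the report describes, which is one way to confirm that new directory blocks are zero-filled. The sample blocks and the helper names (parse_dir_block, nonzero_slack, make_new_dir_block) are constructed for illustration.

```python
import re
import struct

# On-disk header of struct ext2_dir_entry_2: inode, rec_len, name_len, file_type
DIRENT_HEADER = struct.Struct("<IHBB")

def parse_dir_block(block):
    """Return [(offset, rec_len, name)] for every entry in one directory block."""
    entries, off = [], 0
    while off < len(block):
        if off + DIRENT_HEADER.size > len(block):
            raise ValueError(f"truncated entry header at offset {off}")
        _inode, rec_len, name_len, _ftype = DIRENT_HEADER.unpack_from(block, off)
        # rec_len must cover header + name, stay 4-byte aligned, and fit the block
        if rec_len < 8 + name_len or rec_len % 4 or off + rec_len > len(block):
            raise ValueError(f"corrupt rec_len {rec_len} at offset {off}")
        entries.append((off, rec_len, bytes(block[off + 8:off + 8 + name_len])))
        off += rec_len
    return entries

def nonzero_slack(block):
    """Return [(offset, data)] for each run of non-zero bytes outside header+name."""
    leaks = []
    for off, rec_len, name in parse_dir_block(block):
        start = off + 8 + len(name)
        for m in re.finditer(rb"[^\x00]+", bytes(block[start:off + rec_len])):
            leaks.append((start + m.start(), m.group()))
    return leaks

def make_new_dir_block(buffer, self_ino=12, parent_ino=2):
    """Constructed sample: write only '.' and '..' into an existing buffer."""
    block = bytearray(buffer)
    DIRENT_HEADER.pack_into(block, 0, self_ino, 12, 1, 2)
    block[8:9] = b"."
    DIRENT_HEADER.pack_into(block, 12, parent_ino, len(block) - 12, 2, 2)
    block[20:22] = b".."
    return bytes(block)

# Constructed inputs: a zero-filled buffer and one holding stale data
STALE = (b"stale-key-material " * 60)[:1024]
CLEAN_BLOCK = make_new_dir_block(bytes(1024))
DIRTY_BLOCK = make_new_dir_block(STALE)

if __name__ == "__main__":
    for label, blk in (("zeroed", CLEAN_BLOCK), ("uninitialized", DIRTY_BLOCK)):
        runs = nonzero_slack(blk)
        print(label, "->", len(runs), "runs,", sum(len(d) for _, d in runs), "bytes")
```

To use it on a real image, pass in a directory's data block read at the image's block size; a block that was zeroed before the entries were written yields an empty list.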

ChangeSet@1.1480, 2005-03-25 17:15:59-03:00, marcel@holtmann.org
  [PATCH] CAN-2005-0750: Fix af_bluetooth range checking bug, discovered by Ilja van Sprundel <ilja@suresec.org>
  
  Fix range checking

ChangeSet@1.1479, 2005-03-25 17:05:21-03:00, magnus.damm@gmail.com
  [PATCH] eepro100: fix module parameter description typo
  
  I'm a bit late, but here's a patch that fixes a module parameter
  description typo in eepro100. The problem was located in the 2.6
  source and a fix should be in 2.6-mm soon.

ChangeSet@1.1478, 2005-03-25 16:58:30-03:00, gnb@melbourne.sgi.com
  [PATCH] link_path_walk refcount problem allows umount of active filesystem
  
  G'day,
  
  The attached patch fixes a bug in the VFS code which causes
  "Busy inodes after unmount" and a subsequent oops.
  
  Greg.
  --
  Greg Banks, R&D Software Engineer, SGI Australian Software Group.
  I don't speak for SGI.
  
  
  Following an absolute symlink opens a window during which the
  filesystem containing the symlink has an outstanding dentry count
  and no outstanding vfsmount count.  A umount() of the filesystem can
  (incorrectly) proceed, resulting in the "Busy inodes after unmount"
  message and an oops shortly thereafter.
  
  Systems using autofs-controlled NFS mounts are especially vulnerable,
  as autofs both increases the number of unmounts happening and does NFS
  mounting in response to lookups which can result in multiple-second
  vulnerability windows.  However the bug could happen on any filesystem.
  
  This patch adds a mntget()/mntput() pair around the link following code
  (as the 2.6 code does).  Attempts to umount() during link following
  now return EBUSY.
  
  
  Signed-off-by: Greg Banks <gnb@melbourne.sgi.com>

ChangeSet@1.1477, 2005-03-25 16:43:25-03:00, horms@verge.net.au
  [PATCH] earlyquirk.o is needed for CONFIG_ACPI_BOOT
  
  I think that this patch to the Makefile is needed
  to ensure earlyquirk.c is compiled if CONFIG_ACPI_BOOT is enabled.
  
  Signed-off-by: Horms <horms@verge.net.au>

ChangeSet@1.1448.128.1, 2005-03-24 14:06:27-06:00, shaggy@austin.ibm.com
  JFS: remove aops from directory inodes
  
  jfs no longer uses a directory inode's address space.  Clean up the
  code by removing aops for directories altogether
  
  Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com>

ChangeSet@1.1475, 2005-03-24 10:27:54-08:00, davem@sunset.davemloft.net
  [TG3]: Update driver version and reldate.
  
  Signed-off-by: David S. Miller <davem@davemloft.net>

ChangeSet@1.1474, 2005-03-24 10:11:46-08:00, davem@sunset.davemloft.net
  Merge sunset.davemloft.net:/home/davem/src/BK/network-2.4
  into sunset.davemloft.net:/home/davem/src/BK/net-2.4

ChangeSet@1.1473, 2005-03-24 09:17:10-03:00, horms@verge.net.au
  [PATCH] Backport v2.6 ATM copy-to-user signedness fix
  
  Apologies if this is already pending, but the signedness fix for
  atm_get_addr() in 2.6 seems to be needed for 2.4 as well.
  
  This relates to the bugs reported in this document
  http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
  
  Backport of ATM copy-to-user signedness fix from 2.6
  
  Signed-off-by: Simon Horman <horms@verge.net.au>
  
  ===== net/atm/addr.h 1.2 vs edited =====

ChangeSet@1.1472, 2005-03-24 09:13:38-03:00, relf@os2.ru
  [PATCH] fs/hpfs/*: fix HPFS support under 64-bit kernel
  
  The provided patch fixes HPFS filesystem support under 64-bit Linux kernel
  and closes the bugreport http://bugme.osdl.org/show_bug.cgi?id=4333
  
  The problem is in 'time_t' size which is 8 bytes on 64-bit systems
  (compared to 4 bytes on 32-bit systems).  The patch introduces local
  'time32_t' type of the fixed size 4 and uses it where required.
  
  Signed-off-by: Andrew Morton <akpm@osdl.org>

ChangeSet@1.1471, 2005-03-24 09:00:35-03:00, neilb@cse.unsw.edu.au
  [PATCH] md: allow degraded raid1 array to resync after an unclean shutdown.
  
  The following is (I think) appropriate for 2.4.30.  The bug it fixes
  can result in data corruption in a fairly unusual circumstance (having
  a 3 drive raid1 array running in degraded mode, and suffering a system
  crash).
  
  ### Comments for Changeset
  
  If a raid1 array has more than two devices, and not all are working,
  then it will not resync after an unclean shutdown (as it will think
  that it should reconstruct a failed drive, and will find there aren't
  any spares...)
  
  This patch fixes the problem.
  
  Problem found by Mario Holbe <Mario.Holbe@TU-Ilmenau.DE> (thanks!)
  
  Signed-off-by: Neil Brown <neilb@cse.unsw.edu.au>

ChangeSet@1.1470, 2005-03-24 09:00:05-03:00, neilb@cse.unsw.edu.au
  [PATCH] nlm: fix f_count leak
  
  The following patch is probably appropriate for 2.4.30.  The problem
  it fixes is not a major one (no security or data corruption issues)
  but is an occasional annoyance, and the fix is trivial (and tested).
  
  ### Comments for Changeset
  
  I can't see any reason for this file->f_count++.  Removing it fixes a
  bug which leaves an exported filesystem busy (and so unmountable) if a
  callback for a lock held on that filesystem ever failed.
  
  Found by Terence Rokop.
  
  Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
  Signed-off-by: Neil Brown <neilb@cse.unsw.edu.au>

ChangeSet@1.1448.127.15, 2005-03-23 12:28:00-08:00, davem@sunset.davemloft.net
  [TG3]: Missing counter bump in tigon3_4gb_hwbug_workaround().
  
  Signed-off-by: David S. Miller <davem@davemloft.net>

ChangeSet@1.1448.127.14, 2005-03-23 11:46:55-08:00, davem@sunset.davemloft.net
  [TG3]: Add missing CHIPREV_5750_{A,B}X defines.
  
  Signed-off-by: David S. Miller <davem@davemloft.net>

ChangeSet@1.1448.127.13, 2005-03-23 11:14:24-08:00, mchan@broadcom.com
  [TG3]: Add Broadcom copyright.
  
  Signed-off-by: Michael Chan <mchan@broadcom.com>
  ACKed-by: Jeff Garzik <jgarzik@pobox.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>

ChangeSet@1.1448.127.12, 2005-03-23 11:12:50-08:00, mchan@broadcom.com
  [TG3]: Fix ethtool set functions
  
  Fix all relevant ethtool set functions to properly handle the
  not-netif_running() case. In most cases, the new settings are accepted without
  setting the hardware if not-netif_running(). The new settings will take effect
  when the device is subsequently brought up. tg3_nway_reset() is the exception
  where it will return -EAGAIN if not-netif_running().
  
  Signed-off-by: Michael Chan <mchan@broadcom.com>
  ACKed-by: Jeff Garzik <jgarzik@pobox.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>

ChangeSet@1.1448.127.11, 2005-03-23 11:10:16-08:00, mchan@broadcom.com
  [TG3]: Fix jumbo frames phy settings
  
  Fix jumbo frame settings on all copper phys that support jumbo frames by
  setting the fifo elasticity bit. This setting is for the phy's tx fifo to
  properly handle jumbo frames. Note that a similar jumbo frame fix for the
  phy's rx fifo was made to tg3 in the past.
  
  Signed-off-by: Michael Chan <mchan@broadcom.com>
  ACKed-by: Jeff Garzik <jgarzik@pobox.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>

ChangeSet@1.1448.127.10, 2005-03-23 11:07:57-08:00, mchan@broadcom.com
  [TG3]: Add unstable PLL workaround for 5750
  
  Add unstable PLL clock workaround for 5750 Ax and Bx devices. The workaround
  code is run just before entering D3hot state.
  
  Signed-off-by: Michael Chan <mchan@broadcom.com>
  ACKed-by: Jeff Garzik <jgarzik@pobox.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>

ChangeSet@1.1448.127.9, 2005-03-23 11:05:37-08:00, mchan@broadcom.com
  [TG3]: Flush status block in tg3_interrupt()
  
  Add register read of PCI state register in tg3_interrupt() if status block's
  updated bit is not set. This will flush the status block and confirm whether
  the interrupt is ours or not. PCI ordering rules allow the interrupt to
  arrive at the CPU ahead of the status block that may be posted at the
  chipset.
  
  Signed-off-by: Michael Chan <mchan@broadcom.com>
  ACKed-by: Jeff Garzik <jgarzik@pobox.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>

ChangeSet@1.1448.127.8, 2005-03-23 11:02:16-08:00, mchan@broadcom.com
  [TG3]: Add 5705_plus flag
  
  Add a 5705_plus flag to indicate the device is 5705, 5750, or future chips
  that all share the same basic architecture. This makes it easier to add
  support for future devices.
  
  Signed-off-by: Michael Chan <mchan@broadcom.com>
  ACKed-by: Jeff Garzik <jgarzik@pobox.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>

ChangeSet@1.1469, 2005-03-23 13:00:39-03:00, zaitcev@redhat.com
  [PATCH] USB: Fix baud selection in mct_u232
  
  This is an obvious fix by Hansjoerg Lipp, which fixes baud rate selection
  for one of two types of MCT adapters. Unfortunately, I only have the other
  type, and so I let it slip in. I have tested this to build and not break
  my type. This fix is not yet present in Linus's 2.6, but I am confident
  that it will make it in due time. I keep MCT synched between 2.4 and 2.6,
  this patch applies to both trees.

ChangeSet@1.1448.127.7, 2005-03-22 19:06:48-08:00, shemminger@osdl.org
  [TCP]: BIC not binary searching correctly
  
  2.4 version of same fix as 2.6.11.
  
  The problem is that BIC is supposed to reset the cwnd to the last loss value
  rather than ssthresh when loss is detected.  The correct code (from the BIC
  TCP code for Web100) is in this patch.
  
  Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
  Signed-off-by: David S. Miller <davem@davemloft.net>

ChangeSet@1.1448.127.6, 2005-03-22 18:42:38-08:00, kaber@trash.net
  [TUN]: Fix check for underflow.
  
  Backport fix from 2.6.x
  
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: David S. Miller <davem@davemloft.net>

ChangeSet@1.1468, 2005-03-22 14:30:33-03:00, zaitcev@redhat.com
  [PATCH] USB: fix oops in serial_write
  
  When I split the __serial_write off serial_write, the former took the NULL
  check away with it. However, the new serial_write still has a reference
  remaining in down(&port->sem). Joachim Nilsson corrected me.

ChangeSet@1.1466, 2005-03-18 13:47:58-07:00, kaos@sgi.com
  [IA64] Tighten up unw_unwind_to_user check
  
  Detect user space by the unwind frame with predicate PRED_USER_STACK
  set, instead of a user space IP.  Tighten up the last ditch check for
  running off the top of the kernel stack.
  
  Based on a suggestion by David Mosberger, reworked to fit the current
  tree.  This survives my stress test which used to break 2.6.9 kernels.
  Unlike 2.6.11, the stress test now unwinds to the correct point, so
  gdb can get the user space registers.
  
  Signed-off-by: Keith Owens <kaos@sgi.com>
  Signed-off-by: Tony Luck <tony.luck@intel.com>

ChangeSet@1.1448.1.137, 2005-03-18 14:09:27-03:00, shemminger@osdl.org
  [PATCH] TCP BIC not binary searching correctly
  
  2.4 version of same fix as 2.6.11.
  
  The problem is that BIC is supposed to reset the cwnd to the last loss value
  rather than ssthresh when loss is detected.  The correct code (from the BIC
  TCP code for Web100) is in this patch.
  
  Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
  TAG: v2.4.30-rc1