These patches are sent out with a number of different people on the Cc:
line. If you wish to be a reviewer, please email sta...@kernel.org to
add your name to the list. If you want to be off the reviewer list,
also email us.
Responses should be made by Friday, Aug 5 07:00:00, UTC 2005. Anything
received after that time, might be too late.
thanks,
the -stable release team
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
------------------
For inclusion into 2.6.12.stable, extracted from current Linus git:
[PATCH] kbuild: build TAGS problem with O=
make O=/dir TAGS
fails with:
MAKE TAGS
find: security/selinux/include: No such file or directory
find: include: No such file or directory
find: include/asm-i386: No such file or directory
find: include/asm-generic: No such file or directory
The problem is in this line:
ifeq ($(KBUILD_OUTPUT),)
KBUILD_OUTPUT is not defined (ever) after make reruns itself. This line is
used in the TAGS, tags, and cscope makes.
Signed-off-by: George Anzinger <geo...@mvista.com>
Cc: Sam Ravnborg <s...@ravnborg.org>
Signed-off-by: Andrew Morton <ak...@osdl.org>
Signed-off-by: Linus Torvalds <torv...@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
---
Makefile | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.12.3.orig/Makefile 2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/Makefile 2005-07-28 11:17:04.000000000 -0700
@@ -1149,7 +1149,7 @@
#(which is the most common case IMHO) to avoid unneeded clutter in the big tags file.
#Adding $(srctree) adds about 20M on i386 to the size of the output file!
-ifeq ($(KBUILD_OUTPUT),)
+ifeq ($(src),$(obj))
__srctree =
else
__srctree = $(srctree)/
------------------
malicious 32bit app can have an elf section at 0xffffe000. During
exec of this app, we will have a memory leak as insert_vm_struct() is
not checking for return value in syscall32_setup_pages() and thus not
freeing the vma allocated for the vsyscall page.
Check the return value and free the vma incase of failure.
Signed-off-by: Suresh Siddha <suresh....@intel.com>
Signed-off-by: Chris Wright <chr...@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
---
arch/x86_64/ia32/syscall32.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletion(-)
--- linux-2.6.12.3.orig/arch/x86_64/ia32/syscall32.c 2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/arch/x86_64/ia32/syscall32.c 2005-07-28 11:17:11.000000000 -0700
@@ -57,6 +57,7 @@
int npages = (VSYSCALL32_END - VSYSCALL32_BASE) >> PAGE_SHIFT;
struct vm_area_struct *vma;
struct mm_struct *mm = current->mm;
+ int ret;
vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
if (!vma)
@@ -78,7 +79,11 @@
vma->vm_mm = mm;
down_write(&mm->mmap_sem);
- insert_vm_struct(mm, vma);
+ if ((ret = insert_vm_struct(mm, vma))) {
+ up_write(&mm->mmap_sem);
+ kmem_cache_free(vm_area_cachep, vma);
+ return ret;
+ }
mm->total_vm += npages;
up_write(&mm->mmap_sem);
return 0;
------------------
From: Michal Ostrowski <most...@watson.ibm.com>
If bailing out because there is nothing to receive in rp_do_receive(),
tty_ldisc_deref is not called. Failure to do so increases the ref count=20
and causes release_dev() to hang since it can't get the ref count to 0.
Signed-off-by: Michal Ostrowski <most...@watson.ibm.com>
Signed-off-by: Andrew Morton <ak...@osdl.org>
Signed-off-by: Chris Wright <chr...@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
---
drivers/char/rocket.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletion(-)
--- linux-2.6.12.3.orig/drivers/char/rocket.c 2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/drivers/char/rocket.c 2005-07-28 11:17:09.000000000 -0700
@@ -277,7 +277,7 @@
ToRecv = space;
if (ToRecv <= 0)
- return;
+ goto done;
/*
* if status indicates there are errored characters in the
@@ -359,6 +359,7 @@
}
/* Push the data up to the tty layer */
ld->receive_buf(tty, tty->flip.char_buf, tty->flip.flag_buf, count);
+done:
tty_ldisc_deref(ld);
------------------
Correct handling of fc_remote_port_add() failure case.
Immediately return if fc_remote_port_add() fails to allocate
resources for the rport. Original code would result in NULL
pointer dereference upon failure.
Reported-by: Michael Reed <m...@sgi.com>
Signed-off-by: Andrew Vasquez <andrew....@qlogic.com>
Signed-off-by: Chris Wright <chr...@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
---
drivers/scsi/qla2xxx/qla_init.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletion(-)
--- linux-2.6.12.3.orig/drivers/scsi/qla2xxx/qla_init.c 2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/drivers/scsi/qla2xxx/qla_init.c 2005-07-28 11:17:08.000000000 -0700
@@ -1914,9 +1914,11 @@
rport_ids.roles |= FC_RPORT_ROLE_FCP_TARGET;
fcport->rport = rport = fc_remote_port_add(ha->host, 0, &rport_ids);
- if (!rport)
+ if (!rport) {
qla_printk(KERN_WARNING, ha,
"Unable to allocate fc remote port!\n");
+ return;
+ }
if (rport->scsi_target_id != -1 && rport->scsi_target_id < MAX_TARGETS)
fcport->os_target_id = rport->scsi_target_id;
------------------
This is the code to load packet data into a register:
k = fentry->k;
if (k < 0) {
...
} else {
u32 _tmp, *p;
p = skb_header_pointer(skb, k, 4, &_tmp);
if (p != NULL) {
A = ntohl(*p);
continue;
}
}
skb_header_pointer checks if the requested data is within the
linear area:
int hlen = skb_headlen(skb);
if (offset + len <= hlen)
return skb->data + offset;
When offset is within [INT_MAX-len+1..INT_MAX] the addition will
result in a negative number which is <= hlen.
I couldn't trigger a crash on my AMD64 with 2GB of memory, but a
coworker tried on his x86 machine and it crashed immediately.
This patch fixes the check in skb_header_pointer to handle large
positive offsets similar to skb_copy_bits. Invalid data can still
be accessed using negative offsets (also similar to skb_copy_bits),
anyone using negative offsets needs to verify them himself.
Thanks to Thomas Vögtle <thomas....@coreworks.de> for verifying the
problem by crashing his machine and providing me with an Oops.
Signed-off-by: Patrick McHardy <ka...@trash.net>
Signed-off-by: Chris Wright <chr...@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
---
include/linux/skbuff.h | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.12.3.orig/include/linux/skbuff.h 2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/include/linux/skbuff.h 2005-07-28 11:17:12.000000000 -0700
@@ -1192,7 +1192,7 @@
{
int hlen = skb_headlen(skb);
- if (offset + len <= hlen)
+ if (hlen - offset >= len)
return skb->data + offset;
if (skb_copy_bits(skb, offset, buffer, len) < 0)
------------------
[NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)
The portptr pointing to the port in the conntrack tuple is declared static,
which could result in memory corruption when two packets of the same
protocol are NATed at the same time and one conntrack goes away.
Signed-off-by: Patrick McHardy <ka...@trash.net>
Signed-off-by: Chris Wright <chr...@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
---
net/ipv4/netfilter/ip_nat_proto_tcp.c | 3 ++-
net/ipv4/netfilter/ip_nat_proto_udp.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
--- linux-2.6.12.3.orig/net/ipv4/netfilter/ip_nat_proto_tcp.c 2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/net/ipv4/netfilter/ip_nat_proto_tcp.c 2005-07-28 11:17:15.000000000 -0700
@@ -40,7 +40,8 @@
enum ip_nat_manip_type maniptype,
const struct ip_conntrack *conntrack)
{
- static u_int16_t port, *portptr;
+ static u_int16_t port;
+ u_int16_t *portptr;
unsigned int range_size, min, i;
if (maniptype == IP_NAT_MANIP_SRC)
--- linux-2.6.12.3.orig/net/ipv4/netfilter/ip_nat_proto_udp.c 2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/net/ipv4/netfilter/ip_nat_proto_udp.c 2005-07-28 11:17:15.000000000 -0700
@@ -41,7 +41,8 @@
enum ip_nat_manip_type maniptype,
const struct ip_conntrack *conntrack)
{
- static u_int16_t port, *portptr;
+ static u_int16_t port;
+ u_int16_t *portptr;
unsigned int range_size, min, i;
if (maniptype == IP_NAT_MANIP_SRC)
------------------
[NETFILTER]: Wait until all references to ip_conntrack_untracked are dropped on unload
Fixes a crash when unloading ip_conntrack.
Signed-off-by: Patrick McHardy <ka...@trash.net>
Signed-off-by: Chris Wright <chr...@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
---
net/ipv4/netfilter/ip_conntrack_core.c | 3 +++
1 files changed, 3 insertions(+)
--- linux-2.6.12.3.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/net/ipv4/netfilter/ip_conntrack_core.c 2005-07-28 11:17:16.000000000 -0700
@@ -1124,6 +1124,9 @@
schedule();
goto i_see_dead_people;
}
+ /* wait until all references to ip_conntrack_untracked are dropped */
+ while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1)
+ schedule();
kmem_cache_destroy(ip_conntrack_cachep);
kmem_cache_destroy(ip_conntrack_expect_cachep);
------------------
powernow-k8 requires that a data structure for
each core be created in the _cpu_init function
call. The cpufreq infrastructure doesn't call
_cpu_init for the second core in each processor.
Some systems crashed when _get was called with
an odd-numbered core because it tried to
dereference a NULL pointer since the data
structure had not been created.
The attached patch solves the problem by
initializing data structures for all shared
cores in the _cpu_init function. It should
apply to 2.6.12-rc6 and has been tested by
AMD and Sun.
Signed-off-by: Mark Langsdorf <mark.la...@amd.com>
Signed-off-by: Dave Jones <da...@redhat.com>
Signed-off-by: Chris Wright <chr...@osdl.org>
---
--- a/arch/i386/kernel/cpu/cpufreq/powernow-k8.c
+++ b/arch/i386/kernel/cpu/cpufreq/powernow-k8.c
@@ -44,7 +44,7 @@
#define PFX "powernow-k8: "
#define BFX PFX "BIOS error: "
-#define VERSION "version 1.40.2"
+#define VERSION "version 1.40.4"
#include "powernow-k8.h"
/* serialize freq changes */
@@ -978,7 +978,7 @@ static int __init powernowk8_cpu_init(st
{
struct powernow_k8_data *data;
cpumask_t oldmask = CPU_MASK_ALL;
- int rc;
+ int rc, i;
if (!check_supported_cpu(pol->cpu))
return -ENODEV;
@@ -1064,7 +1064,9 @@ static int __init powernowk8_cpu_init(st
printk("cpu_init done, current fid 0x%x, vid 0x%x\n",
data->currfid, data->currvid);
- powernow_data[pol->cpu] = data;
+ for_each_cpu_mask(i, cpu_core_map[pol->cpu]) {
+ powernow_data[i] = data;
+ }
return 0;
------------------
sys_get_thread_area does not memset to 0 its struct user_desc info before
copying it to user space... since sizeof(struct user_desc) is 16 while the
actual datas which are filled are only 12 bytes + 9 bits (across the
bitfields), there is a (small) information leak.
This was already committed to Linus' repository.
Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaiso...@yahoo.it>
Signed-off-by: Chris Wright <chr...@osdl.org>
---
vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c | 2 ++
1 files changed, 2 insertions(+)
diff -puN arch/i386/kernel/process.c~sec-micro-info-leak arch/i386/kernel/process.c
--- vanilla-linux-2.6.12/arch/i386/kernel/process.c~sec-micro-info-leak 2005-07-28 21:19:26.000000000 +0200
+++ vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c 2005-07-28 21:19:26.000000000 +0200
@@ -827,6 +827,8 @@ asmlinkage int sys_get_thread_area(struc
if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
return -EINVAL;
+ memset(&info, 0, sizeof(info));
+
desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
info.entry_number = idx;
------------------
[VLAN]: Fix early vlan adding leads to not functional device
OK, I can see what's happening here. eth0 doesn't detect link-up until
after a few seconds, so when the vlan interface is opened immediately
after eth0 has been opened, it inherits the link-down state. Subsequently
the vlan interface is never properly activated and are thus unable to
transmit any packets.
dev->state bits are not supposed to be manipulated directly. Something
similar is probably needed for the netif_device_present() bit, although
I don't know how this is meant to work for a virtual device.
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Chris Wright <chr...@osdl.org>
---
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -578,6 +578,14 @@ static int vlan_device_event(struct noti
if (!vlandev)
continue;
+ if (netif_carrier_ok(dev)) {
+ if (!netif_carrier_ok(vlandev))
+ netif_carrier_on(vlandev);
+ } else {
+ if (netif_carrier_ok(vlandev))
+ netif_carrier_off(vlandev);
+ }
+
if ((vlandev->state & VLAN_LINK_STATE_MASK) != flgs) {
vlandev->state = (vlandev->state &~ VLAN_LINK_STATE_MASK)
| flgs;
------------------
[PATCH] bio_clone fix
Fix bug introduced in 2.6.11-rc2: when we clone a BIO we need to copy over the
current index into it as well.
It corrupts data with some MD setups.
See http://bugzilla.kernel.org/show_bug.cgi?id=4946
Huuuuuuuuge thanks to Matthew Stapleton <matth...@gmail.com> for doggedly
chasing this one down.
Acked-by: Jens Axboe <ax...@suse.de>
Cc: <linux...@vger.kernel.org>
Cc: <dm-d...@redhat.com>
Signed-off-by: Andrew Morton <ak...@osdl.org>
Signed-off-by: Linus Torvalds <torv...@osdl.org>
Signed-off-by: Chris Wright <chr...@osdl.org>
---
fs/bio.c | 1 +
1 files changed, 1 insertion(+)
diff --git a/fs/bio.c b/fs/bio.c
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -261,6 +261,7 @@ inline void __bio_clone(struct bio *bio,
*/
bio->bi_vcnt = bio_src->bi_vcnt;
bio->bi_size = bio_src->bi_size;
+ bio->bi_idx = bio_src->bi_idx;
bio_phys_segments(q, bio);
bio_hw_segments(q, bio);
}
-
Full ack.
--
Jens Axboe
------------------
[NETFILTER]: Fix deadlock in ip6_queue
Already fixed in ip_queue, ip6_queue was missed.
Signed-off-by: Patrick McHardy <ka...@trash.net>
Signed-off-by: Chris Wright <chr...@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
---
net/ipv6/netfilter/ip6_queue.c | 2 ++
1 files changed, 2 insertions(+)
--- linux-2.6.12.3.orig/net/ipv6/netfilter/ip6_queue.c 2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/net/ipv6/netfilter/ip6_queue.c 2005-07-28 11:17:13.000000000 -0700
@@ -76,7 +76,9 @@
static void
ipq_issue_verdict(struct ipq_queue_entry *entry, int verdict)
{
+ local_bh_disable();
nf_reinject(entry->skb, entry->info, verdict);
+ local_bh_enable();
kfree(entry);
------------------
From: Herbert Xu <her...@gondor.apana.org.au>
[XFRM]: Fix possible overflow of sock->sk_policy
Spotted by, and original patch by, Balazs Scheidler.
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Chris Wright <chr...@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
---
net/xfrm/xfrm_user.c | 3 +++
1 files changed, 3 insertions(+)
--- linux-2.6.12.3.orig/net/xfrm/xfrm_user.c 2005-07-28 11:17:01.000000000 -0700
+++ linux-2.6.12.3/net/xfrm/xfrm_user.c 2005-07-28 11:17:18.000000000 -0700
@@ -1180,6 +1180,9 @@
if (nr > XFRM_MAX_DEPTH)
return NULL;
+ if (p->dir > XFRM_POLICY_OUT)
+ return NULL;
+
xp = xfrm_policy_alloc(GFP_KERNEL);
if (xp == NULL) {
*dir = -ENOBUFS;
-Andi
On Tue, Aug 02, 2005 at 11:52:20PM -0700, Chris Wright wrote:
> -stable review patch. If anyone has any objections, please let us know.
>
> ------------------
>
> malicious 32bit app can have an elf section at 0xffffe000. During
> exec of this app, we will have a memory leak as insert_vm_struct() is
> not checking for return value in syscall32_setup_pages() and thus not
> freeing the vma allocated for the vsyscall page.
>
Ack.
Sam