
linux-2.4.36: commit list

2.4.36-stable kernel tree

Rev. Date Author
3a1250a 2006-06-20 23:43:55 Willy Tarreau

[PATCH] Fix vfs_unlink/NFS NULL pointer dereference

v2.4.33-pre introduced a fix for lack of synchronization between
link/unlink which requires vfs_unlink to grab i_zombie of both the
victim and its parent with double_down().

Problem is that NFS client deletes the victim dentry on ->unlink,
resulting in a NULL dereference when vfs_unlink() tries to up

Keep a copy of the inode pointer, incrementing its reference counter, to
fix the situation.

Signed-off-by: Marcelo Tosatti <marcelo@kvack.org>

0e978d6 2006-06-20 15:04:17 Solar Designer

[NETFILTER]: Fix do_add_counters race, possible oops or info leak (CVE-2006-0039)

Solar Designer found a race condition in do_add_counters(). The beginning
of paddc is supposed to be the same as tmp which was sanity-checked
above, but it might not be the same in reality. In case the integer
overflow and/or the race condition are triggered, paddc->num_counters
might not match the allocation size for paddc. If the check below
(t->private->number != paddc->num_counters) nevertheless passes (perhaps
this requires the race condition to be triggered), IPT_ENTRY_ITERATE()
would read kernel memory beyond the allocation size, potentially causing
an oops or leaking sensitive data (e.g., passwords from host system or
from another VPS) via counter increments. This requires CAP_NET_ADMIN.

Signed-off-by: Solar Designer <solar@openwall.com>
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
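The double fetch the commit above describes, as an added example that is not the kernel's code: a user-space model of do_add_counters() in which the header is copied once (tmp) and checked against len, then the whole buffer is copied again (paddc), with a simulated racing thread rewriting num_counters between the two copies. The struct layouts, the 4-rule table and all function names are hypothetical; the hardened path simply keeps using the validated tmp.num_counters instead of the count from the second copy, which illustrates the principle rather than reproducing the exact upstream patch.

```c
/* Added example, not the kernel's code: a user-space model of the
 * do_add_counters() double fetch. The header is copied once (tmp) and
 * checked against len, then the whole buffer is copied again (paddc);
 * `race` stands in for a thread that rewrites the header in between.
 * Struct layouts and all names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct counters { uint64_t pcnt, bcnt; };

struct counters_info {            /* what userspace hands to the kernel */
    char name[32];
    unsigned int num_counters;
    struct counters counters[];   /* num_counters entries follow */
};

struct table {                    /* kernel-side table being updated */
    unsigned int number;          /* rules in the table == counters expected */
    struct counters *counters;
};

/* rc: errno-style result; overread: bytes the counter loop would read
 * past the end of the paddc allocation (0 when the call is safe). */
struct result { int rc; size_t overread; };

typedef void (*race_fn)(unsigned char *user);

static struct result add_counters(unsigned char *user, size_t len,
                                  struct table *t, race_fn race, int hardened)
{
    struct result r = { 0, 0 };
    struct counters_info tmp, *paddc;
    unsigned int n, i;
    size_t need;

    if (len < sizeof(tmp)) { r.rc = -EINVAL; return r; }
    memcpy(&tmp, user, sizeof(tmp));                     /* first fetch */

    /* Sanity-check the header: no wrap in the multiplication, and len
     * must be exactly what the header claims. */
    if (tmp.num_counters > (SIZE_MAX - sizeof(tmp)) / sizeof(struct counters) ||
        len != sizeof(tmp) + tmp.num_counters * sizeof(struct counters)) {
        r.rc = -EINVAL; return r;
    }

    if (race) race(user);          /* the other thread strikes here */

    paddc = malloc(len);
    if (!paddc) { r.rc = -ENOMEM; return r; }
    memcpy(paddc, user, len);                            /* second fetch */

    /* Vulnerable: trust the count from the second, unchecked copy.
     * Hardened: keep using the count that was actually validated. */
    n = hardened ? tmp.num_counters : paddc->num_counters;
    if (t->number != n) { r.rc = -EINVAL; free(paddc); return r; }

    need = sizeof(*paddc) + (size_t)n * sizeof(struct counters);
    if (need > len)
        r.overread = need - len;   /* the real loop would read this far past paddc */

    /* Only touch entries inside the allocation so the model itself stays
     * memory-safe while still reporting the overrun above. */
    for (i = 0; i < n && sizeof(*paddc) + (size_t)(i + 1) * sizeof(struct counters) <= len; i++) {
        t->counters[i].pcnt += paddc->counters[i].pcnt;
        t->counters[i].bcnt += paddc->counters[i].bcnt;
    }
    free(paddc);
    return r;
}

/* Constructed user buffer whose header claims `claimed` counters. */
static unsigned char *build_user_buf(unsigned int claimed, size_t *len)
{
    *len = sizeof(struct counters_info) + claimed * sizeof(struct counters);
    struct counters_info *u = calloc(1, *len);
    strcpy(u->name, "filter");
    u->num_counters = claimed;
    for (unsigned int i = 0; i < claimed; i++) u->counters[i].pcnt = 1;
    return (unsigned char *)u;
}

/* Racing thread: the header passed validation claiming 1 counter; now
 * make it match the table's 4 rules so the later equality check passes. */
static void race_bump_count(unsigned char *user)
{
    ((struct counters_info *)user)->num_counters = 4;
}

/* Run one call against a 4-rule table and return its outcome. */
static struct result run_scenario(race_fn race, unsigned int claimed, int hardened)
{
    struct counters tc[4] = {{0, 0}, {0, 0}, {0, 0}, {0, 0}};
    struct table t = { 4, tc };
    size_t len;
    unsigned char *user = build_user_buf(claimed, &len);
    struct result r = add_counters(user, len, &t, race, hardened);
    free(user);
    return r;
}

int main(void)
{
    struct result v = run_scenario(race_bump_count, 1, 0);
    struct result h = run_scenario(race_bump_count, 1, 1);
    printf("vulnerable: rc=%d, loop overreads %zu bytes\n", v.rc, v.overread);
    printf("hardened:   rc=%d, loop overreads %zu bytes\n", h.rc, h.overread);
    return 0;
}
```

With the race, the vulnerable path passes the number check and its loop would read three counters' worth of memory past the allocation; the hardened path rejects the call with -EINVAL because the validated header and the table disagree. The same pattern (validate a copy, then never re-read the user-controlled original) is the general fix for double-fetch bugs.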

11b2b42 2006-06-20 14:57:28 Vlad Yasevich

[SCTP]: Respect the real chunk length when walking parameters. (CVE-2006-1858)

When performing bound checks during the parameter processing, we
want to use the real chunk and parameter lengths for bounds instead
of the rounded ones. This prevents us from potentially walking off
the end if the chunk length was miscalculated. We still use rounded
lengths when advancing the pointer. This was found during a
conformance test that changed the chunk length without modifying

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

478afbe 2006-06-20 14:56:37 Vlad Yasevich

[SCTP]: Validate the parameter length in HB-ACK chunk. (CVE-2006-1857)

If SCTP receives a badly formatted HB-ACK chunk, it is possible
that we may access invalid memory and potentially have a buffer
overflow. We should really make sure that the chunk format is
what we expect, before attempting to touch the data.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
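The parameter walking rule from 11b2b42 (bounds from the real length, cursor advanced by the rounded length) and the HB-ACK parameter check from 478afbe, as one added example that is not lksctp's code. SCTP parameters are TLVs: 16-bit type, 16-bit length covering the 4-byte header, value, padded to a 4-byte boundary. The function names, the HEARTBEAT INFO parameter-type constant and the sample byte strings are constructed for this illustration; the HB-ACK check (exactly one HEARTBEAT INFO parameter that fits inside the chunk's real length) states the principle rather than reproducing the upstream patch.

```c
/* Added example, not lksctp's code: a parameter walker applying the bound
 * checks from the two SCTP commits above. Every bounds check uses the
 * REAL (unrounded) length; only advancing the cursor uses the ROUNDED
 * length. All names and sample inputs are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PARAM_HDR_LEN 4u
#define CHUNK_HDR_LEN 4u
#define WORD_ROUND(n) (((n) + 3u) & ~3u)
#define SCTP_PARAM_HEARTBEAT_INFO 1u      /* assumed type value */

struct param { uint16_t type; uint16_t length; const uint8_t *value; };
typedef int (*param_cb)(const struct param *p, void *ctx);

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the parameter area `buf` of `real_len` bytes (the chunk's real
 * length minus its header, as received). Returns the number of parameters
 * visited, or -1 at the first malformed one. */
static int walk_params(const uint8_t *buf, size_t real_len, param_cb cb, void *ctx)
{
    size_t off = 0;
    int count = 0;

    while (off < real_len) {
        /* The 4-byte header itself must lie inside what was received. */
        if (real_len - off < PARAM_HDR_LEN)
            return -1;
        struct param p = { rd16(buf + off), rd16(buf + off + 2), buf + off + PARAM_HDR_LEN };

        /* A length below the header size would stall or rewind the cursor. */
        if (p.length < PARAM_HDR_LEN)
            return -1;
        /* Bounds check against the REAL remaining length, so a
         * miscalculated length cannot walk us off the end of the packet. */
        if (p.length > real_len - off)
            return -1;
        if (cb && cb(&p, ctx))
            return -1;
        count++;
        /* Advance by the ROUNDED length. If the last parameter's padding
         * was not sent, off overshoots real_len and the loop just ends. */
        off += WORD_ROUND((size_t)p.length);
    }
    return count;
}

/* HEARTBEAT-ACK: exactly one HEARTBEAT INFO parameter, which must fit in
 * the chunk's real length. Returns 0 and the value on success, else -1. */
static int hb_ack_info(const uint8_t *chunk, size_t chunk_real_len,
                       const uint8_t **info, size_t *info_len)
{
    if (chunk_real_len < CHUNK_HDR_LEN + PARAM_HDR_LEN)
        return -1;
    const uint8_t *p = chunk + CHUNK_HDR_LEN;
    size_t avail = chunk_real_len - CHUNK_HDR_LEN;
    uint16_t type = rd16(p), len = rd16(p + 2);

    if (type != SCTP_PARAM_HEARTBEAT_INFO || len < PARAM_HDR_LEN || len > avail)
        return -1;
    if (WORD_ROUND((size_t)len) < avail)   /* bytes left over == a second parameter */
        return -1;
    *info = p + PARAM_HDR_LEN;
    *info_len = len - PARAM_HDR_LEN;
    return 0;
}

/* Convenience wrapper: heartbeat info length, or -1 if the chunk is bad. */
static long hb_info_len(const uint8_t *chunk, size_t chunk_real_len)
{
    const uint8_t *info; size_t info_len;
    if (hb_ack_info(chunk, chunk_real_len, &info, &info_len)) return -1;
    return (long)info_len;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t good_params[] = {
    0x00, 0x01, 0x00, 0x07, 'a', 'b', 'c', 0x00,    /* type 1, len 7 + 1 pad */
    0x00, 0x05, 0x00, 0x08, 0xc0, 0xa8, 0x00, 0x01  /* type 5, len 8, no pad */
};
static const uint8_t overlong_params[] = {          /* first param claims 20 bytes */
    0x00, 0x01, 0x00, 0x14, 'a', 'b', 'c', 0x00,
    0x00, 0x05, 0x00, 0x08, 0xc0, 0xa8, 0x00, 0x01
};
static const uint8_t unpadded_params[] = {          /* last pad byte not sent */
    0x00, 0x05, 0x00, 0x08, 0xc0, 0xa8, 0x00, 0x01,
    0x00, 0x01, 0x00, 0x07, 'a', 'b', 'c'
};
static const uint8_t good_hb_ack[] = {  /* chunk type 5, real len 14, param len 10 */
    0x05, 0x00, 0x00, 0x0e, 0x00, 0x01, 0x00, 0x0a, 1, 2, 3, 4, 5, 6
};
static const uint8_t bad_hb_ack[] = {   /* same, but param claims 12: 2 past the end */
    0x05, 0x00, 0x00, 0x0e, 0x00, 0x01, 0x00, 0x0c, 1, 2, 3, 4, 5, 6
};

int main(void)
{
    printf("good: %d, overlong: %d, unpadded: %d\n",
           walk_params(good_params, sizeof good_params, NULL, NULL),
           walk_params(overlong_params, sizeof overlong_params, NULL, NULL),
           walk_params(unpadded_params, sizeof unpadded_params, NULL, NULL));
    printf("hb-ack good: %ld, bad: %ld\n",
           hb_info_len(good_hb_ack, sizeof good_hb_ack),
           hb_info_len(bad_hb_ack, sizeof bad_hb_ack));
    return 0;
}
```

The overlong sample is exactly the case the commit guards against: a rounded-length-only check would accept it and the walker would read past the received bytes. The unpadded sample shows why the cursor still advances by the rounded length without a separate error for missing trailing padding.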

1e5c346 2006-06-18 06:15:11 Mikael Pettersson

[PATCH 2.4.33-rc1] repair __ide_dma_no_op breakage

> Willy TARREAU:
> ide: trying to enable DMA may cause an oops

This patch to ide-dma.c defines a function 'int __ide_dma_no_op(void)'
and stores its address in function pointer fields with type
'int (*)(ide_drive_t*)'. Thus callers will call __ide_dma_no_op() with
more parameters than it expects.

This is invalid C and it will break horribly in some valid calling
conventions (in particular, when parameters are passed on the stack
and the callee not the caller pops them).

Fortunately the fix is simple: just define __ide_dma_no_op() with
the correct prototype (taking an unused ide_drive_t* parameter),
and drop the now redundant casts from the assignments. Also make
__ide_dma_no_op() 'static' as it is local to ide-dma.c.

Signed-off-by: Mikael Pettersson <mikpe@it.uu.se>

773a34c 2006-06-17 02:39:40 Marcelo Tosatti

Update VERSION to v2.4.33-rc1

86d549d 2006-06-13 23:39:15 Marcelo Tosatti

Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.4

a2ed5d8 2006-06-03 03:32:00 Willy Tarreau

[PATCH] forcedeth update to 0.50

While testing the forcedeth driver on a SunFire X2100 (Opteron Dual
Core), I encountered problems with the driver hanging after a few
megabytes while pushing traffic at Gbps speed. The driver was at 0.30.
A mostly trivial update to 0.50 fixed all the problems and brought a
huge performance boost. However, max_interrupt_work should be set to
10 not 5 above 400 kpps.

21a4136 2006-06-03 03:29:34 Jean Delvare

[PATCH] i2c: Delete 2 out-of-date, colliding ioctl defines

Delete 2 out-of-date, colliding ioctl defines

I2C_UDELAY and I2C_MDELAY are supposed to be used by i2c-algo-bit, but
actually aren't (and I suspect never were). That wouldn't be a major
issue, but it happens that their values are the same as I2C_FUNCS and
I2C_SLAVE_FORCE, respectively, which *are* widely used. It might cause
unnecessary confusion, thus I think it's better to get rid of them,
as was already done in Linux 2.6 and i2c-CVS 7 months ago.


Signed-off-by: Jean Delvare <khali@linux-fr.org>

252a7a8 2006-06-03 03:28:39 Jean Delvare

[PATCH] scx200_acb: Fix resource name use after free

scx200_acb: Fix resource name use after free

We can't pass a string on the stack to request_region. As soon as we
leave the function that stack is gone and the string is lost. Let's
use the same string we identify the i2c_adapter with instead, it's
more simple, more consistent, and just works.

This is the second half of fix to bug #6445.

It was merged in 2.6.17-rc4:


Signed-off-by: Jean Delvare <khali@linux-fr.org>

2a5b739 2006-05-29 18:10:39 Kirill Korotaev

[NETFILTER]: Fix possible overflow in netfilters do_replace()

netfilter's do_replace() can overflow on addition within SMP_ALIGN()
and/or on multiplication by NR_CPUS, resulting in a buffer overflow on
the copy_from_user(). In practice, the overflow on addition is
triggerable on all systems, whereas the multiplication one might require
much physical memory to be present due to the check above. Either is
sufficient to overwrite arbitrary amounts of kernel memory.

I really hate adding the same check to all 4 versions of do_replace(),
but the code is duplicate...

Found by Solar Designer during security audit of OpenVZ.org

Signed-Off-By: Kirill Korotaev <dev@openvz.org>
Signed-Off-By: Solar Designer <solar@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
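The size arithmetic the commit above describes, as an added example that is not the kernel's code: a user-space model in which the allocation for the per-CPU table copy is computed as SMP_ALIGN(tmp.size) * NR_CPUS plus a header in 32-bit unsigned arithmetic, so that either the alignment add or the multiplication can wrap and the following copy of tmp.size bytes overruns the allocation. The cache-line size, NR_CPUS and the header struct are hypothetical values chosen for the demonstration; the checked variant shows the kind of guard needed, not the literal upstream patch.

```c
/* Added example, not the kernel's code: do_replace()-style allocation
 * sizing modelled in user space. NR_CPUS, the cache line size and the
 * header struct are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define SMP_CACHE_BYTES 64u
#define NR_CPUS 32u

struct table_info_hdr { uint32_t size; uint32_t number; };  /* simplified */

/* 32-bit SMP_ALIGN, wrapping exactly as the unchecked arithmetic does. */
static uint32_t smp_align(uint32_t x)
{
    return (x + (SMP_CACHE_BYTES - 1)) & ~(uint32_t)(SMP_CACHE_BYTES - 1);
}

/* Unchecked: the allocation size as computed before the fix; both the
 * add inside smp_align() and the multiply can wrap silently. */
static uint32_t alloc_size_unchecked(uint32_t user_size)
{
    return (uint32_t)sizeof(struct table_info_hdr) + smp_align(user_size) * NR_CPUS;
}

/* Bytes a copy of user_size bytes into the entries area would write past
 * the end of the unchecked allocation (0 when it fits). */
static uint64_t overrun_unchecked(uint32_t user_size)
{
    uint32_t alloc = alloc_size_unchecked(user_size);
    uint64_t room = alloc >= sizeof(struct table_info_hdr)
                  ? alloc - sizeof(struct table_info_hdr) : 0;
    return user_size > room ? user_size - room : 0;
}

/* Checked: refuse any user_size for which either step would wrap in
 * 32 bits. Returns the exact allocation size, or 0 meaning "fail the
 * request" (the kernel would return -ENOMEM). The check itself is done
 * in 64-bit arithmetic so it cannot wrap. */
static uint64_t alloc_size_checked(uint32_t user_size)
{
    const uint64_t hdr = sizeof(struct table_info_hdr);
    uint64_t aligned = ((uint64_t)user_size + SMP_CACHE_BYTES - 1)
                       & ~(uint64_t)(SMP_CACHE_BYTES - 1);
    if (aligned > UINT32_MAX)                    /* the add would have wrapped */
        return 0;
    if (aligned > (UINT32_MAX - hdr) / NR_CPUS)  /* the multiply would wrap */
        return 0;
    return hdr + aligned * NR_CPUS;
}

int main(void)
{
    uint32_t sizes[] = { 4096u, 0xFFFFFFF0u, 0x10000000u };
    for (unsigned i = 0; i < 3; i++)
        printf("size=%#x unchecked_alloc=%u overrun=%llu checked_alloc=%llu\n",
               sizes[i], alloc_size_unchecked(sizes[i]),
               (unsigned long long)overrun_unchecked(sizes[i]),
               (unsigned long long)alloc_size_checked(sizes[i]));
    return 0;
}
```

0xFFFFFFF0 wraps inside the alignment add (the case the commit says is triggerable everywhere), 0x10000000 wraps in the multiplication by NR_CPUS; in both the unchecked allocation collapses to the header alone while the copy length is still the attacker's full size.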

13c55af 2006-05-29 15:33:47 Sridhar Samudrala

[SCTP]: Fix panic's when receiving fragmented SCTP control chunks. (CVE-2006-2272)

Use pskb_pull() to handle incoming COOKIE_ECHO and HEARTBEAT chunks that
are received as skb's with fragment list.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

ff6c55b 2006-05-29 15:32:14 Vladislav Yasevich

[SCTP]: Prevent possible infinite recursion with multiple bundled DATA. (CVE-2006-2274)

There is a rare situation that causes lksctp to go into infinite recursion
and crash the system. The trigger is a packet that contains at least the
first two DATA fragments of a message bundled together. The recursion is
triggered when the user data buffer is smaller than the full data message.
The problem is that we clone the skb for every fragment in the message.
When reassembling the full message, we try to link skbs from the "first
fragment" clone using the frag_list. However, since the frag_list is shared
between two clones in this rare situation, we end up setting the frag_list
pointer of the second fragment to point to itself. This causes
sctp_skb_pull() to potentially recurse indefinitely.

Proposed solution is to make a copy of the skb when attempting to link
things using frag_list.

Signed-off-by: Vladislav Yasevich <vladsilav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

4ff1c7d 2006-05-29 15:27:17 Stephen Hemminger

[IPV4]: ip_route_input panic fix (CVE-2006-1525)

This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388
The bug is caused by ip_route_input dereferencing skb->nh.protocol of
the dummy skb passed down from inet_rtm_getroute (Thanks Thomas for seeing
it). It only happens if the route requested is for a multicast IP

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

3bbf58a 2006-05-29 15:20:42 Sridhar Samudrala

[SCTP]: Fix state table entries for chunks received in CLOSED state. (CVE-2006-2271)

Discard an unexpected chunk in CLOSED state rather than calling BUG().

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: dann frazier <dannf@debian.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

02099ad 2006-05-29 06:35:23 Shaun Tancheff

[PATCH] USB: Gadget RNDIS fix alloc bug. (buffer overflow)

Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space
for the data attached to the reply, and not the reply structure
itself. This caused other kmalloc'd memory to be corrupted.

Signed-off-by: Shaun Tancheff <shaun@tancheff.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

efc9559 2006-05-27 04:41:06 Marcelo Tosatti

[PATCH] Fix vfs_unlink issue introduced by link/unlink race correction

may_delete() should be called before attempting to grab victim's

Signed-off-by: Marcelo Tosatti <marcelo@kvack.org>

6601095 2006-05-27 04:35:58 Willy TARREAU

[PATCH] JBD: avoid panic on corrupted journal superblock (from akpm)

Initial patch from Andrew Morton merged into 2.6 :
Don't panic if the journal superblock is wrecked: just fail the mount.

2c7a224 2006-05-27 04:33:22 Theodore Ts'o

[PATCH] Fix memory leak when the ext3's journal file is corrupted

Fix memory leak when the ext3's journal file is corrupted

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>

818593c 2006-05-23 17:05:41 Patrick McHardy

[NETFILTER]: SNMP NAT: fix memory corruption

Fix memory corruption caused by snmp_trap_decode:

- When snmp_trap_decode fails before the id and address are allocated,
the pointers contain random memory, but are freed by the caller

- When snmp_trap_decode fails after allocating just the ID, it tries
to free both address and ID, but the address pointer still contains
random memory. The caller frees both ID and random memory again.

- When snmp_trap_decode fails after allocating both, it frees both,
and the callers frees both again.

The corruption can be triggered remotely when the ip_nat_snmp_basic
module is loaded and traffic on port 161 or 162 is NATed.

Found by multiple testcases of the trap-app and trap-enc groups of the
PROTOS c06-snmpv1 testsuite.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

c9630f4 2006-05-13 03:14:05 Sergei Shtylyov

[PATCH] AMD Au1xx0: fix ethernet TX stats

With Au1xx0 Ethernet driver, TX bytes/packets always remain zero.

The problem seems to be that when packet has been transmitted, the
length word in DMA buffer is zero.

Attached is a patch that updates the TX stats when a buffer is fed to

The initial 2.4 patch was posted to linux-mips@linux-mips.org by
Thomas Lange 21 Jan 2005.

Signed-off-by: Thomas Lange <thomas@corelatus.se>
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>

f41e0ce 2006-05-13 03:02:33 Marcelo Tosatti

Vadim Egorov: ext3 link/unlink race

I found this issue with 2.4.27 kernel but I believe that other versions
are affected too.

The problem happens when link and unlink are invoked simultaneously on
the same inode on ext3 filesystem. In this case ext3_unlink may
decrement i_nlink to 0 and put this inode into the in-memory orphan
list, while ext3_link will increment i_nlink back to 1 having the inode
in the orphan list.

Thus the system ends up having an inode with i_nlink == 1 in the orphan

When this inode gets unused later, the memory might get released to
the free pool and then be used for some other purpose, most likely some
other inode.

From this point on any operation on the orphan list may result in
modification of the list_head that could already be used to store some
other data.

925c7ce 2006-05-08 06:54:44 Willy TARREAU

Merge branch 'updates'

4abe1e2 2006-05-08 06:48:50 Willy TARREAU

[PATCH] ide: trying to enable DMA may cause an oops

If DMA is disabled on the interface at boot time, then later calling
config_drive_for_dma() to try to enable it will cause an oops because
hwif->ide_dma_off_quietly will be NULL. The workaround is to make those
*ide_dma* functions point to a dummy one when DMA is disabled.

Originally reported by Glenn Wurster, and been running on my systems since

Signed-off-by: Willy Tarreau <willy@w.ods.org>

- Willy

7834450 2006-05-08 06:42:20 Willy TARREAU

[PATCH] drm: gcc complains that print_heap() in radeon_mem.c is not used.

print_heap() is declared static but not used anywhere. It could be removed,
but might be useful to someone for debugging purposes. Surrounding it with

Signed-off-by: Willy Tarreau <willy@w.ods.org>

- Willy

daf8794 2006-05-08 06:38:01 Willy TARREAU

[PATCH] netdrv: b44 driver must ignore carrier lost errors

some (?) hardware seems to be buggy and is reporting bogus carrier lost
values. Both reference implementations from Broadcom indicate that this
counter is not reliable and therefore ignore it. We should do the same.
"Fixes" the carrier lost problem i've seen.

Signed-off-by: Florian Schirmer <jolt@tuxbox.org>

Note: This patch was merged in 2.6 in early 2005.

Signed-off-by: Willy Tarreau <willy@w.ods.org>

- Willy

66cd21f 2006-05-08 06:33:09 Willy TARREAU

[PATCH] netdrv: fix b44 loading after bcm4400

From Pekka Pietikain:

This patch makes the b44-after-bcm4400 scenario work for me. What
was happening is that the broadcom driver sets a "power off MAC"
bit, and we didn't remove that when initializing the chip. Also
added some (a bit ugly, I know ) logic to clear up the address
filter stuff, which is what recent broadcom drivers do...

This fix was merged in 2.6 late in 2004, but did not receive any
echo for 2.4. At least it made the b44 driver usable on an Asus
Pundit for me.

Signed-off-by: Willy Tarreau <willy@w.ods.org>

- Willy

8511aca 2006-05-08 06:19:26 Willy TARREAU

[PATCH] 3c59x: reload EEPROM values at rmmod for needy cards

John W. Linville has posted this patch twice in the past, but it was merged
only in 2.6 and eventually got lost.

3c905 cards need an additional bit unmasked in the reset at rmmod or
else they don't get reinitialized properly when the driver is reloaded.
3c900 Boomerang added to list of devices needing EEPROM_RESET.

Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Willy Tarreau <willy@w.ods.org>

- Willy

ab23eb3 2006-05-08 05:14:51 Jesper Juhl

[PATCH] fix mem-leak in netfilter

The Coverity checker spotted that we may leak 'hold' in
net/ipv4/netfilter/ipt_recent.c::checkentry() when the following
is true:

    if (!curr_table->status_proc) {
        if(!curr_table) {
            return 0; <-- here we leak.

Simply moving an existing vfree(hold); up a bit avoids the possible leak.

(please keep me on CC when replying since I'm not subscribed
to netfilter-devel)

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>

010896b 2006-05-08 04:53:31 Willy TARREAU

[PATCH] scripts : ver_linux does not report recent binutils version

The 'ver_linux' script expects 'ld' to output a line starting with
'BFD', while recent versions of 'ld' print 'GNU ld'. The effect is
that binutils version is not listed in reports based on ver_linux.

The following trivial fix makes it do the right thing as 2.6 does.
Initially reported by Joshua Kwan. Tested and works.

Signed-off-by: Willy Tarreau <willy@w.ods.org>

- Willy