Changelog from 2.4.28-hf32.3 to 2.4.28-hf32.4
---------------------------------------
'+' = added ; '-' = removed

+ 2.4.32-CVE-2006-0741-always-check-that-rips-are-canonical-1 (Andi Kleen)
  This works around a problem in handling non-canonical RIPs on SYSRET on
  Intel CPUs. They report the #GP on the SYSRET, not the next instruction as
  Linux expects it. With these changes this path should never see a
  non-canonical user RIP. This is CVE-2006-0741. Roughly based on a patch by
  Ernie Petrides, but redone by AK.

+ 2.4.32-CVE-2006-1524-fix-shm-mprotect-1 (Hugh Dickins)
  shmat: stop mprotect from giving write permission to a readonly attachment.

+ 2.4.32-CVE-2006-1056-i386-x86_64-x87-information-leak-1 (Andi Kleen)
  AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE
  when an exception is pending. This means the values leak through context
  switches and allow processes to observe some x87 instruction state of other
  processes. This is CVE-2006-1056. The problem was discovered originally by
  Jan Beulich. Richard Brunner provided the basic code for the workarounds
  with contributions from Jan.

+ 2.4.32-via-rhine-zero-pad-short-packets-1 (Craig Brind)
  Fixes Rhine I cards disclosing fragments of previously transmitted frames in
  new transmissions. Before transmission, any socket buffer (skb) shorter than
  the ethernet minimum length of 60 bytes was zero-padded. On Rhine I cards
  the data can later be copied into an aligned transmission buffer without
  copying this padding. This resulted in the transmission of the frame with
  the extra bytes beyond the provided content leaking the previous contents
  of this buffer on to the network. Now zero-padding is repeated in the local
  aligned buffer if one is used.

+ 2.4.32-CVE-2006-1864-smbfs-escape-chroot-1 (Olaf Kirch)
  Initial work and description from Olaf Kirch for kernel 2.6:
  Mark Moseley reported that a chroot environment on an SMB share can be left
  via "cd ..\\". Similar to the CVE-2006-1863 issue with cifs, this fix is
  for smbfs (CVE-2006-1864).
  Steven French wrote: Looks fine to me. This should catch the slash on lookup
  or equivalent, which will be all obvious paths of interest.
  Back-ported from 2.6 to 2.4 by Willy Tarreau.

+ 2.4.32-netfilter-ipt_recent-memleak-1 (Jesper Juhl)
  The Coverity checker spotted that we may leak 'hold' in
  net/ipv4/netfilter/ipt_recent.c::checkentry() when the following is true:
    if (!curr_table->status_proc) {
      ...
      if(!curr_table) {
        ...
        return 0;        <-- here we leak.
  Simply moving an existing vfree(hold); up a bit avoids the possible leak.

+ 2.4.32-nfs-cache-consistency-with-mmap-1 (Jeff Layton)
  A customer of Red Hat reported a problem with cache invalidation when using
  mmapped files over NFS with the 2.4 kernel. This patch fixes this by
  checking whether the clean_pages list for the inode is empty after
  invalidate_inode_pages is called. If it's not then we set a flag so on the
  next pass through it automatically flags the data as invalid.

+ 2.4.32-vlan_ioctl-missing-checks-1 (Mika Kukkonen)
  In vlan_ioctl_handler() the code misses a couple of checks for error return
  values. The same patch was merged into 2.6.

+ 2.4.32-quota_v2-module-taints-the-kernel-1 (Marek Szuba)
  Apparently the quota_v2 module in 2.4 still lacks the licence macro and
  taints the kernel, even though the same module in 2.6 is correctly tagged
  as GPL. In case it makes things any easier, I am enclosing an appropriate
  patch.

Changelog from 2.4.28-hf32.2 to 2.4.28-hf32.3
---------------------------------------
'+' = added ; '-' = removed

+ 2.4.32-orinoco-cve-2005-3180-information-leakage-1 (horms)
  Fix for CVE-2005-3180 by Alan Cox, back-ported by Horms. Fixes an etherleak
  bug in the orinoco driver. As yet untested.

+ 2.4.32-x86_64-check-for-bad-elf-entry-address-1 (andi kleen)
  Fixes a local DOS on Intel systems that leads to an endless recursive fault.
  AMD machines don't seem to be affected. Actually based on a 2.6 patch by
  Suresh Siddha, but the 2.4 implementation is somewhat different.

+ 2.4.32-information-leak-in-SO_ORIGINAL_DST-and-getname-1 (pavel kankovsky)
  It appears sockaddr_in.sin_zero is not zeroed during certain operations
  returning IPv4 socket names: getsockopt(...SO_ORIGINAL_DST...),
  getsockname() and getpeername().

+ 2.4.32-fix-overflow-in-inode-1 (Rik van Riel)
  The following patch fixes an overflow in inode.c. This overflow can cause a
  system to stop reclaiming inodes, with a large amount of memory and
  zillions of inodes. This has caused systems to run out of low memory in
  real world situations. Thanks go out to Larry Woodman, as well as the
  unnamed customer who first tracked this problem down.

+ 2.4.32-make-kernel-work-on-i486-again-1 (jacek lipkowski)
  Booting the 2.4.32 kernel compiled for an i486 on an i486 box fails, because
  "Kernel compiled for Pentium+, requires TSC feature!" (printed from
  check_config() in include/asm-i386/bugs.h).

+ 2.4.32-ppc64-fix-sys_rt_sigreturn-return-type-1 (stephen rothwell)
  Paul Mackerras noticed that sys_rt_sigreturn's return value was "int". It
  needs to be "long" or else the return value of a syscall that is
  interrupted by a signal will be truncated to 32 bits and then sign
  extended. This causes e.g. mmap's return value to be corrupted if it is
  returning an address above 2^31 (which is what caused a SEGV in malloc).
  This problem obviously only affects 64 bit processes.

+ 2.4.32-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption-1 (thomas graf)
  The size of the skb carrying the netlink message is not equivalent to the
  length of the actual netlink message due to padding. ip_queue matches the
  length of the payload against the original packet size to determine if
  packet mangling is desired; due to the above wrong assumption arbitrary
  packets may not be mangled depending on their original size.
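The sin_zero entry above describes a kernel-to-user information leak: a structure is returned with some fields set and the padding left as it was. The following C program is an added illustration of that failure mode and of the fix (clear the whole structure before filling it); it is not code from the changelog or from the kernel. It uses the real struct sockaddr_in from <netinet/in.h>, and the demo_ names and the 0xAA fill pattern standing in for stale memory are this example's own.

```c
/* Added example (not from the changelog or the kernel): why a sockaddr_in
 * handed back to userspace must be fully cleared. The 0xAA pattern stands
 * in for whatever stale kernel data the buffer held before the call. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>   /* struct sockaddr_in, AF_INET */
#include <arpa/inet.h>    /* htons, htonl */

#define DEMO_STALE 0xAA

/* Stand-in for the pre-existing contents of the output buffer. */
static void demo_poison(void *buf, size_t len) { memset(buf, DEMO_STALE, len); }

/* Leaky variant: only the meaningful fields are written, so the 8-byte
 * sin_zero pad keeps whatever was there before. */
void demo_fill_name_leaky(struct sockaddr_in *sin, uint32_t addr, uint16_t port)
{
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    sin->sin_addr.s_addr = htonl(addr);
}

/* Fixed variant: clear the whole structure first, then fill the fields. */
void demo_fill_name_fixed(struct sockaddr_in *sin, uint32_t addr, uint16_t port)
{
    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    sin->sin_addr.s_addr = htonl(addr);
}

/* Number of sin_zero bytes that still carry the stale pattern. */
size_t demo_stale_in_sin_zero(const struct sockaddr_in *sin)
{
    size_t stale = 0;
    for (size_t i = 0; i < sizeof(sin->sin_zero); i++)
        if ((unsigned char)sin->sin_zero[i] == DEMO_STALE)
            stale++;
    return stale;
}

/* Drive each variant over a poisoned buffer and report what leaks. */
size_t demo_stale_bytes_leaky(void)
{
    struct sockaddr_in sin;
    demo_poison(&sin, sizeof(sin));
    demo_fill_name_leaky(&sin, 0x7f000001u, 8080);   /* 127.0.0.1:8080, constructed */
    return demo_stale_in_sin_zero(&sin);
}

size_t demo_stale_bytes_fixed(void)
{
    struct sockaddr_in sin;
    demo_poison(&sin, sizeof(sin));
    demo_fill_name_fixed(&sin, 0x7f000001u, 8080);
    return demo_stale_in_sin_zero(&sin);
}
```

The leaky variant leaves all 8 bytes of sin_zero untouched; the fixed variant leaves none. The same reasoning applies to any structure copied out with copy_to_user(): padding and unused fields must be explicitly zeroed, because field-by-field initialisation never touches them.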
+ 2.4.32-drm_stub_open-range-checking-1 (marin mitov)
  Xorg-6.9.0 SIGSEGFAULTs when the loading of the dri module is enabled
  (direct rendering). Xorg-6.9.0 (and evidently not the previous versions)
  has defined DRM_MAX_MINOR as 255 (and Xorg-6.9.0 tries to open all of them)
  while in the kernel DRM_STUB_MAXCARDS is defined as 16.

+ 2.4.32-sparc-fix-compile-failures-in-math-emu-1 (david miller)
  Kill debugging default switch cases in do_one_mathemu(). That case is
  handled properly already and gcc hates the empty statement that results
  when the debug code is disabled. Pointed out by kaffe.

+ 2.4.32-alpha-fix-recursive-inlining-failure-pci_iommu-1 (solar designer)
  Building on alpha with gcc 3.4.5 fails because of recursive inlining.
  Simply removing the "inline" from the declaration of sg_fill() makes it
  build and work.

+ 2.4.32-build-fix-auto_fs4-changes-broke-ppc64-build-1 (jesse brandeburg)
  This patch adds a couple of #include statements verified to fix the compile
  for ppc64 and probably will fix the compile on parisc. ppc64 would not build
  without this fix.

Changelog from 2.4.28-hf32.1 to 2.4.28-hf32.2
---------------------------------------
'+' = added ; '-' = removed

+ 2.4.32-wan-sdla-fix-probable-security-hole-1 (Horms)
  [PATCH] wan sdla: fix probable security hole
  Quoting Chris Wright:
  "Hrm, I believe you could use this to read 128k of kernel memory.
  sdla_read() takes len as a short, whereas mem.len is an int. So, if
  mem.len == 0x20000, the allocation could still succeed. When cast to short,
  len will be 0x0, causing the read loop to copy nothing into the buffer. At
  least it's protected by a capable() check. I don't know what proper upper
  bound is for this hardware, or how much it's used/cared about. Simple
  memset() is trivial fix."
  This seems to be applicable to 2.4.

+ 2.4.32-CAN-2004-1058-proc_pid_cmdline-race-fix-1 (dann frazier)
  The following patch fixes a race condition that allows local users to view
  the environment variables of another process. Taken from Red Hat's
  kernel-2.4.21-27.0.4.EL.src.rpm.

+ 2.4.32-bond_alb-hash-table-corruption-1 (ODonnell, Michael)
  Our systems have been crashing during testing of PCI HotPlug support in the
  various networking components. We've faulted in the bonding driver due to a
  bug in bond_alb.c:tlb_clear_slave(). In that routine, the last modification
  to the TLB hash table is made without protection of the lock, allowing a
  race that can lead tlb_choose_channel() to select an invalid table element.

Changelog from 2.4.28 to 2.4.28-hf32.1
---------------------------------------
'+' = added ; '-' = removed

+ 2.4.28-01-binfmt_elf-fix-for-32bits-apps-with-large-bss-1 (barry nathan)
  2004/11/23 08:01:10-02:00 barryn@pobox.com
  [PATCH] binfmt_elf.c fix for 32-bit apps with large bss
  This is a 2.4.27-2.4.28 port of this patch:
  > [PATCH] binfmt_elf.c fix for 32-bit apps with large bss
  >
  > From: Julie DeWandel
  >
  > A problem exists where a 32-bit application can have a huge bss, one that
  > is so large that an overflow of the TASK_SIZE happens. But in this case,
  > the overflow is not detected in load_elf_binary(). Instead, because
  > arithmetic is being done using 32-bit containers, a truncation occurs and
  > the program gets loaded when it shouldn't have been. Subsequent execution
  > yields unpredictable results.
  >
  > The attached patch fixes this problem by checking for the overflow
  > condition and sending a SIGKILL to the application if the overflow is
  > detected. This problem can in theory exist when loading the elf
  > interpreter as well, so a similar check was added there.
  Signed-off-by: Barry K. Nathan

+ 2.4.28-02-fix-elf-exec-with-huge-bss-1 (barry nathan)
  2004/11/23 08:00:49-02:00 barryn@pobox.com
  [PATCH] Fix ELF exec with huge bss
  This is a 2.4.27-2.4.28 port of the following patch:
  http://linux.bkbits.net:8080/linux-2.5/cset@3ff112802L-9-rs0BbkozDnTnpch9w
  > [PATCH] fix ELF exec with huge bss
  >
  > From: Roland McGrath
  >
  > The following test program will crash every time if dynamically linked.
  > I think this bites all 32-bit platforms, including 32-bit executables on
  > 64-bit platforms that support them (and could in theory bite 64-bit
  > platforms with bss sizes beyond the bounds of comprehension).
  >
  >   #include <stdio.h>
  >   #include <stdlib.h>
  >   volatile char hugebss[1080000000];
  >   int main(void)
  >   {
  >     printf("%p..%p\n", &hugebss[0], &hugebss[sizeof hugebss]);
  >     system("cat /proc/$PPID/maps");
  >     hugebss[sizeof hugebss - 1] = 1;
  >     return 23;
  >   }
  >
  > The problem is that the kernel maps ld.so at 0x40000000 or some such
  > place, before it maps the bss. Here the bss is so large that it overlaps
  > and clobbers that mapping. I've changed it to map the bss before it loads
  > the interpreter, so that part of the address space is reserved before
  > ld.so's mapping (which doesn't really care where it goes) is done.
  >
  > This patch also adds error checking to the bss setup (and interpreter's
  > bss setup). With the aforementioned change but no error checking,
  > "ulimit -v 65536; ./hugebss" will crash in the store after the `system'
  > call, because the kernel will have failed to allocate the bss and ignored
  > the error, so the program runs without those pages being mapped at all.
  > With this change it dies with a SIGKILL as for a failure to set up stack
  > pages. It might be even better to try to detect the case earlier so that
  > execve can return an error before it has wiped out the address space. But
  > that seems like it would always be fragile and miss some corner cases, so
  > I did not try to add such complexity.
  Signed-off-by: Barry K. Nathan

+ 2.4.28-03-can-2003-0461.diff (chris wright)
  2004/11/25 14:02:21-02:00 chrisw@osdl.org
  [PATCH] /proc/tty/driver/serial reveals the exact number of characters used
  in serial links (CAN-2003-0461)
  /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of
  characters used in serial links, which could allow local users to obtain
  potentially sensitive information such as the length of passwords. This
  issue has been assigned CAN-2003-0461.

+ 2.4.28-04-fork-file-desc-race-fix-1 (marcelo tosatti)
  2004/12/03 21:08:19-02:00 marcelo@dmt.cyclades
  backport v2.6 fork/thread file descriptor race fix

+ 2.4.28-05-cmsg-needs-signedness.diff (david miller)
  2004/12/08 13:33:08-08:00 davem@nuts.davemloft.net
  [NET]: CMSG compat code needs signedness fixes too.
  Signed-off-by: David S. Miller

+ 2.4.28-06-do-not-leak-ip-options.diff (david miller)
  2004/12/08 12:40:30-08:00 davem@nuts.davemloft.net
  [IPV4]: Do not leak IP options.
  If the user makes ip_cmsg_send call ip_options_get multiple times, we leak
  kmalloced IP options data. Noticed by Georgi Guninski.
  Signed-off-by: David S. Miller

+ 2.4.28-07-make-sure-vc-resizing-fits-s16.diff (david miller)
  2004/12/15 09:25:31-02:00 marcelo@logos.cnet
  [PATCH] Make sure VC resizing fits in s16
  Noted by George Guninski

+ 2.4.28-08-binfmt_aout-do_brk-fail-during-exec-1 (chris wright)
  2004/12/16 16:06:31-02:00 chrisw@osdl.org
  [PATCH] a.out: error check on set_brk
  It's possible for do_brk() to fail during set_brk() when exec'ing an a.out.
  This was noted with Florian's a.out binary and overcommit set to 0. Capture
  this error and terminate properly.
  Signed-off-by: Chris Wright
  Signed-off-by: Linus Torvalds

+ 2.4.28-09-insert_vm_struct-user-triggerable-bug-1 (chris wright)
  2004/12/17 21:45:58-02:00 chrisw@osdl.org
  [PATCH] Backport of 2.6 fix to insert_vm_struct to make it return an error
  rather than BUG().
  This eliminates a user triggerable BUG() when user created a large vma that
  overlapped with arg pages during exec (could be triggered with a.out on
  i386 and x86_64 and elf on ia64).
  Signed-off-by: Chris Wright
  ===== arch/ia64/ia32/binfmt_elf32.c 1.13 vs edited =====

+ 2.4.28-10-binfmt_elf-fix-error-codes-2 (chris wright)
  2004/12/20 05:20:28-02:00 solar@openwall.com
  [PATCH] binfmt_elf fix return error codes and early corrupt binary detection

+ 2.4.28-11-can-2004-1144.diff (andi kleen)
  2004/12/22 14:00:27-02:00 ak@suse.de
  [PATCH] [CAN-2004-1144] Fix int 0x80 hole in 2.4 x86-64 linux kernels
  Petr Vandrovec discovered an exploitable root hole on all 2.4 x86-64
  kernels. The problem occurs because the eax register on the 32bit int 0x80
  syscall handler is not properly 64bit zero extended, which can be used to
  overflow the system call table. The problem only occurs on 2.4 x86-64
  kernels, 2.6 doesn't have this hole because some unrelated changes in 2.5
  fixed it as a side effect. Marcelo should be releasing a new pre* kernel
  with this fix shortly; there should also be updated kernels from the
  various linux distributions. It is recommended that everybody who runs a
  2.4 x86-64 kernel with shell user access updates to a kernel which has this
  patch applied. Patch is for 2.4.29pre2, but should apply to pretty much any
  2.4.x x86-64 kernel.
  -Andi
  TAG: v2.4.29-pre3

+ 2.4.28-12-CAN-2004-1235-uselib-fix.diff (marcelo tosatti)
  2005/01/07 07:36:24-02:00 marcelo@logos.cnet
  Paul Starzetz: sys_uselib() race vulnerability (CAN-2004-1235)
  http://isec.pl/vulnerabilities/isec-0021-uselib.txt
  TAG: v2.4.29-rc1

+ 2.4.28-13-helper-for-mmap_sem-write-lock-check-in-do_brk-1a (marcelo tosatti)
  2005/01/10 14:48:43-02:00 marcelo@logos.cnet
  Linus Torvalds: Warn if mmap_sem is not locked in do_brk

+ 2.4.28-14-rip-do_brk_locked-in-uselib-fix-1 (marcelo tosatti)
  2005/01/10 15:26:24-02:00 marcelo@logos.cnet
  Change do_uselib() fix to match v2.6, rip do_brk_locked()

+ 2.4.28-15-helper-for-mmap_sem-write-lock-check-in-do_brk-1b (marcelo tosatti)
  2005/01/12 11:17:44-02:00 marcelo@logos.cnet
  Linus Torvalds: Create helper for mmap_sem write-lock check in do_brk()

+ 2.4.28-16-remove-unused-do_brk_locked-1 (marcelo tosatti)
  2005/01/12 10:34:31-02:00 marcelo@logos.cnet
  Completely remove old do_brk() fix

+ 2.4.32-backport-of-CVE-2005-2709-fix-1 (dann frazier)
  I've backported the fix for CVE-2005-2709 to 2.4 for Debian's 2.4 sarge
  kernel. sysctl.c in Linux kernel before 2.6.14.1 allows local users to
  cause a denial of service (kernel oops) and possibly execute code by
  opening an interface file in /proc/sys/net/ipv4/conf/, waiting until the
  interface is unregistered, then obtaining and modifying function pointers
  in memory that was used for the ctl_table.

+ 2.4.32-ipv6-fix-refcnt-of-struct-ip6_flowlabel-1 (Yan Zheng)
  This looks like another potential "local DoS" since this is in
  setsockopt(IPV6_FLOWLABEL_MGR). Users can cause a flow label to be
  kfreed() without removing it from the socket, and then overwrite its
  contents. This can trigger random kernel memory corruption.

+ 2.4.32-fix-sendmsg-overflow-CVE-2005-2490-1 (Marcus Meissner)
  Al Viro reported a flaw in sendmsg(). "When we copy 32bit ->msg_control
  contents to kernel, we walk the same userland data twice without sanity
  checks on the second pass. Moreover, if original looks small enough, we end
  up copying to on-stack array." - CVE-2005-2490.

+ 2.4.32-vfs-local-denial-of-service-file-lease-1 (Horms)
  [PATCH] VFS: local denial-of-service with file leases (CVE-2005-3857)
  Remove time_out_leases() printk that's easily triggered by users.

+ 2.4.32-x86-64-user-code-panics-kernel-CVE-2005-2708-1 (Dave Anderson)
  There seems to be a local DoS in exec on AMD64 / linux 2.4 when the system
  is under memory pressure.
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161925

+ 2.4.32-IGMP-workaround-for-IGMP-v1-v2-bug-1 (David Stevens)
  As explained at http://www.cs.ucsb.edu/~krishna/igmp_dos/
  With IGMP version 1 and 2 it is possible to inject a unicast report to a
  client which will make it ignore multicast reports sent later by the
  router. The fix is to only accept the report if it was sent to a multicast
  or unicast address.

+ 2.4.32-ipv6-mcast-igmp-dos-fix-1 (David S. Miller)
  Same issue as IPv4, don't listen to non-broadcast non-multicast reports.

+ 2.4.32-airo_cs-prototypes-1 (Adrian Bunk)
  If you got strange problems with either airo_cs devices or in any other
  completely unrelated part of the kernel shortly or long after an airo_cs
  device was detected by the kernel, this might have been caused by the fact
  that caller and callee disagreed regarding the size of the first argument
  to init_airo_card()...

+ 2.4.32-dont-panic-on-ide-dma-errors-1 (Chris Ross)
  Kernel 2.4.32 and earlier can panic when trying to read a corrupted sector
  from an IDE disk. The function ide_dma_timeout_retry can end a request
  early by calling idedisk_error, but then goes on to use the request anyway,
  causing a kernel panic due to a null pointer exception.

+ 2.4.32-data-corruption-in-smb_proc_setattr_unix-1 (Maciej W. Rozycki)
  This patch fixes a data corruption in smb_proc_setattr_unix().
  smb_filetype_from_mode() returns a u32, and there are only four bytes
  reserved for it in data.
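Two of the entries above are integer-width bugs: in the wan sdla entry a length that was checked and allocated as an int is narrowed to a short on the call, so the copy loop runs short and the rest of the buffer is returned with stale contents; in the binfmt_elf large-bss entries the end address of the bss is computed in 32 bits, wraps, and so passes a TASK_SIZE comparison it should fail. The C program below is an added illustration of both patterns and of the defensive checks (bound the full-width value before it is narrowed, clear the buffer, and detect wrap-around explicitly). It is not code from the changelog or the kernel; the demo_ names, the DEMO_MAX_LEN bound (the entry itself says the real hardware bound is unknown) and the i386-style DEMO_TASK_SIZE are assumptions of this example.

```c
/* Added example, not from the changelog or the kernel: length narrowing
 * (sdla_read) and 32-bit end-address wrap (ELF bss), each with its check. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_MAX_LEN   0x4000       /* hypothetical per-read bound, fits a short */
#define DEMO_TASK_SIZE 0xC0000000u  /* assumed i386 3G/1G split */
#define DEMO_STALE     0xAA         /* marks bytes the copy never overwrote */

/* The callee takes its length as a short, as in the reported sdla_read().
 * A zero or negative length copies nothing. */
static void demo_device_read(unsigned char *buf, short len)
{
    for (short i = 0; i < len; i++)
        buf[i] = 0x11;              /* 'data read from the card' */
}

static long demo_count_stale(const unsigned char *buf, size_t n)
{
    long stale = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == DEMO_STALE) stale++;
    return stale;
}

/* Before: the buffer is sized with the int, the copy runs with the short.
 * Returns how many of the mem_len bytes handed back still hold whatever
 * the allocation contained (stale kernel memory, in the real bug). */
long demo_stale_bytes_narrowed(int mem_len)
{
    unsigned char *buf = malloc((size_t)mem_len);
    if (!buf) return -1;
    memset(buf, DEMO_STALE, (size_t)mem_len);  /* stands in for old contents */
    demo_device_read(buf, (short)mem_len);     /* narrowing happens here */
    long stale = demo_count_stale(buf, (size_t)mem_len);
    free(buf);
    return stale;
}

/* After: bound-check the full-width value before it can be narrowed, and
 * clear the buffer so a short copy can never expose old contents.
 * Returns -1 when the request is rejected. */
long demo_stale_bytes_fixed(int mem_len)
{
    if (mem_len <= 0 || mem_len > DEMO_MAX_LEN)
        return -1;                             /* -EINVAL in the kernel */
    unsigned char *buf = malloc((size_t)mem_len);
    if (!buf) return -1;
    memset(buf, DEMO_STALE, (size_t)mem_len);
    memset(buf, 0, (size_t)mem_len);           /* the 'simple memset()' */
    demo_device_read(buf, (short)mem_len);     /* now guaranteed to fit */
    long stale = demo_count_stale(buf, (size_t)mem_len);
    free(buf);
    return stale;
}

/* ELF bss: start + size computed in 32 bits wraps instead of exceeding
 * TASK_SIZE. Both functions return 1 when the segment is rejected. */
int demo_bss_reject_naive(uint32_t start, uint32_t size)
{
    uint32_t end = start + size;               /* may wrap silently */
    return end > DEMO_TASK_SIZE;
}

int demo_bss_reject_checked(uint32_t start, uint32_t size)
{
    uint32_t end = start + size;
    return end < start || end > DEMO_TASK_SIZE; /* wrapped, or out of range */
}
```

With mem_len = 0x20000 the narrowed path copies nothing and returns all 128 KiB uninitialised, exactly the figure quoted in the entry; the fixed path refuses the request. For the bss case, a start of 0x08050000 with a size of 0xFFF00000 wraps to 0x07F50000, which the naive comparison accepts and the wrap-aware one rejects.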
+ 2.4.32-fix-for-clock-running-too-fast-1 (Akira Tsukamoto)
  This one line patch adds upper bound testing inside timer_irq_works() when
  evaluating whether the irq timer works or not on boot up. It fixes the
  machines having problems with the clock running too fast. What this patch
  does is, if timer interrupts are running too fast through the IO-APIC IRQ,
  then fall back to the i8259A IRQ.

+ 2.4.32-fix-ptrace-self-attach-rule-1 (Linus Torvalds)
  [PATCH] Fix ptrace self-attach rule
  Before we did CLONE_THREAD, the way to check whether we were attaching to
  ourselves was to just check "current == task", but with CLONE_THREAD we
  should check that the thread group ID matches instead.

+ 2.4.32-dcache-avoid-race-nr_unused-dentries-1 (Neil Brown)
  [PATCH] fs/dcache.c: avoid race when updating nr_unused count of unused
  dentries.
  d_count==1 is no guarantee that dentry is on the dentry_unused list, even if
  it has just been incremented inside dcache_lock, as dput can decrement at
  any time. This test from Greg Banks is much safer, and is more transparently
  correct.

+ 2.4.31-sd_mod-memory-leak-1 (Dan Aloni)
  [PATCH] fix memory leak in sd_mod.o
  Handle freeing of sd_max_sectors in sd_exit().

+ 2.4.31-udp_v6_get_port-infinite-loop-1 (YOSHIFUJI Hideaki)
  [IPV6]: Fix infinite loop in udp_v6_get_port()
  This is CVE-2005-2973, and 87bf9c97b4b3af8dec7b2b79cdfe7bfc0a0a03b2 in
  Linus' 2.6 Git Tree. It seems to be relevant to 2.4.

+ 2.4.31-tcp-clear-stale-pred_flags-snd_wnd-change-1 (Herbert Xu)
  [PATCH] Clear stale pred_flags when snd_wnd change
  This bug is responsible for causing the infamous "Treason uncloaked"
  messages that have been popping up everywhere since the printk was added.
  In the case of the treason messages, it just happens that the snd_wnd
  cached in pred_flags is zero while tp->snd_wnd is non-zero. Therefore when
  a zero-window packet comes in we incorrectly conclude that the window is
  non-zero.
+ 2.4.31-only-disallow-setting-function-key-1 (Marcelo Tosatti)
  [PATCH] only disallow _setting_ of function key string
  Mikael Pettersson noted that the current 2.6-git (and 2.4) patch to
  disallow KDSKBSENT for unprivileged users should be less restrictive,
  allowing reading of the current function key string entry, but not writing.

+ 2.4.32-rc2-ip_vs_conn_expire_now-fix_refcnt-dec-1 (Julian Anastasov)
  Quoting Roberto Nibali:
  It is absolutely needed. Without it, people will really experience a long
  term problem with hanging templates in IPVS, manifesting itself depending
  on time and hardware configuration. It seems we forgot to fix one place
  where ip_vs_conn_expire_now is used. Callers should hold write lock or
  cp->refcnt (and not forget it). This results in hanging template entries
  when expire_nodest_conn is kicking in and trying to remove all connection
  entries for a specific destination. Julian Anastasov created a patch to fix
  this and asked me to forward it for inclusion, after test and verification,
  which have happened the last 24 hours.

+ 2.4.32-rc2-mcast-filter-1 (Willy Tarreau)
  [PATCH-2.4][MCAST] IPv6: small fix for ip6_mc_msfilter(...)
  Multicast source filters aren't widely used yet, and that's really the only
  feature that's affected if an application actually exercises this bug, as
  far as I can tell. An ordinary filter-less multicast join should still
  work, and only forwarded multicast traffic making use of filters and doing
  empty-source filters with the MSFILTER ioctl would be at risk of not
  getting multicast traffic forwarded to them because the reports generated
  would not be based on the correct counts. Initial 2.6 patch by Yan Zheng,
  bug explanation by David Stevens, patch ACKed by David.
+ 2.4.31-loadkeys-requires-root-1 (Andrew Morton)
  [PATCH] loadkeys requires root privileges

+ 2.4.31-possible-mem-ordering-bug-1 (Nick Piggin)
  [PATCH] possible memory ordering bug in page reclaim
  Is there anything that prevents PageDirty from theoretically being
  speculatively loaded before page_count here? (see patch) It would result in
  pagecache corruption.

+ 2.4.31-ax25-signed-char-bug-1 (Ralf Baechle)
  [PATCH] AX.25: signed char bug
  On architectures where the char type defaults to unsigned, some of the
  arithmetic in the AX.25 stack fails, resulting in some packets being dropped
  on receive. Credits for tracking this down and the original patch to Bob
  Brose N0QBJ.

+ 2.4.31-fix-jiffies-multiply-overflow-2 (Willy Tarreau)
  The checks for multiply overflow in msecs_to_jiffies() are wrong and limit
  the maximum time to very low values because the check itself can overflow.
  Those functions are not much used but select() and poll() would benefit
  from them by eliminating divides and multiplies in most situations.

+ 2.4.31-ip_vs_ftp-persistence-breaks-connections-1 (Julian Anastasov)
  [IPVS]: ip_vs_ftp breaks connections using persistence
  ip_vs_ftp when loaded can create NAT connections with unknown client port
  for passive FTP. For such expectations we lookup with cport=0 on incoming
  packet but it matches the format of the persistence templates causing
  packets to other persistent virtual servers to be forwarded to real server
  without creating connection. Later the reply packets are treated as foreign
  and not SNAT-ed. This patch changes the connection lookup for packets from
  clients:

+ 2.4.31-ipvs-invalidate-persistent-templates-1 (Julian Anastasov)
  [IPVS]: really invalidate persistent templates
  Agostino di Salle noticed that persistent templates are not invalidated due
  to buggy optimization.

+ 2.4.31-mcast-exclude-typos-1 (Denis Lukianov)
  [MCAST]: Fix MCAST_EXCLUDE line dupes
  pmc->sfcount[MCAST_EXCLUDE] got initialized twice and [MCAST_INCLUDE] did
  not get initialized.
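The msecs_to_jiffies() entry above describes an overflow guard that is itself wrong: the limit it compares against is produced by a multiplication that wraps on a 32-bit unsigned long, so the clamp fires at a tiny value instead of at the true maximum. The C program below is an added reconstruction of that shape and of a guard that widens its intermediate to 64 bits; it is not the kernel's code or a copy of the patch. uint32_t stands in for a 32-bit unsigned long, HZ=100 is assumed, and the demo_ names and DEMO_MAX_JIFFY_OFFSET value are this example's own.

```c
/* Added example, not from the changelog or the kernel: an overflow guard
 * whose own limit overflows, beside one computed in 64 bits. */
#include <stdint.h>

#define DEMO_HZ               100u
#define DEMO_MSEC_PER_SEC     1000u
#define DEMO_MAX_JIFFY_OFFSET ((UINT32_MAX >> 1) - 1)   /* 0x7ffffffe */

/* Broken limit: MAX * 1000 wraps in 32 bits before the divide, giving about
 * 42.9 million ms (under 12 hours) instead of the true ~248 days. */
uint32_t demo_max_msecs_naive(void)
{
    uint32_t j = DEMO_MAX_JIFFY_OFFSET;
    return j * DEMO_MSEC_PER_SEC / DEMO_HZ;        /* wraps */
}

/* Correct limit: 64-bit product, saturated to what a 32-bit argument holds. */
uint32_t demo_max_msecs_checked(void)
{
    uint64_t ms = (uint64_t)DEMO_MAX_JIFFY_OFFSET * DEMO_MSEC_PER_SEC / DEMO_HZ;
    return ms > UINT32_MAX ? UINT32_MAX : (uint32_t)ms;
}

/* Shared conversion, rounding up, also with a 64-bit intermediate so the
 * m * HZ product cannot wrap either. */
static uint32_t demo_convert(uint32_t m)
{
    uint64_t j = ((uint64_t)m * DEMO_HZ + DEMO_MSEC_PER_SEC - 1) / DEMO_MSEC_PER_SEC;
    return j > DEMO_MAX_JIFFY_OFFSET ? DEMO_MAX_JIFFY_OFFSET : (uint32_t)j;
}

/* Guarded by the wrapped limit: anything over ~12 hours is clamped. */
uint32_t demo_msecs_to_jiffies_naive(uint32_t m)
{
    if (m > demo_max_msecs_naive())
        return DEMO_MAX_JIFFY_OFFSET;
    return demo_convert(m);
}

/* Guarded by the correct limit. */
uint32_t demo_msecs_to_jiffies_checked(uint32_t m)
{
    if (m > demo_max_msecs_checked())
        return DEMO_MAX_JIFFY_OFFSET;
    return demo_convert(m);
}
```

A 24-hour timeout (86400000 ms) is clamped to DEMO_MAX_JIFFY_OFFSET by the naive guard and converted to 8640000 jiffies by the checked one. The general rule the example shows: compute the bound in a wider type (or by dividing first) rather than trusting a product in the same width as the values being guarded.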
+ 2.4.31-tcp_clamp_window-fix-1 (Alexey Kuznetsov)
  [TCP]: Don't over-clamp window in tcp_clamp_window()
  Handle better the case where the sender sends full sized frames initially,
  then moves to a mode where it trickles out small amounts of data at a time.
  This known problem is even mentioned in the comments above
  tcp_grow_window() in tcp_input.c. Fix confirmed by Ion Badulescu.

+ 2.4.31-netfilter-gcc-3.4.3-build-1 (Marcus Sundberg)
  [NETFILTER]: this patch fixes a compilation issue with gcc 3.4.3.

+ 2.4.31-fix-can-2005-0204-1 (Suresh Siddha / Horms)
  [CAN-2005-0204]: AMD64, allows local users to write to privileged IO ports
  via OUTS instruction. Added definition of IO_BITMAP_BYTES.

+ 2.4.31-routing_ioctl-lost-sockfd_put-1 (Kirill Korotaev)
  This patch adds lost sockfd_put() in 32bit compat routing_ioctl() on 64bit
  platforms. I believe this is a security issue, since user can fget() file
  as many times as he wants to. The oops can be done under files_lock and
  others, so this can be an exploitable DoS on SMP. Didn't check it in
  practice actually.

+ 2.4.31-x86_64-lost-fput-32bit-ioctl-1 (Kirill Korotaev)
  This patch adds lost fput in 32bit tiocgdev ioctl on x86-64. I believe this
  is a security issue, since user can fget() file as many times as he wants
  to. The oops can be done under files_lock and others, so this is really
  exploitable DoS on SMP. Didn't check it in practice actually.

+ 2.4.31-ia64-page_no_present-fault-1 (Kiyoshi Ueda)
  [PATCH] IA64: page_not_present fault in region 5 is normal
  Without this patch, the exception handler can be unexpectedly invoked for a
  page-not-present fault in region 5 and cause panic etc.

+ 2.4.31-nfs-client-long-symlinks-1 (Assar Westerlund)
  [PATCH] nfs client: handle long symlinks properly.
  In 2.4.31, the v2/3 nfs readlink accepts too long symlinks. I have tested
  this by having a server return long symlinks.
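The two Kirill Korotaev entries above (a lost sockfd_put() and a lost fput()) are the same defect as the ipt_recent 'hold' leak in the hf32.4 section: a reference or allocation taken on entry is not released on one of the early-return paths, and a user who can reach that path repeatedly can drive the count wherever they like. The C program below is an added toy model of the leak and of the single-exit-point idiom that fixes it; it is not the kernel's code. struct demo_file, demo_fget()/demo_fput() and the command numbers are stand-ins assumed for this example.

```c
/* Added example, not from the changelog or the kernel: a reference taken
 * with fget() that an early return forgets to drop, and the fixed flow. */
#include <stddef.h>

struct demo_file { int refcount; };      /* stands in for struct file */

enum { DEMO_CMD_SUPPORTED = 1, DEMO_CMD_UNSUPPORTED = 2 };

static struct demo_file *demo_fget(struct demo_file *f) { f->refcount++; return f; }
static void demo_fput(struct demo_file *f) { f->refcount--; }

/* Stand-in for the real work an ioctl would do on the file. */
static int demo_do_work(struct demo_file *f, int cmd)
{
    (void)f;
    return cmd == DEMO_CMD_SUPPORTED ? 0 : -1;
}

/* Leaky: the unsupported-command path returns without fput(). */
int demo_ioctl_leaky(struct demo_file *f, int cmd)
{
    struct demo_file *ref = demo_fget(f);
    if (cmd != DEMO_CMD_SUPPORTED)
        return -1;                   /* 'ref' is never released */
    int ret = demo_do_work(ref, cmd);
    demo_fput(ref);
    return ret;
}

/* Fixed: every exit passes through one release point. */
int demo_ioctl_fixed(struct demo_file *f, int cmd)
{
    struct demo_file *ref = demo_fget(f);
    int ret = -1;
    if (cmd != DEMO_CMD_SUPPORTED)
        goto out;
    ret = demo_do_work(ref, cmd);
out:
    demo_fput(ref);
    return ret;
}

/* Issue n unsupported commands through the given handler and report the
 * reference count left behind; a correct handler leaves zero. */
int demo_leaked_refs(int (*ioctl)(struct demo_file *, int), int n)
{
    struct demo_file f = { 0 };
    for (int i = 0; i < n; i++)
        ioctl(&f, DEMO_CMD_UNSUPPORTED);
    return f.refcount;
}
```

The same check (take the count before a loop of failing calls, compare after) is the simplest way to catch this class of bug in a driver under test: any path that returns with the count changed is a leak, whether the resource is a file reference, a vmalloc'd table or a module reference.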
+ 2.4.31-size_buffers_type-overflow-1 (Andrea Arcangeli)
  [PATCH] Andrea Arcangeli: avoid size_buffers_type overflow
  The size_buffers_type array, which is an unsigned long, can overflow on
  32-bits: it's perfectly possible for PAE machines to have more than 4Gb of
  data mapped by buffer_head's at the same time. Avoid that by accounting
  1/512 of the real size (size >> 9).

+ 2.4.31-incorrect-fp-signal-delivery-1 (Chuck Ebbert)
  [PATCH] i386: fix incorrect FP signal delivery
  i386 floating-point exception handling has a bug that can cause error code
  0 to be sent instead of the proper code during signal delivery.

+ 2.4.31-ipv4-peers-negative-timer-1 (Dave Johnson)
  [IPV4]: Fix negative timer loop with lots of ipv4 peers.
  peer_check_expire() in net/ipv4/inetpeer.c isn't using
  inet_peer_gc_mintime correctly and will end up creating an expire timer
  with less than the minimum duration, and even zero/negative if enough
  active peers are present. If >65K peers, the timer will be less than
  inet_peer_gc_mintime, and with >70K peers, the timer duration will reach
  zero and go negative.

+ 2.4.31-ipv6-route-events-with-wrong-netlink-pid-1 (Hasso Tepper)
  [IPV6]: Route events reported with wrong netlink PID and seq number
  Attached is a backport of a patch from jamal already in the 2.6 kernel. It
  would be very nice to see it in the 2.4 kernel as well, as I keep receiving
  reports from users that "Quagga IPv6 is broken with 2.4 kernel".

+ 2.4.31-nat-module-load-race-1 (Patrick McHardy)
  [NETFILTER]: Handle NAT module load race
  When the NAT module is loaded when connections are already confirmed it
  must not change their tuples anymore. This is especially important with
  CONFIG_NETFILTER_DEBUG: the netfilter listhelp functions will refuse to
  remove an entry from a list when it can not be found on the list, so when a
  changed tuple hashes to a new bucket the entry is kept in the list until
  and after the conntrack is freed. Allocate the exact conntrack tuple for
  NAT for already confirmed connections or drop them if that fails.

+ 2.4.31-sparc64-do_netfilter_replace-use-vmalloc-1 (Gustavo Zacarias)
  [SPARC64]: Use vmalloc() in do_netfilter_replace()
  Otherwise the number of rules one can upload into the kernel is severely
  limited.

- 2.4.31-zlib-security-bugs-1 (Tim Yamin)
+ 2.4.31-zlib-security-bugs-2 (Tim Yamin, Sergey Vlasov)
  Reverted the Z_OK to Z_DATA_ERROR changes in inftrees.c (& PPC).

+ 2.4.31-zisofs-check-deflatebound-1 (Linus Torvalds)
  [PATCH] PATCH: Fix outstanding gzip/zlib security issues
  Add fakey 'deflateBound()' function to the in-kernel zlib routines. It's
  not the real deflateBound() in newer zlib libraries, partly because the
  upcoming usage of it won't have the "stream" available, so we can't have
  the same interfaces anyway. Problem noted by Tim Yamin.

+ 2.4.31-nat-fix-memory-corruption-1 (Patrick McHardy)
  [NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)

+ 2.4.31-isofs-option-parse-fix-1 (Horms + Andrey J.Melnikoff)
  Fix isofs option parser. If iocharset, map or session are matched, then
  none of the if or else if clauses under sbsector will match (that is, none
  of these clauses match iocharset, map or session), and thus the else clause
  will be hit, and the function will return 1 without parsing any further
  options. Also fix gcc-3.4 warnings.

+ 2.4.31-netfilter-tcp-unclean-1.diff (Patrick McHardy)
  [NETFILTER]: Ignore PSH on SYN/ACK in ipt_unclean

+ 2.4.31-redblacktree-missing-returns-1 (deep-blue@t-online.de)
  [PATCH] fix RedBlackTree rb_next/rb_prev functions.
  I have found a bug in the source of the rbtree.c file in /lib. In Kernel 2.6
  it's ok, but 2.4.31 has this error. We try to use it with the jffs2 source
  code and only with this fix it works fine.

+ 2.4.31-alpha-cabriolet-needs-ns87312-1 (Bill Dupree)
  [PATCH] Fix Alpha AXP Cabriolet build.
  Alpha AXP Cabriolet build fails with unresolved reference to
  ns87312_enable_ide().
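The isofs entry above describes a control-flow defect in a mount-option parser: an option matched by one if/else-if chain falls into a second chain whose trailing else returns success, so every option after it is silently ignored. The C program below is an added, reduced reconstruction of that structure with the corrected flow beside it; it is not the isofs code. The option set (iocharset, map, session, sbsector, norock, cruft) follows the entry's wording, but the parsing layout, the defaults and the demo_ names are assumptions of this example.

```c
/* Added example, not the isofs parser itself: a two-chain option parser
 * whose second chain's catch-all ends parsing early, and the fixed flow. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct demo_opts {
    int rock;              /* 1 unless "norock" was given */
    int cruft;
    int session;           /* -1 = unset */
    int sbsector;          /* -1 = unset */
    char iocharset[32];
    char map[8];
};

static void demo_opts_init(struct demo_opts *o)
{
    memset(o, 0, sizeof(*o));
    o->rock = 1;
    o->session = -1;
    o->sbsector = -1;
}

/* Parses "key[=value],key[=value],...". Returns 1 on success, 0 on a
 * malformed string. 'fixed' selects the corrected control flow. */
static int demo_parse(const char *options, struct demo_opts *o, int fixed)
{
    char buf[128];
    if (strlen(options) >= sizeof(buf))
        return 0;
    strcpy(buf, options);

    for (char *tok = buf, *next = NULL; tok && *tok; tok = next) {
        next = strchr(tok, ',');
        if (next)
            *next++ = '\0';
        char *value = strchr(tok, '=');
        if (value)
            *value++ = '\0';

        /* First chain: the valued options. */
        int handled = 1;
        if (!strcmp(tok, "iocharset") && value)
            snprintf(o->iocharset, sizeof(o->iocharset), "%s", value);
        else if (!strcmp(tok, "map") && value)
            snprintf(o->map, sizeof(o->map), "%s", value);
        else if (!strcmp(tok, "session") && value)
            o->session = atoi(value);
        else
            handled = 0;
        if (fixed && handled)
            continue;   /* the fix: a matched key must not reach the second chain */

        /* Second chain. Its catch-all 'else' ends parsing with success, so in
         * the broken flow a key matched above lands here and every later
         * option is silently dropped. */
        if (!strcmp(tok, "sbsector") && value)
            o->sbsector = atoi(value);
        else if (!strcmp(tok, "norock"))
            o->rock = 0;
        else if (!strcmp(tok, "cruft"))
            o->cruft = 1;
        else
            return 1;
    }
    return 1;
}

/* Accessors so the effect of the bug can be observed directly. */
int demo_rock_after(const char *options, int fixed)
{
    struct demo_opts o;
    demo_opts_init(&o);
    return demo_parse(options, &o, fixed) ? o.rock : -1;
}

int demo_session_after(const char *options, int fixed)
{
    struct demo_opts o;
    demo_opts_init(&o);
    return demo_parse(options, &o, fixed) ? o.session : -2;
}
```

With "iocharset=utf8,norock" the broken flow stops after iocharset and leaves Rock Ridge enabled; the fixed flow applies norock. Options that are security-relevant (here, which extensions are honoured when reading an untrusted image) being dropped without any error is the reason this class of parser bug matters beyond mere inconvenience.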
+ 2.4.31-zlib-security-bugs-1 (Tim Yamin)
  Fix outstanding security bugs in the Linux zlib implementations. See:
  a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
  b) http://bugs.gentoo.org/show_bug.cgi?id=94584

+ 2.4.31-ip_vs_conn_tab-race-1 (Neil Horman)
  [IPVS]: Close race conditions on ip_vs_conn_tab list modification.
  In an smp system, it is possible for a connection timer to expire, calling
  ip_vs_conn_expire while the connection table is being flushed, before
  ct_write_lock_bh is acquired. (...) The result is that the next pointer
  gets set to NULL, and subsequently dereferenced, resulting in an oops.

+ 2.4.31-inode-cache-smp-races-1 (Larry Woodman)
  [PATCH] workaround inode cache (prune_icache/__refile_inode) SMP races
  Over the past couple of weeks we have seen two races in the inode cache
  code. The first is between [dispose_list()] and __refile_inode() and the
  second is between prune_icache() and truncate_inodes(). Fixes bug 155289.

+ 2.4.31-netlink-socket-hashing-bugs-2 (David S. Miller)
  [NETLINK]: Fix two socket hashing bugs.
  netlink_release() should only decrement the hash entry count if the socket
  was actually hashed. netlink_autobind() needs to propagate the error return
  from netlink_insert(). Otherwise, callers will not see the error as they
  should and thus try to operate on a socket with a zero pid, which is very
  bad. Thanks to Jakub Jelinek for providing backtraces, and Herbert Xu for
  debugging patches to help track this down.

+ 2.4.31-sparc64-sys32_utimes-random-timestamps-1 (Jakub Bogusz)
  [SPARC64]: fix sys32_utimes(somefile, NULL)
  This patch fixes utimes(somefile, NULL) syscalls on sparc64 kernel with
  32-bit userland - use of an uninitialized value resulted in making random
  timestamps, which confused e.g. sudo. It has been already fixed (by davem)
  in the linux-2.6 tree 30 months ago.

- 2.4.31-sparc64-solaris-emu-check-cmsg-len-1 (David S. Miller)
  David told Marcelo this patch was not correct and that a better fix will
  follow later.
+ 2.4.31-null-deref-cyclades-1 (Julien Tinnes) Fix two potential NULL dereferences in drivers/char/cyclades.c + 2.4.31-null-deref-esp-1 (Julien Tinnes) Fix two potential NULL dereferences in drivers/char/esp.c + 2.4.31-null-deref-isicom-1 (Julien Tinnes) Fix two potential NULL dereferences in drivers/char/isicom.c + 2.4.31-null-deref-mxser-1 (Julien Tinnes) Fix two potential NULL dereferences in drivers/char/mxser.c + 2.4.31-null-deref-riscom8-1 (Julien Tinnes) Fix two potential NULL dereferences in drivers/char/riscom8.c + 2.4.31-null-deref-specialix-1 (Julien Tinnes) Fix two potential NULL dereferences in drivers/char/specialix.c + 2.4.31-sparc64-solaris-emu-check-cmsg-len-1 (David S. Miller) [SPARC64]: Fix cmsg length checks in Solaris emulation layer. + 2.4.31-x86_64-ia64-32bit-execve-overflow-1 (Andi Kleen) [PATCH] Fix buffer overflow in x86-64/ia64 32bit execve Fix buffer overflow in x86-64/ia64 32bit execve. Originally noted by Ilja van Sprundel. I fixed it for both x86-64 and IA64. Other architectures are not affected. + 2.4.31-x86_64-ptrace-check-canonical-addr-1 (Andi Kleen) [PATCH] Check for canonical addresses in ptrace Check for canonical addresses in ptrace. This works around a AMD bug that allows to hang the CPU by passing illegal addresses. + 2.4.31-x86_64-fix-ptrace-check-for-seg-regs-1 (Andi Kleen) [PATCH] Fix canonical checking for segment registers in ptrace Fix canonical checking for segment registers in ptrace. This avoids a local DOS where a process could oops the kernel by passing bogus values to ptrace. Some versions of UML did this. Found by Alexander Nyberg + 2.4.31-x86_64-disable-exception-stack-1 (Andi Kleen) [PATCH] x86_64: Disable exception stack for stack faults Just drop the exception stack for stack segment faults. This will make some oops triple fault now, but that's better than allowing user triggerable oops. 
  Found from RedHat QA using crashme

+ 2.4.31-bluetooth-hci_usb-race-hangs-kernel-1 (Marcel Holtmann)
  [PATCH] Fix introduced in 2.4.27pre2 for bluetooth hci_usb race causes
  kernel hang.
  > I have noticed a problem with a race condition fix introduced in
  > 2.4.27-pre2 that causes the kernel to hang when disconnecting a
  > Bluetooth USB dongle or doing 'hciconfig hci0 down'. No message is
  > printed, the kernel just doesn't respond anymore.
  If this works then we should do the same change in the bfusb driver.
  A patch that fixes both drivers is attached.

+ 2.4.31-netlink-socket-hashing-bugs-1 (David S. Miller)
  [NETLINK]: Fix two socket hashing bugs.
  netlink_release() should only decrement the hash entry count if the
  socket was actually hashed. netlink_autobind() needs to propagate the
  error return from netlink_insert(). Otherwise, callers will not see
  the error as they should and thus try to operate on a socket with a
  zero pid, which is very bad. Thanks to Jakub Jelinek for providing
  backtraces, and Herbert Xu for debugging patches to help track this
  down.

+ 2.4.31-no-32bit-moves-on-seg-regs-1 (H. J. Lu)
  [PATCH] newer i386/x86_64 assemblers prohibit instructions for moving
  between a seg register and a 32bit location.
  The new i386/x86_64 assemblers no longer accept instructions for moving
  between a segment register and a 32bit memory location.

+ 2.4.30-ipvs-unchecked-strcpy-1.diff (the PaX team)
  Replaced several unchecked strcpy() with strncpy().

+ 2.4.30-loop-off-by-one-1 (Julien Tinnes)
  There is an obvious off-by-one bug in loop.c in kernel 2.4.

+ 2.4.30-rtnetlink-off-by-one-1 (Julien Tinnes)
  [RTNETLINK]: Fix off-by-one error in rtnetlink.c

+ 2.4.30-random-poolsize-sysctl-fix-1 (Vasily Averin)
  [PATCH] random poolsize sysctl fix
  SWSoft Linux kernel Team has discovered that your patch which should
  fix a random poolsize sysctl handler integer overflow, is wrong.
  You have changed a variable definition in function proc_do_poolsize(),
  but you had to fix another function, poolsize_strategy()

+ 2.4.30-serial-null-dereference-1.diff (Julien Tinnes)
  Potential null pointer dereference in serial driver.

+ 2.4.30-mtrr-off-by-one-1.diff (Brad Spengler/Julien Tinnes)
  In mtrr_write(), if len==0, -1 is passed to copy_from_user(), which
  will trigger BUG_ON((long)n < 0). Brad found it, Julien explained it
  to me.

+ 2.4.30-jfs_read_super-oops-1 (Mike Kasick)
  [PATCH] JFS oops fix
  Specifically, the kernel attempts to mount root with JFS first, and
  upon aborting jfs_read_super(), the value of sbi->nls_tab is -1, a
  non-NULL value that causes unload_nls() to be called on garbage data
  leading to a NULL pointer dereference.

+ 2.4.30-usb-io_edgeport-oops-1 (Marcelo Tosatti)
  USB: fix oops in io_edgeport.c driver (2.6 backport)

+ 2.4.30-stretch-ack-kills-performance-1 (David Miller)
  [TCP]: Fix stretch ACK performance killer when doing ucopy.
  When we are doing ucopy, we try to defer the ACK generation to
  cleanup_rbuf(). This works most of the time very well, but if the
  ucopy prequeue is large, this ACKing behavior kills performance.

+ 2.4.30-xfs-build-without-debug-1 (Christoph Hellwig)
  [PATCH] XFS: fix compilation error
  > 2.4.30 will not compile if XFS is turned on, but XFS debugging is not.
  Looks like a trivial one-liner got lost when merging from the SGI CVS
  tree.

+ 2.4.30-vuln-CAN-2005-1263-1 (Greg KH, Chris Wright)
  From Paul Starzetz: A locally exploitable flaw has been found in the
  Linux ELF binary format loader's core dump function that allows local
  users to gain root privileges and also execute arbitrary code at kernel
  privilege level.

+ 2.4.30-panic-if-more-than-one-moxa-1 (David Monniaux)
  [PATCH] fix moxa crash with more than one board.
  The current Moxa Intellio driver (moxa.c) panics when using > 1 board.
  Fixed build by declaring variable prior to usage - Willy.
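The mtrr_write() zero-length condition from the 2.4.30-mtrr-off-by-one entry above, modelled in user space as an added example (this is not the kernel's code): write_line_vuln(), write_line_fixed() and fake_copy() are hypothetical stand-ins for the write handler and for copy_from_user(), and the model assumes the handler clamps len to its line buffer and then passes len - 1 to the copy, which is what the entry says yields -1 when len == 0.

```c
/* Added example, not kernel code: user-space model of the mtrr_write()
 * zero-length bug.  The handler shape and the copy stand-in are
 * hypothetical; only the failing condition comes from the changelog. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LINE_SIZE 80

/* Counts the times the modelled copy_from_user() would have hit BUG_ON(). */
static int bug_on_hits;

/* Stand-in for copy_from_user(): the kernel one checks its length with
 * BUG_ON((long)n < 0), so a length with the sign bit set is a kernel crash
 * (here: a counted event and an error return). */
static int fake_copy(char *dst, const char *src, size_t n)
{
    if ((long)n < 0) {
        bug_on_hits++;          /* the real kernel would oops here */
        return -1;
    }
    memcpy(dst, src, n);
    return 0;
}

/* Vulnerable shape: clamps len to the buffer but never rejects len == 0,
 * so len - 1 underflows to (size_t)-1 before the copy is reached. */
int write_line_vuln(const char *buf, size_t len)
{
    char line[LINE_SIZE];
    memset(line, 0, sizeof(line));
    if (len > sizeof(line))
        len = sizeof(line);
    if (fake_copy(line, buf, len - 1))
        return -EFAULT;
    return (int)len;
}

/* Hardened shape: refuse the empty write before any length arithmetic. */
int write_line_fixed(const char *buf, size_t len)
{
    char line[LINE_SIZE];
    if (!len)
        return -EINVAL;
    memset(line, 0, sizeof(line));
    if (len > sizeof(line))
        len = sizeof(line);
    if (fake_copy(line, buf, len - 1))
        return -EFAULT;
    return (int)len;
}

int bug_hits(void) { return bug_on_hits; }

int main(void)
{
    const char *input = "disable=2\n";   /* constructed sample write */
    printf("vuln,  len=0:  %d (BUG_ON hits: %d)\n",
           write_line_vuln(input, 0), bug_hits());
    printf("fixed, len=0:  %d (BUG_ON hits: %d)\n",
           write_line_fixed(input, 0), bug_hits());
    printf("fixed, len=%zu: %d\n", strlen(input),
           write_line_fixed(input, strlen(input)));
    return 0;
}
```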
+ 2.4.30-bonding-rmmod-oops-1 (Mitch Williams)
  It fixes a stack dump when unloading the bonding module in 802.3ad mode
  if spinlock debugging is turned on, and it was already merged in 2.6.

+ 2.4.29-sk_rmem_alloc-assertion-failure-1 (Herbert Xu)
  [NETLINK]: Fix sk_rmem_alloc assertion failure in af_netlink.c.
  In netlink_dump we're operating on sk after dropping the cb lock. This
  is racy because the owner of the socket could close it after we drop
  the cb lock. The solution is to hold a ref count on the socket before
  we drop the cb lock.

+ 2.4.30-rwsem-spinlocks-must-disable-interrupts-2 (David Howells)
  [PATCH] rwsem: Make rwsems use interrupt disabling spinlocks.
  The attached patch makes read/write semaphores use interrupt disabling
  spinlocks in the slow path, thus rendering the up functions and trylock
  functions available for use in interrupt context. This matches the
  regular semaphore behaviour. Typo fixed by Mikael Pettersson.

+ 2.4.29-bogus-mc_list-deletion-1 (Herbert Xu)
  Looks like I made a nasty typo in the 2.4 backport. When entries are
  unlinked from mc_list, we link the list up with the regular hash bucket
  list by using next instead of bind_next!

+ 2.4.29-recent-kernels-need-modutils-2414-1 (Willy Tarreau)
  From Keith Owens:
  > You need modutils >= 2.4.14 to use the combination of
  > CONFIG_MODVERSIONS with EXPORT_SYMBOL_GPL() on 2.4 kernels.

+ 2.4.29-atm_get_addr-signedness-fix-1 (Simon Horman)
  [PATCH] Backport v2.6 ATM copy-to-user signedness fix.
  The signedness fix for atm_get_addr() in 2.6 seems to be needed for
  2.4 as well. This relates to the bugs reported in this document:
  http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html

+ 2.4.29-af_bluetooth-checks-unsigned-only-1 (marcel holtmann)
  CAN-2005-0750: Fix af_bluetooth range checking bug, discovered by
  Ilja van Sprundel

+ 2.4.29-ext2-mkdir-leaks-kernel-memory-1 (mathieu lafon)
  CAN-2005-0400: ext2 mkdir() directory entry random kernel memory leak.
  I think I have discovered a potential security problem in ext2: when a
  new directory is created, the ext2 block written to disk is not
  initialized. An information leak can then be found after the two
  directory entries ('.' and '..') or in the name buffer of each entry
  (struct ext2_dir_entry_2).

+ 2.4.29-load_elf_library-potential-dos-2 (Herbert Xu)
  CAN-2005-0794: Potential DOS in load_elf_library.
  Yichen Xie points out that load_elf_library can modify `elf_phdata'
  before freeing it. Contains latest mismerge fix from Andreas Arens.

+ 2.4.29-isofs-range-checking-flaws-1 (chris wright)
  [PATCH] isofs: Handle corrupted rock-ridge info slightly better.
  Michal Zalewski discovers range checking flaws in iso9660 filesystem.
  CAN-2005-0815 is assigned to this issue.

+ 2.4.29-degraded-soft-raid1-can-corrupt-data-1 (Neil Brown)
  [PATCH] md: allow degraded raid1 array to resync after an unclean
  shutdown.
  If a raid1 array has more than two devices, and not all are working,
  then it will not resync after an unclean shutdown (as it will think
  that it should reconstruct a failed drive, and will find there aren't
  any spares...). Problem found by Mario Holbe.

+ 2.4.29-usb-serial_write-oops-1 (Pete Zaitcev)
  [PATCH] USB: fix oops in serial_write
  When I split the __serial_write off serial_write, the former took the
  NULL check away with it. However, the new serial_write still has a
  reference remaining in down(&port->sem). Joachim Nilsson corrected me.

+ 2.4.29-link_path_walk-refcount-problem-1 (Greg Banks)
  [PATCH] link_path_walk refcount problem allows umount of active
  filesystem
  Following an absolute symlink opens a window during which the
  filesystem containing the symlink has an outstanding dentry count and
  no outstanding vfsmount count. A umount() of the filesystem can
  (incorrectly) proceed, resulting in the "Busy inodes after unmount"
  message and an oops shortly thereafter.

+ 2.4.29-netlink-multicast-bind-race-1 (Herbert Xu)
  [NETLINK]: Fix multicast bind/autobind race.
  Now it is possible for netlink_bind to race against netlink_autobind
  running on the same socket on another CPU. The result would be a socket
  that's on mc_list with groups set to zero. This socket will be left on
  the list even after it is destroyed. The fix is to remove the zeroing
  in netlink_autobind.

+ 2.4.29-tun-check-for-underflow-1 (Patrick McHardy)
  [TUN]: Fix check for underflow. Backport fix from 2.6.x.

+ 2.4.29-tcp-bic-reset-cwnd-on-loss-1 (Stephen Hemminger)
  [TCP]: BIC not binary searching correctly.
  2.4 version of same fix as 2.6.11. The problem is that BIC is supposed
  to reset the cwnd to the last loss value rather than ssthresh when loss
  is detected. The correct code (from the BIC TCP code for Web100) is in
  this patch.

+ 2.4.29-useless-f_count-leaves-fs-busy-1 (Neil Brown)
  [PATCH] nlm: fix f_count leak
  I can't see any reason for this file->f_count++. Removing it fixes a
  bug which leaves an exported filesystem busy (and so unmountable) if a
  callback for a lock held on that filesystem ever failed. Found by
  Terence Rokop.

+ 2.4.29-ppp-server-remote-dos-1 (Paul Mackerras)
  Remote Linux DoS on ppp servers (CAN-2005-0384)

+ 2.4.29-x86_64-fix-x87-tag-word-emulation-1 (Roland McGrath)
  Fix x87 fnsave Tag Word emulation when using FXSR (SSE).
  The fxsave instruction does not save the x87 tag word (only the empty
  bits), and we re-created the old-style x87 tags incorrectly. The
  registers are saved in "stack order" in the save area, but the tag word
  bits are in "hardware order", and we need to get the right register
  state. Both x86 and x86-64 needed this fix.

+ 2.4.29-possible-pty-line-discipline-race-1 (Linus Torvalds)
  [PATCH] Workaround possible pty line discipline race.
  It's in no way "correct", in that the race hasn't actually gone away by
  this patch, but the patch makes it unimportant. We may end up calling a
  stale line discipline, which is still very wrong, but it so happens
  that we don't much care in practice.
  I think that in a 2.4.x tree there are some theoretical SMP races with
  module unloading etc (which the 2.6.x code doesn't have because module
  unload stops the other CPU's - maybe that part got backported to
  2.4.x?), but quite frankly, I suspect that even in 2.4.x they are
  entirely theoretical and impossible to actually hit. And again, in
  theory some line discipline might do something strange in its
  "chars_in_buffer" routine that would be problematic. In practice that's
  just not the case: the "chars_in_buffer()" routine might return a bogus
  _value_ for a stale line discipline thing, but none of them seem to
  follow any pointers that might have become invalid (and in fact, most
  ldiscs don't even have that function).

+ 2.4.29-softdog-does-not-reboot-on-close-1 (Jacques Basson)
  There is a bug in the softdog.c (v 0.05) in the 2.4 kernel series
  (certainly in 2.4.29 and there are no references to it in the latest
  Changelog) that won't reboot the machine if /dev/watchdog is closed
  unexpectedly and nowayout is not set.

- 2.4.29-scsi-tapes-allow-lseek-1 (Marcelo Tosatti)

+ 2.4.29-scsi-tapes-allow-lseek-2 (Marcelo Tosatti)
  Fixed lseek on OSST tapes too.

+ 2.4.29-write-throttling-ignore-free-highmem-1 (Andrea Arcangeli)
  I got reports of stalls with heavy writes on 2.4. There was a mistake
  in nr_free_buffer_pages. That function is definitely meant _not_ to
  take highmem into account (dirty cache cannot spread over highmem in
  2.4 [even when on top of fs]). For unknown reasons it was actually
  taking highmem into account. The code was obviously meant not to take
  it into account (see the GFP_USER and zonelist), except it wasn't using
  the zonelist. That is a severe problem because there will be no write
  throttling at all, and no bdflush wakeup either. This is a noop for all
  systems <800M (1G shouldn't be noticeable either). This is why most
  people can't notice.

+ 2.4.29-get_user_pages-no-pg_reserved-1 (Andrea Arcangeli)
  get_user_pages() shall not grab PG_reserved pages.
+ 2.4.29-sparc32-fix-parallel-build-1 (crn:netunix.com)
  [SPARC32]: Fix build dependencies for vmlinux.o
  This helps make parallel builds work properly.

- 2.4.29-sparc64-32bit-compat-bugs-1 (David S. Miller)

+ 2.4.29-sparc64-32bit-compat-bugs-2 (David S. Miller)
  Fixed a typo found in the original patch which affects semtimedop().
  ACKed by David, should reach mainline ASAP.

+ 2.4.29-genesys-usb-workarounds-1 (Pete Zaitcev)
  Disk enclosures with Genesys Logics chipset require additional delays,
  or commands are not processed. Also, their maximum transfer size is
  limited. Patch by Martin Strigl.

+ 2.4.29-libata-missing-hook-oops-1 (Jeff Garzik)
  Advanced SATA drivers should not (and cannot) use the basic PCI IDE
  hooks for checking the Status and Error registers, as these registers
  are either in non-standard locations, or simply don't exist. In the
  error handling path, libata was unconditionally calling some PCI IDE
  hardware bitbanging functions, which would cause an oops in the AHCI
  driver and any other advanced libata driver.

+ 2.4.29-synclinkmp-register-access-typo-1 (Paul Fulghum)
  Fix typo to correctly access rx ready control (RRC) register instead of
  the tx ready control (TRC0) register.

+ 2.4.29-aic7xxx-do-not-reset-on-pause-1 (Matt Domsch)
  Patch below taken from RHEL3 Update 4 kernel 2.4.21-27.EL, fixes a bug
  in the aic79xx and aic7xxx drivers, where upon trying to pause the
  controller chip, it is accidentally hard-reset. This causes PCI Parity
  errors to appear on Dell PowerEdge 4600 servers as the inb()
  immediately after accidental reset receives corrupted data. Patch was
  submitted by Justin Gibbs many moons ago, but never applied to mainline
  2.4. It's in mainline 2.6.

+ 2.4.29-fix-swapoff-after-recreating-device-1 (Solar Designer)
  [PATCH] Fix for swapoff after re-creating device files
  If device is recreated the current dentry-only comparison in
  sys_swapoff() might have problems.
+ 2.4.29-sd-fix-partition-count-1 (Soo Lee)
  When a SCSI disk is removed, another SCSI disk with the biggest minor #
  disappears from /proc/partition at the same time. sd.c decreases
  nr_real on disk removal, but because nr_real is not the real # of
  devices but the max # of devices of a major #, it doesn't need to be
  changed on disk add/remove. 2.6 has a slightly different structure but
  it does it like this.

+ 2.4.29-af_unix-fix-siocinq-for-stream-1 (David S. Miller)
  [AF_UNIX]: Fix SIOCINQ for STREAM.
  We should report the total bytes in the whole receive queue, not just
  the first packet, in these cases. Reported by Uwe Bonnes.

+ 2.4.29-scsi-tapes-return-enomem-1 (Marcelo Tosatti)

+ 2.4.29-scsi-tapes-allow-lseek-1 (Marcelo Tosatti)
  Allow lseek on SCSI tapes again. Recently broken by a security fix.

+ 2.4.29-net-oops-base_reachable_time-zero-1 (Hideaki Yoshifuji)
  [NET]: Fix kernel oops if base_reachable_time is set to 0.

+ 2.4.29-tunsetiff-needs-copy-back-after-ioctl-1 (David S. Miller)
  [COMPAT]: TUNSETIFF needs to copy back data after ioctl.
  It is defined as a _IOW() which is erroneous, it should have been
  defined as _IORW() but that cannot be changed now without breaking all
  existing applications using this ioctl.

+ 2.4.29-sparc32-smp-clear-psr_ef-on-fork-1 (David S. Miller)
  [SPARC32]: Need to clear PSR_EF in psr of childregs on fork() on SMP.

+ 2.4.29-netlink_remove-unhash-leaks-sockets-1 (Patrick McHardy)
  netlink_remove() only unhashes sockets contained in the first hash
  bucket. This leads to leaking sockets and, over time, to bind conflicts
  which confuse iproute.

+ 2.4.29-brlock-causes-deadlock-1 (David S. Miller)
  There were two versions of the big-reader lock implementation.
  1) One using per-cpu reader locks, and a singular write lock.
     Predominantly enabled on x86 and its brothers.
  2) One using non-atomic per-cpu counter, and a single write lock.
     This is what all other platforms were using.
  #1 is unfortunately buggy.
  brlocks were meant to provide a high performance implementation of
  rwlock_t locks when it is known that the lock is taken 99% of the time
  by readers and that writers are thus rare. (...)

+ 2.4.29-32bit-sys_recvmsg-corruption-1 (Stephen Rothwell)
  In the presence of threads, there is a possibility of the kernel being
  fooled by the 32 bit sys_recvmsg control data into copying more than it
  should into the kernel and corrupting kernel data structures. (...)
  This patch just does some more length checking. This bug was actually
  being hit by BIND running at a customer site. It is very hard to hit,
  but (obviously) possible.

+ 2.4.29-sparc64-32bit-compat-bugs-1 (David S. Miller)
  Fix 32bit compat layer bugs in sys_ipc() and sys_rt_sigtimedwait().
  1) sys_ipc() compat wrappers need to verify length before allocating
     kernel data and performing copies.
  2) sys_rt_sigtimedwait() had one schedule_timeout() too many.

- 2.4.29-sparc-membar-extra-semi-colons-1 (Willy Tarreau)

- 2.4.29-sparc64-membar-extra-semi-colons-1 (Willy Tarreau)
  This was my quick build fix. Now David has sent the clean stuff.

+ 2.4.29-sparc-smb_macros-extra-semicolons-1 (David S. Miller)
  [SPARC]: Fix bogus trailing semicolon in smb_*() macros.
  Backported from 2.6.x

+ 2.4.29-sparc-nop-extra-semicolons-1 (David S. Miller)
  [SPARC]: nop() macro has bogus trailing semicolon
  Noticed by Bob Breuer.

+ 2.4.29-sparc64-membar-extra-semicolons-2 (David S. Miller)
  [SPARC64]: Fix trailing semicolon in membar macros.