Changelog From 2.4.29-hf12 to 2.4.29-hf13 (semi-automated)
-----------------------------------------
'+' = added ; '-' = removed

+ 2.4.31-zlib-security-bugs-1 (Tim Yamin)
  Fix outstanding security bugs in the Linux zlib implementations. See:
  a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
  b) http://bugs.gentoo.org/show_bug.cgi?id=94584

+ 2.4.31-ip_vs_conn_tab-race-1 (Neil Horman)
  [IPVS]: Close race conditions on ip_vs_conn_tab list modification.
  In an SMP system, it is possible for a connection timer to expire,
  calling ip_vs_conn_expire while the connection table is being flushed,
  before ct_write_lock_bh is acquired. (...) The result is that the next
  pointer gets set to NULL, and subsequently dereferenced, resulting in
  an oops.

+ 2.4.31-inode-cache-smp-races-1 (Larry Woodman)
  [PATCH] workaround inode cache (prune_icache/__refile_inode) SMP races
  Over the past couple of weeks we have seen two races in the inode cache
  code. The first is between [dispose_list()] and __refile_inode() and the
  second is between prune_icache() and truncate_inodes(). Fixes bug 155289.

+ 2.4.31-netlink-socket-hashing-bugs-2 (David S. Miller)
  [NETLINK]: Fix two socket hashing bugs.
  netlink_release() should only decrement the hash entry count if the
  socket was actually hashed.
  netlink_autobind() needs to propagate the error return from
  netlink_insert(). Otherwise, callers will not see the error as they
  should and thus try to operate on a socket with a zero pid, which is
  very bad.
  Thanks to Jakub Jelinek for providing backtraces, and Herbert Xu for
  debugging patches to help track this down.

+ 2.4.31-sparc64-sys32_utimes-random-timestamps-1 (Jakub Bogusz)
  [SPARC64]: fix sys32_utimes(somefile, NULL)
  This patch fixes utimes(somefile, NULL) syscalls on a sparc64 kernel
  with 32-bit userland - use of an uninitialized value resulted in random
  timestamps, which confused e.g. sudo. It has already been fixed (by
  davem) in the linux-2.6 tree 30 months ago.

Changelog From 2.4.29-hf11 to 2.4.29-hf12 (semi-automated)
-----------------------------------------
'+' = added ; '-' = removed

- 2.4.31-sparc64-solaris-emu-check-cmsg-len-1 (David S. Miller)
  David told Marcelo this patch was not correct and that a better fix
  will follow later.

+ 2.4.31-null-deref-cyclades-1 (Julien Tinnes)
  Fix two potential NULL dereferences in drivers/char/cyclades.c

+ 2.4.31-null-deref-esp-1 (Julien Tinnes)
  Fix two potential NULL dereferences in drivers/char/esp.c

+ 2.4.31-null-deref-isicom-1 (Julien Tinnes)
  Fix two potential NULL dereferences in drivers/char/isicom.c

+ 2.4.31-null-deref-mxser-1 (Julien Tinnes)
  Fix two potential NULL dereferences in drivers/char/mxser.c

+ 2.4.31-null-deref-riscom8-1 (Julien Tinnes)
  Fix two potential NULL dereferences in drivers/char/riscom8.c

+ 2.4.31-null-deref-specialix-1 (Julien Tinnes)
  Fix two potential NULL dereferences in drivers/char/specialix.c

Changelog From 2.4.29-hf10 to 2.4.29-hf11 (semi-automated)
-----------------------------------------
'+' = added ; '-' = removed

+ 2.4.31-sparc64-solaris-emu-check-cmsg-len-1 (David S. Miller)
  [SPARC64]: Fix cmsg length checks in Solaris emulation layer.

+ 2.4.31-x86_64-ia64-32bit-execve-overflow-1 (Andi Kleen)
  [PATCH] Fix buffer overflow in x86-64/ia64 32bit execve
  Fix buffer overflow in x86-64/ia64 32bit execve. Originally noted by
  Ilja van Sprundel. I fixed it for both x86-64 and IA64. Other
  architectures are not affected.

+ 2.4.31-x86_64-ptrace-check-canonical-addr-1 (Andi Kleen)
  [PATCH] Check for canonical addresses in ptrace
  Check for canonical addresses in ptrace. This works around an AMD bug
  that allows the CPU to be hung by passing illegal addresses.

+ 2.4.31-x86_64-fix-ptrace-check-for-seg-regs-1 (Andi Kleen)
  [PATCH] Fix canonical checking for segment registers in ptrace
  Fix canonical checking for segment registers in ptrace. This avoids a
  local DOS where a process could oops the kernel by passing bogus values
  to ptrace. Some versions of UML did this.
  Found by Alexander Nyberg

+ 2.4.31-x86_64-disable-exception-stack-1 (Andi Kleen)
  [PATCH] x86_64: Disable exception stack for stack faults
  Just drop the exception stack for stack segment faults. This will make
  some oopses triple fault now, but that's better than allowing
  user-triggerable oopses. Found from RedHat QA using crashme

+ 2.4.31-bluetooth-hci_usb-race-hangs-kernel-1 (Marcel Holtmann)
  [PATCH] Fix introduced in 2.4.27pre2 for bluetooth hci_usb race causes
  kernel hang.
  > I have noticed a problem with a race condition fix introduced in
  > 2.4.27-pre2 that causes the kernel to hang when disconnecting a
  > Bluetooth USB dongle or doing 'hciconfig hci0 down'. No message is
  > printed, the kernel just doesn't respond anymore.
  If this works then we should do the same change in the bfusb driver.
  A patch that fixes both drivers is attached.

+ 2.4.31-netlink-socket-hashing-bugs-1 (David S. Miller)
  [NETLINK]: Fix two socket hashing bugs.
  netlink_release() should only decrement the hash entry count if the
  socket was actually hashed.
  netlink_autobind() needs to propagate the error return from
  netlink_insert(). Otherwise, callers will not see the error as they
  should and thus try to operate on a socket with a zero pid, which is
  very bad.
  Thanks to Jakub Jelinek for providing backtraces, and Herbert Xu for
  debugging patches to help track this down.

+ 2.4.31-no-32bit-moves-on-seg-regs-1 (H. J. Lu)
  [PATCH] newer i386/x86_64 assemblers prohibit instructions for moving
  between a seg register and a 32bit location.
  The new i386/x86_64 assemblers no longer accept instructions for moving
  between a segment register and a 32bit memory location.

Changelog From 2.4.29-hf9 to 2.4.29-hf10 (semi-automated)
----------------------------------------
'+' = added ; '-' = removed

+ 2.4.30-ipvs-unchecked-strcpy-1.diff (the PaX team)
  Replaced several unchecked strcpy() with strncpy().

+ 2.4.30-loop-off-by-one-1 (Julien Tinnes)
  There is an obvious off by one bug in loop.c in kernel 2.4.

+ 2.4.30-rtnetlink-off-by-one-1 (Julien Tinnes)
  [RTNETLINK]: Fix off-by-one error in rtnetlink.c

+ 2.4.30-random-poolsize-sysctl-fix-1 (Vasily Averin)
  [PATCH] random poolsize sysctl fix
  The SWSoft Linux kernel team has discovered that your patch, which
  should fix a random poolsize sysctl handler integer overflow, is wrong.
  You have changed a variable definition in function proc_do_poolsize(),
  but you had to fix another function, poolsize_strategy()

+ 2.4.30-serial-null-dereference-1.diff (Julien Tinnes)
  Potential null pointer dereference in serial driver.

+ 2.4.30-mtrr-off-by-one-1.diff (Brad Spengler/Julien Tinnes)
  In mtrr_write(), if len==0, -1 is passed to copy_from_user(), which
  will trigger BUG_ON((long)n < 0). Brad found it, Julien explained it
  to me.

+ 2.4.30-jfs_read_super-oops-1 (Mike Kasick)
  [PATCH] JFS oops fix
  Specifically, the kernel attempts to mount root with JFS first, and upon
  aborting jfs_read_super(), the value of sbi->nls_tab is -1, a non-NULL
  value that causes unload_nls() to be called on garbage data leading to
  a NULL pointer dereference.

+ 2.4.30-usb-io_edgeport-oops-1 (Marcelo Tosatti)
  USB: fix oops in io_edgeport.c driver (2.6 backport)

+ 2.4.30-stretch-ack-kills-performance-1 (David Miller)
  [TCP]: Fix stretch ACK performance killer when doing ucopy.
  When we are doing ucopy, we try to defer the ACK generation to
  cleanup_rbuf(). This works most of the time very well, but if the ucopy
  prequeue is large, this ACKing behavior kills performance.

+ 2.4.30-xfs-build-without-debug-1 (Christoph Hellwig)
  [PATCH] XFS: fix compilation error
  > 2.4.30 will not compile if XFS is turned on, but XFS debugging is not.
  Looks like a trivial one-liner got lost when merging from the SGI CVS
  tree.
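The mtrr_write() entry above describes a size_t wrap: with len == 0, len - 1 becomes (size_t)-1 before it reaches copy_from_user(). The following is an added user-space model of that path (not the kernel's mtrr.c and not the patch itself), showing the unchecked form beside a guarded one; fake_copy_from_user(), COPY_BUG, LINE_SIZE and the early -EINVAL check are assumptions about the shape of the code and of the fix.

```c
/* Added example, not the kernel's mtrr.c: a user-space model of the
 * mtrr_write() length handling. copy_from_user() is replaced by a stand-in
 * that mimics BUG_ON((long)n < 0) by returning COPY_BUG instead of oopsing.
 * LINE_SIZE and the early -EINVAL check are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_SIZE 80
#define COPY_BUG  (-1L)   /* "BUG_ON fired": a real kernel would oops here */

/* Stand-in for copy_from_user(): 0 on success, COPY_BUG when the byte
 * count is negative once viewed as a signed long, i.e. (size_t)-1. */
static long fake_copy_from_user(void *to, const char *from, size_t n)
{
    if ((long)n < 0)
        return COPY_BUG;      /* models the kernel's BUG_ON((long)n < 0) */
    memcpy(to, from, n);
    return 0;                 /* copy_from_user() returns bytes NOT copied */
}

/* Common body: clamp to LINE_SIZE, then copy len - 1 bytes (the driver
 * drops the trailing newline). Returns bytes consumed, -EFAULT, or COPY_BUG. */
static long copy_line(char *line, const char *buf, size_t len)
{
    long rc;

    memset(line, 0, LINE_SIZE);
    if (len > LINE_SIZE)
        len = LINE_SIZE;
    rc = fake_copy_from_user(line, buf, len - 1);   /* len == 0 -> (size_t)-1 */
    if (rc == COPY_BUG)
        return COPY_BUG;
    if (rc)
        return -EFAULT;
    return (long)(len - 1);
}

/* Before the fix: len is clamped but never checked for zero, so a
 * zero-length write sends -1 into copy_from_user(). */
long mtrr_write_before(char *line, const char *buf, size_t len)
{
    return copy_line(line, buf, len);
}

/* After the fix: reject an empty write up front, so len - 1 cannot wrap
 * and the BUG_ON() path is unreachable from user space (assumed form). */
long mtrr_write_after(char *line, const char *buf, size_t len)
{
    if (len == 0)
        return -EINVAL;
    return copy_line(line, buf, len);
}

int main(void)
{
    /* Constructed sample: the kind of text written to /proc/mtrr. */
    const char *cmd = "base=0xd8000000 size=0x800000 type=write-combining\n";
    char line[LINE_SIZE];
    long rc;

    printf("before, len=0: %ld (COPY_BUG is %ld)\n",
           mtrr_write_before(line, "", 0), COPY_BUG);
    printf("after,  len=0: %ld (-EINVAL is %d)\n",
           mtrr_write_after(line, "", 0), -EINVAL);
    rc = mtrr_write_after(line, cmd, strlen(cmd));
    printf("after,  valid: %ld bytes -> \"%s\"\n", rc, line);
    return 0;
}
```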
Changelog From 2.4.29-hf8 to 2.4.29-hf9 (semi-automated)
---------------------------------------
'+' = added ; '-' = removed

+ 2.4.30-vuln-CAN-2005-1263-1 (Greg KH, Chris Wright)
  From Paul Starzetz: A locally exploitable flaw has been found in the
  Linux ELF binary format loader's core dump function that allows local
  users to gain root privileges and also execute arbitrary code at kernel
  privilege level.

Changelog From 2.4.29-hf7 to 2.4.29-hf8 (semi-automated)
---------------------------------------
'+' = added ; '-' = removed

+ 2.4.30-panic-if-more-than-one-moxa-1 (David Monniaux)
  [PATCH] fix moxa crash with more than one board.
  The current Moxa Intellio driver (moxa.c) panics when using > 1 board.
  Fixed build by declaring variable prior to usage - Willy.

+ 2.4.30-bonding-rmmod-oops-1 (Mitch Williams)
  It fixes a stack dump when unloading the bonding module in 802.3ad mode
  if spinlock debugging is turned on, and it was already merged in 2.6.

+ 2.4.29-sk_rmem_alloc-assertion-failure-1 (Herbert Xu)
  [NETLINK]: Fix sk_rmem_alloc assertion failure in af_netlink.c.
  In netlink_dump we're operating on sk after dropping the cb lock. This
  is racy because the owner of the socket could close it after we drop
  the cb lock. The solution is to hold a ref count on the socket before
  we drop the cb lock.

+ 2.4.30-rwsem-spinlocks-must-disable-interrupts-2 (David Howells)
  [PATCH] rwsem: Make rwsems use interrupt disabling spinlocks.
  The attached patch makes read/write semaphores use interrupt disabling
  spinlocks in the slow path, thus rendering the up functions and trylock
  functions available for use in interrupt context. This matches the
  regular semaphore behaviour. Typo fixed by Mikael Pettersson.

Changelog From 2.4.29-hf6 to 2.4.29-hf7 (semi-automated)
---------------------------------------
'+' = added ; '-' = removed

+ bogus-mc_list-deletion-1 (Herbert Xu)
  Looks like I made a nasty typo in the 2.4 backport.
  When entries are unlinked from mc_list, we link the list up with the
  regular hash bucket list by using next instead of bind_next!

+ recent-kernels-need-modutils-2414-1 (Willy Tarreau)
  From Keith Owens:
  > You need modutils >= 2.4.14 to use the combination of
  > CONFIG_MODVERSIONS with EXPORT_SYMBOL_GPL() on 2.4 kernels.

Changelog From 2.4.29-hf5 to 2.4.29-hf6 (semi-automated)
---------------------------------------
'+' = added ; '-' = removed

Note: this update fixes 2 oopses and 4 security vulnerabilities:
  CAN-2005-0400: kernel memory leak in ext2 mkdir()
  CAN-2005-0750: bluetooth range checking bug
  CAN-2005-0794: potential DOS in load_elf_library.
  CAN-2005-0815: range checking flaws in isofs

+ atm_get_addr-signedness-fix-1 (Simon Horman)
  [PATCH] Backport v2.6 ATM copy-to-user signedness fix.
  The signedness fix for atm_get_addr() in 2.6 seems to be needed for 2.4
  as well. This relates to the bugs reported in this document:
  http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html

+ af_bluetooth-checks-unsigned-only-1 (marcel holtmann)
  CAN-2005-0750: Fix af_bluetooth range checking bug, discovered by Ilja
  van Sprundel

+ ext2-mkdir-leaks-kernel-memory-1 (mathieu lafon)
  CAN-2005-0400: ext2 mkdir() directory entry random kernel memory leak.
  I think I have discovered a potential security problem in ext2: when a
  new directory is created, the ext2 block written to disk is not
  initialized. An information leak can then be found after the two
  directory entries ('.' and '..') or in the name buffer of each entry
  (struct ext2_dir_entry_2).

+ load_elf_library-potential-dos-2 (Herbert Xu)
  CAN-2005-0794: Potential DOS in load_elf_library.
  Yichen Xie points out that load_elf_library can modify `elf_phdata'
  before freeing it. Contains latest mismerge fix from Andreas Arens.

+ isofs-range-checking-flaws-1 (chris wright)
  [PATCH] isofs: Handle corrupted rock-ridge info slightly better.
  Michal Zalewski discovered range checking flaws in the iso9660
  filesystem. CAN-2005-0815 is assigned to this issue.

+ degraded-soft-raid1-can-corrupt-data-1 (Neil Brown)
  [PATCH] md: allow degraded raid1 array to resync after an unclean
  shutdown.
  If a raid1 array has more than two devices, and not all are working,
  then it will not resync after an unclean shutdown (as it will think
  that it should reconstruct a failed drive, and will find there aren't
  any spares...). Problem found by Mario Holbe.

+ usb-serial_write-oops-1 (Pete Zaitcev)
  [PATCH] USB: fix oops in serial_write
  When I split the __serial_write off serial_write, the former took the
  NULL check away with it. However, the new serial_write still has a
  reference remaining in down(&port->sem). Joachim Nilsson corrected me.

+ link_path_walk-refcount-problem-1 (Greg Banks)
  [PATCH] link_path_walk refcount problem allows umount of active
  filesystem
  Following an absolute symlink opens a window during which the
  filesystem containing the symlink has an outstanding dentry count and
  no outstanding vfsmount count. A umount() of the filesystem can
  (incorrectly) proceed, resulting in the "Busy inodes after unmount"
  message and an oops shortly thereafter.

+ netlink-multicast-bind-race-1 (Herbert Xu)
  [NETLINK]: Fix multicast bind/autobind race.
  Now it is possible for netlink_bind to race against netlink_autobind
  running on the same socket on another CPU. The result would be a socket
  that's on mc_list with groups set to zero. This socket will be left on
  the list even after it is destroyed. The fix is to remove the zeroing
  in netlink_autobind.

+ tun-check-for-underflow-1 (Patrick McHardy)
  [TUN]: Fix check for underflow. Backport fix from 2.6.x.

+ tcp-bic-reset-cwnd-on-loss-1 (Stephen Hemminger)
  [TCP]: BIC not binary searching correctly.
  2.4 version of same fix as 2.6.11. The problem is that BIC is supposed
  to reset the cwnd to the last loss value rather than ssthresh when loss
  is detected. The correct code (from the BIC TCP code for Web100) is in
  this patch.

+ useless-f_count-leaves-fs-busy-1 (Neil Brown)
  [PATCH] nlm: fix f_count leak
  I can't see any reason for this file->f_count++. Removing it fixes a
  bug which leaves an exported filesystem busy (and so unmountable) if a
  callback for a lock held on that filesystem ever failed. Found by
  Terence Rokop.

Changelog From 2.4.29-hf4 to 2.4.29-hf5 (semi-automated)
---------------------------------------
'+' = added ; '-' = removed

Note: This update fixes a remote security issue on PPP servers.

+ ppp-server-remote-dos-1 (Paul Mackerras)
  Remote Linux DoS on ppp servers (CAN-2005-0384)

+ x86_64-fix-x87-tag-word-emulation-1 (Roland McGrath)
  Fix x87 fnsave Tag Word emulation when using FXSR (SSE).
  The fxsave instruction does not save the x87 tag word (only the empty
  bits), and we re-created the old-style x87 tags incorrectly. The
  registers are saved in "stack order" in the save area, but the tag word
  bits are in "hardware order", and we need to get the right register
  state. Both x86 and x86-64 needed this fix.

+ possible-pty-line-discipline-race-1 (Linus Torvalds)
  [PATCH] Workaround possible pty line discipline race.
  It's in no way "correct", in that the race hasn't actually gone away by
  this patch, but the patch makes it unimportant. We may end up calling a
  stale line discipline, which is still very wrong, but it so happens
  that we don't much care in practice.
  I think that in a 2.4.x tree there are some theoretical SMP races with
  module unloading etc (which the 2.6.x code doesn't have because module
  unload stops the other CPU's - maybe that part got backported to
  2.4.x?), but quite frankly, I suspect that even in 2.4.x they are
  entirely theoretical and impossible to actually hit.
  And again, in theory some line discipline might do something strange
  in its "chars_in_buffer" routine that would be problematic. In practice
  that's just not the case: the "chars_in_buffer()" routine might return
  a bogus _value_ for a stale line discipline thing, but none of them
  seem to follow any pointers that might have become invalid (and in
  fact, most ldiscs don't even have that function).

+ softdog-does-not-reboot-on-close-1 (Jacques Basson)
  There is a bug in softdog.c (v 0.05) in the 2.4 kernel series
  (certainly in 2.4.29, and there are no references to it in the latest
  Changelog) that won't reboot the machine if /dev/watchdog is closed
  unexpectedly and nowayout is not set.

- scsi-tapes-allow-lseek-1 (Marcelo Tosatti)
+ scsi-tapes-allow-lseek-2 (Marcelo Tosatti)
  Fixed lseek on OSST tapes too.

+ write-throttling-ignore-free-highmem-1 (Andrea Arcangeli)
  I got reports of stalls with heavy writes on 2.4. There was a mistake
  in nr_free_buffer_pages. That function is definitely meant _not_ to
  take highmem into account (dirty cache cannot spread over highmem in
  2.4 [even when on top of fs]). For unknown reasons it was actually
  taking highmem into account. The code was obviously meant to not take
  it into account, see the GFP_USER and zonelist, except it wasn't using
  the zonelist. That is a severe problem because there will be no write
  throttling at all, and no bdflush wakeup either. This is a noop for all
  systems <800M (1G shouldn't be noticeable either). This is why most
  people can't notice.

+ get_user_pages-no-pg_reserved-1 (Andrea Arcangeli)
  get_user_pages() shall not grab PG_reserved pages.

+ sparc32-fix-parallel-build-1 (crn:netunix.com)
  [SPARC32]: Fix build dependencies for vmlinux.o
  This helps make parallel builds work properly.

Changelog From 2.4.29-hf3 to 2.4.29-hf4 (semi-automated)
---------------------------------------
'+' = added ; '-' = removed

Only minor fixes this time again, several of which affect drivers but
are as trivial as timeout enlargements. 504 lines removed, 714 lines
added.

Please note: the aic7xxx patch is known to be rejected when applied on
top of Justin Gibbs' AIC7XXX driver, because that driver already
contains the fix. In this case, simply rebuild the whole patch without
the former.

- sparc64-32bit-compat-bugs-1 (David S. Miller)
+ sparc64-32bit-compat-bugs-2 (David S. Miller)
  Fixed a typo found in the original patch which affects semtimedop().
  ACKed by David, should reach mainline ASAP.

+ genesys-usb-workarounds-1 (Pete Zaitcev)
  Disk enclosures with the Genesys Logic chipset require additional
  delays, or commands are not processed. Also, their maximum transfer
  size is limited. Patch by Martin Strigl.

+ libata-missing-hook-oops-1 (Jeff Garzik)
  Advanced SATA drivers should not (and cannot) use the basic PCI IDE
  hooks for checking the Status and Error registers, as these registers
  are either in non-standard locations, or simply don't exist. In the
  error handling path, libata was unconditionally calling some PCI IDE
  hardware bitbanging functions, which would cause an oops in the AHCI
  driver and any other advanced libata driver.

+ synclinkmp-register-access-typo-1 (Paul Fulghum)
  Fix typo to correctly access the rx ready control (RRC) register
  instead of the tx ready control (TRC0) register.

+ aic7xxx-do-not-reset-on-pause-1 (Matt Domsch)
  Patch below taken from RHEL3 Update 4 kernel 2.4.21-27.EL, fixes a bug
  in the aic79xx and aic7xxx drivers, where upon trying to pause the
  controller chip, it is accidentally hard-reset. This causes PCI Parity
  errors to appear on Dell PowerEdge 4600 servers as the inb()
  immediately after the accidental reset receives corrupted data. Patch
  was submitted by Justin Gibbs many moons ago, but never applied to
  mainline 2.4. It's in mainline 2.6.

+ fix-swapoff-after-recreating-device-1 (Solar Designer)
  [PATCH] Fix for swapoff after re-creating device files
  If the device is recreated, the current dentry-only comparison in
  sys_swapoff() might have problems.

+ sd-fix-partition-count-1 (Soo Lee)
  When a scsi disk is removed, another scsi disk with the biggest minor #
  disappears in /proc/partition at the same time. sd.c decreases nr_real
  on disk removal, but because nr_real is not the real # of devices but
  the max # of devices of a major #, it doesn't need to be changed on
  disk add/remove. 2.6 has a little different structure but it does it
  like this.

+ af_unix-fix-siocinq-for-stream-1 (David S. Miller)
  [AF_UNIX]: Fix SIOCINQ for STREAM.
  We should report the total bytes in the whole receive queue, not just
  the first packet, in these cases. Reported by Uwe Bonnes.

+ scsi-tapes-return-enomem-1 (Marcelo Tosatti)
+ scsi-tapes-allow-lseek-1 (Marcelo Tosatti)
  Allow lseek on SCSI tapes again. Recently broken by a security fix.

Changelog From 2.4.29-hf2 to 2.4.29-hf3 (semi-automated)
---------------------------------------

+ net-oops-base_reachable_time-zero-1 (Hideaki Yoshifuji)
  [NET]: Fix kernel oops if base_reachable_time is set to 0.

+ tunsetiff-needs-copy-back-after-ioctl-1 (David S. Miller)
  [COMPAT]: TUNSETIFF needs to copy back data after ioctl.
  It is defined as a _IOW() which is erroneous, it should have been
  defined as _IORW() but that cannot be changed now without breaking all
  existing applications using this ioctl.

+ sparc32-smp-clear-psr_ef-on-fork-1 (David S. Miller)
  [SPARC32]: Need to clear PSR_EF in psr of childregs on fork() on SMP.

+ netlink_remove-unhash-leaks-sockets-1 (Patrick McHardy)
  netlink_remove() only unhashes sockets contained in the first hash
  bucket. This leads to leaking sockets and, over time, to bind conflicts
  which confuse iproute.

+ brlock-causes-deadlock-1 (David S. Miller)
  There were two versions of the big-reader lock implementation.
  1) One using per-cpu reader locks, and a singular write lock.
     Predominantly enabled on x86 and its brothers.
  2) One using a non-atomic per-cpu counter, and a single write lock.
     This is what all other platforms were using.
  #1 is unfortunately buggy.
  brlocks were meant to provide a high performance implementation of
  rwlock_t locks when it is known that the lock is taken 99% of the time
  by readers and that writers are thus rare. (...)

+ 32bit-sys_recvmsg-corruption-1 (Stephen Rothwell)
  In the presence of threads, there is a possibility of the kernel being
  fooled by the 32 bit sys_recvmsg control data into copying more than it
  should into the kernel and corrupting kernel data structures. (...)
  This patch just does some more length checking. This bug was actually
  being hit by BIND running at a customer site. It is very hard to hit,
  but (obviously) possible.

+ sparc64-32bit-compat-bugs-1 (David S. Miller)
  Fix 32bit compat layer bugs in sys_ipc() and sys_rt_sigtimedwait().
  1) sys_ipc() compat wrappers need to verify length before allocating
     kernel data and performing copies.
  2) sys_rt_sigtimedwait() had one schedule_timeout() too many.

- sparc-membar-extra-semi-colons-1 (Willy Tarreau)
- sparc64-membar-extra-semi-colons-1 (Willy Tarreau)
  This was my quick build fix. Now David has sent the clean stuff.

+ sparc-smb_macros-extra-semicolons-1 (David S. Miller)
  [SPARC]: Fix bogus trailing semicolon in smb_*() macros.
  Backported from 2.6.x

+ sparc-nop-extra-semicolons-1 (David S. Miller)
  [SPARC]: nop() macro has bogus trailing semicolon
  Noticed by Bob Breuer.

+ sparc64-membar-extra-semicolons-2 (David S. Miller)
  [SPARC64]: Fix trailing semicolon in membar macros.