++ Hot Fix 15 for Linux Kernel 2.4.29 - 2005/09/11 ++

Willy Tarreau - EXOSEC < wtarreau at exosec.net >

Please read the "README" file first. Then, simply run "make" in the
directory containing this file to rebuild the patches referenced in
this file.

1) Security fixes
=================

+ flash_erase-checks-cap_sys_admin-1 (James Nelson)
  This patch adds CAP_SYS_ADMIN checks to the potentially dangerous
  ioctls FLASH_Erase and FLASH_Burn in the Cobalt LCD interface driver.

+ rw_verify_area-against-file-offset-overflow-2 (Linus Torvalds)
  Backport 2.6 rw_verify_area() to check against file offset overflows:
  - Make generic rw_verify_area check against file offset overflows.
  - Add 'f_maxcount' to allow filesystems to set a per-file maximum IO
    size.
  - Rename "locks_verify_area()" to "rw_verify_area()" and clean up the
    arguments.

+ rw_verify_area-missing-f_maxcount-1 (Solar Designer)

+ wireless-data-leak-1 (Chris Wright)
  There is a potential leak of kernel data to user space in private
  handler handling. Few drivers use that feature; there is no risk of
  crash or direct attack, so I would not worry about it.

+ ppp-server-remote-dos-1 (Paul Mackerras)
  Remote Linux DoS on ppp servers (CAN-2005-0384)

+ atm_get_addr-signedness-fix-1 (Simon Horman)
  [PATCH] Backport v2.6 ATM copy-to-user signedness fix.
  The signedness fix for atm_get_addr() in 2.6 seems to be needed for
  2.4 as well. This relates to the bugs reported in this document:
  http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html

+ af_bluetooth-checks-unsigned-only-1 (Marcel Holtmann)
  CAN-2005-0750: Fix af_bluetooth range checking bug, discovered by Ilja
  van Sprundel.

+ ext2-mkdir-leaks-kernel-memory-1 (Mathieu Lafon)
  CAN-2005-0400: ext2 mkdir() directory entry random kernel memory leak.
  I think I have discovered a potential security problem in ext2: when a
  new directory is created, the ext2 block written to disk is not
  initialized. An information leak can then be found after the two
  directory entries ('.' and '..') or in the name buffer of each entry
  (struct ext2_dir_entry_2).

+ load_elf_library-potential-dos-2 (Herbert Xu)
  CAN-2005-0794: Potential DOS in load_elf_library. Yichen Xie points
  out that load_elf_library can modify `elf_phdata' before freeing it.
  Contains latest mismerge fix from Andreas Arens.

+ isofs-range-checking-flaws-1 (Chris Wright)
  [PATCH] isofs: Handle corrupted rock-ridge info slightly better.
  Michal Zalewski discovered range checking flaws in the iso9660
  filesystem. CAN-2005-0815 is assigned to this issue.

+ 2.4.30-vuln-CAN-2005-1263-1 (Greg KH, Chris Wright)
  From Paul Starzetz: A locally exploitable flaw has been found in the
  Linux ELF binary format loader's core dump function that allows local
  users to gain root privileges and also execute arbitrary code at
  kernel privilege level.

+ 2.4.30-ipvs-unchecked-strcpy-1.diff (the PaX team)
  Replaced several unchecked strcpy() with strncpy().

+ 2.4.30-loop-off-by-one-1 (Julien Tinnes)
  There is an obvious off by one bug in loop.c in kernel 2.4.

+ 2.4.30-rtnetlink-off-by-one-1 (Julien Tinnes)
  [RTNETLINK]: Fix off-by-one error in rtnetlink.c

+ 2.4.30-random-poolsize-sysctl-fix-1 (Vasily Averin)
  [PATCH] random poolsize sysctl fix
  SWSoft Linux kernel Team has discovered that your patch which should
  fix a random poolsize sysctl handler integer overflow is wrong. You
  have changed a variable definition in function proc_do_poolsize(), but
  you had to fix another function, poolsize_strategy().

+ 2.4.31-sparc64-solaris-emu-check-cmsg-len-1 (David S. Miller)
  [SPARC64]: Fix cmsg length checks in Solaris emulation layer.

+ 2.4.31-x86_64-ia64-32bit-execve-overflow-1 (Andi Kleen)
  [PATCH] Fix buffer overflow in x86-64/ia64 32bit execve
  Fix buffer overflow in x86-64/ia64 32bit execve. Originally noted by
  Ilja van Sprundel. I fixed it for both x86-64 and IA64. Other
  architectures are not affected.

+ 2.4.31-x86_64-ptrace-check-canonical-addr-1 (Andi Kleen)
  [PATCH] Check for canonical addresses in ptrace
  Check for canonical addresses in ptrace. This works around an AMD bug
  that allows hanging the CPU by passing illegal addresses.

+ 2.4.31-x86_64-fix-ptrace-check-for-seg-regs-1 (Andi Kleen)
  [PATCH] Fix canonical checking for segment registers in ptrace
  Fix canonical checking for segment registers in ptrace. This avoids a
  local DOS where a process could oops the kernel by passing bogus
  values to ptrace. Some versions of UML did this. Found by Alexander
  Nyberg.

+ 2.4.31-x86_64-disable-exception-stack-1 (Andi Kleen)
  [PATCH] x86_64: Disable exception stack for stack faults
  Just drop the exception stack for stack segment faults. This will make
  some oops triple fault now, but that's better than allowing user
  triggerable oops. Found by Red Hat QA using crashme.

+ 2.4.31-null-deref-cyclades-1 (Julien Tinnes)
  Fix two potential NULL dereferences in drivers/char/cyclades.c

+ 2.4.31-null-deref-esp-1 (Julien Tinnes)
  Fix two potential NULL dereferences in drivers/char/esp.c

+ 2.4.31-null-deref-isicom-1 (Julien Tinnes)
  Fix two potential NULL dereferences in drivers/char/isicom.c

+ 2.4.31-null-deref-mxser-1 (Julien Tinnes)
  Fix two potential NULL dereferences in drivers/char/mxser.c

+ 2.4.31-null-deref-riscom8-1 (Julien Tinnes)
  Fix two potential NULL dereferences in drivers/char/riscom8.c

+ 2.4.31-null-deref-specialix-1 (Julien Tinnes)
  Fix two potential NULL dereferences in drivers/char/specialix.c

+ 2.4.31-zlib-security-bugs-2 (Tim Yamin, Sergey Vlasov)
  Fix outstanding security bugs in the Linux zlib implementations. See:
  a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
  b) http://bugs.gentoo.org/show_bug.cgi?id=94584
  The gzip description is as good as the ChangeLog says it is: "Set n
  to length of v, to detect improper tables" and "Don't accidentally
  grow j past z". The return 2 instead of the return 0 is so that we
  actually error out if we also get improper tables.

+ 2.4.31-zisofs-check-deflatebound-1 (Linus Torvalds)
  [PATCH] Fix outstanding gzip/zlib security issues
  Add fakey 'deflateBound()' function to the in-kernel zlib routines.
  It's not the real deflateBound() in newer zlib libraries, partly
  because the upcoming usage of it won't have the "stream" available, so
  we can't have the same interfaces anyway. Problem noted by Tim Yamin.

2) Critical fixes
=================

+ panic-when-backing-up-lvm-snapshots-1 (Heinz J. Mauelshagen)
  This patch fixes lvm-snap.c in order to avoid a list update on the
  snapshot exception hash happening while only holding a read lock, as
  documented in Red Hat bugzilla #135266.

+ 2.4.30-panic-if-more-than-one-moxa-1 (David Monniaux)
  [PATCH] fix moxa crash with more than one board.
  The current Moxa Intellio driver (moxa.c) panics when using > 1 board.
  Fixed build by declaring variable prior to usage - Willy.

+ 2.4.31-bluetooth-hci_usb-race-hangs-kernel-1 (Marcel Holtmann)
  [PATCH] Fix introduced in 2.4.27pre2 for bluetooth hci_usb race causes
  kernel hang.
  > I have noticed a problem with a race condition fix introduced in
  > 2.4.27-pre2 that causes the kernel to hang when disconnecting a
  > Bluetooth USB dongle or doing 'hciconfig hci0 down'. No message is
  > printed, the kernel just doesn't respond anymore.
  If this works then we should do the same change in the bfusb driver.
  A patch that fixes both drivers is attached.

3) Major bug fixes
==================

+ oops-ata_to_sense_error-1 (Jeff Garzik)
  Fix an oops in ata_to_sense_error

+ lcd_ioctl-memory-leak-1 (James Nelson)
  This patch fixes a memory leak in the FLASH_Burn ioctl for the Cobalt
  LCD interface driver.

+ pkt_sched-netem-leaks-memory-1 (Stephen Hemminger)
  Good catch.. netem needs to free skb's that are dropped due to loss
  simulation.

+ netlink-fix-nlmsg_goodsize-calculation-1 (Thomas Graf)
  NLMSG_GOODSIZE specifies a good default size for the skb tailroom used
  in netlink messages when the size is unknown at the time of the
  allocation. The current value doesn't make much sense anymore because
  skb_shared_info isn't taken into account, which means that depending
  on the architecture NLMSG_GOODSIZE can exceed PAGE_SIZE, resulting in
  a waste of almost a complete page. Using SKB_MAXORDER solves this
  potential leak at the cost of slightly smaller but safer sizes for
  some architectures.

+ proc-kcore-memory-corruption-1 (Ernie Petrides)
  A fairly nasty memory corruption potential exists when /proc/kcore is
  accessed and there are at least 62 vmalloc'd areas. (...) The fix is
  already in 2.6.

+ net-oops-base_reachable_time-zero-1 (Hideaki Yoshifuji)
  [NET]: Fix kernel oops if base_reachable_time is set to 0.

+ x86_64-fix-x87-tag-word-emulation-1 (Roland McGrath)
  Fix x87 fnsave Tag Word emulation when using FXSR (SSE). The fxsave
  instruction does not save the x87 tag word (only the empty bits), and
  we re-created the old-style x87 tags incorrectly. The registers are
  saved in "stack order" in the save area, but the tag word bits are in
  "hardware order", and we need to get the right register state. Both
  x86 and x86-64 needed this fix.

+ possible-pty-line-discipline-race-1 (Linus Torvalds)
  [PATCH] Workaround possible pty line discipline race.
  It's in no way "correct", in that the race hasn't actually gone away
  by this patch, but the patch makes it unimportant. We may end up
  calling a stale line discipline, which is still very wrong, but it so
  happens that we don't much care in practice. I think that in a 2.4.x
  tree there are some theoretical SMP races with module unloading etc
  (which the 2.6.x code doesn't have because module unload stops the
  other CPU's - maybe that part got backported to 2.4.x?), but quite
  frankly, I suspect that even in 2.4.x they are entirely theoretical
  and impossible to actually hit. And again, in theory some line
  discipline might do something strange in its "chars_in_buffer" routine
  that would be problematic. In practice that's just not the case: the
  "chars_in_buffer()" routine might return a bogus _value_ for a stale
  line discipline thing, but none of them seem to follow any pointers
  that might have become invalid (and in fact, most ldiscs don't even
  have that function).

+ softdog-does-not-reboot-on-close-1 (Jacques Basson)
  There is a bug in softdog.c (v 0.05) in the 2.4 kernel series
  (certainly in 2.4.29, and there are no references to it in the latest
  Changelog) that won't reboot the machine if /dev/watchdog is closed
  unexpectedly and nowayout is not set.

+ degraded-soft-raid1-can-corrupt-data-1 (Neil Brown)
  [PATCH] md: allow degraded raid1 array to resync after an unclean
  shutdown.
  If a raid1 array has more than two devices, and not all are working,
  then it will not resync after an unclean shutdown (as it will think
  that it should reconstruct a failed drive, and will find there aren't
  any spares...). Problem found by Mario Holbe.

+ usb-serial_write-oops-1 (Pete Zaitcev)
  [PATCH] USB: fix oops in serial_write
  When I split the __serial_write off serial_write, the former took the
  NULL check away with it. However, the new serial_write still has a
  reference remaining in down(&port->sem). Joachim Nilsson corrected me.

+ link_path_walk-refcount-problem-1 (Greg Banks)
  [PATCH] link_path_walk refcount problem allows umount of active
  filesystem
  Following an absolute symlink opens a window during which the
  filesystem containing the symlink has an outstanding dentry count and
  no outstanding vfsmount count. A umount() of the filesystem can
  (incorrectly) proceed, resulting in the "Busy inodes after unmount"
  message and an oops shortly thereafter.

+ 2.4.30-bonding-rmmod-oops-1 (Mitch Williams)
  It fixes a stack dump when unloading the bonding module in 802.3ad
  mode if spinlock debugging is turned on, and it was already merged in
  2.6.

+ 2.4.30-serial-null-dereference-1.diff (Julien Tinnes)
  Potential null pointer dereference in serial driver.

+ 2.4.30-mtrr-off-by-one-1.diff (Brad Spengler/Julien Tinnes)
  In mtrr_write(), if len==0, -1 is passed to copy_from_user(), which
  will trigger BUG_ON((long)n < 0). Brad found it, Julien explained it
  to me.

+ 2.4.30-jfs_read_super-oops-1 (Mike Kasick)
  [PATCH] JFS oops fix
  Specifically, the kernel attempts to mount root with JFS first, and
  upon aborting jfs_read_super(), the value of sbi->nls_tab is -1, a
  non-NULL value that causes unload_nls() to be called on garbage data,
  leading to a NULL pointer dereference.

+ 2.4.30-usb-io_edgeport-oops-1 (Marcelo Tosatti)
  USB: fix oops in io_edgeport.c driver (2.6 backport)

+ 2.4.31-ip_vs_conn_tab-race-1 (Neil Horman)
  [IPVS]: Close race conditions on ip_vs_conn_tab list modification.
  In an SMP system, it is possible for a connection timer to expire,
  calling ip_vs_conn_expire while the connection table is being flushed,
  before ct_write_lock_bh is acquired. (...) The result is that the next
  pointer gets set to NULL, and subsequently dereferenced, resulting in
  an oops.

+ 2.4.31-nat-fix-memory-corruption-1 (Patrick McHardy)
  [NETFILTER]: Fix potential memory corruption in NAT code (aka memory
  NAT)

+ 2.4.31-size_buffers_type-overflow-1 (Andrea Arcangeli)
  [PATCH] Andrea Arcangeli: avoid size_buffers_type overflow
  The size_buffers_type array, which is an unsigned long, can overflow
  on 32-bit: it's perfectly possible for PAE machines to have more than
  4Gb of data mapped by buffer_head's at the same time. Avoid that by
  accounting 1/512 of the real size (size >> 9).

4) Minor bug fixes
==================

+ ppc32-tlb-miss-handler-1 (Tom Rini / Joakim Tjernlund)
  There is a problem in the TLB Miss (and Error, as they jump to the
  Miss handler) handlers. The problem is that when an app spans more
  than one L1 entry, we don't have all of the correct information, and
  do_page_fault() thinks a protection fault happened, when it didn't
  really. The fix for this is to modify the handlers slightly to force a
  TLB Error in this case.

+ rtnetlink-set-multi-flags-1 (Thomas Graf)
  Set NLM_F_MULTI for neighbour rtnetlink messages to userspace.

+ hiddev-busy-loop-1 (David Micon)
  In the loop, schedule() returns with the current state TASK_RUNNING,
  so at the next revolution it returns immediately, and the task sits
  there burning CPU.

+ msf-overflow-multisession-dvd-1 (Luca Tettamanti)
  This is a backport of my patch that went into 2.6.10. cdrom_read_toc
  (ide-cd.c) always reads the TOC using MSF format. If the last session
  of the disk starts beyond block 1152000 (LBA) there's an overflow in
  the MSF format and the kernel complains: "Unable to identify CD-ROM
  format." So read the multi-session TOC in LBA format in order to
  avoid an overflow in MSF format with multisession DVDs.

+ sparc64-signed-atomic-values-1 (David S. Miller / Hugh Daniels)
  Even though we declare these functions as returning a 32-bit signed
  integer, the sparc64 ABI states that such functions must properly
  sign-extend the return value to the full 64 bits.

+ kfree_skb-missing-memory-barrier-1 (Herbert Xu)
  The bug is that in the case where we do the atomic_read()
  optimization, we need to make sure that reads of skb state later in
  __kfree_skb() processing (particularly the skb->list BUG check) are
  not reordered to occur before the counter read by the cpu.

+ net-put-barriers-around-dst-refcnt-1 (Herbert Xu)
  In light of the recent discussion about sk_buff, I think we need the
  following patch for dst_entry. This adds a memory barrier before
  dst_release drops the refcnt, and a read memory barrier before
  dst_destroy starts destroying the entry.

+ sparc64-atomic-and-bitops-fixes-1 (David S. Miller)
  1) Correct memory barriers. Routines not returning a value need no
     memory barriers, however routines returning values do need them.
  2) Actually implement non-atomic ext2 bitops.

+ sparc64-xchg-use-membars-1 (David S. Miller)
  [SPARC64]: Add missing membars for xchg() and cmpxchg().

+ sparc64-locks-use-membars-1 (David S. Miller)
  [SPARC64]: Add missing membars for xchg() and cmpxchg().
  read_unlock should order all previous memory operations before the
  atomic counter update to drop the lock. The debugging version of
  write_unlock had a similar error.

+ ipconfig-use-memmove-not-strcpy-1 (Matthew Wilcox)
  strcpy is undefined if src and dest overlap. That's clearly possible
  here with a sufficiently deep path on the server. Use memmove instead.

+ sparc64-mask-32bits-stack-ptr-1 (David S. Miller)
  [SPARC64]: Mask off stack ptr in alloc_user_space() for 32-bit.

+ i386-pci-irq-displays-wrong-pin-1 (Mark Haigh)
  [PATCH] arch/i386/kernel/pci-irq.c: Wrong message output
  I'd submitted a patch earlier for this file, fixing a warning. When I
  looked at it further, I noticed it can output an incorrect warning
  message under certain circumstances. I've confirmed that this can and
  does happen in the wild: (...) This patch also fixes the original
  warning.

+ lp_write-race-can-corrupt-data-1 (Kenneth Sumrall)
  In lp_write(), copy_from_user() is called to copy data into a
  statically allocated kernel buffer before down_interruptible() is
  called. If a second thread of execution comes in between the
  copy_from_user() and the down_interruptible() calls, silent data
  corruption could result.

+ tunsetiff-needs-copy-back-after-ioctl-1 (David S. Miller)
  [COMPAT]: TUNSETIFF needs to copy back data after ioctl.
  It is defined as a _IOW() which is erroneous, it should have been
  defined as _IORW() but that cannot be changed now without breaking
  all existing applications using this ioctl.

+ sparc32-smp-clear-psr_ef-on-fork-1 (David S. Miller)
  [SPARC32]: Need to clear PSR_EF in psr of childregs on fork() on SMP.

+ netlink_remove-unhash-leaks-sockets-1 (Patrick McHardy)
  netlink_remove() only unhashes sockets contained in the first hash
  bucket. This leads to leaking sockets and, over time, to bind
  conflicts which confuse iproute.

+ brlock-causes-deadlock-1 (David S. Miller)
  There were two versions of the big-reader lock implementation.
  1) One using per-cpu reader locks, and a singular write lock.
     Predominantly enabled on x86 and its brothers.
  2) One using non-atomic per-cpu counter, and a single write lock.
     This is what all other platforms were using.
  #1 is unfortunately buggy. brlocks were meant to provide a high
  performance implementation of rwlock_t locks when it is known that
  the lock is taken 99% of the time by readers and that writers are
  thus rare. (...)

+ 32bit-sys_recvmsg-corruption-1 (Stephen Rothwell)
  In the presence of threads, there is a possibility of the kernel
  being fooled by the 32 bit sys_recvmsg control data into copying more
  than it should into the kernel and corrupting kernel data structures.
  (...) This patch just does some more length checking. This bug was
  actually being hit by BIND running at a customer site. It is very
  hard to hit, but (obviously) possible.

+ sparc64-32bit-compat-bugs-2 (David S. Miller)
  Fix 32bit compat layer bugs in sys_ipc() and sys_rt_sigtimedwait().
  1) sys_ipc() compat wrappers need to verify length before allocating
     kernel data and performing copies.
  2) sys_rt_sigtimedwait() had one schedule_timeout() too many.

+ genesys-usb-workarounds-1 (Pete Zaitcev)
  Disk enclosures with Genesys Logic chipsets require additional
  delays, or commands are not processed. Also, their maximum transfer
  size is limited. Patch by Martin Strigl.

+ libata-missing-hook-oops-1 (Jeff Garzik)
  Advanced SATA drivers should not (and cannot) use the basic PCI IDE
  hooks for checking the Status and Error registers, as these registers
  are either in non-standard locations, or simply don't exist. In the
  error handling path, libata was unconditionally calling some PCI IDE
  hardware bitbanging functions, which would cause an oops in the AHCI
  driver and any other advanced libata driver.
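Added example for the ipconfig-use-memmove-not-strcpy-1 entry above; this is constructed for this changelog and is not the kernel's ipconfig.c. It shows the overlapping-copy case the entry describes: dropping a leading "host:" prefix from a root path in place, where the source and destination regions overlap and strcpy() is undefined, so the remainder (NUL included) is shifted with memmove() using a length computed once up front.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example (not the kernel's ipconfig.c): drop an optional
 * "host:" prefix from an NFS-style root path, in place.  The data is
 * shifted towards the start of the same buffer, so source and destination
 * overlap: strcpy() is undefined here, memmove() is not.
 *
 * Returns the number of bytes removed, or 0 if nothing was stripped.
 */
size_t strip_host_prefix(char *path, size_t bufsize)
{
    /* Bounded length scan: never run past the buffer looking for NUL. */
    size_t len = 0;
    while (len < bufsize && path[len] != '\0')
        len++;
    if (len == bufsize)
        return 0;               /* no terminator inside the buffer */

    /* A ':' that comes before any '/' separates the host from the path. */
    const char *colon = memchr(path, ':', len);
    if (colon == NULL || colon == path)
        return 0;               /* no host part, or an empty one */
    if (memchr(path, '/', (size_t)(colon - path)) != NULL)
        return 0;               /* ':' belongs to the path itself */

    size_t skip = (size_t)(colon - path) + 1;
    /* Move the remainder plus its NUL; regions overlap, hence memmove(). */
    memmove(path, path + skip, len - skip + 1);
    return skip;
}

int main(void)
{
    /* Constructed sample input: a path deep enough that the moved region
     * overlaps the bytes it is moved from. */
    char root[64] = "server.example:/export/root/deep/path";
    size_t removed = strip_host_prefix(root, sizeof root);
    printf("removed %zu bytes, path is now \"%s\"\n", removed, root);
    return 0;
}
```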
+ synclinkmp-register-access-typo-1 (Paul Fulghum)
  Fix typo to correctly access rx ready control (RRC) register instead
  of the tx ready control (TRC0) register.

+ aic7xxx-do-not-reset-on-pause-1 (Matt Domsch)
  Patch below taken from RHEL3 Update 4 kernel 2.4.21-27.EL, fixes a bug
  in the aic79xx and aic7xxx drivers, where upon trying to pause the
  controller chip, it is accidentally hard-reset. This causes PCI Parity
  errors to appear on Dell PowerEdge 4600 servers as the inb()
  immediately after the accidental reset receives corrupted data. Patch
  was submitted by Justin Gibbs many moons ago, but never applied to
  mainline 2.4. It's in mainline 2.6.

+ fix-swapoff-after-recreating-device-1 (Solar Designer)
  [PATCH] Fix for swapoff after re-creating device files
  If the device is recreated, the current dentry-only comparison in
  sys_swapoff() might have problems.

+ sd-fix-partition-count-1 (Soo Lee)
  When a SCSI disk is removed, the other SCSI disk with the biggest
  minor # disappears from /proc/partitions at the same time. sd.c
  decreases nr_real on disk removal, but because nr_real is not the
  real # of devices but the max # of devices of a major #, it doesn't
  need to be changed on disk add/remove. 2.6 has a slightly different
  structure but it does it like this.

+ af_unix-fix-siocinq-for-stream-1 (David S. Miller)
  [AF_UNIX]: Fix SIOCINQ for STREAM.
  We should report the total bytes in the whole receive queue, not just
  the first packet, in these cases. Reported by Uwe Bonnes.

+ scsi-tapes-return-enomem-1 (Marcelo Tosatti)

+ scsi-tapes-allow-lseek-2 (Marcelo Tosatti)
  Allow lseek on SCSI tapes and OSST again. Recently broken by a
  security fix.

+ write-throttling-ignore-free-highmem-1 (Andrea Arcangeli)
  I got reports of stalls with heavy writes on 2.4. There was a mistake
  in nr_free_buffer_pages. That function is definitely meant _not_ to
  take highmem into account (dirty cache cannot spread over highmem in
  2.4 [even when on top of fs]). For unknown reasons it was actually
  taking highmem into account. The code was obviously meant not to take
  it into account (see the GFP_USER and zonelist), except it wasn't
  using the zonelist. That is a severe problem because there will be no
  write throttling at all, and no bdflush wakeup either. This is a noop
  for all systems <800M (1G shouldn't be noticeable either). This is
  why most people can't notice.

+ get_user_pages-no-pg_reserved-1 (Andrea Arcangeli)
  get_user_pages() shall not grab PG_reserved pages.

+ netlink-multicast-bind-race-1 (Herbert Xu)
  [NETLINK]: Fix multicast bind/autobind race.
  Now it is possible for netlink_bind to race against netlink_autobind
  running on the same socket on another CPU. The result would be a
  socket that's on mc_list with groups set to zero. This socket will be
  left on the list even after it is destroyed. The fix is to remove the
  zeroing in netlink_autobind.

+ tun-check-for-underflow-1 (Patrick McHardy)
  [TUN]: Fix check for underflow. Backport fix from 2.6.x.

+ tcp-bic-reset-cwnd-on-loss-1 (Stephen Hemminger)
  [TCP]: BIC not binary searching correctly.
  2.4 version of same fix as 2.6.11. The problem is that BIC is supposed
  to reset the cwnd to the last loss value rather than ssthresh when
  loss is detected. The correct code (from the BIC TCP code for Web100)
  is in this patch.

+ useless-f_count-leaves-fs-busy-1 (Neil Brown)
  [PATCH] nlm: fix f_count leak
  I can't see any reason for this file->f_count++. Removing it fixes a
  bug which leaves an exported filesystem busy (and so unmountable) if
  a callback for a lock held on that filesystem ever failed. Found by
  Terence Rokop.

+ bogus-mc_list-deletion-1 (Herbert Xu)
  Looks like I made a nasty typo in the 2.4 backport. When entries are
  unlinked from mc_list, we link the list up with the regular hash
  bucket list by using next instead of bind_next!

+ 2.4.29-sk_rmem_alloc-assertion-failure-1 (Herbert Xu)
  [NETLINK]: Fix sk_rmem_alloc assertion failure in af_netlink.c.
  In netlink_dump we're operating on sk after dropping the cb lock.
  This is racy because the owner of the socket could close it after we
  drop the cb lock. The solution is to hold a ref count on the socket
  before we drop the cb lock.

+ 2.4.30-rwsem-spinlocks-must-disable-interrupts-2 (David Howells)
  [PATCH] rwsem: Make rwsems use interrupt disabling spinlocks.
  The attached patch makes read/write semaphores use interrupt
  disabling spinlocks in the slow path, thus rendering the up functions
  and trylock functions available for use in interrupt context. This
  matches the regular semaphore behaviour. Typo fixed by Mikael
  Pettersson.

+ 2.4.30-stretch-ack-kills-performance-1 (David Miller)
  [TCP]: Fix stretch ACK performance killer when doing ucopy.
  When we are doing ucopy, we try to defer the ACK generation to
  cleanup_rbuf(). This works most of the time very well, but if the
  ucopy prequeue is large, this ACKing behavior kills performance.

+ 2.4.31-inode-cache-smp-races-1 (Larry Woodman)
  [PATCH] workaround inode cache (prune_icache/__refile_inode) SMP races
  Over the past couple of weeks we have seen two races in the inode
  cache code. The first is between [dispose_list()] and
  __refile_inode() and the second is between prune_icache() and
  truncate_inodes(). Fixes bug 155289.

+ 2.4.31-netlink-socket-hashing-bugs-2 (David S. Miller)
  [NETLINK]: Fix two socket hashing bugs.
  netlink_release() should only decrement the hash entry count if the
  socket was actually hashed. netlink_autobind() needs to propagate the
  error return from netlink_insert(). Otherwise, callers will not see
  the error as they should and thus try to operate on a socket with a
  zero pid, which is very bad. Thanks to Jakub Jelinek for providing
  backtraces, and Herbert Xu for debugging patches to help track this
  down.

+ 2.4.31-sparc64-sys32_utimes-random-timestamps-1 (Jakub Bogusz)
  [SPARC64]: fix sys32_utimes(somefile, NULL)
  This patch fixes utimes(somefile, NULL) syscalls on sparc64 kernel
  with 32-bit userland - use of an uninitialized value resulted in
  random timestamps, which confused e.g. sudo. It has already been
  fixed (by davem) in the linux-2.6 tree 30 months ago.

+ 2.4.31-isofs-option-parse-fix-1 (Horms + Andrey J. Melnikoff)
  Fix isofs option parser. If iocharset, map or session are matched,
  then none of the if or else if clauses under sbsector will match
  (that is, none of these clauses match iocharset, map or session), and
  thus the else clause will be hit, and the function will return 1
  without parsing any further options. Also fix gcc-3.4 warnings.

+ 2.4.31-netfilter-tcp-unclean-1.diff (Patrick McHardy)
  [NETFILTER]: Ignore PSH on SYN/ACK in ipt_unclean

+ 2.4.31-redblacktree-missing-returns-1 (deep-blue@t-online.de)
  [PATCH] fix RedBlackTree rb_next/rb_prev functions.
  I have found a bug in the source of the rbtree.c file in /lib. In
  kernel 2.6 it's ok, but 2.4.31 has this error. We try to use it with
  the jffs2 source code and only with this fix does it work fine.

+ 2.4.31-incorrect-fp-signal-delivery-1 (Chuck Ebbert)
  [PATCH] i386: fix incorrect FP signal delivery
  i386 floating-point exception handling has a bug that can cause error
  code 0 to be sent instead of the proper code during signal delivery.

+ 2.4.31-ipv4-peers-negative-timer-1 (Dave Johnson)
  [IPV4]: Fix negative timer loop with lots of ipv4 peers.
  peer_check_expire() in net/ipv4/inetpeer.c isn't using
  inet_peer_gc_mintime correctly and will end up creating an expire
  timer with less than the minimum duration, and even zero/negative if
  enough active peers are present. If >65K peers, the timer will be
  less than inet_peer_gc_mintime, and with >70K peers, the timer
  duration will reach zero and go negative.

+ 2.4.31-ipv6-route-events-with-wrong-netlink-pid-1 (Hasso Tepper)
  [IPV6]: Route events reported with wrong netlink PID and seq number
  Attached is a backport of the patch from jamal already in the 2.6
  kernel. It would be very nice to see it in the 2.4 kernel as well, as
  I keep receiving reports from users that "Quagga IPv6 is broken with
  2.4 kernel".

+ 2.4.31-nat-module-load-race-1 (Patrick McHardy)
  [NETFILTER]: Handle NAT module load race
  When the NAT module is loaded when connections are already confirmed,
  it must not change their tuples anymore. This is especially important
  with CONFIG_NETFILTER_DEBUG: the netfilter listhelp functions will
  refuse to remove an entry from a list when it can not be found on the
  list, so when a changed tuple hashes to a new bucket the entry is
  kept in the list until and after the conntrack is freed. Allocate the
  exact conntrack tuple for NAT for already confirmed connections, or
  drop them if that fails.

+ 2.4.31-sparc64-do_netfilter_replace-use-vmalloc-1 (Gustavo Zacarias)
  [SPARC64]: Use vmalloc() in do_netfilter_replace()
  Otherwise the number of rules one can upload into the kernel is
  severely limited.

5) Build fixes
==============

+ configure-mangles-hex-values-1 (Nick Pollitt)
  When doing a make oldconfig, the hex function strips the leading '0x'
  from hex values. The '0x' is needed in the final autoconf.h, and its
  absence causes the following problem.

+ sparc-smb_macros-extra-semicolons-1 (David S. Miller)
  [SPARC]: Fix bogus trailing semicolon in smb_*() macros. Backported
  from 2.6.x

+ sparc-nop-extra-semicolons-1 (David S. Miller)
  [SPARC]: nop() macro has bogus trailing semicolon. Noticed by Bob
  Breuer.

+ sparc64-membar-extra-semicolons-2 (David S. Miller)
  [SPARC64]: Fix trailing semicolon in membar macros.

+ sparc32-fix-parallel-build-1 (crn:netunix.com)
  [SPARC32]: Fix build dependencies for vmlinux.o
  This helps make parallel builds work properly.

+ 2.4.30-xfs-build-without-debug-1 (Christoph Hellwig)
  [PATCH] XFS: fix compilation error
  > 2.4.30 will not compile if XFS is turned on, but XFS debugging is
  > not.
  Looks like a trivial one-liner got lost when merging from the SGI CVS
  tree.

+ 2.4.31-no-32bit-moves-on-seg-regs-1 (H. J. Lu)
  [PATCH] newer i386/x86_64 assemblers prohibit instructions for moving
  between a seg register and a 32bit location.
  The new i386/x86_64 assemblers no longer accept instructions for
  moving between a segment register and a 32bit memory location.

+ 2.4.31-alpha-cabriolet-needs-ns87312-1 (Bill Dupree)
  [PATCH] Fix Alpha AXP Cabriolet build.
  Alpha AXP Cabriolet build fails with unresolved reference to
  ns87312_enable_ide().

6) Documentation fixes
======================

+ recent-kernels-need-modutils-2414-1 (Willy Tarreau)
  From Keith Owens:
  > You need modutils >= 2.4.14 to use the combination of
  > CONFIG_MODVERSIONS with EXPORT_SYMBOL_GPL() on 2.4 kernels.

END.