Changelog From 2.4.29-hf7 to 2.4.29-hf8 (semi-automated)
---------------------------------------
'+' = added ; '-' = removed


+ 2.4.30-panic-if-more-than-one-moxa-1                         (David Monniaux)

  [PATCH] fix moxa crash with more than one board.
  The current Moxa Intellio driver (moxa.c) panics when using > 1 board.
  Fixed build by declaring variable prior to usage - Willy.

+ 2.4.30-bonding-rmmod-oops-1                                  (Mitch Williams)

  It fixes a stack dump when unloading the bonding module in 802.3ad mode
  if spinlock debugging is turned on, and it was already merged in 2.6.

+ 2.4.29-sk_rmem_alloc-assertion-failure-1                         (Herbert Xu)

  [NETLINK]: Fix sk_rmem_alloc assertion failure in af_netlink.c.
  In netlink_dump we're operating on sk after dropping the cb lock. This is
  racy because the owner of the socket could close it after we drop the cb
  lock. The solution is to hold a ref count on the socket before we drop the
  cb lock.

+ 2.4.30-rwsem-spinlocks-must-disable-interrupts-2              (David Howells)

  [PATCH] rwsem: Make rwsems use interrupt disabling spinlocks.
  The attached patch makes read/write semaphores use interrupt disabling
  spinlocks in the slow path, thus rendering the up functions and trylock
  functions available for use in interrupt context.  This matches the
  regular semaphore behaviour. Typo fixed by Mikael Pettersson.


Changelog From 2.4.29-hf6 to 2.4.29-hf7 (semi-automated)
---------------------------------------
'+' = added ; '-' = removed
 

+ bogus-mc_list-deletion-1                                         (Herbert Xu)

  Looks like I made a nasty typo in the 2.4 backport.  When entries
  are unlinked from mc_list, we link the list up with the regular
  hash bucket list by using next instead of bind_next!

+ recent-kernels-need-modutils-2414-1                           (Willy Tarreau)

  From Keith Owens:
  > You need modutils >= 2.4.14 to use the combination of
  > CONFIG_MODVERSIONS with EXPORT_SYMBOL_GPL() on 2.4 kernels.


Changelog From 2.4.29-hf5 to 2.4.29-hf6 (semi-automated)
---------------------------------------
'+' = added ; '-' = removed

Note: this update fixes 2 oopses and 4 security vulnerabilities:

    CAN-2005-0400: kernel memory leak in ext2 mkdir()
    CAN-2005-0750: bluetooth range checking bug
    CAN-2005-0794: potential DOS in load_elf_library.
    CAN-2005-0815: range checking flaws in isofs


+ atm_get_addr-signedness-fix-1                                  (Simon Horman)

  [PATCH] Backport v2.6 ATM copy-to-user signedness fix.
  The signedness fix for atm_get_addr() in 2.6 seems to be needed for 2.4 as
  well. This relates to the bugs reported in this document:
  http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html

+ af_bluetooth-checks-unsigned-only-1                         (marcel holtmann)

  CAN-2005-0750: Fix af_bluetooth range checking bug, discovered by Ilja van
  Sprundel <ilja@suresec.org>

+ ext2-mkdir-leaks-kernel-memory-1                              (mathieu lafon)

  CAN-2005-0400: ext2 mkdir() directory entry random kernel memory leak.
  I think I have discovered a potential security problem in ext2: when a new
  directory is created, the ext2 block written to disk is not initialized.
  An information leak can then be found after the two directory entries ('.'
  and '..') or in the name buffer of each entry (struct ext2_dir_entry_2).
  
+ load_elf_library-potential-dos-2                                 (Herbert Xu)

  CAN-2005-0794: Potential DOS in load_elf_library.
  Yichen Xie <yxie@cs.stanford.edu> points out that load_elf_library can
  modify `elf_phdata' before freeing it. Contains latest mismerge fix from
  Andreas Arens.

+ isofs-range-checking-flaws-1                                   (chris wright)

  [PATCH] isofs: Handle corrupted rock-ridge info slightly better.
  Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in
  iso9660 filesystem. CAN-2005-0815 is assigned to this issue.
 
+ degraded-soft-raid1-can-corrupt-data-1                           (Neil Brown)

  [PATCH] md: allow degraded raid1 array to resync after an unclean shutdown.
  If a raid1 array has more than two devices, and not all are working,
  then it will not resync after an unclean shutdown (as it will think
  that it should reconstruct a failed drive, and will find there aren't
  any spares...). Problem found by Mario Holbe.

+ usb-serial_write-oops-1                                        (Pete Zaitcev)

  [PATCH] USB: fix oops in serial_write
  When I split the __serial_write off serial_write, the former took the NULL
  check away with it. However, the new serial_write still has a reference
  remaining in down(&port->sem). Joachim Nilsson corrected me.

+ link_path_walk-refcount-problem-1                                (Greg Banks)

  [PATCH] link_path_walk refcount problem allows umount of active filesystem
  Following an absolute symlink opens a window during which the filesystem
  containing the symlink has an outstanding dentry count and no outstanding
  vfsmount count.  A umount() of the filesystem can (incorrectly) proceed,
  resulting in the "Busy inodes after unmount" message and an oops shortly
  thereafter.
  
+ netlink-multicast-bind-race-1                                    (Herbert Xu)

  [NETLINK]: Fix multicast bind/autobind race.
  Now it is possible for netlink_bind to race against netlink_autobind running
  on the same socket on another CPU.  The result would be a socket that's on
  mc_list with groups set to zero. This socket will be left on the list even
  after it is destroyed. The fix is to remove the zeroing in netlink_autobind.

+ tun-check-for-underflow-1                                   (Patrick McHardy)

  [TUN]: Fix check for underflow. Backport fix from 2.6.x.

+ tcp-bic-reset-cwnd-on-loss-1                              (Stephen Hemminger)

  [TCP]: BIC not binary searching correctly. 2.4 version of same fix as 2.6.11.
  The problem is that BIC is supposed to reset the cwnd to the last loss value
  rather than ssthresh when loss is detected.  The correct code (from the BIC
  TCP code for Web100) is in this patch.

+ useless-f_count-leaves-fs-busy-1                                 (Neil Brown)

  [PATCH] nlm: fix f_count leak
  I can't see any reason for this file->f_count++.  Removing it fixes a bug
  which leaves an exported filesystem busy (and so unmountable) if a callback
  for a lock held on that filesystem ever failed. Found by Terence Rokop.


Changelog From 2.4.29-hf4 to 2.4.29-hf5 (semi-automated)
---------------------------------------
'+' = added ; '-' = removed

Note: This update fixes a remote security issue on PPP servers.


+ ppp-server-remote-dos-1                                      (Paul Mackerras)

  Remote Linux DoS on ppp servers (CAN-2005-0384)

+ x86_64-fix-x87-tag-word-emulation-1                          (Roland McGrath)

  Fix x87 fnsave Tag Word emulation when using FXSR (SSE).
  The fxsave instruction does not save the x87 tag word (only the empty bits),
  and we re-created the old-style x87 tags incorrectly. The registers are saved
  in "stack order" in the save area, but the tag word bits are in "hardware
  order", and we need to get the right register state. Both x86 and x86-64
  needed this fix.

+ possible-pty-line-discipline-race-1                          (Linus Torvalds)

  [PATCH] Workaround possible pty line discipline race.
  It's in no way "correct", in that the race hasn't actually gone away by this
  patch, but the patch makes it unimportant. We may end up calling a stale line
  discipline, which is still very wrong, but it so happens that we don't much
  care in practice. I think that in a 2.4.x tree there are some theoretical SMP
  races with module unloading etc (which the 2.6.x code doesn't have because
  module unload stops the other CPUs - maybe that part got backported to
  2.4.x?), but quite frankly, I suspect that even in 2.4.x they are entirely
  theoretical and impossible to actually hit. And again, in theory some line
  discipline might do something strange in its "chars_in_buffer" routine that
  would be problematic. In practice that's just not the case: the
  "chars_in_buffer()" routine might return a bogus _value_ for a stale line
  discipline thing, but none of them seem to follow any pointers that might
  have become invalid (and in fact, most ldiscs don't even have that function).

+ softdog-does-not-reboot-on-close-1                           (Jacques Basson)

  There is a bug in the softdog.c (v 0.05) in the 2.4 kernel series (certainly
  in 2.4.29 and there are no references to it in the latest Changelog) that
  won't reboot the machine if /dev/watchdog is closed unexpectedly and nowayout
  is not set.

- scsi-tapes-allow-lseek-1                                    (Marcelo Tosatti)
+ scsi-tapes-allow-lseek-2                                    (Marcelo Tosatti)

  Fixed lseek on OSST tapes too.
 
+ write-throttling-ignore-free-highmem-1                     (Andrea Arcangeli)

  I got reports of stalls with heavy writes on 2.4. There was a mistake in
  nr_free_buffer_pages. That function is definitely meant _not_ to take highmem
  into account (dirty cache cannot spread over highmem in 2.4 [even when on top
  of fs]). For unknown reasons it was actually taking highmem into account. The
  code was obviously meant to not take into account see the GFP_USER and
  zonelist, except it wasn't using the zonelist. That is a severe problem
  because there will be no write throttling at all, and no bdflush wakeup
  either. This is a noop for all systems <800M (1G shouldn't be noticeable
  either). This is why most people can't notice.

+ get_user_pages-no-pg_reserved-1                            (Andrea Arcangeli)

  get_user_pages() shall not grab PG_reserved pages.
 
+ sparc32-fix-parallel-build-1                                (crn:netunix.com)

  [SPARC32]: Fix build dependencies for vmlinux.o
  This helps make parallel builds work properly.
 
 
Changelog From 2.4.29-hf3 to 2.4.29-hf4 (semi-automated)
---------------------------------------
'+' = added ; '-' = removed

Only minor fixes this time again, several of which affect drivers but are as
trivial as timeout enlargements. 504 lines removed, 714 lines added.

Please note: The aic7xxx patch is known to cause Justin Gibbs' AIC7XXX driver
to reject when applied because it already contains the fix. In this case,
simply rebuild the whole patch without the former.


- sparc64-32bit-compat-bugs-1                                 (David S. Miller)
+ sparc64-32bit-compat-bugs-2                                 (David S. Miller)
 
  Fixed a typo found in the original patch which affects semtimedop().
  ACKed by David, should reach mainline ASAP.
   
+ genesys-usb-workarounds-1                                      (Pete Zaitcev)

  Disk enclosures with Genesys Logics chipset require additional delays, or
  commands are not processed. Also, their maximum transfer size is limited.
  Patch by Martin Strigl.

+ libata-missing-hook-oops-1                                      (Jeff Garzik)

  Advanced SATA drivers should not (and cannot) use the basic PCI IDE hooks for
  checking the Status and Error registers, as these registers are either in
  non-standard locations, or simply don't exist. In the error handling path,
  libata was unconditionally calling some PCI IDE hardware bitbanging
  functions, which would cause an oops in the AHCI driver and any other
  advanced libata driver.

+ synclinkmp-register-access-typo-1                              (Paul Fulghum)

  Fix typo to correctly access rx ready control (RRC) register instead of the
  tx ready control (TRC0) register.

+ aic7xxx-do-not-reset-on-pause-1                                 (Matt Domsch)

  Patch below taken from RHEL3 Update 4 kernel 2.4.21-27.EL, fixes a bug in
  the aic79xx and aic7xxx drivers, where upon trying to pause the controller
  chip, it is accidentally hard-reset.  This causes PCI Parity errors to appear
  on Dell PowerEdge 4600 servers as the inb() immediately after accidental
  reset receives corrupted data. Patch was submitted by Justin Gibbs many moons
  ago, but never applied to mainline 2.4. It's in mainline 2.6.
  
+ fix-swapoff-after-recreating-device-1                        (Solar Designer)

  [PATCH] Fix for swapoff after re-creating device files
  If device is recreated the current dentry-only comparison in sys_swapoff()
  might have problems.

+ sd-fix-partition-count-1                                            (Soo Lee)

  When a scsi disk is removed other scsi disk with biggest minor # disappears
  in /proc/partition at the same time. sd.c decreases nr_real on disk removal
  but because nr_real is not real # of devices but max # of devices of a major
  #, it doesn't need to be changed on disk add/remove. 2.6 has little different
  structure but it does like this.

+ af_unix-fix-siocinq-for-stream-1                            (David S. Miller)

  [AF_UNIX]: Fix SIOCINQ for STREAM.
  We should report the total bytes in the whole receive queue, not just the
  first packet, in these cases. Reported by Uwe Bonnes.

+ scsi-tapes-return-enomem-1                                  (Marcelo Tosatti)
+ scsi-tapes-allow-lseek-1                                    (Marcelo Tosatti)

  Allow lseek on SCSI tapes again. Recently broken by a security fix.
  


Changelog From 2.4.29-hf2 to 2.4.29-hf3 (semi-automated)
---------------------------------------

+ net-oops-base_reachable_time-zero-1                        (Hideaki Yoshifuji)

  [NET]: Fix kernel oops if base_reachable_time is set to 0.

+ tunsetiff-needs-copy-back-after-ioctl-1                      (David S. Miller)

  [COMPAT]: TUNSETIFF needs to copy back data after ioctl.
  It is defined as a _IOW() which is erroneous, it should
  have been defined as _IORW() but that cannot be changed
  now without breaking all existing applications using this
  ioctl.

+ sparc32-smp-clear-psr_ef-on-fork-1                           (David S. Miller)

  [SPARC32]: Need to clear PSR_EF in psr of childregs on fork() on SMP.

+ netlink_remove-unhash-leaks-sockets-1                        (Patrick McHardy)

  netlink_remove() only unhashes sockets contained in the 
  first hash bucket.  This leads to leaking sockets and,
  over time, to bind conflicts which confuse iproute.

+ brlock-causes-deadlock-1                                     (David S. Miller)

  There were two versions of the big-reader lock implementation.
  
  1) One using per-cpu reader locks, and a singular write lock.
     Predominantly enabled on x86 and its brothers.
  
  2) One using non-atomic per-cpu counter, and a single write lock.
     This is what all other platforms were using.
  
  #1 is unfortunately buggy.  brlocks were meant to provide a
  high performance implementation of rwlock_t locks when it
  is known that the lock is taken 99% of the time by readers
  and that writers are thus rare. (...)  

+ 32bit-sys_recvmsg-corruption-1                              (Stephen Rothwell)

  In the presence of threads, there is a possibility of the kernel being
  fooled by the 32 bit sys_recvmsg control data into copying more than it
  should into the kernel and corrupting kernel data structures. (...)
  This patch just does some more length checking. This bug was actually
  being hit by BIND running at a customer site.  It is very hard to hit,
  but (obviously) possible.

+ sparc64-32bit-compat-bugs-1                                  (David S. Miller)

  Fix 32bit compat layer bugs in sys_ipc() and sys_rt_sigtimedwait().
  1) sys_ipc() compat wrappers need to verify length before allocating
     kernel data and performing copies.
  2) sys_rt_sigtimedwait() had one schedule_timeout() too many.
  
- sparc-membar-extra-semi-colons-1                               (Willy Tarreau)
- sparc64-membar-extra-semi-colons-1                             (Willy Tarreau)

  This was my quick build fix. Now David has sent the clean stuff.

+ sparc-smb_macros-extra-semicolons-1                          (David S. Miller)

  [SPARC]: Fix bogus trailing semicolon in smb_*() macros.
  Backported from 2.6.x

+ sparc-nop-extra-semicolons-1                                 (David S. Miller)

  [SPARC]: nop() macro has bogus trailing semicolon 
  Noticed by Bob Breuer.

+ sparc64-membar-extra-semicolons-2                            (David S. Miller)

  [SPARC64]: Fix trailing semicolon in membar macros.
 
