++ Hot Fix 32.5 for Linux Kernel 2.4.31 - 2006/05/25 ++

Willy Tarreau - EXOSEC < wtarreau at exosec.net >

Please read the "README" file first. Then, simply run "make" in the
directory containing this file to rebuild the patches referenced in
this file.

1) Security fixes
=================

+ 2.4.31-sparc64-solaris-emu-check-cmsg-len-1 (David S. Miller)

    [SPARC64]: Fix cmsg length checks in Solaris emulation layer.

+ 2.4.31-x86_64-ia64-32bit-execve-overflow-1 (Andi Kleen)

    [PATCH] Fix buffer overflow in x86-64/ia64 32bit execve

    Fix buffer overflow in x86-64/ia64 32bit execve. Originally noted by
    Ilja van Sprundel. I fixed it for both x86-64 and IA64. Other
    architectures are not affected.

+ 2.4.31-x86_64-ptrace-check-canonical-addr-1 (Andi Kleen)

    [PATCH] Check for canonical addresses in ptrace

    Check for canonical addresses in ptrace. This works around an AMD
    bug that allows hanging the CPU by passing illegal addresses.

+ 2.4.31-x86_64-fix-ptrace-check-for-seg-regs-1 (Andi Kleen)

    [PATCH] Fix canonical checking for segment registers in ptrace

    Fix canonical checking for segment registers in ptrace. This avoids
    a local DoS where a process could oops the kernel by passing bogus
    values to ptrace. Some versions of UML did this. Found by Alexander
    Nyberg.

+ 2.4.31-x86_64-disable-exception-stack-1 (Andi Kleen)

    [PATCH] x86_64: Disable exception stack for stack faults

    Just drop the exception stack for stack segment faults. This will
    make some oopses triple fault now, but that's better than allowing
    user-triggerable oopses.

    Found by Red Hat QA using crashme.

+ 2.4.31-null-deref-cyclades-1 (Julien Tinnes)

    Fix two potential NULL dereferences in drivers/char/cyclades.c

+ 2.4.31-null-deref-esp-1 (Julien Tinnes)

    Fix two potential NULL dereferences in drivers/char/esp.c

+ 2.4.31-null-deref-isicom-1 (Julien Tinnes)

    Fix two potential NULL dereferences in drivers/char/isicom.c

+ 2.4.31-null-deref-mxser-1 (Julien Tinnes)

    Fix two potential NULL dereferences in drivers/char/mxser.c

+ 2.4.31-null-deref-riscom8-1 (Julien Tinnes)

    Fix two potential NULL dereferences in drivers/char/riscom8.c

+ 2.4.31-null-deref-specialix-1 (Julien Tinnes)

    Fix two potential NULL dereferences in drivers/char/specialix.c

+ 2.4.31-zlib-security-bugs-2 (Tim Yamin, Sergey Vlasov)

    Fix outstanding security bugs in the Linux zlib implementations.
    See:
      a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
      b) http://bugs.gentoo.org/show_bug.cgi?id=94584

    The gzip description is as good as the ChangeLog says it is:
    "Set n to length of v, to detect improper tables" and "Don't
    accidentally grow j past z". The return 2 instead of the return 0
    is so that we actually error out if we also get improper tables.

+ 2.4.31-zisofs-check-deflatebound-1 (Linus Torvalds)

    [PATCH] Fix outstanding gzip/zlib security issues

    Add fakey 'deflateBound()' function to the in-kernel zlib routines.
    It's not the real deflateBound() in newer zlib libraries, partly
    because the upcoming usage of it won't have the "stream" available,
    so we can't have the same interfaces anyway. Problem noted by Tim
    Yamin.

+ 2.4.31-fix-can-2005-0204-1 (Suresh Siddha / Horms)

    [CAN-2005-0204]: AMD64, allows local users to write to privileged IO
    ports via OUTS instruction. Added definition of IO_BITMAP_BYTES.

+ 2.4.31-routing_ioctl-lost-sockfd_put-1 (Kirill Korotaev)

    This patch adds a lost sockfd_put() in the 32bit compat
    routing_ioctl() on 64bit platforms. I believe this is a security
    issue, since a user can fget() a file as many times as he wants to.
    The oops can be done under files_lock and others, so this can be an
    exploitable DoS on SMP. Didn't check it in practice, actually.

+ 2.4.31-x86_64-lost-fput-32bit-ioctl-1 (Kirill Korotaev)

    This patch adds a lost fput in the 32bit tiocgdev ioctl on x86-64.
    I believe this is a security issue, since a user can fget() a file
    as many times as he wants to. The oops can be done under files_lock
    and others, so this is a really exploitable DoS on SMP. Didn't
    check it in practice, actually.

+ 2.4.31-loadkeys-requires-root-1 (Andrew Morton)

    [PATCH] loadkeys requires root privileges

+ 2.4.32-backport-of-CVE-2005-2709-fix-1 (dann frazier)

    I've backported the fix for CVE-2005-2709 to 2.4 for Debian's 2.4
    sarge kernel. sysctl.c in Linux kernel before 2.6.14.1 allows local
    users to cause a denial of service (kernel oops) and possibly
    execute code by opening an interface file in
    /proc/sys/net/ipv4/conf/, waiting until the interface is
    unregistered, then obtaining and modifying function pointers in
    memory that was used for the ctl_table.

+ 2.4.32-ipv6-fix-refcnt-of-struct-ip6_flowlabel-1 (Yan Zheng)

    This looks like another potential "local DoS" since this is in
    setsockopt(IPV6_FLOWLABEL_MGR). Users can cause a flow label to be
    kfree()d without removing it from the socket, and then overwrite
    its contents. This can trigger random kernel memory corruption.

+ 2.4.32-fix-sendmsg-overflow-CVE-2005-2490-1 (Marcus Meissner)

    Al Viro reported a flaw in sendmsg(). "When we copy 32bit
    ->msg_control contents to kernel, we walk the same userland data
    twice without sanity checks on the second pass. Moreover, if
    original looks small enough, we end up copying to on-stack array."
    - CVE-2005-2490.

+ 2.4.32-vfs-local-denial-of-service-file-lease-1 (Horms)

    [PATCH] VFS: local denial-of-service with file leases
    (CVE-2005-3857)

    Remove the time_out_leases() printk that's easily triggered by
    users.
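The sendmsg() entry above describes a double fetch: the control buffer is sized from the user's cmsg_len fields on a first pass, then walked a second time trusting whatever user space has written there in the meantime, and a total that "looks small enough" lands in an on-stack array. The following is an added user-space illustration of that pattern, not kernel code and not the patch; struct cmsg32, KCTL_MAX and the race hook are assumptions of the model. The vulnerable function reports how many bytes its second pass would have written past the buffer sized by its first pass, and the fixed function copies the control area exactly once and validates only that private copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of one 32-bit control message as the compat sendmsg() path
 * walks it: cmsg_len covers this header plus the payload after it. */
struct cmsg32 {
    uint32_t cmsg_len;
    int32_t  cmsg_level;
    int32_t  cmsg_type;
};
#define CMSG32_HDRLEN ((uint32_t)sizeof(struct cmsg32))
#define KCTL_MAX      4096   /* assumed cap on msg_controllen (not a kernel constant) */

/* Stand-in for a second thread rewriting the user buffer between the
 * kernel's two reads of it. */
typedef void (*race_fn)(uint8_t *user_ctl, size_t user_len);

/* Vulnerable shape: pass 1 sizes the kernel buffer from the user's
 * cmsg_len fields; pass 2 fetches the same fields again and copies with
 * whatever it now finds. Returns how many bytes pass 2 would write past
 * the buffer sized by pass 1 (0 = no overflow). The model only counts
 * bytes instead of writing them, so it cannot corrupt memory itself. */
static size_t ctl_double_fetch(uint8_t *user_ctl, size_t user_len, race_fn race)
{
    struct cmsg32 h;
    size_t off, kbuf_len = 0, copied = 0;

    for (off = 0; off + CMSG32_HDRLEN <= user_len; off += h.cmsg_len) {
        memcpy(&h, user_ctl + off, CMSG32_HDRLEN);           /* get_user() #1 */
        if (h.cmsg_len < CMSG32_HDRLEN || h.cmsg_len > user_len - off)
            return 0;                                         /* -EINVAL */
        kbuf_len += h.cmsg_len;      /* a small total goes to an on-stack array */
    }
    if (race)
        race(user_ctl, user_len);    /* user memory changes under us */

    for (off = 0; off + CMSG32_HDRLEN <= user_len; off += h.cmsg_len) {
        memcpy(&h, user_ctl + off, CMSG32_HDRLEN);           /* get_user() #2, unchecked */
        if (h.cmsg_len < CMSG32_HDRLEN)
            break;                   /* only here to keep the model finite */
        copied += h.cmsg_len;        /* real code: memcpy() into the kbuf_len buffer */
    }
    return copied > kbuf_len ? copied - kbuf_len : 0;
}

/* Fixed shape: copy the whole control area into kernel memory once, then
 * validate and consume only that copy. Returns the total control length,
 * or -1 for a malformed buffer. */
static long ctl_single_fetch(uint8_t *user_ctl, size_t user_len, race_fn race)
{
    uint8_t kctl[KCTL_MAX];
    struct cmsg32 h;
    size_t off, total = 0;

    if (user_len > sizeof kctl)
        return -1;
    memcpy(kctl, user_ctl, user_len);  /* copy_from_user(), exactly once */
    if (race)
        race(user_ctl, user_len);      /* too late: user memory is never read again */

    for (off = 0; off + CMSG32_HDRLEN <= user_len; off += h.cmsg_len) {
        memcpy(&h, kctl + off, CMSG32_HDRLEN);
        if (h.cmsg_len < CMSG32_HDRLEN || h.cmsg_len > user_len - off)
            return -1;
        total += h.cmsg_len;
    }
    return (long)total;
}

/* Constructed sample: two 16-byte control messages (12-byte header plus
 * 4 bytes of payload each), 32 bytes in total. */
static uint8_t sample_ctl[32];

static void build_sample(void)
{
    struct cmsg32 a = { 16, 0, 1 }, b = { 16, 0, 2 };
    memset(sample_ctl, 0, sizeof sample_ctl);
    memcpy(sample_ctl, &a, CMSG32_HDRLEN);
    memcpy(sample_ctl + 16, &b, CMSG32_HDRLEN);
}

/* The racing thread: once pass 1 has accepted 16, claim 4096 bytes. */
static void grow_first_cmsg(uint8_t *user_ctl, size_t user_len)
{
    uint32_t big = 4096;
    (void)user_len;
    memcpy(user_ctl, &big, sizeof big);
}

size_t demo_double_fetch_overflow(void)
{
    build_sample();
    return ctl_double_fetch(sample_ctl, sizeof sample_ctl, grow_first_cmsg);
}

size_t demo_double_fetch_no_race(void)
{
    build_sample();
    return ctl_double_fetch(sample_ctl, sizeof sample_ctl, NULL);
}

long demo_single_fetch_raced(void)
{
    build_sample();
    return ctl_single_fetch(sample_ctl, sizeof sample_ctl, grow_first_cmsg);
}

long demo_single_fetch_rejects(void)
{
    build_sample();
    grow_first_cmsg(sample_ctl, sizeof sample_ctl);   /* bad before the call: rejected */
    return ctl_single_fetch(sample_ctl, sizeof sample_ctl, NULL);
}

int main(void)
{
    printf("double fetch, raced: %zu bytes past the buffer\n", demo_double_fetch_overflow());
    printf("single fetch, raced: total %ld; pre-corrupted: %ld\n",
           demo_single_fetch_raced(), demo_single_fetch_rejects());
    return 0;
}
```

The second pass in the vulnerable shape has no check at all because the first pass already "validated" the data; that is exactly the assumption a racing writer breaks. Reading user memory once and then working on the kernel copy removes the window rather than narrowing it.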
+ 2.4.32-x86-64-user-code-panics-kernel-CVE-2005-2708-1 (Dave Anderson)

    There seems to be a local DoS in exec on AMD64 / linux 2.4 when the
    system is under memory pressure.
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161925

+ 2.4.32-IGMP-workaround-for-IGMP-v1-v2-bug-1 (David Stevens)

    As explained at http://www.cs.ucsb.edu/~krishna/igmp_dos/

    With IGMP version 1 and 2 it is possible to inject a unicast report
    to a client which will make it ignore multicast reports sent later
    by the router. The fix is to only accept the report if it was sent
    to a multicast or unicast address.

+ 2.4.32-ipv6-mcast-igmp-dos-fix-1 (David S. Miller)

    Same issue as IPv4, don't listen to non-broadcast non-multicast
    reports.

+ 2.4.32-wan-sdla-fix-probable-security-hole-1 (Horms)

    [PATCH] wan sdla: fix probable security hole

    Quoting Chris Wright:
    "Hrm, I believe you could use this to read 128k of kernel memory.
    sdla_read() takes len as a short, whereas mem.len is an int. So, if
    mem.len == 0x20000, the allocation could still succeed. When cast
    to short, len will be 0x0, causing the read loop to copy nothing
    into the buffer. At least it's protected by a capable() check. I
    don't know what the proper upper bound is for this hardware, or how
    much it's used/cared about. A simple memset() is a trivial fix."

    This seems to be applicable to 2.4.

+ 2.4.32-CAN-2004-1058-proc_pid_cmdline-race-fix-1 (dann frazier)

    The following patch fixes a race condition that allows local users
    to view the environment variables of another process. Taken from
    Red Hat's kernel-2.4.21-27.0.4.EL.src.rpm.

+ 2.4.32-orinoco-cve-2005-3180-information-leakage-1 (horms)

    Fix for CVE-2005-3180 by Alan Cox, back-ported by Horms. Fixes an
    etherleak bug in the orinoco driver. As yet untested.

+ 2.4.32-x86_64-check-for-bad-elf-entry-address-1 (andi kleen)

    Fixes a local DoS on Intel systems that leads to an endless
    recursive fault. AMD machines don't seem to be affected. Actually
    based on a 2.6 patch by Suresh Siddha, but the 2.4 implementation
    is somewhat different.

+ 2.4.32-information-leak-in-SO_ORIGINAL_DST-and-getname-1 (pavel kankovsky)

    It appears sockaddr_in.sin_zero is not zeroed during certain
    operations returning IPv4 socket names:
    getsockopt(...SO_ORIGINAL_DST...), getsockname() and getpeername().

+ 2.4.32-CVE-2006-0741-always-check-that-rips-are-canonical-1 (Andi Kleen)

    This works around a problem in handling non-canonical RIPs on
    SYSRET on Intel CPUs. They report the #GP on the SYSRET, not on the
    next instruction as Linux expects. With these changes this path
    should never see a non-canonical user RIP. This is CVE-2006-0741.
    Roughly based on a patch by Ernie Petrides, but redone by AK.

+ 2.4.32-CVE-2006-1524-fix-shm-mprotect-1 (Hugh Dickins)

    shmat: stop mprotect from giving write permission to a readonly
    attachment.

+ 2.4.32-CVE-2006-1056-i386-x86_64-x87-information-leak-1 (Andi Kleen)

    AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in
    FXSAVE when an exception is pending. This means the values leak
    through context switches and allow processes to observe some x87
    instruction state of other processes. This is CVE-2006-1056. The
    problem was discovered originally by Jan Beulich. Richard Brunner
    provided the basic code for the workarounds with contributions from
    Jan.

+ 2.4.32-via-rhine-zero-pad-short-packets-1 (Craig Brind)

    Fixes Rhine I cards disclosing fragments of previously transmitted
    frames in new transmissions. Before transmission, any socket buffer
    (skb) shorter than the ethernet minimum length of 60 bytes was
    zero-padded. On Rhine I cards the data can later be copied into an
    aligned transmission buffer without copying this padding. This
    resulted in the transmission of the frame with the extra bytes
    beyond the provided content leaking the previous contents of this
    buffer on to the network. Now zero-padding is repeated in the local
    aligned buffer if one is used.
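Three of the entries above are one class of bug: kernel memory reaches user space or the wire without ever having been written (the sdla read loop copies nothing into a 128k buffer, sin_zero is returned as found, the Rhine I aligned buffer is not re-padded). The following is an added user-space model of the sdla case only; it is not the driver's code, and DEV_WINDOW, STALE and the kmalloc_recycled() stand-in are assumptions. It shows the int-to-short truncation turning the copy loop into a no-op while copy_to_user() still uses the full length, and beside it the memset() the entry calls trivial plus a bound on the length.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEV_WINDOW 0x2000   /* assumed size of the card's memory window (not the driver's value) */
#define STALE      0xAA     /* marks bytes left behind by the previous user of a kmalloc()ed block */

struct sdla_mem { int addr; int len; };    /* int len, as in the ioctl argument */

static uint8_t device_window[DEV_WINDOW];
static uint8_t user_buf[0x20000];           /* the caller's 128 KiB destination */

/* Card memory holds values 0x00..0x3f only, so a STALE byte can never come from it. */
static void init_device(void)
{
    for (size_t i = 0; i < DEV_WINDOW; i++)
        device_window[i] = (uint8_t)(i & 0x3f);
}

/* kmalloc() returns memory that still holds whatever used it last. */
static uint8_t *kmalloc_recycled(size_t n)
{
    uint8_t *p = malloc(n);
    if (p)
        memset(p, STALE, n);
    return p;
}

/* The device copy loop; the vulnerable caller hands it a short. */
static void sdla_read(uint8_t *buf, int addr, int len)
{
    for (int i = 0; i < len; i++)
        buf[i] = device_window[(size_t)(addr + i) % DEV_WINDOW];
}

/* Vulnerable: allocation and copy to user space use the int length, the
 * device read sees it truncated to short. Returns bytes handed to user space. */
static long sdla_ioctl_read_vuln(const struct sdla_mem *mem)
{
    uint8_t *buf;
    if (mem->len < 0 || (size_t)mem->len > sizeof user_buf)
        return -EINVAL;
    buf = kmalloc_recycled((size_t)mem->len);            /* kmalloc(0x20000) succeeds */
    if (!buf)
        return -ENOMEM;
    sdla_read(buf, mem->addr, (short)mem->len);          /* 0x20000 becomes 0 on two's complement targets */
    memcpy(user_buf, buf, (size_t)mem->len);             /* copy_to_user() with the full length */
    free(buf);
    return mem->len;
}

/* Fixed: bound the length to the window, zero the buffer before the device
 * read, and keep the length at one width everywhere. */
static long sdla_ioctl_read_fixed(const struct sdla_mem *mem)
{
    uint8_t *buf;
    if (mem->len < 0 || mem->len > DEV_WINDOW)           /* assumed upper bound */
        return -EINVAL;
    buf = kmalloc_recycled((size_t)mem->len);
    if (!buf)
        return -ENOMEM;
    memset(buf, 0, (size_t)mem->len);                    /* no stale byte can survive this */
    sdla_read(buf, mem->addr, mem->len);
    memcpy(user_buf, buf, (size_t)mem->len);
    free(buf);
    return mem->len;
}

static size_t count_stale(size_t n)
{
    size_t stale = 0;
    for (size_t i = 0; i < n; i++)
        stale += (user_buf[i] == STALE);
    return stale;
}

/* Stale kernel bytes handed to user space by the vulnerable path. */
size_t stale_bytes_vuln(int len)
{
    struct sdla_mem m = { 0, len };
    init_device();
    long n = sdla_ioctl_read_vuln(&m);
    return n < 0 ? 0 : count_stale((size_t)n);
}

long fixed_result(int len)                 /* byte count, or -errno */
{
    struct sdla_mem m = { 0, len };
    init_device();
    return sdla_ioctl_read_fixed(&m);
}

size_t stale_bytes_fixed(int len)
{
    long n = fixed_result(len);
    return n < 0 ? 0 : count_stale((size_t)n);
}

int main(void)
{
    printf("len 0x20000: %zu stale bytes leaked\n", stale_bytes_vuln(0x20000));
    printf("len 0x10010: %zu stale bytes after 16 real ones\n", stale_bytes_vuln(0x10010));
    printf("fixed: len 0x20000 -> %ld, len 0x1000 -> %zu stale\n",
           fixed_result(0x20000), stale_bytes_fixed(0x1000));
    return 0;
}
```

A request of 0x10010 shows the partial case: the low 16 bits survive the cast, 16 device bytes are copied and the remaining 64 KiB are whatever the allocator had lying around. The memset() alone closes the disclosure; the bound is what stops the user from choosing an allocation size the hardware cannot fill.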
+ 2.4.32-CVE-2006-1864-smbfs-escape-chroot-1 (Olaf Kirch)

    Initial work and description from Olaf Kirch for kernel 2.6:

    Mark Moseley reported that a chroot environment on a SMB share can
    be left via "cd ..\". Similar to the CVE-2006-1863 issue with cifs,
    this fix is for smbfs (CVE-2006-1864).

    Steven French wrote: Looks fine to me. This should catch the slash
    on lookup or equivalent, which will be all obvious paths of
    interest.

    Back-ported from 2.6 to 2.4 by Willy Tarreau.

+ 2.4.32-CVE-2006-2444-netfilter-snmp-nat-mem-corruption-1 (Patrick McHardy)

    CVE-2006-2444 - Potential remote DoS in SNMP NAT helper.

    Fix memory corruption caused by snmp_trap_decode, which may free
    random memory when snmp_trap_decode fails. The corruption can be
    triggered remotely when the ip_nat_snmp_basic module is loaded and
    traffic on port 161 or 162 is NATed.

2) Critical fixes
=================

+ 2.4.31-bluetooth-hci_usb-race-hangs-kernel-1 (Marcel Holtmann)

    [PATCH] Fix introduced in 2.4.27pre2 for bluetooth hci_usb race
    causes kernel hang.

    > I have noticed a problem with a race condition fix introduced in
    > 2.4.27-pre2 that causes the kernel to hang when disconnecting a
    > Bluetooth USB dongle or doing 'hciconfig hci0 down'. No message
    > is printed, the kernel just doesn't respond anymore.

    If this works then we should do the same change in the bfusb
    driver. A patch that fixes both drivers is attached.

+ 2.4.31-ia64-page_no_present-fault-1 (Kiyoshi Ueda)

    [PATCH] IA64: page_not_present fault in region 5 is normal

    Without this patch, the exception handler can be unexpectedly
    invoked for a page-not-present fault in region 5 and cause a panic
    etc.

+ 2.4.32-e1000-do-not-call-msec_delay-in-irq-context-1 (jesse brandeburg)

    There are some functions that are called in irq context that need
    to use msec_delay_irq instead to avoid a BUG.

3) Major bug fixes
==================

+ 2.4.30-serial-null-dereference-1.diff (Julien Tinnes)

    Potential null pointer dereference in serial driver.
+ 2.4.31-ip_vs_conn_tab-race-1 (Neil Horman)

    [IPVS]: Close race conditions on ip_vs_conn_tab list modification.

    In an SMP system, it is possible for a connection timer to expire,
    calling ip_vs_conn_expire while the connection table is being
    flushed, before ct_write_lock_bh is acquired. (...) The result is
    that the next pointer gets set to NULL, and subsequently
    dereferenced, resulting in an oops.

+ 2.4.31-nat-fix-memory-corruption-1 (Patrick McHardy)

    [NETFILTER]: Fix potential memory corruption in NAT code (aka
    memory NAT)

+ 2.4.31-size_buffers_type-overflow-1 (Andrea Arcangeli)

    [PATCH] Andrea Arcangeli: avoid size_buffers_type overflow

    The size_buffers_type array, which is an unsigned long, can
    overflow on 32-bits: it's perfectly possible for PAE machines to
    have more than 4Gb of data mapped by buffer_heads at the same time.
    Avoid that by accounting 1/512 of the real size (size >> 9).

+ 2.4.31-possible-mem-ordering-bug-1 (Nick Piggin)

    [PATCH] possible memory ordering bug in page reclaim

    Is there anything that prevents PageDirty from theoretically being
    speculatively loaded before page_count here? (see patch) It would
    result in pagecache corruption.

+ 2.4.32-rc2-ip_vs_conn_expire_now-fix_refcnt-dec-1 (Julian Anastasov)

    Quoting Roberto Nibali:

    It is absolutely needed. Without it, people will really experience
    a long term problem with hanging templates in IPVS, manifesting
    itself depending on time and hardware configuration.

    It seems we forgot to fix one place where ip_vs_conn_expire_now is
    used. Callers should hold the write lock or cp->refcnt (and not
    forget it). This results in hanging template entries when
    expire_nodest_conn is kicking in and trying to remove all
    connection entries for a specific destination. Julian Anastasov
    created a patch to fix this and asked me to forward it for
    inclusion, after test and verification, which have happened in the
    last 24 hours.
+ 2.4.31-sd_mod-memory-leak-1 (Dan Aloni)

    [PATCH] fix memory leak in sd_mod.o

    Handle freeing of sd_max_sectors in sd_exit().

+ 2.4.31-udp_v6_get_port-infinite-loop-1 (YOSHIFUJI Hideaki)

    [IPV6]: Fix infinite loop in udp_v6_get_port()

    This is CVE-2005-2973, and 87bf9c97b4b3af8dec7b2b79cdfe7bfc0a0a03b2
    in Linus' 2.6 Git tree. It seems to be relevant to 2.4.

+ 2.4.32-airo_cs-prototypes-1 (Adrian Bunk)

    If you got strange problems with either airo_cs devices or in any
    other completely unrelated part of the kernel shortly or long after
    an airo_cs device was detected by the kernel, this might have been
    caused by the fact that caller and callee disagreed regarding the
    size of the first argument to init_airo_card()...

+ 2.4.32-dont-panic-on-ide-dma-errors-1 (Chris Ross)

    Kernel 2.4.32 and earlier can panic when trying to read a corrupted
    sector from an IDE disk. The function ide_dma_timeout_retry can end
    a request early by calling idedisk_error, but then goes on to use
    the request anyway, causing a kernel panic due to a null pointer
    exception.

+ 2.4.32-data-corruption-in-smb_proc_setattr_unix-1 (Maciej W. Rozycki)

    This patch fixes a data corruption in smb_proc_setattr_unix().
    smb_filetype_from_mode() returns a u32, and there are only four
    bytes reserved for it in data.

+ 2.4.32-bond_alb-hash-table-corruption-1 (ODonnell, Michael)

    Our systems have been crashing during testing of PCI HotPlug
    support in the various networking components. We've faulted in the
    bonding driver due to a bug in bond_alb.c:tlb_clear_slave(). In
    that routine, the last modification to the TLB hash table is made
    without protection of the lock, allowing a race that can lead
    tlb_choose_channel() to select an invalid table element.

+ 2.4.32-fix-overflow-in-inode-1 (Rik van Riel)

    The following patch fixes an overflow in inode.c. This overflow can
    cause a system to stop reclaiming inodes, with a large amount of
    memory and zillions of inodes. This has caused systems to run out
    of low memory in real world situations. Thanks go out to Larry
    Woodman, as well as the unnamed customer who first tracked this
    problem down.

+ 2.4.32-netfilter-ipt_recent-memleak-1 (Jesper Juhl)

    The Coverity checker spotted that we may leak 'hold' in
    net/ipv4/netfilter/ipt_recent.c::checkentry() when the following
    is true:

        if (!curr_table->status_proc) {
            ...
            if(!curr_table) {
                ...
                return 0;        <-- here we leak.

    Simply moving an existing vfree(hold); up a bit avoids the possible
    leak.

+ 2.4.32-memleak-on-corrupted-ext3-journal-1 (Theodore Ts'o)

    Fix memory leak when ext3's journal file is corrupted.

+ 2.4.32-avoid-panic-on-corrupted-ext3-journal-1 (Willy Tarreau)

    Backport from 2.6 of a patch from Andrew Morton: Don't panic if
    the journal superblock is wrecked, just fail the mount.

4) Minor bug fixes
==================

+ 2.4.31-inode-cache-smp-races-1 (Larry Woodman)

    [PATCH] workaround inode cache (prune_icache/__refile_inode) SMP
    races.

    Over the past couple of weeks we have seen two races in the inode
    cache code. The first is between [dispose_list()] and
    __refile_inode() and the second is between prune_icache() and
    truncate_inodes(). Fixes bug 155289.

+ 2.4.31-netlink-socket-hashing-bugs-2 (David S. Miller)

    [NETLINK]: Fix two socket hashing bugs.

    netlink_release() should only decrement the hash entry count if
    the socket was actually hashed. netlink_autobind() needs to
    propagate the error return from netlink_insert(). Otherwise,
    callers will not see the error as they should and thus try to
    operate on a socket with a zero pid, which is very bad. Thanks to
    Jakub Jelinek for providing backtraces, and Herbert Xu for
    debugging patches to help track this down.

+ 2.4.31-sparc64-sys32_utimes-random-timestamps-1 (Jakub Bogusz)

    [SPARC64]: fix sys32_utimes(somefile, NULL)

    This patch fixes utimes(somefile, NULL) syscalls on sparc64 kernel
    with 32-bit userland - use of an uninitialized value resulted in
    random timestamps, which confused e.g. sudo. It has already been
    fixed (by davem) in the linux-2.6 tree 30 months ago.

+ 2.4.31-isofs-option-parse-fix-1 (Horms + Andrey J.Melnikoff)

    Fix isofs option parser. If iocharset, map or session are matched,
    then none of the if or else if clauses under sbsector will match
    (that is, none of these clauses match iocharset, map or session),
    and thus the else clause will be hit, and the function will return
    1 without parsing any further options. Also fix gcc-3.4 warnings.

+ 2.4.31-netfilter-tcp-unclean-1.diff (Patrick McHardy)

    [NETFILTER]: Ignore PSH on SYN/ACK in ipt_unclean

+ 2.4.31-redblacktree-missing-returns-1 (deep-blue@t-online.de)

    [PATCH] fix RedBlackTree rb_next/rb_prev functions.

    I have found a bug in the source of the rbtree.c file in /lib. In
    Kernel 2.6 it's ok, but 2.4.31 has this error. We try to use it
    with the jffs2 source code and only with this fix does it work
    fine.

+ 2.4.31-incorrect-fp-signal-delivery-1 (Chuck Ebbert)

    [PATCH] i386: fix incorrect FP signal delivery

    i386 floating-point exception handling has a bug that can cause
    error code 0 to be sent instead of the proper code during signal
    delivery.

+ 2.4.31-ipv4-peers-negative-timer-1 (Dave Johnson)

    [IPV4]: Fix negative timer loop with lots of ipv4 peers.

    peer_check_expire() in net/ipv4/inetpeer.c isn't using
    inet_peer_gc_mintime correctly and will end up creating an expire
    timer with less than the minimum duration, and even zero/negative
    if enough active peers are present. If >65K peers, the timer will
    be less than inet_peer_gc_mintime, and with >70K peers, the timer
    duration will reach zero and go negative.

+ 2.4.31-ipv6-route-events-with-wrong-netlink-pid-1 (Hasso Tepper)

    [IPV6]: Route events reported with wrong netlink PID and seq number

    Attached is a backport of a patch from jamal already in the 2.6
    kernel - It would be very nice to see it in the 2.4 kernel as
    well, as I keep receiving reports from users that "Quagga IPv6 is
    broken with 2.4 kernel".
+ 2.4.31-nat-module-load-race-1 (Patrick McHardy)

    [NETFILTER]: Handle NAT module load race

    When the NAT module is loaded when connections are already
    confirmed it must not change their tuples anymore. This is
    especially important with CONFIG_NETFILTER_DEBUG: the netfilter
    listhelp functions will refuse to remove an entry from a list when
    it can not be found on the list, so when a changed tuple hashes to
    a new bucket the entry is kept in the list until and after the
    conntrack is freed. Allocate the exact conntrack tuple for NAT for
    already confirmed connections or drop them if that fails.

+ 2.4.31-sparc64-do_netfilter_replace-use-vmalloc-1 (Gustavo Zacarias)

    [SPARC64]: Use vmalloc() in do_netfilter_replace()

    Otherwise the number of rules one can upload into the kernel is
    severely limited.

+ 2.4.31-nfs-client-long-symlinks-1 (Assar Westerlund)

    [PATCH] nfs client: handle long symlinks properly.

    In 2.4.31, the v2/3 nfs readlink accepts too long symlinks. I have
    tested this by having a server return long symlinks.

+ 2.4.31-ax25-signed-char-bug-1 (Ralf Baechle)

    [PATCH] AX.25: signed char bug

    On architectures where the char type defaults to unsigned, some of
    the arithmetic in the AX.25 stack fails, resulting in some packets
    being dropped on receive. Credits for tracking this down and the
    original patch go to Bob Brose N0QBJ.

+ 2.4.31-fix-jiffies-multiply-overflow-2 (Willy Tarreau)

    The checks for multiply overflow in msecs_to_jiffies() are wrong
    and limit the maximum time to very low values because the check
    itself can overflow. Those functions are not much used but
    select() and poll() would benefit from them by eliminating divides
    and multiplies in most situations.

+ 2.4.31-ip_vs_ftp-persistence-breaks-connections-1 (Julian Anastasov)

    [IPVS]: ip_vs_ftp breaks connections using persistence

    ip_vs_ftp when loaded can create NAT connections with unknown
    client port for passive FTP. For such expectations we lookup with
    cport=0 on incoming packets, but it matches the format of the
    persistence templates, causing packets to other persistent virtual
    servers to be forwarded to the real server without creating a
    connection. Later the reply packets are treated as foreign and not
    SNAT-ed. This patch changes the connection lookup for packets from
    clients:

+ 2.4.31-ipvs-invalidate-persistent-templates-1 (Julian Anastasov)

    [IPVS]: really invalidate persistent templates

    Agostino di Salle noticed that persistent templates are not
    invalidated due to a buggy optimization.

+ 2.4.31-mcast-exclude-typos-1 (Denis Lukianov)

    [MCAST]: Fix MCAST_EXCLUDE line dupes

    pmc->sfcount[MCAST_EXCLUDE] got initialized twice and
    [MCAST_INCLUDE] did not get initialized.

+ 2.4.31-tcp_clamp_window-fix-1 (Alexey Kuznetsov)

    [TCP]: Don't over-clamp window in tcp_clamp_window()

    Handle better the case where the sender sends full sized frames
    initially, then moves to a mode where it trickles out small
    amounts of data at a time. This known problem is even mentioned in
    the comments above tcp_grow_window() in tcp_input.c. Fix confirmed
    by Ion Badulescu.

+ 2.4.32-rc2-mcast-filter-1 (Willy Tarreau)

    [PATCH-2.4][MCAST] IPv6: small fix for ip6_mc_msfilter(...)

    Multicast source filters aren't widely used yet, and that's really
    the only feature that's affected if an application actually
    exercises this bug, as far as I can tell. An ordinary filter-less
    multicast join should still work, and only forwarded multicast
    traffic making use of filters and doing empty-source filters with
    the MSFILTER ioctl would be at risk of not getting multicast
    traffic forwarded to them because the reports generated would not
    be based on the correct counts. Initial 2.6 patch by Yan Zheng,
    bug explanation by David Stevens, patch ACKed by David.
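The msecs_to_jiffies() entry above says the overflow guard was wrong because the check itself could overflow. The following added example is not the 2.4 code (whose exact check is not reproduced here); HZ and the 32-bit model are assumptions. It contrasts a guard evaluated on the already-multiplied value, which a wrapped product can slip past, with one evaluated by division before multiplying, which saturates instead.

```c
#include <stdint.h>
#include <stdio.h>

#define HZ 100u                                    /* assumed: the 2.4 x86 default tick rate */
#define MAX_JIFFY_OFFSET ((UINT32_MAX >> 1) - 1)   /* the kernel's (~0UL >> 1) - 1 in a 32-bit model */

/* Guard placed after the multiply: by the time it runs the product has
 * already wrapped modulo 2^32, and a wrapped value can still compare as
 * "not smaller than m", so the overflow goes unnoticed and a far too small
 * timeout is returned. Illustrative shape only. */
uint32_t msecs_to_jiffies_wrapping_guard(uint32_t m)
{
    uint32_t prod = m * HZ;          /* wraps for m > UINT32_MAX / HZ */
    if (prod < m)                    /* catches only some of the wrapped values */
        return MAX_JIFFY_OFFSET;
    return (prod + 999u) / 1000u;
}

/* Guard computed by division before the multiply: nothing here can wrap,
 * and inputs that would overflow or exceed the jiffies range saturate. */
uint32_t msecs_to_jiffies_safe(uint32_t m)
{
    uint32_t j;
    if (m > (UINT32_MAX - 999u) / HZ)   /* m * HZ + 999 would not fit */
        return MAX_JIFFY_OFFSET;
    j = (m * HZ + 999u) / 1000u;
    return j > MAX_JIFFY_OFFSET ? MAX_JIFFY_OFFSET : j;
}

int main(void)
{
    uint32_t ms[] = { 50000u, 50000000u };        /* 50 s and about 13.9 h */
    for (unsigned i = 0; i < 2; i++)
        printf("%u ms -> wrapping guard: %u jiffies, safe: %u jiffies\n",
               ms[i], msecs_to_jiffies_wrapping_guard(ms[i]), msecs_to_jiffies_safe(ms[i]));
    return 0;
}
```

At HZ=100 a 50,000,000 ms request should be 5,000,000 jiffies; the wrapped product 705,032,704 is larger than m, so the first guard accepts it and returns 705,033 jiffies, a timeout about seven times too short. Dividing first is the only shape of this check that cannot itself overflow.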
+ 2.4.31-tcp-clear-stale-pred_flags-snd_wnd-change-1 (Herbert Xu)

    [PATCH] Clear stale pred_flags when snd_wnd changes

    This bug is responsible for causing the infamous "Treason
    uncloaked" messages that have been popping up everywhere since the
    printk was added. In the case of the treason messages, it just
    happens that the snd_wnd cached in pred_flags is zero while
    tp->snd_wnd is non-zero. Therefore when a zero-window packet comes
    in we incorrectly conclude that the window is non-zero.

+ 2.4.31-only-disallow-setting-function-key-1 (Marcelo Tosatti)

    [PATCH] only disallow _setting_ of function key string

    Mikael Pettersson noted that the current 2.6-git (and 2.4) patch to
    disallow KDSKBSENT for unprivileged users should be less
    restrictive, allowing reading of the current function key string
    entry, but not writing.

+ 2.4.32-fix-for-clock-running-too-fast-1 (Akira Tsukamoto)

    This one line patch adds upper bound testing inside
    timer_irq_works() when evaluating whether the irq timer works or
    not on boot up. It fixes machines having problems with the clock
    running too fast. What this patch does is: if timer interrupts are
    running too fast through the IO-APIC IRQ, then fall back to the
    i8259A IRQ.

+ 2.4.32-fix-ptrace-self-attach-rule-1 (Linus Torvalds)

    [PATCH] Fix ptrace self-attach rule

    Before we did CLONE_THREAD, the way to check whether we were
    attaching to ourselves was to just check "current == task", but
    with CLONE_THREAD we should check that the thread group ID matches
    instead.

+ 2.4.32-dcache-avoid-race-nr_unused-dentries-1 (Neil Brown)

    [PATCH] fs/dcache.c: avoid race when updating nr_unused count of
    unused dentries.

    d_count==1 is no guarantee that the dentry is on the dentry_unused
    list, even if it has just been incremented inside dcache_lock, as
    dput can decrement at any time. This test from Greg Banks is much
    safer, and is more transparently correct.
+ 2.4.32-make-kernel-work-on-i486-again-1 (jacek lipkowski)

    Booting the 2.4.32 kernel compiled for an i486 on an i486 box
    fails, because "Kernel compiled for Pentium+, requires TSC
    feature!" (printed from check_config() in
    include/asm-i386/bugs.h).

+ 2.4.32-ppc64-fix-sys_rt_sigreturn-return-type-1 (stephen rothwell)

    Paul Mackerras noticed that sys_rt_sigreturn's return value was
    "int". It needs to be "long" or else the return value of a syscall
    that is interrupted by a signal will be truncated to 32 bits and
    then sign extended. This causes e.g. mmap's return value to be
    corrupted if it is returning an address above 2^31 (which is what
    caused a SEGV in malloc). This problem obviously only affects 64
    bit processes.

+ 2.4.32-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption-1 (thomas graf)

    The size of the skb carrying the netlink message is not equivalent
    to the length of the actual netlink message due to padding.
    ip_queue matches the length of the payload against the original
    packet size to determine if packet mangling is desired; due to the
    above wrong assumption arbitrary packets may not be mangled
    depending on their original size.

+ 2.4.32-drm_stub_open-range-checking-1 (marin mitov)

    Xorg-6.9.0 segfaults when the loading of the dri module is enabled
    (direct rendering). Xorg-6.9.0 (and evidently not the previous
    versions) has defined DRM_MAX_MINOR as 255 (and Xorg-6.9.0 tries
    to open all of them) while in the kernel DRM_STUB_MAXCARDS is
    defined as 16.

+ 2.4.32-nfs-cache-consistency-with-mmap-1 (Jeff Layton)

    A customer of Red Hat reported a problem with cache invalidation
    when using mmapped files over NFS with the 2.4 kernel. This patch
    fixes this by checking whether the clean_pages list for the inode
    is empty after invalidate_inode_pages is called. If it's not then
    we set a flag so that on the next pass through it automatically
    flags the data as invalid.
+ 2.4.32-vlan_ioctl-missing-checks-1 (Mika Kukkonen)

    In vlan_ioctl_handler() the code misses a couple of checks for
    error return values. The same patch was merged into 2.6.

+ 2.4.32-quota_v2-module-taints-the-kernel-1 (Marek Szuba)

    Apparently the quota_v2 module in 2.4 still lacks the licence
    macro and taints the kernel, even though the same module in 2.6 is
    correctly tagged as GPL. In case it makes things any easier, I am
    enclosing an appropriate patch.

+ 2.4.32-fix-usb-fdd-without-partitions-1 (Gilles Espinasse)

    When a USB flash disk is formatted as a floppy (without
    partitions), random partitions appear in /proc/partitions
    depending on the code and data used by the boot loader at the
    offset where the partition table is expected. Such a layout
    appears when Windows is used to format the USB stick, or when
    putting a boot-loader such as syslinux on a device. This patch is
    a back-port of the 2.6 fix. Carefully tested, works as expected.

+ 2.4.32-expire-stale-arp-entries-1 (Pradeep Vincent)

    In 2.4.21, the arp code uses gc_timer to check for stale arp cache
    entries. In 2.6, each entry has its own timer to check for a stale
    arp cache. 2.4.29 to 2.4.32 kernels (at least) use neither of
    these timers. This causes problems in environments where IPs or
    MACs are reassigned - saw this problem on load balancing router
    based networks that use VMACs. Tested this code on load balancing
    router based networks as well as peer-linux systems.

+ 2.4.32-ext2-update-inode-ctime-on-rename-1 (Willy TARREAU)

    The ext2fs filesystem on 2.2 and 2.6, as well as other filesystems
    on 2.4, update the inode ctime on rename(). When this fix was
    applied to 2.2.13, it was applied to the ext3 tree at the same
    time, but the ext2 tree was forgotten. It was recently fixed in
    2.6, but 2.4 was forgotten again. First reported by Chris
    Siebenmann on 10 Jan 2004.

+ 2.4.32-ext3-link-unlink-race-1 (Vadim Egorov)

    The problem happens when link and unlink are invoked
    simultaneously on the same inode on an ext3 filesystem. In this
    case ext3_unlink may decrement i_nlink to 0 and put this inode
    into the in-memory orphan list, while ext3_link will increment
    i_nlink back to 1, leaving the inode in the orphan list. Thus the
    system ends up having an inode with i_nlink == 1 in the orphan
    list. When this inode gets unused later, the memory might get
    released to the free pool and then be used for some other purpose,
    most likely some other inode. From this point on any operation on
    the orphan list may result in modification of the list_head that
    could already be used to store some other data.

5) Build fixes
==============

+ 2.4.31-no-32bit-moves-on-seg-regs-1 (H. J. Lu)

    [PATCH] newer i386/x86_64 assemblers prohibit instructions for
    moving between a seg register and a 32bit location.

    The new i386/x86_64 assemblers no longer accept instructions for
    moving between a segment register and a 32bit memory location.

+ 2.4.31-alpha-cabriolet-needs-ns87312-1 (Bill Dupree)

    [PATCH] Fix Alpha AXP Cabriolet build.

    Alpha AXP Cabriolet build fails with unresolved reference to
    ns87312_enable_ide().

+ 2.4.31-netfilter-gcc-3.4.3-build-1 (Marcus Sundberg)

    [NETFILTER]: this patch fixes a compilation issue with gcc 3.4.3.

+ 2.4.32-sparc-fix-compile-failures-in-math-emu-1 (david miller)

    Kill debugging default switch cases in do_one_mathemu(). That case
    is handled properly already and gcc hates the empty statement that
    results when the debug code is disabled. Pointed out by kaffe.

+ 2.4.32-alpha-fix-recursive-inlining-failure-pci_iommu-1 (solar designer)

    Building on alpha with gcc 3.4.5 fails because of recursive
    inlining. Simply removing the "inline" from the declaration of
    sg_fill() makes it build and work.

+ 2.4.32-build-fix-auto_fs4-changes-broke-ppc64-build-1 (jesse brandeburg)

    This patch adds a couple of #include statements verified to fix
    the compile for ppc64 and probably will fix the compile on parisc.
    ppc64 would not build without this fix.
+ 2.4.32-ver_linux-binutils-version-reporting-1 (Joshua Kwan)

    The 'ver_linux' script expects 'ld' to output a line starting with
    'BFD', while recent versions of 'ld' print 'GNU ld'. The effect is
    that the binutils version is not listed in reports based on
    ver_linux.

6) Documentation fixes
======================

- None

END.