• R/O
  • HTTP
  • SSH

linux-2.4.36: Liste der Commits

2.4.36-stable kernel tree

Rev. Zeit Autor
b6b3ead 2008-09-06 20:35:24 Herbert Xu

net pppoe: Check packet length on all receive paths

[backport of 2.6 commit 392fdb0e35055b96faa9c1cd6ab537805337cdce]

The length field in the PPPOE header wasn't checked completely.
This patch causes all packets shorter than the declared length
to be dropped.

It also changes the memcpy_toiovec call to skb_copy_datagram_iovec
so that paged packets (rare for PPPOE) are handled properly.

Thanks to Ilja of the Netric Security Team for discovering and
reporting this bug, and Chris Wright for the total_len check.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>

dcf072a 2008-09-06 20:35:24 Stephen Hemminger

ipv6: use timer pending

[backport of 2.6 commit 847499ce71bdcc8fc542062df6ebed3e596608dd]

This fixes the bridge reference count problem and cleanups ipv6 FIB
timer management. Don't use expires field, because it is not a proper
way to test, instead use timer_pending().

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>

72155e6 2008-07-21 02:13:34 Xiong Wu

Correct the upto value during list conntrack information

The problem:
When list numerous conntrack information from /proc/net/ip_conntrack,
we found some items are missing.

The solution:
This patch correct the upto value in conntrack_iterate() when the length
of conntrack information exceed the max length.

Cc: Patrick McHardy <kaber@trash.net>
Cc: coreteam@netfilter.org
Signed-off-by: Willy Tarreau <w@1wt.eu>

a7b5569 2008-06-07 01:25:34 Willy Tarreau

Change VERSION to

- asn1: additional sanity checking during BER decoding (CVE-2008-1673)

Signed-off-by: Willy Tarreau <w@1wt.eu>

53d12af 2008-06-06 07:11:50 Chris Wright

asn1: additional sanity checking during BER decoding (CVE-2008-1673)

[backport of 2.6 commit ddb2c43594f22843e9f3153da151deaba1a834c5]

- Don't trust a length which is greater than the working buffer.
An invalid length could cause overflow when calculating buffer size
for decoding oid.

- An oid length of zero is invalid and allows for an off-by-one error when
decoding oid because the first subid actually encodes first 2 subids.

- A primitive encoding may not have an indefinite length.

Thanks to Wei Wang from McAfee for report.

Cc: Steven French <sfrench@us.ibm.com>
Cc: stable@kernel.org
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[w@1wt.eu: backported to 2.4 : no cifs ; snmp in ip_nat_snmp_basic.c]
Signed-off-by: Willy Tarreau <w@1wt.eu>

e5e375d 2008-06-02 03:32:42 Willy Tarreau

Change VERSION to

- sit: Add missing kfree_skb() on pskb_may_pull() failure (CVE-2008-2136)
- sparc: Fix mmap VA span checking (CVE-2008-2137)
- 3c980-TX needs EXTRA_PREAMBLE
- ACPI: check a return value correctly in acpi_power_get_context()
- wireless, airo: waitbusy() won't delay
- signal.h: use an explicit cast to silent compiler warnings
- fix build error with some flavours of gcc 2.95.3
- old buffer overflow in moxa driver (CVE-2005-0504)

Signed-off-by: Willy Tarreau <w@1wt.eu>

409d2d5 2008-06-02 03:23:58 David S. Miller

sparc: Fix mmap VA span checking (CVE-2008-2137)

[backport of 2.6 commit 5816339310b2d9623cf413d33e538b45e815da5d]

We should not conditionalize VA range checks on MAP_FIXED.

Signed-off-by: David S. Miller <davem@davemloft.net>
[w@1wt.eu: sparc_mmap_check() does not exist in 2.4]
Signed-off-by: Willy Tarreau <w@1wt.eu>

3ce866b 2008-06-02 03:23:58 Li Zefan

ACPI: check a return value correctly in acpi_power_get_context()

[backport of 2.6 commit a815ab8b5891f3d2515316655729272f68269e3b]

We should check *resource != NULL rather than resource != NULL, which will be
always true.

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Acked-by: Zhao Yakui <yakui.zhao@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>

cbb9001 2008-06-02 03:23:58 Roel Kluin

wireless, airo: waitbusy() won't delay

[backport of 2.6 commit b7acbdfbd1f277c1eb23f344f899cfa4cd0bf36a]

There will be no delay even when COMMAND_BUSY (defined 0x8000) is set:
0x8000 & (delay < 10000) will evaluate to 0 - when delay is 0.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>

9a92158 2008-06-02 03:23:57 Steve Rosenbluth

fix build error with some flavours of gcc 2.95.3

This patches include/asm/processor.h
Sometime between 2.4.29 and spaces were deleted between colons
which causes compiler gcc 2.95.3 to fail to parse the header
when compiling applications which include it.
Adding back the spaces solves the problem on gcc 2.95.3.
gcc 4.1.1 also compiles the kernel OK with this patch."

Signed-off-by: Willy Tarreau <w@1wt.eu>

141ae84 2008-06-02 03:23:57 Steve Rosenbluth

signal.h: use an explicit cast to silent compiler warnings

This patches include/linux/signal.h
There is an implicit cast from an integer to an
unsigned long (sigset_t) which causes compilers to generate warnings.
Different compilers could possibly produce different code.
This change has been tested over several years of use and is stable.

Signed-off-by: Willy Tarreau <w@1wt.eu>

e9e3590 2008-06-02 03:23:57 Gunnar Larisch


The ethernet card 3c980-TX needs a mdio_sync() to initialize the ethernet
properly. This is forced by adding an EXTRA_PREAMBLE to its drv_flags.

Without this, the driver did not reconnect after a link loss since
Version 2.4.29.

Signed-off-by: Gunnar Larisch <Gunnar.Larisch@gmx.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>

5ed4605 2008-06-02 03:23:57 David S. Miller

sit: Add missing kfree_skb() on pskb_may_pull() failure (CVE-2008-2136)

[backport of 2.6 commit 36ca34cc3b8335eb1fe8bd9a1d0a2592980c3f02]

Noticed by Paul Marks <paul@pmarks.net>.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>

fee3cb6 2008-06-02 03:23:56 dann frazier

old buffer overflow in moxa driver (CVE-2005-0504)

[backport of 2.6 commit a2f72982e22b96862f8f15272732bd316d4db040]

old buffer overflow in moxa driver

I noticed that the moxa input checking security bug described by
CVE-2005-0504 appears to remain unfixed upstream.

The issue is described here:

Debian has been shipping the following patch from Andres Salomon.

(akpm: it's a privileged operation)

Signed-off-by: dann frazier <dannf@hp.com>
Signed-off-by: Andres Salomon <dilinger@debian.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>

b6dd8a5 2008-05-07 08:00:29 Willy Tarreau

Change VERSION to

- Fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)
- Fix dnotify/close race (CVE-2008-1375)

7e98aaf 2008-05-07 07:35:25 Al Viro

Fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)

[ sync up with 2.6 commit 0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9 ]

fcntl_setlk()/close() race prevention has a subtle hole - we need to
make sure that if we *do* have an fcntl/close race on SMP box, the
access to descriptor table and inode->i_flock won't get reordered.

As it is, we get STORE inode->i_flock, LOAD descriptor table entry vs.
STORE descriptor table entry, LOAD inode->i_flock with not a single
lock in common on both sides. We do have BKL around the first STORE,
but check in locks_remove_posix() is outside of BKL and for a good
reason - we don't want BKL on common path of close(2).

Solution is to hold ->file_lock around fcheck() in there; that orders
us wrt removal from descriptor table that preceded locks_remove_posix()
on close path and we either come first (in which case eviction will be
handled by the close side) or we'll see the effect of close and do
eviction ourselves. Note that even though it's read-only access,
we do need ->file_lock here - rcu_read_lock() won't be enough to
order the things.

[ w@1wt.eu: this patch also includes a missing fix for and older
bug affecting the same code, which was already fixed in 2.6. As
of now, 2.4 is in sync with 2.6 concerning this bug. ]

141787e 2008-05-06 05:42:06 Willy Tarreau

Fix dnotify/close race (CVE-2008-1375)

Issue reported by Al Viro with description taken from 2.6 commit
214b7049a7929f03bbd2786aaef04b8b79db34e2 :

We have a race between fcntl() and close() that can lead to
dnotify_struct inserted into inode's list *after* the last descriptor
had been gone from current->files.

Since that's the only point where dnotify_struct gets evicted, we are
screwed - it will stick around indefinitely. Even after struct file in
question is gone and freed. Worse, we can trigger send_sigio() on it at
any later point, which allows to send an arbitrary signal to arbitrary
process if we manage to apply enough memory pressure to get the page
that used to host that struct file and fill it with the right pattern...

0062f7f 2008-04-19 23:39:27 Willy Tarreau

Change VERSION to

- usb-serial: back-port of pl2303.c from
- ext2_readdir() filp->f_pos fix (try #2)
- Duplicate id in videodev.h
- Fix typo in acpi_boot_init
- ip-pnp-dhcp: wait lazily when doing dhcp for diskless systems
- [TCP]: Fix shrinking windows with window scaling
- intermezzo: fix uninitialized use of pointer in error path

26af9f7 2008-04-18 19:01:15 Willy Tarreau

intermezzo: fix uninitialized use of pointer in error path

gcc pointed out the following issue :
dcache.c: In function `presto_set_dd':
dcache.c:251: warning: `fset' might be used uninitialized in this function

fset is not yet assigned in the error path, so no operation must be done
with it.

e502c9c 2008-04-17 15:53:59 Patrick McHardy

[TCP]: Fix shrinking windows with window scaling

[backported from 2.6 commit 607bfbf2d55dd1cfe5368b41c2a81a8c9ccf4723]

When selecting a new window, tcp_select_window() tries not to shrink
the offered window by using the maximum of the remaining offered window
size and the newly calculated window size. The newly calculated window
size is always a multiple of the window scaling factor, the remaining
window size however might not be since it depends on rcv_wup/rcv_nxt.
This means we're effectively shrinking the window when scaling it down.

The dump below shows the problem (scaling factor 2^7):

- Window size of 557 (71296) is advertised, up to 3111907257:

IP > . ack 3111835961 win 557 <...>

- New window size of 514 (65792) is advertised, up to 3111907217, 40 bytes
below the last end:

IP > . 3113575668:3113577116(1448) ack 3111841425 win 514 <...>

The number 40 results from downscaling the remaining window:

3111907257 - 3111841425 = 65832
65832 / 2^7 = 514
65832 % 2^7 = 40

If the sender uses up the entire window before it is shrunk, this can have
chaotic effects on the connection. When sending ACKs, tcp_acceptable_seq()
will notice that the window has been shrunk since tcp_wnd_end() is before
tp->snd_nxt, which makes it choose tcp_wnd_end() as sequence number.
This will fail the receivers checks in tcp_sequence() however since it
is before it's tp->rcv_wup, making it respond with a dupack.

If both sides are in this condition, this leads to a constant flood of
ACKs until the connection times out.

Make sure the window is never shrunk by aligning the remaining window to
the window scaling factor.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

bebd7ca 2008-04-17 15:35:59 Jesse Brandeburg

[PATCH] ip-pnp-dhcp: wait lazily when doing dhcp for diskless systems

ic_dynamic() holds the cpu too long and tasks do not have a chance to run.
This causes adapters like e1000 that have the link come up in a tasklet to fail
link up due to exceptionally long delays in acquiring link, and then a dhcp

Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>

8d20b0b 2008-04-16 17:26:15 David Newall

usb-serial: back-port of pl2303.c from

I experienced major major data loss on a PL-2303 USB-serial converter
under 2.4.36, which I remedied by back-porting the pl2303.c from the
latest 2.6 kernel tree.

Here's a new patch, which is more complete than my previous one.
It's based on the

There's a lot of trivial white-space changes and some things that have
been moved, which make the patch rather larger than it could be. I
didn't include those changes before, but have now in order that the
driver be closer to the 2.6 driver. It'll never be identical, of course.

Note, too, that the 2.6 driver (and thus the patched 2.4) includes a 1k
circular buffer which rather duplicates a buffer in the 2.4 usbserial.c;
2.6's usb-serial has had that buffer removed. As the buffer resolves
loss of the occasional putchar (e.g. from n_tty's opost), it is
important and correct, even in 2.4.

Speaking as a user, I no longer see any problems with PL2303, and I
think this is okay to release.

Cc: Greg Kroah-Hartman <greg@kroah.com>

2c04119 2008-04-16 17:14:33 Glen Nakamura

Fix typo in acpi_boot_init

Here's a heads up on a couple of patches I submitted a few years back
that seem to have been forgotten:


The following ChangeSet introduced a typo in acpi_boot_init:

ChangeSet@1.1448.1.123 2005-03-09 11:43:51-03:00 marcelo@cnet
* Early ACPI PCI quirk depends on CONFIG_X86_IO_APIC

CONFIG_X86_IOAPIC should obviously be CONFIG_X86_IO_APIC
as written in the patch description above.

Trivial fix below.

Signed-off-by: Glen Nakamura <glen@imodulo.com>

448678e 2008-04-16 17:14:32 Glen Nakamura

Duplicate id in videodev.h

Here's a heads up on a couple of patches I submitted a few years back
that seem to have been forgotten:


VID_HARDWARE_W9968CF and VID_HARDWARE_SAA7114H are both assigned value 36.
Trivial patch below increases VID_HARDWARE_SAA7114H to 37.

Signed-off-by: Glen Nakamura <glen@imodulo.com>

72a9d5a 2008-04-16 17:06:58 Glen Nakamura

ext2_readdir() filp->f_pos fix (try #2)

This patch reintroduces a fixed version of reverted commit
c30306fb287323591c854a0982d9fa5351859b45 from Dann Frazier :

This is a 2.4 backport of a linux-2.6 change by Jan Blunck
(old-2.6-bkcvs commit 2196b4744393d4f6c06fc4d63b98556d05b90933)

Commit log from 2.6 follows.

[PATCH] ext2_readdir() filp->f_pos fix

If the whole directory is read, ext2_readdir() sets the f_pos to a multiple
of the page size (because of the conditions of the outer for loop). This
sets the wrong f_pos for directory inodes on ext2 partitions with a block
size differing from the page size.

Note from Glen :

Perhaps the "filp->f_pos += le16_to_cpu(de->rec_len);" line should be
outside of the if statement like the indentation implies?
As it is, filp->f_pos gets corrupted if de->inode is ever zero...
This could possibly explain why I had a few strange directory
entries until I checked the filesystem with:
e2fsck -D -F -f /dev/{ext2 partition}

This fix was confirmed by both Dann Frazier and Pascal Hambourg.

Note from Willy :

The code now differs from 2.6 only by commit
2d7f2ea9c989853310c7f6e8be52cc090cc8e66b which is only in 2.6.

The reporter, Al Masoud, provided the test case which could not be
reproduced on 2.4 (neither with nor without the fix above), so the
patch in question has *not* been applied to 2.4.

Dann will take the same approach for the Debian update.

3f4bf06 2008-02-25 05:38:03 Willy Tarreau

Change VERSION to

- Revert "ext2_readdir() filp->f_pos fix"
- 2.4: [POWERPC] CHRP: Fix possible NULL pointer dereference

3983140 2008-02-25 05:37:40 Willy Tarreau

Revert "ext2_readdir() filp->f_pos fix"

This reverts commit c30306fb287323591c854a0982d9fa5351859b45.

This backported fix caused some lockups to people while reading

Cc: dann frazier <dannf@hp.com>

5a8870c 2008-02-25 05:28:42 dann frazier

2.4: [POWERPC] CHRP: Fix possible NULL pointer dereference

This is a 2.4 backport of a linux-2.6 change by Cyrill Gorcunov.
(commit 9ac71d00398674aaec664f30559f0a21d963862f)

CVE-2007-6694 was assigned for this issue.
This backport has been compile-tested only.

Commit log from 2.6 follows.

This fixes a possible NULL pointer dereference inside of strncmp() if
of_get_property() fails.

Signed-off-by: dann frazier <dannf@hp.com>

4de5159 2008-02-16 21:56:03 Willy Tarreau

Change VERSION to

- Do not complain about gcc 4.2 for user-space
- i386: fix setCx86/getCx86 race in macros
- security: insufficient range checks in certain fault handlers
- ext2_readdir() filp->f_pos fix
- avoid semi-infinite loop when mounting bad ext2
- ext2: skip pages past number of blocks in ext2_find_entry
- memory leak when socket is release()d before PPPIOCGCHAN has been called on it
- 2.4: fix memory corruption from misinterpreted bad_inode_ops return values
- 2.4: [SCSI] aacraid: Fix security hole
- 2.4: USB: fix DoS in pwc USB video driver

70fc53f 2008-02-11 14:48:05 Willy Tarreau

security: insufficient range checks in certain fault handlers

This is the 2.4 version of Nick Piggin's work on 2.6 fault handlers.
This deals with security vulnerability CVE-2008-0007.

Drivers that register a ->nopage handler, that does not range-check its
offset argument, must set VM_DONTEXPAND in the vm_flags to ensure the
offset is within bounds.

Signed-off-by: Willy Tarreau <w@1wt.eu>

Show on old repository browser