ChangeLog-2.6.16.6

commit 37863c8a9b7b0261ec76daad8afffe9ab5314794
Author: Greg Kroah-Hartman <[email protected]>
Date: Mon Apr 17 13:36:51 2006 -0700

Linux 2.6.16.6

commit 512dba41bae0ec8de72269167f23b75a4770097d
Author: Hugh Dickins <[email protected]>
Date: Wed Apr 12 14:34:27 2006 -0700

[PATCH] shmat: stop mprotect from giving write permission to a readonly attachment (CVE-2006-1524)

I found that all of 2.4 and 2.6 have been letting mprotect give write
permission to a readonly attachment of shared memory, whether or not IPC
would give the caller that permission.

SUS says "The behaviour of this function [mprotect] is unspecified if the
mapping was not established by a call to mmap", but I don't think we can
interpret that as allowing it to subvert IPC permissions.

I haven't tried 2.2, but the 2.2.26 source looks like it gets it right; and
the patch below reproduces that behaviour - mprotect cannot be used to add
write permission to a shared memory segment attached readonly.

This patch is simple, and I'm sure it's what we should have done in 2.4.0:
if you want to go on to switch write permission on and off with mprotect,
just don't attach the segment readonly in the first place.

However, we could have accumulated apps which attach readonly (even though
they would be permitted to attach read/write), and which subsequently use
mprotect to switch write permission on and off: it's not unreasonable.

I was going to add a second ipcperms check in do_shmat, to check for
writable when readonly, and if not writable find_vma and clear VM_MAYWRITE.
 But security_ipc_permission might do auditing, and it seems wrong to
report an attempt for write permission when there has been none.  Or we
could flag the vma as SHM, note the shmid or shp in vm_private_data, and
then get mprotect to check.

But the patch below is a lot simpler: I'd rather stick with it, if we can
convince ourselves somehow that it'll be safe.

Signed-off-by: Hugh Dickins <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit 23e0ac040b8052729c32dfec78f751d82515e73e
Author: Stephen Hemminger <[email protected]>
Date: Wed Apr 12 14:52:54 2006 -0700

[PATCH] atm: clip causes unregister hang

If Classical IP over ATM module is loaded, its neighbor table gets
populated when permanent neighbor entries are created; but these entries
are not flushed when the device is removed. Since the entry never gets
flushed the unregister of the network device never completes.

This version of the patch also adds locking around the reference to
the atm arp daemon to avoid races with events and daemon state changes.
(Note: barrier() was never really safe)

Bug-reference: http://bugzilla.kernel.org/show_bug.cgi?id=6295

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit 18b1e8193eef97f3ac854276a7c4bacbb1bdfbd1
Author: Roland McGrath <[email protected]>
Date: Wed Apr 12 16:30:20 2006 -0700

[PATCH] fix non-leader exec under ptrace

This reverts most of commit 30e0fca6c1d7d26f3f2daa4dd2b12c51dadc778a.
It broke the case of non-leader MT exec when ptraced.
I think the bug it was intended to fix was already addressed by commit
788e05a67c343fa22f2ae1d3ca264e7f15c25eaf.

Signed-off-by: Roland McGrath <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit 49fa79e5689a5c9089a5cdaf396fbdae5f928004
Author: Paul Fulghum <[email protected]>
Date: Wed Apr 12 23:41:59 2006 +0200

[PATCH] USB: remove __init from usb_console_setup

This prevents an Oops if booted with "console=ttyUSB0" but without a
USB-serial dongle, and plugged one in afterwards.

Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit 6b2467e45179a336f1e5b70d2b2ae1fe89a00133
Author: Pavel Machek <[email protected]>
Date: Fri Mar 31 02:30:06 2006 -0800

[PATCH] Fix suspend with traced tasks

strace /bin/bash misbehaves after resume; this fixes it.

(akpm: it's scary calling refrigerator() in state TASK_TRACED, but it seems to
do the right thing).

Signed-off-by: Pavel Machek <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit dea8e11ab727c4c7d75d391354eab355cd74e95a
Author: Steve French <[email protected]>
Date: Fri Mar 31 21:22:00 2006 +0000

[PATCH] Incorrect signature sent on SMB Read

Fixes Samba bug 3621 and kernel.org bug 6147

For servers which require SMB/CIFS packet signing, we were sending the
wrong signature (all zeros) on SMB Read request.  The new cifs routine
to do signatures across an iovec was not complete - and SMB Read, unlike
the new SMBWrite2, did not fall back to the older routine (ie use
SendReceive vs. the more efficient SendReceive2 ie used the older
cifs_sign_smb vs. the disabled  cifs_sign_smb2) for calculating signatures.

This finishes up cifs_sign_smb2/cifs_calc_signature2 so that the callers
of SendReceive2 can get SMB/CIFS packet signatures.

Now that cifs_sign_smb2 is supported, we could start using it in
the write path but this smaller fix does not include the change
to use SMBWrite2 when signatures are required (which when enabled
will make more Writes more efficient and alloc less memory).
Currently Write2 is only used when signatures are not
required at the moment but after more testing we will enable
that as well).

Thanks to James Slepicka and Sam Flory for initial investigation.

Signed-off-by: Steve French <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit 284a7c99c01846ee44040268529c99fc92dcc531
Author: Andrew Morton <[email protected]>
Date: Fri Mar 24 03:18:35 2006 -0800

[PATCH] RLIMIT_CPU: fix handling of a zero limit

At present the kernel doesn't honour an attempt to set RLIMIT_CPU to zero
seconds.  But the spec says it should, and that's what 2.4.x does.

Fixing this for real would involve some complexity (such as adding a new
it-has-been-set flag to the task_struct, and testing that everwhere, instead
of overloading the value of it_prof_expires).

Given that a 2.4 kernel won't actually send the signal until one second has
expired anyway, let's just handle this case by treating the caller's
zero-seconds as one second.

Cc: Martin Schwidefsky <[email protected]>
Cc: Ulrich Weigand <[email protected]>
Cc: Cliff Wickman <[email protected]>
Acked-by: Ingo Molnar <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>

commit bc5bd8ac3c6956c7ce2c838e8e2f01435b8e4e0b
Author: Nathan Scott <[email protected]>
Date: Tue Apr 11 15:12:45 2006 +1000

[PATCH] Fix utime(2) in the case that no times parameter was passed in.

SGI-PV: 949858
SGI-Modid: xfs-linux-melb:xfs-kern:25717a

Signed-off-by: Jes Sorensen <[email protected]>
Signed-off-by: Nathan Scott <[email protected]>

commit 3e1792fa40be9dd0f530e2b32f439bb97c40bcee
Author: Brian Uhrain says <[email protected]>
Date: Mon Apr 10 22:53:16 2006 -0700

[PATCH] alpha: SMP boot fixes

I've encountered two problems with 2.6.16 and newer kernels on my API CS20
(dual 833MHz Alpha 21264b processors).  The first is the kernel OOPSing
because of a NULL pointer dereference while trying to populate SysFS with the
CPU information.  The other is that only one processor was being brought up.
I've included a small Alpha-specific patch that fixes both problems.

The first problem was caused by the CPUs never being properly registered using
register_cpu(), the way it's done on other architectures.

The second problem has to do with the removal of hwrpb_cpu_present_mask in
arch/alpha/kernel/smp.c.  In setup_smp() in the 2.6.15 kernel sources,
hwrpb_cpu_present_mask has a bit set for each processor that is probed, and
afterwards cpu_present_mask is set to the cpumask for the boot CPU.  In the
same function of the same file in the 2.6.16 sources, instead of
hwrpb_cpu_present_mask being set, cpu_possible_map is updated for each probed
CPU.  cpu_present_mask is still set to the cpumask of the boot CPU afterwards.
 The problem lies in include/asm-alpha/smp.h, where cpu_possible_map is
#define'd to be cpu_present_mask.

Cleanups from: Ivan Kokshaysky <[email protected]>

 - cpu_present_mask and cpu_possible_map are essentially the same thing
   on alpha, as it doesn't support CPU hotplug;
 - allocate "struct cpu" only for present CPUs, like sparc64 does.
   Static array of "struct cpu" is just a waste of memory.

Signed-off-by: Brian Uhrain <[email protected]>
Cc: Richard Henderson <[email protected]>
Cc: Ivan Kokshaysky <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit d90fd1f7c1e1003d899df415456f4f7164ff11e1
Author: Mike Miller <[email protected]>
Date: Mon Apr 10 15:38:07 2006 -0700

[PATCH] cciss: bug fix for crash when running hpacucli

Fix a crash when running hpacucli with multiple logical volumes on a cciss
controller.  We were not properly initializing the disk->queue and causing
a fault.

Thanks to Hasso Tepper for reporting the problem.  Thanks to Steve Cameron
for root causing the problem.  Most of the patch just moves things around.
The fix is a one-liner.

Signed-off-by: Mike Miller <[email protected]>
Signed-off-by: Stephen Cameron <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit 6cbe9c0d5b6c45a0d7ec1365be27b11df4099a9a
Author: Randy Dunlap <[email protected]>
Date: Mon Apr 10 20:54:24 2006 +0200

[PATCH] edac_752x needs CONFIG_HOTPLUG

EDAC_752X uses pci_scan_single_device(), which is only available
if CONFIG_HOTPLUG is enabled, so limit this driver with HOTPLUG.

This patch was already included in Linus' tree.

Adrian Bunk:
Rediffed for 2.6.16.x due to unrelated context changes.

Signed-off-by: Randy Dunlap <[email protected]>
Signed-off-by: Adrian Bunk <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: David S. Peterson <[email protected]>

commit 345db2843239353833c28d2e12e32a2429a73b2b
Author: Ananiev, Leonid I <[email protected]>
Date: Mon Apr 10 22:54:38 2006 -0700

[PATCH] ext3: Fix missed mutex unlock

Missed unlock_super()call is added in error condition code path.

Signed-off-by: Leonid Ananiev <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit 49e91c3b2131b16ea13e3b44426c5a577e9b4fd8
Author: Stephen Rothwell <[email protected]>
Date: Mon Apr 10 00:17:20 2006 -0700

[PATCH] Fix block device symlink name

As noted further on the this file, some block devices have a / in their
name, so fix the "block:..." symlink name the same as the /sys/block name.

Signed-off-by: Stephen Rothwell <[email protected]>
Cc: Al Viro <[email protected]>
Cc: Christoph Hellwig <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit 2b53303840e1a8f1c7d007d988e8f497248ca270
Author: Nick Piggin <[email protected]>
Date: Mon Apr 10 16:54:00 2006 -0700

[PATCH] Fix buddy list race that could lead to page lru list corruptions

Rohit found an obscure bug causing buddy list corruption.

page_is_buddy is using a non-atomic test (PagePrivate && page_count == 0)
to determine whether or not a free page's buddy is itself free and in the
buddy lists.

Each of the conjuncts may be true at different times due to unrelated
conditions, so the non-atomic page_is_buddy test may find each conjunct to
be true even if they were not both true at the same time (ie. the page was
not on the buddy lists).

Signed-off-by: Martin Bligh <[email protected]>
Signed-off-by: Rohit Seth <[email protected]>
Signed-off-by: Nick Piggin <[email protected]>
Signed-off-by: KAMEZAWA Hiroyuki <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit add92b7ade7eb528b7df6153f8bc773f5e2a80f1
Author: Miklos Szeredi <[email protected]>
Date: Tue Apr 11 18:37:57 2006 +0200

[PATCH] fuse: fix oops in fuse_send_readpages()

During heavy parallel filesystem activity it was possible to Oops the
kernel.  The reason is that read_cache_pages() could skip pages which
have already been inserted into the cache by another task.
Occasionally this may result in zero pages actually being sent, while
fuse_send_readpages() relies on at least one page being in the
request.

So check this corner case and just free the request instead of trying
to send it.

Reported and tested by Konstantin Isakov.

Signed-off-by: Miklos Szeredi <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit 3a62231e38fe628ec2540fb22276ea1c3af5ddd8
Author: Hirokazu Takata <[email protected]>
Date: Mon Apr 10 22:53:18 2006 -0700

[PATCH] m32r: Fix cpu_possible_map and cpu_present_map initialization for SMP kernel

This patch fixes a boot problem of the m32r SMP kernel 2.6.16-rc1-mm3 or
later.

In this patch, cpu_possible_map is statically initialized, and cpu_present_map
is also copied from cpu_possible_map in smp_prepare_cpus(), because the m32r
architecture has not supported CPU hotplug yet.

Signed-off-by: Hayato Fujiwara <[email protected]>
Signed-off-by: Hirokazu Takata <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit 1fbbed27cf11386f621b00a033fe557266753c54
Author: Hirokazu Takata <[email protected]>
Date: Mon Apr 10 22:53:20 2006 -0700

[PATCH] m32r: security fix of {get, put}_user macros

Update {get,put}_user macros for m32r kernel.
- Modify get_user to use __get_user_asm macro, instead of __get_user_x macro.
- Remove arch/m32r/lib/{get,put}user.S.
- Some cosmetic updates.

I would like to thank NIIBE Yutaka for his reporting about the m32r kernel's
security problem in {get,put}_user macros.

There were no address checking for user space access in {get,put}_user macros.
 ;-)

Signed-off-by: Hirokazu Takata <[email protected]>
Cc: NIIBE Yutaka <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit ea0fcdd684262eed42bb40cceff450ef46a97306
Author: Patrick McHardy <[email protected]>
Date: Thu Apr 6 18:51:38 2006 +0200

[PATCH] NETFILTER: Fix fragmentation issues with bridge netfilter

[NETFILTER]: Fix fragmentation issues with bridge netfilter

The conntrack code doesn't do re-fragmentation of defragmented packets
anymore but relies on fragmentation in the IP layer. Purely bridged
packets don't pass through the IP layer, so the bridge netfilter code
needs to take care of fragmentation itself.

Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit 8abb9bed57d5ee0f645eedb7208e8d53b2431b01
Author: Stephen Hemminger <[email protected]>
Date: Wed Apr 5 17:47:15 2006 -0700

[PATCH] sky2: bad memory reference on dual port cards

Sky2 driver will oops referencing bad memory if used on
a dual port card.  The problem is accessing past end of
MIB counter space.

Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit 905ea1183cb0a6e82ab6de4d4ea0ff0bf807ff27
Author: Randy Dunlap <[email protected]>
Date: Wed Apr 5 12:03:45 2006 -0700

[PATCH] isd200: limit to BLK_DEV_IDE

Limit USB_STORAGE_ISD200 to whatever BLK_DEV_IDE and USB_STORAGE
are set to (y, m) since isd200 calls ide_fix_driveid() in the
BLK_DEV_IDE code.

Signed-off-by: Randy Dunlap <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit 27de783e1874115054e079998b3a7f5b06a67b1f
Author: Mark Bellon <[email protected]>
Date: Wed Apr 5 01:06:06 2006 -0700

[PATCH] MPBL0010 driver sysfs permissions wide open

The MPBL0010 Telco clock driver (drivers/char/tlclk.c) uses 0222 (anyone
can write) permissions on its writable sysfs entries.  Alter the
permissions to 0220 (owner and group can write).

The use case for this driver is to configure the fail over behavior of the
clock hardware.  That should be done by the more privileged users.

Signed-off-by: Mark Bellon <[email protected]>
Acked-by: Gross Mark <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit bb532cb98cd10b4bbb14c0ce253fbaed16a761c4
Author: Laurent MEYER <[email protected]>
Date: Thu Apr 6 08:45:19 2006 +1000

[PATCH] powerpc: fix incorrect SA_ONSTACK behaviour for 64-bit processes

*) When setting a sighandler using sigaction() call, if the flag
SA_ONSTACK is set and no alternate stack is provided via sigaltstack(),
the kernel still try to install the alternate stack. This behavior is
the opposite of the one which is documented in Single Unix
Specifications V3.

*) Also when setting an alternate stack using sigaltstack() with the
flag SS_DISABLE, the kernel try to install the alternate stack on
signal delivery.

These two use cases makes the process crash at signal delivery.

This fixes it.

Signed-off-by: Laurent Meyer <[email protected]>
Signed-off-by: Paul Mackerras <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

commit bce29a817a973634535f92aa217152177e82c3bd
Author: Stephen Rothwell <[email protected]>
Date: Wed Apr 5 10:41:21 2006 +1000

[PATCH] powerpc: iSeries needs slb_initialize to be called

Since the powerpc 64k pages patch went in, systems that have SLBs
(like Power4 iSeries) needed to have slb_initialize called to set up
some variables for the SLB miss handler.  This was not being called
on the boot processor on iSeries, so on single cpu iSeries machines,
we would get apparent memory curruption as soon as we entered user mode.

This patch fixes that by calling slb_initialize on the boot cpu if the
processor has an SLB.

Signed-off-by: Stephen Rothwell <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>