securityvulns: SECURITYVULNS:DOC:15430
History: Dec 19, 2006 - 12:00 a.m.

ChangeLog-2.6.19.1

commit 1edb5a2de7a29144644794208eb63abbca419430
Author: Chris Wright <[email protected]>
Date: Mon Dec 11 11:32:53 2006 -0800

Linux 2.6.19.1

commit f558fdfaa8d62e33ef47a819d1ca659a8f9e1f1a
Author: David Miller <[email protected]>
Date: Fri Dec 8 17:14:38 2006 -0800

[PATCH] NETLINK: Put {IFA,IFLA}_{RTA,PAYLOAD} macros back for userspace.

GLIBC uses them etc.

They are guarded by ifndef __KERNEL__ so nobody will start
accidentally using them in the kernel again, it's just for
userspace.

Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 39a173632d043082157b4b002e956b3131556eea
Author: Daniel Barkalow <[email protected]>
Date: Fri Dec 8 11:58:15 2006 -0500

[PATCH] forcedeth: Disable INTx when enabling MSI in forcedeth

At least some nforce cards continue to send legacy interrupts when MSI
is enabled, and these interrupts are treated as unhandled by the
kernel. This patch disables legacy interrupts explicitly when enabling
MSI mode.

The correct fix is to change the MSI infrastructure to disable legacy
interrupts when enabling MSI, but this is potentially risky if the
device isn't PCI-2.3 or is quirky, so the correct fix is going into
mainline, while patches like this one go into -stable.

Legend has it that it is most correct to disable legacy interrupts
before enabling MSI, but the mainline patch does it in the other
order, and this patch is "obviously" the same as mainline.

Signed-off-by: Daniel Barkalow <[email protected]>
Cc: Jeff Garzik <[email protected]>
Cc: Greg KH <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 3667bf6de29ff04c42557e31e3e8cbbbb835732c
Author: Ravikiran G Thirumalai <[email protected]>
Date: Sat Dec 9 21:33:35 2006 +0100

[PATCH] x86: Fix boot hang due to nmi watchdog init code

2.6.19 stopped booting (or booted based on build/config) on our x86_64
systems due to a bug introduced in 2.6.19.  check_nmi_watchdog schedules an
IPI on all cpus to busy wait on a flag, but fails to set the busywait
flag if NMI functionality is disabled.  This causes the secondary cpus
to spin in an endless loop, causing the kernel bootup to hang.
Depending upon the build, the busywait flag got overwritten (stack variable)
and caused the kernel to bootup on certain builds.  Following patch fixes
the bug by setting the busywait flag before returning from check_nmi_watchdog.
I guess using a stack variable is not good here as the calling function could
potentially return while the busy wait loop is still spinning on the flag.

AK: I redid the patch significantly to be cleaner

Signed-off-by: Ravikiran Thirumalai <[email protected]>
Signed-off-by: Shai Fultheim <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit a10457ccb7a459c86a94c46680c69afbf5608f49
Author: Hirokazu Takata <[email protected]>
Date: Fri Dec 8 02:35:54 2006 -0800

[PATCH] m32r: make userspace headers platform-independent

The m32r kernel 2.6.18-rc1 or after causes build errors of "unknown isa
configuration" for userspace application programs, such as glibc, gdb, etc.

This is because the recent kernel does not include linux/config.h not to expose
kernel headers for userspace.

To fix the above compile errors, this patch fixes two headers ptrace.h and
sigcontext.h for m32r and makes them platform-independent.

Signed-off-by: Hirokazu Takata <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit a3956ef72c8d27e4b6a854afd45ae6cc9c6fa5e4
Author: Zachary Amsden <[email protected]>
Date: Wed Dec 6 20:39:39 2006 -0800

[PATCH] softirq: remove BUG_ONs which can incorrectly trigger

It is possible to have tasklets get scheduled before softirqd has had a chance
to spawn on all CPUs.  This is totally harmless; after success during action
CPU_UP_PREPARE, action CPU_ONLINE will be called, which immediately wakes
softirqd on the appropriate CPU to process the already pending tasklets.  So
there is no danger of having a missed wakeup for any tasklets that were
already pending.

In particular, i386 is affected by this during startup, and is visible when
using a very large initrd; during the time it takes for the initrd to be
decompressed, a timer IRQ can come in and schedule RCU callbacks.  It is also
possible that resending of a hardware IRQ via a softirq triggers the same bug.

Because of different timing conditions, this shows up in all emulators and
virtual machines tested, including Xen, VMware, Virtual PC, and Qemu.  It is
also possible to trigger on native hardware with a large enough initrd,
although I don't have a reliable case demonstrating that.

Signed-off-by: Zachary Amsden <[email protected]>
Cc: <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 7f803f5145613f8e32a78d07d14fed6e82c797f7
Author: Jiri Kosina <[email protected]>
Date: Wed Dec 6 20:39:38 2006 -0800

[PATCH] autofs: fix error code path in autofs_fill_sb()

When kernel is compiled with old version of autofs (CONFIG_AUTOFS_FS), and
new (observed at least with 5.x.x) automount daemon is started, kernel
correctly reports incompatible version of kernel and userland daemon, but
then screws things up instead of correct handling of the error:

 autofs: kernel does not match daemon version
 =====================================
 [ BUG: bad unlock balance detected! ]
 -------------------------------------
 automount/4199 is trying to release lock (&type->s_umount_key) at:
 [<c0163b9e>] get_sb_nodev+0x76/0xa4
 but there are no more locks to release!

 other info that might help us debug this:
 no locks held by automount/4199.

 stack backtrace:
  [<c0103b15>] dump_trace+0x68/0x1b2
  [<c0103c77>] show_trace_log_lvl+0x18/0x2c
  [<c01041db>] show_trace+0xf/0x11
  [<c010424d>] dump_stack+0x12/0x14
  [<c012e02c>] print_unlock_inbalance_bug+0xe7/0xf3
  [<c012fd4f>] lock_release+0x8d/0x164
  [<c012b452>] up_write+0x14/0x27
  [<c0163b9e>] get_sb_nodev+0x76/0xa4
  [<c0163689>] vfs_kern_mount+0x83/0xf6
  [<c016373e>] do_kern_mount+0x2d/0x3e
  [<c017513f>] do_mount+0x607/0x67a
  [<c0175224>] sys_mount+0x72/0xa4
  [<c0102b96>] sysenter_past_esp+0x5f/0x99
 DWARF2 unwinder stuck at sysenter_past_esp+0x5f/0x99
 Leftover inexact backtrace:
  =======================

and then deadlock comes.

The problem: autofs_fill_super() returns EINVAL to get_sb_nodev(), but
before that, it calls kill_anon_super() to destroy the superblock which
won't be needed.  This is however way too soon to call kill_anon_super(),
because get_sb_nodev() has to perform its own cleanup of the superblock
first (deactivate_super(), etc.).  The correct time to call
kill_anon_super() is in the autofs_kill_sb() callback, which is called by
deactivate_super() at proper time, when the superblock is ready to be
killed.

I can see the same faulty codepath also in autofs4.  This patch solves
issues in both filesystems in the same way - it postpones the
kill_anon_super() until the proper time is signalized by deactivate_super()
calling the kill_sb() callback.

[[email protected]: update comment]
Signed-off-by: Jiri Kosina <[email protected]>
Acked-by: Ian Kent <[email protected]>
Cc: <[email protected]>
Signed-off-by: Ian Kent <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 1f583f6270cd7d3130b8a3b08cfef01534d588fe
Author: Rafael J Wysocki <[email protected]>
Date: Wed Dec 6 20:34:47 2006 -0800

[PATCH] PM: Fix swsusp debug mode testproc

The 'testproc' swsusp debug mode thaws tasks twice in a row, which is _very_
confusing.  Fix that.

Signed-off-by: Rafael J. Wysocki <[email protected]>
Acked-by: Pavel Machek <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 1157f82831d3745a61b897d9f8a38886c586d09f
Author: Andrey Mirkin <[email protected]>
Date: Wed Dec 6 20:31:35 2006 -0800

[PATCH] compat: skip data conversion in compat_sys_mount when data_page is NULL

OpenVZ Linux kernel team has found a problem with mounting in compat mode.

Simple command "mount -t smbfs ..." on Fedora Core 5 distro in 32-bit mode
leads to oops:

Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP:
[<ffffffff802bc7c6>] compat_sys_mount+0xd6/0x290
PGD 34d48067 PUD 34d03067 PMD 0
Oops: 0000 [1] SMP
CPU: 0
Modules linked in: iptable_nat simfs smbfs ip_nat ip_conntrack vzdquota
parport_pc lp parport 8021q bridge llc vznetdev vzmon nfs lockd sunrpc vzdev
iptable_filter af_packet xt_length ipt_ttl xt_tcpmss ipt_TCPMSS
iptable_mangle xt_limit ipt_tos ipt_REJECT ip_tables x_tables thermal
processor fan button battery asus_acpi ac uhci_hcd ehci_hcd usbcore i2c_i801
i2c_core e100 mii floppy ide_cd cdrom
Pid: 14656, comm: mount
RIP: 0060:[<ffffffff802bc7c6>]  [<ffffffff802bc7c6>]
compat_sys_mount+0xd6/0x290
RSP: 0000:ffff810034d31f38  EFLAGS: 00010292
RAX: 000000000000002c RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff810034c86bc0 RSI: 0000000000000096 RDI: ffffffff8061fc90
RBP: ffff810034d31f78 R08: 0000000000000000 R09: 000000000000000d
R10: ffff810034d31e58 R11: 0000000000000001 R12: ffff810039dc3000
R13: 000000000805ea48 R14: 0000000000000000 R15: 00000000c0ed0000
FS:  0000000000000000(0000) GS:ffffffff80749000(0033) knlGS:00000000b7d556b0
CS:  0060 DS: 007b ES: 007b CR0: 000000008005003b
CR2: 0000000000000000 CR3: 0000000034d43000 CR4: 00000000000006e0
Process mount (pid: 14656, veid=300, threadinfo ffff810034d30000, task
ffff810034c86bc0)
Stack:  0000000000000000 ffff810034dd0000 ffff810034e4a000 000000000805ea48
 0000000000000000 0000000000000000 0000000000000000 0000000000000000
 000000000805ea48 ffffffff8021e64e 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff8021e64e>] ia32_sysret+0x0/0xa

Code: 83 3b 06 0f 85 41 01 00 00 0f b7 43 0c 89 43 14 0f b7 43 0a
RIP  [<ffffffff802bc7c6>] compat_sys_mount+0xd6/0x290
 RSP <ffff810034d31f38>
CR2: 0000000000000000

The problem is that data_page pointer can be NULL, so we should skip data
conversion in this case.

Signed-off-by: Andrey Mirkin <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit ce9507af8c85327ac05e91a43c138591ed85b0aa
Author: Andrew Morton <[email protected]>
Date: Wed Dec 6 20:31:33 2006 -0800

[PATCH] drm-sis linkage fix

Fix http://bugzilla.kernel.org/show_bug.cgi?id=7606

WARNING: "drm_sman_set_manager" [drivers/char/drm/sis.ko] undefined!

Cc: <[email protected]>
Cc: Dave Airlie <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit a030daed9949daa6746072ee2752217adc424252
Author: Andrew Morton <[email protected]>
Date: Wed Dec 6 20:31:30 2006 -0800

[PATCH] add bottom_half.h

With CONFIG_SMP=n:

drivers/input/ff-memless.c:384: warning: implicit declaration of function 'local_bh_disable'
drivers/input/ff-memless.c:393: warning: implicit declaration of function 'local_bh_enable'

Really linux/spinlock.h should include linux/interrupt.h.  But interrupt.h
includes sched.h which will need spinlock.h.

So the patch breaks the _bh declarations out into a separate header and
includes it in both interrupt.h and spinlock.h.

Cc: "Randy.Dunlap" <[email protected]>
Cc: Andi Kleen <[email protected]>
Cc: <[email protected]>
Cc: Ingo Molnar <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 04ff1391c82a403b5775da6e03c22559f86de091
Author: Thomas Graf <[email protected]>
Date: Thu Dec 7 23:49:45 2006 -0800

[PATCH] NETLINK: Restore API compatibility of address and neighbour bits

Restore API compatibility due to bits moved from rtnetlink.h to
separate headers.

Signed-off-by: Thomas Graf <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit d58808bcc7cb732a4f62af1105d46757d3167e57
Author: Jeet Chaudhuri <[email protected]>
Date: Fri Dec 8 01:32:22 2006 +0200

[PATCH] IrDA: Incorrect TTP header reservation

We must reserve SAR + MAX_HEADER bytes for IrLMP to fit in.
This fixes an oops reported (and fixed) by Jeet Chaudhuri, when max_sdu_size
is greater than 0.

Signed-off-by: Samuel Ortiz <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 5bcd4af5fcd996bdd309bf506a60c6217810b1c6
Author: David Miller <[email protected]>
Date: Thu Dec 7 00:40:36 2006 -0800

[PATCH] IPSEC: Fix inetpeer leak in ipv4 xfrm dst entries.

We grab a reference to the route's inetpeer entry but
forget to release it in xfrm4_dst_destroy().

Bug discovered by Kazunori MIYAZAWA <[email protected]>

Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 53f9565904925cf3cf5d059c245cee2c974e5508
Author: Sean Young <[email protected]>
Date: Wed Dec 6 20:27:32 2006 +0000

[PATCH] USB: Fix oops in PhidgetServo

The PhidgetServo causes an Oops when any of its sysfs attributes are read
or written to, making the driver useless.

Signed-off-by: Sean Young <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 4bcae31990d440ff1c58702b66db014f0c659fb3
Author: Patrick McHardy <[email protected]>
Date: Mon Dec 4 20:01:31 2006 -0800

[PATCH] XFRM: Use output device disable_xfrm for forwarded packets

Currently the behaviour of disable_xfrm is inconsistent between
locally generated and forwarded packets. For locally generated
packets disable_xfrm disables the policy lookup if it is set on
the output device, for forwarded traffic however it looks at the
input device. This makes it impossible to disable xfrm on all
devices but a dummy device and use normal routing to direct
traffic to that device.

Always use the output device when checking disable_xfrm.

Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit ad8ca99ca28aba9961395dd59fdd1adfa6ad07fd
Author: David Miller <[email protected]>
Date: Mon Dec 4 19:57:11 2006 -0800

[PATCH] TOKENRING: Remote memory corruptor in ibmtr.c

ip_summed changes last summer had missed that one.  As the result,
we have ip_summed interpreted as CHECKSUM_PARTIAL now.  IOW,
->csum is interpreted as offset of checksum in the packet.  net/core/*
will both read and modify the value as that offset, with obvious
reasons.  At the very least it's a remote memory corruptor.

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit a526d58e9f362189b49a3ca73315101ff0fc1dc1
Author: Alexey Dobriyan <[email protected]>
Date: Sat Dec 2 23:58:49 2006 +0300

[PATCH] do_coredump() and not stopping rewrite attacks? (CVE-2006-6304)

On Sat, Dec 02, 2006 at 11:47:44PM +0300, Alexey Dobriyan wrote:
> David Binderman compiled 2.6.19 with icc and grepped for "was set but never
> used". Many warnings are on
> 	http://coderock.org/kj/unused-2.6.19-fs

Heh, the very first line:
fs/exec.c(1465): remark #593: variable "flag" was set but never used

fs/exec.c:
  1477		/*
  1478		 *	We cannot trust fsuid as being the "true" uid of the
  1479		 *	process nor do we know its entire history. We only know it
  1480		 *	was tainted so we dump it as root in mode 2.
  1481		 */
  1482		if (mm->dumpable == 2) {	/* Setuid core dump mode */
  1483			flag = O_EXCL;		/* Stop rewrite attacks */
  1484			current->fsuid = 0;	/* Dump root private */
  1485		}

And then filp_open follows with "flag" totally ignored.

Signed-off-by: Chris Wright <[email protected]>
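
The unused-variable bug described in the commit message above, reduced to user space as an added example (not code from the kernel or from the patch). `write_dump` and `demo` are hypothetical names and the pre-existing file is constructed sample data; the example shows the open succeeding and overwriting an existing file when the computed `O_EXCL` is dropped, and failing with `EEXIST` when it is passed through.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical user-space stand-in for the dump path: writes "CORE" to path.
 * honour_flag == 0 reproduces the bug (flag computed, never passed to open). */
static int write_dump(const char *path, int setuid_mode, int honour_flag)
{
    int flag = 0;
    int oflags = O_CREAT | O_WRONLY;
    int fd;
    ssize_t n;

    if (setuid_mode)
        flag = O_EXCL;              /* intent: never reuse an existing file */
    if (honour_flag)
        oflags |= flag;

    fd = open(path, oflags, 0600);
    if (fd < 0)
        return -errno;              /* -EEXIST when O_EXCL meets an existing file */
    n = write(fd, "CORE", 4);
    close(fd);
    return n == 4 ? 0 : -EIO;
}

/* Pre-creates a file holding "DATA" (constructed sample), runs write_dump()
 * against it, and reports whether the original content survived. */
static int demo(int honour_flag, int *preserved)
{
    char path[] = "/tmp/excl_demo_XXXXXX";
    char buf[8] = {0};
    int rc, fd = mkstemp(path);

    if (fd < 0)
        return -errno;
    if (write(fd, "DATA", 4) != 4) {
        close(fd);
        unlink(path);
        return -EIO;
    }
    close(fd);

    rc = write_dump(path, 1, honour_flag);

    fd = open(path, O_RDONLY);
    if (fd >= 0) {
        if (read(fd, buf, sizeof(buf) - 1) < 0)
            buf[0] = '\0';
        close(fd);
    }
    *preserved = (strcmp(buf, "DATA") == 0);
    unlink(path);
    return rc;
}

int main(void)
{
    int kept = 0, rc;

    rc = demo(0, &kept);
    printf("flag ignored:  rc=%d, existing file preserved=%d\n", rc, kept);
    rc = demo(1, &kept);
    printf("flag honoured: rc=%d (%s), existing file preserved=%d\n",
           rc, rc < 0 ? strerror(-rc) : "ok", kept);
    return 0;
}
```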

commit 68057dcdf944f5801af3692c63e1f193e0f1a818
Author: Michael S Tsirkin <[email protected]>
Date: Mon Dec 4 18:44:48 2006 +0200

[PATCH] IB/ucm: Fix deadlock in cleanup

ib_ucm_cleanup_events() holds file_mutex while calling ib_destroy_cm_id().
This can deadlock since ib_destroy_cm_id() flushes event handlers, and
ib_ucm_event_handler() needs file_mutex, too.  Therefore, drop the
file_mutex during the call to ib_destroy_cm_id().

Signed-off-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Roland Dreier <[email protected]>
Acked-by: Sean Hefty <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit bed569c712c48235f355b963d41482ecda314e4f
Author: Maxime Austruy <[email protected]>
Date: Sun Dec 3 10:40:01 2006 -0600

[PATCH] softmac: fix unbalanced mutex_lock/unlock in ieee80211softmac_wx_set_mlme

Routine ieee80211softmac_wx_set_mlme has one return that fails
to release a mutex acquired at entry.

Signed-off-by: Maxime Austruy <[email protected]>
Signed-off-by: Larry Finger <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 721aed8126ef1b3823fdd27c3fc3b98667e80fa9
Author: Bart De Schuymer <[email protected]>
Date: Mon Dec 4 12:22:10 2006 +0100

[PATCH] NETFILTER: bridge netfilter: deal with martians correctly

The attached patch resolves an issue where an IP DNATed packet with a
martian source is forwarded while it's better to drop it. It also
resolves messages complaining about ip forwarding being disabled while
it's actually enabled. Thanks to lepton <[email protected]> for
reporting this problem.

This is probably a candidate for the -stable release.

Signed-off-by: Bart De Schuymer <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 204f62139c90f142d05372d71e58cc3e6c9780ac
Author: Dmitry Mishin <[email protected]>
Date: Mon Dec 4 12:22:09 2006 +0100

[PATCH] NETFILTER: Fix iptables compat hook validation

In compat mode, matches and targets valid hooks checks are always successful due
to the e->comefrom field not being initialized yet. This patch separates these checks from
translation code and moves them after mark_source_chains() call, where these
marks are initialized.

Signed-off-by: Dmitry Mishin <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 9d62d3f1f0eb730d9308aa4fa427a0e682d22b5f
Author: Dmitry Mishin <[email protected]>
Date: Mon Dec 4 12:22:07 2006 +0100

[PATCH] NETFILTER: Fix {ip, ip6, arp}_tables hook validation

Commit 590bdf7fd2292b47c428111cb1360e312eff207e introduced a regression
in match/target hook validation. mark_source_chains builds a bitmask
for each rule representing the hooks it can be reached from, which is
then used by the matches and targets to make sure they are only called
from valid hooks. The patch moved the match/target specific validation
before the mark_source_chains call, at which point the mask is always zero.

This patch returns back to the old order and moves the standard checks
to mark_source_chains. This allows to get rid of a special case for
standard targets as a nice side-effect.

Signed-off-by: Dmitry Mishin <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit c856e3d57e3fdb74237ddfb8356e1cabee94c155
Author: Jurij Smakov <[email protected]>
Date: Sun Dec 3 19:36:32 2006 -0800

[PATCH] SUNHME: Fix for sunhme failures on x86

The following patch fixes the failure of sunhme drivers on x86 hosts
due to missing pci_enable_device() and pci_set_master() calls, lost
during code refactoring. It has been filed as bugzilla bug #7502 [0]
and Debian bug #397460 [1].

[0] http://bugzilla.kernel.org/show_bug.cgi?id=7502
[1] http://bugs.debian.org/397460

Signed-off-by: Jurij Smakov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 643f290e85dca25c7fdf914b0fa20f104b2c2321
Author: David Miller <[email protected]>
Date: Fri Dec 1 20:36:44 2006 -0800

[PATCH] PKT_SCHED act_gact: division by zero

Not returning -EINVAL, because someone might want to use the value
zero in some future gact_prob algorithm?

Signed-off-by: Kim Nordlund <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 36dc46c8de3f6b4aa27622e808b35be5d7d5cf06
Author: Len Brown <[email protected]>
Date: Sat Dec 2 02:27:46 2006 -0500

[PATCH] Revert "ACPI: SCI interrupt source override"

This reverts commit 281ea49b0c294649a6de47a6f8fbe5611137726b,
which broke ACPI Interrupt source overrides that move
the SCI from one IRQ in PIC mode to another in IOAPIC mode.

If the SCI shared an interrupt line with another device,
this would result in a "irq 18: nobody cared" type failure.

http://bugzilla.kernel.org/show_bug.cgi?id=7601

Signed-off-by: Len Brown <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 3da6c899c1a015019d05c724700b992cd740687d
Author: Herbert Xu <[email protected]>
Date: Sat Dec 2 14:37:27 2006 +1100

[PATCH] cryptoloop: Select CRYPTO_CBC

As CBC is the default chaining method for cryptoloop, we should select
it from cryptoloop to ease the transition.

Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 98178d01fce23126ffd2f71ca5c289db02ec460e
Author: Patrick McHardy <[email protected]>
Date: Thu Nov 30 20:06:33 2006 -0800

[PATCH] NET_SCHED: policer: restore compatibility with old iproute binaries

The tc actions increased the size of struct tc_police, which broke
compatibility with old iproute binaries since both the act_police
and the old NET_CLS_POLICE code check for an exact size match.

Since the new members are not even used, the simple fix is to also
accept the size of the old structure. Dumping is not affected since
old userspace will receive a bigger structure, which is handled fine.

Signed-off-by: Patrick McHardy <[email protected]>
Acked-by: Jamal Hadi Salim <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit bf59e3085f0d107969c01c3c00c88b0db3a3ca82
Author: Al Viro <[email protected]>
Date: Thu Nov 30 19:47:59 2006 -0800

[PATCH] EBTABLES: Prevent wraparounds in checks for entry components' sizes.

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit dc983545ac3c17728ebb1e0c56aadc85ae3f8daf
Author: Al Viro <[email protected]>
Date: Thu Nov 30 19:47:58 2006 -0800

[PATCH] EBTABLES: Deal with the worst-case behaviour in loop checks.

No need to revisit a chain we'd already finished with during
the check for current hook.  It's either instant loop (which
we'd just detected) or a duplicate work.

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 2066918ca75a860c085f294db4f679a397bcc9a3
Author: Al Viro <[email protected]>
Date: Thu Nov 30 19:47:56 2006 -0800

[PATCH] EBTABLES: Verify that ebt_entries have zero ->distinguisher.

We need that for iterator to work; existing check had been too weak.

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit 1ebe9529ae0ea279959d6455811f6f8cfcff0485
Author: Al Viro <[email protected]>
Date: Thu Nov 30 19:47:52 2006 -0800

[PATCH] EBTABLES: Fix wraparounds in ebt_entries verification.

We need to verify that
	a) we are not too close to the end of buffer to dereference
	b) next entry we'll be checking won't be _before_ our

While we are at it, don't subtract unrelated pointers...

Signed-off-by: Al Viro <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
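
The two conditions listed in the commit message above, written out as a wraparound-safe walk over a user-supplied blob. This is an added example, not code from the kernel or from the patch: `struct entry_hdr`, `count_entries`, `naive_check_passes` and `check_blob` are hypothetical, the layout is not the real ebtables one, and the blob is constructed sample data. It works on offsets rather than pointers, so no unrelated pointers are ever subtracted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical entry header for illustration; not the real ebtables layout. */
struct entry_hdr {
    uint32_t next_offset;   /* distance from this entry to the next one */
    uint32_t tag;
};

/* Naive bound check: the 32-bit sum wraps, so a huge next_offset passes. */
static int naive_check_passes(uint32_t off, uint32_t next_offset, uint32_t len)
{
    return (uint32_t)(off + next_offset) <= len;
}

/* Walks the entries in buf[0..len). Returns the entry count, or -1 if any
 * entry is malformed. Every comparison subtracts from len instead of adding
 * to off, so nothing can wrap (off < len holds at each subtraction). */
static int count_entries(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        struct entry_hdr h;

        if (len - off < sizeof(h))          /* (a) room to read the header */
            return -1;
        memcpy(&h, buf + off, sizeof(h));

        if (h.next_offset < sizeof(h))      /* (b) next entry moves forward */
            return -1;
        if (h.next_offset > len - off)      /* ... and stays inside the buffer */
            return -1;

        off += h.next_offset;
        n++;
    }
    return n;
}

/* Builds a constructed two-entry blob; second_next is the second entry's
 * next_offset field. Returns what count_entries() makes of it. */
static int check_blob(uint32_t second_next)
{
    unsigned char buf[16];
    struct entry_hdr e0 = { 8, 1 }, e1 = { second_next, 2 };

    memcpy(buf, &e0, sizeof(e0));
    memcpy(buf + 8, &e1, sizeof(e1));
    return count_entries(buf, sizeof(buf));
}

int main(void)
{
    printf("well-formed blob:       %d entries\n", check_blob(8));
    printf("wrapping next_offset:   naive check passes=%d, safe walk=%d\n",
           naive_check_passes(8, 0xFFFFFFF8u, 16), check_blob(0xFFFFFFF8u));
    printf("zero next_offset:       safe walk=%d\n", check_blob(0));
    return 0;
}
```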

commit 80215bd7c3d16e459f0d96edbe310f0c5e0df3e8
Author: Michael Buesch <[email protected]>
Date: Wed Nov 29 18:51:12 2006 -0600

[PATCH] softmac: remove netif_tx_disable when scanning

In the scan section of ieee80211softmac, network transmits are disabled.
When SoftMAC re-enables transmits, it may override the wishes of a driver
that may have very good reasons for disabling transmits. At least one failure
in bcm43xx can be traced to this problem. In addition, several unexplained
problems may arise from the unexpected enabling of transmits.

Signed-off-by: Michael Buesch <[email protected]>
Signed-off-by: Larry Finger <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

commit ba29705432462317d1a7b135612a9ef5b928d6c0
Author: David Miller <[email protected]>
Date: Sat Dec 2 21:04:06 2006 -0800

[PATCH] IPV6 NDISC: Calculate packet length correctly for allocation.

MAX_HEADER does not include the ipv6 header length in it,
so we need to add it in explicitly.

With help from YOSHIFUJI Hideaki.

Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>