== Changes ==
* Driver updates from RHEL4u2/official sites to make OpenVZ conform to official HCL
* Mainstream security fixes
* Fixes for EMT64/ia64 compilation
* Small VPS/UBC fixes
<includeonly>[[{{PAGENAME}}/changes#Configs|{{Long changelog message}}]]</includeonly><noinclude>
=== Configs ===
The same as {{kernel link|2.6.8|022stab044.1}} plus:
* +<code>CONFIG_ATA_OVER_ETH=y</code>
* +<code>CONFIG_SCSI_LPFC=y</code>
* +<code>CONFIG_SCSI_ISCSI_SFNET=y</code>
* +<code>CONFIG_SCSI_QLA4XXX=y</code>
* +<code>CONFIG_SCSI_QLA4XXX_FAILOVER=n</code>
* +<code>CONFIG_SCSI_FC_ATTRS=y</code>
* +<code>CONFIG_SCSI_ISCSI_ATTRS=y</code>
=== Driver updates ===
* aacraid v1.1.5 (site)
* aoe v14 (site)
* e1000 v6.0.54 (site)
* e100 v3.4.8 (site)
* emulex v8.0.16.17 (site)
* iscsi-sfnet v4.0.1.11.1 (rhel4u2)
* megaraid v2.20.x (site)
* qla4xx v5.00.02 (site)
* r8169 v2.2 (site)
* sk98lin v8.24.1.3 (site)
* snapapi v0.6.7 (site)
* tg3 v3.27 (rhel4u)
=== Other updates ===
* scsi midlayer (rhel4u2)
* ide csb6-raid support (rhel4u2)
* intel ich7 and esb2 support (rhel4u2)
* libata v1.11 (rhel4u2)
=== Patches ===
==== diff-ve-emt64-apicirq-execenv-20051028 ====
<div class="change">Patch from Pavel:<br />
Added set_exec_env(get_ve0()) and back around emt64's
smp_apic_timer_interrupt() call.
</div>
==== diff-ve-ia64-irq-execenv-20051028 ====
<div class="change">Patch from Pavel:<br />
Added set_exec_env(get_ve0()) and back in handling
of irq in ia64.
</div>
==== diff-ve-emt64-irq-execenv-20051028 ====
<div class="change">Patch from Pavel:<br />
Added set_exec_env(get_ve0()) and back in do_IRQ for
x86_64 arch.
</div>
==== diff-ubc-ia64-irq-execub-20051028 ====
<div class="change">Patch from Pavel:<br />
Added ub0 execub context in ia64 irq handling.
</div>
==== diff-ubc-emt64-irq-execub-20051028 ====
<div class="change">Patch from Pavel:<br />
Added ub0 execub context in irq handling on x86_64.
</div>
==== diff-security-x86-sysexit-20041212 ====
<div class="change">Patch from mainstream:<br />
x86 sysenter: clear %ebp on exit.<br />
It contains the thread info pointer. That's not something that
user mode can really use for anything interesting, but it's also
not something that user mode should ever really see.<br />
Pointed out by Brad Spengler as being in PaX.
</div>
==== diff-ms-emt64-tssldt-lim-20051027 ====
<div class="change">Patch from mainstream:<br />
[PATCH] Fix LDT/TSS limit on x86-64<br />
Paul Menage pointed out that the previous change for the LDT/TSS
limit on x86-64 was incorrect. This could cause the user to corrupt memory
beyond the LDT. This patch implements the fix suggested by Paul.
http://linux.bkbits.net:8080/linux-2.6/cset@1.1938.63.107<br/>
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146244
</div>
==== diff-ve-vzwdog-pginfo-20051027 ====
<div class="change">Patch from Andrey Mirkin, modified by Kirill:<br />
This patch adds printing of pgdat info to vzwdog.
</div>
==== diff-CAN-2005-0135-ia64-unwind ====
<div class="change">Patch from mainstream:<br />
[IA64] Sanity check unw_unwind_to_user<br />
The unw_unwind_to_user function in unwind.c on
Itanium (ia64) architectures in Linux kernel 2.6
allows local users to cause a denial of service
(system crash).<br />
Signed-off-by: Keith Owens <kaos@sgi.com><br />
Signed-off-by: Tony Luck <tony.luck@intel.com>
http://linux.bkbits.net:8080/linux-2.6/cset@1.1966.2.27
</div>
==== diff-CAN-2005-0136-ia64 ====
<div class="change">Patch from mainstream, ported by Pavel:<br />
A flaw affecting the auditing code was discovered.
On Itanium architectures a local user could use this
flaw to cause a denial of service (crash). This issue
is rated as having important security impact (CAN-2005-0136).
http://linux.bkbits.net:8080/linux-2.6/gnupatch@41f2d1eePludGYyb1yOmGaW6Iois8Q
</div>
==== diff-ms-ia64-ptrace-spd-20051025 ====
<div class="change">Patch from mainstream:<br />
[IA64] speedup ptrace by avoiding kernel-stack walk<br />
This patch changes the syscall entry path to store the
current-frame-mask (CFM) in pt_regs->cr_ifs. This just takes one
extra instruction (a "dep" to clear the bits other than 0-37) and is
free in terms of cycles.<br />
The advantage of doing this is that it lets ptrace() avoid having to
walk the stack to determine the end of the user-level backing-store of
a process which is in the middle of a system-call. Since this is what
strace does all the time, this speeds up strace quite a bit (by ~50%).
More importantly, it makes the syscall vs. non-syscall case much more
symmetric, which is always something I wanted.<br />
Note that the change to ivt.S looks big but this is just a rippling
effect of instruction-scheduling to keep syscall latency the same.
All that's really going on there is that instead of storing 0 into
cr_ifs member we store the low 38 bits of ar.pfs.<br />
Signed-off-by: David Mosberger <davidm@hpl.hp.com><br />
Signed-off-by: Tony Luck <tony.luck@intel.com>
</div>
==== diff-ms-ia64-cpurelax-20051026 ====
<div class="change">Patch from mainstream:<br />
[IA64] add cpu_relax() in the body of spin loops<br />
This patch adds cpu_relax() in the body of spin loops in
smp_call_function(), smp_call_function_single(), and
ia64_mca_wakeup_ipi_wait().<br />
Signed-off-by: Fenghua Yu <fenghua.yu@intel.com><br />
Signed-off-by: Tony Luck <tony.luck@intel.com>
http://linux.bkbits.net:8080/linux-2.6/cset@1.1938.335.15
</div>
==== diff-video-vga80x25-20051027 ====
<div class="change">Patch from Kostja:<br />
Hack to force 80x25 video mode on boot,
when framebuffer is not configured.
</div>
==== diff-ms-e7xx-irqaffinity-disable ====
<div class="change">Patch from mainstream/RHEL4u2:<br />
Add pci quirks for intel E7320_MCH and E7525_MCH to
disable irq balancing.<br />
As part of the workaround for the "Interrupt message re-ordering across
hub interface" errata (page #16 in
<br />[http://developer.intel.com/design/chipsets/specupdt/30288402.pdf http://developer.intel.com/design/chipsets/specupdt/30288402.pdf]),
BIOS may enable hardware IRQ balancing for E7520/E7320/E7525 (revision ID
0x9 and below) based platforms.<br />
Add pci quirks to disable SW irqbalance/affinity on those platforms.
Move balanced_irq_init() to late_initcall so that kirqd will be started
after pci quirks.
</div>
==== diff-ms-invalidate-page-race-fix ====
<div class="change">Patch from mainstream:<br />
invalidate_inode_pages() and invalidate_inode_pages2()
can mark pages not uptodate while read() is trying
to read from them. This is interpreted as an I/O error.<br />
Fix that by teaching the invalidate code to leave the page alone if someone
else has a ref on it.
http://linux.bkbits.net:8080/linux-2.6/gnupatch@4174aca2ocZwQ_22QLBHXsj0hDWUWw
</div>
==== diff-ubc-pbc-racefix-20051027 ====
<div class="change">Patch from Pavel, modified by Kirill:<br />
Fixup of race between page_beancounting removing and
checking page for having valid pbc.
<br />Bug 52609.
</div>
==== diff-ve-ia64-taskvisibility-20051027 ====
<div class="change">Patch from Andrey:<br />
This patch fixes VE task find/traverse in the ia64 performance monitor.
</div>
==== diff-ms-jbd-umount-race ====
<div class="change">Patch from mainstream:<br />
[PATCH] kjournald: missing JFS_UNMOUNT check<br />
It seems that kjournald() may be missing a check of the JFS_UNMOUNT flag
before calling schedule(). This showed up in testing of OCFS2 recovery
where our recovery thread would hang in journal_kill_thread() called from
journal_destroy() because kjournald never got a chance to read the flag to
shut down before the schedule().<br />
Zach pointed out the missing check which led me to hack up this trivial
patch. It's been tested many times now and I have yet to reproduce the
hang, which was happening very regularly before.<br />
<mild rant><br />
I'm guessing that we could really use some wait_event() calls with helper
functions in, well, most of jbd these days which would make a ton of the
wait code there vastly cleaner.<br />
</mild rant><br />
As for why this doesn't happen in ext3 (or OCFS2 during normal
mount/unmount of the local nodes journal), I think it may be that the specific
timing of events in the ocfs2 recovery thread exposes a race there.
Because ocfs2_replay_journal() is only interested in playing back the
journal, initialization and shutdown happen very quickly with no other
metadata put into that specific journal.<br />
Acked-by: "Stephen C. Tweedie" <sct@redhat.com><br />
Signed-off-by: Andrew Morton <akpm@osdl.org><br />
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
http://linux.bkbits.net:8080/linux-2.6/gnupatch@431f7f05jxd-iagNaeYGxq4IVmcwYg
</div>
==== diff-ms-ext2-umount-leak ====
<div class="change">Patch from mainstream:<br />
The patch below fixes an ext2/ext3 memory leak: the _fill_super
functions allocate percpu data structures but don't free them in
_put_super.
http://linux.bkbits.net:8080/linux-2.6/gnupatch@41bdc37fLNoIB6Kx0Q-o47geCYYAYg
</div>
==== diff-ms-nfs-mmap-corruption ====
<div class="change">Patch from mainstream:
When doing shared mmap writes, the resulting dirty NFS pages may
find themselves incapable of being flushed out if I/O is started
after the file was released.
Make sure we start I/O on all existing dirty pages in nfs_file_release().
http://linux.bkbits.net:8080/linux-2.6/gnupatch@4237ab9clq5WkE9BXlZbzpb6sb0_7Q
</div>
==== diff-ms-pty-close-race-20041218 ====
<div class="change">Patch from mainstream:<br />
[PATCH] Fix a race condition in pty.c
There is a race condition in pty.c when pty_close wakes up the waiter on its
pair device before setting the TTY_OTHER_CLOSED flag.
On an SMP or preempt kernel the waiter can wake up too early, not see the
TTY_OTHER_CLOSED flag, and fall asleep again - a missed
wakeup.
hjl reports that this bug will hang some expect scripts on SMP machines.<br />
Signed-off-by: Zou Nan hai <Nanhai.zou@intel.com><br />
Signed-off-by: Andrew Morton <akpm@osdl.org><br />
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
</div>
==== diff-ms-ia64-ia32-sigsusp-20051026 ====
<div class="change">Patch from mainstream:<br />
Fixup of incorrect memset in ia32_rt_sigsuspend().
</div>
==== diff-ms-ia64-vmallocfaults ====
<div class="change">Patch from mainstream:<br />
When copying data from user-space to kernel-space
by __copy_user(), a page_not_present fault sometimes
occurs at vmalloced kernel address because of VHPT
pre-fetching. Ignore the page_not_present fault in
ia64_do_page_fault() before jumping into exception
handlers.
http://linux.bkbits.net:8080/linux-2.6/gnupatch@431e211200BFHGYtKlZEEKV7PWQ1SA
</div>
==== diff-ve-procptrace-20051027 ====
<div class="change">Patch from Kirill:<br />
This patch adds a defensive VPS check in proc::may_ptrace_attach().
Suggested by Solar Designer.
</div>
==== diff-ia64-headers-20051025 ====
<div class="change">Patch from Andrey Mirkin:<br />
This patch fixes vzctl compilation with 2.6 headers on IA64.
</div>
==== diff-rh-irq-stack-apic-context ====
<div class="change">Patch from RedHat:
The patch below switches the APIC timer IRQ to the irq-stack, to
save ~350 bytes from the 4K process stack - nearly 10% and quite
reasonable. I've given it a quick go and it works fine. (Solves
bz#151222)
</div>
==== diff-CAN-2005-0207-nfsd ====
<div class="change">Patch from mainstream:<br />
[PATCH] NFS client O_DIRECT error case fix
The NFS direct-io error return path for request sizes greater than
MAX_DIRECTIO_SIZE fails to initialize the returned page struct array
pointer to NULL.
Discovered using AKPM's ext3-tools: odwrite -ko 0 16385 foo
Signed-off-by: Bill Rugolsky <brugolsky@telemetry-investments.com><br/>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
</div>
==== diff-ve-ip-conntrack-sysctls-20051026 ====
<div class="change">Patch from Dmitry:<br/>
Fixed the ability to set conntrack-related parameters
through the sysctl interface.
<br />Bug 52951.
</div>
==== diff-CAN-2005-2872-ipt-recent ====
<div class="change">Patch from mainstream:
The ipt_recent kernel module (ipt_recent.c) in Linux kernel before
2.6.12, when running on 64-bit processors such as AMD64, allows remote
attackers to cause a denial of service (kernel panic) via certain
attacks such as SSH brute force, which leads to memset calls using a
length based on the u_int32_t type, acting on an array of unsigned long
elements, a different vulnerability than {{CVE|2005-2873}}.
2005/06/15 20:51:14-07:00 davem@davemloft.net<br/>
[NETFILTER]: ipt_recent: last_pkts is an array of "unsigned long" not
"u_int32_t"
This fixes various crashes on 64-bit when using this module.
Based upon a patch by Juergen Kreileder <jk@blackdown.de>.
Signed-off-by: David S. Miller <davem@davemloft.net><br />
ACKed-by: Patrick McHardy <kaber@trash.net>
GIT: bcfff0b471a60df350338bcd727fc9b8a6aa54b2
</div>
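The ipt_recent entry above describes a length computed from u_int32_t being applied to an array of unsigned long, which is only harmless on ILP32. The following is an added, standalone illustration of that defect class and of the fix pattern (derive the length from the element type and bounds-check before clearing); it is not the kernel's ipt_recent.c, and the struct and helper names are hypothetical.

```c
/* Standalone model of the ipt_recent size-mismatch bug class (added example,
 * not kernel code). Names such as recent_hist and hist_clear are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stand-in for a per-address packet-time history. */
struct recent_hist {
    unsigned long *last_pkts;  /* elements are unsigned long, as in the fix */
    size_t nr;                 /* number of elements */
    size_t alloc_bytes;        /* bytes actually allocated, used by the check */
};

/* Buggy sizing: the length is derived from u_int32_t even though the
 * elements are unsigned long. On LP64 this yields half the bytes needed. */
static size_t buggy_bytes(size_t nr) { return nr * sizeof(uint32_t); }

/* Correct sizing: the length is derived from the element type itself. */
static size_t fixed_bytes(size_t nr) { return nr * sizeof(unsigned long); }

/* Shortfall of the buggy computation for nr elements:
 * 0 on ILP32, nr * 4 on LP64. */
size_t bytes_short(size_t nr) { return fixed_bytes(nr) - buggy_bytes(nr); }

static int hist_init(struct recent_hist *h, size_t nr, size_t bytes)
{
    h->last_pkts = malloc(bytes ? bytes : 1);
    if (!h->last_pkts)
        return -1;
    h->nr = nr;
    h->alloc_bytes = bytes;
    return 0;
}

/* Clear the history using a length taken from the element, never from a
 * fixed-width type. Returns 0 on success, -1 if the clear would overrun. */
int hist_clear(struct recent_hist *h)
{
    size_t need = h->nr * sizeof(*h->last_pkts);
    if (need > h->alloc_bytes)
        return -1;             /* refuse rather than write past the buffer */
    memset(h->last_pkts, 0, need);
    return 0;
}

/* Allocate with the given sizing function and report whether a clear of
 * nr elements stays inside the allocation (1 = fits, 0 = would overrun,
 * -1 = allocation failure). */
static int sizing_fits(size_t nr, size_t (*bytes_for)(size_t))
{
    struct recent_hist h;
    int ok;
    if (hist_init(&h, nr, bytes_for(nr)))
        return -1;
    ok = (hist_clear(&h) == 0) ? 1 : 0;
    free(h.last_pkts);
    return ok;
}

int buggy_sizing_fits(size_t nr) { return sizing_fits(nr, buggy_bytes); }
int fixed_sizing_fits(size_t nr) { return sizing_fits(nr, fixed_bytes); }
```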
==== diff-ms-jbdstack-20051025 ====
<div class="change">Patch from mainstream:<br />
[PATCH] JBD: reduce stack and number of journal descriptors
Dynamically allocate the holding array for kjournald write patching rather
than allocating it on the stack.
Signed-off-by: Alex Tomas <alex@clusterfs.com><br />
Signed-off-by: Andrew Morton <akpm@osdl.org><br />
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
</div>
==== diff-emt64-gatevma-20051017 ====
<div class="change">Patch from mainstream, backported by Alexey:
get_user_pages() oopses on vsyscall pages. Mainstream has at least
two critical patches:
<pre>
Author: ak <ak@suse.de>
Date: Mon Nov 15 19:53:40 2004 -0800
[PATCH] x86-64: Fix get_user_pages access to vsyscall page
The current kernel oopses on x86-64 when gdb steps into the vsyscall page.
This patch fixes it.
I also removed the bogus NULL checks of _offset and replaced them with
proper _none checks. I made them BUGs because vsyscall pages should be
always mapped.
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
ChangeSet@1.1938.364.10
</pre>
diff-tree 690dbe1ced143876d8fa56b72310738dbe079d0a (from 74f9c9c258249fba3e2e78f)
<pre>
Author: Hugh Dickins <hugh@veritas.com>
Date: Mon Aug 1 21:11:42 2005 -0700
[PATCH] x86_64: access of some bad address
x86_64 has a large sparse gate area between VSYSCALL_START and
VSYSCALL_END, not all of it presently backed by pmds. Alexander Nyberg has
found that in some circumstances gdb may try to ptrace here, and hit
get_user_pages BUG_ON. It seems odd that gdb should be accessing here, but
it certainly shouldn't crash in this way: relax BUG_ON to -EFAULT.
Fixes kernel bugzilla #4801.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
</pre>
</div>
==== diff-emt64-vsyscall-20041119 ====
<div class="change">Patch from mainstream:<br />
[PATCH] x86_64: fix vsyscalls<br />
Author: ak <ak@suse.de><br />
Date: Fri Nov 19 15:20:37 2004 -0800
Fix incorrect alignment in the vsyscall variables that caused
vsyscalls to be completely broken.
This change should decrease system time during TPC-* tests
considerably.
Clean up the vmlinux.lds to make it more readable.
Do some cleanups in the vsyscall code.
Align cacheline_aligned correctly on 128 byte cacheline systems.
Signed-off-by: Andi Kleen <ak@suse.de><br />
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
ChangeSet@1.1938.386.62
</div>
==== diff-ms-cbq-destroy-20051025 ====
<div class="change">Patch from mainstream:<br />
[PKT_SCHED]: CBQ; Destroy filters before destroying classes.
CBQ destroys its classes by traversing the hashtable and thus
classes are not destroyed from root to leafs which means that
class Y being a subclass of class X may be destroyed before X.
This is a problem if a filter is attached to class X (parent)
classifying into class Y (result). In case Y gets deleted
before X the filter references an already deleted class while
trying to unbind (cbq_unbind_filter).
Therefore all filters must be destroyed before destroying classes.
An additional BUG_TRAP has been added to document this not so obvious
case.
http://linux.bkbits.net:8080/linux-2.6/gnupatch@4175e7a1Be1t1bq0UgwJIOmb2Jjo_Q
Bug 52585.
</div>
==== diff-security-ia64-pl3-20051018 ====
<div class="change">Patch from mainstream, prepared by Pavel:<br/>
[PATCH] ia64 ptrace + sigrestore_context (CAN-2005-1761)
This patch fixes handling of accesses to ar.rsc via ptrace &
restore_sigcontext.
</div>
==== diff-ubc-ia64-charge-20051020 ====
<div class="change">Patch from Pavel:
IA64 uses register backing store area for tasks, and it
grows like stack does, so we must charge it the same way.
Possible fix of one leaked privvmpage after each VE stop.
</div>
==== diff-vzdq-comp-quotaoff-20051020 ====
<div class="change">Patch from Alexander:<br />
This patch fixes kernel compilation when CONFIG_VZQUOTA=n
{{Bug|52}}.
</div>
==== diff-vefs-comp-quotaoff-20051020 ====
<div class="change">Patch from Alexander:
This patch fixes compilation of VZFS when CONFIG_VZQUOTA=n
{{Bug|52}}.
</div>
==== diff-ve-venet-comp-20051021 ====
<div class="change">Patch from Alexander:<br />
Fixes broken compilation when CONFIG_VE_NETDEV=n
{{Bug|52}}.
</div>
==== diff-ubc-expandstack-fix-20051020 ====
<div class="change">Patch from Pavel:
expand_stack() has two incarnations - for STACK_GROW_UP and
STACK_GROWS_DOWN. One of them uses the UB_LOW constant, which
is absent. Fixed.
</div>
==== diff-ve-proc-vpid-20051024 ====
<div class="change">Patch from Dmitry:<br />
Added a vpid field to /proc/*/status and /proc/*/stat.
Bug 52680.
</div>
==== diff-simfs-statfs-fix-20051024 ====
<div class="change">Patch from Dmitry:<br/>
Fix of df output when the quota limit is exceeded
{{Bug|59}}.
</div>
==== diff-ve-vpsdumpable-20051024 ====
<div class="change">Patch from Kirill:
This patch prohibits processes that entered a VPS from being
ptraced from inside the VPS. This doesn't fix any security
issue by itself, since vzctl enter doesn't leak any sensitive
information. But it makes isolation more logically correct
and can prevent possible security issues in the future.
</div>
</noinclude>
* Driver updates from RHEL4u2/official sites to make OpenVZ conform to official HCL
* Mainstream security fixes
* Fixes for EMT64/ia64 compilation
* Small VPS/UBC fixes
<includeonly>[[{{PAGENAME}}/changes#Configs|{{Long changelog message}}]]</includeonly><noinclude>
=== Configs ===
The same as {{kernel link|2.6.8|022stab044.1}} plus:
* +<code>CONFIG_ATA_OVER_ETH=y</code>
* +<code>CONFIG_SCSI_LPFC=y</code>
* +<code>CONFIG_SCSI_ISCSI_SFNET=y</code>
* +<code>CONFIG_SCSI_QLA4XXX=y</code>
* +<code>CONFIG_SCSI_QLA4XXX_FAILOVER=n</code>
* +<code>CONFIG_SCSI_FC_ATTRS=y</code>
* +<code>CONFIG_SCSI_ISCSI_ATTRS=y</code>
=== Driver updates ===
* aacraid v1.1.5 (site)
* aoe v14 (site)
* e1000 v6.0.54 (site)
* e100 v3.4.8 (site)
* emulex v8.0.16.17 (site)
* iscsi-sfnet v4.0.1.11.1 (rhel4u2)
* megaraid v2.20.x (site)
* qla4xx v5.00.02 (site)
* r8169 v2.2 (site)
* sk98lin v8.24.1.3 (site)
* snapapi v0.6.7 (site)
* tg3 v3.27 (rhel4u)
=== Other updates ===
* scsi midlayer (rhel4u2)
* ide csb6-raid support (rhel4u2)
* intel ich7 and esb2 support (rhel4u2)
* libata v1.11 (rhel4u2)
=== Patches ===
==== diff-ve-emt64-apicirq-execenv-20051028 ====
<div class="change">Patch from Pavel:<br />
Add set_exec_env(get_ve0()) and back in emt64's
smp_apic_timer_interrupt() call.
</div>
==== diff-ve-ia64-irq-execenv-20051028 ====
<div class="change">Patch from Pavel:<br />
Added set_exec_env(get_ve0()) and back in handling
of irq in ia64.
</div>
==== diff-ve-emt64-irq-execenv-20051028 ====
<div class="change">Patch from Pavel:<br />
Added set_exec_env(get_ve0()) and back in do_IRQ for
x86_64 arch.
</div>
==== diff-ubc-ia64-irq-execub-20051028 ====
<div class="change">Patch from Pavel:<br />
Added ub0 execub context in ia64 irq handling.
</div>
==== diff-ubc-emt64-irq-execub-20051028 ====
<div class="change">Patch from Pavel:<br />
Added ub0 execub context in irq handling on x86_64.
</div>
==== diff-security-x86-sysexit-20041212 ====
<div class="change">Patch from mainstream:<br />
x86 sysenter: clear %ebp on exit.<br />
It contains the thread info pointer. That's not something that
user mode can really use for anything interesting, but it's also
not something that user mode should ever really see.<br />
Pointed out by Brad Spender as being in PaX.
</div>
==== diff-ms-emt64-tssldt-lim-20051027 ====
<div class="change">Patch from mainstream:<br />
[PATCH] Fix LDT/TSS limit on x86-64<br />
Paul Menage pointed out that the previous change for the LDT/TSS
limit on x86-64 was incorrect. This could cause the user to corrupt memory
beyond the LDT. This patch implements the fix suggested by Paul.
http://linux.bkbits.net:8080/linux-2.6/cset@1.1938.63.107<br/>
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146244
</div>
==== diff-ve-vzwdog-pginfo-20051027 ====
<div class="change">Patch from Andrey Mirkin, modified by Kirill:<br />
This patch adds print of pgdat info in vzwdog.
</div>
==== diff-CAN-2005-0135-ia64-unwind ====
<div class="change">Patch from mainstream:<br />
[IA64] Sanity check unw_unwind_to_user<br />
The unw_unwind_to_user function in unwind.c on
Itanium (ia64) architectures in Linux kernel 2.6
allows local users to cause a denial of service
(system crash).<br />
Signed-off-by: Keith Owens <kaos@sgi.com><br />
Signed-off-by: Tony Luck <tony.luck@intel.com>
http://linux.bkbits.net:8080/linux-2.6/cset@1.1966.2.27
</div>
==== diff-CAN-2005-0136-ia64 ====
<div class="change">Patch from mainstream, ported by Pavel:<br />
A flaw affecting the auditing code was discovered.
On Itanium architectures a local user could use this
flaw to cause a denial of service (crash). This issue
is rated as having important security impact (CAN-2005-0136).
http://linux.bkbits.net:8080/linux-2.6/gnupatch@41f2d1eePludGYyb1yOmGaW6Iois8Q
</div>
==== diff-ms-ia64-ptrace-spd-20051025 ====
<div class="change">Patch from mainstream:<br />
[IA64] speedup ptrace by avoiding kernel-stack walk<br />
This patch changes the syscall entry path to store the
current-frame-mask (CFM) in pt_regs->cr_ifs. This just takes one
extra instruction (a "dep" to clear the bits other than 0-37) and is
free in terms of cycles.<br />
The advantage of doing this is that it lets ptrace() avoid having to
walk the stack to determine the end of the user-level backing-store of
a process which is in the middle of a system-call. Since this is what
strace does all the time, this speeds up strace quite a bit (by ~50%).
More importantly, it makes the syscall vs. non-syscall case much more
symmetric, which is always something I wanted.<br />
Note that the change to ivt.S looks big but this is just a rippling
effect of instruction-scheduling to keep syscall latency the same.
All that's really going on there is that instead of storing 0 into
cr_ifs member we store the low 38 bits of ar.pfs.<br />
Signed-off-by: David Mosberger <davidm@hpl.hp.com><br />
Signed-off-by: Tony Luck <tony.luck@intel.com>
</div>
==== diff-ms-ia64-cpurelax-20051026 ====
<div class="change">Patch from mainstream:<br />
[IA64] add cpu_relax() in the body of spin loops<br />
This patch adds cpu_relax() in the body of spin loops in
smp_call_function(), smp_call_function_single(), and
ia64_mca_wakeup_ipi_wait().<br />
Signed-off-by: Fenghua Yu <fenghua.yu@intel.com><br />
Signed-off-by: Tony Luck <tony.luck@intel.com>
http://linux.bkbits.net:8080/linux-2.6/cset@1.1938.335.15
</div>
==== diff-video-vga80x25-20051027 ====
<div class="change">Patch from Kostja:<br />
Hack to force 80x25 video mode on boot,
when framebuffer is not configured.
</div>
==== diff-ms-e7xx-irqaffinity-disable ====
<div class="change">Patch from mainsream/RHEL4u2:<br />
Add pci quircks for intel E7320_MCH and E7525_MCH to
disable irq balancing.<br />
As part of the workaround for the "Interrupt message re-ordering across
hub interface" errata (page #16 in
<br />[http://developer.intel.com/design/chipsets/specupdt/30288402.pdf), http://developer.intel.com/design/chipsets/specupdt/30288402.pdf),]
BIOS may enable hardware IRQ balancing for E7520/E7320/E7525(revision ID
0x9 and below) based platforms.<br />
Add pci quirks to disable SW irqbalance/affinity on those platforms.
Move balanced_irq_init() to late_initcall so that kirqd will be started
after pci quirks.
</div>
==== diff-ms-invalidate-page-race-fix ====
<div class="change">Patch from mainstream:<br />
invalidate_inode_pages() and invalidate_inode_pages2()
can mark pages not uptodate while read() is trying
to read from them. This is interpreted as an I/O error.<br />
Fix that by teaching the invalidate code to leave the page alone if someone
else has a ref on it.
http://linux.bkbits.net:8080/linux-2.6/gnupatch@4174aca2ocZwQ_22QLBHXsj0hDWUWw
</div>
==== diff-ubc-pbc-racefix-20051027 ====
<div class="change">Patch from Pavel, modified by Kirill:<br />
Fixup of race between page_beancounting removing and
checking page for having valid pbc.
<br />Bug 52609.
</div>
==== diff-ve-ia64-taskvisibility-20051027 ====
<div class="change">Patch from Andrey:<br />
This patch fixes VE tasks find/travers in ia64 perfomance monitor
</div>
==== diff-ms-jbd-umount-race ====
<div class="change">Patch from mainstream:<br />
[PATCH] kjournald: missing JFS_UNMOUNT check<br />
It seems that kjournald() may be missing a check of the JFS_UNMOUNT flag
before calling schedule(). This showed up in testing of OCFS2 recovery
where our recovery thread would hang in journal_kill_thread() called from
journal_destroy() because kjournald never got a chance to read the flag to
shut down before the schedule().<br />
Zach pointed out the missing check which led me to hack up this trivial
patch. It's been tested many times now and I have yet to reproduce the
hang, which was happening very regularly before.<br />
<mild rant><br />
I'm guessing that we could really use some wait_event() calls with helper
functions in, well, most of jbd these days which would make a ton of the
wait code there vastly cleaner.<br />
</mild rant><br />
As for why this doesn't happen in ext3 (or OCFS2 during normal
mount/unmount of the local nodes journal), I think it may that the specific
timing of events in the ocfs2 recovery thread exposes a race there.
Because ocfs2_replay_journal() is only interested in playing back the
journal, initialization and shutdown happen very quicky with no other
metadata put into that specific journal.<br />
Acked-by: "Stephen C. Tweedie" <sct@redhat.com><br />
Signed-off-by: Andrew Morton <akpm@osdl.org><br />
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
http://linux.bkbits.net:8080/linux-2.6/gnupatch@431f7f05jxd-iagNaeYGxq4IVmcwYg
</div>
==== diff-ms-ext2-umount-leak ====
<div class="change">Patch from mainstream:<br />
The patch below fixes an ext2/ext3 memory leak: the _fill_super
functions allocate percpu data structures but don't free them in
_put_super.
http://linux.bkbits.net:8080/linux-2.6/gnupatch@41bdc37fLNoIB6Kx0Q-o47geCYYAYg
</div>
==== diff-ms-nfs-mmap-corruption ====
<div class="change">Patch from mainstream:
When doing shared mmap writes, the resulting dirty NFS pages may
find themselves incapable of being flushed out if I/O is started
after the file was released.
Make sure we start I/O on all existing dirty pages in nfs_file_release().
http://linux.bkbits.net:8080/linux-2.6/gnupatch@4237ab9clq5WkE9BXlZbzpb6sb0_7Q
</div>
==== diff-ms-pty-close-race-20041218 ====
<div class="change">Patch from mainstream:<br />
[PATCH] Fix a race condition in pty.c
There is a race condition int pty.c when pty_close wakes up waiter on its
pair device before set TTY_OTHER_CLOSED flag.
It is possible on SMP or preempt kernel, waiter wakes up too early that it
will not get TTY_OTHER_CLOSED flag then fall into sleep again - missed
wakeup.
hjl reports that this bug will hang some expect scripts on SMP machines.<br />
Signed-off-by: Zou Nan hai <Nanhai.zou@intel.com><br />
Signed-off-by: Andrew Morton <akpm@osdl.org><br />
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
</div>
==== diff-ms-ia64-ia32-sigsusp-20051026 ====
<div class="change">Patch from mainstream:<br />
Fixup of incorrect memset in ia32_rt_sigsuspend().
</div>
==== diff-ms-ia64-vmallocfaults ====
<div class="change">Patch from mainstream:<br />
When copying data from user-space to kernel-space
by __copy_user(), a page_not_present fault sometimes
occurs at vmalloced kernel address because of VHPT
pre-fetching. Ignore the page_not_present fault in
ia64_do_page_fault() before Jumping into exception
handlers.
http://linux.bkbits.net:8080/linux-2.6/gnupatch@431e211200BFHGYtKlZEEKV7PWQ1SA
</div>
==== diff-ve-procptrace-20051027 ====
<div class="change">Patch from Kirill:<br />
This patch adds defensive VPS check in proc::may_ptrace_attach().
Suggested by Solar Designer.
</div>
==== diff-ia64-headers-20051025 ====
<div class="change">Patch from Andrey Mirkin:<br />
This patch fixes vzctl compilation with 2.6 headers on IA64.
</div>
==== diff-rh-irq-stack-apic-context ====
<div class="change">Patch from RedHat:
the patch below switches the APIC timer IRQ to the irq-stack, to
save ~350 bytes from the 4K process stack - nearly 10% and quite
reasonable. I've given it a quick go and it works fine. (Solves
bz#151222)
</div>
==== diff-CAN-2005-0207-nfsd ====
<div class="change">Patch from mainstream:<br />
[PATCH] NFS client O_DIRECT error case fix
The NFS direct-io error return path for request sizes greater than
MAX_DIRECTIO_SIZE fails to initialize the returned page struct array
pointer to NULL.
Discovered using AKPM's ext3-tools: odwrite -ko 0 16385 foo
Signed-off-by: Bill Rugolsky <brugolsky@telemetry-investments.com><br/>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
</div>
==== diff-ve-ip-conntrack-sysctls-20051026 ====
<div class="change">Patch from Dmitry:<br/>
fixed ability to set conntracks-related params
through sysctl interface
<br />Bug 52951.
</div>
==== diff-CAN-2005-2872-ipt-recent ====
<div class="change">Patch from mainstream:
The ipt_recent kernel module (ipt_recent.c) in Linux kernel before
2.6.12, when running on 64-bit processors such as AMD64, allows remote
attackers to cause a denial of service (kernel panic) via certain
attacks such as SSH brute force, which leads to memset calls using a
length based on the u_int32_t type, acting on an array of unsigned long
elements, a different vulnerability than {{CVE|2005-2873}}.
2005/06/15 20:51:14-07:00 davem@davemloft.net<br/>
[NETFILTER]: ipt_recent: last_pkts is an array of "unsigned long" not
"u_int32_t"
This fixes various crashes on 64-bit when using this module.
Based upon a patch by Juergen Kreileder <jk@blackdown.de>.
Signed-off-by: David S. Miller <davem@davemloft.net><br />
ACKed-by: Patrick McHardy <kaber@trash.net>
GIT: bcfff0b471a60df350338bcd727fc9b8a6aa54b2
</div>
==== diff-ms-jbdstack-20051025 ====
<div class="change">Patch from mainstream:<br />
[PATCH] JBD: reduce stack and number of journal descriptors
Dynamically allocate the holding array for kjournald write patching rather
than allocating it on the stack.
Signed-off-by: Alex Tomas <alex@clusterfs.com><br />
Signed-off-by: Andrew Morton <akpm@osdl.org><br />
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
</div>
==== diff-emt64-gatevma-20051017 ====
<div class="change">Patch from mainstream, backported by Alexey:
get_user_pages() oopses on vsyscall pages. Mainstream has at least
two critical patches:
<pre>
Author: ak <ak@suse.de>
Date: Mon Nov 15 19:53:40 2004 -0800
[PATCH] x86-64: Fix get_user_pages access to vsyscall page
The current kernel oopses on x86-64 when gdb steps into the vsyscall page.
This patch fixes it.
I also removed the bogus NULL checks of _offset and replaced them with
proper _none checks. I made them BUGs because vsyscall pages should be
always mapped.
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
ChangeSet@1.1938.364.10
</pre>
diff-tree 690dbe1ced143876d8fa56b72310738dbe079d0a (from 74f9c9c258249fba3e2e78f)
<pre>
Author: Hugh Dickins <hugh@veritas.com>
Date: Mon Aug 1 21:11:42 2005 -0700
[PATCH] x86_64: access of some bad address
x86_64 has a large sparse gate area between VSYSCALL_START and
VSYSCALL_END, not all of it presently backed by pmds. Alexander Nyberg has
found that in some circumstances gdb may try to ptrace here, and hit
get_user_pages BUG_ON. It seems odd that gdb should be accessing here, but
it certainly shouldn't crash in this way: relax BUG_ON to -EFAULT.
Fixes kernel bugzilla #4801.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
</pre>
</div>
==== diff-emt64-vsyscall-20041119 ====
<div class="change">Patch from mainstream:<br />
[PATCH] x86_64: fix vsyscalls<br />
Author: ak <ak@suse.de><br />
Date: Fri Nov 19 15:20:37 2004 -0800
Fix incorrect alignment in the vsyscall variables that caused
vsyscalls to be completely broken.
This change should decrease system time during TPC-* tests
considerably.
Clean up the vmlinux.lds to make it easier to read.
Do some cleanups in the vsyscall code.
Align cacheline_aligned correctly on 128 byte cacheline systems.
Signed-off-by: Andi Kleen <ak@suse.de><br />
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
ChangeSet@1.1938.386.62
</div>
==== diff-ms-cbq-destroy-20051025 ====
<div class="change">Patch from mainstream:<br />
[PKT_SCHED]: CBQ; Destroy filters before destroying classes.
CBQ destroys its classes by traversing the hashtable and thus
classes are not destroyed from root to leafs which means that
class Y being a subclass of class X may be destroyed before X.
This is a problem if a filter is attached to class X (parent)
classifying into class Y (result). In case Y gets deleted
before X the filter references an already deleted class while
trying to unbind (cbq_unbind_filter).
Therefore all filters must be destroyed before destroying classes.
An additional BUG_TRAP has been added to document this not so obvious
case.
http://linux.bkbits.net:8080/linux-2.6/gnupatch@4175e7a1Be1t1bq0UgwJIOmb2Jjo_Q
Bug 52585.
</div>
==== diff-security-ia64-pl3-20051018 ====
<div class="change">Patch from mainstream, prepared by Pavel:<br />
[PATCH] ia64 ptrace + sigrestore_context (CAN-2005-1761)
This patch fixes handling of accesses to ar.rsc via ptrace &
restore_sigcontext
</div>
==== diff-ubc-ia64-charge-20051020 ====
<div class="change">Patch from Pavel:<br />
IA64 uses register backing store area for tasks, and it
grows like stack does, so we must charge it the same way.
Possible fix of one leaked privvmpage after each VE stop.
</div>
==== diff-vzdq-comp-quotaoff-20051020 ====
<div class="change">Patch from Alexander:<br />
This patch fixes kernel compilation when CONFIG_VZQUOTA=n
{{Bug|52}}.
</div>
==== diff-vefs-comp-quotaoff-20051020 ====
<div class="change">Patch from Alexander:<br />
This patch fixes compilation of VZFS when CONFIG_VZQUOTA=n
{{Bug|52}}.
</div>
==== diff-ve-venet-comp-20051021 ====
<div class="change">Patch from Alexander:<br />
Fixes broken compilation when CONFIG_VE_NETDEV=n
{{Bug|52}}.
</div>
==== diff-ubc-expandstack-fix-20051020 ====
<div class="change">Patch from Pavel:<br />
expand_stack() has two incarnations - for STACK_GROW_UP and
STACK_GROWS_DOWN. One of them uses UB_LOW constant, which
is absent. Fixed.
</div>
==== diff-ve-proc-vpid-20051024 ====
<div class="change">Patch from Dmitry:<br />
Added the vpid field to /proc/*/status and /proc/*/stat.
Bug 52680.
</div>
==== diff-simfs-statfs-fix-20051024 ====
<div class="change">Patch from Dmitry:<br />
Fix of df output when the quota limit is exceeded
{{Bug|59}}.
</div>
==== diff-ve-vpsdumpable-20051024 ====
<div class="change">Patch from Kirill:<br />
This patch prohibits processes that entered a VPS from being
ptraced from inside the VPS. This doesn't fix any security
issue by itself, since vzctl enter doesn't leak any sensitive
information. But it makes isolation more logically correct
and can prevent possible security issues in the future.
</div>
</noinclude>