ChangeSet@1.1925, 2004-04-21 16:23:05-07:00, jbglaw@lug-owl.de
[PATCH] lkkbd: Current version

This updates the lkkbd driver to its current version. It also incorporates two patches suggested on LKML (fixing some leading whitespace and an unnecessary check).

ChangeSet@1.1924, 2004-04-21 16:22:53-07:00, jbglaw@lug-owl.de
[PATCH] New set of input patches

This updates the vsxxx driver to its current version. Even DEC tablet support (VSXXX-AB) is now tested - it works :) You can even hotplug between mouse and digitizer...

ChangeSet@1.1923, 2004-04-21 16:22:42-07:00, sfr@canb.auug.org.au
[PATCH] PPC64 iSeries virtual ethernet fix

This patch is needed due to other patches that were applied in parallel with the inclusion of the iSeries virtual ethernet driver.

ChangeSet@1.1922, 2004-04-21 16:16:05-07:00, B.Zolnierkiewicz@elka.pw.edu.pl
[PATCH] removal of MOD_{INC,DEC}_USE_COUNT in ide-cs.c

From: Pavel Roskin

The "ide-cs" module cannot be unloaded because it uses the obsolete MOD_INC_USE_COUNT and MOD_DEC_USE_COUNT macros. In fact, they are not needed in ide-cs.c in 2.6 kernels. The generic PCMCIA code already increases the use count for every device served by the driver, so it's impossible to unload the ide-cs driver while it's in use.

I was told that the removal of IDE interfaces may be unsafe in 2.6 kernels. However, MOD_INC_USE_COUNT only prevents removal of the module, not the interface. It's also the first obstacle, albeit a trivial one, for anybody debugging those problems (i.e. loading a modified module requires "rmmod -f" or a reboot to unload the old version).
ChangeSet@1.1921, 2004-04-21 16:15:54-07:00, B.Zolnierkiewicz@elka.pw.edu.pl
[PATCH] ide-probe.c: kill duplicate #include

From: Arthur Othieno

ChangeSet@1.1920, 2004-04-21 16:15:42-07:00, B.Zolnierkiewicz@elka.pw.edu.pl
[PATCH] ide-disk.c: fix for IDE CF card ejection with devfs

From: Pavel Roskin

If I eject an IDE CompactFlash card, I get a stack dump from devfs_remove() because ide/host2/bus0/target0/lun0 doesn't exist. After del_gendisk() is called from idedisk_cleanup(), drive->devfs_name refers to a non-existent directory and should be erased, so that ide_unregister() doesn't try to remove that directory again.

ChangeSet@1.1919, 2004-04-21 16:13:25-07:00, torvalds@ppc970.osdl.org
Merge bk://bk.arm.linux.org.uk/linux-2.6-serial into ppc970.osdl.org:/home/torvalds/v2.6/linux

ChangeSet@1.1881.2.1, 2004-04-21 23:39:45+01:00, rmk@flint.arm.linux.org.uk
[SERIAL] Correct PL011 help text.

ChangeSet@1.1881.1.2, 2004-04-21 23:33:52+01:00, rmk@flint.arm.linux.org.uk
[ARM] Add support for ARM Versatile platform.

This cset adds minimal support for ARM Ltd's ARM926EJ-S "Versatile" platform.

ChangeSet@1.1917, 2004-04-21 12:02:58-07:00, torvalds@ppc970.osdl.org
Revert fb_ioctl "fix" with extreme prejudice.

As Arjan points out, the patch does exactly the opposite of what it was claimed to do. Andrea: tssk tssk.

Cset exclude: akpm@osdl.org[torvalds]|ChangeSet|20040421144431|15930

ChangeSet@1.1762.2.19, 2004-04-21 19:49:59+01:00, davej@redhat.com
[CPUFREQ] Fix security hole in proc handler.

Brad Spengler found an exploitable bug in the proc handler of cpufreq, where a user-supplied unsigned int is cast to a signed int and then passed on to copy_[to|from]_user(), allowing arbitrary amounts of memory to be written (root only, thankfully) or read (as any user).

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0228 to this issue.
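The CAN-2004-0228 entry above turns on a user-supplied unsigned length being stored in a signed int before the bound check that precedes copy_to_user()/copy_from_user(). The following is an added example, not code from the kernel or from this changeset, that models the flawed and the corrected check in plain C. handler_flawed(), handler_fixed(), bounded_copy(), user_page and the 16-byte kbuf are constructed for illustration; bounded_copy() stands in for copy_to_user() and reports a copy that would run past the kernel buffer instead of performing it.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define KBUF_SIZE 16
#define WOULD_OVERRUN (-1000L)   /* constructed marker: the copy would run past kbuf */

/* Constructed stand-in for the user page that copy_to_user() writes into. */
static char user_page[64];

/* Constructed stand-in for copy_to_user(): it knows the size of both buffers,
 * so a copy that would read past the kernel buffer is reported rather than
 * silently leaking whatever follows that buffer in memory. */
static long bounded_copy(char *dst, size_t dst_cap,
                         const char *src, size_t src_len, size_t n)
{
    if (n > src_len || n > dst_cap)
        return WOULD_OVERRUN;
    memcpy(dst, src, n);
    return (long)n;
}

/* Flawed pattern: the unsigned length from userspace is stored in a signed int
 * and compared against a signed bound. 0xFFFFFFF0 becomes -16 on two's-complement
 * targets, "-16 > 16" is false, and the copy receives (size_t)-16, an enormous count. */
long handler_flawed(unsigned int user_len)
{
    char kbuf[KBUF_SIZE] = "2400000\n";   /* constructed sample: a frequency in kHz */
    int len = (int)user_len;

    if (len > (int)sizeof(kbuf))
        return -EINVAL;
    return bounded_copy(user_page, sizeof(user_page), kbuf, sizeof(kbuf), (size_t)len);
}

/* Corrected pattern: keep the length unsigned and bound it before any copy.
 * There is no negative value that can slip past the comparison. */
long handler_fixed(unsigned int user_len)
{
    char kbuf[KBUF_SIZE] = "2400000\n";
    size_t len = user_len;

    if (len > sizeof(kbuf))
        return -EINVAL;
    return bounded_copy(user_page, sizeof(user_page), kbuf, sizeof(kbuf), len);
}
```

handler_flawed(0xFFFFFFF0u) reaches the copy with a count of (size_t)-16 and returns WOULD_OVERRUN, while handler_fixed(0xFFFFFFF0u) returns -EINVAL; both accept a length of 8. The point to carry away is that the bound check has to be done in the unsigned domain the value arrived in, which is why a size_t length and a plain "len > sizeof(kbuf)" comparison suffice.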
ChangeSet@1.1762.2.18, 2004-04-21 19:20:17+01:00, davej@redhat.com
[CPUFREQ] Export an array of acpi driver supported frequencies in sysfs

From Dominik.

ChangeSet@1.1762.2.17, 2004-04-21 19:18:57+01:00, davej@redhat.com
[CPUFREQ] Make an educated guess at the current P-state in the ACPI driver.

One big limitation of the ACPI specification is that it's impossible to detect the current P-State by reading from ACPI-defined registers. And the CPU isn't always at P0 when the system boots. So, try to "guess" the current P-State by analyzing cpu_khz.

From Dominik.

ChangeSet@1.1762.2.16, 2004-04-21 17:58:29+01:00, davej@redhat.com
[CPUFREQ] Remove redundant part of powernow-k7 module parm

If used as a bootparam, this would've become powernow-k7.powernow_acpi_force, which looks silly.

ChangeSet@1.1762.2.15, 2004-04-21 17:07:29+01:00, davej@redhat.com
[CPUFREQ] Fix unbalanced try_get_module/put_module

Spotted by Charles Coffing

ChangeSet@1.1916, 2004-04-21 07:44:58-07:00, akpm@osdl.org
[PATCH] loop_set_fd() sendfile check fix

From: Yury Umanets

I have found a small inconsistency in loop_set_fd(). It checks if ->sendfile() is implemented for the passed block device file. But in fact, the loop back device driver never calls it. It uses ->sendfile() from the backing store file.

ChangeSet@1.1915, 2004-04-21 07:44:44-07:00, akpm@osdl.org
[PATCH] i386 hugetlb tlb correction

From: William Lee Irwin III

i386 does hardware interpretation of pagetables, so pte_clear() can't be used on present ptes, as it sets the upper half of the hugepte prior to setting the lower half (which includes the valid bit). I.e. there is a window where having a hugepage mapped at 56GB and doing pte_clear() in unmap_hugepage_range() allows other threads of the process to see a hugepage at 0 in place of the original hugepage at 56GB. This patch corrects the situation by using ptep_get_and_clear(), which clears the lower word of the pte prior to clearing the upper word.
There is another nasty where huge_page_release() needs to wait for TLB flushes before returning the hugepages to the free pool, analogous to the issue tlb_remove_page() and tlb_flush_mm() repair.

ChangeSet@1.1914, 2004-04-21 07:44:31-07:00, akpm@osdl.org
[PATCH] fb_ioctl() usercopy fix

From: Andrea Arcangeli

Arrange for ioctl(FBIOPUTCMAP) to do copy_to_user() rather than memcpy.

ChangeSet@1.1913, 2004-04-21 07:44:18-07:00, akpm@osdl.org
[PATCH] i810_dma range check

From: Andrea Arcangeli

Correctly range-check an incoming-from-userspace argument. Found by the Stanford checker.

ChangeSet@1.1912, 2004-04-21 07:44:05-07:00, akpm@osdl.org
[PATCH] selinux: remove hardcoded policy assumption from get_user_sids() logic

From: Stephen Smalley

This patch removes a hardcoded policy assumption from the get_user_sids logic in the SELinux module that was preventing it from returning contexts that had the same type as the caller even if the policy allowed such a transition. The assumption is not valid for all policies, and can be handled via policy configuration and userspace rather than hardcoding it in the module logic.

ChangeSet@1.1911, 2004-04-21 07:43:53-07:00, akpm@osdl.org
[PATCH] selinux: add runtime disable

From: Stephen Smalley

This patch adds a kernel configuration option that enables writing to a new selinuxfs node 'disable' that allows SELinux to be disabled at runtime prior to initial policy load. SELinux will then remain disabled until next boot. This option is similar to the selinux=0 boot parameter, but is to support runtime disabling of SELinux, e.g. from /sbin/init, for portability across platforms where boot parameters are difficult to employ (based on feedback by Jeremy Katz).
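The i386 hugetlb changeset (1.1915) above hinges on store ordering: a PAE pte is two 32-bit words, the present bit lives in the low word, and a hardware walker can read the entry between the two stores. The following is an added example, not code from the kernel or from that changeset, that models the entry as two words and returns what a concurrent walker could observe in the window for each clearing order. pte_t, clear_high_then_low(), clear_low_then_high(), window_when_clearing() and the 2MB huge-page mask are constructed for illustration; the 56GB address is the one named in the changeset.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of a PAE (i386 with 64-bit ptes) page-table entry stored as
 * two 32-bit words. The present bit lives in the low word; address bits above
 * 4GB live in the high word. The hardware walker may observe the entry between
 * the two stores, which is the window the changeset describes. */
typedef struct {
    volatile uint32_t low;
    volatile uint32_t high;
} pte_t;

#define PTE_PRESENT    0x1ULL
#define PTE_PSE        0x80ULL           /* page-size extension: a huge page mapping */
#define HUGEPAGE_MASK  (~0x1FFFFFULL)    /* 2MB huge page under PAE: low 21 bits are flags/offset */

static uint64_t pte_val(const pte_t *p)
{
    return ((uint64_t)p->high << 32) | p->low;
}

static void set_pte(pte_t *p, uint64_t v)
{
    p->high = (uint32_t)(v >> 32);
    p->low  = (uint32_t)v;
}

bool pte_present(uint64_t v)   { return (v & PTE_PRESENT) != 0; }
uint64_t pte_paddr(uint64_t v) { return v & HUGEPAGE_MASK; }

/* Flawed ordering (the pte_clear() behaviour described above): the high word is
 * zeroed first, so a walker looking between the two stores sees an entry that
 * is still present but whose upper address bits are gone, i.e. a huge page at
 * physical 0. Returns the value visible in that window. */
uint64_t clear_high_then_low(pte_t *p)
{
    p->high = 0;
    uint64_t window = pte_val(p);
    p->low = 0;
    return window;
}

/* Corrected ordering (ptep_get_and_clear()): the low word, which carries the
 * present bit, is zeroed first, so the window only ever shows a non-present entry. */
uint64_t clear_low_then_high(pte_t *p)
{
    p->low = 0;
    uint64_t window = pte_val(p);
    p->high = 0;
    return window;
}

/* Map a huge page at the given physical address and return what a concurrent
 * walker could see while `clear` runs. */
uint64_t window_when_clearing(uint64_t paddr, uint64_t (*clear)(pte_t *))
{
    pte_t p;
    set_pte(&p, (paddr & HUGEPAGE_MASK) | PTE_PSE | PTE_PRESENT);
    return clear(&p);
}
```

With the page at 56GB (0xE00000000), window_when_clearing() under clear_high_then_low() yields an entry that is present with physical address 0, exactly the "hugepage at 0" the changeset describes; under clear_low_then_high() the window shows a non-present entry, so there is nothing for another thread to hit.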
ChangeSet@1.1910, 2004-04-21 07:43:42-07:00, akpm@osdl.org
[PATCH] selinux: change context_to_sid handling for no-policy case

From: Stephen Smalley

This patch changes the behavior of security_context_to_sid in the no-policy case so that it simply accepts all contexts and maps them to the kernel SID rather than rejecting anything other than an initial SID. The change avoids error conditions when using SELinux in permissive/no-policy mode, so that any file contexts left on disk from prior use of SELinux with a policy will not cause an error when they are looked up, and userspace attempts to set contexts can succeed.

ChangeSet@1.1909, 2004-04-21 07:43:30-07:00, akpm@osdl.org
[PATCH] i4l: add compat ioctls for CAPI

From: Marcel Holtmann

This patch adds the needed compat ioctls for the CAPI on 64bit platforms.

ChangeSet@1.1908, 2004-04-21 07:43:17-07:00, akpm@osdl.org
[PATCH] lockfs - dm bits

From: Christoph Hellwig

This patch makes the device mapper use the new freeze_bdev/thaw_bdev interface. Extracted from Chris Mason's patch.

ChangeSet@1.1907, 2004-04-21 07:43:05-07:00, akpm@osdl.org
[PATCH] lockfs - xfs bits

From: Christoph Hellwig

Remove all the code now in the VFS, make XFS's freeze ioctls use the new infrastructure and reorganize some code.

This code needs some work so the source files shared with 2.4 aren't exposed to the new VFS interfaces directly. You'll get an update once this has been discussed with the other XFS developers and is implemented. Note that the current patch works fine and I wouldn't complain if it gets into Linus' tree as-is.

ChangeSet@1.1906, 2004-04-21 07:42:53-07:00, akpm@osdl.org
[PATCH] lockfs: reiserfs fix

From: Chris Mason

reiserfs_write_super_lockfs() is supposed to wait for the transaction to commit.

ChangeSet@1.1905, 2004-04-21 07:42:39-07:00, akpm@osdl.org
[PATCH] lockfs - vfs bits

From: Christoph Hellwig

These are the generic lockfs bits. Basically it takes the XFS freezing statemachine into the VFS.
It's all behind the kernel-doc documented freeze_bdev and thaw_bdev interfaces. Based on an older patch from Chris Mason.

ChangeSet@1.1904, 2004-04-21 07:42:28-07:00, akpm@osdl.org
[PATCH] remove amd7xx_tco

From: Zwane Mwaikambo

We've had trouble with this driver: it appears to work, but the hardware never does the final reboot. I have yet to come across someone with a board which works and don't have personal access to one. So how about scrapping the whole thing.

ChangeSet@1.1903, 2004-04-21 07:42:18-07:00, akpm@osdl.org
[PATCH] Call populate_rootfs later in boot

populate_rootfs() is called rather early - before we've called init_idle(). But populate_rootfs() does file I/O, which involves calls to cond_resched(), downing of semaphores, etc. If it schedules, the scheduler emits scheduling-while-atomic warnings and sometimes oopses.

So run populate_rootfs() later, after the scheduler is all set up.

ChangeSet@1.1902, 2004-04-21 07:42:05-07:00, akpm@osdl.org
[PATCH] ext3 avoid writing kernel memory to disk

From: Marc-Christian Petersen

Solar Designer discovered an information leak in the ext3 code of Linux. In a worst case an attacker could read sensitive data such as cryptographic keys which would otherwise never hit disk media. Theodore Ts'o developed a correction for this.
ChangeSet@1.1901, 2004-04-21 07:41:53-07:00, akpm@osdl.org
[PATCH] compute_creds race

From: Andy Lutomirski

Fixes from me, Olaf Dietsche

In fs/exec.c, compute_creds does:

    task_lock(current);
    if (bprm->e_uid != current->uid || bprm->e_gid != current->gid) {
        current->mm->dumpable = 0;
        if (must_not_trace_exec(current)
            || atomic_read(&current->fs->count) > 1
            || atomic_read(&current->files->count) > 1
            || atomic_read(&current->sighand->count) > 1) {
            if(!capable(CAP_SETUID)) {
                bprm->e_uid = current->uid;
                bprm->e_gid = current->gid;
            }
        }
    }
    current->suid = current->euid = current->fsuid = bprm->e_uid;
    current->sgid = current->egid = current->fsgid = bprm->e_gid;
    task_unlock(current);
    security_bprm_compute_creds(bprm);

I assume the task_lock is to prevent another process (on SMP or preempt) from ptracing the execing process between the check and the assignment. If that's the concern then the fact that the lock is dropped before the call to security_bprm_compute_creds means that, if security_bprm_compute_creds does anything interesting, there's a race.

For my (nearly complete) caps patch, I obviously need to fix this. But I think it may be exploitable now. Suppose there are two processes, A (the malicious code) and B (which uses exec). B starts out unprivileged (A and B have, e.g., uid and euid = 500).

1. A ptraces B.
2. B calls exec on some setuid-root program.
3. In cap_bprm_set_security, B sets bprm->cap_permitted to the full set.
4. B gets to compute_creds in exec.c, calls task_lock, and does not change its uid.
5. B calls task_unlock.
6. A detaches from B (on preempt or SMP).
7. B gets to task_lock in cap_bprm_compute_creds, changes its capabilities, and returns from compute_creds into load_elf_binary.
8. load_elf_binary calls create_elf_tables (line 852 in 2.6.5-mm1), which calls cap_bprm_secureexec (through LSM), which returns false (!).
9. exec finishes. The setuid program is now running with uid=euid=500 but full permitted capabilities.
There are two (or three) ways to effectively get local root now:

1. IIRC, linux 2.4 doesn't check capabilities in ptrace, so A could just ptrace B again.
2. LD_PRELOAD.
3. There are probably programs that will misbehave on their own under these circumstances.

Is there some reason why this is not doable?

The patch renames bprm_compute_creds to bprm_apply_creds and moves all uid logic into the hook, where the test and the resulting modification can both happen under task_lock(). This way, out-of-tree LSMs will fail to compile instead of malfunctioning. It should also make life easier for LSMs and will certainly make it easier for me to finish the cap patch.

ChangeSet@1.1900, 2004-04-21 07:41:40-07:00, akpm@osdl.org
[PATCH] Fix nfsroot option handling

From: Trond Myklebust

The following patch fixes up a number of bugs in the NFSroot parser rewrite from patchset trond.myklebust@fys.uio.no|ChangeSet|20040411182341|00938

It also ensures that NFSroot mount options are consistent with the userland "mount" program.

ChangeSet@1.1899, 2004-04-21 07:24:51-07:00, drepper@redhat.com
[PATCH] Add missing __initdata

One of the stack size optimizations introduced a new static variable in a function marked with __init. But the variable is not marked appropriately and so 1k of data is never freed.

ChangeSet@1.1897, 2004-04-20 14:24:38-07:00, torvalds@ppc970.osdl.org
Linux 2.6.6-rc2

TAG: v2.6.6-rc2
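The compute_creds changeset (1.1901) above is a check-then-act race: the uid decision and the capability decision both consult "is this task being traced", but in two separate task_lock() sections, and the answer can change in between. The following is an added example, not code from the kernel or from that changeset, that models the two structures in plain C so the difference can be exercised deterministically. struct task, struct bprm, task_lock()/task_unlock() as a flag, the interference hook, CAP_NONE/CAP_FULL and ends_inconsistent() are constructed for illustration; the hook is invoked synchronously at the point where the original code dropped the lock, standing in for a tracer on another CPU.

```c
#include <stdbool.h>

/* Constructed model of the per-task state the exec credential logic reads and
 * writes. task_lock()/task_unlock() are modelled as a flag on the task. */
struct task {
    bool locked;
    unsigned int uid, euid;
    bool traced;                /* a tracer is currently attached */
    unsigned int cap_permitted;
};

struct bprm {
    unsigned int e_uid;         /* uid the setuid binary asks for (0 = root) */
    unsigned int cap_permitted; /* capabilities the binary asks for */
};

#define CAP_NONE 0u
#define CAP_FULL 0xFFFFFFFFu

static void task_lock(struct task *t)   { t->locked = true; }
static void task_unlock(struct task *t) { t->locked = false; }

/* Something that happens on another CPU (or after preemption) while the exec'ing
 * task holds no lock. The model calls it synchronously where the original code
 * dropped task_lock(); it only acts if the lock really is released. */
typedef void (*interference_fn)(struct task *t);
void tracer_detaches(struct task *t)   { if (!t->locked) t->traced = false; }
void nobody_interferes(struct task *t) { (void)t; }

/* Original structure: the uid decision and the capability decision each
 * examine `traced`, but in two separate critical sections. */
void compute_creds_split(struct task *t, struct bprm *b, interference_fn between)
{
    task_lock(t);
    if (b->e_uid != t->uid && t->traced)      /* traced: refuse to become root */
        b->e_uid = t->uid;
    t->euid = b->e_uid;
    task_unlock(t);

    between(t);                                /* the window the changeset describes */

    task_lock(t);                              /* the LSM hook re-checks `traced` */
    t->cap_permitted = t->traced ? CAP_NONE : b->cap_permitted;
    task_unlock(t);
}

/* Structure after the fix (bprm_apply_creds): one decision, taken and applied
 * to both uid and capabilities inside a single critical section. */
void apply_creds_atomic(struct task *t, struct bprm *b, interference_fn between)
{
    task_lock(t);
    bool refuse = (b->e_uid != t->uid) && t->traced;
    if (refuse) {
        b->e_uid = t->uid;
        b->cap_permitted = CAP_NONE;
    }
    t->euid = b->e_uid;
    t->cap_permitted = b->cap_permitted;
    task_unlock(t);

    between(t);                                /* too late to change the outcome */
}

typedef void (*creds_fn)(struct task *, struct bprm *, interference_fn);

/* Run one exec of a setuid-root binary by a traced uid-500 task and report
 * whether it ends in the inconsistent state: still uid 500, yet full capabilities. */
bool ends_inconsistent(creds_fn fn, interference_fn between)
{
    struct task t = { false, 500, 500, true, CAP_NONE };
    struct bprm b = { 0, CAP_FULL };
    fn(&t, &b, between);
    return t.euid == 500 && t.cap_permitted == CAP_FULL;
}
```

ends_inconsistent(compute_creds_split, tracer_detaches) is true: the uid was refused while traced, the capabilities were granted after the detach. The same split logic with nobody_interferes, and apply_creds_atomic under either hook, never reach that state, because the one decision made under the lock is applied to both uid and capabilities before the lock is dropped. That is the property the renamed bprm_apply_creds hook restores.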