<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux, branch v2.6.16.16</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/?h=v2.6.16.16</id>
<link rel='self' href='https://git.amat.us/linux/atom/?h=v2.6.16.16'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2006-05-11T01:56:24Z</updated>
<entry>
<title>Linux 2.6.16.16</title>
<updated>2006-05-11T01:56:24Z</updated>
<author>
<name>Chris Wright</name>
<email>chrisw@sous-sol.org</email>
</author>
<published>2006-05-11T01:56:24Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=22ddf44d54d0b2326f7b233e836e7155d45d3a7d'/>
<id>urn:sha1:22ddf44d54d0b2326f7b233e836e7155d45d3a7d</id>
<content type='text'>
</content>
</entry>
<entry>
<title>[PATCH] fs/locks.c: Fix lease_init (CVE-2006-1860)</title>
<updated>2006-05-11T01:56:15Z</updated>
<author>
<name>Trond Myklebust</name>
<email>Trond.Myklebust@netapp.com</email>
</author>
<published>2006-05-08T03:02:42Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=1f0e637c94a9b041833947c79110d6c02fff8618'/>
<id>urn:sha1:1f0e637c94a9b041833947c79110d6c02fff8618</id>
<content type='text'>
It is insane to be giving lease_init() the task of freeing the lock it is
supposed to initialise, given that the lock is not guaranteed to be
allocated on the stack. This causes lockups in fcntl_setlease().
Problem diagnosed by Daniel Hokka Zakrisson &lt;daniel@hozac.com&gt;

Also fix a slab leak in __setlease() due to an uninitialised return value.
Problem diagnosed by Björn Steinbrink.

Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
Tested-by: Daniel Hokka Zakrisson &lt;daniel@hozac.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@osdl.org&gt;
Cc: Björn Steinbrink &lt;B.Steinbrink@gmx.de&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>Linux 2.6.16.15</title>
<updated>2006-05-09T19:53:30Z</updated>
<author>
<name>Chris Wright</name>
<email>chrisw@sous-sol.org</email>
</author>
<published>2006-05-09T19:53:30Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=90a03936acb1c3400a5833cc7b5c58e01b6106b8'/>
<id>urn:sha1:90a03936acb1c3400a5833cc7b5c58e01b6106b8</id>
<content type='text'>
</content>
</entry>
<entry>
<title>[PATCH] SCTP: Prevent possible infinite recursion with multiple bundled DATA. (CVE-2006-2274)</title>
<updated>2006-05-09T19:53:21Z</updated>
<author>
<name>Vladislav Yasevich</name>
<email>vladsilav.yasevich@hp.com</email>
</author>
<published>2006-05-06T00:03:49Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=25958c671804a3829d822fc3ccc3eff534b1aaa0'/>
<id>urn:sha1:25958c671804a3829d822fc3ccc3eff534b1aaa0</id>
<content type='text'>
There is a rare situation that causes lksctp to go into infinite recursion
and crash the system.  The trigger is a packet that contains at least the
first two DATA fragments of a message bundled together. The recursion is
triggered when the user data buffer is smaller than the full data message.
The problem is that we clone the skb for every fragment in the message.
When reassembling the full message, we try to link skbs from the "first
fragment" clone using the frag_list. However, since the frag_list is shared
between two clones in this rare situation, we end up setting the frag_list
pointer of the second fragment to point to itself.  This causes
sctp_skb_pull() to potentially recurse indefinitely.

Proposed solution is to make a copy of the skb when attempting to link
things using frag_list.

Signed-off-by: Vladislav Yasevich &lt;vladsilav.yasevich@hp.com&gt;
Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>[PATCH] SCTP: Allow spillover of receive buffer to avoid deadlock. (CVE-2006-2275)</title>
<updated>2006-05-09T19:53:21Z</updated>
<author>
<name>Neil Horman</name>
<email>nhorman@tuxdriver.com</email>
</author>
<published>2006-05-06T00:02:09Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=2e2a2cd09dd7b3fbc99a1879a54090fd6db16f0c'/>
<id>urn:sha1:2e2a2cd09dd7b3fbc99a1879a54090fd6db16f0c</id>
<content type='text'>
This patch fixes a deadlock situation in the receive path by allowing
temporary spillover of the receive buffer.

- If the chunk we receive has a tsn that immediately follows the ctsn,
  accept it even if we run out of receive buffer space and renege data with
  higher TSNs.
- Once we accept one chunk in a packet, accept all the remaining chunks
  even if we run out of receive buffer space.

Signed-off-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Mark Butler &lt;butlerm@middle.net&gt;
Acked-by: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>[PATCH] SCTP: Fix state table entries for chunks received in CLOSED state. (CVE-2006-2271)</title>
<updated>2006-05-09T19:53:20Z</updated>
<author>
<name>Sridhar Samudrala</name>
<email>sri@us.ibm.com</email>
</author>
<published>2006-05-06T00:05:23Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=cb19baa0bb7a4064e6d0c99e8f479673120a9f28'/>
<id>urn:sha1:cb19baa0bb7a4064e6d0c99e8f479673120a9f28</id>
<content type='text'>
Discard an unexpected chunk in CLOSED state rather than calling BUG().

Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>[PATCH] SCTP: Fix panic's when receiving fragmented SCTP control chunks. (CVE-2006-2272)</title>
<updated>2006-05-09T19:53:20Z</updated>
<author>
<name>Sridhar Samudrala</name>
<email>sri@us.ibm.com</email>
</author>
<published>2006-05-06T00:04:43Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=40885c13b394cd1b74acc196f1d7990a3e0a484d'/>
<id>urn:sha1:40885c13b394cd1b74acc196f1d7990a3e0a484d</id>
<content type='text'>
Use pskb_pull() to handle incoming COOKIE_ECHO and HEARTBEAT chunks that
are received as skb's with fragment list.

Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>Linux 2.6.16.14</title>
<updated>2006-05-05T00:03:45Z</updated>
<author>
<name>Chris Wright</name>
<email>chrisw@sous-sol.org</email>
</author>
<published>2006-05-05T00:03:45Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=bf7d8bacaaf241a0f0157986fd4e1e6834873d50'/>
<id>urn:sha1:bf7d8bacaaf241a0f0157986fd4e1e6834873d50</id>
<content type='text'>
</content>
</entry>
<entry>
<title>[PATCH] smbfs chroot issue (CVE-2006-1864)</title>
<updated>2006-05-05T00:03:36Z</updated>
<author>
<name>Olaf Kirch</name>
<email>okir@suse.de</email>
</author>
<published>2006-05-04T04:30:11Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=4acbb3fbaccda1f1d38e7154228e052ce80a2dfa'/>
<id>urn:sha1:4acbb3fbaccda1f1d38e7154228e052ce80a2dfa</id>
<content type='text'>
Mark Moseley reported that a chroot environment on a SMB share can be
left via "cd ..\\".  Similar to CVE-2006-1863 issue with cifs, this fix
is for smbfs.

Steven French &lt;sfrench@us.ibm.com&gt; wrote:

Looks fine to me.  This should catch the slash on lookup or equivalent,
which will be all obvious paths of interest.

Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>Linux 2.6.16.13</title>
<updated>2006-05-02T21:38:44Z</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@suse.de</email>
</author>
<published>2006-05-02T21:38:44Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=a120571fbdfc8f543eea64248abe3c4d7f210450'/>
<id>urn:sha1:a120571fbdfc8f543eea64248abe3c4d7f210450</id>
<content type='text'>
</content>
</entry>
</feed>
