<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/include, branch v2.6.16.28</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/include?h=v2.6.16.28</id>
<link rel='self' href='https://git.amat.us/linux/atom/include?h=v2.6.16.28'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2006-08-23T16:01:55Z</updated>
<entry>
<title>Fix sctp privilege elevation (CVE-2006-3745)</title>
<updated>2006-08-23T16:01:55Z</updated>
<author>
<name>Sridhar Samudrala</name>
<email>sri@us.ibm.com</email>
</author>
<published>2006-08-23T16:01:55Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=28ea23d9847cadc58edf3d10b8c1651f18b8d26b'/>
<id>urn:sha1:28ea23d9847cadc58edf3d10b8c1651f18b8d26b</id>
<content type='text'>
sctp_make_abort_user() now takes the msg_len along with the msg
so that we don't have to recalculate the bytes in iovec.
It also uses memcpy_fromiovec() so that we don't go beyond the
length allocated.

It is good to have this fix even if verify_iovec() is fixed to
return error on overflow.

Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Acked-by: David Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@stusta.de&gt;
</content>
</entry>
<entry>
<title>SPARC64: Fix quad-float multiply emulation.</title>
<updated>2006-08-18T19:28:03Z</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2006-08-18T19:28:03Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=d2b61ec602e7d7be485725bcda8f3b847cfc380e'/>
<id>urn:sha1:d2b61ec602e7d7be485725bcda8f3b847cfc380e</id>
<content type='text'>
Something is wrong with the 3-multiply (vs. 4-multiply) optimized
version of _FP_MUL_MEAT_2_*(), so just use the slower version
which actually computes correct values.

Noticed by Rene Rebe

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@stusta.de&gt;
</content>
</entry>
<entry>
<title>[PATCH] I2O: Bugfixes to get I2O working again</title>
<updated>2006-06-22T19:16:12Z</updated>
<author>
<name>Markus Lidel</name>
<email>Markus.Lidel@shadowconnect.com</email>
</author>
<published>2006-06-10T16:54:14Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=d83d3226f92a802242e8e80d0c7206d7b39c7b49'/>
<id>urn:sha1:d83d3226f92a802242e8e80d0c7206d7b39c7b49</id>
<content type='text'>
- Fixed locking of struct i2o_exec_wait in Executive-OSM

- Removed LCT Notify in i2o_exec_probe() which caused freeing memory and
  accessing freed memory during first enumeration of I2O devices

- Added missing locking in i2o_exec_lct_notify()

- removed put_device() of I2O controller in i2o_iop_remove() which caused
  the controller structure get freed to early

- Fixed size of mempool in i2o_iop_alloc()

- Fixed access to freed memory in i2o_msg_get()

See http://bugzilla.kernel.org/show_bug.cgi?id=6561

Signed-off-by: Markus Lidel &lt;Markus.Lidel@shadowconnect.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@osdl.org&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>[PATCH] SPARC64: Respect gfp_t argument to dma_alloc_coherent().</title>
<updated>2006-06-22T19:16:11Z</updated>
<author>
<name>David Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2006-06-05T03:41:00Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=af948395f08691edd731bac85c1f4c334bd312ec'/>
<id>urn:sha1:af948395f08691edd731bac85c1f4c334bd312ec</id>
<content type='text'>
Using asm-generic/dma-mapping.h does not work because pushing
the call down to pci_alloc_coherent() causes the gfp_t argument
of dma_alloc_coherent() to be ignored.

Fix this by implementing things directly, and adding a gfp_t
argument we can use in the internal call down to the PCI DMA
implementation of pci_alloc_coherent().

This fixes massive memory corruption when using the sound driver
layer, which passes things like __GFP_COMP down into these
routines and (correctly) expects that to work.

This is a disk eater when sound is used, so it's pretty critical.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>[PATCH] SPARC64: Fix D-cache corruption in mremap</title>
<updated>2006-06-22T19:16:11Z</updated>
<author>
<name>David Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2006-06-03T01:30:58Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=76fc2aafe67361e69c980408fc66ac4f051b17da'/>
<id>urn:sha1:76fc2aafe67361e69c980408fc66ac4f051b17da</id>
<content type='text'>
If we move a mapping from one virtual address to another,
and this changes the virtual color of the mapping to those
pages, we can see corrupt data due to D-cache aliasing.

Check for and deal with this by overriding the move_pte()
macro.  Set things up so that other platforms can cleanly
override the move_pte() macro too.

This long standing bug corrupts user memory, and in particular
has been notorious for corrupting Debian package database
files on sparc64 boxes.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>[PATCH] SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858)</title>
<updated>2006-05-20T22:00:34Z</updated>
<author>
<name>Vladislav Yasevich</name>
<email>vladislav.yasevich@hp.com</email>
</author>
<published>2006-05-19T18:52:20Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=0eca2317be1345e056fb75d256099a04c97f7021'/>
<id>urn:sha1:0eca2317be1345e056fb75d256099a04c97f7021</id>
<content type='text'>
When performing bound checks during the parameter processing, we
want to use the real chunk and paramter lengths for bounds instead
of the rounded ones.  This prevents us from potentially walking of
the end if the chunk length was miscalculated.  We still use rounded
lengths when advancing the pointer. This was found during a
conformance test that changed the chunk length without modifying
parameters.

(Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem
is parameter dependent).

Signed-off-by: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>[PATCH] SCTP: Allow spillover of receive buffer to avoid deadlock. (CVE-2006-2275)</title>
<updated>2006-05-09T19:53:21Z</updated>
<author>
<name>Neil Horman</name>
<email>nhorman@tuxdriver.com</email>
</author>
<published>2006-05-06T00:02:09Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=2e2a2cd09dd7b3fbc99a1879a54090fd6db16f0c'/>
<id>urn:sha1:2e2a2cd09dd7b3fbc99a1879a54090fd6db16f0c</id>
<content type='text'>
This patch fixes a deadlock situation in the receive path by allowing
temporary spillover of the receive buffer.

- If the chunk we receive has a tsn that immediately follows the ctsn,
  accept it even if we run out of receive buffer space and renege data with
  higher TSNs.
- Once we accept one chunk in a packet, accept all the remaining chunks
  even if we run out of receive buffer space.

Signed-off-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Mark Butler &lt;butlerm@middle.net&gt;
Acked-by: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>[PATCH] i386: fix broken FP exception handling</title>
<updated>2006-05-01T19:03:44Z</updated>
<author>
<name>Chuck Ebbert</name>
<email>76306.1226@compuserve.com</email>
</author>
<published>2006-04-29T18:07:49Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=6584014ec33ed34c5bf6c5af20a0951069bea7a9'/>
<id>urn:sha1:6584014ec33ed34c5bf6c5af20a0951069bea7a9</id>
<content type='text'>
The FXSAVE information leak patch introduced a bug in FP exception
handling: it clears FP exceptions only when there are already
none outstanding.  Mikael Pettersson reported that causes problems
with the Erlang runtime and has tested this fix.

Signed-off-by: Chuck Ebbert &lt;76306.1226@compuserve.com&gt;
Acked-by: Mikael Pettersson &lt;mikpe@it.uu.se&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>[PATCH] MIPS: R2 build fixes for gcc &lt; 3.4.</title>
<updated>2006-05-01T19:03:44Z</updated>
<author>
<name>Ralf Baechle</name>
<email>ralf@linux-mips.org</email>
</author>
<published>2006-04-26T23:00:02Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=ce0bd8e0b232fdf2da9390ad280286f45c5f3a89'/>
<id>urn:sha1:ce0bd8e0b232fdf2da9390ad280286f45c5f3a89</id>
<content type='text'>
Signed-off-by: Ralf Baechle &lt;ralf@linux-mips.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>[PATCH] MIPS: Use "R" constraint for cache_op.</title>
<updated>2006-05-01T19:03:44Z</updated>
<author>
<name>Ralf Baechle</name>
<email>ralf@linux-mips.org</email>
</author>
<published>2006-04-26T23:00:01Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=97644aa31cb72ce0e9ebfae27042bc56db672dee'/>
<id>urn:sha1:97644aa31cb72ce0e9ebfae27042bc56db672dee</id>
<content type='text'>
Gcc might emit an absolute address for the the "m" constraint which
gas unfortunately does not permit.

Signed-off-by: Ralf Baechle &lt;ralf@linux-mips.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
</feed>
