Hi all, Here's the fifth hotfix for linux-2.4.29 :
http://linux.exosec.net/kernel/2.4-hf/ NOTE: This update fixes a remote security issue on PPP servers which is also fixed in 2.4.30-rc1 (thanks to Paul Mackerras). I've appended the changelog from 2.4.29-hf4 below, and the incremental diff (very small). I'd like to thank particularly Grant Coady, who has compiled a lot of -hf kernels on several of his machines and maintains a build report on his page linked below. Those interested can check his site for more information : http://scatter.mine.nu/linux-2.4-hotfix/ When Marcelo starts 2.4.30-bk, I'll start a 2.4.30-hf and still maintain 2.4.29-hf in parallel (at least as long as I'll see downloads of this version in the server's logs). Of course, given the small number of changes between 2.4.29 and 2.4.30-rc1, everyone is encouraged to upgrade to 2.4.30 ASAP and stick to mainline as much as possible. Regards, Willy -- Changelog From 2.4.29-hf4 to 2.4.29-hf5 (semi-automated) --------------------------------------- '+' = added ; '-' = removed Note: This update fixes a remote security issue on PPP servers. + ppp-server-remote-dos-1 (Paul Mackerras) Remote Linux DoS on ppp servers (CAN-2005-0384) + x86_64-fix-x87-tag-word-emulation-1 (Roland McGrath) Fix x87 fnsave Tag Word emulation when using FXSR (SSE). The fxsave instruction does not save the x87 tag word (only the empty bits), and we re-created the old-style x87 tags incorrectly. The registers are saved in "stack order" in the save area, but the tag word bits are in "hardware order", and we need to get the right register state. Both x86 and x86-64 needed this fix. + possible-pty-line-discipline-race-1 (Linus Torvalds) [PATCH] Workaround possible pty line discipline race. It's in no way "correct", in that the race hasn't actually gone away by this patch, but the patch makes it unimportant. We may end up calling a stale line discipline, which is still very wrong, but it so happens that we don't much care in practice. I think that in a 2.4.x tree there are some theoretical SMP races with module unloading etc (which the 2.6.x code doesn't have because module unload stops the other CPU's - maybe that part got backported to 2.4.x?), but quite frankly, I suspect that even in 2.4.x they are entirely theoretical and impossible to actually hit. And again, in theory some line discipline might do something strange in it's "chars_in_buffer" routine that would be problematic. In practice that's just not the case: the "chars_in_buffer()" routine might return a bogus _value_ for a stale line discipline thing, but none of them seem to follow any pointers that might have become invalid (and in fact, most ldiscs don't even have that function). + softdog-does-not-reboot-on-close-1 (Jacques Basson) There is a bug in the softdog.c (v 0.05) in the 2.4 kernel series (certainly in 2.4.29 and there are no references to it in the latest Changelog) that won't reboot the machine if /dev/watchdog is closed unexpectedly and nowayout is not set. - scsi-tapes-allow-lseek-1 (Marcelo Tosatti) + scsi-tapes-allow-lseek-2 (Marcelo Tosatti) Fixed lseek on OSST tapes too. + write-throttling-ignore-free-highmem-1 (Andrea Arcangeli) I got reports of stalls with heavy writes on 2.4. There was a mistake in nr_free_buffer_pages. That function is definitely meant _not_ to take highmem into account (dirty cache cannot spread over highmem in 2.4 [even when on top of fs]). For unknown reasons it was actually taking highmem into account. The code was obviously meant to not take into account see the GFP_USER and zonelist, except it wasn't using the zonelist. That is a severe problem because there will be no write throttling at all, and no bdflush wakeup either. This is a noop for all systems <800M (1G shouldn't be noticeable either). This is why most people can't notice. + get_user_pages-no-pg_reserved-1 (Andrea Arcangeli) get_user_pages() shall not grab PG_reserved pages. + sparc32-fix-parallel-build-1 (crn:netunix.com) [SPARC32]: Fix build dependencies for vmlinux.o This helps make parallel builds work properly. -- diff -urN linux-2.4.29-hf4/Makefile linux-2.4.29-hf5/Makefile --- linux-2.4.29-hf4/Makefile 2005-03-19 17:50:48.000000000 +0100 +++ linux-2.4.29-hf5/Makefile 2005-03-19 17:47:41.000000000 +0100 @@ -1,7 +1,7 @@ VERSION = 2 PATCHLEVEL = 4 SUBLEVEL = 29 -EXTRAVERSION = -hf4 +EXTRAVERSION = -hf5 KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION) diff -urN linux-2.4.29-hf4/arch/i386/kernel/i387.c linux-2.4.29-hf5/arch/i386/kernel/i387.c --- linux-2.4.29-hf4/arch/i386/kernel/i387.c 2003-08-25 13:44:39.000000000 +0200 +++ linux-2.4.29-hf5/arch/i386/kernel/i387.c 2005-03-19 17:47:41.000000000 +0100 @@ -128,16 +128,17 @@ static inline unsigned long twd_fxsr_to_i387( struct i387_fxsave_struct *fxsave ) { struct _fpxreg *st = NULL; + unsigned long tos = (fxsave->swd >> 11) & 7; unsigned long twd = (unsigned long) fxsave->twd; unsigned long tag; unsigned long ret = 0xffff0000; int i; -#define FPREG_ADDR(f, n) ((char *)&(f)->st_space + (n) * 16); +#define FPREG_ADDR(f, n) ((void *)&(f)->st_space + (n) * 16); for ( i = 0 ; i < 8 ; i++ ) { if ( twd & 0x1 ) { - st = (struct _fpxreg *) FPREG_ADDR( fxsave, i ); + st = FPREG_ADDR( fxsave, (i - tos) & 7 ); switch ( st->exponent & 0x7fff ) { case 0x7fff: diff -urN linux-2.4.29-hf4/arch/sparc/Makefile linux-2.4.29-hf5/arch/sparc/Makefile --- linux-2.4.29-hf4/arch/sparc/Makefile 2004-08-08 01:26:04.000000000 +0200 +++ linux-2.4.29-hf5/arch/sparc/Makefile 2005-03-19 17:47:41.000000000 +0100 @@ -45,6 +45,7 @@ $(TOPDIR)/arch/sparc/lib/lib.a # This one has to come last +_dir_arch/sparc/boot : $(patsubst %, _dir_%, $(SUBDIRS)) SUBDIRS += arch/sparc/boot CORE_FILES_NO_BTFIX := $(CORE_FILES) CORE_FILES += arch/sparc/boot/btfix.o diff -urN linux-2.4.29-hf4/arch/sparc/boot/Makefile linux-2.4.29-hf5/arch/sparc/boot/Makefile --- linux-2.4.29-hf4/arch/sparc/boot/Makefile 2002-08-03 02:39:43.000000000 +0200 +++ linux-2.4.29-hf5/arch/sparc/boot/Makefile 2005-03-19 17:47:41.000000000 +0100 @@ -26,11 +26,14 @@ BTLIBS := $(CORE_FILES_NO_BTFIX) $(FILESYSTEMS) \ $(DRIVERS) $(NETWORKS) -# I wanted to make this depend upon BTOBJS so that a parallel -# build would work, but this fails because $(HEAD) cannot work -# properly as it will cause head.o to be built with the implicit -# rules not the ones in kernel/Makefile. Someone please fix. --DaveM -vmlinux.o: dummy +GENFILES := include/linux/version.h include/linux/compile.h $(foreach dirname, $(CORE_FILES_NO_BTFIX), _dir_$(dir $(dirname))) +.PHONY : $(GENFILES) +GENFILES += $(BTOBJS) + +$(GENFILES): + $(MAKE) -C $(TOPDIR) $@ + +vmlinux.o: $(GENFILES) $(LD) -r $(patsubst %,$(TOPDIR)/%,$(BTOBJS)) \ --start-group \ $(patsubst %,$(TOPDIR)/%,$(BTLIBS)) \ diff -urN linux-2.4.29-hf4/arch/x86_64/ia32/fpu32.c linux-2.4.29-hf5/arch/x86_64/ia32/fpu32.c --- linux-2.4.29-hf4/arch/x86_64/ia32/fpu32.c 2003-06-13 16:51:32.000000000 +0200 +++ linux-2.4.29-hf5/arch/x86_64/ia32/fpu32.c 2005-03-19 17:47:41.000000000 +0100 @@ -28,16 +28,17 @@ static inline unsigned long twd_fxsr_to_i387(struct i387_fxsave_struct *fxsave) { struct _fpxreg *st = NULL; + unsigned long tos = (fxsave->swd >> 11) & 7; unsigned long twd = (unsigned long) fxsave->twd; unsigned long tag; unsigned long ret = 0xffff0000; int i; -#define FPREG_ADDR(f, n) ((char *)&(f)->st_space + (n) * 16); +#define FPREG_ADDR(f, n) ((void *)&(f)->st_space + (n) * 16); for (i = 0 ; i < 8 ; i++) { if (twd & 0x1) { - st = (struct _fpxreg *) FPREG_ADDR( fxsave, i ); + st = FPREG_ADDR( fxsave, (i - tos) & 7 ); switch (st->exponent & 0x7fff) { case 0x7fff: diff -urN linux-2.4.29-hf4/drivers/char/pty.c linux-2.4.29-hf5/drivers/char/pty.c --- linux-2.4.29-hf4/drivers/char/pty.c 2005-01-27 18:57:32.000000000 +0100 +++ linux-2.4.29-hf5/drivers/char/pty.c 2005-03-19 17:47:41.000000000 +0100 @@ -218,13 +218,15 @@ static int pty_chars_in_buffer(struct tty_struct *tty) { struct tty_struct *to = tty->link; + ssize_t (*chars_in_buffer)(struct tty_struct *); int count; - if (!to || !to->ldisc.chars_in_buffer) + /* We should get the line discipline lock for "tty->link" */ + if (!to || !(chars_in_buffer = to->ldisc.chars_in_buffer)) return 0; /* The ldisc must report 0 if no characters available to be read */ - count = to->ldisc.chars_in_buffer(to); + count = chars_in_buffer(to); if (tty->driver.subtype == PTY_TYPE_SLAVE) return count; diff -urN linux-2.4.29-hf4/drivers/char/softdog.c linux-2.4.29-hf5/drivers/char/softdog.c --- linux-2.4.29-hf4/drivers/char/softdog.c 2003-11-28 19:26:20.000000000 +0100 +++ linux-2.4.29-hf5/drivers/char/softdog.c 2005-03-19 17:47:41.000000000 +0100 @@ -124,7 +124,7 @@ * Shut off the timer. * Lock it in if it's a module and we set nowayout */ - if (expect_close || nowayout == 0) { + if (expect_close && nowayout == 0) { del_timer(&watchdog_ticktock); } else { printk(KERN_CRIT "SOFTDOG: WDT device closed unexpectedly. WDT will not stop!\n"); diff -urN linux-2.4.29-hf4/drivers/net/ppp_async.c linux-2.4.29-hf5/drivers/net/ppp_async.c --- linux-2.4.29-hf4/drivers/net/ppp_async.c 2005-01-27 18:57:32.000000000 +0100 +++ linux-2.4.29-hf5/drivers/net/ppp_async.c 2005-03-19 17:47:41.000000000 +0100 @@ -996,7 +996,7 @@ data += 4; dlen -= 4; /* data[0] is code, data[1] is length */ - while (dlen >= 2 && dlen >= data[1]) { + while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) { switch (data[0]) { case LCP_MRU: val = (data[2] << 8) + data[3]; diff -urN linux-2.4.29-hf4/drivers/scsi/osst.c linux-2.4.29-hf5/drivers/scsi/osst.c --- linux-2.4.29-hf4/drivers/scsi/osst.c 2004-08-08 01:26:05.000000000 +0200 +++ linux-2.4.29-hf5/drivers/scsi/osst.c 2005-03-19 17:47:41.000000000 +0100 @@ -5505,7 +5505,6 @@ read: osst_read, write: osst_write, ioctl: osst_ioctl, - llseek: no_llseek, open: os_scsi_tape_open, flush: os_scsi_tape_flush, release: os_scsi_tape_close, diff -urN linux-2.4.29-hf4/mm/memory.c linux-2.4.29-hf5/mm/memory.c --- linux-2.4.29-hf4/mm/memory.c 2005-01-27 18:57:34.000000000 +0100 +++ linux-2.4.29-hf5/mm/memory.c 2005-03-19 17:47:41.000000000 +0100 @@ -499,9 +499,11 @@ /* FIXME: call the correct function, * depending on the type of the found page */ - if (!pages[i]) - goto bad_page; - page_cache_get(pages[i]); + if (!pages[i] || PageReserved(pages[i])) { + if (pages[i] != ZERO_PAGE(start)) + goto bad_page; + } else + page_cache_get(pages[i]); } if (vmas) vmas[i] = vma; diff -urN linux-2.4.29-hf4/mm/page_alloc.c linux-2.4.29-hf5/mm/page_alloc.c --- linux-2.4.29-hf4/mm/page_alloc.c 2004-11-17 12:54:22.000000000 +0100 +++ linux-2.4.29-hf5/mm/page_alloc.c 2005-03-19 17:47:41.000000000 +0100 @@ -551,7 +551,7 @@ class_idx = zone_idx(zone); sum += zone->nr_cache_pages; - for (zone = pgdat->node_zones; zone < pgdat->node_zones + MAX_NR_ZONES; zone++) { + for (; zone; zone = *zonep++) { int free = zone->free_pages - zone->watermarks[class_idx].high; if (free <= 0) continue; - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/