r2674 - in trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian: . patches
Sven Luther
luther@costa.debian.org
Fri, 11 Mar 2005 15:48:59 +0100
Author: luther
Date: 2005-03-11 15:48:58 +0100 (Fri, 11 Mar 2005)
New Revision: 2674
Modified:
trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog
trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/TODO
Log:
Updated TODO list, only non-free firmware pruning needs to be cleared.
Added the full released 2.6.10-6 changelog entry instead of the old unreleased one.
Modified: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog 2005-03-11 06:35:08 UTC (rev 2673)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog 2005-03-11 14:48:58 UTC (rev 2674)
@@ -26,7 +26,7 @@
-- Sven Luther <luther@debian.org> Mon, 7 Mar 2005 14:56:32 +0100
-kernel-source-2.6.10 (2.6.10-6) UNRELEASED; urgency=low
+kernel-source-2.6.10 (2.6.10-6) unstable; urgency=low
* Updated kernel-tree description from Martin F Krafft
(Simon Horman)
@@ -72,9 +72,247 @@
* sparc64-sb1500-clock-2.6.dpatch by David Miller: enable recognition
of the clock chip on SunBlade 1500, it won't boot otherwise.
(Jurij Smakov).
+
+ * 088-ibmvscsi_event_struct_use_after_free.dpatch
+ The ibmvscsi driver has paths that free evt_struct, and then proceed to
+ use it. That's clearly a no-no in SMP/threaded contexts; once an evt_struct
+ is free, something else may grab it. So, this patch:
+ - moves the free_event_struct() to after usage of the evt_struct
+ - creates a single path for cleanup
+ - calls evt_struct->done during cleanup, which is something that
+ should've been happening.
+ (Andres Salomon)
+
+ * 089-i386_acpi_backwards_ifdef.dpatch
+ [I386] An ACPI related printk is wrapped in an #ifdef that should be an
+ #ifndef. Correct that (Andres Salomon).
- -- Frederik Schüler <fs@gmx.net> Fri, 25 Feb 2005 22:49:22 +0100
+ * 090-alsa_midi_emulation_chorus_reverb_swap.dpatch
+ [ALSA] seq_midi_emul.c had CHORUS_MODE and REVERB_MODE swapped in sysex().
+ This patch fixes that (Andres Salomon).
+ * 091-alsa_emu8000_load_fx_skip_header.patch
+ [ALSA] emu8000's load_fx() loads a userspace blob, and should be skipping
+ over the header (Andres Salomon).
+
+ * 092-net_sched_police_locate_sanity_check_input.dpatch
+ [NET] Some sanity checks are needed to ensure payloads are the same size
+ as the structures they're being copied into. AFAICT, there's no way for a
+ malicious user to inject a payload in here (it looks like police_locate
+ stuff is called during routing changes by root); however, I can't say that
+ I'm too familiar w/ tcf stuff (Andres Salomon).
+
+ * 093-e1000_eeprom_read_off_by_one.dpatch
+ The e1000 driver's read_eeprom and write_eeprom functions allowed a bit to
+ much data to be read/written; an extra word. Fix that (Andres Salomon).
+
+ * 094-scsi_device_set_state_missing_oldstate.dpatch
+ [SCSI] scsi_device_set_state() might be setting a device offline, w/ an
+ oldstate of BLOCK; that shouldn't be considered an error. Add the missing
+ state transition (Andres Salomon).
+
+ * 095-jffs2_build_filesystem_memory_leak.dpatch
+ [JFFS2] Fix memory leak in jffs2_build_filesystem(), if jffs2_scan_medium
+ fails (Andres Salomon).
+
+ * 096-mtd_formatblock_zero_before_assignment.dpatch
+ [MTD] Inside NFTL_formatblock and INFTL_formatblock, the code was previously
+ assigning values to instr, then zero'ing out the values. Instead, move the
+ assignment to after the memset (Andres Salomon).
+
+ * 097-mtd_s3c2410_nand_inithw_calc_rate_fix.dpatch
+ [MTD] s3c2410_nand_inithw() was pulling timing information from the wrong
+ place, making the timing incorrect. This patch makes it pull the info from
+ the right place (Andres Salomon).
+
+ * 098-jffs2_do_mount_fs_init_bad_count.dpatch
+ [JFFS2] Initialize each eraseblock's bad_count to 0 in jffs2_do_mount_fs().
+ Unitialized memory sure is fun, eh? (Andres Salomon)
+
+ * 099-jfs_commit_inode_commit_race.dpatch
+ [JFS] Fix race in jfs_commit_inode(); before actually doing the commit,
+ retest to ensure that the inode is both dirty and linked (Andres Salomon).
+
+ * 101-ppc64_hugetlb_mm_free_pgd_unlock.dpatch
+ [PPC64] In hugetlb_mm_free_pgd(), mm->page_table_lock is locked, but never
+ unlocked in the event of an error. This patch fixes that (Andres Salomon).
+
+ * 102-cosa_sppp_channel_init_delay_attach.dpatch
+ Fix buglet in cosa's sppp_channel_init(); do not call sppp_attach() until
+ the netdev contains info that sppp_attach needs (Andres Salomon).
+
+ * 104-wan_sdla_firmware_cap_sys_rawio_addition.dpatch
+ [SECURITY] The SDLA driver only checked CAP_NET_ADMIN when doing firmware
+ uploads. This patch adds an additional check for CAP_SYS_RAWIO, as well
+ (Andres Salomon).
+
+ * 107-xfs_finish_reclaim_always_inode.dpatch
+ [XFS] In xfs_finish_reclaim(), xfs_ireclaim() should always be called
+ (unless there's some sort of locking problem) before returning
+ (Andres Salomon).
+
+ * 108-xfs_attrmulti_by_handle_limit_mem_alloc.dpatch
+ [SECURITY] xfs_ioctl(XFS_IOC_ATTRMULTI_BY_HANDLE) calls
+ xfs_attrmulti_by_handle, which allocates memory based on user input. This
+ patch adds a check for a max size of memory to alloc; otherwise, a user
+ can potentially DoS the system by exhausting memory. Not sure whether root
+ is required to open the vnode device, but to be on the safe side...
+ (Andres Salomon)
+
+ * 109-binfmt_elf_loader_solar_designer_fixes.dpatch
+ [SECURITY] Fix from Solar Designer; the binfmt_elf load routines are
+ returning incorrect values, and are not strict enough in checking the
+ number of program headers (Andres Salomon).
+
+ * 110-load_module_arg_checking.dpatch
+ If the parsing of module args failed, the module could still be loaded
+ successfully. Fix that (Andres Salomon).
+
+ * 111-security_seclvl_kconfig_dep.dpatch
+ Add a Kconfig dependency on CRYPTO for SECURITY_SECLVL (Andres Salomon).
+
+ * 112-audit_receive_skb_double_negative_return_val.dpatch
+ audit_receive_skb negates the err it receives from audit_receive_msg. It
+ shouldn't do that (Andres Salomon).
+
+ * 114-netfilter_private_queues.dpatch
+ [NETFILTER] Amongst netfilter users, skb frag queues were shared. This
+ could cause problems. See
+ http://oss.sgi.com/archives/netdev/2005-01/threads.html#01036 for more
+ details (Andres Salomon).
+
+ * 115-proc_file_read_nbytes_signedness_fix.dpatch
+ [SECURITY] Heap overflow fix in /proc; WDYBTGT3-1 on
+ http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
+ No CAN# assigned yet, afaik (Andres Salomon).
+
+ * 116-n_tty_copy_from_read_buf_signedness_fixes.dpatch
+ [SECURITY] copy_from_read_buf() fix; WDYBTGT3-2 on
+ http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
+ No CAN#, yet (Andres Salomon).
+
+ * 117-reiserfs_file_64bit_size_t_fixes.dpatch
+ [SECURITY] reiserfs integer fixes; WDYBTGT3-4 on
+ http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
+ (Andres Salomon).
+
+ * 118-i2c_sis5595_setup_pci_config_return_checks.dpatch
+ [I2C] The i2c-sis5595 was forward ported from 2.4, but the calls to
+ read the pci config registers were never updated for 2.6. As such, they
+ are incorrectly handling the results of the function calls
+ (Andres Salomon).
+
+ * 119-i2c_viapro_i2cdump_overflow.dpatch
+ [SECURITY] Fix a very hard to exploit buffer overflow in the i2c-viapro
+ driver (Andres Salomon).
+
+ * 120-openpromfs_property_read_fix.dpatch
+ Fix an oopsable condition in Openpromfs's property_read() (Andres Salomon).
+
+ * 121-cpufreq_resume_readd.dpatch
+ [CPUFREQ] Somewhere around 2.6.6, a call to cpufreq_driver->resume() was
+ accidentally dropped. Readd it (Andres Salomon).
+
+ * 122-cpufreq_resume_readd_2.dpatch
+ [CPUFREQ] Fix a problem w/ 121-cpufreq_resume_readd.patch, where a return
+ value was not being checked correctly (Andres Salomon).
+
+ * 123-atm_get_addr_signedness_fix.dpatch
+ [SECURITY] Fix atm_get_addr()'s usage of its size arg, by making it
+ unsigned. WDYBTGT3-3 on
+ http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
+ (Andres Salomon).
+
+ * 125-netfilter_private_queues_2.dpatch
+ [SECURITY] Add missing bits needed to make 114-netfilter_private_queues.patch
+ compile. Patch stolen from ubuntu (mainly to keep the same ABI)
+ (Andres Salomon).
+
+ * 126-ftdi_sio_set_serial_info_baud_base_check.dpatch
+ [USB] Change ftdi_sio's set_serial_info() to do a correct check for baud_base;
+ it should be checking if baud_base<9600 if the baud_base has changed
+ (Andres Salomon).
+
+ * 129-video_cg3_screen_blanking.dpatch
+ [SPARC] Fix cg3 blanking; the driver was setting _ENABLE_VIDEO on POWERDOWN,
+ instead of unsetting it (Andres Salomon).
+
+ * 130-sparc_prom_nodematch_check_getproperty.dpatch
+ [SPARC] In prom_nodematch, check whether prom_getproperty() actually
+ succeeds before using the string it sets (Andres Salomon).
+
+ * 131-sparc_check_prom_getproperty.dpatch
+ [SPARC] Check return value from prom_getproperty() in various places where
+ it wasn't being checked (Andres Salomon).
+
+ * 132-sparc32_get_tv32_use_correct_variable.dpatch
+ [SPARC] get_tv32() uses a non-existent variable 'tv32'. Fix that
+ (Andres Salomon).
+
+ * 133-scsi_advansys_build_with_non_pci.dpatch
+ [SCSI] Allow advansys driver to compile if CONFIG_PCI isn't set
+ (Andres Salomon).
+
+ * 134-cciss_scsi_detect_put_host_on_error.dpatch
+ [SCSI] cciss_scsi_detect() calls scsi_add_host(), which bumps the refcount
+ (even in the event of an error). Thus, if scsi_add_host fails, the
+ scsi host refcount needs to be decremented; so, call scsi_host_put upon
+ error (Andres Salomon).
+
+ * 135-64bit_sys_shmget_compat_size_t_overflow.dpatch
+ 64bit archs that offer 32bit compat wrappers for sys_shmget were mostly
+ passing the second arg as a 32bit signed int; what would happen then is,
+ it would be casted to a size_t (64bit unsigned), and the sign would cause
+ it to overflow. Instead, we need to cast to a 32bit unsigned value first,
+ and then cast to 64bit unsigned (Andres Salomon).
+
+ * 136-64bit_sys_compat_overflows.dpatch
+ More of the same as 135*.dpatch, except for stuff like sys_ipc, sys_semget,
+ sys_msgsnd, etc (Andres Salomon).
+
+ * 137-ppc64_prom_initialize_tce_table_typo.dpatch
+ [PPC64] prom_initialize_tce_table() refers to 'vbase', which doesn't
+ actually exist; instead, 'base' was what was meant (Andres Salomon).
+
+ * 138-tulip_de_init_one_irq_init.dpatch
+ The tulip driver's de_init_one() was using pdev->irq before it had been
+ initialized. Move its usage until after it has been initted
+ (Andres Salomon).
+
+ * 139-pci_dma_free_coherent.dpatch
+ [I386] dma_free_coherent() was calling kmalloc with its args reversed;
+ clearly incorrect (Andres Salomon).
+
+ * 140-s390_memset_arg_order_fixes.dpatch
+ [S390] Fix various drivers that call memset() with args in the wrong order
+ (Andres Salomon).
+
+ * 141-pci_devices_dont_disable_dev_if_busy.dpatch
+ For various pci devices, if pci_request_regions fails (because resources
+ are already in use), don't disable the pci device (someone else is using it)
+ (Andres Salomon).
+
+ * 142-r8169_dev_alloc_skb_alignment_fix.dpatch
+ The r8169 driver wasn't alloc'ing enough memory for skbs; the size should
+ be padded by NET_IP_ALIGN (Andres Salomon).
+
+ * 143-sysfs_write_file_signedness_problem.dpatch
+ [SYSFS] sysfs_write_file assigns the result of fill_write_buffer (which is
+ signed and returns negative upon error) to an unsigned int. Clearly, bad
+ and wrong.. (Andres Salomon)
+
+ * 144-sys_epoll_wait_int_overflow.dpatch
+ [SECURITY] sys_epoll_wait contains an integer overflow; see
+ http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html for additional
+ details (Andres Salomon).
+
+ * ipv4-fragment-queues.dpatch, ipv4-fragment-queues-2.dpatch:
+ Drop netfilter frag queue stuff, as a) it's an ABI change,
+ b) it's fixed in 2.6.11, and c) it's not that critical. It's more
+ important to get other 2.6.10 fixes out to people (Andres Salomon).
+
+ -- Andres Salomon <dilinger@voxel.net> Thu, 10 Mar 2005 18:25:39 -0500
+
kernel-source-2.6.10 (2.6.10-5) unstable; urgency=low
* Change $((exp) | exp) to $( (exp) | exp), so things work with dash
Modified: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/TODO
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/TODO 2005-03-11 06:35:08 UTC (rev 2673)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/TODO 2005-03-11 14:48:58 UTC (rev 2674)
@@ -1,9 +1,9 @@
# + remove-references-to-removed-drivers.dpatch # FAILED
-# + ia64-generic-no-smp.dpatch # FAILED
-# + ia64-generic-no-smp-1-to-2.dpatch # FAILED
# tg3: sed script to just kill the tg3 firmware
# + keep the patch to add firmware loading separate
# + ipv4-fragment-queues-2.dpatch # DROP, code seems to have dissapeared upstream ?
+# + outs.dpatch # DROP, dropped on trippeh's recomendation.
-# + outs.dpatch # DROP, dropped on trippeh's recomendation.
+# + ia64-generic-no-smp.dpatch # DROP, a new patch is needed.
+# + ia64-generic-no-smp-1-to-2.dpatch # DROP, a new patch is needed.