[kernel] r16594 - in dists/lenny-security/linux-2.6: . debian debian/patches/bugfix/all debian/patches/series

Dann Frazier dannf at alioth.debian.org
Thu Nov 25 00:34:44 UTC 2010


Author: dannf
Date: Thu Nov 25 00:34:42 2010
New Revision: 16594

Log:
merge 2.6.26-26

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/SCSI-mptsas-fix-hangs-caused-by-ATA-pass-through.patch
      - copied unchanged from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/SCSI-mptsas-fix-hangs-caused-by-ATA-pass-through.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/math-emu-correct-test-for-downshifting-fraction.patch
      - copied unchanged from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/math-emu-correct-test-for-downshifting-fraction.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r6040-Fix-multicast-list-iteration.patch
      - copied unchanged from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/r6040-Fix-multicast-list-iteration.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r6040-fix-r6040_multicast_list.patch
      - copied unchanged from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/r6040-fix-r6040_multicast_list.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-kernel-crash-due-to-corrupted-inode-log.patch
      - copied unchanged from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/xfs-prevent-kernel-crash-due-to-corrupted-inode-log.patch
   dists/lenny-security/linux-2.6/debian/patches/series/26
      - copied unchanged from r16593, releases/linux-2.6/2.6.26-26/debian/patches/series/26
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny1
      - copied unchanged from r16591, dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Deleted:
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified:
   dists/lenny-security/linux-2.6/   (props changed)
   dists/lenny-security/linux-2.6/debian/changelog

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Thu Nov 25 00:26:16 2010	(r16593)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Nov 25 00:34:42 2010	(r16594)
@@ -1,4 +1,4 @@
-linux-2.6 (2.6.26-25lenny2) UNRELEASED; urgency=high
+linux-2.6 (2.6.26-26lenny1) UNRELEASED; urgency=high
 
   * net sched: fix kernel leak in act_police (CVE-2010-3477)
   * aio: check for multiplication overflow in do_io_submit (CVE-2010-3067)
@@ -40,6 +40,18 @@
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 
+linux-2.6 (2.6.26-26) stable; urgency=high
+
+  [ Ben Hutchings ]
+  * [alpha,s390,sparc] math-emu: correct test for downshifting fraction in
+    _FP_FROM_INT() (Closes: #593193)
+  * SCSI/mptsas: fix hangs caused by ATA pass-through (Closes: #594690)
+  * xfs: prevent kernel crash due to corrupted inode log format
+    (Closes: #550733)
+  * r6040: Fix various bugs in r6040_multicast_list() (Closes: #600155)
+
+ -- dann frazier <dannf at debian.org>  Sat, 20 Nov 2010 15:30:51 -0700
+
 linux-2.6 (2.6.26-25lenny1) stable-security; urgency=high
 
   * irda: Correctly clean up self->ias_obj on irda_bind() failure.

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/SCSI-mptsas-fix-hangs-caused-by-ATA-pass-through.patch (from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/SCSI-mptsas-fix-hangs-caused-by-ATA-pass-through.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/SCSI-mptsas-fix-hangs-caused-by-ATA-pass-through.patch	Thu Nov 25 00:34:42 2010	(r16594, copy of r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/SCSI-mptsas-fix-hangs-caused-by-ATA-pass-through.patch)
@@ -0,0 +1,77 @@
+From: Ryan Kuester <rkuester at kspace.net>
+Date: Mon, 26 Apr 2010 18:11:54 -0500
+Subject: [PATCH] [SCSI] mptsas: fix hangs caused by ATA pass-through
+
+commit 2a1b7e575b80ceb19ea50bfa86ce0053ea57181d upstream.
+
+I may have an explanation for the LSI 1068 HBA hangs provoked by ATA
+pass-through commands, in particular by smartctl.
+
+First, my version of the symptoms.  On an LSI SAS1068E B3 HBA running
+01.29.00.00 firmware, with SATA disks, and with smartd running, I'm seeing
+occasional task, bus, and host resets, some of which lead to hard faults of
+the HBA requiring a reboot.  Abusively looping the smartctl command,
+
+    # while true; do smartctl -a /dev/sdb > /dev/null; done
+
+dramatically increases the frequency of these failures to nearly one per
+minute.  A high IO load through the HBA while looping smartctl seems to
+improve the chance of a full scsi host reset or a non-recoverable hang.
+
+I reduced what smartctl was doing down to a simple test case which
+causes the hang with a single IO when pointed at the sd interface.  See
+the code at the bottom of this e-mail.  It uses an SG_IO ioctl to issue
+a single pass-through ATA identify device command.  If the buffer
+userspace gives for the read data has certain alignments, the task is
+issued to the HBA but the HBA fails to respond.  If run against the sg
+interface, neither the test code nor smartctl causes a hang.
+
+sd and sg handle the SG_IO ioctl slightly differently.  Unless you
+specifically set a flag to do direct IO, sg passes a buffer of its own,
+which is page-aligned, to the block layer and later copies the result
+into the userspace buffer regardless of its alignment.  sd, on the other
+hand, always does direct IO unless the userspace buffer fails an
+alignment test at block/blk-map.c line 57, in which case a page-aligned
+buffer is created and used for the transfer.
+
+The alignment test currently checks for word-alignment, the default
+setup by scsi_lib.c; therefore, userspace buffers of almost any
+alignment are given directly to the HBA as DMA targets.  The LSI 1068
+hardware doesn't seem to like at least a couple of the alignments which
+cross a page boundary (see the test code below).  Curiously, many
+page-boundary-crossing alignments do work just fine.
+
+So, either the hardware has an bug handling certain alignments or the
+hardware has a stricter alignment requirement than the driver is
+advertising.  If stricter alignment is required, then in no case should
+misaligned buffers from userspace be allowed through without being
+bounced or at least causing an error to be returned.
+
+It seems the mptsas driver could use blk_queue_dma_alignment() to advertise
+a stricter alignment requirement.  If it does, sd does the right thing and
+bounces misaligned buffers (see block/blk-map.c line 57).  The following
+patch to 2.6.34-rc5 makes my symptoms go away.  I'm sure this is the wrong
+place for this code, but it gets my idea across.
+
+Acked-by: "Desai, Kashyap" <Kashyap.Desai at lsi.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/message/fusion/mptscsih.c |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c
+index 5c53624..407cb84 100644
+--- a/drivers/message/fusion/mptscsih.c
++++ b/drivers/message/fusion/mptscsih.c
+@@ -2459,6 +2459,8 @@ mptscsih_slave_configure(struct scsi_device *sdev)
+ 		ioc->name,sdev->tagged_supported, sdev->simple_tags,
+ 		sdev->ordered_tags));
+ 
++	blk_queue_dma_alignment (sdev->request_queue, 512 - 1);
++
+ 	return 0;
+ }
+ 
+-- 
+1.7.1
+

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/math-emu-correct-test-for-downshifting-fraction.patch (from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/math-emu-correct-test-for-downshifting-fraction.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/math-emu-correct-test-for-downshifting-fraction.patch	Thu Nov 25 00:34:42 2010	(r16594, copy of r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/math-emu-correct-test-for-downshifting-fraction.patch)
@@ -0,0 +1,56 @@
+From: Mikael Pettersson <mikpe at it.uu.se>
+Date: Tue, 20 Jul 2010 18:45:14 -0700
+Subject: [PATCH] math-emu: correct test for downshifting fraction in _FP_FROM_INT()
+
+commit f8324e20f8289dffc646d64366332e05eaacab25 upstream.
+
+The kernel's math-emu code contains a macro _FP_FROM_INT() which is
+used to convert an integer to a raw normalized floating-point value.
+It does this basically in three steps:
+
+1. Compute the exponent from the number of leading zero bits.
+2. Downshift large fractions to put the MSB in the right position
+   for normalized fractions.
+3. Upshift small fractions to put the MSB in the right position.
+
+There is an boundary error in step 2, causing a fraction with its
+MSB exactly one bit above the normalized MSB position to not be
+downshifted.  This results in a non-normalized raw float, which when
+packed becomes a massively inaccurate representation for that input.
+
+The impact of this depends on a number of arch-specific factors,
+but it is known to have broken emulation of FXTOD instructions
+on UltraSPARC III, which was originally reported as GCC bug 44631
+<http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44631>.
+
+Any arch which uses math-emu to emulate conversions from integers to
+same-size floats may be affected.
+
+The fix is simple: the exponent comparison used to determine if the
+fraction should be downshifted must be "<=" not "<".
+
+I'm sending a kernel module to test this as a reply to this message.
+There are also SPARC user-space test cases in the GCC bug entry.
+
+Signed-off-by: Mikael Pettersson <mikpe at it.uu.se>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ include/math-emu/op-common.h |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/include/math-emu/op-common.h b/include/math-emu/op-common.h
+index 408f743..a4cb9d1 100644
+--- a/include/math-emu/op-common.h
++++ b/include/math-emu/op-common.h
+@@ -793,7 +793,7 @@ do {									\
+ 		X##_e -= (_FP_W_TYPE_SIZE - rsize);			\
+ 	X##_e = rsize - X##_e - 1;					\
+ 									\
+-	if (_FP_FRACBITS_##fs < rsize && _FP_WFRACBITS_##fs < X##_e)	\
++	if (_FP_FRACBITS_##fs < rsize && _FP_WFRACBITS_##fs <= X##_e)	\
+ 	  __FP_FRAC_SRS_1(ur_, (X##_e - _FP_WFRACBITS_##fs + 1), rsize);\
+ 	_FP_FRAC_DISASSEMBLE_##wc(X, ur_, rsize);			\
+ 	if ((_FP_WFRACBITS_##fs - X##_e - 1) > 0)			\
+-- 
+1.7.1
+

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r6040-Fix-multicast-list-iteration.patch (from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/r6040-Fix-multicast-list-iteration.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r6040-Fix-multicast-list-iteration.patch	Thu Nov 25 00:34:42 2010	(r16594, copy of r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/r6040-Fix-multicast-list-iteration.patch)
@@ -0,0 +1,33 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Fri, 15 Oct 2010 04:21:39 +0100
+Subject: [PATCH 2/2] r6040: Fix multicast list iteration when hash filter is used
+
+After walking the multicast list to set up the hash filter, this
+function will walk off the end of the list when filling the
+exact-match entries.  This was fixed in mainline by the interface
+change made in commit f9dcbcc9e338d08c0f7de7eba4eaafbbb7f81249.
+
+Reported-by: spamalot at hispeed.ch
+Reference: https://bugzilla.kernel.org/show_bug.cgi?id=15355
+Reported-by: Jason Heeris <jason.heeris at gmail.com>
+Reference: http://bugs.debian.org/600155
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/net/r6040.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/net/r6040.c b/drivers/net/r6040.c
+index ac865e1..9ee9f01 100644
+--- a/drivers/net/r6040.c
++++ b/drivers/net/r6040.c
+@@ -992,6 +992,7 @@ static void r6040_multicast_list(struct net_device *dev)
+ 		iowrite16(hash_table[3], ioaddr + MAR3);
+ 	}
+ 	/* Multicast Address 1~4 case */
++	dmi = dev->mc_list;
+ 	for (i = 0, dmi; (i < dev->mc_count) && (i < MCAST_MAX); i++) {
+ 		adrp = (u16 *)dmi->dmi_addr;
+ 		iowrite16(adrp[0], ioaddr + MID_1L + 8*i);
+-- 
+1.7.1
+

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r6040-fix-r6040_multicast_list.patch (from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/r6040-fix-r6040_multicast_list.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r6040-fix-r6040_multicast_list.patch	Thu Nov 25 00:34:42 2010	(r16594, copy of r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/r6040-fix-r6040_multicast_list.patch)
@@ -0,0 +1,66 @@
+From: Florian Fainelli <florian at openwrt.org>
+Date: Wed, 7 Apr 2010 16:50:58 -0700
+Subject: [PATCH 1/2] r6040: fix r6040_multicast_list
+
+commit 3bcf8229a8c49769e48d3e0bd1e20d8e003f8106 upstream.
+
+As reported in <https://bugzilla.kernel.org/show_bug.cgi?id=15355>, r6040_
+multicast_list currently crashes. This is due a wrong maximum of multicast
+entries. This patch fixes the following issues with multicast:
+
+- number of maximum entries if off-by-one (4 instead of 3)
+
+- the writing of the hash table index is not necessary and leads to invalid
+values being written into the MCR1 register, so the MAC is simply put in a non
+coherent state
+
+- when we exceed the maximum number of mutlticast address, writing the
+broadcast address should be done in registers MID_1{L,M,H} instead of
+MID_O{L,M,H}, otherwise we would loose the adapter's MAC address
+
+Signed-off-by: Florian Fainelli <florian at openwrt.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Adjust context for 2.6.27]
+---
+ drivers/net/r6040.c |   11 ++++-------
+ 1 files changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/r6040.c b/drivers/net/r6040.c
+index 8b14c6e..ac865e1 100644
+--- a/drivers/net/r6040.c
++++ b/drivers/net/r6040.c
+@@ -135,7 +135,7 @@
+ #define RX_DESC_SIZE	(RX_DCNT * sizeof(struct r6040_descriptor))
+ #define TX_DESC_SIZE	(TX_DCNT * sizeof(struct r6040_descriptor))
+ #define MBCR_DEFAULT	0x012A	/* MAC Bus Control Register */
+-#define MCAST_MAX	4	/* Max number multicast addresses to filter */
++#define MCAST_MAX	3	/* Max number multicast addresses to filter */
+ 
+ /* PHY settings */
+ #define ICPLUS_PHY_ID	0x0243
+@@ -985,9 +985,6 @@ static void r6040_multicast_list(struct net_device *dev)
+ 			crc >>= 26;
+ 			hash_table[crc >> 4] |= 1 << (15 - (crc & 0xf));
+ 		}
+-		/* Write the index of the hash table */
+-		for (i = 0; i < 4; i++)
+-			iowrite16(hash_table[i] << 14, ioaddr + MCR1);
+ 		/* Fill the MAC hash tables with their values */
+ 		iowrite16(hash_table[0], ioaddr + MAR0);
+ 		iowrite16(hash_table[1], ioaddr + MAR1);
+@@ -1003,9 +1000,9 @@ static void r6040_multicast_list(struct net_device *dev)
+ 		dmi = dmi->next;
+ 	}
+ 	for (i = dev->mc_count; i < MCAST_MAX; i++) {
+-		iowrite16(0xffff, ioaddr + MID_0L + 8*i);
+-		iowrite16(0xffff, ioaddr + MID_0M + 8*i);
+-		iowrite16(0xffff, ioaddr + MID_0H + 8*i);
++		iowrite16(0xffff, ioaddr + MID_1L + 8*i);
++		iowrite16(0xffff, ioaddr + MID_1M + 8*i);
++		iowrite16(0xffff, ioaddr + MID_1H + 8*i);
+ 	}
+ }
+ 
+-- 
+1.7.1
+

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-kernel-crash-due-to-corrupted-inode-log.patch (from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/xfs-prevent-kernel-crash-due-to-corrupted-inode-log.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-kernel-crash-due-to-corrupted-inode-log.patch	Thu Nov 25 00:34:42 2010	(r16594, copy of r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/xfs-prevent-kernel-crash-due-to-corrupted-inode-log.patch)
@@ -0,0 +1,50 @@
+From: Christoph Hellwig <hch at infradead.org>
+Date: Tue, 3 Mar 2009 14:48:36 -0500
+Subject: [PATCH] xfs: prevent kernel crash due to corrupted inode log format
+
+commit e8fa6b483feebd23ded5eb01afd7a6e82b6078c6 upstream.
+
+Andras Korn reported an oops on log replay causes by a corrupted
+xfs_inode_log_format_t passing a 0 size to kmem_zalloc.  This patch handles
+to small or too large numbers of log regions gracefully by rejecting the
+log replay with a useful error message.
+
+Signed-off-by: Christoph Hellwig <hch at lst.de>
+Reported-by: Andras Korn <korn-sgi.com at chardonnay.math.bme.hu>
+Reviewed-by: Eric Sandeen <sandeen at sandeen.net>
+Signed-off-by: Felix Blyakher <felixb at sgi.com>
+---
+ fs/xfs/xfs_log_recover.c |   17 +++++++++++++----
+ 1 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
+index 504d540..ceeba45 100644
+--- a/fs/xfs/xfs_log_recover.c
++++ b/fs/xfs/xfs_log_recover.c
+@@ -1455,10 +1455,19 @@ xlog_recover_add_to_trans(
+ 	item = item->ri_prev;
+ 
+ 	if (item->ri_total == 0) {		/* first region to be added */
+-		item->ri_total	= in_f->ilf_size;
+-		ASSERT(item->ri_total <= XLOG_MAX_REGIONS_IN_ITEM);
+-		item->ri_buf = kmem_zalloc((item->ri_total *
+-					    sizeof(xfs_log_iovec_t)), KM_SLEEP);
++		if (in_f->ilf_size == 0 ||
++		    in_f->ilf_size > XLOG_MAX_REGIONS_IN_ITEM) {
++			xlog_warn(
++	"XFS: bad number of regions (%d) in inode log format",
++				  in_f->ilf_size);
++			ASSERT(0);
++			return XFS_ERROR(EIO);
++		}
++
++		item->ri_total = in_f->ilf_size;
++		item->ri_buf =
++			kmem_zalloc(item->ri_total * sizeof(xfs_log_iovec_t),
++				    KM_SLEEP);
+ 	}
+ 	ASSERT(item->ri_total > item->ri_cnt);
+ 	/* Description region is ri_buf[0] */
+-- 
+1.7.1
+

Copied: dists/lenny-security/linux-2.6/debian/patches/series/26 (from r16593, releases/linux-2.6/2.6.26-26/debian/patches/series/26)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26	Thu Nov 25 00:34:42 2010	(r16594, copy of r16593, releases/linux-2.6/2.6.26-26/debian/patches/series/26)
@@ -0,0 +1,5 @@
++ bugfix/all/math-emu-correct-test-for-downshifting-fraction.patch
++ bugfix/all/SCSI-mptsas-fix-hangs-caused-by-ATA-pass-through.patch
++ bugfix/all/xfs-prevent-kernel-crash-due-to-corrupted-inode-log.patch
++ bugfix/all/r6040-fix-r6040_multicast_list.patch
++ bugfix/all/r6040-Fix-multicast-list-iteration.patch

Copied: dists/lenny-security/linux-2.6/debian/patches/series/26lenny1 (from r16591, dists/lenny-security/linux-2.6/debian/patches/series/25lenny2)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny1	Thu Nov 25 00:34:42 2010	(r16594, copy of r16591, dists/lenny-security/linux-2.6/debian/patches/series/25lenny2)
@@ -0,0 +1,33 @@
++ bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
++ bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch
++ bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/net-eql-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
++ bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
++ bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
++ bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
++ bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch
++ bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
++ bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch
++ bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch
++ bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch
++ bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch
++ bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/video-sis-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch
++ bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch
++ bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
++ bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
++ bugfix/all/net-ax25-fix-information-leak-to-userland.patch
++ bugfix/all/can-bcm-fix-minor-heap-overflow.patch
++ bugfix/all/net-tipc-fix-information-leak-to-userland.patch
++ bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch
++ bugfix/all/ipc-shm-fix-information-leak-to-userland.patch
++ bugfix/all/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
++ bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/gdth-integer-overflow-in-ioctl.patch
++ bugfix/all/econet-fix-redeclaration-of-symbol-len.patch
++ bugfix/all/econet-disallow-NULL-remote-addr-for-sendmsg.patch
++ bugfix/all/econet-add-missing-check-for-CAP_NET_ADMIN.patch
++ bugfix/all/econet-coalesced-iovec.patch



More information about the Kernel-svn-changes mailing list