[kernel] r16594 - in dists/lenny-security/linux-2.6: . debian debian/patches/bugfix/all debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Nov 25 00:34:44 UTC 2010
Author: dannf
Date: Thu Nov 25 00:34:42 2010
New Revision: 16594
Log:
merge 2.6.26-26
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/SCSI-mptsas-fix-hangs-caused-by-ATA-pass-through.patch
- copied unchanged from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/SCSI-mptsas-fix-hangs-caused-by-ATA-pass-through.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/math-emu-correct-test-for-downshifting-fraction.patch
- copied unchanged from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/math-emu-correct-test-for-downshifting-fraction.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r6040-Fix-multicast-list-iteration.patch
- copied unchanged from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/r6040-Fix-multicast-list-iteration.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r6040-fix-r6040_multicast_list.patch
- copied unchanged from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/r6040-fix-r6040_multicast_list.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-kernel-crash-due-to-corrupted-inode-log.patch
- copied unchanged from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/xfs-prevent-kernel-crash-due-to-corrupted-inode-log.patch
dists/lenny-security/linux-2.6/debian/patches/series/26
- copied unchanged from r16593, releases/linux-2.6/2.6.26-26/debian/patches/series/26
dists/lenny-security/linux-2.6/debian/patches/series/26lenny1
- copied unchanged from r16591, dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Deleted:
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified:
dists/lenny-security/linux-2.6/ (props changed)
dists/lenny-security/linux-2.6/debian/changelog
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Nov 25 00:26:16 2010 (r16593)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Nov 25 00:34:42 2010 (r16594)
@@ -1,4 +1,4 @@
-linux-2.6 (2.6.26-25lenny2) UNRELEASED; urgency=high
+linux-2.6 (2.6.26-26lenny1) UNRELEASED; urgency=high
* net sched: fix kernel leak in act_police (CVE-2010-3477)
* aio: check for multiplication overflow in do_io_submit (CVE-2010-3067)
@@ -40,6 +40,18 @@
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
+linux-2.6 (2.6.26-26) stable; urgency=high
+
+ [ Ben Hutchings ]
+ * [alpha,s390,sparc] math-emu: correct test for downshifting fraction in
+ _FP_FROM_INT() (Closes: #593193)
+ * SCSI/mptsas: fix hangs caused by ATA pass-through (Closes: #594690)
+ * xfs: prevent kernel crash due to corrupted inode log format
+ (Closes: #550733)
+ * r6040: Fix various bugs in r6040_multicast_list() (Closes: #600155)
+
+ -- dann frazier <dannf at debian.org> Sat, 20 Nov 2010 15:30:51 -0700
+
linux-2.6 (2.6.26-25lenny1) stable-security; urgency=high
* irda: Correctly clean up self->ias_obj on irda_bind() failure.
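Review bot: the trailer kept as context at the top of the second hunk (Thu, 30 Sep 2010) appears to close the entry that the first hunk renames to 2.6.26-26lenny1, while the merged 2.6.26-26 entry inserted beneath it is dated Sat, 20 Nov 2010, so the newest entry carries the older timestamp. Since the top entry is still UNRELEASED this is harmless for now, but the trailer should be refreshed at release time, and the 26lenny1 entry should say that it is now based on 2.6.26-26 if it does not already.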
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/SCSI-mptsas-fix-hangs-caused-by-ATA-pass-through.patch (from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/SCSI-mptsas-fix-hangs-caused-by-ATA-pass-through.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/SCSI-mptsas-fix-hangs-caused-by-ATA-pass-through.patch Thu Nov 25 00:34:42 2010 (r16594, copy of r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/SCSI-mptsas-fix-hangs-caused-by-ATA-pass-through.patch)
@@ -0,0 +1,77 @@
+From: Ryan Kuester <rkuester at kspace.net>
+Date: Mon, 26 Apr 2010 18:11:54 -0500
+Subject: [PATCH] [SCSI] mptsas: fix hangs caused by ATA pass-through
+
+commit 2a1b7e575b80ceb19ea50bfa86ce0053ea57181d upstream.
+
+I may have an explanation for the LSI 1068 HBA hangs provoked by ATA
+pass-through commands, in particular by smartctl.
+
+First, my version of the symptoms. On an LSI SAS1068E B3 HBA running
+01.29.00.00 firmware, with SATA disks, and with smartd running, I'm seeing
+occasional task, bus, and host resets, some of which lead to hard faults of
+the HBA requiring a reboot. Abusively looping the smartctl command,
+
+ # while true; do smartctl -a /dev/sdb > /dev/null; done
+
+dramatically increases the frequency of these failures to nearly one per
+minute. A high IO load through the HBA while looping smartctl seems to
+improve the chance of a full scsi host reset or a non-recoverable hang.
+
+I reduced what smartctl was doing down to a simple test case which
+causes the hang with a single IO when pointed at the sd interface. See
+the code at the bottom of this e-mail. It uses an SG_IO ioctl to issue
+a single pass-through ATA identify device command. If the buffer
+userspace gives for the read data has certain alignments, the task is
+issued to the HBA but the HBA fails to respond. If run against the sg
+interface, neither the test code nor smartctl causes a hang.
+
+sd and sg handle the SG_IO ioctl slightly differently. Unless you
+specifically set a flag to do direct IO, sg passes a buffer of its own,
+which is page-aligned, to the block layer and later copies the result
+into the userspace buffer regardless of its alignment. sd, on the other
+hand, always does direct IO unless the userspace buffer fails an
+alignment test at block/blk-map.c line 57, in which case a page-aligned
+buffer is created and used for the transfer.
+
+The alignment test currently checks for word-alignment, the default
+setup by scsi_lib.c; therefore, userspace buffers of almost any
+alignment are given directly to the HBA as DMA targets. The LSI 1068
+hardware doesn't seem to like at least a couple of the alignments which
+cross a page boundary (see the test code below). Curiously, many
+page-boundary-crossing alignments do work just fine.
+
+So, either the hardware has an bug handling certain alignments or the
+hardware has a stricter alignment requirement than the driver is
+advertising. If stricter alignment is required, then in no case should
+misaligned buffers from userspace be allowed through without being
+bounced or at least causing an error to be returned.
+
+It seems the mptsas driver could use blk_queue_dma_alignment() to advertise
+a stricter alignment requirement. If it does, sd does the right thing and
+bounces misaligned buffers (see block/blk-map.c line 57). The following
+patch to 2.6.34-rc5 makes my symptoms go away. I'm sure this is the wrong
+place for this code, but it gets my idea across.
+
+Acked-by: "Desai, Kashyap" <Kashyap.Desai at lsi.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/message/fusion/mptscsih.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c
+index 5c53624..407cb84 100644
+--- a/drivers/message/fusion/mptscsih.c
++++ b/drivers/message/fusion/mptscsih.c
+@@ -2459,6 +2459,8 @@ mptscsih_slave_configure(struct scsi_device *sdev)
+ ioc->name,sdev->tagged_supported, sdev->simple_tags,
+ sdev->ordered_tags));
+
++ blk_queue_dma_alignment (sdev->request_queue, 512 - 1);
++
+ return 0;
+ }
+
+--
+1.7.1
+
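Review bot: the added call in mptscsih_slave_configure() hard-codes the mask "512 - 1" with no comment, and it applies to every device configured through this function, not only to the SATA-behind-LSI-1068 case the description analyses. The description itself says this is probably the wrong place for the code. Suggest a one-line comment stating that the stricter mask exists so that misaligned SG_IO buffers from userspace are bounced instead of being handed to the HBA as DMA targets, and a named constant for the value. Minor style point: "blk_queue_dma_alignment (" has a space before the parenthesis, which departs from kernel coding style.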
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/math-emu-correct-test-for-downshifting-fraction.patch (from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/math-emu-correct-test-for-downshifting-fraction.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/math-emu-correct-test-for-downshifting-fraction.patch Thu Nov 25 00:34:42 2010 (r16594, copy of r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/math-emu-correct-test-for-downshifting-fraction.patch)
@@ -0,0 +1,56 @@
+From: Mikael Pettersson <mikpe at it.uu.se>
+Date: Tue, 20 Jul 2010 18:45:14 -0700
+Subject: [PATCH] math-emu: correct test for downshifting fraction in _FP_FROM_INT()
+
+commit f8324e20f8289dffc646d64366332e05eaacab25 upstream.
+
+The kernel's math-emu code contains a macro _FP_FROM_INT() which is
+used to convert an integer to a raw normalized floating-point value.
+It does this basically in three steps:
+
+1. Compute the exponent from the number of leading zero bits.
+2. Downshift large fractions to put the MSB in the right position
+ for normalized fractions.
+3. Upshift small fractions to put the MSB in the right position.
+
+There is an boundary error in step 2, causing a fraction with its
+MSB exactly one bit above the normalized MSB position to not be
+downshifted. This results in a non-normalized raw float, which when
+packed becomes a massively inaccurate representation for that input.
+
+The impact of this depends on a number of arch-specific factors,
+but it is known to have broken emulation of FXTOD instructions
+on UltraSPARC III, which was originally reported as GCC bug 44631
+<http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44631>.
+
+Any arch which uses math-emu to emulate conversions from integers to
+same-size floats may be affected.
+
+The fix is simple: the exponent comparison used to determine if the
+fraction should be downshifted must be "<=" not "<".
+
+I'm sending a kernel module to test this as a reply to this message.
+There are also SPARC user-space test cases in the GCC bug entry.
+
+Signed-off-by: Mikael Pettersson <mikpe at it.uu.se>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ include/math-emu/op-common.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/include/math-emu/op-common.h b/include/math-emu/op-common.h
+index 408f743..a4cb9d1 100644
+--- a/include/math-emu/op-common.h
++++ b/include/math-emu/op-common.h
+@@ -793,7 +793,7 @@ do { \
+ X##_e -= (_FP_W_TYPE_SIZE - rsize); \
+ X##_e = rsize - X##_e - 1; \
+ \
+- if (_FP_FRACBITS_##fs < rsize && _FP_WFRACBITS_##fs < X##_e) \
++ if (_FP_FRACBITS_##fs < rsize && _FP_WFRACBITS_##fs <= X##_e) \
+ __FP_FRAC_SRS_1(ur_, (X##_e - _FP_WFRACBITS_##fs + 1), rsize);\
+ _FP_FRAC_DISASSEMBLE_##wc(X, ur_, rsize); \
+ if ((_FP_WFRACBITS_##fs - X##_e - 1) > 0) \
+--
+1.7.1
+
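Review bot: the changed comparison in _FP_FROM_INT() carries no comment recording why equality must take the downshift branch, so the boundary is easy to regress. At "_FP_WFRACBITS_##fs == X##_e" the shift count "X##_e - _FP_WFRACBITS_##fs + 1" on the following line evaluates to 1, which matches the "MSB exactly one bit above the normalized position" case in the description; a short comment saying so next to the condition would help. The test module is mentioned only as a reply to the original mail, so a pointer to it (or to the GCC bug's test cases) in the patch header would make the fix verifiable from this tree.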
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r6040-Fix-multicast-list-iteration.patch (from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/r6040-Fix-multicast-list-iteration.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r6040-Fix-multicast-list-iteration.patch Thu Nov 25 00:34:42 2010 (r16594, copy of r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/r6040-Fix-multicast-list-iteration.patch)
@@ -0,0 +1,33 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Fri, 15 Oct 2010 04:21:39 +0100
+Subject: [PATCH 2/2] r6040: Fix multicast list iteration when hash filter is used
+
+After walking the multicast list to set up the hash filter, this
+function will walk off the end of the list when filling the
+exact-match entries. This was fixed in mainline by the interface
+change made in commit f9dcbcc9e338d08c0f7de7eba4eaafbbb7f81249.
+
+Reported-by: spamalot at hispeed.ch
+Reference: https://bugzilla.kernel.org/show_bug.cgi?id=15355
+Reported-by: Jason Heeris <jason.heeris at gmail.com>
+Reference: http://bugs.debian.org/600155
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/net/r6040.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/net/r6040.c b/drivers/net/r6040.c
+index ac865e1..9ee9f01 100644
+--- a/drivers/net/r6040.c
++++ b/drivers/net/r6040.c
+@@ -992,6 +992,7 @@ static void r6040_multicast_list(struct net_device *dev)
+ iowrite16(hash_table[3], ioaddr + MAR3);
+ }
+ /* Multicast Address 1~4 case */
++ dmi = dev->mc_list;
+ for (i = 0, dmi; (i < dev->mc_count) && (i < MCAST_MAX); i++) {
+ adrp = (u16 *)dmi->dmi_addr;
+ iowrite16(adrp[0], ioaddr + MID_1L + 8*i);
+--
+1.7.1
+
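Review bot: the for initializer on the context line still reads "i = 0, dmi", where the bare "dmi" is an expression with no effect; instead of adding a separate "dmi = dev->mc_list;" statement above it, fold the reset into the loop as "for (i = 0, dmi = dev->mc_list; ...)". The loop is bounded only by dev->mc_count and MCAST_MAX, so adding "dmi != NULL" to the condition would also guard against the count and the list disagreeing. The comment "Multicast Address 1~4 case" is stale once patch 1/2 sets MCAST_MAX to 3.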
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r6040-fix-r6040_multicast_list.patch (from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/r6040-fix-r6040_multicast_list.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/r6040-fix-r6040_multicast_list.patch Thu Nov 25 00:34:42 2010 (r16594, copy of r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/r6040-fix-r6040_multicast_list.patch)
@@ -0,0 +1,66 @@
+From: Florian Fainelli <florian at openwrt.org>
+Date: Wed, 7 Apr 2010 16:50:58 -0700
+Subject: [PATCH 1/2] r6040: fix r6040_multicast_list
+
+commit 3bcf8229a8c49769e48d3e0bd1e20d8e003f8106 upstream.
+
+As reported in <https://bugzilla.kernel.org/show_bug.cgi?id=15355>, r6040_
+multicast_list currently crashes. This is due a wrong maximum of multicast
+entries. This patch fixes the following issues with multicast:
+
+- number of maximum entries if off-by-one (4 instead of 3)
+
+- the writing of the hash table index is not necessary and leads to invalid
+values being written into the MCR1 register, so the MAC is simply put in a non
+coherent state
+
+- when we exceed the maximum number of mutlticast address, writing the
+broadcast address should be done in registers MID_1{L,M,H} instead of
+MID_O{L,M,H}, otherwise we would loose the adapter's MAC address
+
+Signed-off-by: Florian Fainelli <florian at openwrt.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Adjust context for 2.6.27]
+---
+ drivers/net/r6040.c | 11 ++++-------
+ 1 files changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/r6040.c b/drivers/net/r6040.c
+index 8b14c6e..ac865e1 100644
+--- a/drivers/net/r6040.c
++++ b/drivers/net/r6040.c
+@@ -135,7 +135,7 @@
+ #define RX_DESC_SIZE (RX_DCNT * sizeof(struct r6040_descriptor))
+ #define TX_DESC_SIZE (TX_DCNT * sizeof(struct r6040_descriptor))
+ #define MBCR_DEFAULT 0x012A /* MAC Bus Control Register */
+-#define MCAST_MAX 4 /* Max number multicast addresses to filter */
++#define MCAST_MAX 3 /* Max number multicast addresses to filter */
+
+ /* PHY settings */
+ #define ICPLUS_PHY_ID 0x0243
+@@ -985,9 +985,6 @@ static void r6040_multicast_list(struct net_device *dev)
+ crc >>= 26;
+ hash_table[crc >> 4] |= 1 << (15 - (crc & 0xf));
+ }
+- /* Write the index of the hash table */
+- for (i = 0; i < 4; i++)
+- iowrite16(hash_table[i] << 14, ioaddr + MCR1);
+ /* Fill the MAC hash tables with their values */
+ iowrite16(hash_table[0], ioaddr + MAR0);
+ iowrite16(hash_table[1], ioaddr + MAR1);
+@@ -1003,9 +1000,9 @@ static void r6040_multicast_list(struct net_device *dev)
+ dmi = dmi->next;
+ }
+ for (i = dev->mc_count; i < MCAST_MAX; i++) {
+- iowrite16(0xffff, ioaddr + MID_0L + 8*i);
+- iowrite16(0xffff, ioaddr + MID_0M + 8*i);
+- iowrite16(0xffff, ioaddr + MID_0H + 8*i);
++ iowrite16(0xffff, ioaddr + MID_1L + 8*i);
++ iowrite16(0xffff, ioaddr + MID_1M + 8*i);
++ iowrite16(0xffff, ioaddr + MID_1H + 8*i);
+ }
+ }
+
+--
+1.7.1
+
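Review bot: in the last hunk the fill loop "for (i = dev->mc_count; i < MCAST_MAX; i++)" runs when there are fewer addresses than filter slots, whereas the description says the broadcast address is written "when we exceed the maximum number" of multicast addresses; the code and the description disagree about which case this is. Suggest correcting the description or adding a comment over the loop saying that unused exact-match slots are filled with 0xffff. The "8*i" stride from MID_1L is also a bare number repeated in three writes; a named per-slot offset would make it clear that slot 0 (the adapter's own MAC, per the description) is never touched.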
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-kernel-crash-due-to-corrupted-inode-log.patch (from r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/xfs-prevent-kernel-crash-due-to-corrupted-inode-log.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-kernel-crash-due-to-corrupted-inode-log.patch Thu Nov 25 00:34:42 2010 (r16594, copy of r16593, releases/linux-2.6/2.6.26-26/debian/patches/bugfix/all/xfs-prevent-kernel-crash-due-to-corrupted-inode-log.patch)
@@ -0,0 +1,50 @@
+From: Christoph Hellwig <hch at infradead.org>
+Date: Tue, 3 Mar 2009 14:48:36 -0500
+Subject: [PATCH] xfs: prevent kernel crash due to corrupted inode log format
+
+commit e8fa6b483feebd23ded5eb01afd7a6e82b6078c6 upstream.
+
+Andras Korn reported an oops on log replay causes by a corrupted
+xfs_inode_log_format_t passing a 0 size to kmem_zalloc. This patch handles
+to small or too large numbers of log regions gracefully by rejecting the
+log replay with a useful error message.
+
+Signed-off-by: Christoph Hellwig <hch at lst.de>
+Reported-by: Andras Korn <korn-sgi.com at chardonnay.math.bme.hu>
+Reviewed-by: Eric Sandeen <sandeen at sandeen.net>
+Signed-off-by: Felix Blyakher <felixb at sgi.com>
+---
+ fs/xfs/xfs_log_recover.c | 17 +++++++++++++----
+ 1 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
+index 504d540..ceeba45 100644
+--- a/fs/xfs/xfs_log_recover.c
++++ b/fs/xfs/xfs_log_recover.c
+@@ -1455,10 +1455,19 @@ xlog_recover_add_to_trans(
+ item = item->ri_prev;
+
+ if (item->ri_total == 0) { /* first region to be added */
+- item->ri_total = in_f->ilf_size;
+- ASSERT(item->ri_total <= XLOG_MAX_REGIONS_IN_ITEM);
+- item->ri_buf = kmem_zalloc((item->ri_total *
+- sizeof(xfs_log_iovec_t)), KM_SLEEP);
++ if (in_f->ilf_size == 0 ||
++ in_f->ilf_size > XLOG_MAX_REGIONS_IN_ITEM) {
++ xlog_warn(
++ "XFS: bad number of regions (%d) in inode log format",
++ in_f->ilf_size);
++ ASSERT(0);
++ return XFS_ERROR(EIO);
++ }
++
++ item->ri_total = in_f->ilf_size;
++ item->ri_buf =
++ kmem_zalloc(item->ri_total * sizeof(xfs_log_iovec_t),
++ KM_SLEEP);
+ }
+ ASSERT(item->ri_total > item->ri_cnt);
+ /* Description region is ri_buf[0] */
+--
+1.7.1
+
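Review bot: the new error path calls "ASSERT(0);" immediately before "return XFS_ERROR(EIO);", so on a build with assertions enabled a corrupted on-disk ilf_size still stops the kernel instead of being rejected gracefully, which is the failure the description sets out to remove. Suggest dropping the ASSERT(0) and relying on the xlog_warn() message plus the EIO return, since the value comes from untrusted log contents. The unchanged "ASSERT(item->ri_total > item->ri_cnt);" just below is the same kind of check on replayed data and would benefit from the same treatment. Also confirm that "%d" matches the type of in_f->ilf_size, which is not visible in this hunk.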
Copied: dists/lenny-security/linux-2.6/debian/patches/series/26 (from r16593, releases/linux-2.6/2.6.26-26/debian/patches/series/26)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26 Thu Nov 25 00:34:42 2010 (r16594, copy of r16593, releases/linux-2.6/2.6.26-26/debian/patches/series/26)
@@ -0,0 +1,5 @@
++ bugfix/all/math-emu-correct-test-for-downshifting-fraction.patch
++ bugfix/all/SCSI-mptsas-fix-hangs-caused-by-ATA-pass-through.patch
++ bugfix/all/xfs-prevent-kernel-crash-due-to-corrupted-inode-log.patch
++ bugfix/all/r6040-fix-r6040_multicast_list.patch
++ bugfix/all/r6040-Fix-multicast-list-iteration.patch
Copied: dists/lenny-security/linux-2.6/debian/patches/series/26lenny1 (from r16591, dists/lenny-security/linux-2.6/debian/patches/series/25lenny2)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny1 Thu Nov 25 00:34:42 2010 (r16594, copy of r16591, dists/lenny-security/linux-2.6/debian/patches/series/25lenny2)
@@ -0,0 +1,33 @@
++ bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
++ bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch
++ bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/net-eql-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
++ bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
++ bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
++ bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
++ bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch
++ bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
++ bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch
++ bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch
++ bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch
++ bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch
++ bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/video-sis-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch
++ bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch
++ bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
++ bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
++ bugfix/all/net-ax25-fix-information-leak-to-userland.patch
++ bugfix/all/can-bcm-fix-minor-heap-overflow.patch
++ bugfix/all/net-tipc-fix-information-leak-to-userland.patch
++ bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch
++ bugfix/all/ipc-shm-fix-information-leak-to-userland.patch
++ bugfix/all/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
++ bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/gdth-integer-overflow-in-ioctl.patch
++ bugfix/all/econet-fix-redeclaration-of-symbol-len.patch
++ bugfix/all/econet-disallow-NULL-remote-addr-for-sendmsg.patch
++ bugfix/all/econet-add-missing-check-for-CAP_NET_ADMIN.patch
++ bugfix/all/econet-coalesced-iovec.patch