2006-01-08 03:01:04

by Chris Wright

[permalink] [raw]
Subject: Linux 2.6.14.6

We (the -stable team) are announcing the release of the 2.6.14.6 kernel.
This flushes the outstanding 2.6.14-stable queue.

The diffstat and short summary of the fixes are below.

I'll also be replying to this message with a copy of the patch between
2.6.14.5 and 2.6.14.6, as it is small enough to do so.

The updated 2.6.14.y git tree can be found at:
rsync://rsync.kernel.org/pub/scm/linux/kernel/git/chrisw/linux-2.6.14.y.git
and can be browsed at the normal kernel.org git web browser:
http://www.kernel.org/git/

thanks,
-chris

--------


Makefile | 2 -
drivers/net/sungem.c | 4 +--
drivers/video/aty/atyfb_base.c | 2 -
fs/proc/generic.c | 47 ++++++++++++++++++++---------------------
fs/ufs/super.c | 4 ++-
kernel/sysctl.c | 29 +++++++++++++------------
net/ieee80211/Kconfig | 2 -
7 files changed, 47 insertions(+), 43 deletions(-)

Summary of changes from v2.6.14.5 to v2.6.14.6
==============================================

Adrian Bunk:
drivers/net/sungem.c: gem_remove_one mustn't be __devexit

Chris Wright:
Linux 2.6.14.6

Evgeniy Polyakov:
UFS: inode->i_sem is not released in error path

Linus Torvalds:
Insanity avoidance in /proc (CVE-2005-4605)
sysctl: make sure to terminate strings with a NUL

Luis F. Ortiz:
Fix onboard video on SPARC Blade 100 for 2.6.{13,14,15}

Olaf Hering:
ieee80211_crypt_tkip depends on NET_RADIO


2006-01-08 03:02:04

by Chris Wright

[permalink] [raw]
Subject: Re: Linux 2.6.14.6

diff --git a/Makefile b/Makefile
index ea6f2f9..8c6fcb0 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 14
-EXTRAVERSION = .5
+EXTRAVERSION = .6
NAME=Affluent Albatross

# *DOCUMENTATION*
diff --git a/drivers/net/sungem.c b/drivers/net/sungem.c
index de39956..da8c31d 100644
--- a/drivers/net/sungem.c
+++ b/drivers/net/sungem.c
@@ -2905,7 +2905,7 @@ static int __devinit gem_get_device_addr
return 0;
}

-static void __devexit gem_remove_one(struct pci_dev *pdev)
+static void gem_remove_one(struct pci_dev *pdev)
{
struct net_device *dev = pci_get_drvdata(pdev);

@@ -3179,7 +3179,7 @@ static struct pci_driver gem_driver = {
.name = GEM_MODULE_NAME,
.id_table = gem_pci_tbl,
.probe = gem_init_one,
- .remove = __devexit_p(gem_remove_one),
+ .remove = gem_remove_one,
#ifdef CONFIG_PM
.suspend = gem_suspend,
.resume = gem_resume,
diff --git a/drivers/video/aty/atyfb_base.c b/drivers/video/aty/atyfb_base.c
index 037fe9d..efbd63c 100644
--- a/drivers/video/aty/atyfb_base.c
+++ b/drivers/video/aty/atyfb_base.c
@@ -404,7 +404,7 @@ static struct {
{ PCI_CHIP_MACH64GM, "3D RAGE XL (Mach64 GM, AGP)", 230, 83, 63, ATI_CHIP_264XL },
{ PCI_CHIP_MACH64GN, "3D RAGE XL (Mach64 GN, AGP)", 230, 83, 63, ATI_CHIP_264XL },
{ PCI_CHIP_MACH64GO, "3D RAGE XL (Mach64 GO, PCI-66/BGA)", 230, 83, 63, ATI_CHIP_264XL },
- { PCI_CHIP_MACH64GR, "3D RAGE XL (Mach64 GR, PCI-33MHz)", 230, 83, 63, ATI_CHIP_264XL },
+ { PCI_CHIP_MACH64GR, "3D RAGE XL (Mach64 GR, PCI-33MHz)", 235, 83, 63, ATI_CHIP_264XL | M64F_SDRAM_MAGIC_PLL },
{ PCI_CHIP_MACH64GL, "3D RAGE XL (Mach64 GL, PCI)", 230, 83, 63, ATI_CHIP_264XL },
{ PCI_CHIP_MACH64GS, "3D RAGE XL (Mach64 GS, PCI)", 230, 83, 63, ATI_CHIP_264XL },

diff --git a/fs/proc/generic.c b/fs/proc/generic.c
index 8a8c344..89f64c1 100644
--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c
@@ -54,6 +54,18 @@ proc_file_read(struct file *file, char _
ssize_t n, count;
char *start;
struct proc_dir_entry * dp;
+ unsigned long long pos;
+
+ /*
+ * Gaah, please just use "seq_file" instead. The legacy /proc
+ * interfaces cut loff_t down to off_t for reads, and ignore
+ * the offset entirely for writes..
+ */
+ pos = *ppos;
+ if (pos > MAX_NON_LFS)
+ return 0;
+ if (nbytes > MAX_NON_LFS - pos)
+ nbytes = MAX_NON_LFS - pos;

dp = PDE(inode);
if (!(page = (char*) __get_free_page(GFP_KERNEL)))
@@ -202,30 +214,17 @@ proc_file_write(struct file *file, const
static loff_t
proc_file_lseek(struct file *file, loff_t offset, int orig)
{
- lock_kernel();
-
- switch (orig) {
- case 0:
- if (offset < 0)
- goto out;
- file->f_pos = offset;
- unlock_kernel();
- return(file->f_pos);
- case 1:
- if (offset + file->f_pos < 0)
- goto out;
- file->f_pos += offset;
- unlock_kernel();
- return(file->f_pos);
- case 2:
- goto out;
- default:
- goto out;
- }
-
-out:
- unlock_kernel();
- return -EINVAL;
+ loff_t retval = -EINVAL;
+ switch (orig) {
+ case 1:
+ offset += file->f_pos;
+ /* fallthrough */
+ case 0:
+ if (offset < 0 || offset > MAX_NON_LFS)
+ break;
+ file->f_pos = retval = offset;
+ }
+ return retval;
}

static int proc_notify_change(struct dentry *dentry, struct iattr *iattr)
diff --git a/fs/ufs/super.c b/fs/ufs/super.c
index f036d69..b466265 100644
--- a/fs/ufs/super.c
+++ b/fs/ufs/super.c
@@ -1294,8 +1294,10 @@ static ssize_t ufs_quota_write(struct su
blk++;
}
out:
- if (len == towrite)
+ if (len == towrite) {
+ up(&inode->i_sem);
return err;
+ }
if (inode->i_size < off+len-towrite)
i_size_write(inode, off+len-towrite);
inode->i_version++;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index b90dba7..eebedca 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2191,29 +2191,32 @@ int sysctl_string(ctl_table *table, int
void __user *oldval, size_t __user *oldlenp,
void __user *newval, size_t newlen, void **context)
{
- size_t l, len;
-
if (!table->data || !table->maxlen)
return -ENOTDIR;

if (oldval && oldlenp) {
- if (get_user(len, oldlenp))
+ size_t bufsize;
+ if (get_user(bufsize, oldlenp))
return -EFAULT;
- if (len) {
- l = strlen(table->data);
- if (len > l) len = l;
- if (len >= table->maxlen)
+ if (bufsize) {
+ size_t len = strlen(table->data), copied;
+
+ /* This shouldn't trigger for a well-formed sysctl */
+ if (len > table->maxlen)
len = table->maxlen;
- if(copy_to_user(oldval, table->data, len))
- return -EFAULT;
- if(put_user(0, ((char __user *) oldval) + len))
+
+ /* Copy up to a max of bufsize-1 bytes of the string */
+ copied = (len >= bufsize) ? bufsize - 1 : len;
+
+ if (copy_to_user(oldval, table->data, copied) ||
+ put_user(0, (char __user *)(oldval + copied)))
return -EFAULT;
- if(put_user(len, oldlenp))
+ if (put_user(len, oldlenp))
return -EFAULT;
}
}
if (newval && newlen) {
- len = newlen;
+ size_t len = newlen;
if (len > table->maxlen)
len = table->maxlen;
if(copy_from_user(table->data, newval, len))
@@ -2222,7 +2225,7 @@ int sysctl_string(ctl_table *table, int
len--;
((char *) table->data)[len] = 0;
}
- return 0;
+ return 1;
}

/*
diff --git a/net/ieee80211/Kconfig b/net/ieee80211/Kconfig
index 91b16fb..d18ccba 100644
--- a/net/ieee80211/Kconfig
+++ b/net/ieee80211/Kconfig
@@ -55,7 +55,7 @@ config IEEE80211_CRYPT_CCMP

config IEEE80211_CRYPT_TKIP
tristate "IEEE 802.11i TKIP encryption"
- depends on IEEE80211
+ depends on IEEE80211 && NET_RADIO
select CRYPTO
select CRYPTO_MICHAEL_MIC
---help---