https://lwn.net/Articles/375071/bigpage
2.6.32.9 Release notes
By Jonathan Corbet
February 21, 2010
Stable kernel update announcements posted on LWN have a certain tendency to be followed by complaints about the amount of information which is made available. It seems that there is a desire for a description of the changes which is more accessible than the patches themselves, and for attention to be drawn to the security-relevant fixes. As an exercise in determining what kind of effort is being asked of the kernel maintainers, your editor decided to make a pass through the proposed 2.6.32.9 update and attempt to describe the impact of each of the changes - all 93 of them. The results can be found below.

Disclaimers: there is no way to review 93 patches in a finite time and fully understand each of them. So there are almost certainly errors in what follows. The simple truth of the matter is that it is very hard to say which fixes have security implications; a determined attacker can find a way to exploit some very obscure bugs. Your editor would also like to discourage anybody from thinking that this will become a regular LWN feature. The amount of work required is considerable; it's not something we're able to commit to doing for every release.

That said, here's a look at what's in this update.
Security-related fixes
Other bug fixes
- #1: Fix potential
crash with sys_move_pages. Fix an unreliable test which could cause
a crash in the page migration code. [Update: as has been pointed
out in the comments, this one is exploitable
and should have been in the security list above.]
- #6: hwmon: (w83781d)
Request I/O ports individually for probing. More robust access to
hardware monitoring ports.
- #7: hwmon: (lm78)
Request I/O ports individually for probing. More robust access to
hardware monitoring ports.
- #8: hwmon: (adt7462)
Wrong ADT7462_VOLT_COUNT. Fixes a bug which could cause one voltage
measurement to be passed over.
- #9: ALSA: ctxfi -
fix PTP address initialization. Fixes an alignment bug in the ctxfi
sound driver.
- #10: drm/i915:
disable hotplug detect before Ironlake CRT detect. Fixes a possible
hang in the monitor detection code.
- #12: drm/i915:
Disable SR when more than one pipe is enabled. Fixes a
flicker-causing i915 bug.
- #13: drm/i915: Fix
DDC on some systems by clearing BIOS GMBUS setup. Fixes a bug which
can cause failure to detect some monitors.
- #15: drm/i915: Fix
the incorrect DMI string for Samsung SX20S laptop. Incorrect
identification information was returned to user space.
- #17: usb:
r8a66597-hcd: Flush the D-cache for the pipe-in transfer buffers.
Fixes a cache consistency problem.
- #18: i2c-tiny-usb:
Fix on big-endian systems. An endianness bug in i2c-tiny-usb caused
incorrect information to be returned to user space.
- #19: drm/i915:
handle FBC and self-refresh better. Eliminates an i915 flicker
problem.
- #20: drm/i915:
Increase fb alignment to 64k. Fixes an obscure error in the i915
driver.
- #24: CPUFREQ: Fix
use after free of struct powernow_k8_data. Fixes a use-after-free
bug in the cpufreq code; does not appear to be user-triggerable.
- #25: freeze_bdev: don't deactivate successfully frozen MS_RDONLY sb. Fixes a boot-time crash in the block layer.
- #27: ioat: fix
infinite timeout checking in ioat2_quiesce. Fixes a typo in the
IOAT code.
- #29: fs/exec.c: restrict initial stack space expansion to rlimit. Fixes a bug which could cause process creation failures in the presence of tight stack limits.
- #30: cifs: fix
length calculation for converted unicode readdir names. Fixes a
CIFS data consistency bug.
- #31: NFS: Fix a
reference leak in nfs_wb_cancel_page(). Fixes a reference leak in
the NFS cancellation code.
- #32: NFS: Try to
commit unstable writes in nfs_release_page(). Looks like a fix for
a potential data loss problem in the NFS code.
- #33: NFSv4: Don't allow posix locking against servers that don't support it. Be sure to notice if a server does not support POSIX locking.
- #34: NFSv4: Ensure
that the NFSv4 locking can recover from stateid errors. Fix an
NFSv4 locking problem with unknown effects.
- #37: NFS: Fix a bug
in nfs_fscache_release_page(). Removes a spurious BUG_ON()
call.
- #38: NFS: Fix the
mapping of the NFSERR_SERVERFAULT error. Fix an incorrect error
value returned to user space.
- #39: md: fix
degraded calculation when starting a reshape. Some old code can
cause the MD subsystem to be unclear on whether a given array is
running in a degraded mode or not after a reshape.
- #42: kvmclock: count
total_sleep_time when updating guest clock. Fix an error which
could lead to incorrect wall clock time in KVM guests.
- #43: KVM: PIT:
control word is write-only. Prevent attempts to read a write-only
register.
- #44: tpm_infineon:
fix suspend/resume handler for pnp_driver. Fixes a hang-on-suspend
bug.
- #45: amd64_edac: Do
not falsely trigger kerneloops. Remove a spurious warning in the
amd64 EDAC code.
- #46: netfilter:
nf_conntrack: fix memory corruption with multiple namespaces. Fixes
a potential race condition which could lead to memory corruption.
Requires the instantiation of a new namespace (and, thus, root
privilege) to trigger.
- #48: netfilter:
nf_conntrack: restrict runtime expect hashsize modifications. Don't
allow the connection tracking expect_hashsize attribute to be
modified, since the code isn't prepared to handle that.
- #49: netfilter:
xtables: compat out of scope fix. Fixes a potential stack-based
dangling pointer bug.
- #51: drm/i915:
remove full registers dump debug. Removes an i915 debug option
which could hang the machine.
- #52: drm/i915: add
i915_lp_ring_sync helper. Code and performance improvement in the
i915 driver.
- #53: drm/i915: Don't wait interruptible for possible plane buffer flush. The i915 DRM driver can corrupt the hardware state if a signal comes in at the wrong time. Could be seen as a denial of service problem, but that's a big stretch.
- #56: wmi: Free the
allocated acpi objects through wmi_get_event_data. Fixes a memory
leak in the WMI code.
- #58: /dev/mem:
introduce size_inside_page(). Eliminates some duplicate code and
fixes the alignment logic for /dev/kmem, which was described
simply as "buggy." But who uses /dev/kmem anymore?
- #59: devmem: check
vmalloc address on kmem read/write. A missing test for addresses in
the vmalloc() space could cause an oops from the /dev/kmem
code. Probably not triggerable by ordinary users, though, even on
systems where /dev/kmem is enabled.
- #60: devmem: fix
kmem write bug on memory holes. An attempt to write data to /dev/mem
would get confused if a memory hole is hit, causing incorrect data to
be written after the hole.
- #61: SCSI: mptfusion: mptscsih_abort return value should be SUCCESS instead of value 0. The mptfusion driver had an incorrect return value with unknown effects.
- #62: sh: Couple
kernel and user write page perm bits for CONFIG_X2TLB. The SuperH
architecture had a problem handling write faults for pages in the vmalloc()
space, which could cause problems with drivers that map such pages into
user space.
- #63: ALSA: hda - use
WARN_ON_ONCE() for zero-division detection. Avoid spamming the log
files if the hardware goes nuts.
- #64: dst: call
cond_resched() in dst_gc_task(). The network destination cache code
can process very long lists, leading to soft lockup warnings.
- #66: befs: fix leak.
There is a memory leak in the BeFS mount code; one would not normally
expect it to be user-triggerable.
- #67: rtc-fm3130: add
missing braces. Missing braces in the rtc-fm3130 would cause
spurious warnings to be emitted.
- #68: [libata] Call
flush_dcache_page after PIO data transfers in libata-sff.c. Fix a
cache coherency bug in the ATA code.
- #70: pktgen: Fix
freezing problem. The packet generator could prevent the system
from suspending or hibernating.
- #71: x86/amd-iommu:
Fix IOMMU-API initialization for iommu=pt. Fix a boot-time
initialization error in the IOMMU code.
- #72: x86/amd-iommu:
Fix deassignment of a device from the pt_domain. Fix a KVM device
assignment failure.
- #73: x86: Re-get
cfg_new in case reuse/move irq_desc. Fix a bug in interrupt
migration with unknown effect.
- #74: Staging: fix
rtl8187se compilation errors with mac80211. Boring compilation
problem fix.
- #76: serial: 8250:
add serial transmitter fully empty test. Fixes a serial driver
problem which could cause the loss of some transmitted data.
- #77: sysfs:
sysfs_sd_setattr set iattrs unconditionally. An omitted
initialization can cause sysfs attributes to have more restrictive
permissions than desired.
- #78: class: Free the
class private data in class_release. Fix a memory leak in the sysfs
class code. Potentially user-exploitable if somebody were willing to
dedicate a month of their life to repeatedly plugging and unplugging a
device.
- #80: USB: usbfs:
properly clean up the as structure on error paths. Fixes a memory
leak in the usbfs error recovery paths.
- #83: ACPI: fix High
cpu temperature with 2.6.32. Fixes behavior on a couple of laptops
with problematic power management operation.
- #84: drm/radeon/kms:
use udelay for short delays. Use of schedule_timeout()
for short delays was slowing bootstrap considerably on some systems.
- #85: NFS: Too many
GETATTR and ACCESS calls after direct I/O. Fixes a performance
regression in the NFS code.
- #86: eCryptfs: Add
getattr function. The eCryptfs filesystem would show incorrect file
sizes.
- #87: b43: Fix
throughput regression. Throughput on some BCM4311 devices is said
to have dropped from 18Mb/s to 0.7Mb/s, which is a bit more of a
penalty than some users wanted to pay.
- #88: ath9k: Fix
sequence numbers for PAE frames. Fixes a protocol error in the
ath9k driver.
- #89: mac80211: Fix
probe request filtering in IBSS mode. The wireless code could reply
to probe requests directed at a different SSID.
- #90: iwlwifi: Fix to
set correct ht configuration. The iwlwifi driver was not
configuring associations correctly, leading to dropped connections.
- #91: dm stripe: avoid divide by zero with invalid stripe count. Giving a stripe count of zero to the device mapper stripe target would cause a division by zero when the target is set up.
- #93: dm mpath: fix
stall when requeueing io. Fixes a root-triggerable stall in the
device mapper multipath code.
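Fix #1 above (exploitable, per the update note) is described here only as an "unreliable test" in the page migration code. The following C program is an added example, not code from this page or from the kernel; it models the shape of that bug class on the assumption, taken from the fix's title rather than stated on the page, that the unreliable test was a node-bitmap membership check that was being relied on to also do range checking of a user-supplied node number. The toy MAX_NUMNODES, the mask layout, the function names and the error values are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Toy model (assumed values): a real kernel sizes MAX_NUMNODES from
 * CONFIG_NODES_SHIFT and the real helpers live in <linux/nodemask.h>.
 */
#define MAX_NUMNODES 8
#define BITS_PER_LONG (8 * (int)sizeof(unsigned long))
#define NODEMASK_WORDS ((MAX_NUMNODES + BITS_PER_LONG - 1) / BITS_PER_LONG)

typedef struct { unsigned long bits[NODEMASK_WORDS]; } nodemask_t;

static void node_set(int node, nodemask_t *m)
{
    if (node >= 0 && node < MAX_NUMNODES)
        m->bits[node / BITS_PER_LONG] |= 1UL << (node % BITS_PER_LONG);
}

/*
 * The unreliable test: like test_bit(), node_isset() trusts its index and
 * reads bits[node / BITS_PER_LONG] wherever that lands. Fed a user-chosen
 * node it becomes an out-of-bounds read relative to the mask object.
 */
static bool node_isset(int node, const nodemask_t *m)
{
    return (m->bits[node / BITS_PER_LONG] >> (node % BITS_PER_LONG)) & 1UL;
}

/* Byte offset from the start of the mask that an unchecked node_isset(node)
 * would read; anything >= sizeof(nodemask_t) lies outside the object. */
static long unchecked_read_offset(int node)
{
    return (long)(node / BITS_PER_LONG) * (long)sizeof(unsigned long);
}

/* Explicit range check first, membership test second: the shape of the fix. */
static int check_target_node(int node, const nodemask_t *nodes_with_memory)
{
    if (node < 0 || node >= MAX_NUMNODES)
        return -EINVAL;                 /* never index the mask with this */
    if (!node_isset(node, nodes_with_memory))
        return -ENODEV;                 /* in range, but no memory there */
    return 0;
}

/* Validate a whole batch of user-supplied target nodes, as a move_pages()
 * style call must do per page; returns the first error or 0. */
static int check_target_nodes(const int *nodes, size_t count,
                              const nodemask_t *mask)
{
    for (size_t i = 0; i < count; i++) {
        int err = check_target_node(nodes[i], mask);
        if (err)
            return err;
    }
    return 0;
}

int main(void)
{
    nodemask_t mask = { { 0 } };
    int good[] = { 0, 1, 2 };
    int hostile[] = { 1, 1 << 20 };   /* constructed input: one node far out of range */

    node_set(0, &mask);
    node_set(1, &mask);
    node_set(2, &mask);
    printf("good batch: %d\n", check_target_nodes(good, 3, &mask));
    printf("hostile batch: %d (an unchecked test would read %ld bytes past the mask start)\n",
           check_target_nodes(hostile, 2, &mask),
           unchecked_read_offset(hostile[1]));
    return 0;
}
```

The point of unchecked_read_offset() is that the read location is entirely attacker-controlled: on either a 32- or 64-bit long, a node value of 2^20 addresses 128 KiB past a mask that is a single word long, which is why a missing range check on an index into kernel data is treated as more than a crash.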
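Fix #91 is a divide by zero on a user-supplied stripe count. As an added example, not the page's or the kernel's dm-stripe code, here is a simplified C parser for a dm-stripe-style table line of the form `<stripes> <chunk_size> [<dev> <offset>]...` which rejects a zero count (and other malformed values) before the count is ever used as a divisor, followed by the sector-to-stripe mapping that the validation protects. The argument order follows the dm-stripe table layout; the stripe limit, the error strings, the use of strtok and the function names are assumptions for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STRIPES 64            /* assumed limit for this model */

struct stripe_args {
    unsigned long stripes;        /* number of stripes */
    unsigned long chunk_sectors;  /* chunk size, a power of two */
    uint64_t width;               /* sectors per stripe = target_len / stripes */
    const char *error;            /* human-readable reason on failure */
};

static bool is_power_of_2(unsigned long n) { return n && !(n & (n - 1)); }

/* Parse one decimal token completely; reject empty, signed, trailing junk, overflow. */
static bool parse_ulong(const char *s, unsigned long *out)
{
    char *end;
    if (!s || *s == '\0' || *s == '-' || *s == '+')
        return false;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno || *end != '\0')
        return false;
    *out = v;
    return true;
}

/* Constructor-style validation: every divisor is checked before it is used. */
static int stripe_ctr(const char *table_args, uint64_t target_len,
                      struct stripe_args *sa)
{
    char buf[256];
    unsigned long stripes, chunk;

    memset(sa, 0, sizeof(*sa));
    if (strlen(table_args) >= sizeof(buf)) {
        sa->error = "Argument string too long";
        return -EINVAL;
    }
    strcpy(buf, table_args);

    /* The check fix #91 adds: a zero here would be the divisor below. */
    if (!parse_ulong(strtok(buf, " "), &stripes) || stripes == 0 ||
        stripes > MAX_STRIPES) {
        sa->error = "Invalid stripe count";
        return -EINVAL;
    }
    if (!parse_ulong(strtok(NULL, " "), &chunk) || !is_power_of_2(chunk)) {
        sa->error = "Invalid chunk size";
        return -EINVAL;
    }
    if (target_len % stripes) {
        sa->error = "Target length not divisible by number of stripes";
        return -EINVAL;
    }
    for (unsigned long i = 0; i < stripes; i++) {   /* "<dev> <offset>" per stripe */
        const char *dev = strtok(NULL, " ");
        unsigned long off;
        if (!dev || !parse_ulong(strtok(NULL, " "), &off)) {
            sa->error = "Not enough destinations specified";
            return -EINVAL;
        }
    }
    if (strtok(NULL, " ")) {
        sa->error = "Too many arguments";
        return -EINVAL;
    }
    sa->stripes = stripes;
    sa->chunk_sectors = chunk;
    sa->width = target_len / stripes;   /* safe: stripes != 0 established above */
    return 0;
}

/* Map a logical sector to (stripe index, sector within that stripe). */
static void stripe_map_sector(const struct stripe_args *sa, uint64_t sector,
                              unsigned long *stripe, uint64_t *offset)
{
    uint64_t chunk_idx = sector / sa->chunk_sectors;
    uint64_t chunk_off = sector % sa->chunk_sectors;
    *stripe = (unsigned long)(chunk_idx % sa->stripes);
    *offset = (chunk_idx / sa->stripes) * sa->chunk_sectors + chunk_off;
}

int main(void)
{
    struct stripe_args sa;
    /* constructed table lines: a valid one and the zero-count case */
    int ok = stripe_ctr("2 128 /dev/sda 0 /dev/sdb 0", 2048, &sa);
    printf("valid line: %d, width %llu\n", ok, (unsigned long long)sa.width);
    int bad = stripe_ctr("0 128 /dev/sda 0", 2048, &sa);
    printf("zero stripes: %d (%s)\n", bad, sa.error);
    return 0;
}
```

Every value the table line supplies is treated as hostile: the count is checked for zero and for an upper bound, the chunk size for being a power of two (so the per-I/O division and modulus are well defined), and the argument count against the stripe count, so that no later arithmetic can be reached with a value that was never validated.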
Enhancements
- #81: rtl8187: Add new device ID. Recognize another device ID.