user/sven/linux.git/kernel, branch v2.6.14.2

[PATCH] Fix ptrace self-attach rule

2005-11-11T05:22:08Z

Before we did CLONE_THREAD, the way to check whether we were attaching to ourselves was to just check "current == task", but with CLONE_THREAD we should check that the thread group ID matches instead. Signed-off-by: Linus Torvalds

[PATCH] - fix signal->live leak in copy_process()

2005-11-11T05:18:55Z

exit_signal() (called from copy_process's error path) should decrement ->signal->live, otherwise forking process will miss 'group_dead' in do_exit(). Signed-off-by: Oleg Nesterov Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman

[PATCH] CVE-2005-2709 sysctl unregistration oops

2005-11-08T19:14:00Z

You could open the /proc/sys/net/ipv4/conf// file, then wait for interface to go away, try to grab as much memory as possible in hope to hit the (kfreed) ctl_table. Then fill it with pointers to your function. Then do read from file you've opened and if you are lucky, you'll get it called as ->proc_handler() in kernel mode. So this is at least an Oops and possibly more. It does depend on an interface going away though, so less of a security risk than it would otherwise be. Signed-off-by: Greg Kroah-Hartman

[PATCH] Yet more posix-cpu-timer fixes

2005-10-27T16:08:43Z

This just makes sure that a thread's expiry times can't get reset after it clears them in do_exit. This is what allowed us to re-introduce the stricter BUG_ON() check in a362f463a6d316d14daed0f817e151835ce97ff7. Signed-off-by: Linus Torvalds

Revert "remove false BUG_ON() from run_posix_cpu_timers()"

2005-10-27T16:07:33Z

This reverts commit 3de463c7d9d58f8cf3395268230cb20a4c15bffa. Roland has another patch that allows us to leave the BUG_ON() in place by just making sure that the condition it tests for really is always true. That goes in next. Signed-off-by: Linus Torvalds

[PATCH] Fix cpu timers expiration time

2005-10-26T22:21:14Z

There's a silly off-by-one error in the code that updates the expiration of posix CPU timers, causing them to not be properly updated when they hit exactly on their expiration time (which should be the normal case). This causes them to then fire immediately again, and only _then_ get properly updated. Signed-off-by: Linus Torvalds

posix cpu timers: fix timer ordering

2005-10-26T18:23:06Z

Pointed out by Oleg Nesterov, who has been walking over the code forwards and backwards. Signed-off-by: Linus Torvalds

[PATCH] export cpu_online_map

2005-10-26T17:39:43Z

With CONFIG_SMP=n: *** Warning: "cpu_online_map" [drivers/firmware/dcdbas.ko] undefined! due to set_cpus_allowed(). Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] posix-timers: fix posix_cpu_timer_set() vs run_posix_cpu_timers() race

2005-10-24T15:13:14Z

This might be harmless, but looks like a race from code inspection (I was unable to trigger it). I must admit, I don't understand why we can't return TIMER_RETRY after 'spin_unlock(&p->sighand->siglock)' without doing bump_cpu_timer(), but this is what original code does. posix_cpu_timer_set: read_lock(&tasklist_lock); spin_lock(&p->sighand->siglock); list_del_init(&timer->it.cpu.entry); spin_unlock(&p->sighand->siglock); We are probaly deleting the timer from run_posix_cpu_timers's 'firing' local list_head while run_posix_cpu_timers() does list_for_each_safe. Various bad things can happen, for example we can just delete this timer so that list_for_each() will not notice it and run_posix_cpu_timers() will not reset '->firing' flag. In that case, .... if (timer->it.cpu.firing) { read_unlock(&tasklist_lock); timer->it.cpu.firing = -1; return TIMER_RETRY; } sys_timer_settime() goes to 'retry:', calls posix_cpu_timer_set() again, it returns TIMER_RETRY ... Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds

[PATCH] posix-timers: exit path cleanup

2005-10-24T15:12:35Z

No need to rebalance when task exited Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds