1 Hot Fix 32.3 for Linux Kernel 2.4.30 - 2006/03/18
2 From Willy Tarreau - EXOSEC < wtarreau at exosec.net >
4 http://linux.exosec.net/kernel/2.4-hf/
22 diff -urN linux-2.4.30/arch/alpha/kernel/Makefile linux-2.4.30-hf32.3/arch/alpha/kernel/Makefile
23 --- linux-2.4.30/arch/alpha/kernel/Makefile 2003-11-28 19:26:19.000000000 +0100
24 +++ linux-2.4.30-hf32.3/arch/alpha/kernel/Makefile 2006-03-18 00:34:06.000000000 +0100
28 ifneq ($(CONFIG_ALPHA_CABRIOLET)$(CONFIG_ALPHA_EB164)$(CONFIG_ALPHA_EB66P)$(CONFIG_ALPHA_LX164)$(CONFIG_ALPHA_PC164),)
29 -obj-y += sys_cabriolet.o
30 +obj-y += sys_cabriolet.o ns87312.o
33 obj-$(CONFIG_ALPHA_DP264) += sys_dp264.o
34 diff -urN linux-2.4.30/arch/alpha/kernel/pci_iommu.c linux-2.4.30-hf32.3/arch/alpha/kernel/pci_iommu.c
35 --- linux-2.4.30/arch/alpha/kernel/pci_iommu.c 2003-06-13 16:51:29.000000000 +0200
36 +++ linux-2.4.30-hf32.3/arch/alpha/kernel/pci_iommu.c 2006-03-18 00:34:06.000000000 +0100
38 /* Given a scatterlist leader, choose an allocation method and fill
43 sg_fill(struct scatterlist *leader, struct scatterlist *end,
44 struct scatterlist *out, struct pci_iommu_arena *arena,
45 dma_addr_t max_dma, int dac_allowed)
46 diff -urN linux-2.4.30/arch/i386/config.in linux-2.4.30-hf32.3/arch/i386/config.in
47 --- linux-2.4.30/arch/i386/config.in 2004-11-17 12:54:21.000000000 +0100
48 +++ linux-2.4.30-hf32.3/arch/i386/config.in 2006-03-18 00:34:06.000000000 +0100
50 define_bool CONFIG_X86_POPAD_OK y
51 define_bool CONFIG_RWSEM_GENERIC_SPINLOCK n
52 define_bool CONFIG_RWSEM_XCHGADD_ALGORITHM y
53 + define_bool CONFIG_X86_TSC n
55 if [ "$CONFIG_M486" = "y" ]; then
56 define_int CONFIG_X86_L1_CACHE_SHIFT 4
58 define_bool CONFIG_X86_ALIGNMENT_16 y
59 define_bool CONFIG_X86_PPRO_FENCE y
60 define_bool CONFIG_X86_F00F_WORKS_OK n
61 + define_bool CONFIG_X86_TSC n
63 if [ "$CONFIG_M586" = "y" ]; then
64 define_int CONFIG_X86_L1_CACHE_SHIFT 5
65 diff -urN linux-2.4.30/arch/i386/kernel/apm.c linux-2.4.30-hf32.3/arch/i386/kernel/apm.c
66 --- linux-2.4.30/arch/i386/kernel/apm.c 2003-08-25 13:44:39.000000000 +0200
67 +++ linux-2.4.30-hf32.3/arch/i386/kernel/apm.c 2006-03-18 00:34:06.000000000 +0100
69 * Save a segment register away
71 #define savesegment(seg, where) \
72 - __asm__ __volatile__("movl %%" #seg ",%0" : "=m" (where))
73 + __asm__ __volatile__("mov %%" #seg ",%0" : "=m" (where))
76 * Maximum number of events stored
80 # define APM_DECL_SEGS \
81 - unsigned int saved_fs; unsigned int saved_gs;
82 + unsigned short saved_fs; unsigned short saved_gs;
83 # define APM_DO_SAVE_SEGS \
84 savesegment(fs, saved_fs); savesegment(gs, saved_gs)
85 # define APM_DO_ZERO_SEGS \
86 diff -urN linux-2.4.30/arch/i386/kernel/io_apic.c linux-2.4.30-hf32.3/arch/i386/kernel/io_apic.c
87 --- linux-2.4.30/arch/i386/kernel/io_apic.c 2004-11-17 12:54:21.000000000 +0100
88 +++ linux-2.4.30-hf32.3/arch/i386/kernel/io_apic.c 2006-03-18 00:34:06.000000000 +0100
90 * might have cached one ExtINT interrupt. Finally, at
91 * least one tick may be lost due to delays.
93 - if (jiffies - t1 > 4)
94 + if (jiffies - t1 > 4 && jiffies - t1 < 16)
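Review bot: The new upper bound `jiffies - t1 < 16` is not explained by the comment above it, which only accounts for the lower side of the window, and `jiffies` is now read twice in one condition. Because `jiffies` advances asynchronously, the two reads can differ; sampling once, e.g. `unsigned long dt = jiffies - t1;` followed by `if (dt > 4 && dt < 16)`, makes the test evaluate a single value. A one-line comment saying why an elapsed count of 16 or more no longer satisfies the test would help the next reader. The enclosing function lies outside the hunk.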
98 diff -urN linux-2.4.30/arch/i386/kernel/mtrr.c linux-2.4.30-hf32.3/arch/i386/kernel/mtrr.c
99 --- linux-2.4.30/arch/i386/kernel/mtrr.c 2004-08-08 01:26:04.000000000 +0200
100 +++ linux-2.4.30-hf32.3/arch/i386/kernel/mtrr.c 2006-03-18 00:34:06.000000000 +0100
101 @@ -1674,6 +1674,7 @@
103 char line[LINE_SIZE];
105 + if (!len) return -EINVAL;
106 if ( !suser () ) return -EPERM;
107 /* Can't seek (pwrite) on this device */
108 if (ppos != &file->f_pos) return -ESPIPE;
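Review bot: The added `if (!len) return -EINVAL;` carries no comment naming the later access it protects, and that access is outside this hunk. If, as the guard suggests, the body indexes `line[]` relative to `len`, a comment such as `/* len == 0 would index before the start of line[] below */` would keep the check from being removed as redundant. The guard also runs before the `suser()` test, so an unprivileged caller now gets -EINVAL rather than -EPERM for an empty write; placing it after the permission check keeps the error ordering uniform.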
109 diff -urN linux-2.4.30/arch/i386/kernel/process.c linux-2.4.30-hf32.3/arch/i386/kernel/process.c
110 --- linux-2.4.30/arch/i386/kernel/process.c 2004-11-17 12:54:21.000000000 +0100
111 +++ linux-2.4.30-hf32.3/arch/i386/kernel/process.c 2006-03-18 00:34:06.000000000 +0100
115 #define savesegment(seg,value) \
116 - asm volatile("movl %%" #seg ",%0":"=m" (*(int *)&(value)))
117 + asm volatile("mov %%" #seg ",%0":"=m" (value))
119 int copy_thread(int nr, unsigned long clone_flags, unsigned long esp,
120 unsigned long unused,
122 * Save away %fs and %gs. No need to save %es and %ds, as
123 * those are always kernel segments while inside the kernel.
125 - asm volatile("movl %%fs,%0":"=m" (*(int *)&prev->fs));
126 - asm volatile("movl %%gs,%0":"=m" (*(int *)&prev->gs));
127 + asm volatile("mov %%fs,%0":"=m" (prev->fs));
128 + asm volatile("mov %%gs,%0":"=m" (prev->gs));
131 * Restore %fs and %gs.
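Review bot: With the `*(int *)&` cast gone, `savesegment` and the two `mov %%fs` / `mov %%gs` stores rely on the instruction alone for the store width, and a segment-register `mov` to memory writes 16 bits whatever the C type of the operand. The declarations of `value`, `prev->fs` and `prev->gs` are not in this view; if any of them is wider than 16 bits, its upper bytes keep their previous contents after the store. The apm.c hunk in this patch narrows `saved_fs` / `saved_gs` to `unsigned short` for the same macro change, so a comment on this macro such as `/* stores 16 bits only; operand must be 16-bit or already zeroed */` would record the requirement here too.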
132 diff -urN linux-2.4.30/arch/i386/kernel/traps.c linux-2.4.30-hf32.3/arch/i386/kernel/traps.c
133 --- linux-2.4.30/arch/i386/kernel/traps.c 2002-11-29 00:53:09.000000000 +0100
134 +++ linux-2.4.30-hf32.3/arch/i386/kernel/traps.c 2006-03-18 00:34:06.000000000 +0100
135 @@ -631,15 +631,14 @@
137 cwd = get_fpu_cwd(task);
138 swd = get_fpu_swd(task);
139 - switch (((~cwd) & swd & 0x3f) | (swd & 0x240)) {
140 + switch (swd & ~cwd & 0x3f) {
144 case 0x001: /* Invalid Op */
145 - case 0x041: /* Stack Fault */
146 - case 0x241: /* Stack Fault | Direction */
147 + /* swd & 0x240 == 0x040: Stack Fault */
148 + /* swd & 0x240 == 0x240: Stack Fault | Direction */
149 info.si_code = FPE_FLTINV;
150 - /* Should we clear the SF or let user space do it ???? */
152 case 0x002: /* Denormalize */
153 case 0x010: /* Underflow */
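Review bot: The two replacement comments `swd & 0x240 == 0x040` and `swd & 0x240 == 0x240` read as C expressions but would not mean what they say if compiled, because `==` binds tighter than `&`. Writing them as `/* (swd & 0x240) == 0x040: Stack Fault */` and `/* (swd & 0x240) == 0x240: Stack Fault | Direction */` avoids a wrong copy-paste later. It would also help to say in the comment that, with the switch value masked to 0x3f, both stack-fault variants are now reported as FPE_FLTINV through the 0x001 case. The rest of the switch is outside the hunk.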
154 diff -urN linux-2.4.30/arch/ia64/ia32/sys_ia32.c linux-2.4.30-hf32.3/arch/ia64/ia32/sys_ia32.c
155 --- linux-2.4.30/arch/ia64/ia32/sys_ia32.c 2005-04-14 09:43:32.000000000 +0200
156 +++ linux-2.4.30-hf32.3/arch/ia64/ia32/sys_ia32.c 2006-03-18 00:34:06.000000000 +0100
158 static DECLARE_MUTEX(ia32_mmap_sem);
161 -nargs (unsigned int arg, char **ap)
162 +nargs (unsigned int arg, char **ap, int max)
167 err = get_user(addr, (unsigned int *)A(arg));
173 *ap++ = (char *) A(addr);
174 arg += sizeof(unsigned int);
175 @@ -128,10 +130,11 @@
179 - na = nargs(argv, NULL);
180 + /* Allocates upto 2x MAX_ARG_PAGES */
181 + na = nargs(argv, NULL, (MAX_ARG_PAGES*PAGE_SIZE) / sizeof(char *) - 1);
184 - ne = nargs(envp, NULL);
185 + ne = nargs(envp, NULL, (MAX_ARG_PAGES*PAGE_SIZE) / sizeof(char *) - 1 );
188 len = (na + ne + 2) * sizeof(*av);
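Review bot: The argument-count limit `(MAX_ARG_PAGES*PAGE_SIZE) / sizeof(char *) - 1` is written out twice here and twice more in the arch/x86_64/ia32/sys_ia32.c hunk, and it is an unsigned size expression passed to the new `int max` parameter. A single named constant with an explicit `int` type would keep the four call sites in step. The part of `nargs` that compares the running count with `max` is not visible in this view, so confirm that it fails with an error rather than returning a truncated count. The second pass (`nargs(argv, av, na)`) re-reads the pointer array from user memory and depends on that bound to stay inside the buffer sized by the first pass.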
189 @@ -143,10 +146,10 @@
193 - r = nargs(argv, av);
194 + r = nargs(argv, av, na);
197 - r = nargs(envp, ae);
198 + r = nargs(envp, ae, ne);
202 @@ -1439,6 +1442,7 @@
204 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
205 CMSG_ALIGN(sizeof(struct cmsghdr)));
206 + tmp = CMSG_ALIGN(tmp);
208 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
210 @@ -1475,7 +1479,7 @@
211 goto out_free_efault;
214 - kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
215 + kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
216 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
219 diff -urN linux-2.4.30/arch/ia64/mm/fault.c linux-2.4.30-hf32.3/arch/ia64/mm/fault.c
220 --- linux-2.4.30/arch/ia64/mm/fault.c 2003-08-25 13:44:39.000000000 +0200
221 +++ linux-2.4.30-hf32.3/arch/ia64/mm/fault.c 2006-03-18 00:34:06.000000000 +0100
226 - if (done_with_exception(regs))
230 * Since we have no vma's for region 5, we might get here even if the address is
231 * valid, due to the VHPT walker inserting a non present translation that becomes
233 if (REGION_NUMBER(address) == 5 && mapped_kernel_page_is_present(address))
236 + if (done_with_exception(regs))
240 * Oops. The kernel tried to access some bad page. We'll have to terminate things
241 * with extreme prejudice.
242 diff -urN linux-2.4.30/arch/parisc/kernel/ioctl32.c linux-2.4.30-hf32.3/arch/parisc/kernel/ioctl32.c
243 --- linux-2.4.30/arch/parisc/kernel/ioctl32.c 2005-01-27 18:57:31.000000000 +0100
244 +++ linux-2.4.30-hf32.3/arch/parisc/kernel/ioctl32.c 2006-03-18 00:34:06.000000000 +0100
246 #include <linux/cdrom.h>
247 #include <linux/loop.h>
248 #include <linux/auto_fs.h>
249 +#include <linux/auto_fs4.h>
250 #include <linux/devfs_fs.h>
251 #include <linux/tty.h>
252 #include <linux/vt_kern.h>
253 diff -urN linux-2.4.30/arch/parisc/kernel/sys_parisc32.c linux-2.4.30-hf32.3/arch/parisc/kernel/sys_parisc32.c
254 --- linux-2.4.30/arch/parisc/kernel/sys_parisc32.c 2005-04-14 09:43:33.000000000 +0200
255 +++ linux-2.4.30-hf32.3/arch/parisc/kernel/sys_parisc32.c 2006-03-18 00:34:06.000000000 +0100
256 @@ -1934,12 +1934,13 @@
257 struct cmsghdr *kcmsg, *kcmsg_base;
258 __kernel_size_t32 ucmlen;
259 __kernel_size_t kcmlen, tmp;
263 kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
264 ucmsg = CMSG32_FIRSTHDR(kmsg);
265 while(ucmsg != NULL) {
266 - if(get_user(ucmlen, &ucmsg->cmsg_len))
267 + if (get_user(ucmlen, &ucmsg->cmsg_len))
271 @@ -1948,6 +1949,7 @@
273 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
274 CMSG_ALIGN(sizeof(struct cmsghdr)));
275 + tmp = CMSG_ALIGN(tmp);
277 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
279 @@ -1968,21 +1970,23 @@
280 memset(kcmsg, 0, kcmlen);
281 ucmsg = CMSG32_FIRSTHDR(kmsg);
282 while(ucmsg != NULL) {
283 - __get_user(ucmlen, &ucmsg->cmsg_len);
284 + if (__get_user(ucmlen, &ucmsg->cmsg_len))
286 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
287 CMSG_ALIGN(sizeof(struct cmsghdr)));
288 + if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
290 kcmsg->cmsg_len = tmp;
291 - __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
292 - __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
294 - /* Copy over the data. */
295 - if(copy_from_user(CMSG_DATA(kcmsg),
296 - CMSG32_DATA(ucmsg),
297 - (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
298 - goto out_free_efault;
299 + tmp = CMSG_ALIGN(tmp);
300 + if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
301 + __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
302 + copy_from_user(CMSG_DATA(kcmsg),
303 + CMSG32_DATA(ucmsg),
304 + (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
308 - kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
309 + kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
310 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
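Review bot: The second pass fetches `ucmlen` from user memory again, and the visible lines check only that the aligned `tmp` fits in the space left in the kernel buffer, not that `ucmlen` is still at least `CMSG32_ALIGN(sizeof(*ucmsg))`. If that lower-bound test is not repeated in lines outside this view, a length that changed between the passes makes `ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))` wrap, so `tmp` can pass the new bound while the `copy_from_user` length, which uses the same subtraction, is no longer limited by it. Repeating the test before `tmp` is computed, e.g. `if (ucmlen < CMSG32_ALIGN(sizeof(*ucmsg))) goto out_free_efault;` (the label the removed lines already used), closes that gap. The new comparison also mixes a signed pointer difference with an unsigned size, which is safe only while `kcmsg` never moves past `kcmsg_base + kcmlen`. The same second-pass code appears in the sys_ppc32.c, linux32.c, sys_sparc32.c and socket32.c hunks of this patch.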
313 @@ -1991,10 +1995,12 @@
314 kmsg->msg_controllen = kcmlen;
318 - if(kcmsg_base != (struct cmsghdr *)stackbuf)
322 + if (kcmsg_base != (struct cmsghdr *)stackbuf)
328 static void put_cmsg32(struct msghdr *kmsg, int level, int type,
329 diff -urN linux-2.4.30/arch/ppc/boot/lib/zlib.c linux-2.4.30-hf32.3/arch/ppc/boot/lib/zlib.c
330 --- linux-2.4.30/arch/ppc/boot/lib/zlib.c 2003-08-25 13:44:40.000000000 +0200
331 +++ linux-2.4.30-hf32.3/arch/ppc/boot/lib/zlib.c 2006-03-18 00:34:06.000000000 +0100
332 @@ -1322,6 +1322,7 @@
336 + n = x[g]; /* set n to length of v */
339 /* Generate the Huffman codes and for each, make the table entries */
340 diff -urN linux-2.4.30/arch/ppc64/boot/zlib.c linux-2.4.30-hf32.3/arch/ppc64/boot/zlib.c
341 --- linux-2.4.30/arch/ppc64/boot/zlib.c 2003-08-25 13:44:40.000000000 +0200
342 +++ linux-2.4.30-hf32.3/arch/ppc64/boot/zlib.c 2006-03-18 00:34:06.000000000 +0100
343 @@ -1338,6 +1338,7 @@
347 + n = x[g]; /* set n to length of v */
350 /* Generate the Huffman codes and for each, make the table entries */
351 diff -urN linux-2.4.30/arch/ppc64/kernel/ioctl32.c linux-2.4.30-hf32.3/arch/ppc64/kernel/ioctl32.c
352 --- linux-2.4.30/arch/ppc64/kernel/ioctl32.c 2005-01-27 18:57:31.000000000 +0100
353 +++ linux-2.4.30-hf32.3/arch/ppc64/kernel/ioctl32.c 2006-03-18 00:34:06.000000000 +0100
355 #include <linux/cdrom.h>
356 #include <linux/loop.h>
357 #include <linux/auto_fs.h>
358 +#include <linux/autofs_4.h>
359 #include <linux/devfs_fs.h>
360 #include <linux/tty.h>
361 #include <linux/vt_kern.h>
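Review bot: The added include here is `<linux/autofs_4.h>`, while the arch/parisc/kernel/ioctl32.c hunk in this same patch adds `<linux/auto_fs4.h>` at the corresponding place in the include list. Unless both headers exist in this tree, one of the two spellings will fail to build; the neighbouring `<linux/auto_fs.h>` suggests `auto_fs4.h` is the intended name. Please confirm against include/linux and make the two files agree.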
362 @@ -876,13 +877,15 @@
374 ret = sys_ioctl (fd, cmd, (long) r);
381 diff -urN linux-2.4.30/arch/ppc64/kernel/signal.c linux-2.4.30-hf32.3/arch/ppc64/kernel/signal.c
382 --- linux-2.4.30/arch/ppc64/kernel/signal.c 2005-01-27 18:57:31.000000000 +0100
383 +++ linux-2.4.30-hf32.3/arch/ppc64/kernel/signal.c 2006-03-18 00:34:06.000000000 +0100
390 sys_rt_sigreturn(unsigned long r3, unsigned long r4, unsigned long r5,
391 unsigned long r6, unsigned long r7, unsigned long r8,
392 struct pt_regs *regs)
393 diff -urN linux-2.4.30/arch/ppc64/kernel/sys_ppc32.c linux-2.4.30-hf32.3/arch/ppc64/kernel/sys_ppc32.c
394 --- linux-2.4.30/arch/ppc64/kernel/sys_ppc32.c 2005-04-14 09:43:33.000000000 +0200
395 +++ linux-2.4.30-hf32.3/arch/ppc64/kernel/sys_ppc32.c 2006-03-18 00:34:06.000000000 +0100
396 @@ -3442,12 +3442,13 @@
397 struct cmsghdr *kcmsg, *kcmsg_base;
398 __kernel_size_t32 ucmlen;
399 __kernel_size_t kcmlen, tmp;
403 kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
404 ucmsg = CMSG32_FIRSTHDR(kmsg);
405 while(ucmsg != NULL) {
406 - if(get_user(ucmlen, &ucmsg->cmsg_len))
407 + if (get_user(ucmlen, &ucmsg->cmsg_len))
411 @@ -3456,6 +3457,7 @@
413 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
414 CMSG_ALIGN(sizeof(struct cmsghdr)));
415 + tmp = CMSG_ALIGN(tmp);
417 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
419 @@ -3476,21 +3478,23 @@
420 memset(kcmsg, 0, kcmlen);
421 ucmsg = CMSG32_FIRSTHDR(kmsg);
422 while (ucmsg != NULL) {
423 - __get_user(ucmlen, &ucmsg->cmsg_len);
424 + if (__get_user(ucmlen, &ucmsg->cmsg_len))
426 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
427 CMSG_ALIGN(sizeof(struct cmsghdr)));
428 + if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
430 kcmsg->cmsg_len = tmp;
431 - __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
432 - __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
434 - /* Copy over the data. */
435 - if(copy_from_user(CMSG_DATA(kcmsg),
436 - CMSG32_DATA(ucmsg),
437 - (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
438 - goto out_free_efault;
439 + tmp = CMSG_ALIGN(tmp);
440 + if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
441 + __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
442 + copy_from_user(CMSG_DATA(kcmsg),
443 + CMSG32_DATA(ucmsg),
444 + (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
448 - kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
449 + kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
450 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
453 @@ -3499,10 +3503,12 @@
454 kmsg->msg_controllen = kcmlen;
458 - if(kcmsg_base != (struct cmsghdr *)stackbuf)
462 + if (kcmsg_base != (struct cmsghdr *)stackbuf)
468 asmlinkage long sys32_sendmsg(int fd, struct msghdr32* user_msg, unsigned int user_flags)
469 diff -urN linux-2.4.30/arch/s390x/kernel/linux32.c linux-2.4.30-hf32.3/arch/s390x/kernel/linux32.c
470 --- linux-2.4.30/arch/s390x/kernel/linux32.c 2005-04-14 09:43:33.000000000 +0200
471 +++ linux-2.4.30-hf32.3/arch/s390x/kernel/linux32.c 2006-03-18 00:34:06.000000000 +0100
472 @@ -2425,12 +2425,13 @@
473 struct cmsghdr *kcmsg, *kcmsg_base;
474 __kernel_size_t32 ucmlen;
475 __kernel_size_t kcmlen, tmp;
479 kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
480 ucmsg = CMSG32_FIRSTHDR(kmsg);
481 while(ucmsg != NULL) {
482 - if(get_user(ucmlen, &ucmsg->cmsg_len))
483 + if (get_user(ucmlen, &ucmsg->cmsg_len))
487 @@ -2439,6 +2440,7 @@
489 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
490 CMSG_ALIGN(sizeof(struct cmsghdr)));
491 + tmp = CMSG_ALIGN(tmp);
493 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
495 @@ -2459,21 +2461,23 @@
496 memset(kcmsg, 0, kcmlen);
497 ucmsg = CMSG32_FIRSTHDR(kmsg);
498 while(ucmsg != NULL) {
499 - __get_user(ucmlen, &ucmsg->cmsg_len);
500 + if (__get_user(ucmlen, &ucmsg->cmsg_len))
502 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
503 CMSG_ALIGN(sizeof(struct cmsghdr)));
504 + if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
506 kcmsg->cmsg_len = tmp;
507 - __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
508 - __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
510 - /* Copy over the data. */
511 - if(copy_from_user(CMSG_DATA(kcmsg),
512 - CMSG32_DATA(ucmsg),
513 - (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
514 - goto out_free_efault;
515 + tmp = CMSG_ALIGN(tmp);
516 + if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
517 + __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
518 + copy_from_user(CMSG_DATA(kcmsg),
519 + CMSG32_DATA(ucmsg),
520 + (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
524 - kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
525 + kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
526 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
529 @@ -2482,10 +2486,12 @@
530 kmsg->msg_controllen = kcmlen;
534 - if(kcmsg_base != (struct cmsghdr *)stackbuf)
538 + if (kcmsg_base != (struct cmsghdr *)stackbuf)
544 static void put_cmsg32(struct msghdr *kmsg, int level, int type,
545 diff -urN linux-2.4.30/arch/sparc/math-emu/math.c linux-2.4.30-hf32.3/arch/sparc/math-emu/math.c
546 --- linux-2.4.30/arch/sparc/math-emu/math.c 1999-12-03 00:28:54.000000000 +0100
547 +++ linux-2.4.30-hf32.3/arch/sparc/math-emu/math.c 2006-03-18 00:34:06.000000000 +0100
551 case FNEGS: TYPE(2,1,0,1,0,0,0); break;
553 -#ifdef DEBUG_MATHEMU
554 - printk("unknown FPop1: %03lx\n",(insn>>5)&0x1ff);
557 } else if ((insn & 0xc1f80000) == 0x81a80000) /* FPOP2 */ {
558 switch ((insn >> 5) & 0x1ff) {
560 case FCMPED: TYPE(3,0,0,2,1,2,1); break;
561 case FCMPQ: TYPE(3,0,0,3,1,3,1); break;
562 case FCMPEQ: TYPE(3,0,0,3,1,3,1); break;
564 -#ifdef DEBUG_MATHEMU
565 - printk("unknown FPop2: %03lx\n",(insn>>5)&0x1ff);
570 diff -urN linux-2.4.30/arch/sparc64/kernel/ioctl32.c linux-2.4.30-hf32.3/arch/sparc64/kernel/ioctl32.c
571 --- linux-2.4.30/arch/sparc64/kernel/ioctl32.c 2005-04-14 09:43:33.000000000 +0200
572 +++ linux-2.4.30-hf32.3/arch/sparc64/kernel/ioctl32.c 2006-03-18 00:34:06.000000000 +0100
573 @@ -809,13 +809,15 @@
585 ret = sys_ioctl (fd, cmd, (long) r);
592 diff -urN linux-2.4.30/arch/sparc64/kernel/sys_sparc32.c linux-2.4.30-hf32.3/arch/sparc64/kernel/sys_sparc32.c
593 --- linux-2.4.30/arch/sparc64/kernel/sys_sparc32.c 2005-04-14 09:43:33.000000000 +0200
594 +++ linux-2.4.30-hf32.3/arch/sparc64/kernel/sys_sparc32.c 2006-03-18 00:34:06.000000000 +0100
596 #include <linux/in.h>
597 #include <linux/icmpv6.h>
598 #include <linux/sysctl.h>
599 +#include <linux/vmalloc.h>
600 #include <linux/dnotify.h>
601 #include <linux/netfilter_ipv4/ip_tables.h>
603 @@ -2496,12 +2497,13 @@
604 struct cmsghdr *kcmsg, *kcmsg_base;
605 __kernel_size_t32 ucmlen;
606 __kernel_size_t kcmlen, tmp;
610 kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
611 ucmsg = CMSG32_FIRSTHDR(kmsg);
612 while(ucmsg != NULL) {
613 - if(get_user(ucmlen, &ucmsg->cmsg_len))
614 + if (get_user(ucmlen, &ucmsg->cmsg_len))
618 @@ -2510,6 +2512,7 @@
620 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
621 CMSG_ALIGN(sizeof(struct cmsghdr)));
622 + tmp = CMSG_ALIGN(tmp);
624 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
626 @@ -2530,21 +2533,23 @@
627 memset(kcmsg, 0, kcmlen);
628 ucmsg = CMSG32_FIRSTHDR(kmsg);
629 while(ucmsg != NULL) {
630 - __get_user(ucmlen, &ucmsg->cmsg_len);
631 + if (__get_user(ucmlen, &ucmsg->cmsg_len))
633 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
634 CMSG_ALIGN(sizeof(struct cmsghdr)));
635 + if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
637 kcmsg->cmsg_len = tmp;
638 - __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
639 - __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
641 - /* Copy over the data. */
642 - if(copy_from_user(CMSG_DATA(kcmsg),
643 - CMSG32_DATA(ucmsg),
644 - (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
645 - goto out_free_efault;
646 + tmp = CMSG_ALIGN(tmp);
647 + if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
648 + __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
649 + copy_from_user(CMSG_DATA(kcmsg),
650 + CMSG32_DATA(ucmsg),
651 + (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
655 - kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
656 + kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
657 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
660 @@ -2553,10 +2558,12 @@
661 kmsg->msg_controllen = kcmlen;
665 - if(kcmsg_base != (struct cmsghdr *)stackbuf)
669 + if (kcmsg_base != (struct cmsghdr *)stackbuf)
675 static void put_cmsg32(struct msghdr *kmsg, int level, int type,
676 @@ -2919,12 +2926,12 @@
677 if (optlen != kreplsize)
680 - krepl = (struct ipt_replace *)kmalloc(kreplsize, GFP_KERNEL);
681 + krepl = (struct ipt_replace *)vmalloc(kreplsize);
685 if (copy_from_user(krepl, optval, kreplsize)) {
691 @@ -2932,10 +2939,9 @@
692 ((struct ipt_replace32 *)krepl)->counters);
694 kcountersize = krepl->num_counters * sizeof(struct ipt_counters);
695 - krepl->counters = (struct ipt_counters *)kmalloc(
696 - kcountersize, GFP_KERNEL);
697 + krepl->counters = (struct ipt_counters *)vmalloc(kcountersize);
698 if (krepl->counters == NULL) {
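Review bot: `kcountersize` is computed from `krepl->num_counters`, a value just copied in from user space, and moving to `vmalloc` removes the small-allocation ceiling that `kmalloc` imposed on an oversized request. No explicit upper bound on `num_counters` or on the product is visible in this hunk, and `kcountersize` is declared outside it, so truncation or wrap of the multiplication cannot be ruled out from here. A range check before the allocation, failing with the function's usual error code for counts beyond what a table can hold, would make the limit explicit. Every release path for `krepl` and `krepl->counters` also has to become `vfree`; only one of them is visible in the following hunk.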
704 @@ -2949,8 +2955,8 @@
705 copy_to_user(counters32, krepl->counters, kcountersize))
708 - kfree(krepl->counters);
710 + vfree(krepl->counters);
715 @@ -4205,7 +4211,7 @@
719 - ret = sys_utimes(kfilename, &ktvs[0]);
720 + ret = sys_utimes(kfilename, (tvs ? &ktvs[0] : NULL));
724 diff -urN linux-2.4.30/arch/sparc64/solaris/socket.c linux-2.4.30-hf32.3/arch/sparc64/solaris/socket.c
725 --- linux-2.4.30/arch/sparc64/solaris/socket.c 2001-02-19 04:49:54.000000000 +0100
726 +++ linux-2.4.30-hf32.3/arch/sparc64/solaris/socket.c 2006-03-18 00:34:06.000000000 +0100
728 unsigned long *kcmsg;
729 __kernel_size_t32 cmlen;
731 - if(kern_msg.msg_controllen > sizeof(ctl) &&
732 - kern_msg.msg_controllen <= 256) {
733 + if (kern_msg.msg_controllen <= sizeof(__kernel_size_t32))
736 + if(kern_msg.msg_controllen > sizeof(ctl)) {
738 ctl_buf = kmalloc(kern_msg.msg_controllen, GFP_KERNEL);
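Review bot: With the `<= 256` clause removed, `kern_msg.msg_controllen` reaches `kmalloc` with no upper limit visible in this hunk, and that length comes from the caller's message header. The NULL check on `ctl_buf` and the later copy are outside the visible lines; confirm the allocation-failure path exists, and consider charging or capping the length against the socket's option-memory limit the way `sock_kmalloc` does. A short comment on the new `<= sizeof(__kernel_size_t32)` test, saying that such a buffer cannot hold even the length field, would document why that case is handled separately.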
740 diff -urN linux-2.4.30/arch/x86_64/ia32/ia32_ioctl.c linux-2.4.30-hf32.3/arch/x86_64/ia32/ia32_ioctl.c
741 --- linux-2.4.30/arch/x86_64/ia32/ia32_ioctl.c 2005-01-27 18:57:31.000000000 +0100
742 +++ linux-2.4.30-hf32.3/arch/x86_64/ia32/ia32_ioctl.c 2006-03-18 00:34:06.000000000 +0100
745 extern struct socket *sockfd_lookup(int fd, int *err);
747 +extern __inline__ void sockfd_put(struct socket *sock)
752 static int routing_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
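Review bot: `sockfd_put` is introduced here as an `extern __inline__` definition inside a .c file, next to the `extern` declaration of `sockfd_lookup`. Its body is not visible in this view, but a private copy of a socket-layer helper can drift from the original; `static __inline__` would keep the symbol local, and a comment naming the function it mirrors would help. The call added in the next hunk, `sockfd_put(mysock);`, needs to be reached on every exit path after a successful `sockfd_lookup`, which cannot be checked from the lines shown.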
755 @@ -857,12 +862,17 @@
767 ret = sys_ioctl (fd, cmd, (long) r);
771 + sockfd_put(mysock);
775 @@ -2766,17 +2776,24 @@
776 static int tiocgdev(unsigned fd, unsigned cmd, unsigned int *ptr)
779 - struct file *file = fget(fd);
781 struct tty_struct *real_tty;
788 if (file->f_op->ioctl != tty_ioctl)
791 real_tty = (struct tty_struct *)file->private_data;
794 - return put_user(kdev_t_to_nr(real_tty->device), ptr);
796 + ret = put_user(kdev_t_to_nr(real_tty->device), ptr);
804 diff -urN linux-2.4.30/arch/x86_64/ia32/socket32.c linux-2.4.30-hf32.3/arch/x86_64/ia32/socket32.c
805 --- linux-2.4.30/arch/x86_64/ia32/socket32.c 2005-04-14 09:43:33.000000000 +0200
806 +++ linux-2.4.30-hf32.3/arch/x86_64/ia32/socket32.c 2006-03-18 00:34:06.000000000 +0100
807 @@ -127,12 +127,13 @@
808 struct cmsghdr *kcmsg, *kcmsg_base;
809 __kernel_size_t32 ucmlen;
810 __kernel_size_t kcmlen, tmp;
814 kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
815 ucmsg = CMSG32_FIRSTHDR(kmsg);
816 while(ucmsg != NULL) {
817 - if(get_user(ucmlen, &ucmsg->cmsg_len))
818 + if (get_user(ucmlen, &ucmsg->cmsg_len))
822 @@ -164,18 +165,19 @@
823 memset(kcmsg, 0, kcmlen);
824 ucmsg = CMSG32_FIRSTHDR(kmsg);
825 while(ucmsg != NULL) {
826 - __get_user(ucmlen, &ucmsg->cmsg_len);
827 + if (__get_user(ucmlen, &ucmsg->cmsg_len))
829 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
830 CMSG_ALIGN(sizeof(struct cmsghdr)));
831 + if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
833 kcmsg->cmsg_len = tmp;
834 - __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
835 - __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
837 - /* Copy over the data. */
838 - if(copy_from_user(CMSG_DATA(kcmsg),
839 - CMSG32_DATA(ucmsg),
840 - (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
841 - goto out_free_efault;
842 + if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
843 + __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
844 + copy_from_user(CMSG_DATA(kcmsg),
845 + CMSG32_DATA(ucmsg),
846 + (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
850 kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
851 @@ -187,10 +189,12 @@
852 kmsg->msg_controllen = kcmlen;
856 - if(kcmsg_base != (struct cmsghdr *)stackbuf)
860 + if (kcmsg_base != (struct cmsghdr *)stackbuf)
866 static void put_cmsg32(struct msghdr *kmsg, int level, int type,
867 diff -urN linux-2.4.30/arch/x86_64/ia32/sys_ia32.c linux-2.4.30-hf32.3/arch/x86_64/ia32/sys_ia32.c
868 --- linux-2.4.30/arch/x86_64/ia32/sys_ia32.c 2005-01-27 18:57:31.000000000 +0100
869 +++ linux-2.4.30-hf32.3/arch/x86_64/ia32/sys_ia32.c 2006-03-18 00:34:06.000000000 +0100
870 @@ -2200,7 +2200,7 @@
874 -static int nargs(u32 src, char **dst)
875 +static int nargs(u32 src, char **dst, int max)
879 @@ -2210,13 +2210,13 @@
880 int ret = get_user(val, (__u32 *)(u64)src);
886 dst[cnt] = (char *)(u64)val;
889 - if (cnt >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *))
896 @@ -2230,13 +2230,14 @@
900 + /* Can actually allocate 2*MAX_ARG_PAGES */
902 - na = nargs(argv, NULL);
903 + na = nargs(argv, NULL, (MAX_ARG_PAGES * PAGE_SIZE)/sizeof(char*) - 1);
908 - ne = nargs(envp, NULL);
909 + ne = nargs(envp, NULL, (MAX_ARG_PAGES * PAGE_SIZE)/sizeof(char*) - 1);
913 @@ -2252,13 +2253,13 @@
917 - ret = nargs(argv, buf);
918 + ret = nargs(argv, buf, na);
924 - ret = nargs(envp, buf + na);
925 + ret = nargs(envp, buf + na, ne);
929 diff -urN linux-2.4.30/arch/x86_64/kernel/process.c linux-2.4.30-hf32.3/arch/x86_64/kernel/process.c
930 --- linux-2.4.30/arch/x86_64/kernel/process.c 2004-04-14 15:05:28.000000000 +0200
931 +++ linux-2.4.30-hf32.3/arch/x86_64/kernel/process.c 2006-03-18 00:34:06.000000000 +0100
932 @@ -527,10 +527,10 @@
933 p->thread.fs = me->thread.fs;
934 p->thread.gs = me->thread.gs;
936 - asm("movl %%gs,%0" : "=m" (p->thread.gsindex));
937 - asm("movl %%fs,%0" : "=m" (p->thread.fsindex));
938 - asm("movl %%es,%0" : "=m" (p->thread.es));
939 - asm("movl %%ds,%0" : "=m" (p->thread.ds));
940 + asm("mov %%gs,%0" : "=m" (p->thread.gsindex));
941 + asm("mov %%fs,%0" : "=m" (p->thread.fsindex));
942 + asm("mov %%es,%0" : "=m" (p->thread.es));
943 + asm("mov %%ds,%0" : "=m" (p->thread.ds));
946 p->thread.i387 = current->thread.i387;
947 @@ -575,11 +575,11 @@
951 - asm volatile("movl %%es,%0" : "=m" (prev->es));
952 + asm volatile("mov %%es,%0" : "=m" (prev->es));
953 if (unlikely(next->es | prev->es))
954 loadsegment(es, next->es);
956 - asm volatile ("movl %%ds,%0" : "=m" (prev->ds));
957 + asm volatile ("mov %%ds,%0" : "=m" (prev->ds));
958 if (unlikely(next->ds | prev->ds))
959 loadsegment(ds, next->ds);
965 - asm volatile("movl %%fs,%0" : "=g" (fsindex));
966 + asm volatile("movl %%fs,%0" : "=r" (fsindex));
967 /* segment register != 0 always requires a reload.
968 also reload when it has changed.
969 when prev process used 64bit base always reload
974 - asm volatile("movl %%gs,%0" : "=g" (gsindex));
975 + asm volatile("movl %%gs,%0" : "=r" (gsindex));
976 if (unlikely((gsindex | next->gsindex) || prev->gs)) {
977 load_gs_index(next->gsindex);
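Review bot: This hunk ends up with two conventions for the same operation: the `%es` / `%ds` saves become `mov` with an `=m` operand, while the `%fs` / `%gs` reads keep `movl` and only change the constraint from `=g` to `=r`. Presumably the `=r` change is there so the compiler can no longer pick a memory operand for a 32-bit move from a segment register, but nothing in the code says so. A comment on the two `movl` lines, such as `/* =r: 32-bit move from a segment register needs a register destination */`, would explain why they were not converted like the others.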
979 diff -urN linux-2.4.30/arch/x86_64/kernel/ptrace.c linux-2.4.30-hf32.3/arch/x86_64/kernel/ptrace.c
980 --- linux-2.4.30/arch/x86_64/kernel/ptrace.c 2003-06-13 16:51:32.000000000 +0200
981 +++ linux-2.4.30-hf32.3/arch/x86_64/kernel/ptrace.c 2006-03-18 00:34:06.000000000 +0100
982 @@ -114,13 +114,13 @@
983 child->thread.es = value & 0xffff;
985 case offsetof(struct user_regs_struct,fs_base):
986 - if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
988 + if (value >= TASK_SIZE)
990 child->thread.fs = value;
992 case offsetof(struct user_regs_struct,gs_base):
993 - if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
995 + if (value >= TASK_SIZE)
997 child->thread.gs = value;
999 case offsetof(struct user_regs_struct, eflags):
1000 @@ -139,6 +139,11 @@
1004 + case offsetof(struct user_regs_struct, rip):
1005 + /* Check if the new RIP address is canonical */
1006 + if (value >= TASK_SIZE)
1010 put_stack_long(child, regno - sizeof(struct pt_regs), value);
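Review bot: The comment `/* Check if the new RIP address is canonical */` describes a weaker property than the code enforces: `value >= TASK_SIZE` rejects every address outside the user range, canonical kernel addresses included. Wording such as `/* RIP must lie in the user address range; this also excludes non-canonical values */` matches the test. The fs_base and gs_base cases in the previous hunk switch to the same test with no comment at all and would benefit from the same line.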
1012 diff -urN linux-2.4.30/arch/x86_64/kernel/traps.c linux-2.4.30-hf32.3/arch/x86_64/kernel/traps.c
1013 --- linux-2.4.30/arch/x86_64/kernel/traps.c 2004-04-14 15:05:28.000000000 +0200
1014 +++ linux-2.4.30-hf32.3/arch/x86_64/kernel/traps.c 2006-03-18 00:34:06.000000000 +0100
1016 set_intr_gate(9,&coprocessor_segment_overrun);
1017 set_intr_gate(10,&invalid_TSS);
1018 set_intr_gate(11,&segment_not_present);
1019 - set_intr_gate_ist(12,&stack_segment,STACKFAULT_STACK);
1020 + set_intr_gate(12,&stack_segment);
1021 set_intr_gate(13,&general_protection);
1022 set_intr_gate(14,&page_fault);
1023 set_intr_gate(15,&spurious_interrupt_bug);
1024 diff -urN linux-2.4.30/drivers/block/loop.c linux-2.4.30-hf32.3/drivers/block/loop.c
1025 --- linux-2.4.30/drivers/block/loop.c 2003-08-25 13:44:41.000000000 +0200
1026 +++ linux-2.4.30-hf32.3/drivers/block/loop.c 2006-03-18 00:34:06.000000000 +0100
1029 int loop_register_transfer(struct loop_func_table *funcs)
1031 - if ((unsigned)funcs->number > MAX_LO_CRYPT || xfer_funcs[funcs->number])
1032 + if ((unsigned)funcs->number >= MAX_LO_CRYPT || xfer_funcs[funcs->number])
1034 xfer_funcs[funcs->number] = funcs;
1036 diff -urN linux-2.4.30/drivers/bluetooth/bfusb.c linux-2.4.30-hf32.3/drivers/bluetooth/bfusb.c
1037 --- linux-2.4.30/drivers/bluetooth/bfusb.c 2004-08-08 01:26:04.000000000 +0200
1038 +++ linux-2.4.30-hf32.3/drivers/bluetooth/bfusb.c 2006-03-18 00:34:06.000000000 +0100
1039 @@ -470,12 +470,11 @@
1042 write_lock_irqsave(&bfusb->lock, flags);
1043 + write_unlock_irqrestore(&bfusb->lock, flags);
1045 bfusb_unlink_urbs(bfusb);
1048 - write_unlock_irqrestore(&bfusb->lock, flags);
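Review bot: The `write_lock_irqsave` / `write_unlock_irqrestore` pair now sits back to back with nothing between them, which reads like a mistake unless the reader knows it is being used as a synchronization point. The hci_usb.c hunk in this patch adds `/* Synchronize with completion handlers */` above the same pattern; the same comment belongs here. It would also be worth a sentence stating that `bfusb_unlink_urbs` is now called without `bfusb->lock` held. The rest of the function is outside the hunk.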
1053 diff -urN linux-2.4.30/drivers/bluetooth/hci_usb.c linux-2.4.30-hf32.3/drivers/bluetooth/hci_usb.c
1054 --- linux-2.4.30/drivers/bluetooth/hci_usb.c 2004-08-08 01:26:04.000000000 +0200
1055 +++ linux-2.4.30-hf32.3/drivers/bluetooth/hci_usb.c 2006-03-18 00:34:06.000000000 +0100
1056 @@ -398,13 +398,13 @@
1058 BT_DBG("%s", hdev->name);
1060 + /* Synchronize with completion handlers */
1061 write_lock_irqsave(&husb->completion_lock, flags);
1063 + write_unlock_irqrestore(&husb->completion_lock, flags);
1065 hci_usb_unlink_urbs(husb);
1066 hci_usb_flush(hdev);
1068 - write_unlock_irqrestore(&husb->completion_lock, flags);
1073 diff -urN linux-2.4.30/drivers/char/cyclades.c linux-2.4.30-hf32.3/drivers/char/cyclades.c
1074 --- linux-2.4.30/drivers/char/cyclades.c 2005-01-27 18:57:32.000000000 +0100
1075 +++ linux-2.4.30-hf32.3/drivers/char/cyclades.c 2006-03-18 00:34:06.000000000 +0100
1076 @@ -2960,10 +2960,15 @@
1077 cy_write(struct tty_struct * tty, int from_user,
1078 const unsigned char *buf, int count)
1080 - struct cyclades_port *info = (struct cyclades_port *)tty->driver_data;
1081 + struct cyclades_port *info;
1082 unsigned long flags;
1088 + info = (struct cyclades_port *)tty->driver_data;
1091 printk("cyc:cy_write ttyC%d\n", info->line); /* */
1093 @@ -2972,7 +2977,7 @@
1097 - if (!tty || !info->xmit_buf || !tmp_buf){
1098 + if (!info->xmit_buf || !tmp_buf){
1102 @@ -3047,9 +3052,14 @@
1104 cy_put_char(struct tty_struct *tty, unsigned char ch)
1106 - struct cyclades_port *info = (struct cyclades_port *)tty->driver_data;
1107 + struct cyclades_port *info;
1108 unsigned long flags;
1113 + info = (struct cyclades_port *)tty->driver_data;
1116 printk("cyc:cy_put_char ttyC%d\n", info->line);
1118 @@ -3057,7 +3067,7 @@
1119 if (serial_paranoia_check(info, tty->device, "cy_put_char"))
1122 - if (!tty || !info->xmit_buf)
1123 + if (!info->xmit_buf)
1126 CY_LOCK(info, flags);
1127 diff -urN linux-2.4.30/drivers/char/drm/drm_stub.h linux-2.4.30-hf32.3/drivers/char/drm/drm_stub.h
1128 --- linux-2.4.30/drivers/char/drm/drm_stub.h 2006-02-26 22:56:01.000000000 +0100
1129 +++ linux-2.4.30-hf32.3/drivers/char/drm/drm_stub.h 2006-03-18 00:34:06.000000000 +0100
1132 struct file_operations *old_fops;
1134 + if (minor < 0 || minor >=DRM_STUB_MAXCARDS) return -ENODEV;
1135 if (!DRM(stub_list) || !DRM(stub_list)[minor].fops) return -ENODEV;
1136 old_fops = filp->f_op;
1137 filp->f_op = fops_get(DRM(stub_list)[minor].fops);
1138 diff -urN linux-2.4.30/drivers/char/esp.c linux-2.4.30-hf32.3/drivers/char/esp.c
1139 --- linux-2.4.30/drivers/char/esp.c 2005-01-27 18:57:32.000000000 +0100
1140 +++ linux-2.4.30-hf32.3/drivers/char/esp.c 2006-03-18 00:34:06.000000000 +0100
1141 @@ -1251,13 +1251,18 @@
1143 static void rs_put_char(struct tty_struct *tty, unsigned char ch)
1145 - struct esp_struct *info = (struct esp_struct *)tty->driver_data;
1146 + struct esp_struct *info;
1147 unsigned long flags;
1152 + info = (struct esp_struct *)tty->driver_data;
1154 if (serial_paranoia_check(info, tty->device, "rs_put_char"))
1157 - if (!tty || !info->xmit_buf)
1158 + if (!info->xmit_buf)
1161 save_flags(flags); cli();
1162 @@ -1296,13 +1301,19 @@
1163 const unsigned char *buf, int count)
1166 - struct esp_struct *info = (struct esp_struct *)tty->driver_data;
1167 + struct esp_struct *info;
1168 unsigned long flags;
1174 + info = (struct esp_struct *)tty->driver_data;
1176 if (serial_paranoia_check(info, tty->device, "rs_write"))
1179 - if (!tty || !info->xmit_buf || !tmp_buf)
1180 + if (!info->xmit_buf || !tmp_buf)
1184 diff -urN linux-2.4.30/drivers/char/isicom.c linux-2.4.30-hf32.3/drivers/char/isicom.c
1185 --- linux-2.4.30/drivers/char/isicom.c 2005-01-27 18:57:32.000000000 +0100
1186 +++ linux-2.4.30-hf32.3/drivers/char/isicom.c 2006-03-18 00:34:06.000000000 +0100
1187 @@ -1223,9 +1223,15 @@
1188 static int isicom_write(struct tty_struct * tty, int from_user,
1189 const unsigned char * buf, int count)
1191 - struct isi_port * port = (struct isi_port *) tty->driver_data;
1192 + struct isi_port * port;
1193 unsigned long flags;
1199 + port = (struct isi_port *) tty->driver_data;
1202 printk(KERN_DEBUG "ISICOM: isicom_write for port%d: %d bytes.\n",
1203 port->channel+1, count);
1204 @@ -1233,7 +1239,7 @@
1205 if (isicom_paranoia_check(port, tty->device, "isicom_write"))
1208 - if (!tty || !port->xmit_buf || !tmp_buf)
1209 + if (!port->xmit_buf || !tmp_buf)
1212 down(&tmp_buf_sem); /* acquire xclusive access to tmp_buf */
1213 @@ -1281,13 +1287,18 @@
1214 /* put_char et all */
1215 static void isicom_put_char(struct tty_struct * tty, unsigned char ch)
1217 - struct isi_port * port = (struct isi_port *) tty->driver_data;
1218 + struct isi_port * port;
1219 unsigned long flags;
1224 + port = (struct isi_port *) tty->driver_data;
1226 if (isicom_paranoia_check(port, tty->device, "isicom_put_char"))
1229 - if (!tty || !port->xmit_buf)
1230 + if (!port->xmit_buf)
1233 printk(KERN_DEBUG "ISICOM: put_char, port %d, char %c.\n", port->channel+1, ch);
1234 diff -urN linux-2.4.30/drivers/char/moxa.c linux-2.4.30-hf32.3/drivers/char/moxa.c
1235 --- linux-2.4.30/drivers/char/moxa.c 2005-01-27 18:57:32.000000000 +0100
1236 +++ linux-2.4.30-hf32.3/drivers/char/moxa.c 2006-03-18 00:34:06.000000000 +0100
1238 static int moxa_get_serial_info(struct moxa_str *, struct serial_struct *);
1239 static int moxa_set_serial_info(struct moxa_str *, struct serial_struct *);
1240 static void MoxaSetFifo(int port, int enable);
1241 +static unsigned long moxaIntPend[MAX_BOARDS];
1244 int init_module(void)
1248 for (card = 0; card < MAX_BOARDS; card++) {
1249 - if ((ports = MoxaPortsOfCard(card)) <= 0)
1250 + if ((ports = MoxaPortsOfCard(card)) <= 0
1251 + || moxaIntPend[card] == 0)
1253 ch = &moxaChannels[card * MAX_PORTS_PER_BOARD];
1254 for (i = 0; i < ports; i++, ch++) {
1255 @@ -1578,7 +1580,6 @@
1257 static unsigned char moxaBuff[10240];
1258 static unsigned long moxaIntNdx[MAX_BOARDS];
1259 -static unsigned long moxaIntPend[MAX_BOARDS];
1260 static unsigned long moxaIntTable[MAX_BOARDS];
1261 static char moxaChkPort[MAX_PORTS];
1262 static char moxaLineCtrl[MAX_PORTS];
1263 diff -urN linux-2.4.30/drivers/char/mxser.c linux-2.4.30-hf32.3/drivers/char/mxser.c
1264 --- linux-2.4.30/drivers/char/mxser.c 2005-01-27 18:57:32.000000000 +0100
1265 +++ linux-2.4.30-hf32.3/drivers/char/mxser.c 2006-03-18 00:34:06.000000000 +0100
1266 @@ -911,10 +911,15 @@
1267 const unsigned char *buf, int count)
1270 - struct mxser_struct *info = (struct mxser_struct *) tty->driver_data;
1271 + struct mxser_struct *info;
1272 unsigned long flags;
1274 - if (!tty || !info->xmit_buf || !mxvar_tmp_buf)
1278 + info = (struct mxser_struct *) tty->driver_data;
1280 + if (!info->xmit_buf || !mxvar_tmp_buf)
1284 @@ -979,10 +984,15 @@
1286 static void mxser_put_char(struct tty_struct *tty, unsigned char ch)
1288 - struct mxser_struct *info = (struct mxser_struct *) tty->driver_data;
1289 + struct mxser_struct *info;
1290 unsigned long flags;
1292 - if (!tty || !info->xmit_buf)
1296 + info = (struct mxser_struct *) tty->driver_data;
1298 + if (!info->xmit_buf)
1302 diff -urN linux-2.4.30/drivers/char/random.c linux-2.4.30-hf32.3/drivers/char/random.c
1303 --- linux-2.4.30/drivers/char/random.c 2005-01-27 18:57:32.000000000 +0100
1304 +++ linux-2.4.30-hf32.3/drivers/char/random.c 2006-03-18 00:34:06.000000000 +0100
1305 @@ -1771,7 +1771,7 @@
1306 static int proc_do_poolsize(ctl_table *table, int write, struct file *filp,
1307 void *buffer, size_t *lenp)
1312 sysctl_poolsize = random_state->poolinfo.POOLBYTES;
1314 @@ -1787,7 +1787,7 @@
1315 void *oldval, size_t *oldlenp,
1316 void *newval, size_t newlen, void **context)
1321 sysctl_poolsize = random_state->poolinfo.POOLBYTES;
1323 diff -urN linux-2.4.30/drivers/char/riscom8.c linux-2.4.30-hf32.3/drivers/char/riscom8.c
1324 --- linux-2.4.30/drivers/char/riscom8.c 2005-01-27 18:57:32.000000000 +0100
1325 +++ linux-2.4.30-hf32.3/drivers/char/riscom8.c 2006-03-18 00:34:06.000000000 +0100
1326 @@ -1220,17 +1220,22 @@
1327 static int rc_write(struct tty_struct * tty, int from_user,
1328 const unsigned char *buf, int count)
1330 - struct riscom_port *port = (struct riscom_port *)tty->driver_data;
1331 + struct riscom_port *port;
1332 struct riscom_board *bp;
1334 unsigned long flags;
1339 + port = (struct riscom_port *)tty->driver_data;
1341 if (rc_paranoia_check(port, tty->device, "rc_write"))
1344 bp = port_Board(port);
1346 - if (!tty || !port->xmit_buf || !tmp_buf)
1347 + if (!port->xmit_buf || !tmp_buf)
1351 @@ -1298,13 +1303,18 @@
1353 static void rc_put_char(struct tty_struct * tty, unsigned char ch)
1355 - struct riscom_port *port = (struct riscom_port *)tty->driver_data;
1356 + struct riscom_port *port;
1357 unsigned long flags;
1362 + port = (struct riscom_port *)tty->driver_data;
1364 if (rc_paranoia_check(port, tty->device, "rc_put_char"))
1367 - if (!tty || !port->xmit_buf)
1368 + if (!port->xmit_buf)
1371 save_flags(flags); cli();
1372 diff -urN linux-2.4.30/drivers/char/serial.c linux-2.4.30-hf32.3/drivers/char/serial.c
1373 --- linux-2.4.30/drivers/char/serial.c 2005-01-27 18:57:32.000000000 +0100
1374 +++ linux-2.4.30-hf32.3/drivers/char/serial.c 2006-03-18 00:34:06.000000000 +0100
1375 @@ -1827,13 +1827,18 @@
1377 static void rs_put_char(struct tty_struct *tty, unsigned char ch)
1379 - struct async_struct *info = (struct async_struct *)tty->driver_data;
1380 + struct async_struct *info;
1381 unsigned long flags;
1386 + info = (struct async_struct *)tty->driver_data;
1388 if (serial_paranoia_check(info, tty->device, "rs_put_char"))
1391 - if (!tty || !info->xmit.buf)
1392 + if (!info->xmit.buf)
1395 save_flags(flags); cli();
1396 @@ -1873,13 +1878,18 @@
1397 const unsigned char *buf, int count)
1400 - struct async_struct *info = (struct async_struct *)tty->driver_data;
1401 + struct async_struct *info;
1402 unsigned long flags;
1407 + info = (struct async_struct *)tty->driver_data;
1409 if (serial_paranoia_check(info, tty->device, "rs_write"))
1412 - if (!tty || !info->xmit.buf || !tmp_buf)
1413 + if (!info->xmit.buf || !tmp_buf)
1417 diff -urN linux-2.4.30/drivers/char/specialix.c linux-2.4.30-hf32.3/drivers/char/specialix.c
1418 --- linux-2.4.30/drivers/char/specialix.c 2005-01-27 18:57:32.000000000 +0100
1419 +++ linux-2.4.30-hf32.3/drivers/char/specialix.c 2006-03-18 00:34:06.000000000 +0100
1420 @@ -1600,17 +1600,22 @@
1421 static int sx_write(struct tty_struct * tty, int from_user,
1422 const unsigned char *buf, int count)
1424 - struct specialix_port *port = (struct specialix_port *)tty->driver_data;
1425 + struct specialix_port *port;
1426 struct specialix_board *bp;
1428 unsigned long flags;
1433 + port = (struct specialix_port *)tty->driver_data;
1435 if (sx_paranoia_check(port, tty->device, "sx_write"))
1438 bp = port_Board(port);
1440 - if (!tty || !port->xmit_buf || !tmp_buf)
1441 + if (!port->xmit_buf || !tmp_buf)
1445 @@ -1676,13 +1681,18 @@
1447 static void sx_put_char(struct tty_struct * tty, unsigned char ch)
1449 - struct specialix_port *port = (struct specialix_port *)tty->driver_data;
1450 + struct specialix_port *port;
1451 unsigned long flags;
1456 + port = (struct specialix_port *)tty->driver_data;
1458 if (sx_paranoia_check(port, tty->device, "sx_put_char"))
1461 - if (!tty || !port->xmit_buf)
1462 + if (!port->xmit_buf)
1465 save_flags(flags); cli();
1466 diff -urN linux-2.4.30/drivers/char/vt.c linux-2.4.30-hf32.3/drivers/char/vt.c
1467 --- linux-2.4.30/drivers/char/vt.c 2005-01-27 18:57:32.000000000 +0100
1468 +++ linux-2.4.30-hf32.3/drivers/char/vt.c 2006-03-18 00:34:06.000000000 +0100
1470 if (i >= NR_KEYS || s >= MAX_NR_KEYMAPS)
1473 + if (!capable(CAP_SYS_TTY_CONFIG))
1478 key_map = key_maps[s];
1480 char *first_free, *fj, *fnw;
1483 + if (!capable(CAP_SYS_TTY_CONFIG))
1486 /* we mostly copy too much here (512bytes), but who cares ;) */
1487 if (copy_from_user(&tmp, user_kdgkb, sizeof(struct kbsentry)))
1489 diff -urN linux-2.4.30/drivers/ide/ide-io.c linux-2.4.30-hf32.3/drivers/ide/ide-io.c
1490 --- linux-2.4.30/drivers/ide/ide-io.c 2003-11-28 19:26:20.000000000 +0100
1491 +++ linux-2.4.30-hf32.3/drivers/ide/ide-io.c 2006-03-18 00:34:06.000000000 +0100
1492 @@ -899,11 +899,13 @@
1493 rq = HWGROUP(drive)->rq;
1494 HWGROUP(drive)->rq = NULL;
1497 - rq->sector = rq->bh->b_rsector;
1498 - rq->current_nr_sectors = rq->bh->b_size >> 9;
1499 - rq->hard_cur_sectors = rq->current_nr_sectors;
1500 - rq->buffer = rq->bh->b_data;
1503 + rq->sector = rq->bh->b_rsector;
1504 + rq->current_nr_sectors = rq->bh->b_size >> 9;
1505 + rq->hard_cur_sectors = rq->current_nr_sectors;
1506 + rq->buffer = rq->bh->b_data;
1511 diff -urN linux-2.4.30/drivers/net/bonding/bond_alb.c linux-2.4.30-hf32.3/drivers/net/bonding/bond_alb.c
1512 --- linux-2.4.30/drivers/net/bonding/bond_alb.c 2004-04-14 15:05:30.000000000 +0200
1513 +++ linux-2.4.30-hf32.3/drivers/net/bonding/bond_alb.c 2006-03-18 00:34:06.000000000 +0100
1516 * 2004/01/14 - Shmulik Hen <shmulik.hen at intel dot com>
1517 * - Add capability to tag self generated packets in ALB/TLB modes.
1519 + * 2005/12/02 - Michael O'Donnell <Michael.ODonnell at stratus dot com>
1520 + * - Stratus88746: tlb_clear_slave() must tlb_init_slave() while locked.
1523 //#define BONDING_DEBUG 1
1528 - _unlock_tx_hashtbl(bond);
1529 + tlb_init_slave(slave); /* Stratus88746: do this before unlocking */
1531 - tlb_init_slave(slave);
1532 + _unlock_tx_hashtbl(bond);
1535 /* Must be called before starting the monitor timer */
1536 diff -urN linux-2.4.30/drivers/net/bonding/bond_main.c linux-2.4.30-hf32.3/drivers/net/bonding/bond_main.c
1537 --- linux-2.4.30/drivers/net/bonding/bond_main.c 2004-11-17 12:54:21.000000000 +0100
1538 +++ linux-2.4.30-hf32.3/drivers/net/bonding/bond_main.c 2006-03-18 00:34:06.000000000 +0100
1539 @@ -469,6 +469,13 @@
1540 * * Add support for VLAN hardware acceleration capable slaves.
1541 * * Add capability to tag self generated packets in ALB/TLB modes.
1542 * Set version to 2.6.0.
1543 + * 2004/10/29 - Mitch Williams <mitch.a.williams at intel dot com>
1544 + * - Fixed bug when unloading module while using 802.3ad. If
1545 + * spinlock debugging is turned on, this causes a stack dump.
1546 + * Solution is to move call to dev_remove_pack outside of the
1548 + * Set version to 2.6.1.
1552 //#define BONDING_DEBUG 1
1553 @@ -3565,15 +3572,15 @@
1555 struct bonding *bond = bond_dev->priv;
1557 - write_lock_bh(&bond->lock);
1559 - bond_mc_list_destroy(bond);
1561 if (bond->params.mode == BOND_MODE_8023AD) {
1562 /* Unregister the receive of LACPDUs */
1563 bond_unregister_lacpdu(bond);
1566 + write_lock_bh(&bond->lock);
1568 + bond_mc_list_destroy(bond);
1570 /* signal timers not to re-arm */
1571 bond->kill_timers = 1;
1573 diff -urN linux-2.4.30/drivers/net/e1000/e1000_hw.c linux-2.4.30-hf32.3/drivers/net/e1000/e1000_hw.c
1574 --- linux-2.4.30/drivers/net/e1000/e1000_hw.c 2005-04-14 09:43:33.000000000 +0200
1575 +++ linux-2.4.30-hf32.3/drivers/net/e1000/e1000_hw.c 2006-03-18 00:34:06.000000000 +0100
1576 @@ -5049,7 +5049,7 @@
1581 + msec_delay_irq(20);
1583 ret_val = e1000_write_phy_reg(hw, 0x0000,
1584 IGP01E1000_IEEE_FORCE_GIGA);
1585 @@ -5073,7 +5073,7 @@
1590 + msec_delay_irq(20);
1592 /* Now enable the transmitter */
1593 ret_val = e1000_write_phy_reg(hw, 0x2F5B, phy_saved_data);
1594 @@ -5098,7 +5098,7 @@
1599 + msec_delay_irq(20);
1601 ret_val = e1000_write_phy_reg(hw, 0x0000,
1602 IGP01E1000_IEEE_FORCE_GIGA);
1603 @@ -5114,7 +5114,7 @@
1608 + msec_delay_irq(20);
1610 /* Now enable the transmitter */
1611 ret_val = e1000_write_phy_reg(hw, 0x2F5B, phy_saved_data);
1612 diff -urN linux-2.4.30/drivers/net/wan/sdla.c linux-2.4.30-hf32.3/drivers/net/wan/sdla.c
1613 --- linux-2.4.30/drivers/net/wan/sdla.c 2005-01-27 18:57:32.000000000 +0100
1614 +++ linux-2.4.30-hf32.3/drivers/net/wan/sdla.c 2006-03-18 00:34:06.000000000 +0100
1615 @@ -1201,6 +1201,7 @@
1616 temp = kmalloc(mem.len, GFP_KERNEL);
1619 + memset(temp, 0, mem.len);
1620 sdla_read(dev, mem.addr, temp, mem.len);
1621 if(copy_to_user(mem.data, temp, mem.len))
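Review bot: The new `memset(temp, 0, mem.len);` has no comment saying why a buffer that `sdla_read` is about to fill needs clearing, so it looks redundant and is easy to delete later. A line such as `/* clear first: bytes sdla_read() leaves unwritten would otherwise reach userspace through copy_to_user() */` records the intent. Separately, `mem.len` sizes the `kmalloc`, the clear and the copy; where it comes from and whether it has an upper bound are outside the hunk, so that is worth confirming.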
1623 diff -urN linux-2.4.30/drivers/net/wireless/airo.c linux-2.4.30-hf32.3/drivers/net/wireless/airo.c
1624 --- linux-2.4.30/drivers/net/wireless/airo.c 2004-08-08 01:26:05.000000000 +0200
1625 +++ linux-2.4.30-hf32.3/drivers/net/wireless/airo.c 2006-03-18 00:34:06.000000000 +0100
1627 #include <linux/pci.h>
1628 #include <asm/uaccess.h>
1633 static struct pci_device_id card_ids[] = {
1634 { 0x14b9, 1, PCI_ANY_ID, PCI_ANY_ID, },
1635 diff -urN linux-2.4.30/drivers/net/wireless/airo.h linux-2.4.30-hf32.3/drivers/net/wireless/airo.h
1636 --- linux-2.4.30/drivers/net/wireless/airo.h 1970-01-01 01:00:00.000000000 +0100
1637 +++ linux-2.4.30-hf32.3/drivers/net/wireless/airo.h 2006-03-18 00:34:06.000000000 +0100
1642 +struct net_device *init_airo_card(unsigned short irq, int port, int is_pcmcia);
1643 +void stop_airo_card(struct net_device *dev, int freeres);
1644 +int reset_airo_card(struct net_device *dev);
1646 +#endif /* _AIRO_H_ */
1647 diff -urN linux-2.4.30/drivers/net/wireless/airo_cs.c linux-2.4.30-hf32.3/drivers/net/wireless/airo_cs.c
1648 --- linux-2.4.30/drivers/net/wireless/airo_cs.c 2002-11-29 00:53:14.000000000 +0100
1649 +++ linux-2.4.30-hf32.3/drivers/net/wireless/airo_cs.c 2006-03-18 00:34:06.000000000 +0100
1651 #include <pcmcia/cisreg.h>
1652 #include <pcmcia/ds.h>
1657 All the PCMCIA modules use PCMCIA_DEBUG to control debugging. If
1658 you do not define PCMCIA_DEBUG at all, all the debug code will be
1663 -struct net_device *init_airo_card( int, int, int );
1664 -void stop_airo_card( struct net_device *, int );
1665 -int reset_airo_card( struct net_device * );
1667 static void airo_config(dev_link_t *link);
1668 static void airo_release(u_long arg);
1669 static int airo_event(event_t event, int priority,
1670 diff -urN linux-2.4.30/drivers/net/wireless/hermes.c linux-2.4.30-hf32.3/drivers/net/wireless/hermes.c
1671 --- linux-2.4.30/drivers/net/wireless/hermes.c 2003-08-25 13:44:42.000000000 +0200
1672 +++ linux-2.4.30-hf32.3/drivers/net/wireless/hermes.c 2006-03-18 00:34:06.000000000 +0100
1673 @@ -448,6 +448,43 @@
1677 +/* Write a block of data to the chip's buffer with padding if
1678 + * neccessary, via the BAP. Synchronization/serialization is the
1679 + * caller's problem. len must be even.
1681 + * Returns: < 0 on internal failure (errno), 0 on success, > 0 on error from firmware
1683 +int hermes_bap_pwrite_pad(hermes_t *hw, int bap, const void *buf, unsigned data_len, unsigned len,
1684 + u16 id, u16 offset)
1686 + int dreg = bap ? HERMES_DATA1 : HERMES_DATA0;
1689 + if (len < 0 || len % 2 || data_len > len)
1692 + err = hermes_bap_seek(hw, bap, id, offset);
1696 + /* Transfer all the complete words of data */
1697 + hermes_write_words(hw, dreg, buf, data_len/2);
1698 + /* If there is an odd byte left over pad and transfer it */
1699 + if (data_len & 1) {
1702 + end[0] = ((unsigned char *)buf)[data_len - 1];
1703 + hermes_write_words(hw, dreg, end, 1);
1706 + /* Now send zeros for the padding */
1707 + if (data_len < len)
1708 + hermes_clear_words(hw, dreg, (len - data_len) / 2);
1714 /* Read a Length-Type-Value record from the card.
1716 * If length is NULL, we ignore the length read from the card, and
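Review bot: `len` is declared `unsigned`, so the `len < 0` term in `if (len < 0 || len % 2 || data_len > len)` can never be true and only suggests a check that is not being made; `if (len % 2 || data_len > len)` is equivalent. The odd-byte path also drops the `const` qualifier from `buf` just to read one byte; `((const unsigned char *)buf)[data_len - 1]` keeps it. The header comment says `len` must be even but not that `data_len` may be odd or that everything from `data_len` up to `len` is sent as zeros, which is the contract callers depend on.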
1719 EXPORT_SYMBOL(hermes_bap_pread);
1720 EXPORT_SYMBOL(hermes_bap_pwrite);
1721 +EXPORT_SYMBOL(hermes_bap_pwrite_pad);
1722 EXPORT_SYMBOL(hermes_read_ltv);
1723 EXPORT_SYMBOL(hermes_write_ltv);
1725 diff -urN linux-2.4.30/drivers/net/wireless/hermes.h linux-2.4.30-hf32.3/drivers/net/wireless/hermes.h
1726 --- linux-2.4.30/drivers/net/wireless/hermes.h 2006-01-29 08:47:28.000000000 +0100
1727 +++ linux-2.4.30-hf32.3/drivers/net/wireless/hermes.h 2006-03-18 00:34:06.000000000 +0100
1729 u16 id, u16 offset);
1730 int hermes_bap_pwrite(hermes_t *hw, int bap, const void *buf, unsigned len,
1731 u16 id, u16 offset);
1732 +int hermes_bap_pwrite_pad(hermes_t *hw, int bap, const void *buf,
1733 + unsigned data_len, unsigned len, u16 id, u16 offset);
1734 int hermes_read_ltv(hermes_t *hw, int bap, u16 rid, unsigned buflen,
1735 u16 *length, void *buf);
1736 int hermes_write_ltv(hermes_t *hw, int bap, u16 rid,
1737 diff -urN linux-2.4.30/drivers/net/wireless/orinoco.c linux-2.4.30-hf32.3/drivers/net/wireless/orinoco.c
1738 --- linux-2.4.30/drivers/net/wireless/orinoco.c 2003-08-25 13:44:42.000000000 +0200
1739 +++ linux-2.4.30-hf32.3/drivers/net/wireless/orinoco.c 2006-03-18 00:34:06.000000000 +0100
1740 @@ -2312,6 +2312,8 @@
1744 +#define ALIGN(x,a) (((x)+(a)-1)&~((a)-1))
1747 orinoco_xmit(struct sk_buff *skb, struct net_device *dev)
1749 @@ -2407,14 +2409,22 @@
1753 + /* Actual xfer length - allow for padding */
1754 + len = ALIGN(data_len, 2);
1755 + if (len < ETH_ZLEN - ETH_HLEN)
1756 + len = ETH_ZLEN - ETH_HLEN;
1757 } else { /* IEEE 802.3 frame */
1758 data_len = len + ETH_HLEN;
1759 data_off = HERMES_802_3_OFFSET;
1761 + /* Actual xfer length - round up for odd length packets */
1762 + len = ALIGN(data_len, 2);
1763 + if (len < ETH_ZLEN)
1767 - /* Round up for odd length packets */
1768 - err = hermes_bap_pwrite(hw, USER_BAP, p, RUP_EVEN(data_len), txfid, data_off);
1769 + err = hermes_bap_pwrite_pad(hw, USER_BAP, p, data_len, len,
1772 printk(KERN_ERR "%s: Error %d writing packet to BAP\n",
1774 diff -urN linux-2.4.30/drivers/scsi/sd.c linux-2.4.30-hf32.3/drivers/scsi/sd.c
1775 --- linux-2.4.30/drivers/scsi/sd.c 2005-04-14 09:43:34.000000000 +0200
1776 +++ linux-2.4.30-hf32.3/drivers/scsi/sd.c 2006-03-18 00:34:06.000000000 +0100
1777 @@ -1472,6 +1472,7 @@
1779 kfree(sd_blocksizes);
1780 kfree(sd_hardsizes);
1781 + kfree(sd_max_sectors);
1782 for (i = 0; i < N_USED_SD_MAJORS; i++) {
1783 kfree(sd_gendisks[i].de_arr);
1784 kfree(sd_gendisks[i].flags);
1785 @@ -1482,6 +1483,7 @@
1786 del_gendisk(&sd_gendisks[i]);
1787 blksize_size[SD_MAJOR(i)] = NULL;
1788 hardsect_size[SD_MAJOR(i)] = NULL;
1789 + max_sectors[SD_MAJOR(i)] = NULL;
1790 read_ahead[SD_MAJOR(i)] = 0;
1792 sd_template.dev_max = 0;
1793 diff -urN linux-2.4.30/drivers/usb/serial/io_edgeport.c linux-2.4.30-hf32.3/drivers/usb/serial/io_edgeport.c
1794 --- linux-2.4.30/drivers/usb/serial/io_edgeport.c 2005-01-27 18:57:33.000000000 +0100
1795 +++ linux-2.4.30-hf32.3/drivers/usb/serial/io_edgeport.c 2006-03-18 00:34:06.000000000 +0100
1796 @@ -2803,9 +2803,13 @@
1797 static void unicode_to_ascii (char *string, short *unicode, int unicode_size)
1800 - for (i = 0; i < unicode_size; ++i) {
1802 + if (unicode_size <= 0)
1805 + for (i = 0; i < unicode_size; ++i)
1806 string[i] = (char)(le16_to_cpu(unicode[i]));
1809 string[unicode_size] = 0x00;
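Review bot: The new guard rejects a non-positive `unicode_size` but nothing bounds it from above: the loop stores `unicode_size` bytes and `string[unicode_size] = 0x00;` stores one more, while the capacity of `string` is not a parameter. The callers are outside the hunk; if the size is derived from a length field reported by the device, a large value overruns the destination. I would add a destination-size parameter (say `buflen`) and clamp with `if (unicode_size >= buflen) unicode_size = buflen - 1;`. If the early exit is a plain return (that line is not visible), it also leaves `string` unterminated, which deserves a comment or a `string[0] = 0x00;`.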
1812 diff -urN linux-2.4.30/fs/binfmt_elf.c linux-2.4.30-hf32.3/fs/binfmt_elf.c
1813 --- linux-2.4.30/fs/binfmt_elf.c 2005-04-14 09:43:34.000000000 +0200
1814 +++ linux-2.4.30-hf32.3/fs/binfmt_elf.c 2006-03-18 00:34:06.000000000 +0100
1818 __put_user((elf_addr_t)argc,--sp);
1819 - current->mm->arg_start = (unsigned long) p;
1820 + current->mm->arg_end = current->mm->arg_start = (unsigned long) p;
1822 __put_user((elf_caddr_t)(unsigned long)p,argv++);
1823 len = strnlen_user(p, PAGE_SIZE*MAX_ARG_PAGES);
1824 @@ -643,6 +643,11 @@
1825 SET_PERSONALITY(elf_ex, ibcs2_interpreter);
1828 + if (BAD_ADDR(elf_ex.e_entry)) {
1829 + retval = -ENOEXEC;
1830 + goto out_free_dentry;
1833 /* OK, we are done with that, now set up the arg stuff,
1834 and then start this sucker up */
1837 printk(KERN_ERR "Unable to load interpreter %.128s\n",
1839 force_sig(SIGSEGV, current);
1840 - retval = -ENOEXEC; /* Nobody gets to see this, but.. */
1841 + retval = IS_ERR((void *)elf_entry) ? PTR_ERR((void *)elf_entry) : -ENOEXEC;
1842 goto out_free_dentry;
1844 reloc_func_desc = interp_load_addr;
1845 @@ -1159,7 +1164,7 @@
1846 /* first copy the parameters from user space */
1847 memset(&psinfo, 0, sizeof(psinfo));
1850 + unsigned int i, len;
1852 len = current->mm->arg_end - current->mm->arg_start;
1853 if (len >= ELF_PRARGSZ)
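Review bot: The change to `unsigned int i, len;` carries no comment, and the reason is easy to miss: `len = current->mm->arg_end - current->mm->arg_start;` must not come out negative, or `if (len >= ELF_PRARGSZ)` would fail to clamp it. I would add `/* unsigned: arg_end < arg_start must wrap high so the clamp below catches it */` so nobody changes the type back. The `current->mm->arg_end = current->mm->arg_start = (unsigned long) p;` assignment earlier in this file's diff guards the same invariant from the other side and would benefit from a matching remark. The function continues outside the hunk.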
1854 diff -urN linux-2.4.30/fs/buffer.c linux-2.4.30-hf32.3/fs/buffer.c
1855 --- linux-2.4.30/fs/buffer.c 2004-11-17 12:54:21.000000000 +0100
1856 +++ linux-2.4.30-hf32.3/fs/buffer.c 2006-03-18 00:34:06.000000000 +0100
1858 (*bhp)->b_prev_free->b_next_free = bh;
1859 (*bhp)->b_prev_free = bh;
1860 nr_buffers_type[blist]++;
1861 - size_buffers_type[blist] += bh->b_size;
1862 + size_buffers_type[blist] += bh->b_size >> 9;
1865 static void __remove_from_lru_list(struct buffer_head * bh)
1867 bh->b_next_free = NULL;
1868 bh->b_prev_free = NULL;
1869 nr_buffers_type[blist]--;
1870 - size_buffers_type[blist] -= bh->b_size;
1871 + size_buffers_type[blist] -= bh->b_size >> 9;
1875 @@ -1033,7 +1033,7 @@
1877 unsigned long dirty, tot, hard_dirty_limit, soft_dirty_limit;
1879 - dirty = size_buffers_type[BUF_DIRTY] >> PAGE_SHIFT;
1880 + dirty = size_buffers_type[BUF_DIRTY] >> (PAGE_SHIFT - 9);
1881 tot = nr_free_buffer_pages();
1884 @@ -1054,7 +1054,7 @@
1886 unsigned long dirty, tot, dirty_limit;
1888 - dirty = size_buffers_type[BUF_DIRTY] >> PAGE_SHIFT;
1889 + dirty = size_buffers_type[BUF_DIRTY] >> (PAGE_SHIFT - 9);
1890 tot = nr_free_buffer_pages();
1893 @@ -2839,7 +2839,7 @@
1895 printk("%9s: %d buffers, %lu kbyte, %d used (last=%d), "
1896 "%d locked, %d dirty, %d delay\n",
1897 - buf_types[nlist], found, size_buffers_type[nlist]>>10,
1898 + buf_types[nlist], found, size_buffers_type[nlist]>>(10-9),
1899 used, lastused, locked, dirty, delalloc);
1901 spin_unlock(&lru_list_lock);
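Review bot: `size_buffers_type[nlist]>>(10-9)` only makes sense once the reader knows the counters now hold 512-byte sectors instead of bytes, and the bare `9` is repeated in five places across this file's hunks (`bh->b_size >> 9` twice, `PAGE_SHIFT - 9` twice, `10-9` here). A named shift constant plus a unit comment at the declaration of `size_buffers_type` (outside these hunks), for example `/* size_buffers_type[] counts 512-byte sectors, not bytes */`, would make a later mix-up of units much less likely.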
1902 diff -urN linux-2.4.30/fs/dcache.c linux-2.4.30-hf32.3/fs/dcache.c
1903 --- linux-2.4.30/fs/dcache.c 2004-11-17 12:54:21.000000000 +0100
1904 +++ linux-2.4.30-hf32.3/fs/dcache.c 2006-03-18 00:34:06.000000000 +0100
1906 static inline struct dentry * __dget_locked(struct dentry *dentry)
1908 atomic_inc(&dentry->d_count);
1909 - if (atomic_read(&dentry->d_count) == 1) {
1910 + if (!list_empty(&dentry->d_lru)) {
1911 dentry_stat.nr_unused--;
1912 list_del_init(&dentry->d_lru);
1914 diff -urN linux-2.4.30/fs/inode.c linux-2.4.30-hf32.3/fs/inode.c
1915 --- linux-2.4.30/fs/inode.c 2004-04-14 15:05:40.000000000 +0200
1916 +++ linux-2.4.30-hf32.3/fs/inode.c 2006-03-18 00:34:06.000000000 +0100
1919 struct list_head *to;
1921 - if (inode->i_state & I_FREEING)
1922 + if (inode->i_state & (I_FREEING|I_CLEAR))
1924 if (list_empty(&inode->i_hash))
1927 cdput(inode->i_cdev);
1928 inode->i_cdev = NULL;
1930 + spin_lock(&inode_lock);
1931 inode->i_state = I_CLEAR;
1932 + spin_unlock(&inode_lock);
1940 - if (inodes_stat.nr_unused * sizeof(struct inode) * 10 <
1941 - freeable_lowmem() * PAGE_SIZE)
1942 + if (inodes_stat.nr_unused <
1943 + (freeable_lowmem() * PAGE_SIZE) / (sizeof(struct inode) * 10))
1947 diff -urN linux-2.4.30/fs/isofs/compress.c linux-2.4.30-hf32.3/fs/isofs/compress.c
1948 --- linux-2.4.30/fs/isofs/compress.c 2002-11-29 00:53:15.000000000 +0100
1949 +++ linux-2.4.30-hf32.3/fs/isofs/compress.c 2006-03-18 00:34:06.000000000 +0100
1950 @@ -147,8 +147,14 @@
1951 cend = le32_to_cpu(*(u32 *)(bh->b_data + (blockendptr & bufmask)));
1954 + if (cstart > cend)
1957 csize = cend-cstart;
1959 + if (csize > deflateBound(1UL << zisofs_block_shift))
1962 /* Now page[] contains an array of pages, any of which can be NULL,
1963 and the locks on which we hold. We should now read the data and
1964 release the pages. If the pages are NULL the decompressed data
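Review bot: The two added tests, `if (cstart > cend)` and `if (csize > deflateBound(1UL << zisofs_block_shift))`, have no comment, although `cend` is visibly read from the on-disk block pointer table via `le32_to_cpu(*(u32 *)(bh->b_data + ...))` and so cannot be trusted. I would add `/* block pointers come from the image: reject a reversed or oversized range before it sizes the read */` above the first test. The statements taken when a test fails are not visible in this hunk, so I cannot confirm that both paths release the pages the following comment says are locked.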
1965 diff -urN linux-2.4.30/fs/isofs/inode.c linux-2.4.30-hf32.3/fs/isofs/inode.c
1966 --- linux-2.4.30/fs/isofs/inode.c 2005-04-14 09:43:34.000000000 +0200
1967 +++ linux-2.4.30-hf32.3/fs/isofs/inode.c 2006-03-18 00:34:06.000000000 +0100
1968 @@ -335,16 +335,16 @@
1969 else if (!strcmp(value,"acorn")) popt->map = 'a';
1972 - if (!strcmp(this_char,"session") && value) {
1973 + else if (!strcmp(this_char,"session") && value) {
1974 char * vpnt = value;
1975 unsigned int ivalue = simple_strtoul(vpnt, &vpnt, 0);
1976 - if(ivalue < 0 || ivalue >99) return 0;
1977 + if (ivalue > 99) return 0;
1978 popt->session=ivalue+1;
1980 - if (!strcmp(this_char,"sbsector") && value) {
1981 + else if (!strcmp(this_char,"sbsector") && value) {
1982 char * vpnt = value;
1983 unsigned int ivalue = simple_strtoul(vpnt, &vpnt, 0);
1984 - if(ivalue < 0 || ivalue >660*512) return 0;
1985 + if (ivalue > 660*512) return 0;
1986 popt->sbsector=ivalue;
1988 else if (!strcmp(this_char,"check") && value) {
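Review bot: `simple_strtoul` returns `unsigned long`, but both option values are stored in `unsigned int ivalue` before the range test, so on a 64-bit build a value above `UINT_MAX` is truncated first and can pass `if (ivalue > 99)` or `if (ivalue > 660*512)`. The end pointer `vpnt` is also never examined, so trailing garbage after the digits is accepted. I would declare `unsigned long ivalue = simple_strtoul(vpnt, &vpnt, 0);` and test `if (*vpnt || ivalue > 99) return 0;` (likewise for `sbsector`), assuming `value` is a NUL-terminated token as the `strcmp` calls above suggest.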
1989 diff -urN linux-2.4.30/fs/jfs/super.c linux-2.4.30-hf32.3/fs/jfs/super.c
1990 --- linux-2.4.30/fs/jfs/super.c 2005-04-14 09:43:34.000000000 +0200
1991 +++ linux-2.4.30-hf32.3/fs/jfs/super.c 2006-03-18 00:34:06.000000000 +0100
1993 jfs_err("jfs_umount failed with return code %d", rc);
1997 + if (sbi->nls_tab && sbi->nls_tab != (void *) -1)
1998 unload_nls(sbi->nls_tab);
2001 diff -urN linux-2.4.30/fs/locks.c linux-2.4.30-hf32.3/fs/locks.c
2002 --- linux-2.4.30/fs/locks.c 2004-04-14 15:05:40.000000000 +0200
2003 +++ linux-2.4.30-hf32.3/fs/locks.c 2006-03-18 00:34:06.000000000 +0100
2004 @@ -1087,7 +1087,6 @@
2005 before = &fl->fl_next;
2008 - printk(KERN_INFO "lease broken - owner pid = %d\n", fl->fl_pid);
2009 lease_modify(before, fl->fl_type & ~F_INPROGRESS);
2010 if (fl == *before) /* lease_modify may have freed fl */
2011 before = &fl->fl_next;
2012 diff -urN linux-2.4.30/fs/nfs/nfs2xdr.c linux-2.4.30-hf32.3/fs/nfs/nfs2xdr.c
2013 --- linux-2.4.30/fs/nfs/nfs2xdr.c 2002-11-29 00:53:15.000000000 +0100
2014 +++ linux-2.4.30-hf32.3/fs/nfs/nfs2xdr.c 2006-03-18 00:34:06.000000000 +0100
2015 @@ -571,8 +571,11 @@
2016 strlen = (u32*)kmap(rcvbuf->pages[0]);
2017 /* Convert length of symlink */
2018 len = ntohl(*strlen);
2019 - if (len > rcvbuf->page_len)
2020 - len = rcvbuf->page_len;
2021 + if (len >= rcvbuf->page_len - sizeof(u32) || len > NFS2_MAXPATHLEN) {
2022 + dprintk("NFS: server returned giant symlink!\n");
2023 + kunmap(rcvbuf->pages[0]);
2024 + return -ENAMETOOLONG;
2027 /* NULL terminate the string we got */
2028 string = (char *)(strlen + 1);
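Review bot: In `len >= rcvbuf->page_len - sizeof(u32)` the `sizeof` makes the subtraction unsigned, so a `page_len` smaller than four wraps to a huge value and the test then accepts any `len`; `*strlen` is also read from the mapped page before anything confirms that four bytes were received. I would put `rcvbuf->page_len < sizeof(u32) ||` in front of the existing condition. The nfs3xdr.c hunk below has the same test and, unlike this one, no maximum path length bound (`len > NFS2_MAXPATHLEN` here), so there the wrapped comparison is the only limit. Whether the caller already guarantees a minimum `page_len` is not visible from these hunks.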
2029 diff -urN linux-2.4.30/fs/nfs/nfs3xdr.c linux-2.4.30-hf32.3/fs/nfs/nfs3xdr.c
2030 --- linux-2.4.30/fs/nfs/nfs3xdr.c 2003-11-28 19:26:21.000000000 +0100
2031 +++ linux-2.4.30-hf32.3/fs/nfs/nfs3xdr.c 2006-03-18 00:34:06.000000000 +0100
2032 @@ -759,8 +759,11 @@
2033 strlen = (u32*)kmap(rcvbuf->pages[0]);
2034 /* Convert length of symlink */
2035 len = ntohl(*strlen);
2036 - if (len > rcvbuf->page_len)
2037 - len = rcvbuf->page_len;
2038 + if (len >= rcvbuf->page_len - sizeof(u32)) {
2039 + dprintk("NFS: server returned giant symlink!\n");
2040 + kunmap(rcvbuf->pages[0]);
2041 + return -ENAMETOOLONG;
2044 /* NULL terminate the string we got */
2045 string = (char *)(strlen + 1);
2046 diff -urN linux-2.4.30/fs/proc/base.c linux-2.4.30-hf32.3/fs/proc/base.c
2047 --- linux-2.4.30/fs/proc/base.c 2005-01-27 18:57:33.000000000 +0100
2048 +++ linux-2.4.30-hf32.3/fs/proc/base.c 2006-03-18 00:34:06.000000000 +0100
2049 @@ -185,8 +185,12 @@
2054 - atomic_inc(&mm->mm_users);
2057 + atomic_inc(&mm->mm_users);
2062 if (mm && mm->arg_start && mm->arg_start < mm->arg_end) {
2063 unsigned long len = mm->arg_end - mm->arg_start;
2064 diff -urN linux-2.4.30/fs/smbfs/proc.c linux-2.4.30-hf32.3/fs/smbfs/proc.c
2065 --- linux-2.4.30/fs/smbfs/proc.c 2004-11-17 12:54:21.000000000 +0100
2066 +++ linux-2.4.30-hf32.3/fs/smbfs/proc.c 2006-03-18 00:34:06.000000000 +0100
2067 @@ -2945,7 +2945,7 @@
2068 LSET(data, 32, SMB_TIME_NO_CHANGE);
2069 LSET(data, 40, SMB_UID_NO_CHANGE);
2070 LSET(data, 48, SMB_GID_NO_CHANGE);
2071 - LSET(data, 56, smb_filetype_from_mode(attr->ia_mode));
2072 + DSET(data, 56, smb_filetype_from_mode(attr->ia_mode));
2073 LSET(data, 60, major);
2074 LSET(data, 68, minor);
2076 diff -urN linux-2.4.30/fs/xfs/linux-2.4/xfs_buf.c linux-2.4.30-hf32.3/fs/xfs/linux-2.4/xfs_buf.c
2077 --- linux-2.4.30/fs/xfs/linux-2.4/xfs_buf.c 2005-01-27 18:57:33.000000000 +0100
2078 +++ linux-2.4.30-hf32.3/fs/xfs/linux-2.4/xfs_buf.c 2006-03-18 00:34:06.000000000 +0100
2079 @@ -1073,7 +1073,7 @@
2080 return(locked ? 0 : -EBUSY);
2084 +#if defined(DEBUG) || defined(XFS_BLI_TRACE)
2086 * pagebuf_lock_value
2088 diff -urN linux-2.4.30/include/asm-i386/system.h linux-2.4.30-hf32.3/include/asm-i386/system.h
2089 --- linux-2.4.30/include/asm-i386/system.h 2005-03-26 10:13:13.000000000 +0100
2090 +++ linux-2.4.30-hf32.3/include/asm-i386/system.h 2006-03-18 00:34:06.000000000 +0100
2092 #define loadsegment(seg,value) \
2095 - "movl %0,%%" #seg "\n" \
2096 + "mov %0,%%" #seg "\n" \
2098 ".section .fixup,\"ax\"\n" \
2104 - : :"m" (*(unsigned int *)&(value)))
2108 * Clear and set 'TS' bit respectively
2109 diff -urN linux-2.4.30/include/asm-x86_64/desc.h linux-2.4.30-hf32.3/include/asm-x86_64/desc.h
2110 --- linux-2.4.30/include/asm-x86_64/desc.h 2004-08-08 01:26:06.000000000 +0200
2111 +++ linux-2.4.30-hf32.3/include/asm-x86_64/desc.h 2006-03-18 00:34:06.000000000 +0100
2114 static inline void set_tss_desc(unsigned n, void *addr)
2116 - set_tssldt_descriptor((void *)&gdt_table + __CPU_DESC_INDEX(n,tss), (unsigned long)addr, DESC_TSS, sizeof(struct tss_struct));
2117 + set_tssldt_descriptor((void *)&gdt_table + __CPU_DESC_INDEX(n,tss), (unsigned long)addr, DESC_TSS, IO_BITMAP_OFFSET + IO_BITMAP_BYTES + 7);
2120 static inline void set_ldt_desc(unsigned n, void *addr, int size)
2121 diff -urN linux-2.4.30/include/asm-x86_64/processor.h linux-2.4.30-hf32.3/include/asm-x86_64/processor.h
2122 --- linux-2.4.30/include/asm-x86_64/processor.h 2004-04-14 15:05:40.000000000 +0200
2123 +++ linux-2.4.30-hf32.3/include/asm-x86_64/processor.h 2006-03-18 00:34:06.000000000 +0100
2125 * Size of io_bitmap in longwords: 32 is ports 0-0x3ff.
2127 #define IO_BITMAP_SIZE 32
2128 +#define IO_BITMAP_BYTES (IO_BITMAP_SIZE * sizeof(u32))
2129 #define IO_BITMAP_OFFSET offsetof(struct tss_struct,io_bitmap)
2130 #define INVALID_IO_BITMAP_OFFSET 0x8000
2132 @@ -325,10 +326,9 @@
2134 { &init_mm, 0, 0, NULL, PAGE_SHARED, VM_READ | VM_WRITE | VM_EXEC, 1, NULL, NULL }
2136 -#define STACKFAULT_STACK 1
2137 -#define DOUBLEFAULT_STACK 2
2138 -#define NMI_STACK 3
2139 -#define N_EXCEPTION_STACKS 3 /* hw limit: 7 */
2140 +#define DOUBLEFAULT_STACK 1
2141 +#define NMI_STACK 2
2142 +#define N_EXCEPTION_STACKS 2 /* hw limit: 7 */
2143 #define EXCEPTION_STKSZ PAGE_SIZE
2144 #define EXCEPTION_STK_ORDER 0
2146 diff -urN linux-2.4.30/include/linux/delay.h linux-2.4.30-hf32.3/include/linux/delay.h
2147 --- linux-2.4.30/include/linux/delay.h 2005-11-18 12:45:36.000000000 +0100
2148 +++ linux-2.4.30-hf32.3/include/linux/delay.h 2006-03-18 00:34:06.000000000 +0100
2150 #include <asm/delay.h>
2153 + * We define MAX_MSEC_OFFSET as the maximal value that can be accepted by
2154 + * msecs_to_jiffies() without risking a multiply overflow. This function
2155 + * returns MAX_JIFFY_OFFSET for arguments above those values.
2158 +#if HZ <= 1000 && !(1000 % HZ)
2159 +# define MAX_MSEC_OFFSET \
2160 + (ULONG_MAX - (1000 / HZ) + 1)
2161 +#elif HZ > 1000 && !(HZ % 1000)
2162 +# define MAX_MSEC_OFFSET \
2163 + (ULONG_MAX / (HZ / 1000))
2165 +# define MAX_MSEC_OFFSET \
2166 + ((ULONG_MAX - 999) / HZ)
2171 * Convert jiffies to milliseconds and back.
2173 * Avoid unnecessary multiplications/divisions in the
2176 static inline unsigned long msecs_to_jiffies(const unsigned int m)
2178 - if (m > jiffies_to_msecs(MAX_JIFFY_OFFSET))
2179 + if (MAX_MSEC_OFFSET < UINT_MAX && m > (unsigned int)MAX_MSEC_OFFSET)
2180 return MAX_JIFFY_OFFSET;
2181 #if HZ <= 1000 && !(1000 % HZ)
2182 - return (m + (1000 / HZ) - 1) / (1000 / HZ);
2183 + return ((unsigned long)m + (1000 / HZ) - 1) / (1000 / HZ);
2184 #elif HZ > 1000 && !(HZ % 1000)
2185 - return m * (HZ / 1000);
2186 + return (unsigned long)m * (HZ / 1000);
2188 - return (m * HZ + 999) / 1000;
2189 + return ((unsigned long)m * HZ + 999) / 1000;
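Review bot: The new guard in msecs_to_jiffies() prevents the multiply from overflowing, but it does not keep the result at or below MAX_JIFFY_OFFSET. When MAX_MSEC_OFFSET is not smaller than UINT_MAX (for example HZ == 1000 with a 32-bit unsigned long, where the first definition evaluates to ULONG_MAX), the test is skipped and the `HZ <= 1000` branch returns m essentially unchanged. A very large m then comes back above MAX_JIFFY_OFFSET, assuming that constant (defined outside this hunk) is about half the unsigned long range. If such values should mean "no timeout", an explicit `if ((int)m < 0) return MAX_JIFFY_OFFSET;` ahead of the existing test would cover them. The header comment should say which of the two bounds the function actually guarantees.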
2193 diff -urN linux-2.4.30/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.4.30-hf32.3/include/linux/netfilter_ipv4/ip_conntrack.h
2194 --- linux-2.4.30/include/linux/netfilter_ipv4/ip_conntrack.h 2005-07-27 13:13:58.000000000 +0200
2195 +++ linux-2.4.30-hf32.3/include/linux/netfilter_ipv4/ip_conntrack.h 2006-03-18 00:34:06.000000000 +0100
2197 ip_conntrack_get(struct sk_buff *skb, enum ip_conntrack_info *ctinfo);
2199 /* decrement reference count on a conntrack */
2200 -extern inline void ip_conntrack_put(struct ip_conntrack *ct);
2201 +extern void ip_conntrack_put(struct ip_conntrack *ct);
2203 /* find unconfirmed expectation based on tuple */
2204 struct ip_conntrack_expect *
2205 diff -urN linux-2.4.30/include/linux/netfilter_ipv4/ip_nat_rule.h linux-2.4.30-hf32.3/include/linux/netfilter_ipv4/ip_nat_rule.h
2206 --- linux-2.4.30/include/linux/netfilter_ipv4/ip_nat_rule.h 2006-01-29 08:38:54.000000000 +0100
2207 +++ linux-2.4.30-hf32.3/include/linux/netfilter_ipv4/ip_nat_rule.h 2006-03-18 00:34:06.000000000 +0100
2209 alloc_null_binding(struct ip_conntrack *conntrack,
2210 struct ip_nat_info *info,
2211 unsigned int hooknum);
2213 +extern unsigned int
2214 +alloc_null_binding_confirmed(struct ip_conntrack *conntrack,
2215 + struct ip_nat_info *info,
2216 + unsigned int hooknum);
2218 #endif /* _IP_NAT_RULE_H */
2219 diff -urN linux-2.4.30/include/linux/proc_fs.h linux-2.4.30-hf32.3/include/linux/proc_fs.h
2220 --- linux-2.4.30/include/linux/proc_fs.h 2005-12-04 19:00:23.000000000 +0100
2221 +++ linux-2.4.30-hf32.3/include/linux/proc_fs.h 2006-03-18 00:34:06.000000000 +0100
2223 atomic_t count; /* use count */
2224 int deleted; /* delete flag */
2229 #define PROC_INODE_PROPER(inode) ((inode)->i_ino & ~0xffff)
2230 diff -urN linux-2.4.30/include/linux/sysctl.h linux-2.4.30-hf32.3/include/linux/sysctl.h
2231 --- linux-2.4.30/include/linux/sysctl.h 2005-11-02 10:29:31.000000000 +0100
2232 +++ linux-2.4.30-hf32.3/include/linux/sysctl.h 2006-03-18 00:34:06.000000000 +0100
2234 #include <linux/list.h>
2239 #define CTL_MAXNAME 10
2243 ctl_table *ctl_table;
2244 struct list_head ctl_entry;
2246 + struct completion *unregistering;
2249 struct ctl_table_header * register_sysctl_table(ctl_table * table,
2250 diff -urN linux-2.4.30/include/linux/zlib.h linux-2.4.30-hf32.3/include/linux/zlib.h
2251 --- linux-2.4.30/include/linux/zlib.h 2005-11-18 12:46:17.000000000 +0100
2252 +++ linux-2.4.30-hf32.3/include/linux/zlib.h 2006-03-18 00:34:06.000000000 +0100
2253 @@ -516,6 +516,11 @@
2254 stream state was inconsistent (such as zalloc or state being NULL).
2257 +static inline unsigned long deflateBound(unsigned long s)
2259 + return s + ((s + 7) >> 3) + ((s + 63) >> 6) + 11;
2262 ZEXTERN int ZEXPORT zlib_deflateParams OF((z_streamp strm,
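Review bot: The sum in the new deflateBound() can wrap for s close to ULONG_MAX, in which case the returned bound is smaller than s and a buffer sized from it would be too short. The helper cannot report that, so the precondition should be documented above it, e.g. `/* s must be well below ULONG_MAX; the sum is not overflow-checked */`, or callers should reject oversized lengths before calling. The name also lacks the `zlib_` prefix of the neighbouring `zlib_deflateParams` declaration, which deserves a short comment if it is intentional.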
2265 diff -urN linux-2.4.30/include/net/ax25.h linux-2.4.30-hf32.3/include/net/ax25.h
2266 --- linux-2.4.30/include/net/ax25.h 2005-11-18 12:45:59.000000000 +0100
2267 +++ linux-2.4.30-hf32.3/include/net/ax25.h 2006-03-18 00:34:06.000000000 +0100
2269 ax25_address calls[AX25_MAX_DIGIS];
2270 unsigned char repeated[AX25_MAX_DIGIS];
2271 unsigned char ndigi;
2273 + signed char lastrepeat;
2276 typedef struct ax25_route {
2277 diff -urN linux-2.4.30/include/net/ip6_fib.h linux-2.4.30-hf32.3/include/net/ip6_fib.h
2278 --- linux-2.4.30/include/net/ip6_fib.h 2005-09-01 16:18:27.000000000 +0200
2279 +++ linux-2.4.30-hf32.3/include/net/ip6_fib.h 2006-03-18 00:34:06.000000000 +0100
2280 @@ -171,13 +171,16 @@
2282 extern int fib6_add(struct fib6_node *root,
2283 struct rt6_info *rt,
2284 - struct nlmsghdr *nlh);
2285 + struct nlmsghdr *nlh,
2286 + struct netlink_skb_parms *req);
2288 extern int fib6_del(struct rt6_info *rt,
2289 - struct nlmsghdr *nlh);
2290 + struct nlmsghdr *nlh,
2291 + struct netlink_skb_parms *req);
2293 extern void inet6_rt_notify(int event, struct rt6_info *rt,
2294 - struct nlmsghdr *nlh);
2295 + struct nlmsghdr *nlh,
2296 + struct netlink_skb_parms *req);
2298 extern void fib6_run_gc(unsigned long dummy);
2300 diff -urN linux-2.4.30/include/net/ip6_route.h linux-2.4.30-hf32.3/include/net/ip6_route.h
2301 --- linux-2.4.30/include/net/ip6_route.h 2005-09-01 16:18:27.000000000 +0200
2302 +++ linux-2.4.30-hf32.3/include/net/ip6_route.h 2006-03-18 00:34:06.000000000 +0100
2304 extern int ipv6_route_ioctl(unsigned int cmd, void *arg);
2306 extern int ip6_route_add(struct in6_rtmsg *rtmsg,
2307 - struct nlmsghdr *);
2308 + struct nlmsghdr *,
2309 + struct netlink_skb_parms *req);
2310 extern int ip6_del_rt(struct rt6_info *,
2311 - struct nlmsghdr *);
2312 + struct nlmsghdr *,
2313 + struct netlink_skb_parms *req);
2315 extern int ip6_rt_addr_add(struct in6_addr *addr,
2316 struct net_device *dev);
2317 diff -urN linux-2.4.30/include/net/ip_vs.h linux-2.4.30-hf32.3/include/net/ip_vs.h
2318 --- linux-2.4.30/include/net/ip_vs.h 2005-09-01 16:18:30.000000000 +0200
2319 +++ linux-2.4.30-hf32.3/include/net/ip_vs.h 2006-03-18 00:34:06.000000000 +0100
2321 #define IP_VS_CONN_F_IN_SEQ 0x0400 /* must do input seq adjust */
2322 #define IP_VS_CONN_F_SEQ_MASK 0x0600 /* in/out sequence mask */
2323 #define IP_VS_CONN_F_NO_CPORT 0x0800 /* no client port set yet */
2324 +#define IP_VS_CONN_F_TEMPLATE 0x1000 /* template, not connection */
2326 /* Move it to better place one day, for now keep it unique */
2327 #define NFC_IPVS_PROPERTY 0x10000
2330 extern struct ip_vs_conn *ip_vs_conn_in_get
2331 (int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port);
2332 +extern struct ip_vs_conn *ip_vs_ct_in_get
2333 +(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port);
2334 extern struct ip_vs_conn *ip_vs_conn_out_get
2335 (int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port);
2337 diff -urN linux-2.4.30/kernel/kmod.c linux-2.4.30-hf32.3/kernel/kmod.c
2338 --- linux-2.4.30/kernel/kmod.c 2003-11-28 19:26:21.000000000 +0100
2339 +++ linux-2.4.30-hf32.3/kernel/kmod.c 2006-03-18 00:34:06.000000000 +0100
2341 curtask->euid = curtask->uid = curtask->suid = curtask->fsuid = 0;
2342 curtask->egid = curtask->gid = curtask->sgid = curtask->fsgid = 0;
2344 + memcpy(&curtask->rlim, &init_task.rlim, sizeof(struct rlimit)*RLIM_NLIMITS);
2346 curtask->ngroups = 0;
2348 cap_set_full(curtask->cap_effective);
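Review bot: The byte count in the added memcpy is spelled `sizeof(struct rlimit)*RLIM_NLIMITS`, which stays correct only while rlim keeps exactly that element type and length. Taking the size from the destination, `memcpy(&curtask->rlim, &init_task.rlim, sizeof(curtask->rlim));`, ties it to the object being written, assuming rlim is an array member, which its declaration outside the hunk would confirm. A comment such as `/* do not inherit resource limits from the requesting process */` would also record why the copy sits between the uid/gid and capability resets. The enclosing function begins and ends outside the hunk.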
2349 diff -urN linux-2.4.30/kernel/ptrace.c linux-2.4.30-hf32.3/kernel/ptrace.c
2350 --- linux-2.4.30/kernel/ptrace.c 2003-08-25 13:44:44.000000000 +0200
2351 +++ linux-2.4.30-hf32.3/kernel/ptrace.c 2006-03-18 00:34:06.000000000 +0100
2356 - if (task == current)
2357 + if (task->tgid == current->tgid)
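Review bot: The widened test `task->tgid == current->tgid` carries no comment saying why the whole thread group is refused rather than only the calling task. Since this is an access-control decision, a line above it such as `/* refuse any thread of our own thread group, not just ourselves */` would keep a later cleanup from narrowing it back to `task == current`. The surrounding function and the error path taken are outside the hunk.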
2361 diff -urN linux-2.4.30/kernel/sysctl.c linux-2.4.30-hf32.3/kernel/sysctl.c
2362 --- linux-2.4.30/kernel/sysctl.c 2005-01-27 18:57:34.000000000 +0100
2363 +++ linux-2.4.30-hf32.3/kernel/sysctl.c 2006-03-18 00:34:06.000000000 +0100
2366 extern struct proc_dir_entry *proc_sys_root;
2368 -static void register_proc_table(ctl_table *, struct proc_dir_entry *);
2369 +static void register_proc_table(ctl_table *, struct proc_dir_entry *, void *);
2370 static void unregister_proc_table(ctl_table *, struct proc_dir_entry *);
2373 @@ -360,10 +360,51 @@
2375 extern void init_irq_proc (void);
2377 +static spinlock_t sysctl_lock = SPIN_LOCK_UNLOCKED;
2379 +/* called under sysctl_lock */
2380 +static int use_table(struct ctl_table_header *p)
2382 + if (unlikely(p->unregistering != NULL))
2388 +/* called under sysctl_lock */
2389 +static void unuse_table(struct ctl_table_header *p)
2392 + if (unlikely(p->unregistering != NULL))
2393 + complete(p->unregistering);
2396 +/* called under sysctl_lock, will reacquire if has to wait */
2397 +static void start_unregistering(struct ctl_table_header *p)
2400 + * if p->used is 0, nobody will ever touch that entry again;
2401 + * we'll eliminate all paths to it before dropping sysctl_lock
2403 + if (unlikely(p->used)) {
2404 + struct completion wait;
2405 + init_completion(&wait);
2406 + p->unregistering = &wait;
2407 + spin_unlock(&sysctl_lock);
2408 + wait_for_completion(&wait);
2409 + spin_lock(&sysctl_lock);
2412 + * do not remove from the list until nobody holds it; walking the
2413 + * list in do_sysctl() relies on that.
2415 + list_del_init(&p->ctl_entry);
2418 void __init sysctl_init(void)
2420 #ifdef CONFIG_PROC_FS
2421 - register_proc_table(root_table, proc_sys_root);
2422 + register_proc_table(root_table, proc_sys_root, &root_table_header);
2427 void *newval, size_t newlen)
2429 struct list_head *tmp;
2430 + int error = -ENOTDIR;
2432 if (nlen <= 0 || nlen >= CTL_MAXNAME)
2434 @@ -383,21 +425,31 @@
2435 if ((ssize_t)old_len < 0)
2438 + spin_lock(&sysctl_lock);
2439 tmp = &root_table_header.ctl_entry;
2441 struct ctl_table_header *head =
2442 list_entry(tmp, struct ctl_table_header, ctl_entry);
2443 void *context = NULL;
2444 - int error = parse_table(name, nlen, oldval, oldlenp,
2446 + if (!use_table(head))
2449 + spin_unlock(&sysctl_lock);
2451 + error = parse_table(name, nlen, oldval, oldlenp,
2452 newval, newlen, head->ctl_table,
2457 + spin_lock(&sysctl_lock);
2458 + unuse_table(head);
2459 if (error != -ENOTDIR)
2462 - } while (tmp != &root_table_header.ctl_entry);
2465 + } while ((tmp = tmp->next) != &root_table_header.ctl_entry);
2466 + spin_unlock(&sysctl_lock);
2470 extern asmlinkage long sys_sysctl(struct __sysctl_args *args)
2471 @@ -604,12 +656,16 @@
2473 tmp->ctl_table = table;
2474 INIT_LIST_HEAD(&tmp->ctl_entry);
2476 + tmp->unregistering = NULL;
2477 + spin_lock(&sysctl_lock);
2479 list_add(&tmp->ctl_entry, &root_table_header.ctl_entry);
2481 list_add_tail(&tmp->ctl_entry, &root_table_header.ctl_entry);
2482 + spin_unlock(&sysctl_lock);
2483 #ifdef CONFIG_PROC_FS
2484 - register_proc_table(table, proc_sys_root);
2485 + register_proc_table(table, proc_sys_root, tmp);
2489 @@ -623,10 +679,12 @@
2491 void unregister_sysctl_table(struct ctl_table_header * header)
2493 - list_del(&header->ctl_entry);
2494 + spin_lock(&sysctl_lock);
2495 + start_unregistering(header);
2496 #ifdef CONFIG_PROC_FS
2497 unregister_proc_table(header->ctl_table, proc_sys_root);
2499 + spin_unlock(&sysctl_lock);
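Review bot: unregister_sysctl_table() can now sleep, and nothing at the function says so. start_unregistering(), added earlier in this file's diff, drops sysctl_lock and calls wait_for_completion() when the header is still in use, so a caller in atomic context would only find out at run time. A comment above the function, e.g. `/* may sleep until current users of the table are done; process context only */`, would state the new constraint. The function body continues outside the hunk.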
2504 #ifdef CONFIG_PROC_FS
2506 /* Scan the sysctl entries in table and add them all into /proc */
2507 -static void register_proc_table(ctl_table * table, struct proc_dir_entry *root)
2508 +static void register_proc_table(ctl_table * table, struct proc_dir_entry *root, void *set)
2510 struct proc_dir_entry *de;
2513 de = create_proc_entry(table->procname, mode, root);
2517 de->data = (void *) table;
2518 if (table->proc_handler) {
2519 de->proc_fops = &proc_sys_file_operations;
2523 if (de->mode & S_IFDIR)
2524 - register_proc_table(table->child, de);
2525 + register_proc_table(table->child, de, set);
2529 @@ -706,6 +765,13 @@
2534 + * In any case, mark the entry as goner; we'll keep it
2535 + * around if it's busy, but we'll know to do nothing with
2536 + * its fields. We are under sysctl_lock here.
2540 /* Don't unregister proc entries that are still being used.. */
2541 if (atomic_read(&de->count))
2543 @@ -719,31 +785,44 @@
2544 size_t count, loff_t *ppos)
2547 - struct proc_dir_entry *de;
2548 + struct proc_dir_entry *de =
2549 + (struct proc_dir_entry*) file->f_dentry->d_inode->u.generic_ip;
2550 struct ctl_table *table;
2554 - de = (struct proc_dir_entry*) file->f_dentry->d_inode->u.generic_ip;
2555 - if (!de || !de->data)
2557 - table = (struct ctl_table *) de->data;
2558 - if (!table || !table->proc_handler)
2560 - op = (write ? 002 : 004);
2561 - if (ctl_perm(table, op))
2565 + ssize_t error = -ENOTDIR;
2568 - * FIXME: we need to pass on ppos to the handler.
2570 + spin_lock(&sysctl_lock);
2571 + if (de && de->data && use_table(de->set)) {
2573 + * at that point we know that sysctl was not unregistered
2574 + * and won't be until we finish
2576 + spin_unlock(&sysctl_lock);
2577 + table = (struct ctl_table *) de->data;
2578 + if (!table || !table->proc_handler)
2581 + op = (write ? 002 : 004);
2582 + if (ctl_perm(table, op))
2585 + /* careful: calling conventions are nasty here */
2588 - error = (*table->proc_handler) (table, write, file, buf, &res);
2593 + * FIXME: we need to pass on ppos to the handler.
2596 + error = (*table->proc_handler)(table, write, file,
2601 + spin_lock(&sysctl_lock);
2602 + unuse_table(de->set);
2604 + spin_unlock(&sysctl_lock);
2608 static ssize_t proc_readsys(struct file * file, char * buf,
2609 diff -urN linux-2.4.30/lib/inflate.c linux-2.4.30-hf32.3/lib/inflate.c
2610 --- linux-2.4.30/lib/inflate.c 2002-11-29 00:53:15.000000000 +0100
2611 +++ linux-2.4.30-hf32.3/lib/inflate.c 2006-03-18 00:34:06.000000000 +0100
2614 *t = (struct huft *)NULL;
2622 if ((j = *p++) != 0)
2625 + n = x[g]; /* set n to length of v */
2629 @@ -404,12 +405,13 @@
2631 f -= a + 1; /* deduct codes from patterns left */
2633 - while (++j < z) /* try smaller tables up to z bits */
2635 - if ((f <<= 1) <= *++xp)
2636 - break; /* enough codes to use up j bits */
2637 - f -= *xp; /* else deduct codes from patterns */
2640 + while (++j < z) /* try smaller tables up to z bits */
2642 + if ((f <<= 1) <= *++xp)
2643 + break; /* enough codes to use up j bits */
2644 + f -= *xp; /* else deduct codes from patterns */
2648 z = 1 << j; /* table entries for j-bit table */
2649 diff -urN linux-2.4.30/lib/rbtree.c linux-2.4.30-hf32.3/lib/rbtree.c
2650 --- linux-2.4.30/lib/rbtree.c 2004-11-17 12:54:22.000000000 +0100
2651 +++ linux-2.4.30-hf32.3/lib/rbtree.c 2006-03-18 00:34:06.000000000 +0100
2653 node = node->rb_right;
2654 while (node->rb_left)
2655 node = node->rb_left;
2659 /* No right-hand children. Everything down and left is
2661 node = node->rb_left;
2662 while (node->rb_right)
2663 node = node->rb_right;
2667 /* No left-hand children. Go up till we find an ancestor which
2668 diff -urN linux-2.4.30/lib/rwsem-spinlock.c linux-2.4.30-hf32.3/lib/rwsem-spinlock.c
2669 --- linux-2.4.30/lib/rwsem-spinlock.c 2005-01-27 18:57:34.000000000 +0100
2670 +++ linux-2.4.30-hf32.3/lib/rwsem-spinlock.c 2006-03-18 00:34:06.000000000 +0100
2671 @@ -127,12 +127,12 @@
2673 rwsemtrace(sem,"Entering __down_read");
2675 - spin_lock(&sem->wait_lock);
2676 + spin_lock_irq(&sem->wait_lock);
2678 if (sem->activity>=0 && list_empty(&sem->wait_list)) {
2681 - spin_unlock(&sem->wait_lock);
2682 + spin_unlock_irq(&sem->wait_lock);
2687 list_add_tail(&waiter.list,&sem->wait_list);
2689 /* we don't need to touch the semaphore struct anymore */
2690 - spin_unlock(&sem->wait_lock);
2691 + spin_unlock_irq(&sem->wait_lock);
2693 /* wait to be given the lock */
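Review bot: The lock calls in __down_read() use spin_lock_irq/spin_unlock_irq while the trylock and up paths later in this file use the irqsave variants, and nothing explains the difference. The same applies to __down_write() in the @@ -196 hunk and to the wait-queue setup hunk in lib/rwsem.c. spin_unlock_irq re-enables interrupts unconditionally, so these paths depend on being entered with interrupts enabled. A comment at the first lock site, e.g. `/* sleeping path: callers have interrupts enabled, so plain _irq is enough */`, would record that assumption. The function bodies extend beyond the hunks.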
2695 @@ -169,9 +169,10 @@
2696 int fastcall __down_read_trylock(struct rw_semaphore *sem)
2699 + unsigned long flags;
2700 rwsemtrace(sem,"Entering __down_read_trylock");
2702 - spin_lock(&sem->wait_lock);
2703 + spin_lock_irqsave(&sem->wait_lock, flags);
2705 if (sem->activity>=0 && list_empty(&sem->wait_list)) {
2711 - spin_unlock(&sem->wait_lock);
2712 + spin_unlock_irqrestore(&sem->wait_lock, flags);
2714 rwsemtrace(sem,"Leaving __down_read_trylock");
2716 @@ -196,12 +197,12 @@
2718 rwsemtrace(sem,"Entering __down_write");
2720 - spin_lock(&sem->wait_lock);
2721 + spin_lock_irq(&sem->wait_lock);
2723 if (sem->activity==0 && list_empty(&sem->wait_list)) {
2726 - spin_unlock(&sem->wait_lock);
2727 + spin_unlock_irq(&sem->wait_lock);
2732 list_add_tail(&waiter.list,&sem->wait_list);
2734 /* we don't need to touch the semaphore struct anymore */
2735 - spin_unlock(&sem->wait_lock);
2736 + spin_unlock_irq(&sem->wait_lock);
2738 /* wait to be given the lock */
2740 @@ -238,9 +239,10 @@
2741 int fastcall __down_write_trylock(struct rw_semaphore *sem)
2744 + unsigned long flags;
2745 rwsemtrace(sem,"Entering __down_write_trylock");
2747 - spin_lock(&sem->wait_lock);
2748 + spin_lock_irqsave(&sem->wait_lock, flags);
2750 if (sem->activity==0 && list_empty(&sem->wait_list)) {
2756 - spin_unlock(&sem->wait_lock);
2757 + spin_unlock_irqrestore(&sem->wait_lock, flags);
2759 rwsemtrace(sem,"Leaving __down_write_trylock");
2761 @@ -259,14 +261,15 @@
2763 void fastcall __up_read(struct rw_semaphore *sem)
2765 + unsigned long flags;
2766 rwsemtrace(sem,"Entering __up_read");
2768 - spin_lock(&sem->wait_lock);
2769 + spin_lock_irqsave(&sem->wait_lock, flags);
2771 if (--sem->activity==0 && !list_empty(&sem->wait_list))
2772 sem = __rwsem_wake_one_writer(sem);
2774 - spin_unlock(&sem->wait_lock);
2775 + spin_unlock_irqrestore(&sem->wait_lock, flags);
2777 rwsemtrace(sem,"Leaving __up_read");
2779 @@ -276,15 +279,16 @@
2781 void fastcall __up_write(struct rw_semaphore *sem)
2783 + unsigned long flags;
2784 rwsemtrace(sem,"Entering __up_write");
2786 - spin_lock(&sem->wait_lock);
2787 + spin_lock_irqsave(&sem->wait_lock, flags);
2790 if (!list_empty(&sem->wait_list))
2791 sem = __rwsem_do_wake(sem);
2793 - spin_unlock(&sem->wait_lock);
2794 + spin_unlock_irqrestore(&sem->wait_lock, flags);
2796 rwsemtrace(sem,"Leaving __up_write");
2798 diff -urN linux-2.4.30/lib/rwsem.c linux-2.4.30-hf32.3/lib/rwsem.c
2799 --- linux-2.4.30/lib/rwsem.c 2004-11-17 12:54:22.000000000 +0100
2800 +++ linux-2.4.30-hf32.3/lib/rwsem.c 2006-03-18 00:34:06.000000000 +0100
2802 set_task_state(tsk,TASK_UNINTERRUPTIBLE);
2804 /* set up my own style of waitqueue */
2805 - spin_lock(&sem->wait_lock);
2806 + spin_lock_irq(&sem->wait_lock);
2808 get_task_struct(tsk);
2811 if (!(count & RWSEM_ACTIVE_MASK))
2812 sem = __rwsem_do_wake(sem);
2814 - spin_unlock(&sem->wait_lock);
2815 + spin_unlock_irq(&sem->wait_lock);
2817 /* wait to be given the lock */
2819 @@ -195,15 +195,16 @@
2821 struct rw_semaphore fastcall *rwsem_wake(struct rw_semaphore *sem)
2823 + unsigned long flags;
2824 rwsemtrace(sem,"Entering rwsem_wake");
2826 - spin_lock(&sem->wait_lock);
2827 + spin_lock_irqsave(&sem->wait_lock, flags);
2829 /* do nothing if list empty */
2830 if (!list_empty(&sem->wait_list))
2831 sem = __rwsem_do_wake(sem);
2833 - spin_unlock(&sem->wait_lock);
2834 + spin_unlock_irqrestore(&sem->wait_lock, flags);
2836 rwsemtrace(sem,"Leaving rwsem_wake");
2838 diff -urN linux-2.4.30/mm/filemap.c linux-2.4.30-hf32.3/mm/filemap.c
2839 --- linux-2.4.30/mm/filemap.c 2005-04-14 09:43:35.000000000 +0200
2840 +++ linux-2.4.30-hf32.3/mm/filemap.c 2006-03-18 00:34:06.000000000 +0100
2841 @@ -2605,6 +2605,8 @@
2843 end = ((end - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
2847 /* round to cluster boundaries if this isn't a "random" area. */
2848 if (!VM_RandomReadHint(vma)) {
2849 start = CLUSTER_OFFSET(start);
2850 diff -urN linux-2.4.30/mm/vmscan.c linux-2.4.30-hf32.3/mm/vmscan.c
2851 --- linux-2.4.30/mm/vmscan.c 2005-01-27 18:57:34.000000000 +0100
2852 +++ linux-2.4.30-hf32.3/mm/vmscan.c 2006-03-18 00:34:06.000000000 +0100
2858 if (PageDirty(page)) {
2859 spin_unlock(&pagecache_lock);
2861 diff -urN linux-2.4.30/net/core/rtnetlink.c linux-2.4.30-hf32.3/net/core/rtnetlink.c
2862 --- linux-2.4.30/net/core/rtnetlink.c 2003-08-25 13:44:44.000000000 +0200
2863 +++ linux-2.4.30-hf32.3/net/core/rtnetlink.c 2006-03-18 00:34:06.000000000 +0100
2867 family = ((struct rtgenmsg*)NLMSG_DATA(nlh))->rtgen_family;
2868 - if (family > NPROTO) {
2869 + if (family >= NPROTO) {
2870 *errp = -EAFNOSUPPORT;
2873 diff -urN linux-2.4.30/net/ipv4/af_inet.c linux-2.4.30-hf32.3/net/ipv4/af_inet.c
2874 --- linux-2.4.30/net/ipv4/af_inet.c 2005-01-27 18:57:34.000000000 +0100
2875 +++ linux-2.4.30-hf32.3/net/ipv4/af_inet.c 2006-03-18 00:34:06.000000000 +0100
2877 sin->sin_port = sk->sport;
2878 sin->sin_addr.s_addr = addr;
2880 + memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
2881 *uaddr_len = sizeof(*sin);
2884 diff -urN linux-2.4.30/net/ipv4/igmp.c linux-2.4.30-hf32.3/net/ipv4/igmp.c
2885 --- linux-2.4.30/net/ipv4/igmp.c 2005-01-27 18:57:34.000000000 +0100
2886 +++ linux-2.4.30-hf32.3/net/ipv4/igmp.c 2006-03-18 00:34:06.000000000 +0100
2887 @@ -876,6 +876,10 @@
2888 /* Is it our report looped back? */
2889 if (((struct rtable*)skb->dst)->key.iif == 0)
2891 + /* don't rely on MC router hearing unicast reports */
2892 + if (skb->pkt_type == PACKET_MULTICAST ||
2893 + skb->pkt_type == PACKET_BROADCAST)
2894 + igmp_heard_report(in_dev, ih->group);
2895 igmp_heard_report(in_dev, ih->group);
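Review bot: As shown, the unconditional `igmp_heard_report(in_dev, ih->group);` context line still follows the new guarded call, so the packet-type test has no effect. Unicast reports are still handled, and for multicast or broadcast reports igmp_heard_report() is called twice. The hunk header (6 old lines, 10 new) matches four pure additions, which suggests the original call was left in place rather than replaced. If the intent is to ignore unicast reports, the old call should be dropped so only the guarded one remains. The enclosing switch is outside the hunk.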
2898 @@ -1582,7 +1586,7 @@
2901 pmc->sfmode = MCAST_EXCLUDE;
2902 - pmc->sfcount[MCAST_EXCLUDE] = 0;
2903 + pmc->sfcount[MCAST_INCLUDE] = 0;
2904 pmc->sfcount[MCAST_EXCLUDE] = 1;
2907 @@ -1876,8 +1880,11 @@
2908 sock_kfree_s(sk, newpsl, IP_SFLSIZE(newpsl->sl_max));
2915 + (void) ip_mc_add_src(in_dev, &msf->imsf_multiaddr,
2916 + msf->imsf_fmode, 0, NULL, 0);
2920 (void) ip_mc_del_src(in_dev, &msf->imsf_multiaddr, pmc->sfmode,
2921 diff -urN linux-2.4.30/net/ipv4/inetpeer.c linux-2.4.30-hf32.3/net/ipv4/inetpeer.c
2922 --- linux-2.4.30/net/ipv4/inetpeer.c 2001-10-01 18:19:56.000000000 +0200
2923 +++ linux-2.4.30-hf32.3/net/ipv4/inetpeer.c 2006-03-18 00:34:06.000000000 +0100
2924 @@ -445,9 +445,12 @@
2925 /* Trigger the timer after inet_peer_gc_mintime .. inet_peer_gc_maxtime
2926 * interval depending on the total number of entries (more entries,
2927 * less interval). */
2928 - peer_periodic_timer.expires = jiffies
2929 - + inet_peer_gc_maxtime
2930 - - (inet_peer_gc_maxtime - inet_peer_gc_mintime) / HZ *
2931 - peer_total / inet_peer_threshold * HZ;
2932 + if (peer_total >= inet_peer_threshold)
2933 + peer_periodic_timer.expires = jiffies + inet_peer_gc_mintime;
2935 + peer_periodic_timer.expires = jiffies
2936 + + inet_peer_gc_maxtime
2937 + - (inet_peer_gc_maxtime - inet_peer_gc_mintime) / HZ *
2938 + peer_total / inet_peer_threshold * HZ;
2939 add_timer(&peer_periodic_timer);
2941 diff -urN linux-2.4.30/net/ipv4/ipvs/ip_vs_conn.c linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_conn.c
2942 --- linux-2.4.30/net/ipv4/ipvs/ip_vs_conn.c 2005-01-27 18:57:34.000000000 +0100
2943 +++ linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_conn.c 2006-03-18 00:34:06.000000000 +0100
2945 cp = list_entry(e, struct ip_vs_conn, c_list);
2946 if (s_addr==cp->caddr && s_port==cp->cport &&
2947 d_port==cp->vport && d_addr==cp->vaddr &&
2948 + ((!s_port) ^ (!(cp->flags & IP_VS_CONN_F_NO_CPORT))) &&
2949 protocol==cp->protocol) {
2951 atomic_inc(&cp->refcnt);
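Review bot: The added condition `((!s_port) ^ (!(cp->flags & IP_VS_CONN_F_NO_CPORT)))` is hard to read and has no comment. As written it is true when a zero s_port meets an entry with IP_VS_CONN_F_NO_CPORT set, or a non-zero s_port meets an entry without it. A comment on the line above, e.g. `/* port 0 may match only NO_CPORT entries, a real port only the others */`, would make that intent checkable. In ip_vs_ct_in_get() in the next hunk, parenthesising `(cp->flags & IP_VS_CONN_F_TEMPLATE)` inside the `&&` chain would match this style.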
2952 @@ -241,6 +242,40 @@
2956 +/* Get reference to connection template */
2957 +struct ip_vs_conn *ip_vs_ct_in_get
2958 +(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port)
2961 + struct ip_vs_conn *cp;
2963 + hash = ip_vs_conn_hashkey(protocol, s_addr, s_port);
2965 + ct_read_lock(hash);
2967 + list_for_each_entry(cp, &ip_vs_conn_tab[hash], c_list) {
2968 + if (s_addr==cp->caddr && s_port==cp->cport &&
2969 + d_port==cp->vport && d_addr==cp->vaddr &&
2970 + cp->flags & IP_VS_CONN_F_TEMPLATE &&
2971 + protocol==cp->protocol) {
2973 + atomic_inc(&cp->refcnt);
2980 + ct_read_unlock(hash);
2982 + IP_VS_DBG(7, "template lookup/in %s %u.%u.%u.%u:%d->%u.%u.%u.%u:%d %s\n",
2983 + ip_vs_proto_name(protocol),
2984 + NIPQUAD(s_addr), ntohs(s_port),
2985 + NIPQUAD(d_addr), ntohs(d_port),
2986 + cp?"hit":"not hit");
2992 * Gets ip_vs_conn associated with supplied parameters in the ip_vs_conn_tab.
2993 @@ -1087,7 +1122,7 @@
2995 IP_VS_DBG(9, "Unbind-dest %s c:%u.%u.%u.%u:%d "
2996 "v:%u.%u.%u.%u:%d d:%u.%u.%u.%u:%d fwd:%c "
2997 - "s:%s flg:%X cnt:%d destcnt:%d",
2998 + "s:%s flg:%X cnt:%d destcnt:%d\n",
2999 ip_vs_proto_name(cp->protocol),
3000 NIPQUAD(cp->caddr), ntohs(cp->cport),
3001 NIPQUAD(cp->vaddr), ntohs(cp->vport),
3002 @@ -1098,10 +1133,9 @@
3005 * Decrease the inactconns or activeconns counter
3006 - * if it is not a connection template ((cp->cport!=0)
3007 - * || (cp->flags & IP_VS_CONN_F_NO_CPORT)).
3008 + * if it is not a connection template
3010 - if (cp->cport || (cp->flags & IP_VS_CONN_F_NO_CPORT)) {
3011 + if (!(cp->flags & IP_VS_CONN_F_TEMPLATE)) {
3012 if (cp->flags & IP_VS_CONN_F_INACTIVE) {
3013 atomic_dec(&dest->inactconns);
3015 @@ -1145,7 +1179,7 @@
3017 * Invalidate the connection template
3020 + if (ct->vport != 65535) {
3021 if (ip_vs_conn_unhash(ct)) {
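Review bot: The new test `ct->vport != 65535` uses a bare magic number, presumably the value written into a template once it has been invalidated. The hunk does not show where that value is stored, so the two sites can drift apart unnoticed. A named constant shared by the writer and this test, or at least a comment like `/* 65535 marks an already invalidated template */`, would make the protocol explicit. The rest of the function is outside the hunk.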
3024 @@ -1430,7 +1464,7 @@
3025 l = &ip_vs_conn_tab[hash];
3026 for (e=l->next; e!=l; e=e->next) {
3027 cp = list_entry(e, struct ip_vs_conn, c_list);
3028 - if (!cp->cport && !(cp->flags & IP_VS_CONN_F_NO_CPORT))
3029 + if (cp->flags & IP_VS_CONN_F_TEMPLATE)
3030 /* connection template */
3033 diff -urN linux-2.4.30/net/ipv4/ipvs/ip_vs_core.c linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_core.c
3034 --- linux-2.4.30/net/ipv4/ipvs/ip_vs_core.c 2005-04-14 09:43:35.000000000 +0200
3035 +++ linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_core.c 2006-03-18 00:34:06.000000000 +0100
3036 @@ -188,10 +188,10 @@
3037 if (portp[1] == svc->port) {
3038 /* Check if a template already exists */
3039 if (svc->port != FTPPORT)
3040 - ct = ip_vs_conn_in_get(iph->protocol, snet, 0,
3041 + ct = ip_vs_ct_in_get(iph->protocol, snet, 0,
3042 iph->daddr, portp[1]);
3044 - ct = ip_vs_conn_in_get(iph->protocol, snet, 0,
3045 + ct = ip_vs_ct_in_get(iph->protocol, snet, 0,
3048 if (!ct || !ip_vs_check_template(ct)) {
3049 @@ -216,14 +216,14 @@
3051 iph->daddr, portp[1],
3052 dest->addr, dest->port,
3054 + IP_VS_CONN_F_TEMPLATE,
3057 ct = ip_vs_conn_new(iph->protocol,
3062 + IP_VS_CONN_F_TEMPLATE,
3066 @@ -242,10 +242,10 @@
3067 * port zero template: <protocol,caddr,0,vaddr,0,daddr,0>
3070 - ct = ip_vs_conn_in_get(IPPROTO_IP, snet, 0,
3071 + ct = ip_vs_ct_in_get(IPPROTO_IP, snet, 0,
3072 htonl(svc->fwmark), 0);
3074 - ct = ip_vs_conn_in_get(iph->protocol, snet, 0,
3075 + ct = ip_vs_ct_in_get(iph->protocol, snet, 0,
3078 if (!ct || !ip_vs_check_template(ct)) {
3079 @@ -270,14 +270,14 @@
3081 htonl(svc->fwmark), 0,
3084 + IP_VS_CONN_F_TEMPLATE,
3087 ct = ip_vs_conn_new(iph->protocol,
3092 + IP_VS_CONN_F_TEMPLATE,
3096 @@ -1111,11 +1111,10 @@
3097 if (sysctl_ip_vs_expire_nodest_conn) {
3098 /* try to expire the connection immediately */
3099 ip_vs_conn_expire_now(cp);
3101 - /* don't restart its timer, and silently
3102 - drop the packet. */
3103 - __ip_vs_conn_put(cp);
3105 + /* don't restart its timer, and silently
3106 + drop the packet. */
3107 + __ip_vs_conn_put(cp);
3111 diff -urN linux-2.4.30/net/ipv4/ipvs/ip_vs_ctl.c linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_ctl.c
3112 --- linux-2.4.30/net/ipv4/ipvs/ip_vs_ctl.c 2005-01-27 18:57:34.000000000 +0100
3113 +++ linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_ctl.c 2006-03-18 00:34:06.000000000 +0100
3114 @@ -1842,7 +1842,8 @@
3115 entry.addr = svc->addr;
3116 entry.port = svc->port;
3117 entry.fwmark = svc->fwmark;
3118 - strcpy(entry.sched_name, svc->scheduler->name);
3119 + strncpy(entry.sched_name, svc->scheduler->name, sizeof(entry.sched_name));
3120 + entry.sched_name[sizeof(entry.sched_name) - 1] = 0;
3121 entry.flags = svc->flags;
3122 entry.timeout = svc->timeout / HZ;
3123 entry.netmask = svc->netmask;
3124 @@ -1866,7 +1867,8 @@
3125 entry.addr = svc->addr;
3126 entry.port = svc->port;
3127 entry.fwmark = svc->fwmark;
3128 - strcpy(entry.sched_name, svc->scheduler->name);
3129 + strncpy(entry.sched_name, svc->scheduler->name, sizeof(entry.sched_name));
3130 + entry.sched_name[sizeof(entry.sched_name) - 1] = 0;
3131 entry.flags = svc->flags;
3132 entry.timeout = svc->timeout / HZ;
3133 entry.netmask = svc->netmask;
3134 @@ -2020,7 +2022,8 @@
3135 svc = __ip_vs_service_get(get.protocol,
3136 get.addr, get.port);
3138 - strcpy(get.sched_name, svc->scheduler->name);
3139 + strncpy(get.sched_name, svc->scheduler->name, sizeof(get.sched_name));
3140 + get.sched_name[sizeof(get.sched_name) - 1] = 0;
3141 get.flags = svc->flags;
3142 get.timeout = svc->timeout / HZ;
3143 get.netmask = svc->netmask;
3144 @@ -2083,10 +2086,14 @@
3147 u.state = ip_vs_sync_state;
3148 - if (ip_vs_sync_state & IP_VS_STATE_MASTER)
3149 - strcpy(u.mcast_master_ifn, ip_vs_mcast_master_ifn);
3150 - if (ip_vs_sync_state & IP_VS_STATE_BACKUP)
3151 - strcpy(u.mcast_backup_ifn, ip_vs_mcast_backup_ifn);
3152 + if (ip_vs_sync_state & IP_VS_STATE_MASTER) {
3153 + strncpy(u.mcast_master_ifn, ip_vs_mcast_master_ifn, sizeof(u.mcast_master_ifn));
3154 + u.mcast_master_ifn[sizeof(u.mcast_master_ifn) - 1] = 0;
3156 + if (ip_vs_sync_state & IP_VS_STATE_BACKUP) {
3157 + strncpy(u.mcast_backup_ifn, ip_vs_mcast_backup_ifn, sizeof(u.mcast_backup_ifn));
3158 + u.mcast_backup_ifn[sizeof(u.mcast_backup_ifn) - 1] = 0;
3160 if (copy_to_user(user, &u, sizeof(u)) != 0)
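Review bot: `copy_to_user(user, &u, sizeof(u))` copies the whole structure, but each interface-name field is written only when its state bit is set. If u is a stack variable that is not cleared beforehand (its declaration is outside the hunk), an untouched field and any padding reach user space with stale kernel stack contents. Adding `memset(&u, 0, sizeof(u));` before `u.state = ip_vs_sync_state;` closes that regardless of which branches run. The strncpy calls zero-pad the fields they do write, so only the skipped branches are affected.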
3163 diff -urN linux-2.4.30/net/ipv4/ipvs/ip_vs_sched.c linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_sched.c
3164 --- linux-2.4.30/net/ipv4/ipvs/ip_vs_sched.c 2004-04-14 15:05:41.000000000 +0200
3165 +++ linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_sched.c 2006-03-18 00:34:06.000000000 +0100
3168 if (sched == NULL) {
3169 char module_name[IP_VS_SCHEDNAME_MAXLEN+8];
3170 - sprintf(module_name,"ip_vs_%s", sched_name);
3171 + snprintf(module_name, sizeof(module_name), "ip_vs_%s", sched_name);
3172 request_module(module_name);
3173 sched = ip_vs_sched_getbyname(sched_name);
3175 diff -urN linux-2.4.30/net/ipv4/ipvs/ip_vs_sync.c linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_sync.c
3176 --- linux-2.4.30/net/ipv4/ipvs/ip_vs_sync.c 2005-01-27 18:57:34.000000000 +0100
3177 +++ linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_sync.c 2006-03-18 00:34:06.000000000 +0100
3178 @@ -295,16 +295,24 @@
3180 p = (char *)buffer + sizeof(struct ip_vs_sync_mesg);
3181 for (i=0; i<m->nr_conns; i++) {
3184 s = (struct ip_vs_sync_conn *)p;
3185 - cp = ip_vs_conn_in_get(s->protocol,
3186 - s->caddr, s->cport,
3187 - s->vaddr, s->vport);
3188 + flags = ntohs(s->flags);
3189 + if (!(flags & IP_VS_CONN_F_TEMPLATE))
3190 + cp = ip_vs_conn_in_get(s->protocol,
3191 + s->caddr, s->cport,
3192 + s->vaddr, s->vport);
3194 + cp = ip_vs_ct_in_get(s->protocol,
3195 + s->caddr, s->cport,
3196 + s->vaddr, s->vport);
3198 cp = ip_vs_conn_new(s->protocol,
3202 - ntohs(s->flags), NULL);
3205 IP_VS_ERR("ip_vs_conn_new failed\n");
3207 @@ -313,11 +321,11 @@
3208 } else if (!cp->dest) {
3209 /* it is an entry created by the synchronization */
3210 cp->state = ntohs(s->state);
3211 - cp->flags = ntohs(s->flags) | IP_VS_CONN_F_HASHED;
3212 + cp->flags = flags | IP_VS_CONN_F_HASHED;
3213 } /* Note that we don't touch its state and flags
3214 if it is a normal entry. */
3216 - if (ntohs(s->flags) & IP_VS_CONN_F_SEQ_MASK) {
3217 + if (flags & IP_VS_CONN_F_SEQ_MASK) {
3218 opt = (struct ip_vs_sync_conn_options *)&s[1];
3219 memcpy(&cp->in_seq, opt, sizeof(*opt));
3220 p += FULL_CONN_SIZE;
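Review bot: The loop takes `m->nr_conns` and the per-entry `flags` straight from the received sync message, and neither hunk shows a check that p plus the entry size stays inside the received buffer. `flags & IP_VS_CONN_F_SEQ_MASK` selects a memcpy from `&s[1]` and the `p += FULL_CONN_SIZE` step. If no length check exists in the lines outside the hunks, a short or malformed message lets those reads run past the data. A guard at the top of the loop body, e.g. `if (p + FULL_CONN_SIZE > (char *)buffer + BUFLEN) break;` with BUFLEN standing for the received length (a placeholder, as the parameter is not visible here), would bound it. The simple-entry case needs the same check with its own size.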
3221 @@ -808,10 +816,12 @@
3223 ip_vs_sync_state |= state;
3224 if (state == IP_VS_STATE_MASTER) {
3225 - strcpy(ip_vs_mcast_master_ifn, mcast_ifn);
3226 + strncpy(ip_vs_mcast_master_ifn, mcast_ifn, sizeof(ip_vs_mcast_master_ifn));
3227 + ip_vs_mcast_master_ifn[sizeof(ip_vs_mcast_master_ifn) - 1] = 0;
3228 ip_vs_master_syncid = syncid;
3230 - strcpy(ip_vs_mcast_backup_ifn, mcast_ifn);
3231 + strncpy(ip_vs_mcast_backup_ifn, mcast_ifn, sizeof(ip_vs_mcast_backup_ifn));
3232 + ip_vs_mcast_backup_ifn[sizeof(ip_vs_mcast_backup_ifn) - 1] = 0;
3233 ip_vs_backup_syncid = syncid;
3236 diff -urN linux-2.4.30/net/ipv4/netfilter/ip_conntrack_core.c linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_conntrack_core.c
3237 --- linux-2.4.30/net/ipv4/netfilter/ip_conntrack_core.c 2005-04-14 09:43:35.000000000 +0200
3238 +++ linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_conntrack_core.c 2006-03-18 00:34:06.000000000 +0100
3239 @@ -1349,6 +1349,7 @@
3240 .tuple.dst.u.tcp.port;
3241 sin.sin_addr.s_addr = h->ctrack->tuplehash[IP_CT_DIR_ORIGINAL]
3243 + memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
3245 DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n",
3246 NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port));
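Review bot: The added `memset` clears only `sin.sin_zero`, so any padding or member of the structure other than those assigned here would still carry old stack contents. If `sin` is copied out to the caller afterwards, as the `SO_ORIGINAL_DST` debug line suggests, clearing the whole object once is the more robust form: `memset(&sin, 0, sizeof(sin));` placed before the first field assignment. That assignment and the declaration of `sin` lie outside this hunk.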
3247 diff -urN linux-2.4.30/net/ipv4/netfilter/ip_nat_proto_tcp.c linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_nat_proto_tcp.c
3248 --- linux-2.4.30/net/ipv4/netfilter/ip_nat_proto_tcp.c 2002-11-29 00:53:15.000000000 +0100
3249 +++ linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_nat_proto_tcp.c 2006-03-18 00:34:06.000000000 +0100
3251 enum ip_nat_manip_type maniptype,
3252 const struct ip_conntrack *conntrack)
3254 - static u_int16_t port = 0, *portptr;
3255 + static u_int16_t port = 0;
3256 + u_int16_t *portptr;
3257 unsigned int range_size, min, i;
3259 if (maniptype == IP_NAT_MANIP_SRC)
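Review bot: `port` stays a function-level `static` after the split, and nothing at the declaration says why it may be shared between calls while `portptr` may not. A short comment would keep a later edit from merging the two declarations again, for example `/* port is a shared rover across calls; portptr is per call and must not be static */`. This reading of `port` is inferred from the declaration alone, since the body of the function is outside the visible lines. The same applies to the identical change in ip_nat_proto_udp.c.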
3260 diff -urN linux-2.4.30/net/ipv4/netfilter/ip_nat_proto_udp.c linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_nat_proto_udp.c
3261 --- linux-2.4.30/net/ipv4/netfilter/ip_nat_proto_udp.c 2000-08-04 22:07:24.000000000 +0200
3262 +++ linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_nat_proto_udp.c 2006-03-18 00:34:06.000000000 +0100
3264 enum ip_nat_manip_type maniptype,
3265 const struct ip_conntrack *conntrack)
3267 - static u_int16_t port = 0, *portptr;
3268 + static u_int16_t port = 0;
3269 + u_int16_t *portptr;
3270 unsigned int range_size, min, i;
3272 if (maniptype == IP_NAT_MANIP_SRC)
3273 diff -urN linux-2.4.30/net/ipv4/netfilter/ip_nat_rule.c linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_nat_rule.c
3274 --- linux-2.4.30/net/ipv4/netfilter/ip_nat_rule.c 2005-01-27 18:57:34.000000000 +0100
3275 +++ linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_nat_rule.c 2006-03-18 00:34:06.000000000 +0100
3276 @@ -241,6 +241,27 @@
3277 return ip_nat_setup_info(conntrack, &mr, hooknum);
3281 +alloc_null_binding_confirmed(struct ip_conntrack *conntrack,
3282 + struct ip_nat_info *info,
3283 + unsigned int hooknum)
3286 + = (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC
3287 + ? conntrack->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip
3288 + : conntrack->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip);
3290 + = (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC
3291 + ? conntrack->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.all
3292 + : conntrack->tuplehash[IP_CT_DIR_REPLY].tuple.src.u.all);
3293 + struct ip_nat_multi_range mr
3294 + = { 1, { { IP_NAT_RANGE_MAP_IPS, ip, ip, { all }, { all } } } };
3296 + DEBUGP("Allocating NULL binding for confirmed %p (%u.%u.%u.%u)\n",
3297 + conntrack, NIPQUAD(ip));
3298 + return ip_nat_setup_info(conntrack, &mr, hooknum);
3301 int ip_nat_rule_find(struct sk_buff **pskb,
3302 unsigned int hooknum,
3303 const struct net_device *in,
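Review bot: `alloc_null_binding_confirmed` is added without a comment saying why it builds its range from the `IP_CT_DIR_REPLY` tuple, and the only hint is the "NAT module was loaded late" remark at its call site in ip_nat_standalone.c. A header such as `/* Conntrack was confirmed before NAT saw it: bind to the address and port already in its reply tuple so the existing flow is left unchanged. */` would record the intent; that wording is inferred from the call site and should be confirmed. The `HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC` selection is also written out twice and could be evaluated once into a local.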
3304 diff -urN linux-2.4.30/net/ipv4/netfilter/ip_nat_standalone.c linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_nat_standalone.c
3305 --- linux-2.4.30/net/ipv4/netfilter/ip_nat_standalone.c 2005-04-14 09:43:35.000000000 +0200
3306 +++ linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_nat_standalone.c 2006-03-18 00:34:06.000000000 +0100
3307 @@ -123,8 +123,12 @@
3308 ret = call_expect(master_ct(ct), pskb,
3311 - /* LOCAL_IN hook doesn't have a chain! */
3312 - if (hooknum == NF_IP_LOCAL_IN)
3313 + if (unlikely(is_confirmed(ct)))
3314 + /* NAT module was loaded late */
3315 + ret = alloc_null_binding_confirmed(ct, info,
3317 + else if (hooknum == NF_IP_LOCAL_IN)
3318 + /* LOCAL_IN hook doesn't have a chain */
3319 ret = alloc_null_binding(ct, info,
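Review bot: The new `if` / `else if` chain has no braces although each branch is a comment followed by a call that spans two lines, which makes it easy to attach a later statement to the wrong branch. Bracing the branches costs nothing: `if (unlikely(is_confirmed(ct))) {` and `} else if (hooknum == NF_IP_LOCAL_IN) {`. The remainder of the chain continues outside the hunk.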
3322 diff -urN linux-2.4.30/net/ipv4/netfilter/ip_queue.c linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_queue.c
3323 --- linux-2.4.30/net/ipv4/netfilter/ip_queue.c 2004-02-18 14:36:32.000000000 +0100
3324 +++ linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_queue.c 2006-03-18 00:34:06.000000000 +0100
3326 write_unlock_bh(&queue_lock);
3328 status = ipq_receive_peer(NLMSG_DATA(nlh), type,
3329 - skblen - NLMSG_LENGTH(0));
3330 + nlmsglen - NLMSG_LENGTH(0));
3332 RCV_SKB_FAIL(status);
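Review bot: `nlmsglen - NLMSG_LENGTH(0)` turns negative or wraps, depending on the types involved, when `nlmsglen` is smaller than the header length, and the visible lines do not show that this case was excluded. If no earlier check exists, one is needed before the call, for example `if (nlmsglen < NLMSG_LENGTH(0)) RCV_SKB_FAIL(-EINVAL);`. The surrounding function is outside the visible lines, so this should be confirmed against the full source. The identical change in net/ipv6/netfilter/ip6_queue.c needs the same look.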
3334 diff -urN linux-2.4.30/net/ipv4/netfilter/ipt_unclean.c linux-2.4.30-hf32.3/net/ipv4/netfilter/ipt_unclean.c
3335 --- linux-2.4.30/net/ipv4/netfilter/ipt_unclean.c 2004-08-08 01:26:06.000000000 +0200
3336 +++ linux-2.4.30-hf32.3/net/ipv4/netfilter/ipt_unclean.c 2006-03-18 00:34:06.000000000 +0100
3340 [TH_SYN|TH_ACK] = 1,
3341 + [TH_SYN|TH_ACK|TH_PUSH] = 1,
3343 [TH_RST|TH_ACK] = 1,
3344 [TH_RST|TH_ACK|TH_PUSH] = 1,
3345 diff -urN linux-2.4.30/net/ipv4/tcp_input.c linux-2.4.30-hf32.3/net/ipv4/tcp_input.c
3346 --- linux-2.4.30/net/ipv4/tcp_input.c 2005-04-14 09:43:35.000000000 +0200
3347 +++ linux-2.4.30-hf32.3/net/ipv4/tcp_input.c 2006-03-18 00:34:06.000000000 +0100
3349 app_win -= tp->ack.rcv_mss;
3350 app_win = max(app_win, 2U*tp->advmss);
3353 - tp->window_clamp = min(tp->window_clamp, app_win);
3354 tp->rcv_ssthresh = min(tp->window_clamp, 2U*tp->advmss);
3357 @@ -2488,6 +2486,7 @@
3358 /* Note, it is the only place, where
3359 * fast path is recovered for sending TCP.
3361 + tp->pred_flags = 0;
3362 tcp_fast_path_check(sk, tp);
3364 if (nwin > tp->max_window) {
3365 @@ -4243,16 +4242,7 @@
3370 - if (tcp_in_quickack_mode(tp)) {
3373 - tcp_send_delayed_ack(sk);
3376 - __tcp_ack_snd_check(sk, 0);
3379 + __tcp_ack_snd_check(sk, 0);
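Review bot: The added `tp->pred_flags = 0;` carries no comment, and the existing one above it only says that the fast path is recovered at this place. A line such as `/* clear first; tcp_fast_path_check() only sets pred_flags when its conditions hold */` would record why the reset is needed. That description of `tcp_fast_path_check` is an assumption, since its body is not part of this section. Several lines of the hunks in this section are missing from the page.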
3383 diff -urN linux-2.4.30/net/ipv6/addrconf.c linux-2.4.30-hf32.3/net/ipv6/addrconf.c
3384 --- linux-2.4.30/net/ipv6/addrconf.c 2004-11-17 12:54:22.000000000 +0100
3385 +++ linux-2.4.30-hf32.3/net/ipv6/addrconf.c 2006-03-18 00:34:06.000000000 +0100
3387 if (dev->type == ARPHRD_SIT && (dev->flags&IFF_POINTOPOINT))
3388 rtmsg.rtmsg_flags |= RTF_NONEXTHOP;
3390 - ip6_route_add(&rtmsg, NULL);
3391 + ip6_route_add(&rtmsg, NULL, NULL);
3394 /* Create "default" multicast route to the interface */
3396 rtmsg.rtmsg_ifindex = dev->ifindex;
3397 rtmsg.rtmsg_flags = RTF_UP;
3398 rtmsg.rtmsg_type = RTMSG_NEWROUTE;
3399 - ip6_route_add(&rtmsg, NULL);
3400 + ip6_route_add(&rtmsg, NULL, NULL);
3403 static void sit_route_add(struct net_device *dev)
3405 rtmsg.rtmsg_flags = RTF_UP|RTF_NONEXTHOP;
3406 rtmsg.rtmsg_ifindex = dev->ifindex;
3408 - ip6_route_add(&rtmsg, NULL);
3409 + ip6_route_add(&rtmsg, NULL, NULL);
3412 static void addrconf_add_lroute(struct net_device *dev)
3413 @@ -1009,7 +1009,7 @@
3414 if (rt && ((rt->rt6i_flags & (RTF_GATEWAY | RTF_DEFAULT)) == 0)) {
3415 if (rt->rt6i_flags&RTF_EXPIRES) {
3416 if (pinfo->onlink == 0 || valid_lft == 0) {
3417 - ip6_del_rt(rt, NULL);
3418 + ip6_del_rt(rt, NULL, NULL);
3421 rt->rt6i_expires = rt_expires;
3422 @@ -1592,7 +1592,7 @@
3424 rtmsg.rtmsg_ifindex = ifp->idev->dev->ifindex;
3426 - ip6_route_add(&rtmsg, NULL);
3427 + ip6_route_add(&rtmsg, NULL, NULL);
3431 diff -urN linux-2.4.30/net/ipv6/ip6_fib.c linux-2.4.30-hf32.3/net/ipv6/ip6_fib.c
3432 --- linux-2.4.30/net/ipv6/ip6_fib.c 2004-11-17 12:54:22.000000000 +0100
3433 +++ linux-2.4.30-hf32.3/net/ipv6/ip6_fib.c 2006-03-18 00:34:06.000000000 +0100
3437 static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
3438 - struct nlmsghdr *nlh)
3439 + struct nlmsghdr *nlh, struct netlink_skb_parms *req)
3441 struct rt6_info *iter = NULL;
3442 struct rt6_info **ins;
3446 atomic_inc(&rt->rt6i_ref);
3447 - inet6_rt_notify(RTM_NEWROUTE, rt, nlh);
3448 + inet6_rt_notify(RTM_NEWROUTE, rt, nlh, req);
3449 rt6_stats.fib_rt_entries++;
3451 if ((fn->fn_flags & RTN_RTINFO) == 0) {
3453 * with source addr info in sub-trees
3456 -int fib6_add(struct fib6_node *root, struct rt6_info *rt, struct nlmsghdr *nlh)
3457 +int fib6_add(struct fib6_node *root, struct rt6_info *rt, struct nlmsghdr *nlh,
3458 + struct netlink_skb_parms *req)
3460 struct fib6_node *fn;
3466 - err = fib6_add_rt2node(fn, rt, nlh);
3467 + err = fib6_add_rt2node(fn, rt, nlh, req);
3474 static void fib6_del_route(struct fib6_node *fn, struct rt6_info **rtp,
3475 - struct nlmsghdr *nlh)
3476 + struct nlmsghdr *nlh, struct netlink_skb_parms *req)
3478 struct fib6_walker_t *w;
3479 struct rt6_info *rt = *rtp;
3480 @@ -943,11 +944,11 @@
3481 if (atomic_read(&rt->rt6i_ref) != 1) BUG();
3484 - inet6_rt_notify(RTM_DELROUTE, rt, nlh);
3485 + inet6_rt_notify(RTM_DELROUTE, rt, nlh, req);
3489 -int fib6_del(struct rt6_info *rt, struct nlmsghdr *nlh)
3490 +int fib6_del(struct rt6_info *rt, struct nlmsghdr *nlh, struct netlink_skb_parms *req)
3492 struct fib6_node *fn = rt->rt6i_node;
3493 struct rt6_info **rtp;
3496 for (rtp = &fn->leaf; *rtp; rtp = &(*rtp)->u.next) {
3498 - fib6_del_route(fn, rtp, nlh);
3499 + fib6_del_route(fn, rtp, nlh, req);
3503 @@ -1101,7 +1102,7 @@
3504 res = c->func(rt, c->arg);
3507 - res = fib6_del(rt, NULL);
3508 + res = fib6_del(rt, NULL, NULL);
3511 printk(KERN_DEBUG "fib6_clean_node: del failed: rt=%p@%p err=%d\n", rt, rt->rt6i_node, res);
3512 diff -urN linux-2.4.30/net/ipv6/ip6_flowlabel.c linux-2.4.30-hf32.3/net/ipv6/ip6_flowlabel.c
3513 --- linux-2.4.30/net/ipv6/ip6_flowlabel.c 2000-08-07 07:20:09.000000000 +0200
3514 +++ linux-2.4.30-hf32.3/net/ipv6/ip6_flowlabel.c 2006-03-18 00:34:06.000000000 +0100
3519 - atomic_inc(&fl->users);
3520 + atomic_inc(&fl1->users);
3524 diff -urN linux-2.4.30/net/ipv6/mcast.c linux-2.4.30-hf32.3/net/ipv6/mcast.c
3525 --- linux-2.4.30/net/ipv6/mcast.c 2005-01-27 18:57:34.000000000 +0100
3526 +++ linux-2.4.30-hf32.3/net/ipv6/mcast.c 2006-03-18 00:34:06.000000000 +0100
3527 @@ -505,8 +505,11 @@
3528 sock_kfree_s(sk, newpsl, IP6_SFLSIZE(newpsl->sl_max));
3535 + (void) ip6_mc_add_src(idev, group, gsf->gf_fmode, 0, NULL, 0);
3540 (void) ip6_mc_del_src(idev, group, pmc->sfmode,
3541 @@ -1142,6 +1145,11 @@
3542 if (skb->pkt_type == PACKET_LOOPBACK)
3545 + /* send our report if the MC router may not have heard this report */
3546 + if (skb->pkt_type != PACKET_MULTICAST &&
3547 + skb->pkt_type != PACKET_BROADCAST)
3550 if (!pskb_may_pull(skb, sizeof(struct in6_addr)))
3553 @@ -1867,7 +1875,7 @@
3555 pmc->mca_sources = 0;
3556 pmc->mca_sfmode = MCAST_EXCLUDE;
3557 - pmc->mca_sfcount[MCAST_EXCLUDE] = 0;
3558 + pmc->mca_sfcount[MCAST_INCLUDE] = 0;
3559 pmc->mca_sfcount[MCAST_EXCLUDE] = 1;
3562 diff -urN linux-2.4.30/net/ipv6/ndisc.c linux-2.4.30-hf32.3/net/ipv6/ndisc.c
3563 --- linux-2.4.30/net/ipv6/ndisc.c 2004-11-17 12:54:22.000000000 +0100
3564 +++ linux-2.4.30-hf32.3/net/ipv6/ndisc.c 2006-03-18 00:34:06.000000000 +0100
3566 /* It is safe only because
3568 dst_release(&rt->u.dst);
3569 - ip6_del_rt(rt, NULL);
3570 + ip6_del_rt(rt, NULL, NULL);
3575 rt = rt6_get_dflt_router(&skb->nh.ipv6h->saddr, skb->dev);
3577 if (rt && lifetime == 0) {
3578 - ip6_del_rt(rt, NULL);
3579 + ip6_del_rt(rt, NULL, NULL);
3583 diff -urN linux-2.4.30/net/ipv6/netfilter/ip6_queue.c linux-2.4.30-hf32.3/net/ipv6/netfilter/ip6_queue.c
3584 --- linux-2.4.30/net/ipv6/netfilter/ip6_queue.c 2004-02-18 14:36:32.000000000 +0100
3585 +++ linux-2.4.30-hf32.3/net/ipv6/netfilter/ip6_queue.c 2006-03-18 00:34:06.000000000 +0100
3587 write_unlock_bh(&queue_lock);
3589 status = ipq_receive_peer(NLMSG_DATA(nlh), type,
3590 - skblen - NLMSG_LENGTH(0));
3591 + nlmsglen - NLMSG_LENGTH(0));
3593 RCV_SKB_FAIL(status);
3595 diff -urN linux-2.4.30/net/ipv6/route.c linux-2.4.30-hf32.3/net/ipv6/route.c
3596 --- linux-2.4.30/net/ipv6/route.c 2004-11-17 12:54:22.000000000 +0100
3597 +++ linux-2.4.30-hf32.3/net/ipv6/route.c 2006-03-18 00:34:06.000000000 +0100
3598 @@ -325,12 +325,12 @@
3602 -static int rt6_ins(struct rt6_info *rt, struct nlmsghdr *nlh)
3603 +static int rt6_ins(struct rt6_info *rt, struct nlmsghdr *nlh, struct netlink_skb_parms *req)
3607 write_lock_bh(&rt6_lock);
3608 - err = fib6_add(&ip6_routing_table, rt, nlh);
3609 + err = fib6_add(&ip6_routing_table, rt, nlh, req);
3610 write_unlock_bh(&rt6_lock);
3616 static struct rt6_info *rt6_cow(struct rt6_info *ort, struct in6_addr *daddr,
3617 - struct in6_addr *saddr)
3618 + struct in6_addr *saddr, struct netlink_skb_parms *req)
3621 struct rt6_info *rt;
3624 dst_hold(&rt->u.dst);
3626 - err = rt6_ins(rt, NULL);
3627 + err = rt6_ins(rt, NULL, req);
3632 read_unlock_bh(&rt6_lock);
3634 rt = rt6_cow(rt, &skb->nh.ipv6h->daddr,
3635 - &skb->nh.ipv6h->saddr);
3636 + &skb->nh.ipv6h->saddr,
3637 + &NETLINK_CB(skb));
3639 if (rt->u.dst.error != -EEXIST || --attempts <= 0)
3642 read_unlock_bh(&rt6_lock);
3644 rt = rt6_cow(rt, fl->nl_u.ip6_u.daddr,
3645 - fl->nl_u.ip6_u.saddr);
3646 + fl->nl_u.ip6_u.saddr, NULL);
3648 if (rt->u.dst.error != -EEXIST || --attempts <= 0)
3653 if (rt->rt6i_flags & RTF_CACHE)
3654 - ip6_del_rt(rt, NULL);
3655 + ip6_del_rt(rt, NULL, NULL);
3663 -int ip6_route_add(struct in6_rtmsg *rtmsg, struct nlmsghdr *nlh)
3664 +int ip6_route_add(struct in6_rtmsg *rtmsg, struct nlmsghdr *nlh, struct netlink_skb_parms *req)
3669 if (rt->u.dst.advmss > 65535-20)
3670 rt->u.dst.advmss = 65535;
3671 rt->u.dst.dev = dev;
3672 - return rt6_ins(rt, nlh);
3673 + return rt6_ins(rt, nlh, req);
3681 -int ip6_del_rt(struct rt6_info *rt, struct nlmsghdr *nlh)
3682 +int ip6_del_rt(struct rt6_info *rt, struct nlmsghdr *nlh, struct netlink_skb_parms *req)
3686 @@ -886,13 +887,13 @@
3688 dst_release(&rt->u.dst);
3690 - err = fib6_del(rt, nlh);
3691 + err = fib6_del(rt, nlh, req);
3692 write_unlock_bh(&rt6_lock);
3697 -int ip6_route_del(struct in6_rtmsg *rtmsg, struct nlmsghdr *nlh)
3698 +int ip6_route_del(struct in6_rtmsg *rtmsg, struct nlmsghdr *nlh, struct netlink_skb_parms *req)
3700 struct fib6_node *fn;
3701 struct rt6_info *rt;
3703 dst_hold(&rt->u.dst);
3704 read_unlock_bh(&rt6_lock);
3706 - return ip6_del_rt(rt, nlh);
3707 + return ip6_del_rt(rt, nlh, req);
3710 read_unlock_bh(&rt6_lock);
3711 @@ -1021,11 +1022,11 @@
3712 rt->u.dst.advmss = 65535;
3713 nrt->rt6i_hoplimit = ipv6_get_hoplimit(neigh->dev);
3715 - if (rt6_ins(nrt, NULL))
3716 + if (rt6_ins(nrt, NULL, NULL))
3719 if (rt->rt6i_flags&RTF_CACHE) {
3720 - ip6_del_rt(rt, NULL);
3721 + ip6_del_rt(rt, NULL, NULL);
3725 @@ -1087,7 +1088,7 @@
3726 2. It is gatewayed route or NONEXTHOP route. Action: clone it.
3728 if (!rt->rt6i_nexthop && !(rt->rt6i_flags & RTF_NONEXTHOP)) {
3729 - nrt = rt6_cow(rt, daddr, saddr);
3730 + nrt = rt6_cow(rt, daddr, saddr, NULL);
3731 if (!nrt->u.dst.error) {
3732 nrt->u.dst.pmtu = pmtu;
3733 /* According to RFC 1981, detecting PMTU increase shouldn't be
3734 @@ -1111,7 +1112,7 @@
3735 dst_set_expires(&nrt->u.dst, ip6_rt_mtu_expires);
3736 nrt->rt6i_flags |= RTF_DYNAMIC|RTF_CACHE|RTF_EXPIRES;
3737 nrt->u.dst.pmtu = pmtu;
3738 - rt6_ins(nrt, NULL);
3739 + rt6_ins(nrt, NULL, NULL);
3743 @@ -1184,7 +1185,7 @@
3745 rtmsg.rtmsg_ifindex = dev->ifindex;
3747 - ip6_route_add(&rtmsg, NULL);
3748 + ip6_route_add(&rtmsg, NULL, NULL);
3749 return rt6_get_dflt_router(gwaddr, dev);
3752 @@ -1210,7 +1211,7 @@
3754 read_unlock_bh(&rt6_lock);
3756 - ip6_del_rt(rt, NULL);
3757 + ip6_del_rt(rt, NULL, NULL);
3761 @@ -1236,10 +1237,10 @@
3765 - err = ip6_route_add(&rtmsg, NULL);
3766 + err = ip6_route_add(&rtmsg, NULL, NULL);
3769 - err = ip6_route_del(&rtmsg, NULL);
3770 + err = ip6_route_del(&rtmsg, NULL, NULL);
3774 @@ -1296,7 +1297,7 @@
3776 ipv6_addr_copy(&rt->rt6i_dst.addr, addr);
3777 rt->rt6i_dst.plen = 128;
3778 - rt6_ins(rt, NULL);
3779 + rt6_ins(rt, NULL, NULL);
3783 @@ -1313,7 +1314,7 @@
3784 rt = rt6_lookup(addr, NULL, loopback_dev.ifindex, 1);
3786 if (rt->rt6i_dst.plen == 128)
3787 - err = ip6_del_rt(rt, NULL);
3788 + err = ip6_del_rt(rt, NULL, NULL);
3790 dst_release(&rt->u.dst);
3792 @@ -1429,7 +1430,7 @@
3794 nrt->rt6i_flags |= RTF_CACHE;
3795 dst_hold(&nrt->u.dst);
3796 - err = rt6_ins(nrt, NULL);
3797 + err = rt6_ins(nrt, NULL, NULL);
3799 nrt->u.dst.error = err;
3801 @@ -1556,7 +1557,7 @@
3803 if (inet6_rtm_to_rtmsg(r, arg, &rtmsg))
3805 - return ip6_route_del(&rtmsg, nlh);
3806 + return ip6_route_del(&rtmsg, nlh, &NETLINK_CB(skb));
3809 int inet6_rtm_newroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
3810 @@ -1566,7 +1567,7 @@
3812 if (inet6_rtm_to_rtmsg(r, arg, &rtmsg))
3814 - return ip6_route_add(&rtmsg, nlh);
3815 + return ip6_route_add(&rtmsg, nlh, &NETLINK_CB(skb));
3818 struct rt6_rtnl_dump_arg
3819 @@ -1576,11 +1577,8 @@
3822 static int rt6_fill_node(struct sk_buff *skb, struct rt6_info *rt,
3823 - struct in6_addr *dst,
3824 - struct in6_addr *src,
3826 - int type, u32 pid, u32 seq,
3827 - struct nlmsghdr *in_nlh, int prefix)
3828 + struct in6_addr *dst, struct in6_addr *src,
3829 + int iif, int type, u32 pid, u32 seq, int prefix)
3832 struct nlmsghdr *nlh;
3833 @@ -1593,9 +1591,6 @@
3837 - if (!pid && in_nlh) {
3838 - pid = in_nlh->nlmsg_pid;
3841 nlh = NLMSG_PUT(skb, pid, seq, type, sizeof(*rtm));
3842 rtm = NLMSG_DATA(nlh);
3843 @@ -1683,7 +1678,7 @@
3845 return rt6_fill_node(arg->skb, rt, NULL, NULL, 0, RTM_NEWROUTE,
3846 NETLINK_CB(arg->cb->skb).pid, arg->cb->nlh->nlmsg_seq,
3851 static int fib6_dump_node(struct fib6_walker_t *w)
3852 @@ -1834,7 +1829,7 @@
3853 fl.nl_u.ip6_u.saddr,
3855 RTM_NEWROUTE, NETLINK_CB(in_skb).pid,
3856 - nlh->nlmsg_seq, nlh, 0);
3857 + nlh->nlmsg_seq, 0);
3861 @@ -1850,17 +1845,25 @@
3865 -void inet6_rt_notify(int event, struct rt6_info *rt, struct nlmsghdr *nlh)
3866 +void inet6_rt_notify(int event, struct rt6_info *rt, struct nlmsghdr *nlh,
3867 + struct netlink_skb_parms *req)
3869 struct sk_buff *skb;
3870 int size = NLMSG_SPACE(sizeof(struct rtmsg)+256);
3871 + u32 pid = current->pid;
3877 + seq = nlh->nlmsg_seq;
3879 skb = alloc_skb(size, gfp_any());
3881 netlink_set_err(rtnl, 0, RTMGRP_IPV6_ROUTE, ENOBUFS);
3884 - if (rt6_fill_node(skb, rt, NULL, NULL, 0, event, 0, 0, nlh, 0) < 0) {
3885 + if (rt6_fill_node(skb, rt, NULL, NULL, 0, event, pid, seq, 0) < 0) {
3887 netlink_set_err(rtnl, 0, RTMGRP_IPV6_ROUTE, EINVAL);
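Review bot: The pid placed in route notifications can now come from sources unrelated to the requester. In `inet6_rt_notify` it defaults to `current->pid`, yet the function allocates with `gfp_any()`, which suggests it may run outside process context, where `current` is whichever task was interrupted; `u32 pid = 0;` would be a neutral default. Earlier in this file `rt6_cow` is handed `&NETLINK_CB(skb)` for an skb whose `nh.ipv6h` is being read, which looks like a received packet rather than a netlink message, so its control block would be misread as netlink parameters; passing `NULL`, as the `fl->nl_u.ip6_u` caller does, avoids that. Several lines of these hunks are missing from the page, so both readings should be checked against the full source.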
3889 diff -urN linux-2.4.30/net/ipv6/udp.c linux-2.4.30-hf32.3/net/ipv6/udp.c
3890 --- linux-2.4.30/net/ipv6/udp.c 2004-11-17 12:54:22.000000000 +0100
3891 +++ linux-2.4.30-hf32.3/net/ipv6/udp.c 2006-03-18 00:34:06.000000000 +0100
3896 - for(;; result += UDP_HTABLE_SIZE) {
3897 + for(i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++, result += UDP_HTABLE_SIZE) {
3898 if (result > sysctl_local_port_range[1])
3899 result = sysctl_local_port_range[0]
3900 + ((result - sysctl_local_port_range[0]) &
3902 if (!udp_lport_inuse(result))
3905 + if (i >= (1 << 16) / UDP_HTABLE_SIZE)
3908 udp_port_rover = snum = result;
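Review bot: The bound `(1 << 16) / UDP_HTABLE_SIZE` is written twice, once in the `for` header and once in the exhaustion test after the loop, and the two must stay identical for that test to work. A named constant keeps them together, for example `const int max_tries = (1 << 16) / UDP_HTABLE_SIZE;` used in both places. The declaration of `i` and the rest of the function are outside the visible lines.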
3910 diff -urN linux-2.4.30/net/netlink/af_netlink.c linux-2.4.30-hf32.3/net/netlink/af_netlink.c
3911 --- linux-2.4.30/net/netlink/af_netlink.c 2005-04-14 09:43:35.000000000 +0200
3912 +++ linux-2.4.30-hf32.3/net/netlink/af_netlink.c 2006-03-18 00:34:06.000000000 +0100
3914 u32 pid = nlk_sk(sk)->pid;
3916 netlink_table_grab();
3918 for (skp = nl_pid_hashfn(hash, pid); *skp; skp = &((*skp)->next)) {
3924 @@ -450,7 +450,12 @@
3925 err = netlink_insert(sk, pid);
3926 if (err == -EADDRINUSE)
3930 + /* If 2 threads race to autobind, that is fine. */
3931 + if (err == -EBUSY)
3937 static inline int netlink_capable(struct socket *sock, unsigned int flag)