add kernel 2.4 hot fixes
[openwrt/svn-archive/archive.git] / openwrt / target / linux / linux-2.4 / patches / generic / 901-hot_fixes-32.3.patch
1 Hot Fix 32.3 for Linux Kernel 2.4.30 - 2006/03/18
2 From Willy Tarreau - EXOSEC < wtarreau at exosec.net >
3
4 http://linux.exosec.net/kernel/2.4-hf/
5
6 - CVE-2004-1058
7 - CVE-2004-2607
8 - CVE-2005-0204
9 - CVE-2005-1263
10 - CVE-2005-2457
11 - CVE-2005-2490
12 - CVE-2005-2708
13 - CVE-2005-2709
14 - CVE-2005-2973
15 - CVE-2005-3180
16 - CVE-2005-3257
17 - CVE-2005-3783
18 - CVE-2005-3806
19 - CVE-2005-3857
20
21
22 diff -urN linux-2.4.30/arch/alpha/kernel/Makefile linux-2.4.30-hf32.3/arch/alpha/kernel/Makefile
23 --- linux-2.4.30/arch/alpha/kernel/Makefile 2003-11-28 19:26:19.000000000 +0100
24 +++ linux-2.4.30-hf32.3/arch/alpha/kernel/Makefile 2006-03-18 00:34:06.000000000 +0100
25 @@ -76,7 +76,7 @@
26 obj-y += sys_alcor.o
27 endif
28 ifneq ($(CONFIG_ALPHA_CABRIOLET)$(CONFIG_ALPHA_EB164)$(CONFIG_ALPHA_EB66P)$(CONFIG_ALPHA_LX164)$(CONFIG_ALPHA_PC164),)
29 -obj-y += sys_cabriolet.o
30 +obj-y += sys_cabriolet.o ns87312.o
31 endif
32
33 obj-$(CONFIG_ALPHA_DP264) += sys_dp264.o
34 diff -urN linux-2.4.30/arch/alpha/kernel/pci_iommu.c linux-2.4.30-hf32.3/arch/alpha/kernel/pci_iommu.c
35 --- linux-2.4.30/arch/alpha/kernel/pci_iommu.c 2003-06-13 16:51:29.000000000 +0200
36 +++ linux-2.4.30-hf32.3/arch/alpha/kernel/pci_iommu.c 2006-03-18 00:34:06.000000000 +0100
37 @@ -503,7 +503,7 @@
38 /* Given a scatterlist leader, choose an allocation method and fill
39 in the blanks. */
40
41 -static inline int
42 +static int
43 sg_fill(struct scatterlist *leader, struct scatterlist *end,
44 struct scatterlist *out, struct pci_iommu_arena *arena,
45 dma_addr_t max_dma, int dac_allowed)
46 diff -urN linux-2.4.30/arch/i386/config.in linux-2.4.30-hf32.3/arch/i386/config.in
47 --- linux-2.4.30/arch/i386/config.in 2004-11-17 12:54:21.000000000 +0100
48 +++ linux-2.4.30-hf32.3/arch/i386/config.in 2006-03-18 00:34:06.000000000 +0100
49 @@ -65,6 +65,7 @@
50 define_bool CONFIG_X86_POPAD_OK y
51 define_bool CONFIG_RWSEM_GENERIC_SPINLOCK n
52 define_bool CONFIG_RWSEM_XCHGADD_ALGORITHM y
53 + define_bool CONFIG_X86_TSC n
54 fi
55 if [ "$CONFIG_M486" = "y" ]; then
56 define_int CONFIG_X86_L1_CACHE_SHIFT 4
57 @@ -72,6 +73,7 @@
58 define_bool CONFIG_X86_ALIGNMENT_16 y
59 define_bool CONFIG_X86_PPRO_FENCE y
60 define_bool CONFIG_X86_F00F_WORKS_OK n
61 + define_bool CONFIG_X86_TSC n
62 fi
63 if [ "$CONFIG_M586" = "y" ]; then
64 define_int CONFIG_X86_L1_CACHE_SHIFT 5
65 diff -urN linux-2.4.30/arch/i386/kernel/apm.c linux-2.4.30-hf32.3/arch/i386/kernel/apm.c
66 --- linux-2.4.30/arch/i386/kernel/apm.c 2003-08-25 13:44:39.000000000 +0200
67 +++ linux-2.4.30-hf32.3/arch/i386/kernel/apm.c 2006-03-18 00:34:06.000000000 +0100
68 @@ -327,7 +327,7 @@
69 * Save a segment register away
70 */
71 #define savesegment(seg, where) \
72 - __asm__ __volatile__("movl %%" #seg ",%0" : "=m" (where))
73 + __asm__ __volatile__("mov %%" #seg ",%0" : "=m" (where))
74
75 /*
76 * Maximum number of events stored
77 @@ -553,7 +553,7 @@
78
79 #ifdef APM_ZERO_SEGS
80 # define APM_DECL_SEGS \
81 - unsigned int saved_fs; unsigned int saved_gs;
82 + unsigned short saved_fs; unsigned short saved_gs;
83 # define APM_DO_SAVE_SEGS \
84 savesegment(fs, saved_fs); savesegment(gs, saved_gs)
85 # define APM_DO_ZERO_SEGS \
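Review bot: The narrowing of `saved_fs`/`saved_gs` to `unsigned short` in `APM_DECL_SEGS` is what makes the suffix-less `mov %%seg,%0` from the `savesegment` hunk above write a fully defined object: a segment-register store to a memory operand is always 16 bits, so the previous `unsigned int` only ever had its low half written. Neither hunk records why the change was made (presumably newer binutils reject the `movl` form with a memory destination), so a one-line comment on the macro, such as `/* seg->mem stores are 16-bit; declare as short so the whole object is written */`, would spare the next reader the archaeology. The same `movl` to `mov` edit is made in `arch/i386/kernel/process.c` and `arch/x86_64/kernel/process.c`, where the destination fields' declared types are outside the hunks and deserve the same width check.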
86 diff -urN linux-2.4.30/arch/i386/kernel/io_apic.c linux-2.4.30-hf32.3/arch/i386/kernel/io_apic.c
87 --- linux-2.4.30/arch/i386/kernel/io_apic.c 2004-11-17 12:54:21.000000000 +0100
88 +++ linux-2.4.30-hf32.3/arch/i386/kernel/io_apic.c 2006-03-18 00:34:06.000000000 +0100
89 @@ -1194,7 +1194,7 @@
90 * might have cached one ExtINT interrupt. Finally, at
91 * least one tick may be lost due to delays.
92 */
93 - if (jiffies - t1 > 4)
94 + if (jiffies - t1 > 4 && jiffies - t1 < 16)
95 return 1;
96
97 return 0;
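Review bot: The new upper bound `jiffies - t1 < 16` has no explanation, while the comment directly above only justifies the lower bound of `> 4` ticks. A short note stating which failure mode an excessive tick count is meant to catch, e.g. `/* far more ticks than the window allows: the timer is not behaving, report failure */` adjusted to the real reason, would make the magic `16` reviewable. The enclosing function starts outside the hunk.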
98 diff -urN linux-2.4.30/arch/i386/kernel/mtrr.c linux-2.4.30-hf32.3/arch/i386/kernel/mtrr.c
99 --- linux-2.4.30/arch/i386/kernel/mtrr.c 2004-08-08 01:26:04.000000000 +0200
100 +++ linux-2.4.30-hf32.3/arch/i386/kernel/mtrr.c 2006-03-18 00:34:06.000000000 +0100
101 @@ -1674,6 +1674,7 @@
102 char *ptr;
103 char line[LINE_SIZE];
104
105 + if (!len) return -EINVAL;
106 if ( !suser () ) return -EPERM;
107 /* Can't seek (pwrite) on this device */
108 if (ppos != &file->f_pos) return -ESPIPE;
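Review bot: The added `if (!len) return -EINVAL;` sits ahead of the `suser()` test, so the handler's first decision is now on a user-controlled value rather than on privilege; ordering it as `if ( !suser () ) return -EPERM;` followed by the length check keeps unprivileged writers from observing anything but -EPERM. The guard also does not say what a zero length would break further down (presumably a `len - 1` computation or a copy sized from `len`, which is outside the hunk), so a comment such as `/* an empty write would underflow the length arithmetic below */`, or the actual reason, is worth adding. The enclosing function starts outside the hunk.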
109 diff -urN linux-2.4.30/arch/i386/kernel/process.c linux-2.4.30-hf32.3/arch/i386/kernel/process.c
110 --- linux-2.4.30/arch/i386/kernel/process.c 2004-11-17 12:54:21.000000000 +0100
111 +++ linux-2.4.30-hf32.3/arch/i386/kernel/process.c 2006-03-18 00:34:06.000000000 +0100
112 @@ -544,7 +544,7 @@
113 * Save a segment.
114 */
115 #define savesegment(seg,value) \
116 - asm volatile("movl %%" #seg ",%0":"=m" (*(int *)&(value)))
117 + asm volatile("mov %%" #seg ",%0":"=m" (value))
118
119 int copy_thread(int nr, unsigned long clone_flags, unsigned long esp,
120 unsigned long unused,
121 @@ -661,8 +661,8 @@
122 * Save away %fs and %gs. No need to save %es and %ds, as
123 * those are always kernel segments while inside the kernel.
124 */
125 - asm volatile("movl %%fs,%0":"=m" (*(int *)&prev->fs));
126 - asm volatile("movl %%gs,%0":"=m" (*(int *)&prev->gs));
127 + asm volatile("mov %%fs,%0":"=m" (prev->fs));
128 + asm volatile("mov %%gs,%0":"=m" (prev->gs));
129
130 /*
131 * Restore %fs and %gs.
132 diff -urN linux-2.4.30/arch/i386/kernel/traps.c linux-2.4.30-hf32.3/arch/i386/kernel/traps.c
133 --- linux-2.4.30/arch/i386/kernel/traps.c 2002-11-29 00:53:09.000000000 +0100
134 +++ linux-2.4.30-hf32.3/arch/i386/kernel/traps.c 2006-03-18 00:34:06.000000000 +0100
135 @@ -631,15 +631,14 @@
136 */
137 cwd = get_fpu_cwd(task);
138 swd = get_fpu_swd(task);
139 - switch (((~cwd) & swd & 0x3f) | (swd & 0x240)) {
140 + switch (swd & ~cwd & 0x3f) {
141 case 0x000:
142 default:
143 break;
144 case 0x001: /* Invalid Op */
145 - case 0x041: /* Stack Fault */
146 - case 0x241: /* Stack Fault | Direction */
147 + /* swd & 0x240 == 0x040: Stack Fault */
148 + /* swd & 0x240 == 0x240: Stack Fault | Direction */
149 info.si_code = FPE_FLTINV;
150 - /* Should we clear the SF or let user space do it ???? */
151 break;
152 case 0x002: /* Denormalize */
153 case 0x010: /* Underflow */
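Review bot: The two replacement comments in the `case 0x001:` arm read `swd & 0x240 == 0x040`, which as a C expression parses as `swd & (0x240 == 0x040)` because `==` binds tighter than `&`; since their purpose is to explain why the removed `0x041`/`0x241` cases now fold into `0x001` under `switch (swd & ~cwd & 0x3f)`, write them as `/* (swd & 0x240) == 0x040: Stack Fault */` and `/* (swd & 0x240) == 0x240: Stack Fault | Direction */`. The deleted question about clearing SF leaves that decision undocumented; if this change settles it, one sentence saying how would be worth keeping in its place.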
154 diff -urN linux-2.4.30/arch/ia64/ia32/sys_ia32.c linux-2.4.30-hf32.3/arch/ia64/ia32/sys_ia32.c
155 --- linux-2.4.30/arch/ia64/ia32/sys_ia32.c 2005-04-14 09:43:32.000000000 +0200
156 +++ linux-2.4.30-hf32.3/arch/ia64/ia32/sys_ia32.c 2006-03-18 00:34:06.000000000 +0100
157 @@ -94,7 +94,7 @@
158 static DECLARE_MUTEX(ia32_mmap_sem);
159
160 static int
161 -nargs (unsigned int arg, char **ap)
162 +nargs (unsigned int arg, char **ap, int max)
163 {
164 unsigned int addr;
165 int n, err;
166 @@ -107,6 +107,8 @@
167 err = get_user(addr, (unsigned int *)A(arg));
168 if (err)
169 return err;
170 + if (n > max)
171 + return -E2BIG;
172 if (ap)
173 *ap++ = (char *) A(addr);
174 arg += sizeof(unsigned int);
175 @@ -128,10 +130,11 @@
176 int na, ne, len;
177 long r;
178
179 - na = nargs(argv, NULL);
180 + /* Allocates upto 2x MAX_ARG_PAGES */
181 + na = nargs(argv, NULL, (MAX_ARG_PAGES*PAGE_SIZE) / sizeof(char *) - 1);
182 if (na < 0)
183 return na;
184 - ne = nargs(envp, NULL);
185 + ne = nargs(envp, NULL, (MAX_ARG_PAGES*PAGE_SIZE) / sizeof(char *) - 1 );
186 if (ne < 0)
187 return ne;
188 len = (na + ne + 2) * sizeof(*av);
189 @@ -143,10 +146,10 @@
190 av[na] = NULL;
191 ae[ne] = NULL;
192
193 - r = nargs(argv, av);
194 + r = nargs(argv, av, na);
195 if (r < 0)
196 goto out;
197 - r = nargs(envp, ae);
198 + r = nargs(envp, ae, ne);
199 if (r < 0)
200 goto out;
201
202 @@ -1439,6 +1442,7 @@
203
204 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
205 CMSG_ALIGN(sizeof(struct cmsghdr)));
206 + tmp = CMSG_ALIGN(tmp);
207 kcmlen += tmp;
208 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
209 }
210 @@ -1475,7 +1479,7 @@
211 goto out_free_efault;
212
213 /* Advance. */
214 - kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
215 + kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
216 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
217 }
218
219 diff -urN linux-2.4.30/arch/ia64/mm/fault.c linux-2.4.30-hf32.3/arch/ia64/mm/fault.c
220 --- linux-2.4.30/arch/ia64/mm/fault.c 2003-08-25 13:44:39.000000000 +0200
221 +++ linux-2.4.30-hf32.3/arch/ia64/mm/fault.c 2006-03-18 00:34:06.000000000 +0100
222 @@ -206,9 +206,6 @@
223 return;
224 }
225
226 - if (done_with_exception(regs))
227 - return;
228 -
229 /*
230 * Since we have no vma's for region 5, we might get here even if the address is
231 * valid, due to the VHPT walker inserting a non present translation that becomes
232 @@ -219,6 +216,9 @@
233 if (REGION_NUMBER(address) == 5 && mapped_kernel_page_is_present(address))
234 return;
235
236 + if (done_with_exception(regs))
237 + return;
238 +
239 /*
240 * Oops. The kernel tried to access some bad page. We'll have to terminate things
241 * with extreme prejudice.
242 diff -urN linux-2.4.30/arch/parisc/kernel/ioctl32.c linux-2.4.30-hf32.3/arch/parisc/kernel/ioctl32.c
243 --- linux-2.4.30/arch/parisc/kernel/ioctl32.c 2005-01-27 18:57:31.000000000 +0100
244 +++ linux-2.4.30-hf32.3/arch/parisc/kernel/ioctl32.c 2006-03-18 00:34:06.000000000 +0100
245 @@ -35,6 +35,7 @@
246 #include <linux/cdrom.h>
247 #include <linux/loop.h>
248 #include <linux/auto_fs.h>
249 +#include <linux/auto_fs4.h>
250 #include <linux/devfs_fs.h>
251 #include <linux/tty.h>
252 #include <linux/vt_kern.h>
253 diff -urN linux-2.4.30/arch/parisc/kernel/sys_parisc32.c linux-2.4.30-hf32.3/arch/parisc/kernel/sys_parisc32.c
254 --- linux-2.4.30/arch/parisc/kernel/sys_parisc32.c 2005-04-14 09:43:33.000000000 +0200
255 +++ linux-2.4.30-hf32.3/arch/parisc/kernel/sys_parisc32.c 2006-03-18 00:34:06.000000000 +0100
256 @@ -1934,12 +1934,13 @@
257 struct cmsghdr *kcmsg, *kcmsg_base;
258 __kernel_size_t32 ucmlen;
259 __kernel_size_t kcmlen, tmp;
260 + int err = -EFAULT;
261
262 kcmlen = 0;
263 kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
264 ucmsg = CMSG32_FIRSTHDR(kmsg);
265 while(ucmsg != NULL) {
266 - if(get_user(ucmlen, &ucmsg->cmsg_len))
267 + if (get_user(ucmlen, &ucmsg->cmsg_len))
268 return -EFAULT;
269
270 /* Catch bogons. */
271 @@ -1948,6 +1949,7 @@
272
273 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
274 CMSG_ALIGN(sizeof(struct cmsghdr)));
275 + tmp = CMSG_ALIGN(tmp);
276 kcmlen += tmp;
277 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
278 }
279 @@ -1968,21 +1970,23 @@
280 memset(kcmsg, 0, kcmlen);
281 ucmsg = CMSG32_FIRSTHDR(kmsg);
282 while(ucmsg != NULL) {
283 - __get_user(ucmlen, &ucmsg->cmsg_len);
284 + if (__get_user(ucmlen, &ucmsg->cmsg_len))
285 + goto Efault;
286 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
287 CMSG_ALIGN(sizeof(struct cmsghdr)));
288 + if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
289 + goto Einval;
290 kcmsg->cmsg_len = tmp;
291 - __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
292 - __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
293 -
294 - /* Copy over the data. */
295 - if(copy_from_user(CMSG_DATA(kcmsg),
296 - CMSG32_DATA(ucmsg),
297 - (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
298 - goto out_free_efault;
299 + tmp = CMSG_ALIGN(tmp);
300 + if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
301 + __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
302 + copy_from_user(CMSG_DATA(kcmsg),
303 + CMSG32_DATA(ucmsg),
304 + (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
305 + goto Efault;
306
307 /* Advance. */
308 - kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
309 + kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
310 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
311 }
312
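Review bot: The copy loop re-reads the length from user memory with `if (__get_user(ucmlen, &ucmsg->cmsg_len)) goto Efault;` and then computes `tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) + ...)` without repeating whatever lower-bound validation the first pass performs under `/* Catch bogons. */`; the new size check only rejects a `tmp` that is too large, so a `cmsg_len` that shrinks below the 32-bit header size between the two passes underflows the subtraction and reaches `copy_from_user` with a wrapped length. Repeating the first pass's bogon test immediately after the `__get_user`, with `goto Einval;` on failure, closes that window. The same sequence appears in the ppc64 (`sys_ppc32.c`), s390x (`linux32.c`), sparc64 (`sys_sparc32.c`) and x86_64 (`socket32.c`) hunks of this patch. Separately, `(char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp)` compares a pointer difference with a `__kernel_size_t`, so it is evaluated unsigned; that is only safe because `kcmsg` never passes the end of the buffer, and a `(size_t)` cast on the left would make the intent explicit.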
313 @@ -1991,10 +1995,12 @@
314 kmsg->msg_controllen = kcmlen;
315 return 0;
316
317 -out_free_efault:
318 - if(kcmsg_base != (struct cmsghdr *)stackbuf)
319 +Einval:
320 + err = -EINVAL;
321 +Efault:
322 + if (kcmsg_base != (struct cmsghdr *)stackbuf)
323 kfree(kcmsg_base);
324 - return -EFAULT;
325 + return err;
326 }
327
328 static void put_cmsg32(struct msghdr *kmsg, int level, int type,
329 diff -urN linux-2.4.30/arch/ppc/boot/lib/zlib.c linux-2.4.30-hf32.3/arch/ppc/boot/lib/zlib.c
330 --- linux-2.4.30/arch/ppc/boot/lib/zlib.c 2003-08-25 13:44:40.000000000 +0200
331 +++ linux-2.4.30-hf32.3/arch/ppc/boot/lib/zlib.c 2006-03-18 00:34:06.000000000 +0100
332 @@ -1322,6 +1322,7 @@
333 if ((j = *p++) != 0)
334 v[x[j]++] = i;
335 } while (++i < n);
336 + n = x[g]; /* set n to length of v */
337
338
339 /* Generate the Huffman codes and for each, make the table entries */
340 diff -urN linux-2.4.30/arch/ppc64/boot/zlib.c linux-2.4.30-hf32.3/arch/ppc64/boot/zlib.c
341 --- linux-2.4.30/arch/ppc64/boot/zlib.c 2003-08-25 13:44:40.000000000 +0200
342 +++ linux-2.4.30-hf32.3/arch/ppc64/boot/zlib.c 2006-03-18 00:34:06.000000000 +0100
343 @@ -1338,6 +1338,7 @@
344 if ((j = *p++) != 0)
345 v[x[j]++] = i;
346 } while (++i < n);
347 + n = x[g]; /* set n to length of v */
348
349
350 /* Generate the Huffman codes and for each, make the table entries */
351 diff -urN linux-2.4.30/arch/ppc64/kernel/ioctl32.c linux-2.4.30-hf32.3/arch/ppc64/kernel/ioctl32.c
352 --- linux-2.4.30/arch/ppc64/kernel/ioctl32.c 2005-01-27 18:57:31.000000000 +0100
353 +++ linux-2.4.30-hf32.3/arch/ppc64/kernel/ioctl32.c 2006-03-18 00:34:06.000000000 +0100
354 @@ -49,6 +49,7 @@
355 #include <linux/cdrom.h>
356 #include <linux/loop.h>
357 #include <linux/auto_fs.h>
358 +#include <linux/autofs_4.h>
359 #include <linux/devfs_fs.h>
360 #include <linux/tty.h>
361 #include <linux/vt_kern.h>
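Review bot: The added include is spelled `#include <linux/autofs_4.h>` here but `#include <linux/auto_fs4.h>` in the parallel parisc hunk (`arch/parisc/kernel/ioctl32.c`); both cannot be right, and the header I know of is `include/linux/auto_fs4.h`, so this line looks like a typo that would break the ppc64 build once the patch is applied. Change it to `#include <linux/auto_fs4.h>` unless a header of the other name exists in this tree.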
362 @@ -876,13 +877,15 @@
363 r = (void *) &r4;
364 }
365
366 - if (ret)
367 - return -EFAULT;
368 + if (ret) {
369 + ret = -EFAULT;
370 + goto out;
371 + }
372
373 set_fs (KERNEL_DS);
374 ret = sys_ioctl (fd, cmd, (long) r);
375 set_fs (old_fs);
376 -
377 +out:
378 if (mysock)
379 sockfd_put(mysock);
380
381 diff -urN linux-2.4.30/arch/ppc64/kernel/signal.c linux-2.4.30-hf32.3/arch/ppc64/kernel/signal.c
382 --- linux-2.4.30/arch/ppc64/kernel/signal.c 2005-01-27 18:57:31.000000000 +0100
383 +++ linux-2.4.30-hf32.3/arch/ppc64/kernel/signal.c 2006-03-18 00:34:06.000000000 +0100
384 @@ -332,7 +332,7 @@
385 }
386
387
388 -asmlinkage int
389 +asmlinkage long
390 sys_rt_sigreturn(unsigned long r3, unsigned long r4, unsigned long r5,
391 unsigned long r6, unsigned long r7, unsigned long r8,
392 struct pt_regs *regs)
393 diff -urN linux-2.4.30/arch/ppc64/kernel/sys_ppc32.c linux-2.4.30-hf32.3/arch/ppc64/kernel/sys_ppc32.c
394 --- linux-2.4.30/arch/ppc64/kernel/sys_ppc32.c 2005-04-14 09:43:33.000000000 +0200
395 +++ linux-2.4.30-hf32.3/arch/ppc64/kernel/sys_ppc32.c 2006-03-18 00:34:06.000000000 +0100
396 @@ -3442,12 +3442,13 @@
397 struct cmsghdr *kcmsg, *kcmsg_base;
398 __kernel_size_t32 ucmlen;
399 __kernel_size_t kcmlen, tmp;
400 + int err = -EFAULT;
401
402 kcmlen = 0;
403 kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
404 ucmsg = CMSG32_FIRSTHDR(kmsg);
405 while(ucmsg != NULL) {
406 - if(get_user(ucmlen, &ucmsg->cmsg_len))
407 + if (get_user(ucmlen, &ucmsg->cmsg_len))
408 return -EFAULT;
409
410 /* Catch bogons. */
411 @@ -3456,6 +3457,7 @@
412
413 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
414 CMSG_ALIGN(sizeof(struct cmsghdr)));
415 + tmp = CMSG_ALIGN(tmp);
416 kcmlen += tmp;
417 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
418 }
419 @@ -3476,21 +3478,23 @@
420 memset(kcmsg, 0, kcmlen);
421 ucmsg = CMSG32_FIRSTHDR(kmsg);
422 while (ucmsg != NULL) {
423 - __get_user(ucmlen, &ucmsg->cmsg_len);
424 + if (__get_user(ucmlen, &ucmsg->cmsg_len))
425 + goto Efault;
426 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
427 CMSG_ALIGN(sizeof(struct cmsghdr)));
428 + if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
429 + goto Einval;
430 kcmsg->cmsg_len = tmp;
431 - __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
432 - __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
433 -
434 - /* Copy over the data. */
435 - if(copy_from_user(CMSG_DATA(kcmsg),
436 - CMSG32_DATA(ucmsg),
437 - (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
438 - goto out_free_efault;
439 + tmp = CMSG_ALIGN(tmp);
440 + if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
441 + __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
442 + copy_from_user(CMSG_DATA(kcmsg),
443 + CMSG32_DATA(ucmsg),
444 + (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
445 + goto Efault;
446
447 /* Advance. */
448 - kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
449 + kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
450 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
451 }
452
453 @@ -3499,10 +3503,12 @@
454 kmsg->msg_controllen = kcmlen;
455 return 0;
456
457 -out_free_efault:
458 - if(kcmsg_base != (struct cmsghdr *)stackbuf)
459 +Einval:
460 + err = -EINVAL;
461 +Efault:
462 + if (kcmsg_base != (struct cmsghdr *)stackbuf)
463 kfree(kcmsg_base);
464 - return -EFAULT;
465 + return err;
466 }
467
468 asmlinkage long sys32_sendmsg(int fd, struct msghdr32* user_msg, unsigned int user_flags)
469 diff -urN linux-2.4.30/arch/s390x/kernel/linux32.c linux-2.4.30-hf32.3/arch/s390x/kernel/linux32.c
470 --- linux-2.4.30/arch/s390x/kernel/linux32.c 2005-04-14 09:43:33.000000000 +0200
471 +++ linux-2.4.30-hf32.3/arch/s390x/kernel/linux32.c 2006-03-18 00:34:06.000000000 +0100
472 @@ -2425,12 +2425,13 @@
473 struct cmsghdr *kcmsg, *kcmsg_base;
474 __kernel_size_t32 ucmlen;
475 __kernel_size_t kcmlen, tmp;
476 + int err = -EFAULT;
477
478 kcmlen = 0;
479 kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
480 ucmsg = CMSG32_FIRSTHDR(kmsg);
481 while(ucmsg != NULL) {
482 - if(get_user(ucmlen, &ucmsg->cmsg_len))
483 + if (get_user(ucmlen, &ucmsg->cmsg_len))
484 return -EFAULT;
485
486 /* Catch bogons. */
487 @@ -2439,6 +2440,7 @@
488
489 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
490 CMSG_ALIGN(sizeof(struct cmsghdr)));
491 + tmp = CMSG_ALIGN(tmp);
492 kcmlen += tmp;
493 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
494 }
495 @@ -2459,21 +2461,23 @@
496 memset(kcmsg, 0, kcmlen);
497 ucmsg = CMSG32_FIRSTHDR(kmsg);
498 while(ucmsg != NULL) {
499 - __get_user(ucmlen, &ucmsg->cmsg_len);
500 + if (__get_user(ucmlen, &ucmsg->cmsg_len))
501 + goto Efault;
502 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
503 CMSG_ALIGN(sizeof(struct cmsghdr)));
504 + if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
505 + goto Einval;
506 kcmsg->cmsg_len = tmp;
507 - __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
508 - __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
509 -
510 - /* Copy over the data. */
511 - if(copy_from_user(CMSG_DATA(kcmsg),
512 - CMSG32_DATA(ucmsg),
513 - (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
514 - goto out_free_efault;
515 + tmp = CMSG_ALIGN(tmp);
516 + if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
517 + __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
518 + copy_from_user(CMSG_DATA(kcmsg),
519 + CMSG32_DATA(ucmsg),
520 + (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
521 + goto Efault;
522
523 /* Advance. */
524 - kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
525 + kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
526 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
527 }
528
529 @@ -2482,10 +2486,12 @@
530 kmsg->msg_controllen = kcmlen;
531 return 0;
532
533 -out_free_efault:
534 - if(kcmsg_base != (struct cmsghdr *)stackbuf)
535 +Einval:
536 + err = -EINVAL;
537 +Efault:
538 + if (kcmsg_base != (struct cmsghdr *)stackbuf)
539 kfree(kcmsg_base);
540 - return -EFAULT;
541 + return err;
542 }
543
544 static void put_cmsg32(struct msghdr *kmsg, int level, int type,
545 diff -urN linux-2.4.30/arch/sparc/math-emu/math.c linux-2.4.30-hf32.3/arch/sparc/math-emu/math.c
546 --- linux-2.4.30/arch/sparc/math-emu/math.c 1999-12-03 00:28:54.000000000 +0100
547 +++ linux-2.4.30-hf32.3/arch/sparc/math-emu/math.c 2006-03-18 00:34:06.000000000 +0100
548 @@ -323,10 +323,6 @@
549 case FMOVS:
550 case FABSS:
551 case FNEGS: TYPE(2,1,0,1,0,0,0); break;
552 - default:
553 -#ifdef DEBUG_MATHEMU
554 - printk("unknown FPop1: %03lx\n",(insn>>5)&0x1ff);
555 -#endif
556 }
557 } else if ((insn & 0xc1f80000) == 0x81a80000) /* FPOP2 */ {
558 switch ((insn >> 5) & 0x1ff) {
559 @@ -336,10 +332,6 @@
560 case FCMPED: TYPE(3,0,0,2,1,2,1); break;
561 case FCMPQ: TYPE(3,0,0,3,1,3,1); break;
562 case FCMPEQ: TYPE(3,0,0,3,1,3,1); break;
563 - default:
564 -#ifdef DEBUG_MATHEMU
565 - printk("unknown FPop2: %03lx\n",(insn>>5)&0x1ff);
566 -#endif
567 }
568 }
569
570 diff -urN linux-2.4.30/arch/sparc64/kernel/ioctl32.c linux-2.4.30-hf32.3/arch/sparc64/kernel/ioctl32.c
571 --- linux-2.4.30/arch/sparc64/kernel/ioctl32.c 2005-04-14 09:43:33.000000000 +0200
572 +++ linux-2.4.30-hf32.3/arch/sparc64/kernel/ioctl32.c 2006-03-18 00:34:06.000000000 +0100
573 @@ -809,13 +809,15 @@
574 r = (void *) &r4;
575 }
576
577 - if (ret)
578 - return -EFAULT;
579 + if (ret) {
580 + ret = -EFAULT;
581 + goto out;
582 + }
583
584 set_fs (KERNEL_DS);
585 ret = sys_ioctl (fd, cmd, (long) r);
586 set_fs (old_fs);
587 -
588 +out:
589 if (mysock)
590 sockfd_put(mysock);
591
592 diff -urN linux-2.4.30/arch/sparc64/kernel/sys_sparc32.c linux-2.4.30-hf32.3/arch/sparc64/kernel/sys_sparc32.c
593 --- linux-2.4.30/arch/sparc64/kernel/sys_sparc32.c 2005-04-14 09:43:33.000000000 +0200
594 +++ linux-2.4.30-hf32.3/arch/sparc64/kernel/sys_sparc32.c 2006-03-18 00:34:06.000000000 +0100
595 @@ -50,6 +50,7 @@
596 #include <linux/in.h>
597 #include <linux/icmpv6.h>
598 #include <linux/sysctl.h>
599 +#include <linux/vmalloc.h>
600 #include <linux/dnotify.h>
601 #include <linux/netfilter_ipv4/ip_tables.h>
602
603 @@ -2496,12 +2497,13 @@
604 struct cmsghdr *kcmsg, *kcmsg_base;
605 __kernel_size_t32 ucmlen;
606 __kernel_size_t kcmlen, tmp;
607 + int err = -EFAULT;
608
609 kcmlen = 0;
610 kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
611 ucmsg = CMSG32_FIRSTHDR(kmsg);
612 while(ucmsg != NULL) {
613 - if(get_user(ucmlen, &ucmsg->cmsg_len))
614 + if (get_user(ucmlen, &ucmsg->cmsg_len))
615 return -EFAULT;
616
617 /* Catch bogons. */
618 @@ -2510,6 +2512,7 @@
619
620 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
621 CMSG_ALIGN(sizeof(struct cmsghdr)));
622 + tmp = CMSG_ALIGN(tmp);
623 kcmlen += tmp;
624 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
625 }
626 @@ -2530,21 +2533,23 @@
627 memset(kcmsg, 0, kcmlen);
628 ucmsg = CMSG32_FIRSTHDR(kmsg);
629 while(ucmsg != NULL) {
630 - __get_user(ucmlen, &ucmsg->cmsg_len);
631 + if (__get_user(ucmlen, &ucmsg->cmsg_len))
632 + goto Efault;
633 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
634 CMSG_ALIGN(sizeof(struct cmsghdr)));
635 + if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
636 + goto Einval;
637 kcmsg->cmsg_len = tmp;
638 - __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
639 - __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
640 -
641 - /* Copy over the data. */
642 - if(copy_from_user(CMSG_DATA(kcmsg),
643 - CMSG32_DATA(ucmsg),
644 - (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
645 - goto out_free_efault;
646 + tmp = CMSG_ALIGN(tmp);
647 + if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
648 + __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
649 + copy_from_user(CMSG_DATA(kcmsg),
650 + CMSG32_DATA(ucmsg),
651 + (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
652 + goto Efault;
653
654 /* Advance. */
655 - kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
656 + kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
657 ucmsg = CMSG32_NXTHDR(kmsg, ucmsg, ucmlen);
658 }
659
660 @@ -2553,10 +2558,12 @@
661 kmsg->msg_controllen = kcmlen;
662 return 0;
663
664 -out_free_efault:
665 - if(kcmsg_base != (struct cmsghdr *)stackbuf)
666 +Einval:
667 + err = -EINVAL;
668 +Efault:
669 + if (kcmsg_base != (struct cmsghdr *)stackbuf)
670 kfree(kcmsg_base);
671 - return -EFAULT;
672 + return err;
673 }
674
675 static void put_cmsg32(struct msghdr *kmsg, int level, int type,
676 @@ -2919,12 +2926,12 @@
677 if (optlen != kreplsize)
678 return -ENOPROTOOPT;
679
680 - krepl = (struct ipt_replace *)kmalloc(kreplsize, GFP_KERNEL);
681 + krepl = (struct ipt_replace *)vmalloc(kreplsize);
682 if (krepl == NULL)
683 return -ENOMEM;
684
685 if (copy_from_user(krepl, optval, kreplsize)) {
686 - kfree(krepl);
687 + vfree(krepl);
688 return -EFAULT;
689 }
690
691 @@ -2932,10 +2939,9 @@
692 ((struct ipt_replace32 *)krepl)->counters);
693
694 kcountersize = krepl->num_counters * sizeof(struct ipt_counters);
695 - krepl->counters = (struct ipt_counters *)kmalloc(
696 - kcountersize, GFP_KERNEL);
697 + krepl->counters = (struct ipt_counters *)vmalloc(kcountersize);
698 if (krepl->counters == NULL) {
699 - kfree(krepl);
700 + vfree(krepl);
701 return -ENOMEM;
702 }
703
704 @@ -2949,8 +2955,8 @@
705 copy_to_user(counters32, krepl->counters, kcountersize))
706 ret = -EFAULT;
707
708 - kfree(krepl->counters);
709 - kfree(krepl);
710 + vfree(krepl->counters);
711 + vfree(krepl);
712
713 return ret;
714 }
715 @@ -4205,7 +4211,7 @@
716
717 old_fs = get_fs();
718 set_fs(KERNEL_DS);
719 - ret = sys_utimes(kfilename, &ktvs[0]);
720 + ret = sys_utimes(kfilename, (tvs ? &ktvs[0] : NULL));
721 set_fs(old_fs);
722
723 putname(kfilename);
724 diff -urN linux-2.4.30/arch/sparc64/solaris/socket.c linux-2.4.30-hf32.3/arch/sparc64/solaris/socket.c
725 --- linux-2.4.30/arch/sparc64/solaris/socket.c 2001-02-19 04:49:54.000000000 +0100
726 +++ linux-2.4.30-hf32.3/arch/sparc64/solaris/socket.c 2006-03-18 00:34:06.000000000 +0100
727 @@ -410,8 +410,10 @@
728 unsigned long *kcmsg;
729 __kernel_size_t32 cmlen;
730
731 - if(kern_msg.msg_controllen > sizeof(ctl) &&
732 - kern_msg.msg_controllen <= 256) {
733 + if (kern_msg.msg_controllen <= sizeof(__kernel_size_t32))
734 + return -EINVAL;
735 +
736 + if(kern_msg.msg_controllen > sizeof(ctl)) {
737 err = -ENOBUFS;
738 ctl_buf = kmalloc(kern_msg.msg_controllen, GFP_KERNEL);
739 if(!ctl_buf)
740 diff -urN linux-2.4.30/arch/x86_64/ia32/ia32_ioctl.c linux-2.4.30-hf32.3/arch/x86_64/ia32/ia32_ioctl.c
741 --- linux-2.4.30/arch/x86_64/ia32/ia32_ioctl.c 2005-01-27 18:57:31.000000000 +0100
742 +++ linux-2.4.30-hf32.3/arch/x86_64/ia32/ia32_ioctl.c 2006-03-18 00:34:06.000000000 +0100
743 @@ -816,6 +816,11 @@
744
745 extern struct socket *sockfd_lookup(int fd, int *err);
746
747 +extern __inline__ void sockfd_put(struct socket *sock)
748 +{
749 + fput(sock->file);
750 +}
751 +
752 static int routing_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
753 {
754 int ret;
755 @@ -857,12 +862,17 @@
756 r = (void *) &r4;
757 }
758
759 - if (ret)
760 - return -EFAULT;
761 + if (ret) {
762 + ret = -EFAULT;
763 + goto out;
764 + }
765
766 set_fs (KERNEL_DS);
767 ret = sys_ioctl (fd, cmd, (long) r);
768 set_fs (old_fs);
769 +out:
770 + if (mysock)
771 + sockfd_put(mysock);
772
773 return ret;
774 }
775 @@ -2766,17 +2776,24 @@
776 static int tiocgdev(unsigned fd, unsigned cmd, unsigned int *ptr)
777 {
778
779 - struct file *file = fget(fd);
780 + struct file *file;
781 struct tty_struct *real_tty;
782 + int ret;
783
784 + file = fget(fd);
785 if (!file)
786 return -EBADF;
787 + ret = -EINVAL;
788 if (file->f_op->ioctl != tty_ioctl)
789 - return -EINVAL;
790 + goto out;
791 real_tty = (struct tty_struct *)file->private_data;
792 if (!real_tty)
793 - return -EINVAL;
794 - return put_user(kdev_t_to_nr(real_tty->device), ptr);
795 + goto out;
796 + ret = put_user(kdev_t_to_nr(real_tty->device), ptr);
797 +out:
798 + fput(file);
799 +
800 + return ret;
801 }
802
803
804 diff -urN linux-2.4.30/arch/x86_64/ia32/socket32.c linux-2.4.30-hf32.3/arch/x86_64/ia32/socket32.c
805 --- linux-2.4.30/arch/x86_64/ia32/socket32.c 2005-04-14 09:43:33.000000000 +0200
806 +++ linux-2.4.30-hf32.3/arch/x86_64/ia32/socket32.c 2006-03-18 00:34:06.000000000 +0100
807 @@ -127,12 +127,13 @@
808 struct cmsghdr *kcmsg, *kcmsg_base;
809 __kernel_size_t32 ucmlen;
810 __kernel_size_t kcmlen, tmp;
811 + int err = -EFAULT;
812
813 kcmlen = 0;
814 kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
815 ucmsg = CMSG32_FIRSTHDR(kmsg);
816 while(ucmsg != NULL) {
817 - if(get_user(ucmlen, &ucmsg->cmsg_len))
818 + if (get_user(ucmlen, &ucmsg->cmsg_len))
819 return -EFAULT;
820
821 /* Catch bogons. */
822 @@ -164,18 +165,19 @@
823 memset(kcmsg, 0, kcmlen);
824 ucmsg = CMSG32_FIRSTHDR(kmsg);
825 while(ucmsg != NULL) {
826 - __get_user(ucmlen, &ucmsg->cmsg_len);
827 + if (__get_user(ucmlen, &ucmsg->cmsg_len))
828 + goto Efault;
829 tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
830 CMSG_ALIGN(sizeof(struct cmsghdr)));
831 + if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
832 + goto Einval;
833 kcmsg->cmsg_len = tmp;
834 - __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
835 - __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
836 -
837 - /* Copy over the data. */
838 - if(copy_from_user(CMSG_DATA(kcmsg),
839 - CMSG32_DATA(ucmsg),
840 - (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
841 - goto out_free_efault;
842 + if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
843 + __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
844 + copy_from_user(CMSG_DATA(kcmsg),
845 + CMSG32_DATA(ucmsg),
846 + (ucmlen - CMSG32_ALIGN(sizeof(*ucmsg)))))
847 + goto Efault;
848
849 /* Advance. */
850 kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
851 @@ -187,10 +189,12 @@
852 kmsg->msg_controllen = kcmlen;
853 return 0;
854
855 -out_free_efault:
856 - if(kcmsg_base != (struct cmsghdr *)stackbuf)
857 +Einval:
858 + err = -EINVAL;
859 +Efault:
860 + if (kcmsg_base != (struct cmsghdr *)stackbuf)
861 kfree(kcmsg_base);
862 - return -EFAULT;
863 + return err;
864 }
865
866 static void put_cmsg32(struct msghdr *kmsg, int level, int type,
867 diff -urN linux-2.4.30/arch/x86_64/ia32/sys_ia32.c linux-2.4.30-hf32.3/arch/x86_64/ia32/sys_ia32.c
868 --- linux-2.4.30/arch/x86_64/ia32/sys_ia32.c 2005-01-27 18:57:31.000000000 +0100
869 +++ linux-2.4.30-hf32.3/arch/x86_64/ia32/sys_ia32.c 2006-03-18 00:34:06.000000000 +0100
870 @@ -2200,7 +2200,7 @@
871 return ret;
872 }
873
874 -static int nargs(u32 src, char **dst)
875 +static int nargs(u32 src, char **dst, int max)
876 {
877 int cnt;
878 u32 val;
879 @@ -2210,13 +2210,13 @@
880 int ret = get_user(val, (__u32 *)(u64)src);
881 if (ret)
882 return ret;
883 + if (cnt > max)
884 + return -E2BIG;
885 if (dst)
886 dst[cnt] = (char *)(u64)val;
887 cnt++;
888 src += 4;
889 - if (cnt >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *))
890 - return -E2BIG;
891 - } while(val);
892 + } while(val);
893 if (dst)
894 dst[cnt-1] = 0;
895 return cnt;
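Review bot: The new limit `if (cnt > max) return -E2BIG;` is tested before the store `dst[cnt] = (char *)(u64)val;`, so it still allows a store at index `max`, i.e. `max + 1` entries. In the first pass that merely shifts the historical cap by one, but the second pass is called with `na` and `ne` — the counts the first pass returned — as `max`, so if the user vector grows between the passes (another thread may rewrite it) the loop writes one pointer past the `na`/`ne` slots before the check fires; whether that lands outside `buf` depends on the `sz` computation, which is outside the hunk. `if (cnt >= max) return -E2BIG;` gives the tight bound and, since the callers pass `N - 1`, reproduces the old first-pass limit exactly. The `} while(val);` lines are a whitespace-only change and could be left out of the patch.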
896 @@ -2230,13 +2230,14 @@
897 int ret;
898 unsigned sz = 0;
899
900 + /* Can actually allocate 2*MAX_ARG_PAGES */
901 if (argv) {
902 - na = nargs(argv, NULL);
903 + na = nargs(argv, NULL, (MAX_ARG_PAGES * PAGE_SIZE)/sizeof(char*) - 1);
904 if (na < 0)
905 return -EFAULT;
906 }
907 if (envp) {
908 - ne = nargs(envp, NULL);
909 + ne = nargs(envp, NULL, (MAX_ARG_PAGES * PAGE_SIZE)/sizeof(char*) - 1);
910 if (ne < 0)
911 return -EFAULT;
912 }
913 @@ -2252,13 +2253,13 @@
914 }
915
916 if (argv) {
917 - ret = nargs(argv, buf);
918 + ret = nargs(argv, buf, na);
919 if (ret < 0)
920 goto free;
921 }
922
923 if (envp) {
924 - ret = nargs(envp, buf + na);
925 + ret = nargs(envp, buf + na, ne);
926 if (ret < 0)
927 goto free;
928 }
929 diff -urN linux-2.4.30/arch/x86_64/kernel/process.c linux-2.4.30-hf32.3/arch/x86_64/kernel/process.c
930 --- linux-2.4.30/arch/x86_64/kernel/process.c 2004-04-14 15:05:28.000000000 +0200
931 +++ linux-2.4.30-hf32.3/arch/x86_64/kernel/process.c 2006-03-18 00:34:06.000000000 +0100
932 @@ -527,10 +527,10 @@
933 p->thread.fs = me->thread.fs;
934 p->thread.gs = me->thread.gs;
935
936 - asm("movl %%gs,%0" : "=m" (p->thread.gsindex));
937 - asm("movl %%fs,%0" : "=m" (p->thread.fsindex));
938 - asm("movl %%es,%0" : "=m" (p->thread.es));
939 - asm("movl %%ds,%0" : "=m" (p->thread.ds));
940 + asm("mov %%gs,%0" : "=m" (p->thread.gsindex));
941 + asm("mov %%fs,%0" : "=m" (p->thread.fsindex));
942 + asm("mov %%es,%0" : "=m" (p->thread.es));
943 + asm("mov %%ds,%0" : "=m" (p->thread.ds));
944
945 unlazy_fpu(current);
946 p->thread.i387 = current->thread.i387;
947 @@ -575,11 +575,11 @@
948 /*
949 * Switch DS and ES.
950 */
951 - asm volatile("movl %%es,%0" : "=m" (prev->es));
952 + asm volatile("mov %%es,%0" : "=m" (prev->es));
953 if (unlikely(next->es | prev->es))
954 loadsegment(es, next->es);
955
956 - asm volatile ("movl %%ds,%0" : "=m" (prev->ds));
957 + asm volatile ("mov %%ds,%0" : "=m" (prev->ds));
958 if (unlikely(next->ds | prev->ds))
959 loadsegment(ds, next->ds);
960
961 @@ -588,7 +588,7 @@
962 */
963 {
964 unsigned fsindex;
965 - asm volatile("movl %%fs,%0" : "=g" (fsindex));
966 + asm volatile("movl %%fs,%0" : "=r" (fsindex));
967 /* segment register != 0 always requires a reload.
968 also reload when it has changed.
969 when prev process used 64bit base always reload
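Review bot: The reason for changing the output constraint from `"=g"` to `"=r"` is not recorded, and it is the security-relevant part of this hunk and the gsindex hunk that follows: `"=g"` lets the compiler pick a memory operand, and a segment-register store to memory writes only 16 bits, leaving the upper half of the `unsigned` variable uninitialized, whereas a 32-bit register destination is in practice zero-extended. A comment on each asm, `/* "=r": a segment store to memory is 16-bit and would leave the upper half stale */`, would keep a future cleanup from reverting it. The same 16-bit store width presumably motivates the `movl`→`mov` edits in the two hunks above for the `"=m"` operands, but the width of the thread fields they write is not visible here and should be confirmed.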
970 @@ -609,7 +609,7 @@
971 }
972 {
973 unsigned gsindex;
974 - asm volatile("movl %%gs,%0" : "=g" (gsindex));
975 + asm volatile("movl %%gs,%0" : "=r" (gsindex));
976 if (unlikely((gsindex | next->gsindex) || prev->gs)) {
977 load_gs_index(next->gsindex);
978 if (gsindex)
979 diff -urN linux-2.4.30/arch/x86_64/kernel/ptrace.c linux-2.4.30-hf32.3/arch/x86_64/kernel/ptrace.c
980 --- linux-2.4.30/arch/x86_64/kernel/ptrace.c 2003-06-13 16:51:32.000000000 +0200
981 +++ linux-2.4.30-hf32.3/arch/x86_64/kernel/ptrace.c 2006-03-18 00:34:06.000000000 +0100
982 @@ -114,13 +114,13 @@
983 child->thread.es = value & 0xffff;
984 return 0;
985 case offsetof(struct user_regs_struct,fs_base):
986 - if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
987 - return -EIO;
988 + if (value >= TASK_SIZE)
989 + return -EIO;
990 child->thread.fs = value;
991 return 0;
992 case offsetof(struct user_regs_struct,gs_base):
993 - if (!((value >> 48) == 0 || (value >> 48) == 0xffff))
994 - return -EIO;
995 + if (value >= TASK_SIZE)
996 + return -EIO;
997 child->thread.gs = value;
998 return 0;
999 case offsetof(struct user_regs_struct, eflags):
1000 @@ -139,6 +139,11 @@
1001 return -EIO;
1002 value &= 0xffff;
1003 break;
1004 + case offsetof(struct user_regs_struct, rip):
1005 + /* Check if the new RIP address is canonical */
1006 + if (value >= TASK_SIZE)
1007 + return -EIO;
1008 + break;
1009 }
1010 put_stack_long(child, regno - sizeof(struct pt_regs), value);
1011 return 0;
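Review bot: The comment `/* Check if the new RIP address is canonical */` describes a weaker condition than the code enforces: `value >= TASK_SIZE` rejects every non-user address, canonical kernel ones included, and the same check replaced the explicit top-16-bit canonical test for fs_base and gs_base in the hunk above without any comment. Wording that matches the code, `/* Only user-space (hence canonical) values may be written to RIP via ptrace */`, plus a similar line above the fs_base/gs_base checks, would stop someone from "relaxing" it back to a pure canonical test later. The enclosing switch starts before the previous hunk.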
1012 diff -urN linux-2.4.30/arch/x86_64/kernel/traps.c linux-2.4.30-hf32.3/arch/x86_64/kernel/traps.c
1013 --- linux-2.4.30/arch/x86_64/kernel/traps.c 2004-04-14 15:05:28.000000000 +0200
1014 +++ linux-2.4.30-hf32.3/arch/x86_64/kernel/traps.c 2006-03-18 00:34:06.000000000 +0100
1015 @@ -857,7 +857,7 @@
1016 set_intr_gate(9,&coprocessor_segment_overrun);
1017 set_intr_gate(10,&invalid_TSS);
1018 set_intr_gate(11,&segment_not_present);
1019 - set_intr_gate_ist(12,&stack_segment,STACKFAULT_STACK);
1020 + set_intr_gate(12,&stack_segment);
1021 set_intr_gate(13,&general_protection);
1022 set_intr_gate(14,&page_fault);
1023 set_intr_gate(15,&spurious_interrupt_bug);
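Review bot: Switching vector 12 (stack fault) from an IST gate to a plain `set_intr_gate` carries no comment, so the next reader cannot tell whether dropping the dedicated `STACKFAULT_STACK` was deliberate. A one-line comment on the new line stating the motivation, e.g. `/* #SS is handled on the regular kernel stack, not an IST stack: <reason> */`, would record it; the actual reason is not visible in this patch, so the wording has to come from the author.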
1024 diff -urN linux-2.4.30/drivers/block/loop.c linux-2.4.30-hf32.3/drivers/block/loop.c
1025 --- linux-2.4.30/drivers/block/loop.c 2003-08-25 13:44:41.000000000 +0200
1026 +++ linux-2.4.30-hf32.3/drivers/block/loop.c 2006-03-18 00:34:06.000000000 +0100
1027 @@ -974,7 +974,7 @@
1028
1029 int loop_register_transfer(struct loop_func_table *funcs)
1030 {
1031 - if ((unsigned)funcs->number > MAX_LO_CRYPT || xfer_funcs[funcs->number])
1032 + if ((unsigned)funcs->number >= MAX_LO_CRYPT || xfer_funcs[funcs->number])
1033 return -EINVAL;
1034 xfer_funcs[funcs->number] = funcs;
1035 return 0;
1036 diff -urN linux-2.4.30/drivers/bluetooth/bfusb.c linux-2.4.30-hf32.3/drivers/bluetooth/bfusb.c
1037 --- linux-2.4.30/drivers/bluetooth/bfusb.c 2004-08-08 01:26:04.000000000 +0200
1038 +++ linux-2.4.30-hf32.3/drivers/bluetooth/bfusb.c 2006-03-18 00:34:06.000000000 +0100
1039 @@ -470,12 +470,11 @@
1040 return 0;
1041
1042 write_lock_irqsave(&bfusb->lock, flags);
1043 + write_unlock_irqrestore(&bfusb->lock, flags);
1044
1045 bfusb_unlink_urbs(bfusb);
1046 bfusb_flush(hdev);
1047
1048 - write_unlock_irqrestore(&bfusb->lock, flags);
1049 -
1050 MOD_DEC_USE_COUNT;
1051
1052 return 0;
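Review bot: `write_lock_irqsave` immediately followed by `write_unlock_irqrestore` with nothing in between reads like a mistake unless the reader knows it is an intentional synchronization point; the parallel hci_usb.c hunk below explains itself with `/* Synchronize with completion handlers */`, and this one should carry the same comment above the lock. Since the unlink and flush calls now run outside the lock, the comment also tells the reader that their ordering relative to in-flight completions is by design rather than an oversight.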
1053 diff -urN linux-2.4.30/drivers/bluetooth/hci_usb.c linux-2.4.30-hf32.3/drivers/bluetooth/hci_usb.c
1054 --- linux-2.4.30/drivers/bluetooth/hci_usb.c 2004-08-08 01:26:04.000000000 +0200
1055 +++ linux-2.4.30-hf32.3/drivers/bluetooth/hci_usb.c 2006-03-18 00:34:06.000000000 +0100
1056 @@ -398,13 +398,13 @@
1057
1058 BT_DBG("%s", hdev->name);
1059
1060 + /* Synchronize with completion handlers */
1061 write_lock_irqsave(&husb->completion_lock, flags);
1062 -
1063 + write_unlock_irqrestore(&husb->completion_lock, flags);
1064 +
1065 hci_usb_unlink_urbs(husb);
1066 hci_usb_flush(hdev);
1067
1068 - write_unlock_irqrestore(&husb->completion_lock, flags);
1069 -
1070 MOD_DEC_USE_COUNT;
1071 return 0;
1072 }
1073 diff -urN linux-2.4.30/drivers/char/cyclades.c linux-2.4.30-hf32.3/drivers/char/cyclades.c
1074 --- linux-2.4.30/drivers/char/cyclades.c 2005-01-27 18:57:32.000000000 +0100
1075 +++ linux-2.4.30-hf32.3/drivers/char/cyclades.c 2006-03-18 00:34:06.000000000 +0100
1076 @@ -2960,10 +2960,15 @@
1077 cy_write(struct tty_struct * tty, int from_user,
1078 const unsigned char *buf, int count)
1079 {
1080 - struct cyclades_port *info = (struct cyclades_port *)tty->driver_data;
1081 + struct cyclades_port *info;
1082 unsigned long flags;
1083 int c, ret = 0;
1084
1085 + if (!tty)
1086 + return 0;
1087 +
1088 + info = (struct cyclades_port *)tty->driver_data;
1089 +
1090 #ifdef CY_DEBUG_IO
1091 printk("cyc:cy_write ttyC%d\n", info->line); /* */
1092 #endif
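Review bot: The early `if (!tty) return 0;` now precedes the first dereference, but the pointer it yields, `info = tty->driver_data`, is still dereferenced for `info->line` under CY_DEBUG_IO before any validity check, and `info->xmit_buf` is only reached after serial_paranoia_check(), whose strength depends on a config option not visible here. If driver_data can be NULL for a closed port, a guard `if (!info) return 0;` right after the assignment would cover the debug printk as well. The same pattern is applied to cy_put_char below and to the esp.c, isicom.c, mxser.c, riscom8.c, serial.c and specialix.c write/put_char hunks; in the visible lines of the mxser.c hunks no paranoia check is called at all, so a NULL driver_data there would reach `info->xmit_buf` directly.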
1093 @@ -2972,7 +2977,7 @@
1094 return 0;
1095 }
1096
1097 - if (!tty || !info->xmit_buf || !tmp_buf){
1098 + if (!info->xmit_buf || !tmp_buf){
1099 return 0;
1100 }
1101
1102 @@ -3047,9 +3052,14 @@
1103 static void
1104 cy_put_char(struct tty_struct *tty, unsigned char ch)
1105 {
1106 - struct cyclades_port *info = (struct cyclades_port *)tty->driver_data;
1107 + struct cyclades_port *info;
1108 unsigned long flags;
1109
1110 + if (!tty)
1111 + return;
1112 +
1113 + info = (struct cyclades_port *)tty->driver_data;
1114 +
1115 #ifdef CY_DEBUG_IO
1116 printk("cyc:cy_put_char ttyC%d\n", info->line);
1117 #endif
1118 @@ -3057,7 +3067,7 @@
1119 if (serial_paranoia_check(info, tty->device, "cy_put_char"))
1120 return;
1121
1122 - if (!tty || !info->xmit_buf)
1123 + if (!info->xmit_buf)
1124 return;
1125
1126 CY_LOCK(info, flags);
1127 diff -urN linux-2.4.30/drivers/char/drm/drm_stub.h linux-2.4.30-hf32.3/drivers/char/drm/drm_stub.h
1128 --- linux-2.4.30/drivers/char/drm/drm_stub.h 2006-02-26 22:56:01.000000000 +0100
1129 +++ linux-2.4.30-hf32.3/drivers/char/drm/drm_stub.h 2006-03-18 00:34:06.000000000 +0100
1130 @@ -52,6 +52,7 @@
1131 int err = -ENODEV;
1132 struct file_operations *old_fops;
1133
1134 + if (minor < 0 || minor >=DRM_STUB_MAXCARDS) return -ENODEV;
1135 if (!DRM(stub_list) || !DRM(stub_list)[minor].fops) return -ENODEV;
1136 old_fops = filp->f_op;
1137 filp->f_op = fops_get(DRM(stub_list)[minor].fops);
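Review bot: Style: `minor >=DRM_STUB_MAXCARDS` is missing the space after the operator; `if (minor < 0 || minor >= DRM_STUB_MAXCARDS) return -ENODEV;` matches the line below it. If `minor` is an unsigned type (its declaration is outside the hunk) the `< 0` half is dead and compilers will warn, so confirming the type keeps the bound check honest either way.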
1138 diff -urN linux-2.4.30/drivers/char/esp.c linux-2.4.30-hf32.3/drivers/char/esp.c
1139 --- linux-2.4.30/drivers/char/esp.c 2005-01-27 18:57:32.000000000 +0100
1140 +++ linux-2.4.30-hf32.3/drivers/char/esp.c 2006-03-18 00:34:06.000000000 +0100
1141 @@ -1251,13 +1251,18 @@
1142
1143 static void rs_put_char(struct tty_struct *tty, unsigned char ch)
1144 {
1145 - struct esp_struct *info = (struct esp_struct *)tty->driver_data;
1146 + struct esp_struct *info;
1147 unsigned long flags;
1148
1149 + if (!tty)
1150 + return;
1151 +
1152 + info = (struct esp_struct *)tty->driver_data;
1153 +
1154 if (serial_paranoia_check(info, tty->device, "rs_put_char"))
1155 return;
1156
1157 - if (!tty || !info->xmit_buf)
1158 + if (!info->xmit_buf)
1159 return;
1160
1161 save_flags(flags); cli();
1162 @@ -1296,13 +1301,19 @@
1163 const unsigned char *buf, int count)
1164 {
1165 int c, t, ret = 0;
1166 - struct esp_struct *info = (struct esp_struct *)tty->driver_data;
1167 + struct esp_struct *info;
1168 unsigned long flags;
1169
1170 +
1171 + if (!tty)
1172 + return 0;
1173 +
1174 + info = (struct esp_struct *)tty->driver_data;
1175 +
1176 if (serial_paranoia_check(info, tty->device, "rs_write"))
1177 return 0;
1178
1179 - if (!tty || !info->xmit_buf || !tmp_buf)
1180 + if (!info->xmit_buf || !tmp_buf)
1181 return 0;
1182
1183 if (from_user)
1184 diff -urN linux-2.4.30/drivers/char/isicom.c linux-2.4.30-hf32.3/drivers/char/isicom.c
1185 --- linux-2.4.30/drivers/char/isicom.c 2005-01-27 18:57:32.000000000 +0100
1186 +++ linux-2.4.30-hf32.3/drivers/char/isicom.c 2006-03-18 00:34:06.000000000 +0100
1187 @@ -1223,9 +1223,15 @@
1188 static int isicom_write(struct tty_struct * tty, int from_user,
1189 const unsigned char * buf, int count)
1190 {
1191 - struct isi_port * port = (struct isi_port *) tty->driver_data;
1192 + struct isi_port * port;
1193 unsigned long flags;
1194 int cnt, total = 0;
1195 +
1196 + if (!tty)
1197 + return 0;
1198 +
1199 + port = (struct isi_port *) tty->driver_data;
1200 +
1201 #ifdef ISICOM_DEBUG
1202 printk(KERN_DEBUG "ISICOM: isicom_write for port%d: %d bytes.\n",
1203 port->channel+1, count);
1204 @@ -1233,7 +1239,7 @@
1205 if (isicom_paranoia_check(port, tty->device, "isicom_write"))
1206 return 0;
1207
1208 - if (!tty || !port->xmit_buf || !tmp_buf)
1209 + if (!port->xmit_buf || !tmp_buf)
1210 return 0;
1211 if (from_user)
1212 down(&tmp_buf_sem); /* acquire xclusive access to tmp_buf */
1213 @@ -1281,13 +1287,18 @@
1214 /* put_char et all */
1215 static void isicom_put_char(struct tty_struct * tty, unsigned char ch)
1216 {
1217 - struct isi_port * port = (struct isi_port *) tty->driver_data;
1218 + struct isi_port * port;
1219 unsigned long flags;
1220 +
1221 + if (!tty)
1222 + return;
1223 +
1224 + port = (struct isi_port *) tty->driver_data;
1225
1226 if (isicom_paranoia_check(port, tty->device, "isicom_put_char"))
1227 return;
1228
1229 - if (!tty || !port->xmit_buf)
1230 + if (!port->xmit_buf)
1231 return;
1232 #ifdef ISICOM_DEBUG
1233 printk(KERN_DEBUG "ISICOM: put_char, port %d, char %c.\n", port->channel+1, ch);
1234 diff -urN linux-2.4.30/drivers/char/moxa.c linux-2.4.30-hf32.3/drivers/char/moxa.c
1235 --- linux-2.4.30/drivers/char/moxa.c 2005-01-27 18:57:32.000000000 +0100
1236 +++ linux-2.4.30-hf32.3/drivers/char/moxa.c 2006-03-18 00:34:06.000000000 +0100
1237 @@ -294,6 +294,7 @@
1238 static int moxa_get_serial_info(struct moxa_str *, struct serial_struct *);
1239 static int moxa_set_serial_info(struct moxa_str *, struct serial_struct *);
1240 static void MoxaSetFifo(int port, int enable);
1241 +static unsigned long moxaIntPend[MAX_BOARDS];
1242
1243 #ifdef MODULE
1244 int init_module(void)
1245 @@ -995,7 +996,8 @@
1246 return;
1247 }
1248 for (card = 0; card < MAX_BOARDS; card++) {
1249 - if ((ports = MoxaPortsOfCard(card)) <= 0)
1250 + if ((ports = MoxaPortsOfCard(card)) <= 0
1251 + || moxaIntPend[card] == 0)
1252 continue;
1253 ch = &moxaChannels[card * MAX_PORTS_PER_BOARD];
1254 for (i = 0; i < ports; i++, ch++) {
1255 @@ -1578,7 +1580,6 @@
1256
1257 static unsigned char moxaBuff[10240];
1258 static unsigned long moxaIntNdx[MAX_BOARDS];
1259 -static unsigned long moxaIntPend[MAX_BOARDS];
1260 static unsigned long moxaIntTable[MAX_BOARDS];
1261 static char moxaChkPort[MAX_PORTS];
1262 static char moxaLineCtrl[MAX_PORTS];
1263 diff -urN linux-2.4.30/drivers/char/mxser.c linux-2.4.30-hf32.3/drivers/char/mxser.c
1264 --- linux-2.4.30/drivers/char/mxser.c 2005-01-27 18:57:32.000000000 +0100
1265 +++ linux-2.4.30-hf32.3/drivers/char/mxser.c 2006-03-18 00:34:06.000000000 +0100
1266 @@ -911,10 +911,15 @@
1267 const unsigned char *buf, int count)
1268 {
1269 int c, total = 0;
1270 - struct mxser_struct *info = (struct mxser_struct *) tty->driver_data;
1271 + struct mxser_struct *info;
1272 unsigned long flags;
1273
1274 - if (!tty || !info->xmit_buf || !mxvar_tmp_buf)
1275 + if (!tty)
1276 + return (0);
1277 +
1278 + info = (struct mxser_struct *) tty->driver_data;
1279 +
1280 + if (!info->xmit_buf || !mxvar_tmp_buf)
1281 return (0);
1282
1283 save_flags(flags);
1284 @@ -979,10 +984,15 @@
1285
1286 static void mxser_put_char(struct tty_struct *tty, unsigned char ch)
1287 {
1288 - struct mxser_struct *info = (struct mxser_struct *) tty->driver_data;
1289 + struct mxser_struct *info;
1290 unsigned long flags;
1291
1292 - if (!tty || !info->xmit_buf)
1293 + if (!tty)
1294 + return;
1295 +
1296 + info = (struct mxser_struct *) tty->driver_data;
1297 +
1298 + if (!info->xmit_buf)
1299 return;
1300
1301 save_flags(flags);
1302 diff -urN linux-2.4.30/drivers/char/random.c linux-2.4.30-hf32.3/drivers/char/random.c
1303 --- linux-2.4.30/drivers/char/random.c 2005-01-27 18:57:32.000000000 +0100
1304 +++ linux-2.4.30-hf32.3/drivers/char/random.c 2006-03-18 00:34:06.000000000 +0100
1305 @@ -1771,7 +1771,7 @@
1306 static int proc_do_poolsize(ctl_table *table, int write, struct file *filp,
1307 void *buffer, size_t *lenp)
1308 {
1309 - unsigned int ret;
1310 + int ret;
1311
1312 sysctl_poolsize = random_state->poolinfo.POOLBYTES;
1313
1314 @@ -1787,7 +1787,7 @@
1315 void *oldval, size_t *oldlenp,
1316 void *newval, size_t newlen, void **context)
1317 {
1318 - int len;
1319 + unsigned int len;
1320
1321 sysctl_poolsize = random_state->poolinfo.POOLBYTES;
1322
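Review bot: The two signedness changes go in opposite directions without explanation: `ret` becomes signed in proc_do_poolsize while `len` becomes unsigned in the sysctl strategy routine, and the comparisons that motivate each are outside the hunks. A comment at each declaration, `/* signed: the helper below returns negative errno */` and `/* unsigned: compared against size_t lengths, avoid signed/unsigned mismatch */`, would record the intent; both reasons are inferred from the parameter types and should be checked against the function bodies.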
1323 diff -urN linux-2.4.30/drivers/char/riscom8.c linux-2.4.30-hf32.3/drivers/char/riscom8.c
1324 --- linux-2.4.30/drivers/char/riscom8.c 2005-01-27 18:57:32.000000000 +0100
1325 +++ linux-2.4.30-hf32.3/drivers/char/riscom8.c 2006-03-18 00:34:06.000000000 +0100
1326 @@ -1220,17 +1220,22 @@
1327 static int rc_write(struct tty_struct * tty, int from_user,
1328 const unsigned char *buf, int count)
1329 {
1330 - struct riscom_port *port = (struct riscom_port *)tty->driver_data;
1331 + struct riscom_port *port;
1332 struct riscom_board *bp;
1333 int c, total = 0;
1334 unsigned long flags;
1335 +
1336 + if (!tty)
1337 + return 0;
1338 +
1339 + port = (struct riscom_port *)tty->driver_data;
1340
1341 if (rc_paranoia_check(port, tty->device, "rc_write"))
1342 return 0;
1343
1344 bp = port_Board(port);
1345
1346 - if (!tty || !port->xmit_buf || !tmp_buf)
1347 + if (!port->xmit_buf || !tmp_buf)
1348 return 0;
1349
1350 save_flags(flags);
1351 @@ -1298,13 +1303,18 @@
1352
1353 static void rc_put_char(struct tty_struct * tty, unsigned char ch)
1354 {
1355 - struct riscom_port *port = (struct riscom_port *)tty->driver_data;
1356 + struct riscom_port *port;
1357 unsigned long flags;
1358
1359 + if (!tty)
1360 + return;
1361 +
1362 + port = (struct riscom_port *)tty->driver_data;
1363 +
1364 if (rc_paranoia_check(port, tty->device, "rc_put_char"))
1365 return;
1366
1367 - if (!tty || !port->xmit_buf)
1368 + if (!port->xmit_buf)
1369 return;
1370
1371 save_flags(flags); cli();
1372 diff -urN linux-2.4.30/drivers/char/serial.c linux-2.4.30-hf32.3/drivers/char/serial.c
1373 --- linux-2.4.30/drivers/char/serial.c 2005-01-27 18:57:32.000000000 +0100
1374 +++ linux-2.4.30-hf32.3/drivers/char/serial.c 2006-03-18 00:34:06.000000000 +0100
1375 @@ -1827,13 +1827,18 @@
1376
1377 static void rs_put_char(struct tty_struct *tty, unsigned char ch)
1378 {
1379 - struct async_struct *info = (struct async_struct *)tty->driver_data;
1380 + struct async_struct *info;
1381 unsigned long flags;
1382
1383 + if (!tty)
1384 + return;
1385 +
1386 + info = (struct async_struct *)tty->driver_data;
1387 +
1388 if (serial_paranoia_check(info, tty->device, "rs_put_char"))
1389 return;
1390
1391 - if (!tty || !info->xmit.buf)
1392 + if (!info->xmit.buf)
1393 return;
1394
1395 save_flags(flags); cli();
1396 @@ -1873,13 +1878,18 @@
1397 const unsigned char *buf, int count)
1398 {
1399 int c, ret = 0;
1400 - struct async_struct *info = (struct async_struct *)tty->driver_data;
1401 + struct async_struct *info;
1402 unsigned long flags;
1403
1404 + if (!tty)
1405 + return 0;
1406 +
1407 + info = (struct async_struct *)tty->driver_data;
1408 +
1409 if (serial_paranoia_check(info, tty->device, "rs_write"))
1410 return 0;
1411
1412 - if (!tty || !info->xmit.buf || !tmp_buf)
1413 + if (!info->xmit.buf || !tmp_buf)
1414 return 0;
1415
1416 save_flags(flags);
1417 diff -urN linux-2.4.30/drivers/char/specialix.c linux-2.4.30-hf32.3/drivers/char/specialix.c
1418 --- linux-2.4.30/drivers/char/specialix.c 2005-01-27 18:57:32.000000000 +0100
1419 +++ linux-2.4.30-hf32.3/drivers/char/specialix.c 2006-03-18 00:34:06.000000000 +0100
1420 @@ -1600,17 +1600,22 @@
1421 static int sx_write(struct tty_struct * tty, int from_user,
1422 const unsigned char *buf, int count)
1423 {
1424 - struct specialix_port *port = (struct specialix_port *)tty->driver_data;
1425 + struct specialix_port *port;
1426 struct specialix_board *bp;
1427 int c, total = 0;
1428 unsigned long flags;
1429 +
1430 + if (!tty)
1431 + return 0;
1432 +
1433 + port = (struct specialix_port *)tty->driver_data;
1434
1435 if (sx_paranoia_check(port, tty->device, "sx_write"))
1436 return 0;
1437
1438 bp = port_Board(port);
1439
1440 - if (!tty || !port->xmit_buf || !tmp_buf)
1441 + if (!port->xmit_buf || !tmp_buf)
1442 return 0;
1443
1444 save_flags(flags);
1445 @@ -1676,13 +1681,18 @@
1446
1447 static void sx_put_char(struct tty_struct * tty, unsigned char ch)
1448 {
1449 - struct specialix_port *port = (struct specialix_port *)tty->driver_data;
1450 + struct specialix_port *port;
1451 unsigned long flags;
1452
1453 + if (!tty)
1454 + return;
1455 +
1456 + port = (struct specialix_port *)tty->driver_data;
1457 +
1458 if (sx_paranoia_check(port, tty->device, "sx_put_char"))
1459 return;
1460
1461 - if (!tty || !port->xmit_buf)
1462 + if (!port->xmit_buf)
1463 return;
1464
1465 save_flags(flags); cli();
1466 diff -urN linux-2.4.30/drivers/char/vt.c linux-2.4.30-hf32.3/drivers/char/vt.c
1467 --- linux-2.4.30/drivers/char/vt.c 2005-01-27 18:57:32.000000000 +0100
1468 +++ linux-2.4.30-hf32.3/drivers/char/vt.c 2006-03-18 00:34:06.000000000 +0100
1469 @@ -166,6 +166,9 @@
1470 if (i >= NR_KEYS || s >= MAX_NR_KEYMAPS)
1471 return -EINVAL;
1472
1473 + if (!capable(CAP_SYS_TTY_CONFIG))
1474 + perm = 0;
1475 +
1476 switch (cmd) {
1477 case KDGKBENT:
1478 key_map = key_maps[s];
1479 @@ -276,6 +279,9 @@
1480 char *first_free, *fj, *fnw;
1481 int i, j, k;
1482
1483 + if (!capable(CAP_SYS_TTY_CONFIG))
1484 + perm = 0;
1485 +
1486 /* we mostly copy too much here (512bytes), but who cares ;) */
1487 if (copy_from_user(&tmp, user_kdgkb, sizeof(struct kbsentry)))
1488 return -EFAULT;
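Review bot: Demoting `perm` to 0 for callers lacking CAP_SYS_TTY_CONFIG changes what the switch below does rather than rejecting the request outright, and the hunk gives no comment on why the capability is checked here in addition to whatever computed `perm` in the caller. A comment such as `/* modifying keymaps / function-key strings requires CAP_SYS_TTY_CONFIG even when the caller derived perm from tty ownership */` at both sites (this hunk and the one above) would document the policy; the origin of `perm` is outside both hunks, so the wording should be confirmed.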
1489 diff -urN linux-2.4.30/drivers/ide/ide-io.c linux-2.4.30-hf32.3/drivers/ide/ide-io.c
1490 --- linux-2.4.30/drivers/ide/ide-io.c 2003-11-28 19:26:20.000000000 +0100
1491 +++ linux-2.4.30-hf32.3/drivers/ide/ide-io.c 2006-03-18 00:34:06.000000000 +0100
1492 @@ -899,11 +899,13 @@
1493 rq = HWGROUP(drive)->rq;
1494 HWGROUP(drive)->rq = NULL;
1495
1496 - rq->errors = 0;
1497 - rq->sector = rq->bh->b_rsector;
1498 - rq->current_nr_sectors = rq->bh->b_size >> 9;
1499 - rq->hard_cur_sectors = rq->current_nr_sectors;
1500 - rq->buffer = rq->bh->b_data;
1501 + if (rq) {
1502 + rq->errors = 0;
1503 + rq->sector = rq->bh->b_rsector;
1504 + rq->current_nr_sectors = rq->bh->b_size >> 9;
1505 + rq->hard_cur_sectors = rq->current_nr_sectors;
1506 + rq->buffer = rq->bh->b_data;
1507 + }
1508
1509 return ret;
1510 }
1511 diff -urN linux-2.4.30/drivers/net/bonding/bond_alb.c linux-2.4.30-hf32.3/drivers/net/bonding/bond_alb.c
1512 --- linux-2.4.30/drivers/net/bonding/bond_alb.c 2004-04-14 15:05:30.000000000 +0200
1513 +++ linux-2.4.30-hf32.3/drivers/net/bonding/bond_alb.c 2006-03-18 00:34:06.000000000 +0100
1514 @@ -37,6 +37,9 @@
1515 *
1516 * 2004/01/14 - Shmulik Hen <shmulik.hen at intel dot com>
1517 * - Add capability to tag self generated packets in ALB/TLB modes.
1518 + *
1519 + * 2005/12/02 - Michael O'Donnell <Michael.ODonnell at stratus dot com>
1520 + * - Stratus88746: tlb_clear_slave() must tlb_init_slave() while locked.
1521 */
1522
1523 //#define BONDING_DEBUG 1
1524 @@ -187,9 +190,9 @@
1525 index = next_index;
1526 }
1527
1528 - _unlock_tx_hashtbl(bond);
1529 + tlb_init_slave(slave); /* Stratus88746: do this before unlocking */
1530
1531 - tlb_init_slave(slave);
1532 + _unlock_tx_hashtbl(bond);
1533 }
1534
1535 /* Must be called before starting the monitor timer */
1536 diff -urN linux-2.4.30/drivers/net/bonding/bond_main.c linux-2.4.30-hf32.3/drivers/net/bonding/bond_main.c
1537 --- linux-2.4.30/drivers/net/bonding/bond_main.c 2004-11-17 12:54:21.000000000 +0100
1538 +++ linux-2.4.30-hf32.3/drivers/net/bonding/bond_main.c 2006-03-18 00:34:06.000000000 +0100
1539 @@ -469,6 +469,13 @@
1540 * * Add support for VLAN hardware acceleration capable slaves.
1541 * * Add capability to tag self generated packets in ALB/TLB modes.
1542 * Set version to 2.6.0.
1543 + * 2004/10/29 - Mitch Williams <mitch.a.williams at intel dot com>
1544 + * - Fixed bug when unloading module while using 802.3ad. If
1545 + * spinlock debugging is turned on, this causes a stack dump.
1546 + * Solution is to move call to dev_remove_pack outside of the
1547 + * spinlock.
1548 + * Set version to 2.6.1.
1549 + *
1550 */
1551
1552 //#define BONDING_DEBUG 1
1553 @@ -3565,15 +3572,15 @@
1554 {
1555 struct bonding *bond = bond_dev->priv;
1556
1557 - write_lock_bh(&bond->lock);
1558 -
1559 - bond_mc_list_destroy(bond);
1560 -
1561 if (bond->params.mode == BOND_MODE_8023AD) {
1562 /* Unregister the receive of LACPDUs */
1563 bond_unregister_lacpdu(bond);
1564 }
1565
1566 + write_lock_bh(&bond->lock);
1567 +
1568 + bond_mc_list_destroy(bond);
1569 +
1570 /* signal timers not to re-arm */
1571 bond->kill_timers = 1;
1572
1573 diff -urN linux-2.4.30/drivers/net/e1000/e1000_hw.c linux-2.4.30-hf32.3/drivers/net/e1000/e1000_hw.c
1574 --- linux-2.4.30/drivers/net/e1000/e1000_hw.c 2005-04-14 09:43:33.000000000 +0200
1575 +++ linux-2.4.30-hf32.3/drivers/net/e1000/e1000_hw.c 2006-03-18 00:34:06.000000000 +0100
1576 @@ -5049,7 +5049,7 @@
1577 if(ret_val)
1578 return ret_val;
1579
1580 - msec_delay(20);
1581 + msec_delay_irq(20);
1582
1583 ret_val = e1000_write_phy_reg(hw, 0x0000,
1584 IGP01E1000_IEEE_FORCE_GIGA);
1585 @@ -5073,7 +5073,7 @@
1586 if(ret_val)
1587 return ret_val;
1588
1589 - msec_delay(20);
1590 + msec_delay_irq(20);
1591
1592 /* Now enable the transmitter */
1593 ret_val = e1000_write_phy_reg(hw, 0x2F5B, phy_saved_data);
1594 @@ -5098,7 +5098,7 @@
1595 if(ret_val)
1596 return ret_val;
1597
1598 - msec_delay(20);
1599 + msec_delay_irq(20);
1600
1601 ret_val = e1000_write_phy_reg(hw, 0x0000,
1602 IGP01E1000_IEEE_FORCE_GIGA);
1603 @@ -5114,7 +5114,7 @@
1604 if(ret_val)
1605 return ret_val;
1606
1607 - msec_delay(20);
1608 + msec_delay_irq(20);
1609
1610 /* Now enable the transmitter */
1611 ret_val = e1000_write_phy_reg(hw, 0x2F5B, phy_saved_data);
1612 diff -urN linux-2.4.30/drivers/net/wan/sdla.c linux-2.4.30-hf32.3/drivers/net/wan/sdla.c
1613 --- linux-2.4.30/drivers/net/wan/sdla.c 2005-01-27 18:57:32.000000000 +0100
1614 +++ linux-2.4.30-hf32.3/drivers/net/wan/sdla.c 2006-03-18 00:34:06.000000000 +0100
1615 @@ -1201,6 +1201,7 @@
1616 temp = kmalloc(mem.len, GFP_KERNEL);
1617 if (!temp)
1618 return(-ENOMEM);
1619 + memset(temp, 0, mem.len);
1620 sdla_read(dev, mem.addr, temp, mem.len);
1621 if(copy_to_user(mem.data, temp, mem.len))
1622 {
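Review bot: The new memset() lacks a comment saying why it is needed, and the reason is the kind that gets "optimized away" later: the buffer is copied to user space after sdla_read(), so any bytes the read does not fill would otherwise expose stale kernel heap. Suggest `/* clear first: sdla_read() may fill fewer than mem.len bytes and the buffer goes to user space */` above it. Whether `mem.len` is bounded before the kmalloc() is outside the hunk and worth checking separately.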
1623 diff -urN linux-2.4.30/drivers/net/wireless/airo.c linux-2.4.30-hf32.3/drivers/net/wireless/airo.c
1624 --- linux-2.4.30/drivers/net/wireless/airo.c 2004-08-08 01:26:05.000000000 +0200
1625 +++ linux-2.4.30-hf32.3/drivers/net/wireless/airo.c 2006-03-18 00:34:06.000000000 +0100
1626 @@ -43,6 +43,8 @@
1627 #include <linux/pci.h>
1628 #include <asm/uaccess.h>
1629
1630 +#include "airo.h"
1631 +
1632 #ifdef CONFIG_PCI
1633 static struct pci_device_id card_ids[] = {
1634 { 0x14b9, 1, PCI_ANY_ID, PCI_ANY_ID, },
1635 diff -urN linux-2.4.30/drivers/net/wireless/airo.h linux-2.4.30-hf32.3/drivers/net/wireless/airo.h
1636 --- linux-2.4.30/drivers/net/wireless/airo.h 1970-01-01 01:00:00.000000000 +0100
1637 +++ linux-2.4.30-hf32.3/drivers/net/wireless/airo.h 2006-03-18 00:34:06.000000000 +0100
1638 @@ -0,0 +1,8 @@
1639 +#ifndef _AIRO_H_
1640 +#define _AIRO_H_
1641 +
1642 +struct net_device *init_airo_card(unsigned short irq, int port, int is_pcmcia);
1643 +void stop_airo_card(struct net_device *dev, int freeres);
1644 +int reset_airo_card(struct net_device *dev);
1645 +
1646 +#endif /* _AIRO_H_ */
1647 diff -urN linux-2.4.30/drivers/net/wireless/airo_cs.c linux-2.4.30-hf32.3/drivers/net/wireless/airo_cs.c
1648 --- linux-2.4.30/drivers/net/wireless/airo_cs.c 2002-11-29 00:53:14.000000000 +0100
1649 +++ linux-2.4.30-hf32.3/drivers/net/wireless/airo_cs.c 2006-03-18 00:34:06.000000000 +0100
1650 @@ -45,6 +45,8 @@
1651 #include <pcmcia/cisreg.h>
1652 #include <pcmcia/ds.h>
1653
1654 +#include "airo.h"
1655 +
1656 /*
1657 All the PCMCIA modules use PCMCIA_DEBUG to control debugging. If
1658 you do not define PCMCIA_DEBUG at all, all the debug code will be
1659 @@ -91,10 +93,6 @@
1660 event handler.
1661 */
1662
1663 -struct net_device *init_airo_card( int, int, int );
1664 -void stop_airo_card( struct net_device *, int );
1665 -int reset_airo_card( struct net_device * );
1666 -
1667 static void airo_config(dev_link_t *link);
1668 static void airo_release(u_long arg);
1669 static int airo_event(event_t event, int priority,
1670 diff -urN linux-2.4.30/drivers/net/wireless/hermes.c linux-2.4.30-hf32.3/drivers/net/wireless/hermes.c
1671 --- linux-2.4.30/drivers/net/wireless/hermes.c 2003-08-25 13:44:42.000000000 +0200
1672 +++ linux-2.4.30-hf32.3/drivers/net/wireless/hermes.c 2006-03-18 00:34:06.000000000 +0100
1673 @@ -448,6 +448,43 @@
1674 return err;
1675 }
1676
1677 +/* Write a block of data to the chip's buffer with padding if
1678 + * neccessary, via the BAP. Synchronization/serialization is the
1679 + * caller's problem. len must be even.
1680 + *
1681 + * Returns: < 0 on internal failure (errno), 0 on success, > 0 on error from firmware
1682 + */
1683 +int hermes_bap_pwrite_pad(hermes_t *hw, int bap, const void *buf, unsigned data_len, unsigned len,
1684 + u16 id, u16 offset)
1685 +{
1686 + int dreg = bap ? HERMES_DATA1 : HERMES_DATA0;
1687 + int err = 0;
1688 +
1689 + if (len < 0 || len % 2 || data_len > len)
1690 + return -EINVAL;
1691 +
1692 + err = hermes_bap_seek(hw, bap, id, offset);
1693 + if (err)
1694 + goto out;
1695 +
1696 + /* Transfer all the complete words of data */
1697 + hermes_write_words(hw, dreg, buf, data_len/2);
1698 + /* If there is an odd byte left over pad and transfer it */
1699 + if (data_len & 1) {
1700 + u8 end[2];
1701 + end[1] = 0;
1702 + end[0] = ((unsigned char *)buf)[data_len - 1];
1703 + hermes_write_words(hw, dreg, end, 1);
1704 + data_len ++;
1705 + }
1706 + /* Now send zeros for the padding */
1707 + if (data_len < len)
1708 + hermes_clear_words(hw, dreg, (len - data_len) / 2);
1709 + /* Complete */
1710 + out:
1711 + return err;
1712 +}
1713 +
1714 /* Read a Length-Type-Value record from the card.
1715 *
1716 * If length is NULL, we ignore the length read from the card, and
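Review bot: `len < 0` in the parameter check of the new hermes_bap_pwrite_pad() is always false because `len` is `unsigned`, so the condition should be `if (len % 2 || data_len > len)`; with -Wtype-limits the dead comparison also warns. The odd-byte path casts away the `const` of `buf`; `end[0] = ((const unsigned char *)buf)[data_len - 1];` keeps the qualifier. The header comment also misspells "necessary".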
1717 @@ -534,6 +571,7 @@
1718
1719 EXPORT_SYMBOL(hermes_bap_pread);
1720 EXPORT_SYMBOL(hermes_bap_pwrite);
1721 +EXPORT_SYMBOL(hermes_bap_pwrite_pad);
1722 EXPORT_SYMBOL(hermes_read_ltv);
1723 EXPORT_SYMBOL(hermes_write_ltv);
1724
1725 diff -urN linux-2.4.30/drivers/net/wireless/hermes.h linux-2.4.30-hf32.3/drivers/net/wireless/hermes.h
1726 --- linux-2.4.30/drivers/net/wireless/hermes.h 2006-01-29 08:47:28.000000000 +0100
1727 +++ linux-2.4.30-hf32.3/drivers/net/wireless/hermes.h 2006-03-18 00:34:06.000000000 +0100
1728 @@ -319,6 +319,8 @@
1729 u16 id, u16 offset);
1730 int hermes_bap_pwrite(hermes_t *hw, int bap, const void *buf, unsigned len,
1731 u16 id, u16 offset);
1732 +int hermes_bap_pwrite_pad(hermes_t *hw, int bap, const void *buf,
1733 + unsigned data_len, unsigned len, u16 id, u16 offset);
1734 int hermes_read_ltv(hermes_t *hw, int bap, u16 rid, unsigned buflen,
1735 u16 *length, void *buf);
1736 int hermes_write_ltv(hermes_t *hw, int bap, u16 rid,
1737 diff -urN linux-2.4.30/drivers/net/wireless/orinoco.c linux-2.4.30-hf32.3/drivers/net/wireless/orinoco.c
1738 --- linux-2.4.30/drivers/net/wireless/orinoco.c 2003-08-25 13:44:42.000000000 +0200
1739 +++ linux-2.4.30-hf32.3/drivers/net/wireless/orinoco.c 2006-03-18 00:34:06.000000000 +0100
1740 @@ -2312,6 +2312,8 @@
1741 }
1742 }
1743
1744 +#define ALIGN(x,a) (((x)+(a)-1)&~((a)-1))
1745 +
1746 static int
1747 orinoco_xmit(struct sk_buff *skb, struct net_device *dev)
1748 {
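Review bot: Defining `ALIGN` unconditionally in a driver risks a redefinition clash if a kernel header in this tree (or a later one) already provides a macro of that name; wrapping it in `#ifndef ALIGN`, or using a driver-local name such as `ORINOCO_ALIGN`, avoids the conflict. The macro is only correct for power-of-two `a`, which holds for the `2` used in the hunk below but deserves a comment: `/* round x up to a multiple of a; a must be a power of two */`.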
1749 @@ -2407,14 +2409,22 @@
1750 stats->tx_errors++;
1751 goto fail;
1752 }
1753 + /* Actual xfer length - allow for padding */
1754 + len = ALIGN(data_len, 2);
1755 + if (len < ETH_ZLEN - ETH_HLEN)
1756 + len = ETH_ZLEN - ETH_HLEN;
1757 } else { /* IEEE 802.3 frame */
1758 data_len = len + ETH_HLEN;
1759 data_off = HERMES_802_3_OFFSET;
1760 p = skb->data;
1761 + /* Actual xfer length - round up for odd length packets */
1762 + len = ALIGN(data_len, 2);
1763 + if (len < ETH_ZLEN)
1764 + len = ETH_ZLEN;
1765 }
1766
1767 - /* Round up for odd length packets */
1768 - err = hermes_bap_pwrite(hw, USER_BAP, p, RUP_EVEN(data_len), txfid, data_off);
1769 + err = hermes_bap_pwrite_pad(hw, USER_BAP, p, data_len, len,
1770 + txfid, data_off);
1771 if (err) {
1772 printk(KERN_ERR "%s: Error %d writing packet to BAP\n",
1773 dev->name, err);
1774 diff -urN linux-2.4.30/drivers/scsi/sd.c linux-2.4.30-hf32.3/drivers/scsi/sd.c
1775 --- linux-2.4.30/drivers/scsi/sd.c 2005-04-14 09:43:34.000000000 +0200
1776 +++ linux-2.4.30-hf32.3/drivers/scsi/sd.c 2006-03-18 00:34:06.000000000 +0100
1777 @@ -1472,6 +1472,7 @@
1778 kfree(sd_sizes);
1779 kfree(sd_blocksizes);
1780 kfree(sd_hardsizes);
1781 + kfree(sd_max_sectors);
1782 for (i = 0; i < N_USED_SD_MAJORS; i++) {
1783 kfree(sd_gendisks[i].de_arr);
1784 kfree(sd_gendisks[i].flags);
1785 @@ -1482,6 +1483,7 @@
1786 del_gendisk(&sd_gendisks[i]);
1787 blksize_size[SD_MAJOR(i)] = NULL;
1788 hardsect_size[SD_MAJOR(i)] = NULL;
1789 + max_sectors[SD_MAJOR(i)] = NULL;
1790 read_ahead[SD_MAJOR(i)] = 0;
1791 }
1792 sd_template.dev_max = 0;
1793 diff -urN linux-2.4.30/drivers/usb/serial/io_edgeport.c linux-2.4.30-hf32.3/drivers/usb/serial/io_edgeport.c
1794 --- linux-2.4.30/drivers/usb/serial/io_edgeport.c 2005-01-27 18:57:33.000000000 +0100
1795 +++ linux-2.4.30-hf32.3/drivers/usb/serial/io_edgeport.c 2006-03-18 00:34:06.000000000 +0100
1796 @@ -2803,9 +2803,13 @@
1797 static void unicode_to_ascii (char *string, short *unicode, int unicode_size)
1798 {
1799 int i;
1800 - for (i = 0; i < unicode_size; ++i) {
1801 +
1802 + if (unicode_size <= 0)
1803 + return;
1804 +
1805 + for (i = 0; i < unicode_size; ++i)
1806 string[i] = (char)(le16_to_cpu(unicode[i]));
1807 - }
1808 +
1809 string[unicode_size] = 0x00;
1810 }
1811
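Review bot: The early return for `unicode_size <= 0` also skips the terminator write, so a zero-length input now leaves `string` unterminated where it previously produced an empty string; callers that use the output as a C string (outside the hunk) would read stale bytes. Writing the terminator before returning, `if (unicode_size <= 0) { string[0] = 0x00; return; }`, keeps the empty-string behavior while still rejecting negative sizes. The function still trusts the caller to provide `unicode_size + 1` bytes in `string` and silently truncates each 16-bit code unit to `char`; both are pre-existing and worth a comment on the signature.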
1812 diff -urN linux-2.4.30/fs/binfmt_elf.c linux-2.4.30-hf32.3/fs/binfmt_elf.c
1813 --- linux-2.4.30/fs/binfmt_elf.c 2005-04-14 09:43:34.000000000 +0200
1814 +++ linux-2.4.30-hf32.3/fs/binfmt_elf.c 2006-03-18 00:34:06.000000000 +0100
1815 @@ -222,7 +222,7 @@
1816 }
1817
1818 __put_user((elf_addr_t)argc,--sp);
1819 - current->mm->arg_start = (unsigned long) p;
1820 + current->mm->arg_end = current->mm->arg_start = (unsigned long) p;
1821 while (argc-->0) {
1822 __put_user((elf_caddr_t)(unsigned long)p,argv++);
1823 len = strnlen_user(p, PAGE_SIZE*MAX_ARG_PAGES);
1824 @@ -643,6 +643,11 @@
1825 SET_PERSONALITY(elf_ex, ibcs2_interpreter);
1826 }
1827
1828 + if (BAD_ADDR(elf_ex.e_entry)) {
1829 + retval = -ENOEXEC;
1830 + goto out_free_dentry;
1831 + }
1832 +
1833 /* OK, we are done with that, now set up the arg stuff,
1834 and then start this sucker up */
1835
1836 @@ -820,7 +825,7 @@
1837 printk(KERN_ERR "Unable to load interpreter %.128s\n",
1838 elf_interpreter);
1839 force_sig(SIGSEGV, current);
1840 - retval = -ENOEXEC; /* Nobody gets to see this, but.. */
1841 + retval = IS_ERR((void *)elf_entry) ? PTR_ERR((void *)elf_entry) : -ENOEXEC;
1842 goto out_free_dentry;
1843 }
1844 reloc_func_desc = interp_load_addr;
1845 @@ -1159,7 +1164,7 @@
1846 /* first copy the parameters from user space */
1847 memset(&psinfo, 0, sizeof(psinfo));
1848 {
1849 - int i, len;
1850 + unsigned int i, len;
1851
1852 len = current->mm->arg_end - current->mm->arg_start;
1853 if (len >= ELF_PRARGSZ)
1854 diff -urN linux-2.4.30/fs/buffer.c linux-2.4.30-hf32.3/fs/buffer.c
1855 --- linux-2.4.30/fs/buffer.c 2004-11-17 12:54:21.000000000 +0100
1856 +++ linux-2.4.30-hf32.3/fs/buffer.c 2006-03-18 00:34:06.000000000 +0100
1857 @@ -584,7 +584,7 @@
1858 (*bhp)->b_prev_free->b_next_free = bh;
1859 (*bhp)->b_prev_free = bh;
1860 nr_buffers_type[blist]++;
1861 - size_buffers_type[blist] += bh->b_size;
1862 + size_buffers_type[blist] += bh->b_size >> 9;
1863 }
1864
1865 static void __remove_from_lru_list(struct buffer_head * bh)
1866 @@ -604,7 +604,7 @@
1867 bh->b_next_free = NULL;
1868 bh->b_prev_free = NULL;
1869 nr_buffers_type[blist]--;
1870 - size_buffers_type[blist] -= bh->b_size;
1871 + size_buffers_type[blist] -= bh->b_size >> 9;
1872 }
1873 }
1874
1875 @@ -1033,7 +1033,7 @@
1876 {
1877 unsigned long dirty, tot, hard_dirty_limit, soft_dirty_limit;
1878
1879 - dirty = size_buffers_type[BUF_DIRTY] >> PAGE_SHIFT;
1880 + dirty = size_buffers_type[BUF_DIRTY] >> (PAGE_SHIFT - 9);
1881 tot = nr_free_buffer_pages();
1882
1883 dirty *= 100;
1884 @@ -1054,7 +1054,7 @@
1885 {
1886 unsigned long dirty, tot, dirty_limit;
1887
1888 - dirty = size_buffers_type[BUF_DIRTY] >> PAGE_SHIFT;
1889 + dirty = size_buffers_type[BUF_DIRTY] >> (PAGE_SHIFT - 9);
1890 tot = nr_free_buffer_pages();
1891
1892 dirty *= 100;
1893 @@ -2839,7 +2839,7 @@
1894 }
1895 printk("%9s: %d buffers, %lu kbyte, %d used (last=%d), "
1896 "%d locked, %d dirty, %d delay\n",
1897 - buf_types[nlist], found, size_buffers_type[nlist]>>10,
1898 + buf_types[nlist], found, size_buffers_type[nlist]>>(10-9),
1899 used, lastused, locked, dirty, delalloc);
1900 }
1901 spin_unlock(&lru_list_lock);
1902 diff -urN linux-2.4.30/fs/dcache.c linux-2.4.30-hf32.3/fs/dcache.c
1903 --- linux-2.4.30/fs/dcache.c 2004-11-17 12:54:21.000000000 +0100
1904 +++ linux-2.4.30-hf32.3/fs/dcache.c 2006-03-18 00:34:06.000000000 +0100
1905 @@ -221,7 +221,7 @@
1906 static inline struct dentry * __dget_locked(struct dentry *dentry)
1907 {
1908 atomic_inc(&dentry->d_count);
1909 - if (atomic_read(&dentry->d_count) == 1) {
1910 + if (!list_empty(&dentry->d_lru)) {
1911 dentry_stat.nr_unused--;
1912 list_del_init(&dentry->d_lru);
1913 }
1914 diff -urN linux-2.4.30/fs/inode.c linux-2.4.30-hf32.3/fs/inode.c
1915 --- linux-2.4.30/fs/inode.c 2004-04-14 15:05:40.000000000 +0200
1916 +++ linux-2.4.30-hf32.3/fs/inode.c 2006-03-18 00:34:06.000000000 +0100
1917 @@ -297,7 +297,7 @@
1918 {
1919 struct list_head *to;
1920
1921 - if (inode->i_state & I_FREEING)
1922 + if (inode->i_state & (I_FREEING|I_CLEAR))
1923 return;
1924 if (list_empty(&inode->i_hash))
1925 return;
1926 @@ -634,7 +634,9 @@
1927 cdput(inode->i_cdev);
1928 inode->i_cdev = NULL;
1929 }
1930 + spin_lock(&inode_lock);
1931 inode->i_state = I_CLEAR;
1932 + spin_unlock(&inode_lock);
1933 }
1934
1935 /*
1936 @@ -852,8 +854,8 @@
1937 */
1938 if (goal <= 0)
1939 return;
1940 - if (inodes_stat.nr_unused * sizeof(struct inode) * 10 <
1941 - freeable_lowmem() * PAGE_SIZE)
1942 + if (inodes_stat.nr_unused <
1943 + (freeable_lowmem() * PAGE_SIZE) / (sizeof(struct inode) * 10))
1944 return;
1945
1946 wakeup_bdflush();
1947 diff -urN linux-2.4.30/fs/isofs/compress.c linux-2.4.30-hf32.3/fs/isofs/compress.c
1948 --- linux-2.4.30/fs/isofs/compress.c 2002-11-29 00:53:15.000000000 +0100
1949 +++ linux-2.4.30-hf32.3/fs/isofs/compress.c 2006-03-18 00:34:06.000000000 +0100
1950 @@ -147,8 +147,14 @@
1951 cend = le32_to_cpu(*(u32 *)(bh->b_data + (blockendptr & bufmask)));
1952 brelse(bh);
1953
1954 + if (cstart > cend)
1955 + goto eio;
1956 +
1957 csize = cend-cstart;
1958
1959 + if (csize > deflateBound(1UL << zisofs_block_shift))
1960 + goto eio;
1961 +
1962 /* Now page[] contains an array of pages, any of which can be NULL,
1963 and the locks on which we hold. We should now read the data and
1964 release the pages. If the pages are NULL the decompressed data
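Review bot: The two new guards reject inverted and oversized extents, but nothing says where `cstart`/`cend` come from, which is the whole point of the checks: they are read from the on-disk block pointer table two lines above (`le32_to_cpu(*(u32 *)(bh->b_data + ...))`), so a crafted image controls them. A comment such as `/* cstart/cend are untrusted on-disk block pointers: an extent cannot have negative length or exceed deflateBound() of the block size */` would anchor both checks. The `eio` label is outside the hunk, so whether it releases the pages already locked cannot be confirmed here.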
1965 diff -urN linux-2.4.30/fs/isofs/inode.c linux-2.4.30-hf32.3/fs/isofs/inode.c
1966 --- linux-2.4.30/fs/isofs/inode.c 2005-04-14 09:43:34.000000000 +0200
1967 +++ linux-2.4.30-hf32.3/fs/isofs/inode.c 2006-03-18 00:34:06.000000000 +0100
1968 @@ -335,16 +335,16 @@
1969 else if (!strcmp(value,"acorn")) popt->map = 'a';
1970 else return 0;
1971 }
1972 - if (!strcmp(this_char,"session") && value) {
1973 + else if (!strcmp(this_char,"session") && value) {
1974 char * vpnt = value;
1975 unsigned int ivalue = simple_strtoul(vpnt, &vpnt, 0);
1976 - if(ivalue < 0 || ivalue >99) return 0;
1977 + if (ivalue > 99) return 0;
1978 popt->session=ivalue+1;
1979 }
1980 - if (!strcmp(this_char,"sbsector") && value) {
1981 + else if (!strcmp(this_char,"sbsector") && value) {
1982 char * vpnt = value;
1983 unsigned int ivalue = simple_strtoul(vpnt, &vpnt, 0);
1984 - if(ivalue < 0 || ivalue >660*512) return 0;
1985 + if (ivalue > 660*512) return 0;
1986 popt->sbsector=ivalue;
1987 }
1988 else if (!strcmp(this_char,"check") && value) {
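Review bot: The replacement bounds checks `if (ivalue > 99) return 0;` and `if (ivalue > 660*512) return 0;` still accept a value that `simple_strtoul` did not parse at all: for a non-numeric `value`, `ivalue` is 0 and `vpnt` is left at `value`, so `session=abc` silently becomes session 1 and `sbsector=abc` sector 0. Rejecting unparsed or trailing input, `if (vpnt == value || *vpnt || ivalue > 99) return 0;` (and the same shape for `sbsector`), makes these options fail closed the way the neighbouring `map=` branch does with `else return 0;`. The enclosing option loop starts and ends outside the hunk.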
1989 diff -urN linux-2.4.30/fs/jfs/super.c linux-2.4.30-hf32.3/fs/jfs/super.c
1990 --- linux-2.4.30/fs/jfs/super.c 2005-04-14 09:43:34.000000000 +0200
1991 +++ linux-2.4.30-hf32.3/fs/jfs/super.c 2006-03-18 00:34:06.000000000 +0100
1992 @@ -407,7 +407,7 @@
1993 jfs_err("jfs_umount failed with return code %d", rc);
1994 }
1995 out_kfree:
1996 - if (sbi->nls_tab)
1997 + if (sbi->nls_tab && sbi->nls_tab != (void *) -1)
1998 unload_nls(sbi->nls_tab);
1999 kfree(sbi);
2000 return NULL;
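Review bot: The `(void *) -1` sentinel in the new `sbi->nls_tab` test is unexplained at the point of use, so a reader of this cleanup path cannot tell that it is not a real table. Presumably the option parser earlier in the file stores `-1` to mean "no NLS table"; if so, say it, e.g. `/* (void *)-1 is the parser's "no nls table" marker, not a loaded table: do not unload it */`, or better, compare against a named constant defined next to where the parser sets it.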
2001 diff -urN linux-2.4.30/fs/locks.c linux-2.4.30-hf32.3/fs/locks.c
2002 --- linux-2.4.30/fs/locks.c 2004-04-14 15:05:40.000000000 +0200
2003 +++ linux-2.4.30-hf32.3/fs/locks.c 2006-03-18 00:34:06.000000000 +0100
2004 @@ -1087,7 +1087,6 @@
2005 before = &fl->fl_next;
2006 continue;
2007 }
2008 - printk(KERN_INFO "lease broken - owner pid = %d\n", fl->fl_pid);
2009 lease_modify(before, fl->fl_type & ~F_INPROGRESS);
2010 if (fl == *before) /* lease_modify may have freed fl */
2011 before = &fl->fl_next;
2012 diff -urN linux-2.4.30/fs/nfs/nfs2xdr.c linux-2.4.30-hf32.3/fs/nfs/nfs2xdr.c
2013 --- linux-2.4.30/fs/nfs/nfs2xdr.c 2002-11-29 00:53:15.000000000 +0100
2014 +++ linux-2.4.30-hf32.3/fs/nfs/nfs2xdr.c 2006-03-18 00:34:06.000000000 +0100
2015 @@ -571,8 +571,11 @@
2016 strlen = (u32*)kmap(rcvbuf->pages[0]);
2017 /* Convert length of symlink */
2018 len = ntohl(*strlen);
2019 - if (len > rcvbuf->page_len)
2020 - len = rcvbuf->page_len;
2021 + if (len >= rcvbuf->page_len - sizeof(u32) || len > NFS2_MAXPATHLEN) {
2022 + dprintk("NFS: server returned giant symlink!\n");
2023 + kunmap(rcvbuf->pages[0]);
2024 + return -ENAMETOOLONG;
2025 + }
2026 *strlen = len;
2027 /* NULL terminate the string we got */
2028 string = (char *)(strlen + 1);
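Review bot: The new bound `len >= rcvbuf->page_len - sizeof(u32)` is an unsigned subtraction, so if `page_len` were ever smaller than 4 the right-hand side wraps to a huge value and that clause passes everything; here the `len > NFS2_MAXPATHLEN` clause still caps `len`, but the parallel hunk in fs/nfs/nfs3xdr.c has no second clause. The code has already read four bytes through `*strlen`, so `page_len >= sizeof(u32)` is presumably an invariant of the receive buffer; stating it makes the subtraction obviously safe, e.g. `/* page_len >= sizeof(u32): the length word was just read from it */`. The `kunmap` before `return -ENAMETOOLONG` correctly pairs with the `kmap` above.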
2029 diff -urN linux-2.4.30/fs/nfs/nfs3xdr.c linux-2.4.30-hf32.3/fs/nfs/nfs3xdr.c
2030 --- linux-2.4.30/fs/nfs/nfs3xdr.c 2003-11-28 19:26:21.000000000 +0100
2031 +++ linux-2.4.30-hf32.3/fs/nfs/nfs3xdr.c 2006-03-18 00:34:06.000000000 +0100
2032 @@ -759,8 +759,11 @@
2033 strlen = (u32*)kmap(rcvbuf->pages[0]);
2034 /* Convert length of symlink */
2035 len = ntohl(*strlen);
2036 - if (len > rcvbuf->page_len)
2037 - len = rcvbuf->page_len;
2038 + if (len >= rcvbuf->page_len - sizeof(u32)) {
2039 + dprintk("NFS: server returned giant symlink!\n");
2040 + kunmap(rcvbuf->pages[0]);
2041 + return -ENAMETOOLONG;
2042 + }
2043 *strlen = len;
2044 /* NULL terminate the string we got */
2045 string = (char *)(strlen + 1);
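Review bot: Unlike the matching nfs2xdr.c hunk, this check bounds `len` only by the receive page (`len >= rcvbuf->page_len - sizeof(u32)`) and not by the protocol maximum, so a symlink target of almost a page is accepted where the v2 decoder stops at `NFS2_MAXPATHLEN`. If this tree's v3 headers define the equivalent constant (upstream calls it `NFS3_MAXPATHLEN`), adding `|| len > NFS3_MAXPATHLEN` keeps the two decoders symmetric and rejects oversized targets at the earliest point. The enclosing decode function continues past the hunk.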
2046 diff -urN linux-2.4.30/fs/proc/base.c linux-2.4.30-hf32.3/fs/proc/base.c
2047 --- linux-2.4.30/fs/proc/base.c 2005-01-27 18:57:33.000000000 +0100
2048 +++ linux-2.4.30-hf32.3/fs/proc/base.c 2006-03-18 00:34:06.000000000 +0100
2049 @@ -185,8 +185,12 @@
2050 int res = 0;
2051 task_lock(task);
2052 mm = task->mm;
2053 - if (mm)
2054 - atomic_inc(&mm->mm_users);
2055 + if (mm) {
2056 + if (mm->arg_end)
2057 + atomic_inc(&mm->mm_users);
2058 + else
2059 + mm = NULL;
2060 + }
2061 task_unlock(task);
2062 if (mm && mm->arg_start && mm->arg_start < mm->arg_end) {
2063 unsigned long len = mm->arg_end - mm->arg_start;
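Review bot: The new `if (mm->arg_end)` test is one half of a protocol whose other half is in fs/binfmt_elf.c (this same patch now sets `arg_end` together with `arg_start`), and nothing here says so; the next reader will not know why `arg_end == 0` means "treat as no mm". Suggested comment above the test: `/* arg_end stays 0 until exec has laid out the argument area; do not read a half-built mm — see binfmt_elf.c */`. The rest of the function, including the release of the `mm_users` reference taken here, is outside the hunk.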
2064 diff -urN linux-2.4.30/fs/smbfs/proc.c linux-2.4.30-hf32.3/fs/smbfs/proc.c
2065 --- linux-2.4.30/fs/smbfs/proc.c 2004-11-17 12:54:21.000000000 +0100
2066 +++ linux-2.4.30-hf32.3/fs/smbfs/proc.c 2006-03-18 00:34:06.000000000 +0100
2067 @@ -2945,7 +2945,7 @@
2068 LSET(data, 32, SMB_TIME_NO_CHANGE);
2069 LSET(data, 40, SMB_UID_NO_CHANGE);
2070 LSET(data, 48, SMB_GID_NO_CHANGE);
2071 - LSET(data, 56, smb_filetype_from_mode(attr->ia_mode));
2072 + DSET(data, 56, smb_filetype_from_mode(attr->ia_mode));
2073 LSET(data, 60, major);
2074 LSET(data, 68, minor);
2075 LSET(data, 76, 0);
2076 diff -urN linux-2.4.30/fs/xfs/linux-2.4/xfs_buf.c linux-2.4.30-hf32.3/fs/xfs/linux-2.4/xfs_buf.c
2077 --- linux-2.4.30/fs/xfs/linux-2.4/xfs_buf.c 2005-01-27 18:57:33.000000000 +0100
2078 +++ linux-2.4.30-hf32.3/fs/xfs/linux-2.4/xfs_buf.c 2006-03-18 00:34:06.000000000 +0100
2079 @@ -1073,7 +1073,7 @@
2080 return(locked ? 0 : -EBUSY);
2081 }
2082
2083 -#ifdef DEBUG
2084 +#if defined(DEBUG) || defined(XFS_BLI_TRACE)
2085 /*
2086 * pagebuf_lock_value
2087 *
2088 diff -urN linux-2.4.30/include/asm-i386/system.h linux-2.4.30-hf32.3/include/asm-i386/system.h
2089 --- linux-2.4.30/include/asm-i386/system.h 2005-03-26 10:13:13.000000000 +0100
2090 +++ linux-2.4.30-hf32.3/include/asm-i386/system.h 2006-03-18 00:34:06.000000000 +0100
2091 @@ -84,7 +84,7 @@
2092 #define loadsegment(seg,value) \
2093 asm volatile("\n" \
2094 "1:\t" \
2095 - "movl %0,%%" #seg "\n" \
2096 + "mov %0,%%" #seg "\n" \
2097 "2:\n" \
2098 ".section .fixup,\"ax\"\n" \
2099 "3:\t" \
2100 @@ -96,7 +96,7 @@
2101 ".align 4\n\t" \
2102 ".long 1b,3b\n" \
2103 ".previous" \
2104 - : :"m" (*(unsigned int *)&(value)))
2105 + : :"m" (value))
2106
2107 /*
2108 * Clear and set 'TS' bit respectively
2109 diff -urN linux-2.4.30/include/asm-x86_64/desc.h linux-2.4.30-hf32.3/include/asm-x86_64/desc.h
2110 --- linux-2.4.30/include/asm-x86_64/desc.h 2004-08-08 01:26:06.000000000 +0200
2111 +++ linux-2.4.30-hf32.3/include/asm-x86_64/desc.h 2006-03-18 00:34:06.000000000 +0100
2112 @@ -128,7 +128,7 @@
2113
2114 static inline void set_tss_desc(unsigned n, void *addr)
2115 {
2116 - set_tssldt_descriptor((void *)&gdt_table + __CPU_DESC_INDEX(n,tss), (unsigned long)addr, DESC_TSS, sizeof(struct tss_struct));
2117 + set_tssldt_descriptor((void *)&gdt_table + __CPU_DESC_INDEX(n,tss), (unsigned long)addr, DESC_TSS, IO_BITMAP_OFFSET + IO_BITMAP_BYTES + 7);
2118 }
2119
2120 static inline void set_ldt_desc(unsigned n, void *addr, int size)
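Review bot: The new TSS limit `IO_BITMAP_OFFSET + IO_BITMAP_BYTES + 7` replaces the self-describing `sizeof(struct tss_struct)` with an expression containing a bare `7`, and nothing records what the 7 accounts for. Presumably it covers the byte the CPU expects after the I/O bitmap together with the limit being inclusive, but that belongs in a comment at the use, e.g. `/* limit is inclusive and must cover the byte following the bitmap */`, or in a named constant next to `IO_BITMAP_BYTES` in processor.h.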
2121 diff -urN linux-2.4.30/include/asm-x86_64/processor.h linux-2.4.30-hf32.3/include/asm-x86_64/processor.h
2122 --- linux-2.4.30/include/asm-x86_64/processor.h 2004-04-14 15:05:40.000000000 +0200
2123 +++ linux-2.4.30-hf32.3/include/asm-x86_64/processor.h 2006-03-18 00:34:06.000000000 +0100
2124 @@ -260,6 +260,7 @@
2125 * Size of io_bitmap in longwords: 32 is ports 0-0x3ff.
2126 */
2127 #define IO_BITMAP_SIZE 32
2128 +#define IO_BITMAP_BYTES (IO_BITMAP_SIZE * sizeof(u32))
2129 #define IO_BITMAP_OFFSET offsetof(struct tss_struct,io_bitmap)
2130 #define INVALID_IO_BITMAP_OFFSET 0x8000
2131
2132 @@ -325,10 +326,9 @@
2133 #define INIT_MMAP \
2134 { &init_mm, 0, 0, NULL, PAGE_SHARED, VM_READ | VM_WRITE | VM_EXEC, 1, NULL, NULL }
2135
2136 -#define STACKFAULT_STACK 1
2137 -#define DOUBLEFAULT_STACK 2
2138 -#define NMI_STACK 3
2139 -#define N_EXCEPTION_STACKS 3 /* hw limit: 7 */
2140 +#define DOUBLEFAULT_STACK 1
2141 +#define NMI_STACK 2
2142 +#define N_EXCEPTION_STACKS 2 /* hw limit: 7 */
2143 #define EXCEPTION_STKSZ PAGE_SIZE
2144 #define EXCEPTION_STK_ORDER 0
2145
2146 diff -urN linux-2.4.30/include/linux/delay.h linux-2.4.30-hf32.3/include/linux/delay.h
2147 --- linux-2.4.30/include/linux/delay.h 2005-11-18 12:45:36.000000000 +0100
2148 +++ linux-2.4.30-hf32.3/include/linux/delay.h 2006-03-18 00:34:06.000000000 +0100
2149 @@ -14,6 +14,24 @@
2150 #include <asm/delay.h>
2151
2152 /*
2153 + * We define MAX_MSEC_OFFSET as the maximal value that can be accepted by
2154 + * msecs_to_jiffies() without risking a multiply overflow. This function
2155 + * returns MAX_JIFFY_OFFSET for arguments above those values.
2156 + */
2157 +
2158 +#if HZ <= 1000 && !(1000 % HZ)
2159 +# define MAX_MSEC_OFFSET \
2160 + (ULONG_MAX - (1000 / HZ) + 1)
2161 +#elif HZ > 1000 && !(HZ % 1000)
2162 +# define MAX_MSEC_OFFSET \
2163 + (ULONG_MAX / (HZ / 1000))
2164 +#else
2165 +# define MAX_MSEC_OFFSET \
2166 + ((ULONG_MAX - 999) / HZ)
2167 +#endif
2168 +
2169 +
2170 +/*
2171 * Convert jiffies to milliseconds and back.
2172 *
2173 * Avoid unnecessary multiplications/divisions in the
2174 @@ -43,14 +61,14 @@
2175
2176 static inline unsigned long msecs_to_jiffies(const unsigned int m)
2177 {
2178 - if (m > jiffies_to_msecs(MAX_JIFFY_OFFSET))
2179 + if (MAX_MSEC_OFFSET < UINT_MAX && m > (unsigned int)MAX_MSEC_OFFSET)
2180 return MAX_JIFFY_OFFSET;
2181 #if HZ <= 1000 && !(1000 % HZ)
2182 - return (m + (1000 / HZ) - 1) / (1000 / HZ);
2183 + return ((unsigned long)m + (1000 / HZ) - 1) / (1000 / HZ);
2184 #elif HZ > 1000 && !(HZ % 1000)
2185 - return m * (HZ / 1000);
2186 + return (unsigned long)m * (HZ / 1000);
2187 #else
2188 - return (m * HZ + 999) / 1000;
2189 + return ((unsigned long)m * HZ + 999) / 1000;
2190 #endif
2191 }
2192
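Review bot: The new guard `MAX_MSEC_OFFSET < UINT_MAX && m > (unsigned int)MAX_MSEC_OFFSET` compares two compile-time constants and its purpose is not stated: where `unsigned long` is wider than `unsigned int` the bound exceeds `UINT_MAX`, the whole test folds away and the widened arithmetic below cannot wrap; where the two types are the same width the test is live and prevents the add or multiply from overflowing. A comment on the `if` line saying exactly that would stop a reader from "simplifying" it away, e.g. `/* folds away when long is wider than int; otherwise keeps the arithmetic below from wrapping */`.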
2193 diff -urN linux-2.4.30/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.4.30-hf32.3/include/linux/netfilter_ipv4/ip_conntrack.h
2194 --- linux-2.4.30/include/linux/netfilter_ipv4/ip_conntrack.h 2005-07-27 13:13:58.000000000 +0200
2195 +++ linux-2.4.30-hf32.3/include/linux/netfilter_ipv4/ip_conntrack.h 2006-03-18 00:34:06.000000000 +0100
2196 @@ -229,7 +229,7 @@
2197 ip_conntrack_get(struct sk_buff *skb, enum ip_conntrack_info *ctinfo);
2198
2199 /* decrement reference count on a conntrack */
2200 -extern inline void ip_conntrack_put(struct ip_conntrack *ct);
2201 +extern void ip_conntrack_put(struct ip_conntrack *ct);
2202
2203 /* find unconfirmed expectation based on tuple */
2204 struct ip_conntrack_expect *
2205 diff -urN linux-2.4.30/include/linux/netfilter_ipv4/ip_nat_rule.h linux-2.4.30-hf32.3/include/linux/netfilter_ipv4/ip_nat_rule.h
2206 --- linux-2.4.30/include/linux/netfilter_ipv4/ip_nat_rule.h 2006-01-29 08:38:54.000000000 +0100
2207 +++ linux-2.4.30-hf32.3/include/linux/netfilter_ipv4/ip_nat_rule.h 2006-03-18 00:34:06.000000000 +0100
2208 @@ -19,5 +19,10 @@
2209 alloc_null_binding(struct ip_conntrack *conntrack,
2210 struct ip_nat_info *info,
2211 unsigned int hooknum);
2212 +
2213 +extern unsigned int
2214 +alloc_null_binding_confirmed(struct ip_conntrack *conntrack,
2215 + struct ip_nat_info *info,
2216 + unsigned int hooknum);
2217 #endif
2218 #endif /* _IP_NAT_RULE_H */
2219 diff -urN linux-2.4.30/include/linux/proc_fs.h linux-2.4.30-hf32.3/include/linux/proc_fs.h
2220 --- linux-2.4.30/include/linux/proc_fs.h 2005-12-04 19:00:23.000000000 +0100
2221 +++ linux-2.4.30-hf32.3/include/linux/proc_fs.h 2006-03-18 00:34:06.000000000 +0100
2222 @@ -70,6 +70,7 @@
2223 atomic_t count; /* use count */
2224 int deleted; /* delete flag */
2225 kdev_t rdev;
2226 + void *set;
2227 };
2228
2229 #define PROC_INODE_PROPER(inode) ((inode)->i_ino & ~0xffff)
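Review bot: The new `void *set;` member is typeless although every user in this patch treats it as a `struct ctl_table_header *` — kernel/sysctl.c passes `de->set` straight to `use_table()`/`unuse_table()`, whose parameter has that type, and `register_proc_table()` receives it as `void *set` only to store it here. Declaring it `struct ctl_table_header *set;` behind a forward declaration `struct ctl_table_header;` would let the compiler catch a wrong pointer being stored. A one-line comment on the field's role would also help, e.g. `/* owning sysctl table header, for use_table()/unuse_table() */`.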
2230 diff -urN linux-2.4.30/include/linux/sysctl.h linux-2.4.30-hf32.3/include/linux/sysctl.h
2231 --- linux-2.4.30/include/linux/sysctl.h 2005-11-02 10:29:31.000000000 +0100
2232 +++ linux-2.4.30-hf32.3/include/linux/sysctl.h 2006-03-18 00:34:06.000000000 +0100
2233 @@ -29,6 +29,7 @@
2234 #include <linux/list.h>
2235
2236 struct file;
2237 +struct completion;
2238
2239 #define CTL_MAXNAME 10
2240
2241 @@ -829,6 +830,8 @@
2242 {
2243 ctl_table *ctl_table;
2244 struct list_head ctl_entry;
2245 + int used;
2246 + struct completion *unregistering;
2247 };
2248
2249 struct ctl_table_header * register_sysctl_table(ctl_table * table,
2250 diff -urN linux-2.4.30/include/linux/zlib.h linux-2.4.30-hf32.3/include/linux/zlib.h
2251 --- linux-2.4.30/include/linux/zlib.h 2005-11-18 12:46:17.000000000 +0100
2252 +++ linux-2.4.30-hf32.3/include/linux/zlib.h 2006-03-18 00:34:06.000000000 +0100
2253 @@ -516,6 +516,11 @@
2254 stream state was inconsistent (such as zalloc or state being NULL).
2255 */
2256
2257 +static inline unsigned long deflateBound(unsigned long s)
2258 +{
2259 + return s + ((s + 7) >> 3) + ((s + 63) >> 6) + 11;
2260 +}
2261 +
2262 ZEXTERN int ZEXPORT zlib_deflateParams OF((z_streamp strm,
2263 int level,
2264 int strategy));
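Review bot: `deflateBound()` is added with no comment on what it computes or why it lives in this header, although its only caller in this patch (fs/isofs/compress.c) uses it as a security bound on sizes read from untrusted media. Suggested header comment: `/* Upper bound on deflate output for s input bytes (zlib's deflateBound formula); used to validate compressed-block sizes read from media */`. The arithmetic can wrap for `s` near `ULONG_MAX`; the present caller passes `1UL << zisofs_block_shift`, which is small, but that limit belongs in the comment too.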
2265 diff -urN linux-2.4.30/include/net/ax25.h linux-2.4.30-hf32.3/include/net/ax25.h
2266 --- linux-2.4.30/include/net/ax25.h 2005-11-18 12:45:59.000000000 +0100
2267 +++ linux-2.4.30-hf32.3/include/net/ax25.h 2006-03-18 00:34:06.000000000 +0100
2268 @@ -142,7 +142,7 @@
2269 ax25_address calls[AX25_MAX_DIGIS];
2270 unsigned char repeated[AX25_MAX_DIGIS];
2271 unsigned char ndigi;
2272 - char lastrepeat;
2273 + signed char lastrepeat;
2274 } ax25_digi;
2275
2276 typedef struct ax25_route {
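Review bot: `signed char lastrepeat` is changed without a comment, and the reason is not obvious from the declaration: plain `char` is unsigned on some architectures, so a field that presumably stores -1 (a "no repeat" marker) compares wrong there. Record it at the field: `signed char lastrepeat; /* may hold -1; plain char is unsigned on some arches */`.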
2277 diff -urN linux-2.4.30/include/net/ip6_fib.h linux-2.4.30-hf32.3/include/net/ip6_fib.h
2278 --- linux-2.4.30/include/net/ip6_fib.h 2005-09-01 16:18:27.000000000 +0200
2279 +++ linux-2.4.30-hf32.3/include/net/ip6_fib.h 2006-03-18 00:34:06.000000000 +0100
2280 @@ -171,13 +171,16 @@
2281
2282 extern int fib6_add(struct fib6_node *root,
2283 struct rt6_info *rt,
2284 - struct nlmsghdr *nlh);
2285 + struct nlmsghdr *nlh,
2286 + struct netlink_skb_parms *req);
2287
2288 extern int fib6_del(struct rt6_info *rt,
2289 - struct nlmsghdr *nlh);
2290 + struct nlmsghdr *nlh,
2291 + struct netlink_skb_parms *req);
2292
2293 extern void inet6_rt_notify(int event, struct rt6_info *rt,
2294 - struct nlmsghdr *nlh);
2295 + struct nlmsghdr *nlh,
2296 + struct netlink_skb_parms *req);
2297
2298 extern void fib6_run_gc(unsigned long dummy);
2299
2300 diff -urN linux-2.4.30/include/net/ip6_route.h linux-2.4.30-hf32.3/include/net/ip6_route.h
2301 --- linux-2.4.30/include/net/ip6_route.h 2005-09-01 16:18:27.000000000 +0200
2302 +++ linux-2.4.30-hf32.3/include/net/ip6_route.h 2006-03-18 00:34:06.000000000 +0100
2303 @@ -39,9 +39,11 @@
2304 extern int ipv6_route_ioctl(unsigned int cmd, void *arg);
2305
2306 extern int ip6_route_add(struct in6_rtmsg *rtmsg,
2307 - struct nlmsghdr *);
2308 + struct nlmsghdr *,
2309 + struct netlink_skb_parms *req);
2310 extern int ip6_del_rt(struct rt6_info *,
2311 - struct nlmsghdr *);
2312 + struct nlmsghdr *,
2313 + struct netlink_skb_parms *req);
2314
2315 extern int ip6_rt_addr_add(struct in6_addr *addr,
2316 struct net_device *dev);
2317 diff -urN linux-2.4.30/include/net/ip_vs.h linux-2.4.30-hf32.3/include/net/ip_vs.h
2318 --- linux-2.4.30/include/net/ip_vs.h 2005-09-01 16:18:30.000000000 +0200
2319 +++ linux-2.4.30-hf32.3/include/net/ip_vs.h 2006-03-18 00:34:06.000000000 +0100
2320 @@ -82,6 +82,7 @@
2321 #define IP_VS_CONN_F_IN_SEQ 0x0400 /* must do input seq adjust */
2322 #define IP_VS_CONN_F_SEQ_MASK 0x0600 /* in/out sequence mask */
2323 #define IP_VS_CONN_F_NO_CPORT 0x0800 /* no client port set yet */
2324 +#define IP_VS_CONN_F_TEMPLATE 0x1000 /* template, not connection */
2325
2326 /* Move it to better place one day, for now keep it unique */
2327 #define NFC_IPVS_PROPERTY 0x10000
2328 @@ -592,6 +593,8 @@
2329
2330 extern struct ip_vs_conn *ip_vs_conn_in_get
2331 (int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port);
2332 +extern struct ip_vs_conn *ip_vs_ct_in_get
2333 +(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port);
2334 extern struct ip_vs_conn *ip_vs_conn_out_get
2335 (int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port);
2336
2337 diff -urN linux-2.4.30/kernel/kmod.c linux-2.4.30-hf32.3/kernel/kmod.c
2338 --- linux-2.4.30/kernel/kmod.c 2003-11-28 19:26:21.000000000 +0100
2339 +++ linux-2.4.30-hf32.3/kernel/kmod.c 2006-03-18 00:34:06.000000000 +0100
2340 @@ -125,6 +125,8 @@
2341 curtask->euid = curtask->uid = curtask->suid = curtask->fsuid = 0;
2342 curtask->egid = curtask->gid = curtask->sgid = curtask->fsgid = 0;
2343
2344 + memcpy(&curtask->rlim, &init_task.rlim, sizeof(struct rlimit)*RLIM_NLIMITS);
2345 +
2346 curtask->ngroups = 0;
2347
2348 cap_set_full(curtask->cap_effective);
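Review bot: The new `memcpy(&curtask->rlim, &init_task.rlim, sizeof(struct rlimit)*RLIM_NLIMITS);` spells the size out by hand; `sizeof(curtask->rlim)` ties it to the field's declaration and cannot drift from it (assuming `rlim` is declared as an array of `RLIM_NLIMITS` entries, which this hunk does not show). It also deserves a why-comment alongside the uid/gid resets above it, since those show the intent for credentials but nothing says it for limits, e.g. `/* the helper runs with full privilege: take init's resource limits, not the requester's */`.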
2349 diff -urN linux-2.4.30/kernel/ptrace.c linux-2.4.30-hf32.3/kernel/ptrace.c
2350 --- linux-2.4.30/kernel/ptrace.c 2003-08-25 13:44:44.000000000 +0200
2351 +++ linux-2.4.30-hf32.3/kernel/ptrace.c 2006-03-18 00:34:06.000000000 +0100
2352 @@ -58,7 +58,7 @@
2353 task_lock(task);
2354 if (task->pid <= 1)
2355 goto bad;
2356 - if (task == current)
2357 + if (task->tgid == current->tgid)
2358 goto bad;
2359 if (!task->mm)
2360 goto bad;
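Review bot: The widened test `task->tgid == current->tgid` rejects every thread of the tracer's own thread group, not just `current`, but its `goto bad` reads exactly like the self-attach case and nothing marks the difference. Suggest `if (task->tgid == current->tgid) /* refuse to trace self or any sibling thread */`. The enclosing function and its `bad:` label are outside the hunk.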
2361 diff -urN linux-2.4.30/kernel/sysctl.c linux-2.4.30-hf32.3/kernel/sysctl.c
2362 --- linux-2.4.30/kernel/sysctl.c 2005-01-27 18:57:34.000000000 +0100
2363 +++ linux-2.4.30-hf32.3/kernel/sysctl.c 2006-03-18 00:34:06.000000000 +0100
2364 @@ -147,7 +147,7 @@
2365
2366 extern struct proc_dir_entry *proc_sys_root;
2367
2368 -static void register_proc_table(ctl_table *, struct proc_dir_entry *);
2369 +static void register_proc_table(ctl_table *, struct proc_dir_entry *, void *);
2370 static void unregister_proc_table(ctl_table *, struct proc_dir_entry *);
2371 #endif
2372
2373 @@ -360,10 +360,51 @@
2374
2375 extern void init_irq_proc (void);
2376
2377 +static spinlock_t sysctl_lock = SPIN_LOCK_UNLOCKED;
2378 +
2379 +/* called under sysctl_lock */
2380 +static int use_table(struct ctl_table_header *p)
2381 +{
2382 + if (unlikely(p->unregistering != NULL))
2383 + return 0;
2384 + p->used++;
2385 + return 1;
2386 +}
2387 +
2388 +/* called under sysctl_lock */
2389 +static void unuse_table(struct ctl_table_header *p)
2390 +{
2391 + if (!--p->used)
2392 + if (unlikely(p->unregistering != NULL))
2393 + complete(p->unregistering);
2394 +}
2395 +
2396 +/* called under sysctl_lock, will reacquire if has to wait */
2397 +static void start_unregistering(struct ctl_table_header *p)
2398 +{
2399 + /*
2400 + * if p->used is 0, nobody will ever touch that entry again;
2401 + * we'll eliminate all paths to it before dropping sysctl_lock
2402 + */
2403 + if (unlikely(p->used)) {
2404 + struct completion wait;
2405 + init_completion(&wait);
2406 + p->unregistering = &wait;
2407 + spin_unlock(&sysctl_lock);
2408 + wait_for_completion(&wait);
2409 + spin_lock(&sysctl_lock);
2410 + }
2411 + /*
2412 + * do not remove from the list until nobody holds it; walking the
2413 + * list in do_sysctl() relies on that.
2414 + */
2415 + list_del_init(&p->ctl_entry);
2416 +}
2417 +
2418 void __init sysctl_init(void)
2419 {
2420 #ifdef CONFIG_PROC_FS
2421 - register_proc_table(root_table, proc_sys_root);
2422 + register_proc_table(root_table, proc_sys_root, &root_table_header);
2423 init_irq_proc();
2424 #endif
2425 }
2426 @@ -372,6 +413,7 @@
2427 void *newval, size_t newlen)
2428 {
2429 struct list_head *tmp;
2430 + int error = -ENOTDIR;
2431
2432 if (nlen <= 0 || nlen >= CTL_MAXNAME)
2433 return -ENOTDIR;
2434 @@ -383,21 +425,31 @@
2435 if ((ssize_t)old_len < 0)
2436 return -EINVAL;
2437 }
2438 + spin_lock(&sysctl_lock);
2439 tmp = &root_table_header.ctl_entry;
2440 do {
2441 struct ctl_table_header *head =
2442 list_entry(tmp, struct ctl_table_header, ctl_entry);
2443 void *context = NULL;
2444 - int error = parse_table(name, nlen, oldval, oldlenp,
2445 +
2446 + if (!use_table(head))
2447 + continue;
2448 +
2449 + spin_unlock(&sysctl_lock);
2450 +
2451 + error = parse_table(name, nlen, oldval, oldlenp,
2452 newval, newlen, head->ctl_table,
2453 &context);
2454 if (context)
2455 kfree(context);
2456 +
2457 + spin_lock(&sysctl_lock);
2458 + unuse_table(head);
2459 if (error != -ENOTDIR)
2460 - return error;
2461 - tmp = tmp->next;
2462 - } while (tmp != &root_table_header.ctl_entry);
2463 - return -ENOTDIR;
2464 + break;
2465 + } while ((tmp = tmp->next) != &root_table_header.ctl_entry);
2466 + spin_unlock(&sysctl_lock);
2467 + return error;
2468 }
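Review bot: The `continue` after `if (!use_table(head))` is only correct because the loop's advance moved into the condition, `while ((tmp = tmp->next) != &root_table_header.ctl_entry)`; with the old body-side `tmp = tmp->next` the same `continue` would have spun forever on one entry. That coupling should be visible at the `continue`: `continue; /* advance happens in the while condition */`. Note also that `error` now survives the loop, so when every table is being unregistered the function returns the initial `-ENOTDIR`, matching the old behaviour.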
2469
2470 extern asmlinkage long sys_sysctl(struct __sysctl_args *args)
2471 @@ -604,12 +656,16 @@
2472 return NULL;
2473 tmp->ctl_table = table;
2474 INIT_LIST_HEAD(&tmp->ctl_entry);
2475 + tmp->used = 0;
2476 + tmp->unregistering = NULL;
2477 + spin_lock(&sysctl_lock);
2478 if (insert_at_head)
2479 list_add(&tmp->ctl_entry, &root_table_header.ctl_entry);
2480 else
2481 list_add_tail(&tmp->ctl_entry, &root_table_header.ctl_entry);
2482 + spin_unlock(&sysctl_lock);
2483 #ifdef CONFIG_PROC_FS
2484 - register_proc_table(table, proc_sys_root);
2485 + register_proc_table(table, proc_sys_root, tmp);
2486 #endif
2487 return tmp;
2488 }
2489 @@ -623,10 +679,12 @@
2490 */
2491 void unregister_sysctl_table(struct ctl_table_header * header)
2492 {
2493 - list_del(&header->ctl_entry);
2494 + spin_lock(&sysctl_lock);
2495 + start_unregistering(header);
2496 #ifdef CONFIG_PROC_FS
2497 unregister_proc_table(header->ctl_table, proc_sys_root);
2498 #endif
2499 + spin_unlock(&sysctl_lock);
2500 kfree(header);
2501 }
2502
2503 @@ -637,7 +695,7 @@
2504 #ifdef CONFIG_PROC_FS
2505
2506 /* Scan the sysctl entries in table and add them all into /proc */
2507 -static void register_proc_table(ctl_table * table, struct proc_dir_entry *root)
2508 +static void register_proc_table(ctl_table * table, struct proc_dir_entry *root, void *set)
2509 {
2510 struct proc_dir_entry *de;
2511 int len;
2512 @@ -673,6 +731,7 @@
2513 de = create_proc_entry(table->procname, mode, root);
2514 if (!de)
2515 continue;
2516 + de->set = set;
2517 de->data = (void *) table;
2518 if (table->proc_handler) {
2519 de->proc_fops = &proc_sys_file_operations;
2520 @@ -681,7 +740,7 @@
2521 }
2522 table->de = de;
2523 if (de->mode & S_IFDIR)
2524 - register_proc_table(table->child, de);
2525 + register_proc_table(table->child, de, set);
2526 }
2527 }
2528
2529 @@ -706,6 +765,13 @@
2530 continue;
2531 }
2532
2533 + /*
2534 + * In any case, mark the entry as goner; we'll keep it
2535 + * around if it's busy, but we'll know to do nothing with
2536 + * its fields. We are under sysctl_lock here.
2537 + */
2538 + de->data = NULL;
2539 +
2540 /* Don't unregister proc entries that are still being used.. */
2541 if (atomic_read(&de->count))
2542 continue;
2543 @@ -719,31 +785,44 @@
2544 size_t count, loff_t *ppos)
2545 {
2546 int op;
2547 - struct proc_dir_entry *de;
2548 + struct proc_dir_entry *de =
2549 + (struct proc_dir_entry*) file->f_dentry->d_inode->u.generic_ip;
2550 struct ctl_table *table;
2551 size_t res;
2552 - ssize_t error;
2553 -
2554 - de = (struct proc_dir_entry*) file->f_dentry->d_inode->u.generic_ip;
2555 - if (!de || !de->data)
2556 - return -ENOTDIR;
2557 - table = (struct ctl_table *) de->data;
2558 - if (!table || !table->proc_handler)
2559 - return -ENOTDIR;
2560 - op = (write ? 002 : 004);
2561 - if (ctl_perm(table, op))
2562 - return -EPERM;
2563 -
2564 - res = count;
2565 + ssize_t error = -ENOTDIR;
2566
2567 - /*
2568 - * FIXME: we need to pass on ppos to the handler.
2569 - */
2570 + spin_lock(&sysctl_lock);
2571 + if (de && de->data && use_table(de->set)) {
2572 + /*
2573 + * at that point we know that sysctl was not unregistered
2574 + * and won't be until we finish
2575 + */
2576 + spin_unlock(&sysctl_lock);
2577 + table = (struct ctl_table *) de->data;
2578 + if (!table || !table->proc_handler)
2579 + goto out;
2580 + error = -EPERM;
2581 + op = (write ? 002 : 004);
2582 + if (ctl_perm(table, op))
2583 + goto out;
2584 +
2585 + /* careful: calling conventions are nasty here */
2586 + res = count;
2587
2588 - error = (*table->proc_handler) (table, write, file, buf, &res);
2589 - if (error)
2590 - return error;
2591 - return res;
2592 + /*
2593 + * FIXME: we need to pass on ppos to the handler.
2594 + */
2595 +
2596 + error = (*table->proc_handler)(table, write, file,
2597 + buf, &res);
2598 + if (!error)
2599 + error = res;
2600 + out:
2601 + spin_lock(&sysctl_lock);
2602 + unuse_table(de->set);
2603 + }
2604 + spin_unlock(&sysctl_lock);
2605 + return error;
2606 }
2607
2608 static ssize_t proc_readsys(struct file * file, char * buf,
2609 diff -urN linux-2.4.30/lib/inflate.c linux-2.4.30-hf32.3/lib/inflate.c
2610 --- linux-2.4.30/lib/inflate.c 2002-11-29 00:53:15.000000000 +0100
2611 +++ linux-2.4.30-hf32.3/lib/inflate.c 2006-03-18 00:34:06.000000000 +0100
2612 @@ -320,7 +320,7 @@
2613 {
2614 *t = (struct huft *)NULL;
2615 *m = 0;
2616 - return 0;
2617 + return 2;
2618 }
2619
2620 DEBG("huft2 ");
2621 @@ -368,6 +368,7 @@
2622 if ((j = *p++) != 0)
2623 v[x[j]++] = i;
2624 } while (++i < n);
2625 + n = x[g]; /* set n to length of v */
2626
2627 DEBG("h6 ");
2628
2629 @@ -404,12 +405,13 @@
2630 DEBG1("2 ");
2631 f -= a + 1; /* deduct codes from patterns left */
2632 xp = c + k;
2633 - while (++j < z) /* try smaller tables up to z bits */
2634 - {
2635 - if ((f <<= 1) <= *++xp)
2636 - break; /* enough codes to use up j bits */
2637 - f -= *xp; /* else deduct codes from patterns */
2638 - }
2639 + if (j < z)
2640 + while (++j < z) /* try smaller tables up to z bits */
2641 + {
2642 + if ((f <<= 1) <= *++xp)
2643 + break; /* enough codes to use up j bits */
2644 + f -= *xp; /* else deduct codes from patterns */
2645 + }
2646 }
2647 DEBG1("3 ");
2648 z = 1 << j; /* table entries for j-bit table */
2649 diff -urN linux-2.4.30/lib/rbtree.c linux-2.4.30-hf32.3/lib/rbtree.c
2650 --- linux-2.4.30/lib/rbtree.c 2004-11-17 12:54:22.000000000 +0100
2651 +++ linux-2.4.30-hf32.3/lib/rbtree.c 2006-03-18 00:34:06.000000000 +0100
2652 @@ -332,6 +332,7 @@
2653 node = node->rb_right;
2654 while (node->rb_left)
2655 node = node->rb_left;
2656 + return node;
2657 }
2658
2659 /* No right-hand children. Everything down and left is
2660 @@ -355,6 +356,7 @@
2661 node = node->rb_left;
2662 while (node->rb_right)
2663 node = node->rb_right;
2664 + return node;
2665 }
2666
2667 /* No left-hand children. Go up till we find an ancestor which
2668 diff -urN linux-2.4.30/lib/rwsem-spinlock.c linux-2.4.30-hf32.3/lib/rwsem-spinlock.c
2669 --- linux-2.4.30/lib/rwsem-spinlock.c 2005-01-27 18:57:34.000000000 +0100
2670 +++ linux-2.4.30-hf32.3/lib/rwsem-spinlock.c 2006-03-18 00:34:06.000000000 +0100
2671 @@ -127,12 +127,12 @@
2672
2673 rwsemtrace(sem,"Entering __down_read");
2674
2675 - spin_lock(&sem->wait_lock);
2676 + spin_lock_irq(&sem->wait_lock);
2677
2678 if (sem->activity>=0 && list_empty(&sem->wait_list)) {
2679 /* granted */
2680 sem->activity++;
2681 - spin_unlock(&sem->wait_lock);
2682 + spin_unlock_irq(&sem->wait_lock);
2683 goto out;
2684 }
2685
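Review bot: `__down_read` switches to `spin_lock_irq`/`spin_unlock_irq`, which unconditionally re-enables interrupts on unlock, while the trylock and `__up_*` paths later in this file use `spin_lock_irqsave`/`spin_unlock_irqrestore`. That is presumably deliberate — the slow paths can sleep, so they must never be entered with IRQs disabled, and `_irq` is cheaper — but the asymmetry reads like an oversight; a comment at the first `spin_lock_irq`, e.g. `/* _irq, not _irqsave: this path may sleep, so IRQs must be enabled on entry */`, records the invariant. The same applies to `__down_write` below and to the lib/rwsem.c hunks.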
2686 @@ -147,7 +147,7 @@
2687 list_add_tail(&waiter.list,&sem->wait_list);
2688
2689 /* we don't need to touch the semaphore struct anymore */
2690 - spin_unlock(&sem->wait_lock);
2691 + spin_unlock_irq(&sem->wait_lock);
2692
2693 /* wait to be given the lock */
2694 for (;;) {
2695 @@ -169,9 +169,10 @@
2696 int fastcall __down_read_trylock(struct rw_semaphore *sem)
2697 {
2698 int ret = 0;
2699 + unsigned long flags;
2700 rwsemtrace(sem,"Entering __down_read_trylock");
2701
2702 - spin_lock(&sem->wait_lock);
2703 + spin_lock_irqsave(&sem->wait_lock, flags);
2704
2705 if (sem->activity>=0 && list_empty(&sem->wait_list)) {
2706 /* granted */
2707 @@ -179,7 +180,7 @@
2708 ret = 1;
2709 }
2710
2711 - spin_unlock(&sem->wait_lock);
2712 + spin_unlock_irqrestore(&sem->wait_lock, flags);
2713
2714 rwsemtrace(sem,"Leaving __down_read_trylock");
2715 return ret;
2716 @@ -196,12 +197,12 @@
2717
2718 rwsemtrace(sem,"Entering __down_write");
2719
2720 - spin_lock(&sem->wait_lock);
2721 + spin_lock_irq(&sem->wait_lock);
2722
2723 if (sem->activity==0 && list_empty(&sem->wait_list)) {
2724 /* granted */
2725 sem->activity = -1;
2726 - spin_unlock(&sem->wait_lock);
2727 + spin_unlock_irq(&sem->wait_lock);
2728 goto out;
2729 }
2730
2731 @@ -216,7 +217,7 @@
2732 list_add_tail(&waiter.list,&sem->wait_list);
2733
2734 /* we don't need to touch the semaphore struct anymore */
2735 - spin_unlock(&sem->wait_lock);
2736 + spin_unlock_irq(&sem->wait_lock);
2737
2738 /* wait to be given the lock */
2739 for (;;) {
2740 @@ -238,9 +239,10 @@
2741 int fastcall __down_write_trylock(struct rw_semaphore *sem)
2742 {
2743 int ret = 0;
2744 + unsigned long flags;
2745 rwsemtrace(sem,"Entering __down_write_trylock");
2746
2747 - spin_lock(&sem->wait_lock);
2748 + spin_lock_irqsave(&sem->wait_lock, flags);
2749
2750 if (sem->activity==0 && list_empty(&sem->wait_list)) {
2751 /* granted */
2752 @@ -248,7 +250,7 @@
2753 ret = 1;
2754 }
2755
2756 - spin_unlock(&sem->wait_lock);
2757 + spin_unlock_irqrestore(&sem->wait_lock, flags);
2758
2759 rwsemtrace(sem,"Leaving __down_write_trylock");
2760 return ret;
2761 @@ -259,14 +261,15 @@
2762 */
2763 void fastcall __up_read(struct rw_semaphore *sem)
2764 {
2765 + unsigned long flags;
2766 rwsemtrace(sem,"Entering __up_read");
2767
2768 - spin_lock(&sem->wait_lock);
2769 + spin_lock_irqsave(&sem->wait_lock, flags);
2770
2771 if (--sem->activity==0 && !list_empty(&sem->wait_list))
2772 sem = __rwsem_wake_one_writer(sem);
2773
2774 - spin_unlock(&sem->wait_lock);
2775 + spin_unlock_irqrestore(&sem->wait_lock, flags);
2776
2777 rwsemtrace(sem,"Leaving __up_read");
2778 }
2779 @@ -276,15 +279,16 @@
2780 */
2781 void fastcall __up_write(struct rw_semaphore *sem)
2782 {
2783 + unsigned long flags;
2784 rwsemtrace(sem,"Entering __up_write");
2785
2786 - spin_lock(&sem->wait_lock);
2787 + spin_lock_irqsave(&sem->wait_lock, flags);
2788
2789 sem->activity = 0;
2790 if (!list_empty(&sem->wait_list))
2791 sem = __rwsem_do_wake(sem);
2792
2793 - spin_unlock(&sem->wait_lock);
2794 + spin_unlock_irqrestore(&sem->wait_lock, flags);
2795
2796 rwsemtrace(sem,"Leaving __up_write");
2797 }
2798 diff -urN linux-2.4.30/lib/rwsem.c linux-2.4.30-hf32.3/lib/rwsem.c
2799 --- linux-2.4.30/lib/rwsem.c 2004-11-17 12:54:22.000000000 +0100
2800 +++ linux-2.4.30-hf32.3/lib/rwsem.c 2006-03-18 00:34:06.000000000 +0100
2801 @@ -127,7 +127,7 @@
2802 set_task_state(tsk,TASK_UNINTERRUPTIBLE);
2803
2804 /* set up my own style of waitqueue */
2805 - spin_lock(&sem->wait_lock);
2806 + spin_lock_irq(&sem->wait_lock);
2807 waiter->task = tsk;
2808 get_task_struct(tsk);
2809
2810 @@ -142,7 +142,7 @@
2811 if (!(count & RWSEM_ACTIVE_MASK))
2812 sem = __rwsem_do_wake(sem);
2813
2814 - spin_unlock(&sem->wait_lock);
2815 + spin_unlock_irq(&sem->wait_lock);
2816
2817 /* wait to be given the lock */
2818 for (;;) {
2819 @@ -195,15 +195,16 @@
2820 */
2821 struct rw_semaphore fastcall *rwsem_wake(struct rw_semaphore *sem)
2822 {
2823 + unsigned long flags;
2824 rwsemtrace(sem,"Entering rwsem_wake");
2825
2826 - spin_lock(&sem->wait_lock);
2827 + spin_lock_irqsave(&sem->wait_lock, flags);
2828
2829 /* do nothing if list empty */
2830 if (!list_empty(&sem->wait_list))
2831 sem = __rwsem_do_wake(sem);
2832
2833 - spin_unlock(&sem->wait_lock);
2834 + spin_unlock_irqrestore(&sem->wait_lock, flags);
2835
2836 rwsemtrace(sem,"Leaving rwsem_wake");
2837
2838 diff -urN linux-2.4.30/mm/filemap.c linux-2.4.30-hf32.3/mm/filemap.c
2839 --- linux-2.4.30/mm/filemap.c 2005-04-14 09:43:35.000000000 +0200
2840 +++ linux-2.4.30-hf32.3/mm/filemap.c 2006-03-18 00:34:06.000000000 +0100
2841 @@ -2605,6 +2605,8 @@
2842 end = vma->vm_end;
2843 end = ((end - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
2844
2845 + error = -EIO;
2846 +
2847 /* round to cluster boundaries if this isn't a "random" area. */
2848 if (!VM_RandomReadHint(vma)) {
2849 start = CLUSTER_OFFSET(start);
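Review bot: The new `error = -EIO;` sits mid-function, with the function's start and end outside this hunk, and nothing in the hunk shows which later exit path reads `error` without assigning it first, so the assignment reads as an unexplained default. A comment naming that consumer would make the intent checkable, e.g. `/* default for the exit paths below that return error without setting it */`. If the motivating case is instead a branch that previously returned an uninitialized or stale value, the comment should say so, since that is the behaviour the fix is protecting.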
2850 diff -urN linux-2.4.30/mm/vmscan.c linux-2.4.30-hf32.3/mm/vmscan.c
2851 --- linux-2.4.30/mm/vmscan.c 2005-01-27 18:57:34.000000000 +0100
2852 +++ linux-2.4.30-hf32.3/mm/vmscan.c 2006-03-18 00:34:06.000000000 +0100
2853 @@ -556,6 +556,7 @@
2854 continue;
2855
2856 }
2857 + smp_rmb();
2858 if (PageDirty(page)) {
2859 spin_unlock(&pagecache_lock);
2860 UnlockPage(page);
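Review bot: A bare `smp_rmb();` without a comment is hard to review, because a read barrier is only meaningful when paired with a specific write barrier (or lock release) on another CPU, and this hunk does not show which store to the page flags it orders against the `PageDirty(page)` test that follows. Kernel convention is to document the pairing at the barrier, along the lines of `/* pairs with the barrier after the page is marked dirty: see <writer> */` with the writer named by the patch author. The enclosing loop begins outside the hunk.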
2861 diff -urN linux-2.4.30/net/core/rtnetlink.c linux-2.4.30-hf32.3/net/core/rtnetlink.c
2862 --- linux-2.4.30/net/core/rtnetlink.c 2003-08-25 13:44:44.000000000 +0200
2863 +++ linux-2.4.30-hf32.3/net/core/rtnetlink.c 2006-03-18 00:34:06.000000000 +0100
2864 @@ -303,7 +303,7 @@
2865 return 0;
2866
2867 family = ((struct rtgenmsg*)NLMSG_DATA(nlh))->rtgen_family;
2868 - if (family > NPROTO) {
2869 + if (family >= NPROTO) {
2870 *errp = -EAFNOSUPPORT;
2871 return -1;
2872 }
2873 diff -urN linux-2.4.30/net/ipv4/af_inet.c linux-2.4.30-hf32.3/net/ipv4/af_inet.c
2874 --- linux-2.4.30/net/ipv4/af_inet.c 2005-01-27 18:57:34.000000000 +0100
2875 +++ linux-2.4.30-hf32.3/net/ipv4/af_inet.c 2006-03-18 00:34:06.000000000 +0100
2876 @@ -724,6 +724,7 @@
2877 sin->sin_port = sk->sport;
2878 sin->sin_addr.s_addr = addr;
2879 }
2880 + memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
2881 *uaddr_len = sizeof(*sin);
2882 return(0);
2883 }
2884 diff -urN linux-2.4.30/net/ipv4/igmp.c linux-2.4.30-hf32.3/net/ipv4/igmp.c
2885 --- linux-2.4.30/net/ipv4/igmp.c 2005-01-27 18:57:34.000000000 +0100
2886 +++ linux-2.4.30-hf32.3/net/ipv4/igmp.c 2006-03-18 00:34:06.000000000 +0100
2887 @@ -876,6 +876,10 @@
2888 /* Is it our report looped back? */
2889 if (((struct rtable*)skb->dst)->key.iif == 0)
2890 break;
2891 + /* don't rely on MC router hearing unicast reports */
2892 + if (skb->pkt_type == PACKET_MULTICAST ||
2893 + skb->pkt_type == PACKET_BROADCAST)
2894 + igmp_heard_report(in_dev, ih->group);
2895 igmp_heard_report(in_dev, ih->group);
2896 break;
2897 case IGMP_PIM:
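Review bot: The unconditional `igmp_heard_report(in_dev, ih->group);` on the context line after the new block was kept, so the new `pkt_type` test restricts nothing: unicast reports are still processed exactly as before, and multicast/broadcast reports are now processed twice. The stated intent ("don't rely on MC router hearing unicast reports") needs that original call removed from the new side, leaving only the guarded call; the hunk header's old/new counts (`6` to `10`, four added, none removed) confirm nothing was deleted. Whether a repeated `igmp_heard_report` has effects beyond re-clearing the reporter state is not visible here, but the duplication is unintended either way.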
2898 @@ -1582,7 +1586,7 @@
2899 }
2900 pmc->sources = 0;
2901 pmc->sfmode = MCAST_EXCLUDE;
2902 - pmc->sfcount[MCAST_EXCLUDE] = 0;
2903 + pmc->sfcount[MCAST_INCLUDE] = 0;
2904 pmc->sfcount[MCAST_EXCLUDE] = 1;
2905 }
2906
2907 @@ -1876,8 +1880,11 @@
2908 sock_kfree_s(sk, newpsl, IP_SFLSIZE(newpsl->sl_max));
2909 goto done;
2910 }
2911 - } else
2912 - newpsl = 0;
2913 + } else {
2914 + newpsl = NULL;
2915 + (void) ip_mc_add_src(in_dev, &msf->imsf_multiaddr,
2916 + msf->imsf_fmode, 0, NULL, 0);
2917 + }
2918 psl = pmc->sflist;
2919 if (psl) {
2920 (void) ip_mc_del_src(in_dev, &msf->imsf_multiaddr, pmc->sfmode,
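Review bot: The new `(void) ip_mc_add_src(...)` call discards the return value without saying why, while the surrounding code otherwise uses `goto done` on failure. If ignoring a failure here is acceptable because the interface filter simply keeps its previous state, a comment such as `/* result ignored: a failure leaves the interface filter unchanged */` should say so; if it is not acceptable, the error should be propagated like the `sock_kfree_s` path above. The enclosing function starts outside the hunk, so I cannot see how the `psl` handling below interacts with a failed add.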
2921 diff -urN linux-2.4.30/net/ipv4/inetpeer.c linux-2.4.30-hf32.3/net/ipv4/inetpeer.c
2922 --- linux-2.4.30/net/ipv4/inetpeer.c 2001-10-01 18:19:56.000000000 +0200
2923 +++ linux-2.4.30-hf32.3/net/ipv4/inetpeer.c 2006-03-18 00:34:06.000000000 +0100
2924 @@ -445,9 +445,12 @@
2925 /* Trigger the timer after inet_peer_gc_mintime .. inet_peer_gc_maxtime
2926 * interval depending on the total number of entries (more entries,
2927 * less interval). */
2928 - peer_periodic_timer.expires = jiffies
2929 - + inet_peer_gc_maxtime
2930 - - (inet_peer_gc_maxtime - inet_peer_gc_mintime) / HZ *
2931 - peer_total / inet_peer_threshold * HZ;
2932 + if (peer_total >= inet_peer_threshold)
2933 + peer_periodic_timer.expires = jiffies + inet_peer_gc_mintime;
2934 + else
2935 + peer_periodic_timer.expires = jiffies
2936 + + inet_peer_gc_maxtime
2937 + - (inet_peer_gc_maxtime - inet_peer_gc_mintime) / HZ *
2938 + peer_total / inet_peer_threshold * HZ;
2939 add_timer(&peer_periodic_timer);
2940 }
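Review bot: The new guard fixes the `peer_total >= inet_peer_threshold` case, where the proportional formula in the else branch would otherwise push `expires` below `jiffies + inet_peer_gc_mintime` (and, for a large enough `peer_total`, before `jiffies` itself), but the comment above still describes only the proportional case. Extending it keeps the reasoning with the code: `/* At or above the threshold use the minimum interval; the proportional formula below would otherwise underflow. */`. The guard also makes the else branch unreachable when `inet_peer_threshold` is 0, which is the only thing visible here preventing the division by it — worth stating in the same comment, since the threshold is a tunable rather than a constant.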
2941 diff -urN linux-2.4.30/net/ipv4/ipvs/ip_vs_conn.c linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_conn.c
2942 --- linux-2.4.30/net/ipv4/ipvs/ip_vs_conn.c 2005-01-27 18:57:34.000000000 +0100
2943 +++ linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_conn.c 2006-03-18 00:34:06.000000000 +0100
2944 @@ -210,6 +210,7 @@
2945 cp = list_entry(e, struct ip_vs_conn, c_list);
2946 if (s_addr==cp->caddr && s_port==cp->cport &&
2947 d_port==cp->vport && d_addr==cp->vaddr &&
2948 + ((!s_port) ^ (!(cp->flags & IP_VS_CONN_F_NO_CPORT))) &&
2949 protocol==cp->protocol) {
2950 /* HIT */
2951 atomic_inc(&cp->refcnt);
2952 @@ -241,6 +242,40 @@
2953 return cp;
2954 }
2955
2956 +/* Get reference to connection template */
2957 +struct ip_vs_conn *ip_vs_ct_in_get
2958 +(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port)
2959 +{
2960 + unsigned hash;
2961 + struct ip_vs_conn *cp;
2962 +
2963 + hash = ip_vs_conn_hashkey(protocol, s_addr, s_port);
2964 +
2965 + ct_read_lock(hash);
2966 +
2967 + list_for_each_entry(cp, &ip_vs_conn_tab[hash], c_list) {
2968 + if (s_addr==cp->caddr && s_port==cp->cport &&
2969 + d_port==cp->vport && d_addr==cp->vaddr &&
2970 + cp->flags & IP_VS_CONN_F_TEMPLATE &&
2971 + protocol==cp->protocol) {
2972 + /* HIT */
2973 + atomic_inc(&cp->refcnt);
2974 + goto out;
2975 + }
2976 + }
2977 + cp = NULL;
2978 +
2979 + out:
2980 + ct_read_unlock(hash);
2981 +
2982 + IP_VS_DBG(7, "template lookup/in %s %u.%u.%u.%u:%d->%u.%u.%u.%u:%d %s\n",
2983 + ip_vs_proto_name(protocol),
2984 + NIPQUAD(s_addr), ntohs(s_port),
2985 + NIPQUAD(d_addr), ntohs(d_port),
2986 + cp?"hit":"not hit");
2987 +
2988 + return cp;
2989 +}
2990
2991 /*
2992 * Gets ip_vs_conn associated with supplied parameters in the ip_vs_conn_tab.
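Review bot: In the new `ip_vs_ct_in_get`, the template test `cp->flags & IP_VS_CONN_F_TEMPLATE &&` relies on `&` binding tighter than `&&`; that is correct, but the lookup in the preceding hunk writes the equivalent test as `(cp->flags & IP_VS_CONN_F_NO_CPORT)`, and the new function should match it: `(cp->flags & IP_VS_CONN_F_TEMPLATE) &&`. The function is non-static and gains callers in ip_vs_core.c and ip_vs_sync.c, so its declaration is presumably added to a header in a hunk not shown here. Its one-line header comment could also state that templates share the same `ip_vs_conn_tab` bucket (same `ip_vs_conn_hashkey` inputs) as ordinary connections and are told apart only by the flag, which is why the @@ -210 hunk has to add the `s_port`/`IP_VS_CONN_F_NO_CPORT` term to keep zero-cport templates out of the ordinary lookup.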
2993 @@ -1087,7 +1122,7 @@
2994
2995 IP_VS_DBG(9, "Unbind-dest %s c:%u.%u.%u.%u:%d "
2996 "v:%u.%u.%u.%u:%d d:%u.%u.%u.%u:%d fwd:%c "
2997 - "s:%s flg:%X cnt:%d destcnt:%d",
2998 + "s:%s flg:%X cnt:%d destcnt:%d\n",
2999 ip_vs_proto_name(cp->protocol),
3000 NIPQUAD(cp->caddr), ntohs(cp->cport),
3001 NIPQUAD(cp->vaddr), ntohs(cp->vport),
3002 @@ -1098,10 +1133,9 @@
3003
3004 /*
3005 * Decrease the inactconns or activeconns counter
3006 - * if it is not a connection template ((cp->cport!=0)
3007 - * || (cp->flags & IP_VS_CONN_F_NO_CPORT)).
3008 + * if it is not a connection template
3009 */
3010 - if (cp->cport || (cp->flags & IP_VS_CONN_F_NO_CPORT)) {
3011 + if (!(cp->flags & IP_VS_CONN_F_TEMPLATE)) {
3012 if (cp->flags & IP_VS_CONN_F_INACTIVE) {
3013 atomic_dec(&dest->inactconns);
3014 } else {
3015 @@ -1145,7 +1179,7 @@
3016 /*
3017 * Invalidate the connection template
3018 */
3019 - if (ct->cport) {
3020 + if (ct->vport != 65535) {
3021 if (ip_vs_conn_unhash(ct)) {
3022 ct->dport = 65535;
3023 ct->vport = 65535;
3024 @@ -1430,7 +1464,7 @@
3025 l = &ip_vs_conn_tab[hash];
3026 for (e=l->next; e!=l; e=e->next) {
3027 cp = list_entry(e, struct ip_vs_conn, c_list);
3028 - if (!cp->cport && !(cp->flags & IP_VS_CONN_F_NO_CPORT))
3029 + if (cp->flags & IP_VS_CONN_F_TEMPLATE)
3030 /* connection template */
3031 continue;
3032 switch(cp->state) {
3033 diff -urN linux-2.4.30/net/ipv4/ipvs/ip_vs_core.c linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_core.c
3034 --- linux-2.4.30/net/ipv4/ipvs/ip_vs_core.c 2005-04-14 09:43:35.000000000 +0200
3035 +++ linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_core.c 2006-03-18 00:34:06.000000000 +0100
3036 @@ -188,10 +188,10 @@
3037 if (portp[1] == svc->port) {
3038 /* Check if a template already exists */
3039 if (svc->port != FTPPORT)
3040 - ct = ip_vs_conn_in_get(iph->protocol, snet, 0,
3041 + ct = ip_vs_ct_in_get(iph->protocol, snet, 0,
3042 iph->daddr, portp[1]);
3043 else
3044 - ct = ip_vs_conn_in_get(iph->protocol, snet, 0,
3045 + ct = ip_vs_ct_in_get(iph->protocol, snet, 0,
3046 iph->daddr, 0);
3047
3048 if (!ct || !ip_vs_check_template(ct)) {
3049 @@ -216,14 +216,14 @@
3050 snet, 0,
3051 iph->daddr, portp[1],
3052 dest->addr, dest->port,
3053 - 0,
3054 + IP_VS_CONN_F_TEMPLATE,
3055 dest);
3056 else
3057 ct = ip_vs_conn_new(iph->protocol,
3058 snet, 0,
3059 iph->daddr, 0,
3060 dest->addr, 0,
3061 - 0,
3062 + IP_VS_CONN_F_TEMPLATE,
3063 dest);
3064 if (ct == NULL)
3065 return NULL;
3066 @@ -242,10 +242,10 @@
3067 * port zero template: <protocol,caddr,0,vaddr,0,daddr,0>
3068 */
3069 if (svc->fwmark)
3070 - ct = ip_vs_conn_in_get(IPPROTO_IP, snet, 0,
3071 + ct = ip_vs_ct_in_get(IPPROTO_IP, snet, 0,
3072 htonl(svc->fwmark), 0);
3073 else
3074 - ct = ip_vs_conn_in_get(iph->protocol, snet, 0,
3075 + ct = ip_vs_ct_in_get(iph->protocol, snet, 0,
3076 iph->daddr, 0);
3077
3078 if (!ct || !ip_vs_check_template(ct)) {
3079 @@ -270,14 +270,14 @@
3080 snet, 0,
3081 htonl(svc->fwmark), 0,
3082 dest->addr, 0,
3083 - 0,
3084 + IP_VS_CONN_F_TEMPLATE,
3085 dest);
3086 else
3087 ct = ip_vs_conn_new(iph->protocol,
3088 snet, 0,
3089 iph->daddr, 0,
3090 dest->addr, 0,
3091 - 0,
3092 + IP_VS_CONN_F_TEMPLATE,
3093 dest);
3094 if (ct == NULL)
3095 return NULL;
3096 @@ -1111,11 +1111,10 @@
3097 if (sysctl_ip_vs_expire_nodest_conn) {
3098 /* try to expire the connection immediately */
3099 ip_vs_conn_expire_now(cp);
3100 - } else {
3101 - /* don't restart its timer, and silently
3102 - drop the packet. */
3103 - __ip_vs_conn_put(cp);
3104 }
3105 + /* don't restart its timer, and silently
3106 + drop the packet. */
3107 + __ip_vs_conn_put(cp);
3108 return NF_DROP;
3109 }
3110
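Review bot: After this change `__ip_vs_conn_put(cp)` runs on both arms, including the one where `ip_vs_conn_expire_now(cp)` was just called, which is right only if `ip_vs_conn_expire_now` leaves the caller's reference alone. Its body is not in this patch, so please confirm it does not itself drop the reference; otherwise this becomes a double put, the opposite of the leak the change presumably fixes. A one-line comment at the call, e.g. `/* expire_now keeps our reference; it is released below */`, would record that contract for the next reader.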
3111 diff -urN linux-2.4.30/net/ipv4/ipvs/ip_vs_ctl.c linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_ctl.c
3112 --- linux-2.4.30/net/ipv4/ipvs/ip_vs_ctl.c 2005-01-27 18:57:34.000000000 +0100
3113 +++ linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_ctl.c 2006-03-18 00:34:06.000000000 +0100
3114 @@ -1842,7 +1842,8 @@
3115 entry.addr = svc->addr;
3116 entry.port = svc->port;
3117 entry.fwmark = svc->fwmark;
3118 - strcpy(entry.sched_name, svc->scheduler->name);
3119 + strncpy(entry.sched_name, svc->scheduler->name, sizeof(entry.sched_name));
3120 + entry.sched_name[sizeof(entry.sched_name) - 1] = 0;
3121 entry.flags = svc->flags;
3122 entry.timeout = svc->timeout / HZ;
3123 entry.netmask = svc->netmask;
3124 @@ -1866,7 +1867,8 @@
3125 entry.addr = svc->addr;
3126 entry.port = svc->port;
3127 entry.fwmark = svc->fwmark;
3128 - strcpy(entry.sched_name, svc->scheduler->name);
3129 + strncpy(entry.sched_name, svc->scheduler->name, sizeof(entry.sched_name));
3130 + entry.sched_name[sizeof(entry.sched_name) - 1] = 0;
3131 entry.flags = svc->flags;
3132 entry.timeout = svc->timeout / HZ;
3133 entry.netmask = svc->netmask;
3134 @@ -2020,7 +2022,8 @@
3135 svc = __ip_vs_service_get(get.protocol,
3136 get.addr, get.port);
3137 if (svc) {
3138 - strcpy(get.sched_name, svc->scheduler->name);
3139 + strncpy(get.sched_name, svc->scheduler->name, sizeof(get.sched_name));
3140 + get.sched_name[sizeof(get.sched_name) - 1] = 0;
3141 get.flags = svc->flags;
3142 get.timeout = svc->timeout / HZ;
3143 get.netmask = svc->netmask;
3144 @@ -2083,10 +2086,14 @@
3145 goto out;
3146 }
3147 u.state = ip_vs_sync_state;
3148 - if (ip_vs_sync_state & IP_VS_STATE_MASTER)
3149 - strcpy(u.mcast_master_ifn, ip_vs_mcast_master_ifn);
3150 - if (ip_vs_sync_state & IP_VS_STATE_BACKUP)
3151 - strcpy(u.mcast_backup_ifn, ip_vs_mcast_backup_ifn);
3152 + if (ip_vs_sync_state & IP_VS_STATE_MASTER) {
3153 + strncpy(u.mcast_master_ifn, ip_vs_mcast_master_ifn, sizeof(u.mcast_master_ifn));
3154 + u.mcast_master_ifn[sizeof(u.mcast_master_ifn) - 1] = 0;
3155 + }
3156 + if (ip_vs_sync_state & IP_VS_STATE_BACKUP) {
3157 + strncpy(u.mcast_backup_ifn, ip_vs_mcast_backup_ifn, sizeof(u.mcast_backup_ifn));
3158 + u.mcast_backup_ifn[sizeof(u.mcast_backup_ifn) - 1] = 0;
3159 + }
3160 if (copy_to_user(user, &u, sizeof(u)) != 0)
3161 ret = -EFAULT;
3162 }
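Review bot: The zero-padding of `strncpy` is actually useful here because `u` goes to userspace through the `copy_to_user` on the last context lines, but only the interface-name buffer whose sync state is active is written: if `u` is not zeroed earlier in the function (not visible in this hunk), the other buffer and any padding bytes of `u` still carry stack contents into userspace. A `memset(&u, 0, sizeof(u));` immediately before `u.state = ip_vs_sync_state;` closes that regardless of which branches run; the `entry` structures in the three preceding hunks deserve the same check. The strncpy-then-terminate pair is now repeated in six places across this file and the ip_vs_sync.c @@ -808 hunk; a small static helper would keep them consistent.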
3163 diff -urN linux-2.4.30/net/ipv4/ipvs/ip_vs_sched.c linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_sched.c
3164 --- linux-2.4.30/net/ipv4/ipvs/ip_vs_sched.c 2004-04-14 15:05:41.000000000 +0200
3165 +++ linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_sched.c 2006-03-18 00:34:06.000000000 +0100
3166 @@ -156,7 +156,7 @@
3167 */
3168 if (sched == NULL) {
3169 char module_name[IP_VS_SCHEDNAME_MAXLEN+8];
3170 - sprintf(module_name,"ip_vs_%s", sched_name);
3171 + snprintf(module_name, sizeof(module_name), "ip_vs_%s", sched_name);
3172 request_module(module_name);
3173 sched = ip_vs_sched_getbyname(sched_name);
3174 }
3175 diff -urN linux-2.4.30/net/ipv4/ipvs/ip_vs_sync.c linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_sync.c
3176 --- linux-2.4.30/net/ipv4/ipvs/ip_vs_sync.c 2005-01-27 18:57:34.000000000 +0100
3177 +++ linux-2.4.30-hf32.3/net/ipv4/ipvs/ip_vs_sync.c 2006-03-18 00:34:06.000000000 +0100
3178 @@ -295,16 +295,24 @@
3179
3180 p = (char *)buffer + sizeof(struct ip_vs_sync_mesg);
3181 for (i=0; i<m->nr_conns; i++) {
3182 + unsigned flags;
3183 +
3184 s = (struct ip_vs_sync_conn *)p;
3185 - cp = ip_vs_conn_in_get(s->protocol,
3186 - s->caddr, s->cport,
3187 - s->vaddr, s->vport);
3188 + flags = ntohs(s->flags);
3189 + if (!(flags & IP_VS_CONN_F_TEMPLATE))
3190 + cp = ip_vs_conn_in_get(s->protocol,
3191 + s->caddr, s->cport,
3192 + s->vaddr, s->vport);
3193 + else
3194 + cp = ip_vs_ct_in_get(s->protocol,
3195 + s->caddr, s->cport,
3196 + s->vaddr, s->vport);
3197 if (!cp) {
3198 cp = ip_vs_conn_new(s->protocol,
3199 s->caddr, s->cport,
3200 s->vaddr, s->vport,
3201 s->daddr, s->dport,
3202 - ntohs(s->flags), NULL);
3203 + flags, NULL);
3204 if (!cp) {
3205 IP_VS_ERR("ip_vs_conn_new failed\n");
3206 return;
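Review bot: The received `flags` value now decides not only what goes into `ip_vs_conn_new` and `cp->flags` (as before) but also which lookup is performed, and nothing in the hunk masks it to the flag bits a backup should accept from the wire, so a malformed sync message can steer entries into the template path. That exposure predates this change, but since the hunk introduces the local `flags`, it is the natural place to restrict it, e.g. `flags = ntohs(s->flags) & <accepted-bits mask>;` with the mask defined next to the connection flags. The enclosing loop over `m->nr_conns` begins inside the hunk but its bounds check against the message length, if any, is not visible here.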
3207 @@ -313,11 +321,11 @@
3208 } else if (!cp->dest) {
3209 /* it is an entry created by the synchronization */
3210 cp->state = ntohs(s->state);
3211 - cp->flags = ntohs(s->flags) | IP_VS_CONN_F_HASHED;
3212 + cp->flags = flags | IP_VS_CONN_F_HASHED;
3213 } /* Note that we don't touch its state and flags
3214 if it is a normal entry. */
3215
3216 - if (ntohs(s->flags) & IP_VS_CONN_F_SEQ_MASK) {
3217 + if (flags & IP_VS_CONN_F_SEQ_MASK) {
3218 opt = (struct ip_vs_sync_conn_options *)&s[1];
3219 memcpy(&cp->in_seq, opt, sizeof(*opt));
3220 p += FULL_CONN_SIZE;
3221 @@ -808,10 +816,12 @@
3222
3223 ip_vs_sync_state |= state;
3224 if (state == IP_VS_STATE_MASTER) {
3225 - strcpy(ip_vs_mcast_master_ifn, mcast_ifn);
3226 + strncpy(ip_vs_mcast_master_ifn, mcast_ifn, sizeof(ip_vs_mcast_master_ifn));
3227 + ip_vs_mcast_master_ifn[sizeof(ip_vs_mcast_master_ifn) - 1] = 0;
3228 ip_vs_master_syncid = syncid;
3229 } else {
3230 - strcpy(ip_vs_mcast_backup_ifn, mcast_ifn);
3231 + strncpy(ip_vs_mcast_backup_ifn, mcast_ifn, sizeof(ip_vs_mcast_backup_ifn));
3232 + ip_vs_mcast_backup_ifn[sizeof(ip_vs_mcast_backup_ifn) - 1] = 0;
3233 ip_vs_backup_syncid = syncid;
3234 }
3235
3236 diff -urN linux-2.4.30/net/ipv4/netfilter/ip_conntrack_core.c linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_conntrack_core.c
3237 --- linux-2.4.30/net/ipv4/netfilter/ip_conntrack_core.c 2005-04-14 09:43:35.000000000 +0200
3238 +++ linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_conntrack_core.c 2006-03-18 00:34:06.000000000 +0100
3239 @@ -1349,6 +1349,7 @@
3240 .tuple.dst.u.tcp.port;
3241 sin.sin_addr.s_addr = h->ctrack->tuplehash[IP_CT_DIR_ORIGINAL]
3242 .tuple.dst.ip;
3243 + memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
3244
3245 DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n",
3246 NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port));
3247 diff -urN linux-2.4.30/net/ipv4/netfilter/ip_nat_proto_tcp.c linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_nat_proto_tcp.c
3248 --- linux-2.4.30/net/ipv4/netfilter/ip_nat_proto_tcp.c 2002-11-29 00:53:15.000000000 +0100
3249 +++ linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_nat_proto_tcp.c 2006-03-18 00:34:06.000000000 +0100
3250 @@ -31,7 +31,8 @@
3251 enum ip_nat_manip_type maniptype,
3252 const struct ip_conntrack *conntrack)
3253 {
3254 - static u_int16_t port = 0, *portptr;
3255 + static u_int16_t port = 0;
3256 + u_int16_t *portptr;
3257 unsigned int range_size, min, i;
3258
3259 if (maniptype == IP_NAT_MANIP_SRC)
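Review bot: `portptr` is now a per-call local, so concurrent callers no longer share a pointer, but `port` stays a file-scope static and nothing in the hunk shows what serialises its read-modify-write across CPUs. If the callers hold the NAT lock, as I would expect but cannot see here, a comment on the declaration records that: `static u_int16_t port = 0; /* serialised by the callers' NAT lock */`; if they do not, the race the hunk removes for `portptr` remains for `port`. The ip_nat_proto_udp.c hunk below is identical and needs the same comment.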
3260 diff -urN linux-2.4.30/net/ipv4/netfilter/ip_nat_proto_udp.c linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_nat_proto_udp.c
3261 --- linux-2.4.30/net/ipv4/netfilter/ip_nat_proto_udp.c 2000-08-04 22:07:24.000000000 +0200
3262 +++ linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_nat_proto_udp.c 2006-03-18 00:34:06.000000000 +0100
3263 @@ -32,7 +32,8 @@
3264 enum ip_nat_manip_type maniptype,
3265 const struct ip_conntrack *conntrack)
3266 {
3267 - static u_int16_t port = 0, *portptr;
3268 + static u_int16_t port = 0;
3269 + u_int16_t *portptr;
3270 unsigned int range_size, min, i;
3271
3272 if (maniptype == IP_NAT_MANIP_SRC)
3273 diff -urN linux-2.4.30/net/ipv4/netfilter/ip_nat_rule.c linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_nat_rule.c
3274 --- linux-2.4.30/net/ipv4/netfilter/ip_nat_rule.c 2005-01-27 18:57:34.000000000 +0100
3275 +++ linux-2.4.30-hf32.3/net/ipv4/netfilter/ip_nat_rule.c 2006-03-18 00:34:06.000000000 +0100