r1931 - in trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Simon Horman
horms@haydn.debian.org
Fri, 26 Nov 2004 02:32:15 -0700
Author: horms
Date: 2004-11-26 02:31:46 -0700 (Fri, 26 Nov 2004)
New Revision: 1931
Added:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/097-elf_loader_overflow-1.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/097-elf_loader_overflow-2.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/098-elf_huge_bbs-1.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/098-elf_huge_bbs-2.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/099-applicom-leak-fix.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/100-xfs-lock-leak-fix.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/101-cbq-sheduler-leak-fix.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/102-nsc-ircc-oops-fix.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/103-enter-acpi-early.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/104-jfs-memory-leak.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/105-raid1-error-locks-fix.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/106-sunclinkmp-oops-fix.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/107-hiddev-devfs-oops-fix.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/108-usb-devices-crash-fix.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/109-proc-delete-inode-1.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/109-proc-delete-inode-2.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/110-asus-boot-crash-fix.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/111-smb-client-overflow-fix-1.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/111-smb-client-overflow-fix-2.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/112-intermezzo-slab-leak-fix.diff
Modified:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-6
Log:
Added some oops/crash/leak fixes from upstream
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2004-11-26 09:31:46 UTC (rev 1931)
@@ -4,24 +4,63 @@
to upstream. (Dann Frazier)
* Annotate all diffs for the same purpose. (Dann Frazier)
* Fix $(upstream) regex, thanks Michael Tokarev. (Joshua Kwan)
- * Add asm/ptrace.h include as it is needed for pt_regs.
+ * 089_alpha_include_ptrace.diff:
+ Add asm/ptrace.h include as it is needed for pt_regs.
(Closes: #271533) (Simon Horman)
- * Add workaround for broken Happy Meal ethernet controllers.
- (closes: #275485) (Simon Horman)
- * Fix for bug which causes spddelete of individual entries using setkey
+ * 090_setkey_spddelete.diff:
+ Fix for bug which causes spddelete of individual entries using setkey
to fail. Teddy Hogeborn <teddy@fukt.bth.se>
- (closes: #272719) (Simon Horman)
- . net/key/af_key.c
- * Security: fix race conditions in linux terminal subsystem
+ (Closes: #272719) (Simon Horman)
+ * 091_disambiguate_sym53c8xx.diff:
+ Disambiguate sym53c8xx driver name. (Josh Kwan)
+ * 092_sparc64_hme_lockup.diff:
+ Add workaround for broken Happy Meal ethernet controllers.
+ (Closes: #275485) (Simon Horman)
+ * 093_tty_lockup.diff:
+ Security: fix race conditions in linux terminal subsystem
[CAN-2004-0814] (Closes: #277681) (Simon Horman)
- * Apply patch by Jurij Smakov that fixes bad memcpy() behavior on
+ * 094_menuconfig_crash.diff
+ Fix menuconfig crash due to infinite recursion (Maximilian Attems)
+ * 095_sparc32_initrd_memcpy.diff:
+ Apply patch by Jurij Smakov that fixes bad memcpy() behavior on
sparc32, especially with respect to loading ramdisks. (Joshua Kwan)
- * Fix menuconfig crash due to infinite recursion (Maximilian Attems)
- * Fix megaraid2's proc_name so ramdisks are built correctly. (Joshua Kwan)
- * Fix multiple vulnerablilities in the ELF loader. (Simon Horman)
- * Fix problems with loading ELF executables with a huge BBS. (Simon Horman)
+ * 096_megaraid2_proc_name.diff:
+ Fix megaraid2's proc_name so ramdisks are built correctly. (Joshua Kwan)
+ * 097-elf_loader_overflow-1.diff, 097-elf_loader_overflow-2.diff:
+ Fix multiple vulnerablilities in the ELF loader. (Simon Horman)
+ * 098-elf_huge_bbs-1.diff, 098-elf_huge_bbs-2.diff:
+ Fix problems with loading ELF executables with a huge BBS. (Simon Horman)
+ * 099-applicom-leak-fix.diff:
+ Fix leak and copy_user in applicom dirver (Simon Horman)
+ * 100-xfs-lock-leak-fix.diff:
+ Fix lock leak in xfs_free_file_space (Simon Horman)
+ * 101-cbq-sheduler-leak-fix.diff:
+ Fix class leak in CBQ scheduler (Simon Horman)
+ * 102-nsc-ircc-oops-fix.diff:
+ Fix oops in nsc-ircc if dongle id is out of range (Simon Horman)
+ * 103-enter-acpi-early.diff:
+ Fix boot failures that result from buggy SMM BIOS code by
+ entering ACPI mode earlier. (Simon Horman)
+ * 104-jfs-memory-leak.diff:
+ Fix memory leak in JFS __invalidate_metapages. (Simon Horman)
+ * 105-raid1-error-locks-fix.diff:
+ Fix error handling locks in RAID1. (Simon Horman)
+ * 106-sunclinkmp-oops-fix.diff:
+ Fix oops in synclinkmp. (Simon Horman)
+ * 107-hiddev-devfs-oops-fix.diff:
+ Fix hiddev devfs oops. (Simon Horman)
+ * 108-usb-devices-crash-fix.diff]
+ Fix crash with cat /proc/bus/usb/devices and disconnect. (Simon Horman)
+ * 109-proc-delete-inode-1.diff, 109-proc-delete-inode-2.diff:
+ Fix oops in proc_delete_inode. (Simon Horman)
+ * 110-asus-boot-crash-fix.diff:
+ Fix ASUS boot crash. (Simon Horman)
+ * 111-smb-client-overflow-fix-2.diff, 111-smb-client-overflow-fix-1.diff:
+ Fix SMBFS client overflow. (Simon Horman)
+ * 112-intermezzo-slab-leak-fix.diff:
+ Fix intermezzo slab allocator leak. (Simon Horman)
- -- Simon Horman <horms@debian.org> Wed, 24 Nov 2004 16:46:22 +0900
+ -- Simon Horman <horms@debian.org> Fri, 26 Nov 2004 16:59:20 +0900
kernel-source-2.4.27 (2.4.27-5) unstable; urgency=high
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/097-elf_loader_overflow-1.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/097-elf_loader_overflow-1.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/097-elf_loader_overflow-1.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,101 @@
+# origin: Chris Wright <chrisw@osdl.org>
+# cset: 1.1531 key=41a30a666cc7i7YZExn2ROMLgQwGWg
+# inclusion: uptream
+# revision date: Wed, 24 Nov 2004 16:52:24 +0900
+# description: [PATCH] binfmt_elf: handle partial reads gracefully
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/11 15:19:55-02:00 chrisw@osdl.org
+# [PATCH] binfmt_elf: handle partial reads gracefully
+#
+# Here's a backport of the fix that's in 2.6 tree.
+#
+# Make sure kernel reads full size of elf data. Error out if mmap
+# fails when mapping any sections of the executable. Make sure
+# interpreter string is NULL terminated.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+#
+# ===== fs/binfmt_elf.c 1.31 vs edited =====
+#
+# fs/binfmt_elf.c
+# 2004/11/11 04:22:28-02:00 chrisw@osdl.org +25 -8
+# binfmt_elf: handle partial reads gracefully
+#
+diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c 2004-11-24 16:39:09 +09:00
++++ b/fs/binfmt_elf.c 2004-11-24 16:39:09 +09:00
+@@ -299,9 +299,12 @@
+ goto out;
+
+ retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
+- error = retval;
+- if (retval < 0)
++ error = -EIO;
++ if (retval != size) {
++ if (retval < 0)
++ error = retval;
+ goto out_close;
++ }
+
+ eppnt = elf_phdata;
+ for (i=0; i<interp_elf_ex->e_phnum; i++, eppnt++) {
+@@ -472,9 +475,12 @@
+ goto out;
+
+ retval = kernel_read(bprm->file, elf_ex.e_phoff, (char *) elf_phdata, size);
+- if (retval < 0)
++ if (retval != size) {
++ if (retval >= 0)
++ retval = -EIO;
+ goto out_free_ph;
+-
++ }
++
+ files = current->files; /* Refcounted so ok */
+ retval = unshare_files();
+ if (retval < 0)
+@@ -520,8 +526,14 @@
+ retval = kernel_read(bprm->file, elf_ppnt->p_offset,
+ elf_interpreter,
+ elf_ppnt->p_filesz);
+- if (retval < 0)
++ if (retval != elf_ppnt->p_filesz) {
++ if (retval >= 0)
++ retval = -EIO;
+ goto out_free_interp;
++ }
++ /* make sure path is NULL terminated */
++ elf_interpreter[elf_ppnt->p_filesz - 1] = '\0';
++
+ /* If the program interpreter is one of these two,
+ * then assume an iBCS2 image. Otherwise assume
+ * a native linux image.
+@@ -540,8 +552,11 @@
+ if (IS_ERR(interpreter))
+ goto out_free_interp;
+ retval = kernel_read(interpreter, 0, bprm->buf, BINPRM_BUF_SIZE);
+- if (retval < 0)
++ if (retval != BINPRM_BUF_SIZE) {
++ if (retval >= 0)
++ retval = -EIO;
+ goto out_free_dentry;
++ }
+
+ /* Get the exec headers */
+ interp_ex = *((struct exec *) bprm->buf);
+@@ -679,8 +694,10 @@
+ }
+
+ error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot, elf_flags);
+- if (BAD_ADDR(error))
+- continue;
++ if (BAD_ADDR(error)) {
++ send_sig(SIGKILL, current, 0);
++ goto out_free_dentry;
++ }
+
+ if (!load_addr_set) {
+ load_addr_set = 1;
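Review bot: In the last fs/binfmt_elf.c hunk (@@ -679,8 +694,10 @@) the new `BAD_ADDR(error)` branch sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`, so the function returns whatever `retval` last held. That earlier assignment is outside the hunk and may be 0 from a preceding successful call, in which case a failed mapping would be reported as a successful exec. Setting a code before the jump, for example `retval = -EINVAL;`, makes the failure explicit. The SIGKILL branch that 098-elf_huge_bbs-2.diff adds at @@ -727,6 +739,19 @@ has the same shape. The enclosing function starts and ends outside these hunks.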
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/097-elf_loader_overflow-2.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/097-elf_loader_overflow-2.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/097-elf_loader_overflow-2.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,50 @@
+# origin: Chris Wright <chrisw@osdl.org>
+# cset: 1.1530 key=41a30a51VLBj8ZBgAu4Aww3xFS8ZxA
+# inclusion: uptream
+# revision date: Wed, 24 Nov 2004 16:53:16 +0900
+# description: [PATCH] binfmt_elf: handle p_filesz == 0 on PT_INTERP section
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# fs/binfmt_elf.c
+# 2004/11/16 20:16:15-02:00 chrisw@osdl.org +5 -2
+# binfmt_elf: handle p_filesz == 0 on PT_INTERP section
+#
+# ChangeSet
+# 2004/11/16 17:55:02-02:00 chrisw@osdl.org
+# [PATCH] binfmt_elf: handle p_filesz == 0 on PT_INTERP section
+#
+# Jakub Jelinek points out that current fix has an underflow problem
+# if elf_ppnt->p_filesz == 0. Fix that up, and also stop overwriting
+# interpreter buffer, simply check that it's NULL-terminated.
+#
+# From: Jakub Jelinek <jakub@redhat.com>
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+#
+# ===== fs/binfmt_elf.c 1.32 vs edited =====
+# TAG: v2.4.28-rc4
+#
+diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c 2004-11-24 16:39:27 +09:00
++++ b/fs/binfmt_elf.c 2004-11-24 16:39:27 +09:00
+@@ -516,7 +516,8 @@
+ */
+
+ retval = -ENOMEM;
+- if (elf_ppnt->p_filesz > PATH_MAX)
++ if (elf_ppnt->p_filesz > PATH_MAX ||
++ elf_ppnt->p_filesz == 0)
+ goto out_free_file;
+ elf_interpreter = (char *) kmalloc(elf_ppnt->p_filesz,
+ GFP_KERNEL);
+@@ -532,7 +533,9 @@
+ goto out_free_interp;
+ }
+ /* make sure path is NULL terminated */
+- elf_interpreter[elf_ppnt->p_filesz - 1] = '\0';
++ retval = -EINVAL;
++ if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
++ goto out_free_interp;
+
+ /* If the program interpreter is one of these two,
+ * then assume an iBCS2 image. Otherwise assume
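Review bot: The new `elf_ppnt->p_filesz == 0` test in the @@ -516,7 +516,8 @@ hunk reuses the `retval = -ENOMEM` set just above it, so a malformed PT_INTERP header is reported as an out-of-memory condition. Giving the size check its own code, e.g. `retval = -ENOEXEC;` before the `if`, would let callers and logs tell a bad binary apart from real memory pressure. In the @@ -532,7 +533,9 @@ hunk the retained comment still reads "make sure path is NULL terminated" although the code now only verifies the terminator; `/* reject an interpreter path that is not NUL-terminated */` matches what it does. Both hunks sit inside a function whose start and end are outside the patch context.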
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/098-elf_huge_bbs-1.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/098-elf_huge_bbs-1.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/098-elf_huge_bbs-1.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,141 @@
+# origin: Barry K. Nathan <barryn@pobox.com>
+# cset: 1.1499.1.10 key=419a5b16V-2XzvsRfpc91BcdKnienQ
+# inclusion: uptream
+# revision date: Wed, 24 Nov 2004 16:54:22 +0900
+# description: [PATCH] fix ELF exec with huge bss
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/23 08:00:49-02:00 barryn@pobox.com
+# [PATCH] Fix ELF exec with huge bss
+#
+# This is a 2.4.27-2.4.28 port of the following patch:
+#
+# http://linux.bkbits.net:8080/linux-2.5/cset@3ff112802L-9-rs0BbkozDnTnpch9w
+#
+# > [PATCH] fix ELF exec with huge bss
+# >
+# > From: Roland McGrath <roland@redhat.com>
+# >
+# > The following test program will crash every time if dynamically linked.
+# > I think this bites all 32-bit platforms, including 32-bit executables on
+# > 64-bit platforms that support them (and could in theory bite 64-bit
+# > platforms with bss sizes beyond the bounds of comprehension).
+# >
+# > volatile char hugebss[1080000000];
+# > main() { printf("%p..%p\n", &hugebss[0], &hugebss[sizeof hugebss]);
+# > system("cat /proc/$PPID/maps");
+# > hugebss[sizeof hugebss - 1] = 1;
+# > return 23;
+# > }
+# >
+# > The problem is that the kernel maps ld.so at 0x40000000 or some such place,
+# > before it maps the bss. Here the bss is so large that it overlaps and
+# > clobbers that mapping. I've changed it to map the bss before it loads the
+# > interpreter, so that part of the address space is reserved before ld.so's
+# > mapping (which doesn't really care where it goes) is done.
+# >
+# > This patch also adds error checking to the bss setup (and interpreter's bss
+# > setup). With the aforementioned change but no error checking, "ulimit -v
+# > 65536; ./hugebss" will crash in the store after the `system' call, because
+# > the kernel will have failed to allocate the bss and ignored the error, so
+# > the program runs without those pages being mapped at all. With this change
+# > it dies with a SIGKILL as for a failure to set up stack pages. It might be
+# > even better to try to detect the case earlier so that execve can return an
+# > error before it has wiped out the address space. But that seems like it
+# > would always be fragile and miss some corner cases, so I did not try to add
+# > such complexity.
+#
+# Signed-off-by: Barry K. Nathan <barryn@pobox.com>
+#
+# fs/binfmt_elf.c
+# 2004/10/16 07:44:41-03:00 barryn@pobox.com +31 -14
+# Fix ELF exec with huge bss
+#
+diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c 2004-11-24 16:39:40 +09:00
++++ b/fs/binfmt_elf.c 2004-11-24 16:39:40 +09:00
+@@ -79,13 +79,17 @@
+
+ #define BAD_ADDR(x) ((unsigned long)(x) > TASK_SIZE)
+
+-static void set_brk(unsigned long start, unsigned long end)
++static int set_brk(unsigned long start, unsigned long end)
+ {
+ start = ELF_PAGEALIGN(start);
+ end = ELF_PAGEALIGN(end);
+- if (end <= start)
+- return;
+- do_brk(start, end - start);
++ if (end > start) {
++ unsigned long addr = do_brk(start, end - start);
++ if (BAD_ADDR(addr))
++ return addr;
++ }
++ current->mm->start_brk = current->mm->brk = end;
++ return 0;
+ }
+
+
+@@ -360,8 +364,11 @@
+ elf_bss = ELF_PAGESTART(elf_bss + ELF_MIN_ALIGN - 1); /* What we have mapped so far */
+
+ /* Map the last of the bss segment */
+- if (last_bss > elf_bss)
+- do_brk(elf_bss, last_bss - elf_bss);
++ if (last_bss > elf_bss) {
++ error = do_brk(elf_bss, last_bss - elf_bss);
++ if (BAD_ADDR(error))
++ goto out_close;
++ }
+
+ *interp_load_addr = load_addr;
+ error = ((unsigned long) interp_elf_ex->e_entry) + load_addr;
+@@ -670,7 +677,12 @@
+ /* There was a PT_LOAD segment with p_memsz > p_filesz
+ before this one. Map anonymous pages, if needed,
+ and clear the area. */
+- set_brk (elf_bss + load_bias, elf_brk + load_bias);
++ retval = set_brk (elf_bss + load_bias,
++ elf_brk + load_bias);
++ if (retval) {
++ send_sig(SIGKILL, current, 0);
++ goto out_free_dentry;
++ }
+ nbyte = ELF_PAGEOFFSET(elf_bss);
+ if (nbyte) {
+ nbyte = ELF_MIN_ALIGN - nbyte;
+@@ -737,6 +749,18 @@
+ start_data += load_bias;
+ end_data += load_bias;
+
++ /* Calling set_brk effectively mmaps the pages that we need
++ * for the bss and break sections. We must do this before
++ * mapping in the interpreter, to make sure it doesn't wind
++ * up getting placed where the bss needs to go.
++ */
++ retval = set_brk(elf_bss, elf_brk);
++ if (retval) {
++ send_sig(SIGKILL, current, 0);
++ goto out_free_dentry;
++ }
++ padzero(elf_bss);
++
+ if (elf_interpreter) {
+ if (interpreter_type == INTERPRETER_AOUT)
+ elf_entry = load_aout_interp(&interp_ex,
+@@ -784,13 +808,6 @@
+ current->mm->start_data = start_data;
+ current->mm->end_data = end_data;
+ current->mm->start_stack = bprm->p;
+-
+- /* Calling set_brk effectively mmaps the pages that we need
+- * for the bss and break sections
+- */
+- set_brk(elf_bss, elf_brk);
+-
+- padzero(elf_bss);
+
+ #if 0
+ printk("(start_brk) %lx\n" , (long) current->mm->start_brk);
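Review bot: `set_brk()` in the @@ -79,13 +79,17 @@ hunk now returns `int` but hands back `addr`, an `unsigned long` from `do_brk()`, so the error value is narrowed implicitly on 64-bit builds; the callers in the later hunks only test for non-zero, which hides this. The function also gained a side effect: it sets `current->mm->start_brk` and `current->mm->brk` to `end` on every successful call, including the one inside the segment loop at @@ -670,7 +677,12 @@. Neither the return contract nor the side effect is documented. A header comment such as `/* Map [start, end) after ELF page alignment and set mm->start_brk/brk to end; returns 0, or the do_brk() error value narrowed to int. */` would cover both.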
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/098-elf_huge_bbs-2.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/098-elf_huge_bbs-2.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/098-elf_huge_bbs-2.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,78 @@
+# origin: Barry K. Nathan <barryn@pobox.com>
+# cset: 1.1497 key=4193bbfertbISRQVPFzTMySXo4T7IA
+# inclusion: uptream
+# revision date: Wed, 24 Nov 2004 16:55:40 +0900
+# description: [PATCH] binfmt_elf.c fix for 32-bit apps with large bss
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/23 08:01:10-02:00 barryn@pobox.com
+# [PATCH] binfmt_elf.c fix for 32-bit apps with large bss
+#
+# This is a 2.4.27-2.4.28 port of this patch:
+#
+# > [PATCH] binfmt_elf.c fix for 32-bit apps with large bss
+# >
+# > From: Julie DeWandel <jdewand@redhat.com>
+# >
+# > A problem exists where a 32-bit application can have a huge bss, one that
+# > is so large that an overflow of the TASK_SIZE happens. But in this case,
+# > the overflow is not detected in load_elf_binary(). Instead, because
+# > arithmetic is being done using 32-bit containers, a truncation occurs and
+# > the program gets loaded when it shouldn't have been. Subsequent execution
+# > yields unpredictable results.
+# >
+# > The attached patch fixes this problem by checking for the overflow
+# > condition and sending a SIGKILL to the application if the overflow is
+# > detected. This problem can in theory exist when loading the elf
+# > interpreter as well, so a similar check was added there.
+#
+# Signed-off-by: Barry K. Nathan <barryn@pobox.com>
+#
+# fs/binfmt_elf.c
+# 2004/10/16 08:16:38-03:00 barryn@pobox.com +25 -0
+# binfmt_elf.c fix for 32-bit apps with large bss
+#
+diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c 2004-11-24 16:39:48 +09:00
++++ b/fs/binfmt_elf.c 2004-11-24 16:39:48 +09:00
+@@ -335,6 +335,18 @@
+ }
+
+ /*
++ * Check to see if the section's size will overflow the
++ * allowed task size. Note that p_filesz must always be
++ * <= p_memsize so it is only necessary to check p_memsz.
++ */
++ k = load_addr + eppnt->p_vaddr;
++ if (k > TASK_SIZE || eppnt->p_filesz > eppnt->p_memsz ||
++ eppnt->p_memsz > TASK_SIZE || TASK_SIZE - eppnt->p_memsz < k) {
++ error = -ENOMEM;
++ goto out_close;
++ }
++
++ /*
+ * Find the end of the file mapping for this phdr, and keep
+ * track of the largest address we see for this.
+ */
+@@ -727,6 +739,19 @@
+ k = elf_ppnt->p_vaddr;
+ if (k < start_code) start_code = k;
+ if (start_data < k) start_data = k;
++
++ /*
++ * Check to see if the section's size will overflow the
++ * allowed task size. Note that p_filesz must always be
++ * <= p_memsz so it is only necessary to check p_memsz.
++ */
++ if (k > TASK_SIZE || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
++ elf_ppnt->p_memsz > TASK_SIZE ||
++ TASK_SIZE - elf_ppnt->p_memsz < k) {
++ /* set_brk can never work. Avoid overflows. */
++ send_sig(SIGKILL, current, 0);
++ goto out_free_dentry;
++ }
+
+ k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz;
+
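Review bot: The comment added in both hunks says p_filesz "must always be <= p_memsz so it is only necessary to check p_memsz", yet the condition beneath it explicitly rejects `p_filesz > p_memsz`, so the invariant is enforced here rather than assumed; the first copy also spells the field `p_memsize`. A wording such as `/* Reject segments with p_filesz > p_memsz, or whose [k, k + p_memsz) range does not fit below TASK_SIZE; the subtraction form avoids wrap-around. */` matches the code. In the @@ -335,6 +335,18 @@ hunk, `k = load_addr + eppnt->p_vaddr` is itself an unchecked addition on a file-supplied value. Whether a wrapped `k` can reach this test depends on the mapping code above the hunk, so that is worth confirming.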
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/099-applicom-leak-fix.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/099-applicom-leak-fix.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/099-applicom-leak-fix.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,172 @@
+# origin: sezeroz (BitKeeper)
+# cset: 1.1449.1.30 (2.4) key=411e3c71-_ax7wozFPG3KNCMYI_3Qg
+# inclusion: upstream
+# descrition: [PATCH] backport applicom 2.6 fixes
+# revision date: Fri, 26 Nov 2004 14:59:38 +0900
+#
+# S rset: ChangeSet|1.1449.1.29..1.1449.1.30
+# I rset: drivers/char/applicom.c|1.5..1.6
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/08/14 13:23:13-03:00 sezeroz@ttnet.net.tr
+# [PATCH] backport applicom 2.6 fixes
+#
+# Leak and copy*user in cli fixes from 2.6
+# (by akpm iirc).
+#
+# drivers/char/applicom.c
+# 2004/08/07 09:52:02-03:00 sezeroz@ttnet.net.tr +25 -28
+# backport applicom 2.6 fixes
+#
+#
+===== drivers/char/applicom.c 1.5 vs 1.6 =====
+--- 1.5/drivers/char/applicom.c 2002-02-28 22:57:20 +09:00
++++ 1.6/drivers/char/applicom.c 2004-08-07 21:52:02 +09:00
+@@ -222,6 +222,7 @@
+
+ if (!RamIO) {
+ printk(KERN_INFO "ac.o: Failed to ioremap PCI memory space at 0x%lx\n", PCI_BASE_ADDRESS(dev));
++ pci_disable_device(dev);
+ return -EIO;
+ }
+
+@@ -233,12 +234,14 @@
+ (unsigned long)RamIO,0))) {
+ printk(KERN_INFO "ac.o: PCI Applicom device doesn't have correct signature.\n");
+ iounmap(RamIO);
++ pci_disable_device(dev);
+ continue;
+ }
+
+ if (request_irq(dev->irq, &ac_interrupt, SA_SHIRQ, "Applicom PCI", &dummy)) {
+ printk(KERN_INFO "Could not allocate IRQ %d for PCI Applicom device.\n", dev->irq);
+ iounmap(RamIO);
++ pci_disable_device(dev);
+ apbs[boardno - 1].RamIO = 0;
+ continue;
+ }
+@@ -265,12 +268,6 @@
+
+ /* Now try the specified ISA cards */
+
+-#warning "LEAK"
+- RamIO = ioremap(mem, LEN_RAM_IO * MAX_ISA_BOARD);
+-
+- if (!RamIO)
+- printk(KERN_INFO "ac.o: Failed to ioremap ISA memory space at 0x%lx\n", mem);
+-
+ for (i = 0; i < MAX_ISA_BOARD; i++) {
+ RamIO = ioremap(mem + (LEN_RAM_IO * i), LEN_RAM_IO);
+
+@@ -293,7 +290,8 @@
+ iounmap((void *) RamIO);
+ apbs[boardno - 1].RamIO = 0;
+ }
+- apbs[boardno - 1].irq = irq;
++ else
++ apbs[boardno - 1].irq = irq;
+ }
+ else
+ apbs[boardno - 1].irq = 0;
+@@ -368,7 +366,7 @@
+ if (count != sizeof(struct st_ram_io) + sizeof(struct mailbox)) {
+ static int warncount = 5;
+ if (warncount) {
+- printk(KERN_INFO "Hmmm. write() of Applicom card, length %d != expected %d\n",
++ printk(KERN_INFO "Hmmm. write() of Applicom card, length %zd != expected %zd\n",
+ count, sizeof(struct st_ram_io) + sizeof(struct mailbox));
+ warncount--;
+ }
+@@ -476,18 +474,17 @@
+ return 0;
+ }
+
+-static int do_ac_read(int IndexCard, char *buf)
++static int do_ac_read(int IndexCard, char *buf,
++ struct st_ram_io *st_loc, struct mailbox *mailbox)
+ {
+- struct st_ram_io st_loc;
+- struct mailbox tmpmailbox; /* bounce buffer - can't copy to user space with cli() */
+ unsigned long from = (unsigned long)apbs[IndexCard].RamIO + RAM_TO_PC;
+- unsigned char *to = (unsigned char *)&tmpmailbox;
++ unsigned char *to = (unsigned char *)&mailbox;
+ #ifdef DEBUG
+ int c;
+ #endif
+
+- st_loc.tic_owner_to_pc = readb(apbs[IndexCard].RamIO + TIC_OWNER_TO_PC);
+- st_loc.numcard_owner_to_pc = readb(apbs[IndexCard].RamIO + NUMCARD_OWNER_TO_PC);
++ st_loc->tic_owner_to_pc = readb(apbs[IndexCard].RamIO + TIC_OWNER_TO_PC);
++ st_loc->numcard_owner_to_pc = readb(apbs[IndexCard].RamIO + NUMCARD_OWNER_TO_PC);
+
+
+ {
+@@ -510,32 +507,24 @@
+ printk("Read from applicom card #%d. struct st_ram_io follows:", NumCard);
+
+ for (c = 0; c < sizeof(struct st_ram_io);) {
+- printk("\n%5.5X: %2.2X", c, ((unsigned char *) &st_loc)[c]);
++ printk("\n%5.5X: %2.2X", c, ((unsigned char *)st_loc)[c]);
+
+ for (c++; c % 8 && c < sizeof(struct st_ram_io); c++) {
+- printk(" %2.2X", ((unsigned char *) &st_loc)[c]);
++ printk(" %2.2X", ((unsigned char *)st_loc)[c]);
+ }
+ }
+
+ printk("\nstruct mailbox follows:");
+
+ for (c = 0; c < sizeof(struct mailbox);) {
+- printk("\n%5.5X: %2.2X", c, ((unsigned char *) &tmpmailbox)[c]);
++ printk("\n%5.5X: %2.2X", c, ((unsigned char *)mailbox)[c]);
+
+ for (c++; c % 8 && c < sizeof(struct mailbox); c++) {
+- printk(" %2.2X", ((unsigned char *) &tmpmailbox)[c]);
++ printk(" %2.2X", ((unsigned char *)mailbox)[c]);
+ }
+ }
+ printk("\n");
+ #endif
+-
+-#warning "Je suis stupide. DW. - copy*user in cli"
+-
+- if (copy_to_user(buf, &st_loc, sizeof(struct st_ram_io)))
+- return -EFAULT;
+- if (copy_to_user(&buf[sizeof(struct st_ram_io)], &tmpmailbox, sizeof(struct mailbox)))
+- return -EFAULT;
+-
+ return (sizeof(struct st_ram_io) + sizeof(struct mailbox));
+ }
+
+@@ -551,7 +540,7 @@
+ #endif
+ /* No need to ratelimit this. Only root can trigger it anyway */
+ if (count != sizeof(struct st_ram_io) + sizeof(struct mailbox)) {
+- printk( KERN_WARNING "Hmmm. read() of Applicom card, length %d != expected %d\n",
++ printk( KERN_WARNING "Hmmm. read() of Applicom card, length %zd != expected %zd\n",
+ count,sizeof(struct st_ram_io) + sizeof(struct mailbox));
+ return -EINVAL;
+ }
+@@ -570,11 +559,19 @@
+ tmp = readb(apbs[i].RamIO + DATA_TO_PC_READY);
+
+ if (tmp == 2) {
++ struct st_ram_io st_loc;
++ struct mailbox mailbox;
++
+ /* Got a packet for us */
+- ret = do_ac_read(i, buf);
++ ret = do_ac_read(i, buf, &st_loc, &mailbox);
+ spin_unlock_irqrestore(&apbs[i].mutex, flags);
+ set_current_state(TASK_RUNNING);
+ remove_wait_queue(&FlagSleepRec, &wait);
++
++ if (copy_to_user(buf, &st_loc, sizeof(st_loc)))
++ return -EFAULT;
++ if (copy_to_user(buf + sizeof(st_loc), &mailbox, sizeof(mailbox)))
++ return -EFAULT;
+ return tmp;
+ }
+
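Review bot: In the @@ -476,18 +474,17 @@ hunk `mailbox` has become a pointer parameter, but `to` is still initialised with `(unsigned char *)&mailbox`, which is the address of the pointer variable itself rather than the caller's buffer. The loop that stores through `to` is outside the hunk; assuming it still writes sizeof(struct mailbox) bytes, it would run past that pointer on do_ac_read's stack. The caller in the @@ -570,11 +559,19 @@ hunk would then `copy_to_user` its own uninitialised `mailbox`, disclosing kernel stack contents. The line should read `unsigned char *to = (unsigned char *)mailbox;`. That caller also still ends with `return tmp;` after the copies, leaving `ret` from do_ac_read unused, which is worth checking against the intended read() return value.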
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/100-xfs-lock-leak-fix.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/100-xfs-lock-leak-fix.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/100-xfs-lock-leak-fix.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,50 @@
+# origin: roehrich (BitKeeper)
+# cset: 1.1449.17.22 (2.4) key=41240cebupWd4HFyNZ6iso1kB1f4IA
+# inclusion: upstream
+# descrition: [XFS] Fix lock leak in xfs_free_file_space
+# revision date: Fri, 26 Nov 2004 14:59:38 +0900
+#
+# S rset: ChangeSet|1.1449.17.21..1.1449.17.22
+# I rset: fs/xfs/xfs_vnodeops.c|1.178..1.179
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/08/19 12:14:03+10:00 roehrich@sgi.com
+# [XFS] Fix lock leak in xfs_free_file_space
+#
+# SGI Modid: xfs-linux:xfs-kern:176905a
+# Signed-off-by: Nathan Scott <nathans@sgi.com>
+#
+# fs/xfs/xfs_vnodeops.c
+# 2004/08/19 12:13:57+10:00 roehrich@sgi.com +6 -2
+# [XFS] Fix lock leak in xfs_free_file_space
+#
+#
+===== fs/xfs/xfs_vnodeops.c 1.178 vs 1.179 =====
+--- 1.178/fs/xfs/xfs_vnodeops.c 2004-06-18 09:59:16 +09:00
++++ 1.179/fs/xfs/xfs_vnodeops.c 2004-08-19 11:13:57 +09:00
+@@ -4337,8 +4337,10 @@
+ nimap = 1;
+ error = xfs_bmapi(NULL, ip, startoffset_fsb, 1, 0, NULL, 0,
+ &imap, &nimap, NULL);
+- if (error)
++ if (error) {
++ xfs_iunlock(ip, XFS_IOLOCK_EXCL);
+ return error;
++ }
+ ASSERT(nimap == 0 || nimap == 1);
+ if (nimap && imap.br_startblock != HOLESTARTBLOCK) {
+ xfs_daddr_t block;
+@@ -4352,8 +4354,10 @@
+ nimap = 1;
+ error = xfs_bmapi(NULL, ip, endoffset_fsb - 1, 1, 0, NULL, 0,
+ &imap, &nimap, NULL);
+- if (error)
++ if (error) {
++ xfs_iunlock(ip, XFS_IOLOCK_EXCL);
+ return error;
++ }
+ ASSERT(nimap == 0 || nimap == 1);
+ if (nimap && imap.br_startblock != HOLESTARTBLOCK) {
+ ASSERT(imap.br_startblock != DELAYSTARTBLOCK);
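Review bot: Both hunks add the same `xfs_iunlock(ip, XFS_IOLOCK_EXCL);` before a bare `return error;`, so each error return still has to remember the release, which is the pattern that allowed the leak. Routing both through one exit label, e.g. `goto out_unlock_iolock;` with the unlock and `return error;` at that label, keeps the release in a single place. The matching lock acquisition is outside both hunks, so if it is taken conditionally the release needs the same condition.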
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/101-cbq-sheduler-leak-fix.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/101-cbq-sheduler-leak-fix.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/101-cbq-sheduler-leak-fix.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,78 @@
+# origin: kaber (BitKeeper)
+# cset: 1.1449.16.5 (2.4) key=41297323Uj27U3EtErMOVt3qtcIIOw
+# inclusion: upstream
+# descrition: [PKT_SCHED]: Fix class leak in CBQ scheduler.
+# revision date: Fri, 26 Nov 2004 14:59:38 +0900
+#
+# S rset: ChangeSet|1.1449.16.4..1.1449.16.5
+# I rset: net/sched/sch_cbq.c|1.12..1.13
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/08/22 21:31:31-07:00 kaber@trash.net
+# [PKT_SCHED]: Fix class leak in CBQ scheduler.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@redhat.com>
+#
+# net/sched/sch_cbq.c
+# 2004/08/22 21:31:25-07:00 kaber@trash.net +8 -6
+# [PKT_SCHED]: Fix class leak in CBQ scheduler.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@redhat.com>
+#
+#
+===== net/sched/sch_cbq.c 1.12 vs 1.13 =====
+--- 1.12/net/sched/sch_cbq.c 2004-06-19 05:53:45 +09:00
++++ 1.13/net/sched/sch_cbq.c 2004-08-23 13:31:25 +09:00
+@@ -1712,15 +1712,18 @@
+ }
+ }
+
+-static void cbq_destroy_class(struct cbq_class *cl)
++static void cbq_destroy_class(struct Qdisc *sch, struct cbq_class *cl)
+ {
++ struct cbq_sched_data *q = (struct cbq_sched_data *)sch->data;
++
+ cbq_destroy_filters(cl);
+ qdisc_destroy(cl->q);
+ qdisc_put_rtab(cl->R_tab);
+ #ifdef CONFIG_NET_ESTIMATOR
+ qdisc_kill_estimator(&cl->stats);
+ #endif
+- kfree(cl);
++ if (cl != &q->link)
++ kfree(cl);
+ }
+
+ static void
+@@ -1743,8 +1746,7 @@
+
+ for (cl = q->classes[h]; cl; cl = next) {
+ next = cl->next;
+- if (cl != &q->link)
+- cbq_destroy_class(cl);
++ cbq_destroy_class(sch, cl);
+ }
+ }
+
+@@ -1766,7 +1768,7 @@
+ spin_unlock_bh(&sch->dev->queue_lock);
+ #endif
+
+- cbq_destroy_class(cl);
++ cbq_destroy_class(sch, cl);
+ }
+ }
+
+@@ -2000,7 +2002,7 @@
+ sch_tree_unlock(sch);
+
+ if (--cl->refcnt == 0)
+- cbq_destroy_class(cl);
++ cbq_destroy_class(sch, cl);
+
+ return 0;
+ }
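Review bot: `cbq_destroy_class()` in the @@ -1712,15 +1712,18 @@ hunk now runs the full teardown for every class and skips only `kfree(cl)` when `cl == &q->link`, but nothing at the check says why that one class must not be freed. A comment above the `if`, such as `/* q->link is embedded in the qdisc's private data, so it must not be kfree()d */`, would record the reason. Because the helper now derives `q` from `sch->data`, the three call sites in the later hunks rely on `sch` being the qdisc that owns `cl`, which is worth stating in a short comment on the function.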
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/102-nsc-ircc-oops-fix.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/102-nsc-ircc-oops-fix.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/102-nsc-ircc-oops-fix.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,67 @@
+# origin: mbroemme (BitKeeper)
+# cset: 1.1449.1.55 (2.4) key=4129d428jBa-HsJVI29uI4OLhE7uRA
+# inclusion: upstream
+# descrition: [PATCH] Fix kernel oops in nsc-ircc.c
+# revision date: Fri, 26 Nov 2004 14:59:38 +0900
+#
+# S rset: ChangeSet|1.1449.1.54..1.1449.1.55
+# I rset: drivers/net/irda/nsc-ircc.c|1.15..1.16
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/08/23 08:25:28-03:00 mbroemme@plusserver.de
+# [PATCH] Fix kernel oops in nsc-ircc.c
+#
+# * fix kernel oops if you load nsc-ircc.o with dongle id which is out of range
+# of available dongle ids.
+#
+# If you try to modprobe the nsc-ircc module with a specific dongle id for
+# example: "modprobe nsc-ircc irq=3 dma=1 io=0x2f8 dongle_id=0x99" the kernel
+# oopses and the module hangs until a reboot on initializing.
+#
+# drivers/net/irda/nsc-ircc.c
+# 2004/08/23 08:19:52-03:00 mbroemme@plusserver.de +12 -5
+# Fix kernel oops in nsc-ircc.c
+#
+#
+===== drivers/net/irda/nsc-ircc.c 1.15 vs 1.16 =====
+--- 1.15/drivers/net/irda/nsc-ircc.c 2004-01-15 03:21:16 +09:00
++++ 1.16/drivers/net/irda/nsc-ircc.c 2004-08-23 20:19:52 +09:00
+@@ -6,8 +6,8 @@
+ * Status: Stable.
+ * Author: Dag Brattli <dagb@cs.uit.no>
+ * Created at: Sat Nov 7 21:43:15 1998
+- * Modified at: Wed Mar 1 11:29:34 2000
+- * Modified by: Dag Brattli <dagb@cs.uit.no>
++ * Modified at: Sat Aug 14 04:14:57 2004
++ * Modified by: Maik Broemme <mbroemme@plusserver.de>
+ *
+ * Copyright (c) 1998-2000 Dag Brattli <dagb@cs.uit.no>
+ * Copyright (c) 1998 Lichen Wang, <lwang@actisys.com>
+@@ -369,15 +369,22 @@
+ }
+ MESSAGE("IrDA: Registered device %s\n", dev->name);
+
+- /* Check if user has supplied the dongle id or not */
++ /* Check if user has supplied the dongle id and if it is in the range of available ids or not. */
+ if (!dongle_id) {
+ dongle_id = nsc_ircc_read_dongle_id(self->io.fir_base);
+
+ MESSAGE("%s, Found dongle: %s\n", driver_name,
+ dongle_types[dongle_id]);
+ } else {
+- MESSAGE("%s, Using dongle: %s\n", driver_name,
+- dongle_types[dongle_id]);
++ if (dongle_id < sizeof(dongle_types) / sizeof(dongle_types[0])) {
++ MESSAGE("%s, Using dongle: %s\n", driver_name,
++ dongle_types[dongle_id]);
++ } else {
++ MESSAGE("%s, dongle id %i out of range, start autodetect.\n", driver_name, dongle_id);
++ dongle_id = nsc_ircc_read_dongle_id(self->io.fir_base);
++ MESSAGE("%s, Found dongle: %s\n", driver_name,
++ dongle_types[dongle_id]);
++ }
+ }
+
+ self->io.dongle_id = dongle_id;
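Review bot: The new bounds test guards only the user-supplied `dongle_id`; the value returned by `nsc_ircc_read_dongle_id()` still indexes `dongle_types[]` unchecked in both autodetect paths. That helper's body is outside this hunk, so if it can ever return an index beyond the table, the same out-of-range read remains. It is safer to route every path through one test before the `MESSAGE` that dereferences the table. The comparison also rejects negative ids only through implicit conversion to an unsigned type (assuming `dongle_id` is a signed int, declared outside the hunk), which deserves a comment such as `/* negative ids convert to a large unsigned value and fail this test too */`. The enclosing function starts and ends outside the hunk.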
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/103-enter-acpi-early.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/103-enter-acpi-early.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/103-enter-acpi-early.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,213 @@
+# origin: len.brown (BitKeeper)
+# cset: 1.1458.1.1 (2.4) key=412bff64m04mAwQ5oNVoKpGr6RxuFA
+# inclusion: upstream
+# descrition: [ACPI] Enter ACPI mode earlier
+# revision date: Fri, 26 Nov 2004 14:59:38 +0900
+#
+# S rset: ChangeSet|1.1458..1.1458.1.1
+# I rset: drivers/acpi/osl.c|1.30..1.31
+# I rset: init/main.c|1.30..1.31
+# I rset: arch/i386/kernel/dmi_scan.c|1.44..1.45
+# I rset: drivers/acpi/bus.c|1.30..1.31
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/08/24 22:54:28-04:00 len.brown@intel.com
+# [ACPI] Enter ACPI mode earlier
+# Fixes two common boot failures due to buggy SMM BIOS code
+#
+# SMP boot crash if SMI_CMD=ACPI written from CPU1
+# http://bugzilla.kernel.org/show_bug.cgi?id=2941
+#
+# laptop crash due to LAPIC timer before SMI_CMD=ACPI
+# http://bugzilla.kernel.org/show_bug.cgi?id=1269
+#
+# init/main.c
+# 2004/08/24 22:54:26-04:00 len.brown@intel.com +6 -0
+# acpi_early_init()
+#
+# drivers/acpi/osl.c
+# 2004/08/24 22:54:26-04:00 len.brown@intel.com +6 -0
+# defer acpi_os_initialize() to acpi_os_initialize1()
+#
+# drivers/acpi/bus.c
+# 2004/08/24 22:54:26-04:00 len.brown@intel.com +32 -6
+# add acpi_early_init()
+#
+# arch/i386/kernel/dmi_scan.c
+# 2004/08/24 22:54:26-04:00 len.brown@intel.com +0 -40
+# delete local_apic_kills_bios()
+#
+#
+===== drivers/acpi/osl.c 1.30 vs 1.31 =====
+--- 1.30/drivers/acpi/osl.c 2004-03-27 09:27:44 +09:00
++++ 1.31/drivers/acpi/osl.c 2004-08-25 11:54:26 +09:00
+@@ -72,6 +72,12 @@
+ acpi_status
+ acpi_os_initialize(void)
+ {
++ return AE_OK;
++}
++
++acpi_status
++acpi_os_initialize1(void)
++{
+ /*
+ * Initialize PCI configuration space access, as we'll need to access
+ * it while walking the namespace (bus 0 and root bridges w/ _BBNs).
+===== init/main.c 1.30 vs 1.31 =====
+--- 1.30/init/main.c 2003-08-31 01:50:15 +09:00
++++ 1.31/init/main.c 2004-08-25 11:54:26 +09:00
+@@ -101,6 +101,11 @@
+ extern int init_pcmcia_ds(void);
+
+ extern void free_initmem(void);
++#ifdef CONFIG_ACPI_BOOT
++extern void acpi_early_init(void);
++#else
++static inline acpi_early_init() { }
++#endif
+
+ #ifdef CONFIG_TC
+ extern void tc_init(void);
+@@ -426,6 +431,7 @@
+ proc_root_init();
+ #endif
+ check_bugs();
++ acpi_early_init(); /* before LAPIC and SMP init */
+ printk("POSIX conformance testing by UNIFIX\n");
+
+ /*
+===== arch/i386/kernel/dmi_scan.c 1.44 vs 1.45 =====
+--- 1.44/arch/i386/kernel/dmi_scan.c 2004-06-01 08:00:20 +09:00
++++ 1.45/arch/i386/kernel/dmi_scan.c 2004-08-25 11:54:26 +09:00
+@@ -328,26 +328,6 @@
+ }
+
+ /*
+- * Some machines, usually laptops, can't handle an enabled local APIC.
+- * The symptoms include hangs or reboots when suspending or resuming,
+- * attaching or detaching the power cord, or entering BIOS setup screens
+- * through magic key sequences.
+- */
+-static int __init local_apic_kills_bios(struct dmi_blacklist *d)
+-{
+-#ifdef CONFIG_X86_LOCAL_APIC
+- extern int enable_local_apic;
+- if (enable_local_apic == 0) {
+- enable_local_apic = -1;
+- printk(KERN_WARNING "%s with broken BIOS detected. "
+- "Refusing to enable the local APIC.\n",
+- d->ident);
+- }
+-#endif
+- return 0;
+-}
+-
+-/*
+ * Check for clue free BIOS implementations who use
+ * the following QA technique
+ *
+@@ -790,26 +770,6 @@
+ MATCH(DMI_BIOS_VERSION, "07.00T"),
+ MATCH(DMI_SYS_VENDOR, "Higraded"),
+ MATCH(DMI_PRODUCT_NAME, "P14H")
+- } },
+-
+- /* Machines which have problems handling enabled local APICs */
+-
+- { local_apic_kills_bios, "Dell Inspiron", {
+- MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
+- MATCH(DMI_PRODUCT_NAME, "Inspiron"),
+- NO_MATCH, NO_MATCH
+- } },
+-
+- { local_apic_kills_bios, "Dell Latitude", {
+- MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
+- MATCH(DMI_PRODUCT_NAME, "Latitude"),
+- NO_MATCH, NO_MATCH
+- } },
+-
+- { local_apic_kills_bios, "IBM Thinkpad T20", {
+- MATCH(DMI_BOARD_VENDOR, "IBM"),
+- MATCH(DMI_BOARD_NAME, "264741U"),
+- NO_MATCH, NO_MATCH
+ } },
+
+ { init_ints_after_s1, "Toshiba Satellite 4030cdt", { /* Reinitialization of 8259 is needed after S1 resume */
+===== drivers/acpi/bus.c 1.30 vs 1.31 =====
+--- 1.30/drivers/acpi/bus.c 2004-05-20 16:27:15 +09:00
++++ 1.31/drivers/acpi/bus.c 2004-08-25 11:54:26 +09:00
+@@ -1844,10 +1844,9 @@
+ }
+
+
+-static int __init
+-acpi_bus_init (void)
++void __init
++acpi_early_init (void)
+ {
+- int result = 0;
+ acpi_status status = AE_OK;
+ struct acpi_buffer buffer = {sizeof(acpi_fadt), &acpi_fadt};
+
+@@ -1871,7 +1870,7 @@
+ status = acpi_get_table(ACPI_TABLE_FADT, 1, &buffer);
+ if (ACPI_FAILURE(status)) {
+ printk(KERN_ERR PREFIX "Unable to get the FADT\n");
+- goto error1;
++ goto error0;
+ }
+
+ #ifdef CONFIG_X86
+@@ -1894,12 +1893,40 @@
+ }
+ #endif
+
+- status = acpi_enable_subsystem(ACPI_FULL_INITIALIZATION);
++ status = acpi_enable_subsystem(~(ACPI_NO_HARDWARE_INIT | ACPI_NO_ACPI_ENABLE));
++ if (ACPI_FAILURE(status)) {
++ printk(KERN_ERR PREFIX "Unable to enable ACPI\n");
++ goto error0;
++ }
++
++ return;
++
++error0:
++ disable_acpi();
++ return;
++}
++
++static int __init
++acpi_bus_init (void)
++{
++ int result = 0;
++ acpi_status status = AE_OK;
++ extern acpi_status acpi_os_initialize1(void);
++
++ ACPI_FUNCTION_TRACE("acpi_bus_init");
++
++ status = acpi_os_initialize1();
++
++ status = acpi_enable_subsystem(ACPI_NO_HARDWARE_INIT | ACPI_NO_ACPI_ENABLE);
+ if (ACPI_FAILURE(status)) {
+ printk(KERN_ERR PREFIX "Unable to start the ACPI Interpreter\n");
+ goto error1;
+ }
+
++ if (ACPI_FAILURE(status)) {
++ printk(KERN_ERR PREFIX "Unable to initialize ACPI OS objects\n");
++ goto error1;
++ }
+ #ifdef CONFIG_ACPI_EC
+ /*
+ * ACPI 2.0 requires the EC driver to be loaded and work before
+@@ -1992,7 +2019,6 @@
+ ACPI_SYSTEM_NOTIFY, &acpi_bus_notify);
+ error1:
+ acpi_terminate();
+-error0:
+ return_VALUE(-ENODEV);
+ }
+
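Review bot: In the new `acpi_bus_init()` the result of `status = acpi_os_initialize1();` is overwritten by the `acpi_enable_subsystem()` call on the next statement, so a failure of the OS-layer initialization is never acted on. The later `if (ACPI_FAILURE(status))` block that prints "Unable to initialize ACPI OS objects" re-tests a status already known to be good and cannot fire. That block should move up to directly follow `status = acpi_os_initialize1();`, before the interpreter is started. Separately, the non-ACPI stub in init/main.c is declared as `static inline acpi_early_init() { }`, which relies on implicit int and an unprototyped parameter list; `static inline void acpi_early_init(void) { }` matches the extern declaration above it.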
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/104-jfs-memory-leak.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/104-jfs-memory-leak.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/104-jfs-memory-leak.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,33 @@
+# origin: shaggy (BitKeeper)
+# cset: 1.1449.1.79 (2.4) key=4130e7f372QVsEXPVRihDV79AZ_BVw
+# inclusion: upstream
+# descrition: JFS: fix memory leak in __invalidate_metapages
+# revision date: Fri, 26 Nov 2004 14:59:38 +0900
+#
+# S rset: ChangeSet|1.1449.1.78..1.1449.1.79
+# I rset: fs/jfs/jfs_metapage.c|1.16..1.17
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/08/28 15:15:47-05:00 shaggy@austin.ibm.com
+# JFS: fix memory leak in __invalidate_metapages
+#
+# Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com>
+#
+# fs/jfs/jfs_metapage.c
+# 2004/08/28 15:15:40-05:00 shaggy@austin.ibm.com +1 -0
+# fix memory leak
+#
+#
+===== fs/jfs/jfs_metapage.c 1.16 vs 1.17 =====
+--- 1.16/fs/jfs/jfs_metapage.c 2004-06-15 05:26:55 +09:00
++++ 1.17/fs/jfs/jfs_metapage.c 2004-08-29 05:15:40 +09:00
+@@ -606,6 +606,7 @@
+ if (page) {
+ block_flushpage(page, 0);
+ UnlockPage(page);
++ page_cache_release(page);
+ }
+ }
+ }
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/105-raid1-error-locks-fix.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/105-raid1-error-locks-fix.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/105-raid1-error-locks-fix.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,267 @@
+# origin: dledford (BitKeeper)
+# cset: 1.1449.42.2 (2.4) key=414c5046ARO0y3lX1yHZfV3gBv-VLg
+# inclusion: upstream
+# descrition: [PATCH] RAID1 error handling locking fix
+# revision date: Fri, 26 Nov 2004 14:59:39 +0900
+#
+# S rset: ChangeSet|1.1449.42.1..1.1449.42.2
+# I rset: drivers/md/raid1.c|1.18..1.19
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/09/18 12:12:06-03:00 dledford@redhat.com
+# [PATCH] RAID1 error handling locking fix
+#
+# OK, basic problem is that if you use mdadm to fail a device in a raid1
+# array and then immediately remove that device, you can end up triggering
+# a race condition in the raid1 code. This only shows up on SMP systems
+# (and the one I have here which is a 2 physical, 4 logical processor
+# system shows it very easily, but for some reason nmi_watchdog didn't
+# ever help and the system always just locked hard and refused to do
+# anything, so I didn't have an oops to work from, just a hardlock).
+#
+# In the raid1 code, we keep an array of devices that are part of the
+# raid1 array. Each of these devices can have multiple states, but for
+# the most part we check the operational bit of a device before deciding
+# to use it. If we decide to use that device, then we grab the device
+# number from the array (kdev_t, aka this is the device's major/minor and
+# is what we are going to pass to generic_make_request in order to pass
+# the buffer head on to the underlying device).
+#
+# When we fail a device, we set that operational bit to 0. When we remove
+# a device, we also set the dev item in the struct to MKDEV(0,0).
+#
+# There is no locking whatsoever between the failing of a device (setting
+# the operational bit to 0) and the make_request functions in the raid1
+# code. So, even though it's safe to fail a device without this locking,
+# before we can safely remove the device we need to know that every
+# possible context that might be checking that operational bit has in fact
+# seen the failed operational bit. If not, then we can end up setting the
+# dev to 0, then the other context grabs it and tries to pass that off to
+# generic_make_request, unnice things ensue.
+#
+# So, this patch does these things:
+#
+# 1. Whenever we are calling mark_disk_bad(), hold the
+# conf->device_lock
+# 2. Whenever we are walking the device array looking for an
+# operational device, always grab the conf->device_lock first and
+# hold it until after we have gotten not only the operational bit
+# but also the dev number for the device
+# 3. Correct an accounting problem in the superblock. If we fail a
+# device and it's currently counted as a spare device instead of
+# an active device, then we failed to decrement the superblocks
+# spare disk count. This accounting error is preserved across
+# shutdown and restart of the array, and although it doesn't oops
+# the kernel (the kernel will refuse to try and read beyond disk
+# 26 even if the spare count indicates it should, although I'm not
+# sure it doesn't try and write past 26 so this could be a disk
+# corruptor when the spare count + active counts exceeds the
+# amount of space available in the on disk superblock format) it
+# does in fact cause mdadm to segfault on trying to read the
+# superblock.
+#
+# So, that's the description. Testing. Well, without this patch, my test
+# machine dies on the following command *very* quickly:
+#
+# while true; do mdadm /dev/md0 -f /dev/sdc1 -r /dev/sdc1 -a /dev/sdc1;
+# sleep 1; done
+#
+# In addition, without the patch you can watch the superblock's spare
+# count go up with every single invocation of that command.
+#
+# With my patch, the same machine survived the above command running over
+# the weekend, and in addition I mounted the raid1 array and ran a
+# continuous loop of bonnie++ sessions to generate as much load as
+# possible. I've verified that the spare count stays consistent when
+# failing a spare device, and I've verfied that once a device is synced up
+# then the spare count is also decremented as the device is switched to
+# being accounted as an active device.
+#
+# drivers/md/raid1.c
+# 2004/06/24 00:41:54-03:00 dledford@redhat.com +30 -6
+# RAID1 error handling locking fix
+#
+#
+===== drivers/md/raid1.c 1.18 vs 1.19 =====
+--- 1.18/drivers/md/raid1.c 2004-03-29 07:13:33 +09:00
++++ 1.19/drivers/md/raid1.c 2004-06-24 12:41:54 +09:00
+@@ -325,18 +325,22 @@
+ {
+ raid1_conf_t *conf = mddev_to_conf(mddev);
+ int i, disks = MD_SB_DISKS;
++ unsigned long flags;
+
+ /*
+ * Later we do read balancing on the read side
+ * now we use the first available disk.
+ */
+
++ md_spin_lock_irqsave(&conf->device_lock, flags);
+ for (i = 0; i < disks; i++) {
+ if (conf->mirrors[i].operational) {
+ *rdev = conf->mirrors[i].dev;
++ md_spin_unlock_irqrestore(&conf->device_lock, flags);
+ return (0);
+ }
+ }
++ md_spin_unlock_irqrestore(&conf->device_lock, flags);
+
+ printk (KERN_ERR "raid1_map(): huh, no more operational devices?\n");
+ return (-1);
+@@ -592,6 +596,7 @@
+ int disks = MD_SB_DISKS;
+ int i, sum_bhs = 0;
+ struct mirror_info *mirror;
++ kdev_t dev;
+
+ if (!buffer_locked(bh))
+ BUG();
+@@ -635,13 +640,16 @@
+ /*
+ * read balancing logic:
+ */
++ spin_lock_irq(&conf->device_lock);
+ mirror = conf->mirrors + raid1_read_balance(conf, bh);
++ dev = mirror->dev;
++ spin_unlock_irq(&conf->device_lock);
+
+ bh_req = &r1_bh->bh_req;
+ memcpy(bh_req, bh, sizeof(*bh));
+ bh_req->b_blocknr = bh->b_rsector;
+- bh_req->b_dev = mirror->dev;
+- bh_req->b_rdev = mirror->dev;
++ bh_req->b_dev = dev;
++ bh_req->b_rdev = dev;
+ /* bh_req->b_rsector = bh->n_rsector; */
+ bh_req->b_end_io = raid1_end_request;
+ bh_req->b_private = r1_bh;
+@@ -654,6 +662,7 @@
+ */
+
+ bhl = raid1_alloc_bh(conf, conf->raid_disks);
++ spin_lock_irq(&conf->device_lock);
+ for (i = 0; i < disks; i++) {
+ struct buffer_head *mbh;
+ if (!conf->mirrors[i].operational)
+@@ -702,6 +711,7 @@
+ r1_bh->mirror_bh_list = mbh;
+ sum_bhs++;
+ }
++ spin_unlock_irq(&conf->device_lock);
+ if (bhl) raid1_free_bh(conf,bhl);
+ if (!sum_bhs) {
+ /* Gag - all mirrors non-operational.. */
+@@ -771,6 +781,8 @@
+ mark_disk_inactive(sb->disks+mirror->number);
+ if (!mirror->write_only)
+ sb->active_disks--;
++ else
++ sb->spare_disks--;
+ sb->working_disks--;
+ sb->failed_disks++;
+ mddev->sb_dirty = 1;
+@@ -787,6 +799,7 @@
+ struct mirror_info * mirrors = conf->mirrors;
+ int disks = MD_SB_DISKS;
+ int i;
++ unsigned long flags;
+
+ /* Find the drive.
+ * If it is not operational, then we have already marked it as dead
+@@ -808,7 +821,9 @@
+
+ return 1;
+ }
++ md_spin_lock_irqsave(&conf->device_lock, flags);
+ mark_disk_bad(mddev, i);
++ md_spin_unlock_irqrestore(&conf->device_lock, flags);
+ return 0;
+ }
+
+@@ -876,7 +891,6 @@
+ mdp_disk_t *failed_desc, *spare_desc, *added_desc;
+ mdk_rdev_t *spare_rdev, *failed_rdev;
+
+- print_raid1_conf(conf);
+
+ switch (state) {
+ case DISKOP_SPARE_ACTIVE:
+@@ -887,6 +901,10 @@
+
+ md_spin_lock_irq(&conf->device_lock);
+ /*
++ * Need the conf lock when printing out state else we get BUG()s
++ */
++ print_raid1_conf(conf);
++ /*
+ * find the disk ...
+ */
+ switch (state) {
+@@ -1136,12 +1154,12 @@
+ goto abort;
+ }
+ abort:
++ print_raid1_conf(conf);
+ md_spin_unlock_irq(&conf->device_lock);
+ if (state == DISKOP_SPARE_ACTIVE || state == DISKOP_SPARE_INACTIVE)
+ /* should move to "END_REBUILD" when such exists */
+ raid1_shrink_buffers(conf);
+
+- print_raid1_conf(conf);
+ return err;
+ }
+
+@@ -1196,6 +1214,7 @@
+
+ conf = mddev_to_conf(mddev);
+ bhl = raid1_alloc_bh(conf, conf->raid_disks); /* don't really need this many */
++ spin_lock_irq(&conf->device_lock);
+ for (i = 0; i < disks ; i++) {
+ if (!conf->mirrors[i].operational)
+ continue;
+@@ -1238,6 +1257,7 @@
+
+ sum_bhs++;
+ }
++ spin_unlock_irq(&conf->device_lock);
+ md_atomic_set(&r1_bh->remaining, sum_bhs);
+ if (bhl) raid1_free_bh(conf, bhl);
+ mbh = r1_bh->mirror_bh_list;
+@@ -1373,6 +1393,7 @@
+ int disk;
+ int block_nr;
+ int buffs;
++ kdev_t dev;
+
+ if (!sector_nr) {
+ /* we want enough buffers to hold twice the window of 128*/
+@@ -1426,6 +1447,7 @@
+ * could dedicate one to rebuild and others to
+ * service read requests ..
+ */
++ spin_lock_irq(&conf->device_lock);
+ disk = conf->last_used;
+ /* make sure disk is operational */
+ while (!conf->mirrors[disk].operational) {
+@@ -1437,6 +1459,8 @@
+ conf->last_used = disk;
+
+ mirror = conf->mirrors+conf->last_used;
++ dev = mirror->dev;
++ spin_unlock_irq(&conf->device_lock);
+
+ r1_bh = raid1_alloc_buf (conf);
+ r1_bh->master_bh = NULL;
+@@ -1453,8 +1477,8 @@
+ }
+ bh->b_size = bsize;
+ bh->b_list = BUF_LOCKED;
+- bh->b_dev = mirror->dev;
+- bh->b_rdev = mirror->dev;
++ bh->b_dev = dev;
++ bh->b_rdev = dev;
+ bh->b_state = (1<<BH_Req) | (1<<BH_Mapped) | (1<<BH_Lock);
+ if (!bh->b_page)
+ BUG();
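Review bot: The patch takes `conf->device_lock` in two different ways. It uses `md_spin_lock_irqsave()`/`md_spin_unlock_irqrestore()` in the map and error paths, but plain `spin_lock_irq()`/`spin_unlock_irq()` in the request and resync paths. The `_irq` unlock re-enables interrupts unconditionally, so those sites are only correct if their callers never enter with interrupts already disabled, which cannot be confirmed from these hunks because the enclosing functions start and end outside them. Either use the saving form throughout, `md_spin_lock_irqsave(&conf->device_lock, flags);`, or add a comment at each `_irq` site stating that it runs in process context with interrupts enabled. The write-path and resync loops now run their whole body with the lock held and interrupts off, so it is also worth confirming that nothing in the unseen loop bodies can sleep or allocate.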
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/106-sunclinkmp-oops-fix.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/106-sunclinkmp-oops-fix.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/106-sunclinkmp-oops-fix.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,381 @@
+# origin: paulkf (BitKeeper)
+# cset: 1.1449.22.1 (2.4) key=412f206avPesQ3fD-tHlk54GaW15kg
+# inclusion: upstream
+# descrition: [PATCH] synclinkmp transmit eom fix
+# revision date: Fri, 26 Nov 2004 14:59:38 +0900
+#
+# S rset: ChangeSet|1.1449.21.7..1.1449.22.1
+# I rset: drivers/char/synclinkmp.c|1.4..1.5
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/08/27 08:52:10-03:00 paulkf@microgate.com
+# [PATCH] synclinkmp transmit eom fix
+#
+# Bug Fixes:
+#
+# * Fix transmit end of message (EOM) processing to
+# work correctly with hardware auto CTS feature
+#
+# * Fix oops in error path if hardware diags fail
+# during device initialization
+#
+# Cosmetic change:
+#
+# * Use existing macros for address space size
+# instead of hardcoded values
+#
+# Signed-off-by: Paul Fulghum <paulkf@microgate.com>
+#
+# drivers/char/synclinkmp.c
+# 2004/08/26 15:02:57-03:00 paulkf@microgate.com +79 -76
+# synclinkmp transmit eom fix
+#
+#
+===== drivers/char/synclinkmp.c 1.4 vs 1.5 =====
+--- 1.4/drivers/char/synclinkmp.c 2003-09-10 01:09:31 +09:00
++++ 1.5/drivers/char/synclinkmp.c 2004-08-27 03:02:57 +09:00
+@@ -1,5 +1,5 @@
+ /*
+- * $Id: synclinkmp.c,v 3.22 2003/09/05 14:04:26 paulkf Exp $
++ * $Id: synclinkmp.c,v 3.23 2004/08/24 19:49:48 paulkf Exp $
+ *
+ * Device driver for Microgate SyncLink Multiport
+ * high speed multiprotocol serial adapter.
+@@ -504,7 +504,7 @@
+ MODULE_PARM(dosyncppp,"1-" __MODULE_STRING(MAX_DEVICES) "i");
+
+ static char *driver_name = "SyncLink MultiPort driver";
+-static char *driver_version = "$Revision: 3.22 $";
++static char *driver_version = "$Revision: 3.23 $";
+
+ static int __devinit synclinkmp_init_one(struct pci_dev *dev,const struct pci_device_id *ent);
+ static void __devexit synclinkmp_remove_one(struct pci_dev *dev);
+@@ -681,7 +681,7 @@
+ static unsigned char tx_negate_fifo_level = 32; // tx request FIFO negation level in bytes
+
+ static u32 misc_ctrl_value = 0x007e4040;
+-static u32 lcr1_brdr_value = 0x0080002d;
++static u32 lcr1_brdr_value = 0x00800029;
+
+ static u32 read_ahead_count = 8;
+
+@@ -2036,16 +2036,15 @@
+ {
+ struct tty_struct *tty = info->tty;
+ struct mgsl_icount *icount = &info->icount;
+- unsigned char status = read_reg(info, SR1);
+- unsigned char status2 = read_reg(info, SR2);
++ unsigned char status = read_reg(info, SR1) & info->ie1_value & (FLGD + IDLD + CDCD + BRKD);
++ unsigned char status2 = read_reg(info, SR2) & info->ie2_value & OVRN;
+
+ /* clear status bits */
+- if ( status & (FLGD + IDLD + CDCD + BRKD) )
+- write_reg(info, SR1,
+- (unsigned char)(status & (FLGD + IDLD + CDCD + BRKD)));
++ if (status)
++ write_reg(info, SR1, status);
+
+- if ( status2 & OVRN )
+- write_reg(info, SR2, (unsigned char)(status2 & OVRN));
++ if (status2)
++ write_reg(info, SR2, status2);
+
+ if ( debug_level >= DEBUG_LEVEL_ISR )
+ printk("%s(%d):%s isr_rxint status=%02X %02x\n",
+@@ -2182,15 +2181,22 @@
+ printk("%s(%d):%s isr_txeom status=%02x\n",
+ __FILE__,__LINE__,info->device_name,status);
+
+- /* disable and clear MSCI interrupts */
+- info->ie1_value &= ~(IDLE + UDRN);
+- write_reg(info, IE1, info->ie1_value);
+- write_reg(info, SR1, (unsigned char)(UDRN + IDLE));
+-
+ write_reg(info, TXDMA + DIR, 0x00); /* disable Tx DMA IRQs */
+ write_reg(info, TXDMA + DSR, 0xc0); /* clear IRQs and disable DMA */
+ write_reg(info, TXDMA + DCMD, SWABORT); /* reset/init DMA channel */
+
++ if (status & UDRN) {
++ write_reg(info, CMD, TXRESET);
++ write_reg(info, CMD, TXENABLE);
++ } else
++ write_reg(info, CMD, TXBUFCLR);
++
++ /* disable and clear tx interrupts */
++ info->ie0_value &= ~TXRDYE;
++ info->ie1_value &= ~(IDLE + UDRN);
++ write_reg16(info, IE0, (unsigned short)((info->ie1_value << 8) + info->ie0_value));
++ write_reg(info, SR1, (unsigned char)(UDRN + IDLE));
++
+ if ( info->tx_active ) {
+ if (info->params.mode != MGSL_MODE_ASYNC) {
+ if (status & UDRN)
+@@ -2231,10 +2237,10 @@
+ */
+ void isr_txint(SLMP_INFO * info)
+ {
+- unsigned char status = read_reg(info, SR1);
++ unsigned char status = read_reg(info, SR1) & info->ie1_value & (UDRN + IDLE + CCTS);
+
+ /* clear status bits */
+- write_reg(info, SR1, (unsigned char)(status & (UDRN + IDLE + CCTS)));
++ write_reg(info, SR1, status);
+
+ if ( debug_level >= DEBUG_LEVEL_ISR )
+ printk("%s(%d):%s isr_txint status=%02x\n",
+@@ -2263,6 +2269,14 @@
+ printk("%s(%d):%s isr_txrdy() tx_count=%d\n",
+ __FILE__,__LINE__,info->device_name,info->tx_count);
+
++ if (info->params.mode != MGSL_MODE_ASYNC) {
++ /* disable TXRDY IRQ, enable IDLE IRQ */
++ info->ie0_value &= ~TXRDYE;
++ info->ie1_value |= IDLE;
++ write_reg16(info, IE0, (unsigned short)((info->ie1_value << 8) + info->ie0_value));
++ return;
++ }
++
+ if (info->tty && (info->tty->stopped || info->tty->hw_stopped)) {
+ tx_stop(info);
+ return;
+@@ -2317,13 +2331,6 @@
+
+ void isr_txdmaok(SLMP_INFO * info)
+ {
+- /* BIT7 = EOT (end of transfer, used for async mode)
+- * BIT6 = EOM (end of message/frame, used for sync mode)
+- *
+- * We don't look at DMA status because only EOT is enabled
+- * and we always clear and disable all tx DMA IRQs.
+- */
+-// unsigned char dma_status = read_reg(info,TXDMA + DSR) & 0xc0;
+ unsigned char status_reg1 = read_reg(info, SR1);
+
+ write_reg(info, TXDMA + DIR, 0x00); /* disable Tx DMA IRQs */
+@@ -2334,19 +2341,10 @@
+ printk("%s(%d):%s isr_txdmaok(), status=%02x\n",
+ __FILE__,__LINE__,info->device_name,status_reg1);
+
+- /* If transmitter already idle, do end of frame processing,
+- * otherwise enable interrupt for tx IDLE.
+- */
+- if (status_reg1 & IDLE)
+- isr_txeom(info, IDLE);
+- else {
+- /* disable and clear underrun IRQ, enable IDLE interrupt */
+- info->ie1_value |= IDLE;
+- info->ie1_value &= ~UDRN;
+- write_reg(info, IE1, info->ie1_value);
+-
+- write_reg(info, SR1, UDRN);
+- }
++ /* program TXRDY as FIFO empty flag, enable TXRDY IRQ */
++ write_reg16(info, TRC0, 0);
++ info->ie0_value |= TXRDYE;
++ write_reg(info, IE0, info->ie0_value);
+ }
+
+ void isr_txdmaerror(SLMP_INFO * info)
+@@ -3037,7 +3035,7 @@
+ unsigned char oldval = info->ie1_value;
+ unsigned char newval = oldval +
+ (mask & MgslEvent_ExitHuntMode ? FLGD:0) +
+- (mask & MgslEvent_IdleReceived ? IDLE:0);
++ (mask & MgslEvent_IdleReceived ? IDLD:0);
+ if ( oldval != newval ) {
+ info->ie1_value = newval;
+ write_reg(info, IE1, info->ie1_value);
+@@ -3104,7 +3102,7 @@
+ spin_lock_irqsave(&info->lock,flags);
+ if (!waitqueue_active(&info->event_wait_q)) {
+ /* disable enable exit hunt mode/idle rcvd IRQs */
+- info->ie1_value &= ~(FLGD|IDLE);
++ info->ie1_value &= ~(FLGD|IDLD);
+ write_reg(info, IE1, info->ie1_value);
+ }
+ spin_unlock_irqrestore(&info->lock,flags);
+@@ -3554,9 +3552,10 @@
+
+ int claim_resources(SLMP_INFO *info)
+ {
+- if (request_mem_region(info->phys_memory_base,0x40000,"synclinkmp") == NULL) {
++ if (request_mem_region(info->phys_memory_base,SCA_MEM_SIZE,"synclinkmp") == NULL) {
+ printk( "%s(%d):%s mem addr conflict, Addr=%08X\n",
+ __FILE__,__LINE__,info->device_name, info->phys_memory_base);
++ info->init_error = DiagStatus_AddressConflict;
+ goto errout;
+ }
+ else
+@@ -3565,22 +3564,25 @@
+ if (request_mem_region(info->phys_lcr_base + info->lcr_offset,128,"synclinkmp") == NULL) {
+ printk( "%s(%d):%s lcr mem addr conflict, Addr=%08X\n",
+ __FILE__,__LINE__,info->device_name, info->phys_lcr_base);
++ info->init_error = DiagStatus_AddressConflict;
+ goto errout;
+ }
+ else
+ info->lcr_mem_requested = 1;
+
+- if (request_mem_region(info->phys_sca_base + info->sca_offset,512,"synclinkmp") == NULL) {
++ if (request_mem_region(info->phys_sca_base + info->sca_offset,SCA_BASE_SIZE,"synclinkmp") == NULL) {
+ printk( "%s(%d):%s sca mem addr conflict, Addr=%08X\n",
+ __FILE__,__LINE__,info->device_name, info->phys_sca_base);
++ info->init_error = DiagStatus_AddressConflict;
+ goto errout;
+ }
+ else
+ info->sca_base_requested = 1;
+
+- if (request_mem_region(info->phys_statctrl_base + info->statctrl_offset,16,"synclinkmp") == NULL) {
++ if (request_mem_region(info->phys_statctrl_base + info->statctrl_offset,SCA_REG_SIZE,"synclinkmp") == NULL) {
+ printk( "%s(%d):%s stat/ctrl mem addr conflict, Addr=%08X\n",
+ __FILE__,__LINE__,info->device_name, info->phys_statctrl_base);
++ info->init_error = DiagStatus_AddressConflict;
+ goto errout;
+ }
+ else
+@@ -3590,33 +3592,41 @@
+ if (!info->memory_base) {
+ printk( "%s(%d):%s Cant map shared memory, MemAddr=%08X\n",
+ __FILE__,__LINE__,info->device_name, info->phys_memory_base );
++ info->init_error = DiagStatus_CantAssignPciResources;
+ goto errout;
+ }
+
+- if ( !memory_test(info) ) {
+- printk( "%s(%d):Shared Memory Test failed for device %s MemAddr=%08X\n",
+- __FILE__,__LINE__,info->device_name, info->phys_memory_base );
+- goto errout;
+- }
+-
+- info->lcr_base = ioremap(info->phys_lcr_base,PAGE_SIZE) + info->lcr_offset;
++ info->lcr_base = ioremap(info->phys_lcr_base,PAGE_SIZE);
+ if (!info->lcr_base) {
+ printk( "%s(%d):%s Cant map LCR memory, MemAddr=%08X\n",
+ __FILE__,__LINE__,info->device_name, info->phys_lcr_base );
++ info->init_error = DiagStatus_CantAssignPciResources;
+ goto errout;
+ }
++ info->lcr_base += info->lcr_offset;
+
+- info->sca_base = ioremap(info->phys_sca_base,PAGE_SIZE) + info->sca_offset;
++ info->sca_base = ioremap(info->phys_sca_base,PAGE_SIZE);
+ if (!info->sca_base) {
+ printk( "%s(%d):%s Cant map SCA memory, MemAddr=%08X\n",
+ __FILE__,__LINE__,info->device_name, info->phys_sca_base );
++ info->init_error = DiagStatus_CantAssignPciResources;
+ goto errout;
+ }
++ info->sca_base += info->sca_offset;
+
+- info->statctrl_base = ioremap(info->phys_statctrl_base,PAGE_SIZE) + info->statctrl_offset;
++ info->statctrl_base = ioremap(info->phys_statctrl_base,PAGE_SIZE);
+ if (!info->statctrl_base) {
+ printk( "%s(%d):%s Cant map SCA Status/Control memory, MemAddr=%08X\n",
+ __FILE__,__LINE__,info->device_name, info->phys_statctrl_base );
++ info->init_error = DiagStatus_CantAssignPciResources;
++ goto errout;
++ }
++ info->statctrl_base += info->statctrl_offset;
++
++ if ( !memory_test(info) ) {
++ printk( "%s(%d):Shared Memory Test failed for device %s MemAddr=%08X\n",
++ __FILE__,__LINE__,info->device_name, info->phys_memory_base );
++ info->init_error = DiagStatus_MemoryError;
+ goto errout;
+ }
+
+@@ -3639,7 +3649,7 @@
+ }
+
+ if ( info->shared_mem_requested ) {
+- release_mem_region(info->phys_memory_base,0x40000);
++ release_mem_region(info->phys_memory_base,SCA_MEM_SIZE);
+ info->shared_mem_requested = 0;
+ }
+ if ( info->lcr_mem_requested ) {
+@@ -3647,11 +3657,11 @@
+ info->lcr_mem_requested = 0;
+ }
+ if ( info->sca_base_requested ) {
+- release_mem_region(info->phys_sca_base + info->sca_offset,512);
++ release_mem_region(info->phys_sca_base + info->sca_offset,SCA_BASE_SIZE);
+ info->sca_base_requested = 0;
+ }
+ if ( info->sca_statctrl_requested ) {
+- release_mem_region(info->phys_statctrl_base + info->statctrl_offset,16);
++ release_mem_region(info->phys_statctrl_base + info->statctrl_offset,SCA_REG_SIZE);
+ info->sca_statctrl_requested = 0;
+ }
+
+@@ -3982,34 +3992,25 @@
+ __FILE__,__LINE__,rc);
+ restore_flags(flags);
+
++ /* reset devices */
+ info = synclinkmp_device_list;
+ while(info) {
+-#ifdef CONFIG_SYNCLINK_SYNCPPP
+- if (info->dosyncppp)
+- sppp_delete(info);
+-#endif
+ reset_port(info);
+- if ( info->port_num == 0 ) {
+- if ( info->irq_requested ) {
+- free_irq(info->irq_level, info);
+- info->irq_requested = 0;
+- }
+- }
+ info = info->next_device;
+ }
+
+- /* port 0 of each adapter originally claimed
+- * all resources, release those now
+- */
++ /* release devices */
+ info = synclinkmp_device_list;
+ while(info) {
++#ifdef CONFIG_SYNCLINK_SYNCPPP
++ if (info->dosyncppp)
++ sppp_delete(info);
++#endif
+ free_dma_bufs(info);
+ free_tmp_rx_buf(info);
+ if ( info->port_num == 0 ) {
+- spin_lock_irqsave(&info->lock,flags);
+- reset_adapter(info);
+- write_reg(info, LPR, 1); /* set low power mode */
+- spin_unlock_irqrestore(&info->lock,flags);
++ if (info->sca_base)
++ write_reg(info, LPR, 1); /* set low power mode */
+ release_resources(info);
+ }
+ tmp = info;
+@@ -4229,6 +4230,9 @@
+ }
+ }
+
++ write_reg16(info, TRC0,
++ (unsigned short)(((tx_negate_fifo_level-1)<<8) + tx_active_fifo_level));
++
+ write_reg(info, TXDMA + DSR, 0); /* disable DMA channel */
+ write_reg(info, TXDMA + DCMD, SWABORT); /* reset/init DMA channel */
+
+@@ -4240,11 +4244,10 @@
+ write_reg16(info, TXDMA + EDA,
+ info->tx_buf_list_ex[info->last_tx_buf].phys_entry);
+
+- /* clear IDLE and UDRN status bit */
+- info->ie1_value &= ~(IDLE + UDRN);
+- if (info->params.mode != MGSL_MODE_ASYNC)
+- info->ie1_value |= UDRN; /* HDLC, IRQ on underrun */
+- write_reg(info, IE1, info->ie1_value); /* enable MSCI interrupts */
++ /* enable underrun IRQ */
++ info->ie1_value &= ~IDLE;
++ info->ie1_value |= UDRN;
++ write_reg(info, IE1, info->ie1_value);
+ write_reg(info, SR1, (unsigned char)(IDLE + UDRN));
+
+ write_reg(info, TXDMA + DIR, 0x40); /* enable Tx DMA interrupts (EOM) */
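Review bot: In the reworked cleanup loops, the explicit `free_irq()` for port 0 and the `info->lock` critical section around the `LPR` write are both removed. `free_dma_bufs()` and `free_tmp_rx_buf()` therefore now run before `release_resources()`. Whether `release_resources()` releases the IRQ is not visible in these hunks, so the ordering appears to rely on `reset_port()` in the first loop having fully quiesced the device before any buffer the interrupt handler might touch is freed. That dependency should be stated next to the second loop, for example `/* all ports were reset above, so no ISR can reference these buffers; the IRQ itself is dropped in release_resources() */`, after confirming both halves of the claim. As a minor consistency point, the LCR `request_mem_region(..., 128, ...)` call keeps a literal size while the other three regions were switched to named constants.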
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/107-hiddev-devfs-oops-fix.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/107-hiddev-devfs-oops-fix.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/107-hiddev-devfs-oops-fix.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,46 @@
+# origin: herbert (BitKeeper)
+# cset: 1.1449.50.2 (2.4) key=416d1319_ND7oLGXGU_W7bj8fS4_DA
+# inclusion: upstream
+# descrition: [PATCH] Fix hiddev devfs oops
+# revision date: Fri, 26 Nov 2004 14:59:39 +0900
+#
+# S rset: ChangeSet|1.1449.50.1..1.1449.50.2
+# I rset: drivers/usb/hid-core.c|1.30..1.31
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/10/13 08:35:53-03:00 herbert@gondor.apana.org.au
+# [PATCH] Fix hiddev devfs oops
+#
+# There is a long-standing devfs_unregister oops in hid/hiddev. It's
+# caused by hid calling hiddev_exit before unregistering itself which
+# in turn calls hiddev_disconnect.
+#
+# hiddev_exit removes the directory which contains the hiddev devices.
+# Therefore it needs to be called after the hiddev devices have been
+# disconnected.
+#
+# This patch fixes that.
+#
+#
+# ===== drivers/usb/hid-core.c 1.30 vs edited =====
+#
+# drivers/usb/hid-core.c
+# 2004/10/05 09:33:52-03:00 herbert@gondor.apana.org.au +1 -1
+# Re: [HID] Fix hiddev devfs oops
+#
+#
+===== drivers/usb/hid-core.c 1.30 vs 1.31 =====
+--- 1.30/drivers/usb/hid-core.c 2004-08-08 17:59:53 +09:00
++++ 1.31/drivers/usb/hid-core.c 2004-10-05 21:33:52 +09:00
+@@ -1459,8 +1459,8 @@
+
+ static void __exit hid_exit(void)
+ {
+- hiddev_exit();
+ usb_deregister(&hid_driver);
++ hiddev_exit();
+ }
+
+ module_init(hid_init);
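Review bot: The new call order in `hid_exit()` is what prevents the oops, but nothing in the function records that, so a later cleanup could swap the two calls back. I would add a comment above `usb_deregister(&hid_driver);`, for example `/* deregister first: the disconnect callbacks still need the hiddev devfs directory that hiddev_exit() removes */`. The wording follows the changeset description, which says hiddev_exit removes the directory containing the hiddev devices.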
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/108-usb-devices-crash-fix.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/108-usb-devices-crash-fix.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/108-usb-devices-crash-fix.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,55 @@
+# origin: zaitcev (BitKeeper)
+# cset: 1.1449.50.3 (2.4) key=416d7928vBaxkotcpbJNjHKYY6bK_g
+# inclusion: upstream
+# descrition: [PATCH] Crash with cat /proc/bus/usb/devices and disconnect
+# revision date: Fri, 26 Nov 2004 14:59:39 +0900
+#
+# S rset: ChangeSet|1.1449.50.2..1.1449.50.3
+# I rset: drivers/usb/devices.c|1.9..1.10
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/10/13 15:51:20-03:00 zaitcev@redhat.com
+# [PATCH] Crash with cat /proc/bus/usb/devices and disconnect
+#
+# Here's a patch, I'd like to be in -pre.
+#
+# It is not the best fix. The 2.6 took a more fundamental approach, but I do
+# not wish to rock the boat too much. Also, I'm not sure if 2.6 even gets it
+# right at all, considering Fedora Core 3 bug 135171. At least this patch fixes
+# the problem for me! :-) so I suppose better this than nothing, because
+# getting oops otherwise is just too easy.
+#
+# I would like this to be in -pre.
+#
+# Here's the 2.6 bug (unfixed yet):
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135171
+#
+# The 2.4 bug (fixed by this patch - admittedly a contrived scenario):
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129265
+#
+# drivers/usb/devices.c
+# 2004/10/05 17:54:14-03:00 zaitcev@redhat.com +6 -2
+# Crash with cat /proc/bus/usb/devices and disconnect
+#
+#
+===== drivers/usb/devices.c 1.9 vs 1.10 =====
+--- 1.9/drivers/usb/devices.c 2004-08-25 04:47:09 +09:00
++++ 1.10/drivers/usb/devices.c 2004-10-06 05:54:14 +09:00
+@@ -552,9 +552,13 @@
+
+ /* Now look at all of this device's children. */
+ for (chix = 0; chix < usbdev->maxchild; chix++) {
+- if (usbdev->children[chix]) {
+- ret = usb_device_dump(buffer, nbytes, skip_bytes, file_offset, usbdev->children[chix],
++ struct usb_device *childdev = usbdev->children[chix];
++ if (childdev) {
++ usb_inc_dev_use(childdev);
++ ret = usb_device_dump(buffer, nbytes, skip_bytes,
++ file_offset, childdev,
+ bus, level + 1, chix, ++cnt);
++ usb_dec_dev_use(childdev);
+ if (ret == -EFAULT)
+ return total_written;
+ total_written += ret;
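Review bot: The reference on `childdev` is taken only after `usbdev->children[chix]` has been read, and no lock is visible in this hunk around those two steps. A disconnect that lands between the load and `usb_inc_dev_use(childdev)` could presumably still release the child before it is pinned, which would match the description calling this "not the best fix". If the caller already holds a lock that covers the children array, I would say so in a comment above the load, e.g. `/* children[] is stable here because the caller holds <lock name>; the use count pins the child across the recursive dump */`. Otherwise the load and the increment need to sit under whatever lock the disconnect path takes. The loop and the enclosing function continue outside the hunk.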
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/109-proc-delete-inode-1.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/109-proc-delete-inode-1.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/109-proc-delete-inode-1.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,42 @@
+# origin: kaos (BitKeeper)
+# cset: 1.1482.2.3 (2.4) key=4189fe8bQyYTlpITPgFN0mT6orB-Pw
+# inclusion: upstream
+# descrition: [PATCH] Avoid oops in proc_delete_inode
+# revision date: Fri, 26 Nov 2004 14:59:39 +0900
+#
+# S rset: ChangeSet|1.1482.2.2..1.1482.2.3
+# I rset: fs/proc/base.c|1.19..1.20
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/04 08:03:55-02:00 kaos@sgi.com
+# [PATCH] Avoid oops in proc_delete_inode
+#
+# Under heavy load, vmstat, top and other programs that access /proc can
+# oops. PROC_INODE_PROPER(inode) is sometimes false for pid entries
+# (usually zombies), but inode->u.generic_ip is not NULL.
+#
+# Backport a fix by AL Viro from 2.5.7-pre2 to 2.4.28-rc1.
+#
+# Signed-off-by: Keith Owens <kaos@sgi.com>
+#
+# Index: 2.4.28-rc1/fs/proc/base.c
+# ===================================================================
+#
+# fs/proc/base.c
+# 2004/11/04 00:25:16-02:00 kaos@sgi.com +1 -0
+# Avoid oops in proc_delete_inode
+#
+#
+===== fs/proc/base.c 1.19 vs 1.20 =====
+--- 1.19/fs/proc/base.c 2004-07-30 22:29:39 +09:00
++++ 1.20/fs/proc/base.c 2004-11-04 11:25:16 +09:00
+@@ -780,6 +780,7 @@
+ return inode;
+
+ out_unlock:
++ node->u.generic_ip = NULL;
+ iput(inode);
+ return NULL;
+ }
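Review bot: The added line writes through `node`, while every other line in the hunk uses `inode`, so fs/proc/base.c most likely does not build with this patch applied on its own. 109-proc-delete-inode-2.diff corrects the name, but this patch header does not mention the dependency, and anyone cherry-picking or bisecting the series can land on the broken state. I would add a header line such as `# note: must be applied together with 109-proc-delete-inode-2.diff`, or fold the two patches into one.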
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/109-proc-delete-inode-2.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/109-proc-delete-inode-2.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/109-proc-delete-inode-2.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,32 @@
+# origin: marcelo (BitKeeper)
+# cset: 1.1482.2.4 (2.4) key=418a6777HQyW4FAHRd2zRqroXw2w_w
+# inclusion: upstream
+# descrition: mcp: Fix proc_delete_inode oops bug correction typo
+# revision date: Fri, 26 Nov 2004 16:58:09 +0900
+#
+# S rset: ChangeSet|1.1482.2.3..1.1482.2.4
+# I rset: fs/proc/base.c|1.20..1.21
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/04 15:31:35-02:00 marcelo@logos.cnet
+# mcp: Fix proc_delete_inode oops bug correction typo
+#
+# fs/proc/base.c
+# 2004/11/04 15:30:42-02:00 marcelo@logos.cnet +1 -1
+# Fix proc_delete_inode oops bug correction typo
+#
+#
+===== fs/proc/base.c 1.20 vs 1.21 =====
+--- 1.20/fs/proc/base.c 2004-11-04 11:25:16 +09:00
++++ 1.21/fs/proc/base.c 2004-11-05 02:30:42 +09:00
+@@ -780,7 +780,7 @@
+ return inode;
+
+ out_unlock:
+- node->u.generic_ip = NULL;
++ inode->u.generic_ip = NULL;
+ iput(inode);
+ return NULL;
+ }
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/110-asus-boot-crash-fix.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/110-asus-boot-crash-fix.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/110-asus-boot-crash-fix.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,46 @@
+# origin: len.brown (BitKeeper)
+# cset: 1.1458.1.5 (2.4) key=418a9d25yv7JoxiIALvGAlZMPl53Tw
+# inclusion: upstream
+# descrition: [ACPI] fix ASUS boot crash
+# revision date: Fri, 26 Nov 2004 14:59:39 +0900
+#
+# S rset: ChangeSet|1.1458.1.4..1.1458.1.5
+# I rset: drivers/acpi/dispatcher/dsopcode.c|1.23..1.24
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/04 16:20:37-05:00 len.brown@intel.com
+# [ACPI] fix ASUS boot crash
+# http://bugzilla.kernel.org/show_bug.cgi?id=2755
+#
+# backported from ACPICA 20040527 in linux-2.6.9
+#
+# Signed-off-by: Len Brown <len.brown@intel.com>
+#
+# drivers/acpi/dispatcher/dsopcode.c
+# 2004/06/01 21:39:21-04:00 len.brown@intel.com +0 -3
+# remove stale code that crashes asus boxes.
+#
+#
+===== drivers/acpi/dispatcher/dsopcode.c 1.23 vs 1.24 =====
+--- 1.23/drivers/acpi/dispatcher/dsopcode.c 2004-02-14 07:45:52 +09:00
++++ 1.24/drivers/acpi/dispatcher/dsopcode.c 2004-06-02 10:39:21 +09:00
+@@ -79,7 +79,6 @@
+ acpi_status status;
+ union acpi_parse_object *op;
+ struct acpi_walk_state *walk_state;
+- union acpi_parse_object *arg;
+
+
+ ACPI_FUNCTION_TRACE ("ds_execute_arguments");
+@@ -126,9 +125,7 @@
+
+ /* Get and init the Op created above */
+
+- arg = op->common.value.arg;
+ op->common.node = node;
+- arg->common.node = node;
+ acpi_ps_delete_parse_tree (op);
+
+ /* Evaluate the deferred arguments */
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/111-smb-client-overflow-fix-1.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/111-smb-client-overflow-fix-1.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/111-smb-client-overflow-fix-1.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,97 @@
+# origin: marcelo.tosatti (BitKeeper)
+# cset: 1.1482.2.8 (2.4) key=418e1b09MoAGAjd5ZLQzkiFiOkEfUw
+# inclusion: upstream
+# descrition: [PATCH] Urban Widmark: Fix smbfs client overflow
+# revision date: Fri, 26 Nov 2004 14:59:39 +0900
+#
+# S rset: ChangeSet|1.1482.2.7..1.1482.2.8
+# I rset: fs/smbfs/proc.c|1.16..1.17
+# I rset: fs/smbfs/sock.c|1.5..1.6
+# I rset: MAINTAINERS|1.149..1.150
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/07 10:54:33-02:00 marcelo.tosatti@cyclades.com
+# [PATCH] Urban Widmark: Fix smbfs client overflow
+#
+# Description by Stefan Esser:
+#
+# There exist two bugs in the handling of SMB responses that result
+# in remote kernel overflows. Due to the nature of the bugs both seem
+# to be very hard to exploit (in the sense of remote code execution
+# or local privilege escalation) but are trivial remote kernel crashes.
+#
+# fs/smbfs/sock.c
+# 2004/09/26 15:42:36-03:00 marcelo.tosatti@cyclades.com +3 -0
+# Fix smbfs client overflow
+#
+# fs/smbfs/proc.c
+# 2004/09/26 16:04:22-03:00 marcelo.tosatti@cyclades.com +8 -4
+# Fix smbfs client overflow
+#
+# MAINTAINERS
+# 2004/09/26 15:48:59-03:00 marcelo.tosatti@cyclades.com +2 -4
+# Fix smbfs client overflow
+#
+#
+===== fs/smbfs/proc.c 1.16 vs 1.17 =====
+--- 1.16/fs/smbfs/proc.c 2004-04-05 01:34:36 +09:00
++++ 1.17/fs/smbfs/proc.c 2004-09-27 04:04:22 +09:00
+@@ -1289,9 +1289,11 @@
+ data_len = WVAL(buf, 1);
+
+ /* we can NOT simply trust the data_len given by the server ... */
+- if (data_len > server->packet_size - (buf+3 - server->packet)) {
++ if (data_len > count ||
++ data_len > server->packet_size - (buf+3 - server->packet)) {
+ printk(KERN_ERR "smb_proc_read: invalid data length!! "
+- "%d > %d - (%p - %p)\n",
++ "%d > %d || %d > %d - (%p - %p)\n",
++ data_len, count,
+ data_len, server->packet_size, buf+3, server->packet);
+ result = -EIO;
+ goto out;
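Review bot: The rejection path logs with an unconditional `printk(KERN_ERR ...)`, and whether it fires is decided entirely by the server's reply, so a broken or hostile server can flood the kernel log. The message also prints two kernel buffer addresses through `%p`. This applies to both proc.c hunks in this patch and to the reworded messages in 111-smb-client-overflow-fix-2.diff. I would rate-limit the message, e.g. `if (net_ratelimit()) printk(...)`, and log the offset `buf+3 - server->packet` instead of the raw pointers. The `%d` used for `count` should be checked against its declaration, which is outside the hunk, as is the rest of the enclosing function.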
+@@ -1378,9 +1380,11 @@
+ buf = smb_base(server->packet) + data_off;
+
+ /* we can NOT simply trust the info given by the server ... */
+- if (data_len > server->packet_size - (buf - server->packet)) {
++ if (data_len > count ||
++ data_len > server->packet_size - (buf - server->packet)) {
+ printk(KERN_ERR "smb_proc_read: invalid data length!! "
+- "%d > %d - (%p - %p)\n",
++ "%d > %d || %d > %d - (%p - %p)\n",
++ data_len, count,
+ data_len, server->packet_size, buf, server->packet);
+ result = -EIO;
+ goto out;
+===== fs/smbfs/sock.c 1.5 vs 1.6 =====
+--- 1.5/fs/smbfs/sock.c 2002-08-16 07:32:43 +09:00
++++ 1.6/fs/smbfs/sock.c 2004-09-27 03:42:36 +09:00
+@@ -625,6 +625,9 @@
+ server->packet = rcv_buf;
+ rcv_buf = inbuf;
+ } else {
++ if (parm_len + data_len > buf_len)
++ goto out_data_grew;
++
+ PARANOIA("copying data, old size=%d, new size=%u\n",
+ server->packet_size, buf_len);
+ memcpy(inbuf, rcv_buf, parm_len + data_len);
+===== MAINTAINERS 1.149 vs 1.150 =====
+--- 1.149/MAINTAINERS 2004-10-27 01:56:56 +09:00
++++ 1.150/MAINTAINERS 2004-09-27 03:48:59 +09:00
+@@ -1707,10 +1707,8 @@
+
+ SMB FILESYSTEM
+ P: Urban Widmark
+-M: urban@teststation.com
+-W: http://samba.org/
+-L: samba@samba.org
+-S: Maintained
++M: Urban.Widmark@enlight.net
++S: Odd Fixes
+
+ SNA NETWORK LAYER
+ P: Jay Schulist
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/111-smb-client-overflow-fix-2.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/111-smb-client-overflow-fix-2.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/111-smb-client-overflow-fix-2.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,113 @@
+# origin: s.esser (BitKeeper)
+# cset: 1.1498 (2.4) key=4194c993lBH6Oz19XYGdw8VtR9Du-g
+# inclusion: upstream
+# descrition: [PATCH] Improved smbfs client overflow fix
+# revision date: Fri, 26 Nov 2004 14:59:39 +0900
+#
+# S rset: ChangeSet|1.1497..1.1498
+# I rset: fs/smbfs/proc.c|1.17..1.18
+# I rset: fs/smbfs/sock.c|1.6..1.7
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# fs/smbfs/proc.c
+# 2004/11/12 14:34:21-02:00 s.esser@e-matters.de +8 -8
+# Improved smbfs client overflow fix
+#
+# fs/smbfs/sock.c
+# 2004/11/12 14:26:04-02:00 s.esser@e-matters.de +14 -1
+# Improved smbfs client overflow fix
+#
+# ChangeSet
+# 2004/11/12 12:32:51-02:00 s.esser@e-matters.de
+# [PATCH] Improved smbfs client overflow fix
+#
+# the patches in v2.4.28-rc2 are incomplete. They do not fix
+# any of the possible leaks.
+#
+#
+===== fs/smbfs/proc.c 1.17 vs 1.18 =====
+--- 1.17/fs/smbfs/proc.c 2004-09-27 04:04:22 +09:00
++++ 1.18/fs/smbfs/proc.c 2004-11-13 01:34:21 +09:00
+@@ -1290,11 +1290,11 @@
+
+ /* we can NOT simply trust the data_len given by the server ... */
+ if (data_len > count ||
+- data_len > server->packet_size - (buf+3 - server->packet)) {
+- printk(KERN_ERR "smb_proc_read: invalid data length!! "
+- "%d > %d || %d > %d - (%p - %p)\n",
++ (buf+3 - server->packet) + data_len > server->packet_size) {
++ printk(KERN_ERR "smb_proc_read: invalid data length/offset!! "
++ "%d > %d || (%p - %p) + %d > %d\n",
+ data_len, count,
+- data_len, server->packet_size, buf+3, server->packet);
++ buf+3, server->packet, data_len, server->packet_size);
+ result = -EIO;
+ goto out;
+ }
+@@ -1381,11 +1381,11 @@
+
+ /* we can NOT simply trust the info given by the server ... */
+ if (data_len > count ||
+- data_len > server->packet_size - (buf - server->packet)) {
+- printk(KERN_ERR "smb_proc_read: invalid data length!! "
+- "%d > %d || %d > %d - (%p - %p)\n",
++ (buf - server->packet) + data_len > server->packet_size) {
++ printk(KERN_ERR "smb_proc_readX: invalid data length/offset!! "
++ "%d > %d || (%p - %p) + %d > %d\n",
+ data_len, count,
+- data_len, server->packet_size, buf, server->packet);
++ buf, server->packet, data_len, server->packet_size);
+ result = -EIO;
+ goto out;
+ }
+===== fs/smbfs/sock.c 1.6 vs 1.7 =====
+--- 1.6/fs/smbfs/sock.c 2004-09-27 03:42:36 +09:00
++++ 1.7/fs/smbfs/sock.c 2004-11-13 01:26:04 +09:00
+@@ -571,7 +571,11 @@
+ parm_disp, parm_offset, parm_count,
+ data_disp, data_offset, data_count);
+ *parm = base + parm_offset;
++ if (*parm - inbuf + parm_tot > server->packet_size)
++ goto out_bad_parm;
+ *data = base + data_offset;
++ if (*data - inbuf + data_tot > server->packet_size)
++ goto out_bad_data;
+ goto success;
+ }
+
+@@ -591,6 +595,8 @@
+ rcv_buf = smb_vmalloc(buf_len);
+ if (!rcv_buf)
+ goto out_no_mem;
++ memset(rcv_buf, 0, buf_len);
++
+ *parm = rcv_buf;
+ *data = rcv_buf + total_p;
+ } else if (data_tot > total_d || parm_tot > total_p)
+@@ -598,8 +604,12 @@
+
+ if (parm_disp + parm_count > total_p)
+ goto out_bad_parm;
++ if (parm_offset + parm_count > server->packet_size)
++ goto out_bad_parm;
+ if (data_disp + data_count > total_d)
+ goto out_bad_data;
++ if (data_offset + data_count > server->packet_size)
++ goto out_bad_data;
+ memcpy(*parm + parm_disp, base + parm_offset, parm_count);
+ memcpy(*data + data_disp, base + data_offset, data_count);
+
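Review bot: The two added checks compare `parm_offset + parm_count` and `data_offset + data_count` with `server->packet_size`, but the `memcpy` calls below read from `base + parm_offset` and `base + data_offset`, while the first hunk of this file measures the same limit from `inbuf` (`*parm - inbuf + parm_tot`). If `base` lies past the start of the receive buffer, as that first check suggests, these checks still accept a copy that runs up to `base - inbuf` bytes beyond the packet. I would make them relative to the buffer start, `if ((base - inbuf) + parm_offset + parm_count > server->packet_size) goto out_bad_parm;`, and likewise for the data pair. The declarations are outside the hunk, so the width and signedness of the offset and count variables should be confirmed to make sure the sums cannot wrap.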
+@@ -610,8 +620,11 @@
+ * Check whether we've received all of the data. Note that
+ * we use the packet totals -- total lengths might shrink!
+ */
+- if (data_len >= data_tot && parm_len >= parm_tot)
++ if (data_len >= data_tot && parm_len >= parm_tot) {
++ data_len = data_tot;
++ parm_len = parm_tot;
+ break;
++ }
+ }
+
+ /*
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/112-intermezzo-slab-leak-fix.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/112-intermezzo-slab-leak-fix.diff 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/112-intermezzo-slab-leak-fix.diff 2004-11-26 09:31:46 UTC (rev 1931)
@@ -0,0 +1,336 @@
+# origin: sezeroz (BitKeeper)
+# cset: 1.1529 (2.4) key=41a309c0EsG_EEhEbvnte1Y7QYVHSQ
+# inclusion: upstream
+# descrition: [PATCH] intermezzo, fixes from cvs
+# revision date: Fri, 26 Nov 2004 14:59:39 +0900
+#
+# S rset: ChangeSet|1.1528..1.1529
+# I rset: fs/intermezzo/replicator.c|1.1..1.2
+# I rset: fs/intermezzo/dir.c|1.4..1.5
+# I rset: fs/intermezzo/psdev.c|1.8..1.9
+# I rset: fs/intermezzo/cache.c|1.3..1.4
+# I rset: include/linux/intermezzo_fs.h|1.5..1.6
+# I rset: fs/intermezzo/fileset.c|1.1..1.2
+# I rset: fs/intermezzo/dcache.c|1.5..1.6
+# I rset: fs/intermezzo/super.c|1.4..1.5
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/23 07:58:24-02:00 sezeroz@ttnet.net.tr
+# [PATCH] intermezzo, fixes from cvs
+#
+# While messing with intermezzo, I ran into this patch at sourceforge
+# cvs which still isn't in 2.4. Please review, and apply if appropriate.
+#
+#
+# from intermezzo cvs repo at Sourceforge:
+#
+# * Applied and tested Domen Puncer's patch to fs25/fs24 part code
+# for list related processing
+# * Applied and tested Renaud Duhaut(rd@duhaut.com)'s patch to solve
+# fs24's InterMezzo's SLAB allocator leakage problem, on 2.4 kernel,
+# now it can insmod and run, then rmmod. Insmod again won't cause
+# Oops any more. :-)
+#
+# ===================================================================
+# RCS file: /cvsroot/intermezzo/intermezzo/fs24/fileset.c,v
+# retrieving revision 1.17
+# retrieving revision 1.18
+#
+# include/linux/intermezzo_fs.h
+# 2003/09/30 12:51:52-03:00 sezeroz@ttnet.net.tr +12 -4
+# intermezzo, fixes from cvs
+#
+# fs/intermezzo/super.c
+# 2003/09/30 12:51:52-03:00 sezeroz@ttnet.net.tr +6 -2
+# intermezzo, fixes from cvs
+#
+# fs/intermezzo/replicator.c
+# 2003/09/30 12:51:52-03:00 sezeroz@ttnet.net.tr +11 -14
+# intermezzo, fixes from cvs
+#
+# fs/intermezzo/psdev.c
+# 2003/09/30 12:51:52-03:00 sezeroz@ttnet.net.tr +7 -14
+# intermezzo, fixes from cvs
+#
+# fs/intermezzo/fileset.c
+# 2003/09/30 12:51:52-03:00 sezeroz@ttnet.net.tr +3 -1
+# intermezzo, fixes from cvs
+#
+# fs/intermezzo/dir.c
+# 2003/09/30 12:51:52-03:00 sezeroz@ttnet.net.tr +1 -4
+# intermezzo, fixes from cvs
+#
+# fs/intermezzo/dcache.c
+# 2003/09/30 12:51:52-03:00 sezeroz@ttnet.net.tr +5 -0
+# intermezzo, fixes from cvs
+#
+# fs/intermezzo/cache.c
+# 2003/09/30 12:51:52-03:00 sezeroz@ttnet.net.tr +3 -0
+# intermezzo, fixes from cvs
+#
+#
+===== fs/intermezzo/replicator.c 1.1 vs 1.2 =====
+--- 1.1/fs/intermezzo/replicator.c 2002-10-15 03:57:11 +09:00
++++ 1.2/fs/intermezzo/replicator.c 2003-10-01 00:51:52 +09:00
+@@ -70,7 +70,7 @@
+ return &cache[(RCACHE_MASK & uuid[1])];
+ }
+
+-static void
++void
+ izo_rep_cache_clean(struct presto_file_set *fset)
+ {
+ int i;
+@@ -80,28 +80,25 @@
+ if (fset->fset_clients == NULL)
+ return;
+ for (i = 0; i < RCACHE_SIZE; i++) {
+- tmp = bucket = &fset->fset_clients[i];
+
+- tmp = tmp->next;
+- while (tmp != bucket) {
+- struct izo_offset_rec *offrec;
+- tmp = tmp->next;
+- list_del(tmp);
+- offrec = list_entry(tmp, struct izo_offset_rec,
+- or_list);
+- PRESTO_FREE(offrec, sizeof(struct izo_offset_rec));
++ list_for_each_safe(tmp,bucket,&fset->fset_clients[i])
++ {
++ struct izo_offset_rec *offrec;
++ list_del(tmp);
++ offrec = list_entry(tmp, struct izo_offset_rec,or_list);
++ PRESTO_FREE(offrec, sizeof(struct izo_offset_rec));
++ }
+ }
+- }
++ PRESTO_FREE(fset->fset_clients,sizeof(struct list_head) * RCACHE_SIZE);
+ }
+
+ struct izo_offset_rec *
+ izo_rep_cache_find(struct presto_file_set *fset, char *uuid)
+ {
+- struct list_head *buck = izo_rep_hash(fset->fset_clients, uuid);
+- struct list_head *tmp = buck;
++ struct list_head *tmp, *buck = izo_rep_hash(fset->fset_clients, uuid);
+ struct izo_offset_rec *rec = NULL;
+
+- while ( (tmp = tmp->next) != buck ) {
++ list_for_each(tmp, buck) {
+ rec = list_entry(tmp, struct izo_offset_rec, or_list);
+ if ( memcmp(rec->or_uuid, uuid, sizeof(rec->or_uuid)) == 0 )
+ return rec;
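Review bot: `izo_rep_cache_clean()` now frees `fset->fset_clients` but leaves the pointer set, and the previous hunk makes the function non-static, so its `fset->fset_clients == NULL` guard no longer stops a second call from walking and freeing released memory. Unless `PRESTO_FREE` clears its argument (its definition is not on this page), I would add `fset->fset_clients = NULL;` right after the final `PRESTO_FREE`. The function's signature is in the preceding hunk, and `izo_rep_cache_find()` continues past the end of this one.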
+===== fs/intermezzo/dir.c 1.4 vs 1.5 =====
+--- 1.4/fs/intermezzo/dir.c 2002-10-11 07:24:51 +09:00
++++ 1.5/fs/intermezzo/dir.c 2003-10-01 00:51:52 +09:00
+@@ -300,10 +300,7 @@
+ /* some file systems have no read_inode: set methods here */
+ if (dentry->d_inode)
+ presto_set_ops(dentry->d_inode, cache->cache_filter);
+-
+- filter_setup_dentry_ops(cache->cache_filter,
+- dentry->d_op, &presto_dentry_ops);
+- dentry->d_op = filter_c2udops(cache->cache_filter);
++ /* dentry->d_op is now hooked in dcache.c:presto_set_dd */
+
+ /* In lookup we will tolerate EROFS return codes from presto_set_dd
+ * to placate NFS. EROFS indicates that a fileset was not found but
+===== fs/intermezzo/psdev.c 1.8 vs 1.9 =====
+--- 1.8/fs/intermezzo/psdev.c 2004-08-17 21:18:34 +09:00
++++ 1.9/fs/intermezzo/psdev.c 2003-10-01 00:51:52 +09:00
+@@ -102,8 +102,7 @@
+ struct list_head *lh;
+ struct upc_req *req;
+ CERROR("WARNING: setpid & processing not empty!\n");
+- lh = &channel->uc_processing;
+- while ( (lh = lh->next) != &channel->uc_processing) {
++ list_for_each(lh, &channel->uc_processing) {
+ req = list_entry(lh, struct upc_req, rq_chain);
+ /* freeing of req and data is done by the sleeper */
+ wake_up(&req->rq_sleep);
+@@ -208,8 +207,7 @@
+
+ spin_lock(&channel->uc_lock);
+ /* Look for the message on the processing queue. */
+- lh = &channel->uc_processing;
+- while ( (lh = lh->next) != &channel->uc_processing ) {
++ list_for_each(lh, &channel->uc_processing) {
+ tmp = list_entry(lh, struct upc_req , rq_chain);
+ if (tmp->rq_unique == hdr.unique) {
+ req = tmp;
+@@ -340,8 +338,7 @@
+ /* Wake up clients so they can return. */
+ CDEBUG(D_PSDEV, "Wake up clients sleeping for pending.\n");
+ spin_lock(&channel->uc_lock);
+- lh = &channel->uc_pending;
+- while ( (lh = lh->next) != &channel->uc_pending) {
++ list_for_each(lh, &channel->uc_pending) {
+ req = list_entry(lh, struct upc_req, rq_chain);
+
+ /* Async requests stay around for a new lento */
+@@ -354,8 +351,7 @@
+ }
+
+ CDEBUG(D_PSDEV, "Wake up clients sleeping for processing\n");
+- lh = &channel->uc_processing;
+- while ( (lh = lh->next) != &channel->uc_processing) {
++ list_for_each(lh, &channel->uc_processing) {
+ req = list_entry(lh, struct upc_req, rq_chain);
+ /* freeing of req and data is done by the sleeper */
+ req->rq_flags |= REQ_DEAD;
+@@ -421,7 +417,7 @@
+
+ for ( i = 0 ; i < MAX_CHANNEL ; i++ ) {
+ struct upc_channel *channel = &(izo_channels[i]);
+- struct list_head *lh;
++ struct list_head *lh, *next;
+
+ spin_lock(&channel->uc_lock);
+ if ( ! list_empty(&channel->uc_pending)) {
+@@ -433,12 +429,10 @@
+ if ( ! list_empty(&channel->uc_cache_list)) {
+ CERROR("Weird, tell Peter: module cleanup and cache listnot empty dev %d\n", i);
+ }
+- lh = channel->uc_pending.next;
+- while ( lh != &channel->uc_pending) {
++ list_for_each_safe(lh, next, &channel->uc_pending) {
+ struct upc_req *req;
+
+ req = list_entry(lh, struct upc_req, rq_chain);
+- lh = lh->next;
+ if ( req->rq_flags & REQ_ASYNC ) {
+ list_del(&(req->rq_chain));
+ CDEBUG(D_UPCALL, "free pending upcall type %d\n",
+@@ -450,8 +444,7 @@
+ wake_up(&req->rq_sleep);
+ }
+ }
+- lh = &channel->uc_processing;
+- while ( (lh = lh->next) != &channel->uc_processing ) {
++ list_for_each(lh, &channel->uc_processing) {
+ struct upc_req *req;
+ req = list_entry(lh, struct upc_req, rq_chain);
+ list_del(&(req->rq_chain));
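Review bot: This loop unlinks `req` with `list_del()` inside a plain `list_for_each()`, so the iterator advances through a node that has just been removed. Comments elsewhere in this file say the sleeper frees the request, so that node may also be freed by the time it is read. The conversion kept the hazard of the old `while` loop instead of fixing it. The pending-list loop a few lines above was changed to the safe variant, and `next` is already declared for it, so I would use `list_for_each_safe(lh, next, &channel->uc_processing) {` here as well. The rest of the loop body is outside the hunk.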
+===== fs/intermezzo/cache.c 1.3 vs 1.4 =====
+--- 1.3/fs/intermezzo/cache.c 2004-08-17 11:02:58 +09:00
++++ 1.4/fs/intermezzo/cache.c 2003-10-01 00:51:52 +09:00
+@@ -163,6 +163,9 @@
+ cache->cache_sb->s_root->d_fsdata = NULL;
+ }
+
++ if (cache->cache_type)
++ PRESTO_FREE(cache->cache_type, strlen(cache->cache_type) + 1 );
++
+ PRESTO_FREE(cache, sizeof(struct presto_cache));
+ }
+
+===== include/linux/intermezzo_fs.h 1.5 vs 1.6 =====
+--- 1.5/include/linux/intermezzo_fs.h 2004-08-17 20:45:58 +09:00
++++ 1.6/include/linux/intermezzo_fs.h 2003-10-01 00:51:52 +09:00
+@@ -651,6 +651,7 @@
+ int izo_repstatus(struct presto_file_set *fset, __u64 client_kmlsize,
+ struct izo_rcvd_rec *lr_client, struct izo_rcvd_rec *lr_server);
+ int izo_rep_cache_init(struct presto_file_set *);
++void izo_rep_cache_clean(struct presto_file_set *fset);
+ loff_t izo_rcvd_get(struct izo_rcvd_rec *, struct presto_file_set *, char *uuid);
+ loff_t izo_rcvd_write(struct presto_file_set *, struct izo_rcvd_rec *);
+ loff_t izo_rcvd_upd_remote(struct presto_file_set *fset, char * uuid, __u64 remote_recno,
+@@ -708,10 +709,17 @@
+ static inline char *strdup(char *str)
+ {
+ char *tmp;
+- tmp = kmalloc(strlen(str) + 1, GFP_KERNEL);
+- if (tmp)
+- memcpy(tmp, str, strlen(str) + 1);
+-
++ long int s;
++
++ s=strlen(str) + 1;
++ tmp = kmalloc(s, GFP_KERNEL);
++ if (tmp){
++ memcpy(tmp, str, s);
++ presto_kmem_inc(tmp, s);
++ }
++ CDEBUG(D_MALLOC, "kmalloced: %ld at %p (tot %ld).\n",
++ s, tmp, presto_kmemory);
++
+ return tmp;
+ }
+
+===== fs/intermezzo/fileset.c 1.1 vs 1.2 =====
+--- 1.1/fs/intermezzo/fileset.c 2002-10-15 03:57:11 +09:00
++++ 1.2/fs/intermezzo/fileset.c 2003-10-01 00:51:52 +09:00
+@@ -159,7 +159,7 @@
+ CDEBUG(D_INODE, "Error %d\n", error);
+ }
+
+- PRESTO_FREE(path, strlen(path));
++ PRESTO_FREE(path, strlen(path)+1);
+
+ EXIT;
+ return f;
+@@ -259,6 +259,7 @@
+ error = -ENOMEM;
+ goto out_free;
+ }
++
+ presto_d2d(dentry)->dd_fset = fset;
+ list_add(&fset->fset_list, &cache->cache_fset_list);
+
+@@ -343,6 +344,7 @@
+ dput(fset->fset_dentry);
+ mntput(fset->fset_mnt);
+
++ izo_rep_cache_clean(fset);
+ PRESTO_FREE(fset->fset_name, strlen(fset->fset_name) + 1);
+ PRESTO_FREE(fset->fset_reint_buf, 64 * 1024);
+ PRESTO_FREE(fset, sizeof(*fset));
+===== fs/intermezzo/dcache.c 1.5 vs 1.6 =====
+--- 1.5/fs/intermezzo/dcache.c 2002-10-21 19:56:57 +09:00
++++ 1.6/fs/intermezzo/dcache.c 2003-10-01 00:51:52 +09:00
+@@ -324,6 +324,11 @@
+ dentry, dentry->d_name.len, dentry->d_name.name,
+ dentry->d_fsdata);
+ unlock_kernel();
++
++ filter_setup_dentry_ops(fset->fset_cache->cache_filter,
++ dentry->d_op, &presto_dentry_ops);
++ dentry->d_op = filter_c2udops(fset->fset_cache->cache_filter);
++
+ return error;
+ }
+
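Review bot: The relocated `filter_setup_dentry_ops(...)` call dereferences `fset->fset_cache` just before `return error;` without checking `error` or `fset`. The comment kept in dir.c says presto_set_dd can return EROFS when "a fileset was not found". If that failure path reaches this point rather than returning earlier, which the hunk does not show, `fset` may be NULL and the dereference would oops. I would wrap the two added statements in at least `if (fset) { ... }`, or add a comment stating that every failing path leaves the function before `unlock_kernel()`. The function begins outside the hunk.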
+===== fs/intermezzo/super.c 1.4 vs 1.5 =====
+--- 1.4/fs/intermezzo/super.c 2002-10-11 07:24:51 +09:00
++++ 1.5/fs/intermezzo/super.c 2003-10-01 00:51:52 +09:00
+@@ -23,8 +23,8 @@
+ * presto's super.c
+ */
+
+-static char rcsid[] __attribute ((unused)) = "$Id: super.c,v 1.41 2002/10/03 03:50:49 rread Exp $";
+-#define INTERMEZZO_VERSION "$Revision: 1.41 $"
++static char rcsid[] __attribute ((unused)) = "$Id: super.c,v 1.42 2003/09/30 15:51:52 sunsetyang Exp $";
++#define INTERMEZZO_VERSION "$Revision: 1.42 $"
+
+ #include <stdarg.h>
+
+@@ -172,6 +172,7 @@
+ minor = izo_psdev_get_free_channel();
+ } else {
+ minor = simple_strtoul(channel, NULL, 0);
++ PRESTO_FREE(channel, strlen(channel) + 1);
+ }
+ if (minor < 0 || minor >= MAX_CHANNEL) {
+ CERROR("all channels in use or channel too large %d\n",
+@@ -286,6 +287,9 @@
+ /* we now know the dev of the cache: hash the cache */
+ presto_cache_add(cache, sb->s_dev);
+ err = izo_prepare_fileset(sb->s_root, fileset);
++
++ if (fileset)
++ PRESTO_FREE(fileset, strlen(fileset) + 1);
+
+ filter_setup_journal_ops(cache->cache_filter, cache->cache_type);
+
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-6
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-6 2004-11-26 06:58:59 UTC (rev 1930)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-6 2004-11-26 09:31:46 UTC (rev 1931)
@@ -27,3 +27,19 @@
+ 097-elf_loader_overflow-2.diff
+ 098-elf_huge_bbs-1.diff
+ 098-elf_huge_bbs-2.diff
++ 099-applicom-leak-fix.diff
++ 100-xfs-lock-leak-fix.diff
++ 101-cbq-sheduler-leak-fix.diff
++ 102-nsc-ircc-oops-fix.diff
++ 103-enter-acpi-early.diff
++ 104-jfs-memory-leak.diff
++ 105-raid1-error-locks-fix.diff
++ 106-sunclinkmp-oops-fix.diff
++ 107-hiddev-devfs-oops-fix.diff
++ 108-usb-devices-crash-fix.diff
++ 109-proc-delete-inode-1.diff
++ 109-proc-delete-inode-2.diff
++ 110-asus-boot-crash-fix.diff
++ 111-smb-client-overflow-fix-1.diff
++ 111-smb-client-overflow-fix-2.diff
++ 112-intermezzo-slab-leak-fix.diff