r2874 - in trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian: . patches patches/series
Andres Salomon
dilinger@costa.debian.org
Sat, 02 Apr 2005 01:10:38 +0000
Author: dilinger
Date: 2005-04-02 01:10:36 +0000 (Sat, 02 Apr 2005)
New Revision: 2874
Added:
trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/patch-2.6.11.6.patch
Modified:
trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog
trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/series/2.6.11-2
Log:
* net-bluetooth-signdness-fix.patch, fs-ext2-info-leak.patch,
fs-isofs-range-check-1.patch, fs-isofs-range-check-2.patch,
fs-isofs-range-check-3.patch, fs-binfmt_elf-dos.patch:
Drop broken out 2.6.11.6 patches (Andres Salomon).
* Merge in 2.6.11.6; this includes:
o isofs: more defensive checks against corrupt isofs images
o Potential DOS in load_elf_library
o isofs: Handle corupted rock-ridge info slightly better [CAN-2005-0815]
o isofs: more "corrupted iso image" error cases
o Fix signedness problem at socket creation [CAN-2005-0750]
o Suspected information leak (mem pages) in ext2 [CAN-2005-0400]
(Andres Salomon).
Modified: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog 2005-04-01 10:42:00 UTC (rev 2873)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/changelog 2005-04-02 01:10:36 UTC (rev 2874)
@@ -51,6 +51,20 @@
fix AIO panic on PPC64 caused by is_hugepage_only_range().
See CAN-2005-0916. (Simon Horman) (closes: #302352)
+ * net-bluetooth-signdness-fix.patch, fs-ext2-info-leak.patch,
+ fs-isofs-range-check-1.patch, fs-isofs-range-check-2.patch,
+ fs-isofs-range-check-3.patch, fs-binfmt_elf-dos.patch:
+ Drop broken out 2.6.11.6 patches (Andres Salomon).
+
+ * Merge in 2.6.11.6; this includes:
+ o isofs: more defensive checks against corrupt isofs images
+ o Potential DOS in load_elf_library
+ o isofs: Handle corupted rock-ridge info slightly better [CAN-2005-0815]
+ o isofs: more "corrupted iso image" error cases
+ o Fix signedness problem at socket creation [CAN-2005-0750]
+ o Suspected information leak (mem pages) in ext2 [CAN-2005-0400]
+ (Andres Salomon).
+
-- Simon Horman <horms@debian.org> Fri, 1 Apr 2005 18:05:25 +0900
kernel-source-2.6.11 (2.6.11-1) unstable; urgency=low
Added: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/patch-2.6.11.6.patch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/patch-2.6.11.6.patch 2005-04-01 10:42:00 UTC (rev 2873)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/patch-2.6.11.6.patch 2005-04-02 01:10:36 UTC (rev 2874)
@@ -0,0 +1,954 @@
+diff -Nru a/arch/ppc/oprofile/op_model_fsl_booke.c b/arch/ppc/oprofile/op_model_fsl_booke.c
+--- a/arch/ppc/oprofile/op_model_fsl_booke.c 2005-03-25 19:28:57 -08:00
++++ b/arch/ppc/oprofile/op_model_fsl_booke.c 2005-03-25 19:28:57 -08:00
+@@ -150,7 +150,6 @@
+ int is_kernel;
+ int val;
+ int i;
+- unsigned int cpu = smp_processor_id();
+
+ /* set the PMM bit (see comment below) */
+ mtmsr(mfmsr() | MSR_PMM);
+@@ -162,7 +161,7 @@
+ val = ctr_read(i);
+ if (val < 0) {
+ if (oprofile_running && ctr[i].enabled) {
+- oprofile_add_sample(pc, is_kernel, i, cpu);
++ oprofile_add_pc(pc, is_kernel, i);
+ ctr_write(i, reset_value[i]);
+ } else {
+ ctr_write(i, 0);
+diff -Nru a/arch/ppc/platforms/4xx/ebony.h b/arch/ppc/platforms/4xx/ebony.h
+--- a/arch/ppc/platforms/4xx/ebony.h 2005-03-25 19:28:57 -08:00
++++ b/arch/ppc/platforms/4xx/ebony.h 2005-03-25 19:28:57 -08:00
+@@ -61,8 +61,8 @@
+ */
+
+ /* OpenBIOS defined UART mappings, used before early_serial_setup */
+-#define UART0_IO_BASE (u8 *) 0xE0000200
+-#define UART1_IO_BASE (u8 *) 0xE0000300
++#define UART0_IO_BASE 0xE0000200
++#define UART1_IO_BASE 0xE0000300
+
+ /* external Epson SG-615P */
+ #define BASE_BAUD 691200
+diff -Nru a/arch/ppc/platforms/4xx/luan.h b/arch/ppc/platforms/4xx/luan.h
+--- a/arch/ppc/platforms/4xx/luan.h 2005-03-25 19:28:57 -08:00
++++ b/arch/ppc/platforms/4xx/luan.h 2005-03-25 19:28:57 -08:00
+@@ -47,9 +47,9 @@
+ #define RS_TABLE_SIZE 3
+
+ /* PIBS defined UART mappings, used before early_serial_setup */
+-#define UART0_IO_BASE (u8 *) 0xa0000200
+-#define UART1_IO_BASE (u8 *) 0xa0000300
+-#define UART2_IO_BASE (u8 *) 0xa0000600
++#define UART0_IO_BASE 0xa0000200
++#define UART1_IO_BASE 0xa0000300
++#define UART2_IO_BASE 0xa0000600
+
+ #define BASE_BAUD 11059200
+ #define STD_UART_OP(num) \
+diff -Nru a/arch/ppc/platforms/4xx/ocotea.h b/arch/ppc/platforms/4xx/ocotea.h
+--- a/arch/ppc/platforms/4xx/ocotea.h 2005-03-25 19:28:57 -08:00
++++ b/arch/ppc/platforms/4xx/ocotea.h 2005-03-25 19:28:57 -08:00
+@@ -56,8 +56,8 @@
+ #define RS_TABLE_SIZE 2
+
+ /* OpenBIOS defined UART mappings, used before early_serial_setup */
+-#define UART0_IO_BASE (u8 *) 0xE0000200
+-#define UART1_IO_BASE (u8 *) 0xE0000300
++#define UART0_IO_BASE 0xE0000200
++#define UART1_IO_BASE 0xE0000300
+
+ #define BASE_BAUD 11059200/16
+ #define STD_UART_OP(num) \
+diff -Nru a/drivers/char/drm/drm_ioctl.c b/drivers/char/drm/drm_ioctl.c
+--- a/drivers/char/drm/drm_ioctl.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/char/drm/drm_ioctl.c 2005-03-25 19:28:57 -08:00
+@@ -326,6 +326,8 @@
+
+ DRM_COPY_FROM_USER_IOCTL(sv, argp, sizeof(sv));
+
++ memset(&version, 0, sizeof(version));
++
+ dev->driver->version(&version);
+ retv.drm_di_major = DRM_IF_MAJOR;
+ retv.drm_di_minor = DRM_IF_MINOR;
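Review bot: The added `memset(&version, 0, sizeof(version));` has no comment, so nothing tells a later reader that it is there for safety rather than tidiness. `version` is handed to the driver's `version()` callback, and any field the callback leaves untouched would otherwise keep whatever was on the stack; if the structure is later copied out to the caller (that code is outside this hunk), those bytes would be disclosed. A one-line comment such as `/* zero first: the driver callback may not fill every field */` would record the intent. The same applies to the `memset(kaddr, 0, chunk_size);` added in fs/ext2/dir.c further down, which the changelog ties to the ext2 information leak.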
+diff -Nru a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
+--- a/drivers/input/serio/i8042-x86ia64io.h 2005-03-25 19:28:57 -08:00
++++ b/drivers/input/serio/i8042-x86ia64io.h 2005-03-25 19:28:57 -08:00
+@@ -88,7 +88,7 @@
+ };
+ #endif
+
+-#ifdef CONFIG_ACPI
++#if defined(__ia64__) && defined(CONFIG_ACPI)
+ #include <linux/acpi.h>
+ #include <acpi/acpi_bus.h>
+
+@@ -281,7 +281,7 @@
+ i8042_kbd_irq = I8042_MAP_IRQ(1);
+ i8042_aux_irq = I8042_MAP_IRQ(12);
+
+-#ifdef CONFIG_ACPI
++#if defined(__ia64__) && defined(CONFIG_ACPI)
+ if (i8042_acpi_init())
+ return -1;
+ #endif
+@@ -300,7 +300,7 @@
+
+ static inline void i8042_platform_exit(void)
+ {
+-#ifdef CONFIG_ACPI
++#if defined(__ia64__) && defined(CONFIG_ACPI)
+ i8042_acpi_exit();
+ #endif
+ }
+diff -Nru a/drivers/md/raid6altivec.uc b/drivers/md/raid6altivec.uc
+--- a/drivers/md/raid6altivec.uc 2005-03-25 19:28:57 -08:00
++++ b/drivers/md/raid6altivec.uc 2005-03-25 19:28:57 -08:00
+@@ -108,7 +108,11 @@
+ int raid6_have_altivec(void)
+ {
+ /* This assumes either all CPUs have Altivec or none does */
++#ifdef CONFIG_PPC64
+ return cur_cpu_spec->cpu_features & CPU_FTR_ALTIVEC;
++#else
++ return cur_cpu_spec[0]->cpu_features & CPU_FTR_ALTIVEC;
++#endif
+ }
+ #endif
+
+diff -Nru a/drivers/media/video/adv7170.c b/drivers/media/video/adv7170.c
+--- a/drivers/media/video/adv7170.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/media/video/adv7170.c 2005-03-25 19:28:57 -08:00
+@@ -130,7 +130,7 @@
+ u8 block_data[32];
+
+ msg.addr = client->addr;
+- msg.flags = client->flags;
++ msg.flags = 0;
+ while (len >= 2) {
+ msg.buf = (char *) block_data;
+ msg.len = 0;
+diff -Nru a/drivers/media/video/adv7175.c b/drivers/media/video/adv7175.c
+--- a/drivers/media/video/adv7175.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/media/video/adv7175.c 2005-03-25 19:28:57 -08:00
+@@ -126,7 +126,7 @@
+ u8 block_data[32];
+
+ msg.addr = client->addr;
+- msg.flags = client->flags;
++ msg.flags = 0;
+ while (len >= 2) {
+ msg.buf = (char *) block_data;
+ msg.len = 0;
+diff -Nru a/drivers/media/video/bt819.c b/drivers/media/video/bt819.c
+--- a/drivers/media/video/bt819.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/media/video/bt819.c 2005-03-25 19:28:57 -08:00
+@@ -146,7 +146,7 @@
+ u8 block_data[32];
+
+ msg.addr = client->addr;
+- msg.flags = client->flags;
++ msg.flags = 0;
+ while (len >= 2) {
+ msg.buf = (char *) block_data;
+ msg.len = 0;
+diff -Nru a/drivers/media/video/saa7110.c b/drivers/media/video/saa7110.c
+--- a/drivers/media/video/saa7110.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/media/video/saa7110.c 2005-03-25 19:28:57 -08:00
+@@ -60,8 +60,10 @@
+
+ #define I2C_SAA7110 0x9C /* or 0x9E */
+
++#define SAA7110_NR_REG 0x35
++
+ struct saa7110 {
+- unsigned char reg[54];
++ u8 reg[SAA7110_NR_REG];
+
+ int norm;
+ int input;
+@@ -95,31 +97,28 @@
+ unsigned int len)
+ {
+ int ret = -1;
+- u8 reg = *data++;
++ u8 reg = *data; /* first register to write to */
+
+- len--;
++ /* Sanity check */
++ if (reg + (len - 1) > SAA7110_NR_REG)
++ return ret;
+
+ /* the saa7110 has an autoincrement function, use it if
+ * the adapter understands raw I2C */
+ if (i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
+ struct saa7110 *decoder = i2c_get_clientdata(client);
+ struct i2c_msg msg;
+- u8 block_data[54];
+
+- msg.len = 0;
+- msg.buf = (char *) block_data;
++ msg.len = len;
++ msg.buf = (char *) data;
+ msg.addr = client->addr;
+- msg.flags = client->flags;
+- while (len >= 1) {
+- msg.len = 0;
+- block_data[msg.len++] = reg;
+- while (len-- >= 1 && msg.len < 54)
+- block_data[msg.len++] =
+- decoder->reg[reg++] = *data++;
+- ret = i2c_transfer(client->adapter, &msg, 1);
+- }
++ msg.flags = 0;
++ ret = i2c_transfer(client->adapter, &msg, 1);
++
++ /* Cache the written data */
++ memcpy(decoder->reg + reg, data + 1, len - 1);
+ } else {
+- while (len-- >= 1) {
++ for (++data, --len; len; len--) {
+ if ((ret = saa7110_write(client, reg++,
+ *data++)) < 0)
+ break;
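Review bot: The new sanity check evaluates `len - 1` on an `unsigned int`, so a call with `len == 0` wraps to a very large value, and for any non-zero `reg` the sum `reg + (len - 1)` wraps back below `SAA7110_NR_REG` and passes. The `memcpy(decoder->reg + reg, data + 1, len - 1)` in the raw-I2C branch, or the `for (++data, --len; len; len--)` loop in the fallback branch, would then run far past both buffers. Rejecting the empty case in the same test closes this: `if (len == 0 || reg + (len - 1) > SAA7110_NR_REG)`. The function's signature and its callers are outside the hunk, and the only caller data visible here is the fixed-size `initseq`, so this is hardening rather than a demonstrated fault.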
+@@ -192,7 +191,7 @@
+ return 0;
+ }
+
+-static const unsigned char initseq[] = {
++static const unsigned char initseq[1 + SAA7110_NR_REG] = {
+ 0, 0x4C, 0x3C, 0x0D, 0xEF, 0xBD, 0xF2, 0x03, 0x00,
+ /* 0x08 */ 0xF8, 0xF8, 0x60, 0x60, 0x00, 0x86, 0x18, 0x90,
+ /* 0x10 */ 0x00, 0x59, 0x40, 0x46, 0x42, 0x1A, 0xFF, 0xDA,
+diff -Nru a/drivers/media/video/saa7114.c b/drivers/media/video/saa7114.c
+--- a/drivers/media/video/saa7114.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/media/video/saa7114.c 2005-03-25 19:28:57 -08:00
+@@ -163,7 +163,7 @@
+ u8 block_data[32];
+
+ msg.addr = client->addr;
+- msg.flags = client->flags;
++ msg.flags = 0;
+ while (len >= 2) {
+ msg.buf = (char *) block_data;
+ msg.len = 0;
+diff -Nru a/drivers/media/video/saa7185.c b/drivers/media/video/saa7185.c
+--- a/drivers/media/video/saa7185.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/media/video/saa7185.c 2005-03-25 19:28:57 -08:00
+@@ -118,7 +118,7 @@
+ u8 block_data[32];
+
+ msg.addr = client->addr;
+- msg.flags = client->flags;
++ msg.flags = 0;
+ while (len >= 2) {
+ msg.buf = (char *) block_data;
+ msg.len = 0;
+diff -Nru a/drivers/net/amd8111e.c b/drivers/net/amd8111e.c
+--- a/drivers/net/amd8111e.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/net/amd8111e.c 2005-03-25 19:28:57 -08:00
+@@ -1381,6 +1381,8 @@
+
+ if(amd8111e_restart(dev)){
+ spin_unlock_irq(&lp->lock);
++ if (dev->irq)
++ free_irq(dev->irq, dev);
+ return -ENOMEM;
+ }
+ /* Start ipg timer */
+diff -Nru a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c
+--- a/drivers/net/ppp_async.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/net/ppp_async.c 2005-03-25 19:28:57 -08:00
+@@ -1000,7 +1000,7 @@
+ data += 4;
+ dlen -= 4;
+ /* data[0] is code, data[1] is length */
+- while (dlen >= 2 && dlen >= data[1]) {
++ while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
+ switch (data[0]) {
+ case LCP_MRU:
+ val = (data[2] << 8) + data[3];
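Review bot: The `LCP_MRU` case at the end of this hunk reads `data[2]` and `data[3]`, but the new loop condition only guarantees that the option is two bytes long (`data[1] >= 2`) and fits in `dlen`. An MRU option with a length field of 2 or 3 at the end of the frame would therefore be read past the validated region unless the case checks its own length, which is not visible here. A guard at the top of the case, `if (data[1] < 4) break;`, would bound the read. The rest of the switch and the enclosing function lie outside the hunk, so confirm the other cases against the same rule.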
+diff -Nru a/drivers/net/r8169.c b/drivers/net/r8169.c
+--- a/drivers/net/r8169.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/net/r8169.c 2005-03-25 19:28:57 -08:00
+@@ -1683,16 +1683,19 @@
+ rtl8169_make_unusable_by_asic(desc);
+ }
+
+-static inline void rtl8169_return_to_asic(struct RxDesc *desc, int rx_buf_sz)
++static inline void rtl8169_mark_to_asic(struct RxDesc *desc, u32 rx_buf_sz)
+ {
+- desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
++ u32 eor = le32_to_cpu(desc->opts1) & RingEnd;
++
++ desc->opts1 = cpu_to_le32(DescOwn | eor | rx_buf_sz);
+ }
+
+-static inline void rtl8169_give_to_asic(struct RxDesc *desc, dma_addr_t mapping,
+- int rx_buf_sz)
++static inline void rtl8169_map_to_asic(struct RxDesc *desc, dma_addr_t mapping,
++ u32 rx_buf_sz)
+ {
+ desc->addr = cpu_to_le64(mapping);
+- desc->opts1 |= cpu_to_le32(DescOwn + rx_buf_sz);
++ wmb();
++ rtl8169_mark_to_asic(desc, rx_buf_sz);
+ }
+
+ static int rtl8169_alloc_rx_skb(struct pci_dev *pdev, struct sk_buff **sk_buff,
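Review bot: The `wmb()` added in `rtl8169_map_to_asic()` has no comment saying what it orders, and uncommented barriers tend to get removed in later cleanups. It sits between the store to `desc->addr` and the store to `opts1` that sets `DescOwn`, so the intent appears to be that the device never observes ownership before the buffer address is in place. A comment such as `/* addr must be visible before DescOwn hands the descriptor to the NIC */` would state that. Separately, `rtl8169_mark_to_asic()` ORs `rx_buf_sz` into `opts1` unmasked, which assumes callers never pass a size that overlaps the `DescOwn` or `RingEnd` bits.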
+@@ -1712,7 +1715,7 @@
+ mapping = pci_map_single(pdev, skb->tail, rx_buf_sz,
+ PCI_DMA_FROMDEVICE);
+
+- rtl8169_give_to_asic(desc, mapping, rx_buf_sz);
++ rtl8169_map_to_asic(desc, mapping, rx_buf_sz);
+
+ out:
+ return ret;
+@@ -2150,7 +2153,7 @@
+ skb_reserve(skb, NET_IP_ALIGN);
+ eth_copy_and_sum(skb, sk_buff[0]->tail, pkt_size, 0);
+ *sk_buff = skb;
+- rtl8169_return_to_asic(desc, rx_buf_sz);
++ rtl8169_mark_to_asic(desc, rx_buf_sz);
+ ret = 0;
+ }
+ }
+diff -Nru a/drivers/net/sis900.c b/drivers/net/sis900.c
+--- a/drivers/net/sis900.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/net/sis900.c 2005-03-25 19:28:57 -08:00
+@@ -236,7 +236,7 @@
+ signature = (u16) read_eeprom(ioaddr, EEPROMSignature);
+ if (signature == 0xffff || signature == 0x0000) {
+ printk (KERN_INFO "%s: Error EERPOM read %x\n",
+- net_dev->name, signature);
++ pci_name(pci_dev), signature);
+ return 0;
+ }
+
+@@ -268,7 +268,7 @@
+ if (!isa_bridge)
+ isa_bridge = pci_get_device(PCI_VENDOR_ID_SI, 0x0018, isa_bridge);
+ if (!isa_bridge) {
+- printk("%s: Can not find ISA bridge\n", net_dev->name);
++ printk("%s: Can not find ISA bridge\n", pci_name(pci_dev));
+ return 0;
+ }
+ pci_read_config_byte(isa_bridge, 0x48, ®);
+@@ -456,10 +456,6 @@
+ net_dev->tx_timeout = sis900_tx_timeout;
+ net_dev->watchdog_timeo = TX_TIMEOUT;
+ net_dev->ethtool_ops = &sis900_ethtool_ops;
+-
+- ret = register_netdev(net_dev);
+- if (ret)
+- goto err_unmap_rx;
+
+ /* Get Mac address according to the chip revision */
+ pci_read_config_byte(pci_dev, PCI_CLASS_REVISION, &revision);
+@@ -476,7 +472,7 @@
+
+ if (ret == 0) {
+ ret = -ENODEV;
+- goto err_out_unregister;
++ goto err_unmap_rx;
+ }
+
+ /* 630ET : set the mii access mode as software-mode */
+@@ -486,7 +482,7 @@
+ /* probe for mii transceiver */
+ if (sis900_mii_probe(net_dev) == 0) {
+ ret = -ENODEV;
+- goto err_out_unregister;
++ goto err_unmap_rx;
+ }
+
+ /* save our host bridge revision */
+@@ -496,6 +492,10 @@
+ pci_dev_put(dev);
+ }
+
++ ret = register_netdev(net_dev);
++ if (ret)
++ goto err_unmap_rx;
++
+ /* print some information about our NIC */
+ printk(KERN_INFO "%s: %s at %#lx, IRQ %d, ", net_dev->name,
+ card_name, ioaddr, net_dev->irq);
+@@ -505,8 +505,6 @@
+
+ return 0;
+
+- err_out_unregister:
+- unregister_netdev(net_dev);
+ err_unmap_rx:
+ pci_free_consistent(pci_dev, RX_TOTAL_SIZE, sis_priv->rx_ring,
+ sis_priv->rx_ring_dma);
+@@ -533,6 +531,7 @@
+ static int __init sis900_mii_probe(struct net_device * net_dev)
+ {
+ struct sis900_private * sis_priv = net_dev->priv;
++ const char *dev_name = pci_name(sis_priv->pci_dev);
+ u16 poll_bit = MII_STAT_LINK, status = 0;
+ unsigned long timeout = jiffies + 5 * HZ;
+ int phy_addr;
+@@ -582,21 +581,20 @@
+ mii_phy->phy_types =
+ (mii_status & (MII_STAT_CAN_TX_FDX | MII_STAT_CAN_TX)) ? LAN : HOME;
+ printk(KERN_INFO "%s: %s transceiver found at address %d.\n",
+- net_dev->name, mii_chip_table[i].name,
++ dev_name, mii_chip_table[i].name,
+ phy_addr);
+ break;
+ }
+
+ if( !mii_chip_table[i].phy_id1 ) {
+ printk(KERN_INFO "%s: Unknown PHY transceiver found at address %d.\n",
+- net_dev->name, phy_addr);
++ dev_name, phy_addr);
+ mii_phy->phy_types = UNKNOWN;
+ }
+ }
+
+ if (sis_priv->mii == NULL) {
+- printk(KERN_INFO "%s: No MII transceivers found!\n",
+- net_dev->name);
++ printk(KERN_INFO "%s: No MII transceivers found!\n", dev_name);
+ return 0;
+ }
+
+@@ -621,7 +619,7 @@
+ poll_bit ^= (mdio_read(net_dev, sis_priv->cur_phy, MII_STATUS) & poll_bit);
+ if (time_after_eq(jiffies, timeout)) {
+ printk(KERN_WARNING "%s: reset phy and link down now\n",
+- net_dev->name);
++ dev_name);
+ return -ETIME;
+ }
+ }
+@@ -691,7 +689,7 @@
+ sis_priv->mii = default_phy;
+ sis_priv->cur_phy = default_phy->phy_addr;
+ printk(KERN_INFO "%s: Using transceiver found at address %d as default\n",
+- net_dev->name,sis_priv->cur_phy);
++ pci_name(sis_priv->pci_dev), sis_priv->cur_phy);
+ }
+
+ status = mdio_read(net_dev, sis_priv->cur_phy, MII_CONTROL);
+diff -Nru a/drivers/net/tun.c b/drivers/net/tun.c
+--- a/drivers/net/tun.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/net/tun.c 2005-03-25 19:28:57 -08:00
+@@ -229,7 +229,7 @@
+ size_t len = count;
+
+ if (!(tun->flags & TUN_NO_PI)) {
+- if ((len -= sizeof(pi)) > len)
++ if ((len -= sizeof(pi)) > count)
+ return -EINVAL;
+
+ if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))
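Review bot: The underflow test `(len -= sizeof(pi)) > count` is correct as changed, but it depends on unsigned wrap-around and on an assignment inside the condition, which is the shape that let the earlier self-comparison `> len` go unnoticed. Checking before subtracting is easier to read and harder to get wrong: `if (count < sizeof(pi)) return -EINVAL;` followed by `len -= sizeof(pi);`. This assumes `count` is unsigned like `len`; its declaration and the rest of the function are outside the hunk.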
+diff -Nru a/drivers/net/via-rhine.c b/drivers/net/via-rhine.c
+--- a/drivers/net/via-rhine.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/net/via-rhine.c 2005-03-25 19:28:57 -08:00
+@@ -1197,8 +1197,10 @@
+ dev->name, rp->pdev->irq);
+
+ rc = alloc_ring(dev);
+- if (rc)
++ if (rc) {
++ free_irq(rp->pdev->irq, dev);
+ return rc;
++ }
+ alloc_rbufs(dev);
+ alloc_tbufs(dev);
+ rhine_chip_reset(dev);
+@@ -1898,6 +1900,9 @@
+ struct net_device *dev = pci_get_drvdata(pdev);
+ struct rhine_private *rp = netdev_priv(dev);
+ void __iomem *ioaddr = rp->base;
++
++ if (!(rp->quirks & rqWOL))
++ return; /* Nothing to do for non-WOL adapters */
+
+ rhine_power_init(dev);
+
+diff -Nru a/drivers/net/wan/hd6457x.c b/drivers/net/wan/hd6457x.c
+--- a/drivers/net/wan/hd6457x.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/net/wan/hd6457x.c 2005-03-25 19:28:57 -08:00
+@@ -315,7 +315,7 @@
+ #endif
+ stats->rx_packets++;
+ stats->rx_bytes += skb->len;
+- skb->dev->last_rx = jiffies;
++ dev->last_rx = jiffies;
+ skb->protocol = hdlc_type_trans(skb, dev);
+ netif_rx(skb);
+ }
+diff -Nru a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c
+--- a/drivers/pci/hotplug/pciehp_ctrl.c 2005-03-25 19:28:57 -08:00
++++ b/drivers/pci/hotplug/pciehp_ctrl.c 2005-03-25 19:28:57 -08:00
+@@ -1354,10 +1354,11 @@
+ dbg("PCI Bridge Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n",
+ ctrl->seg, func->bus, func->device, func->function);
+ bridge_slot_remove(func);
+- } else
++ } else {
+ dbg("PCI Function Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n",
+ ctrl->seg, func->bus, func->device, func->function);
+ slot_remove(func);
++ }
+
+ func = pciehp_slot_find(ctrl->slot_bus, device, 0);
+ }
+diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c 2005-03-25 19:28:57 -08:00
++++ b/fs/binfmt_elf.c 2005-03-25 19:28:57 -08:00
+@@ -1008,6 +1008,7 @@
+ static int load_elf_library(struct file *file)
+ {
+ struct elf_phdr *elf_phdata;
++ struct elf_phdr *eppnt;
+ unsigned long elf_bss, bss, len;
+ int retval, error, i, j;
+ struct elfhdr elf_ex;
+@@ -1031,44 +1032,47 @@
+ /* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
+
+ error = -ENOMEM;
+- elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
++ elf_phdata = kmalloc(j, GFP_KERNEL);
+ if (!elf_phdata)
+ goto out;
+
++ eppnt = elf_phdata;
+ error = -ENOEXEC;
+- retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j);
++ retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
+ if (retval != j)
+ goto out_free_ph;
+
+ for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
+- if ((elf_phdata + i)->p_type == PT_LOAD) j++;
++ if ((eppnt + i)->p_type == PT_LOAD)
++ j++;
+ if (j != 1)
+ goto out_free_ph;
+
+- while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
++ while (eppnt->p_type != PT_LOAD)
++ eppnt++;
+
+ /* Now use mmap to map the library into memory. */
+ down_write(¤t->mm->mmap_sem);
+ error = do_mmap(file,
+- ELF_PAGESTART(elf_phdata->p_vaddr),
+- (elf_phdata->p_filesz +
+- ELF_PAGEOFFSET(elf_phdata->p_vaddr)),
++ ELF_PAGESTART(eppnt->p_vaddr),
++ (eppnt->p_filesz +
++ ELF_PAGEOFFSET(eppnt->p_vaddr)),
+ PROT_READ | PROT_WRITE | PROT_EXEC,
+ MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
+- (elf_phdata->p_offset -
+- ELF_PAGEOFFSET(elf_phdata->p_vaddr)));
++ (eppnt->p_offset -
++ ELF_PAGEOFFSET(eppnt->p_vaddr)));
+ up_write(¤t->mm->mmap_sem);
+- if (error != ELF_PAGESTART(elf_phdata->p_vaddr))
++ if (error != ELF_PAGESTART(eppnt->p_vaddr))
+ goto out_free_ph;
+
+- elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
++ elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
+ if (padzero(elf_bss)) {
+ error = -EFAULT;
+ goto out_free_ph;
+ }
+
+- len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
+- bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
++ len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
++ bss = eppnt->p_memsz + eppnt->p_vaddr;
+ if (bss > len) {
+ down_write(¤t->mm->mmap_sem);
+ do_brk(len, bss - len);
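Review bot: Nothing in the new code says why the program-header walk moved from `elf_phdata` to `eppnt`, so a later cleanup could fold the two back together. The `out_free_ph` label is outside this hunk, but it presumably frees `elf_phdata`, which must therefore keep the address returned by `kmalloc()`; the old `while (...) elf_phdata++;` would have handed a shifted pointer to that free whenever the `PT_LOAD` entry was not the first header. A comment at `eppnt = elf_phdata;` such as `/* iterate with eppnt; elf_phdata stays at the allocation base for the free at out_free_ph */` would make the invariant explicit.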
+diff -Nru a/fs/cramfs/inode.c b/fs/cramfs/inode.c
+--- a/fs/cramfs/inode.c 2005-03-25 19:28:57 -08:00
++++ b/fs/cramfs/inode.c 2005-03-25 19:28:57 -08:00
+@@ -70,6 +70,7 @@
+ inode->i_data.a_ops = &cramfs_aops;
+ } else {
+ inode->i_size = 0;
++ inode->i_blocks = 0;
+ init_special_inode(inode, inode->i_mode,
+ old_decode_dev(cramfs_inode->size));
+ }
+diff -Nru a/fs/eventpoll.c b/fs/eventpoll.c
+--- a/fs/eventpoll.c 2005-03-25 19:28:57 -08:00
++++ b/fs/eventpoll.c 2005-03-25 19:28:57 -08:00
+@@ -619,6 +619,7 @@
+ return error;
+ }
+
++#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
+
+ /*
+ * Implement the event wait interface for the eventpoll file. It is the kernel
+@@ -635,7 +636,7 @@
+ current, epfd, events, maxevents, timeout));
+
+ /* The maximum number of event must be greater than zero */
+- if (maxevents <= 0)
++ if (maxevents <= 0 || maxevents > MAX_EVENTS)
+ return -EINVAL;
+
+ /* Verify that the area passed by the user is writeable */
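Review bot: `MAX_EVENTS` is defined without a comment, and the reason for the bound is not obvious where it is used. The value `INT_MAX / sizeof(struct epoll_event)` suggests it exists so that `maxevents * sizeof(struct epoll_event)` cannot overflow in the size computation for the user-buffer check that follows; a comment such as `/* largest maxevents for which maxevents * sizeof(struct epoll_event) fits in an int */` above the define would say so. Note also that `maxevents > MAX_EVENTS` compares against a `size_t` constant, so if `maxevents` is a signed int, as the `<= 0` test implies, the comparison is only safe because the non-positive case is rejected first; the order of the two tests should be kept.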
+diff -Nru a/fs/exec.c b/fs/exec.c
+--- a/fs/exec.c 2005-03-25 19:28:57 -08:00
++++ b/fs/exec.c 2005-03-25 19:28:57 -08:00
+@@ -814,7 +814,7 @@
+ {
+ /* buf must be at least sizeof(tsk->comm) in size */
+ task_lock(tsk);
+- memcpy(buf, tsk->comm, sizeof(tsk->comm));
++ strncpy(buf, tsk->comm, sizeof(tsk->comm));
+ task_unlock(tsk);
+ }
+
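Review bot: The switch from `memcpy` to `strncpy` carries no comment, and the reason is easy to undo by accident. `strncpy` stops at the terminator and zero-fills the remainder of `buf`, so bytes that sit after the NUL in `tsk->comm` are no longer passed to the caller. It does not terminate `buf` if `tsk->comm` itself lacks a terminator, so the function still relies on every writer of `comm` keeping it NUL-terminated. A comment such as `/* strncpy, not memcpy: zero-pad so bytes after the terminator in comm are not copied out */` would record both points.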
+diff -Nru a/fs/ext2/dir.c b/fs/ext2/dir.c
+--- a/fs/ext2/dir.c 2005-03-25 19:28:57 -08:00
++++ b/fs/ext2/dir.c 2005-03-25 19:28:57 -08:00
+@@ -592,6 +592,7 @@
+ goto fail;
+ }
+ kaddr = kmap_atomic(page, KM_USER0);
++ memset(kaddr, 0, chunk_size);
+ de = (struct ext2_dir_entry_2 *)kaddr;
+ de->name_len = 1;
+ de->rec_len = cpu_to_le16(EXT2_DIR_REC_LEN(1));
+diff -Nru a/fs/isofs/inode.c b/fs/isofs/inode.c
+--- a/fs/isofs/inode.c 2005-03-25 19:28:57 -08:00
++++ b/fs/isofs/inode.c 2005-03-25 19:28:57 -08:00
+@@ -685,6 +685,8 @@
+ sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size);
+ sbi->s_max_size = isonum_733(h_pri->volume_space_size);
+ } else {
++ if (!pri)
++ goto out_freebh;
+ rootp = (struct iso_directory_record *) pri->root_directory_record;
+ sbi->s_nzones = isonum_733 (pri->volume_space_size);
+ sbi->s_log_zone_size = isonum_723 (pri->logical_block_size);
+@@ -1394,6 +1396,9 @@
+ unsigned long hashval;
+ struct inode *inode;
+ struct isofs_iget5_callback_data data;
++
++ if (offset >= 1ul << sb->s_blocksize_bits)
++ return NULL;
+
+ data.block = block;
+ data.offset = offset;
+diff -Nru a/fs/isofs/rock.c b/fs/isofs/rock.c
+--- a/fs/isofs/rock.c 2005-03-25 19:28:57 -08:00
++++ b/fs/isofs/rock.c 2005-03-25 19:28:57 -08:00
+@@ -53,6 +53,7 @@
+ if(LEN & 1) LEN++; \
+ CHR = ((unsigned char *) DE) + LEN; \
+ LEN = *((unsigned char *) DE) - LEN; \
++ if (LEN<0) LEN=0; \
+ if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1) \
+ { \
+ LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset; \
+@@ -73,6 +74,10 @@
+ offset1 = 0; \
+ pbh = sb_bread(DEV->i_sb, block); \
+ if(pbh){ \
++ if (offset > pbh->b_size || offset + cont_size > pbh->b_size){ \
++ brelse(pbh); \
++ goto out; \
++ } \
+ memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
+ brelse(pbh); \
+ chr = (unsigned char *) buffer; \
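Review bot: The second half of the new bounds test, `offset + cont_size > pbh->b_size`, is computed as a sum and can wrap or go negative when both values come from a corrupt image, which would let an out-of-range `cont_size` through to the `memcpy`. The declarations of `offset` and `cont_size` are outside this hunk, so this depends on their types; writing the test as a subtraction after the first comparison avoids the sum altogether: `if (offset > pbh->b_size || cont_size > pbh->b_size - offset)`. The `goto out` added inside the macro also means every expansion site needs an `out:` label that releases whatever was allocated for `buffer`; that allocation and the labels are not visible here.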
+@@ -103,12 +108,13 @@
+ struct rock_ridge * rr;
+ int sig;
+
+- while (len > 1){ /* There may be one byte for padding somewhere */
++ while (len > 2){ /* There may be one byte for padding somewhere */
+ rr = (struct rock_ridge *) chr;
+- if (rr->len == 0) goto out; /* Something got screwed up here */
++ if (rr->len < 3) goto out; /* Something got screwed up here */
+ sig = isonum_721(chr);
+ chr += rr->len;
+ len -= rr->len;
++ if (len < 0) goto out; /* corrupted isofs */
+
+ switch(sig){
+ case SIG('R','R'):
+@@ -122,6 +128,7 @@
+ break;
+ case SIG('N','M'):
+ if (truncate) break;
++ if (rr->len < 5) break;
+ /*
+ * If the flags are 2 or 4, this indicates '.' or '..'.
+ * We don't want to do anything with this, because it
+@@ -186,12 +193,13 @@
+ struct rock_ridge * rr;
+ int rootflag;
+
+- while (len > 1){ /* There may be one byte for padding somewhere */
++ while (len > 2){ /* There may be one byte for padding somewhere */
+ rr = (struct rock_ridge *) chr;
+- if (rr->len == 0) goto out; /* Something got screwed up here */
++ if (rr->len < 3) goto out; /* Something got screwed up here */
+ sig = isonum_721(chr);
+ chr += rr->len;
+ len -= rr->len;
++ if (len < 0) goto out; /* corrupted isofs */
+
+ switch(sig){
+ #ifndef CONFIG_ZISOFS /* No flag for SF or ZF */
+@@ -462,7 +470,7 @@
+ struct rock_ridge *rr;
+
+ if (!ISOFS_SB(inode->i_sb)->s_rock)
+- panic ("Cannot have symlink with high sierra variant of iso filesystem\n");
++ goto error;
+
+ block = ei->i_iget5_block;
+ lock_kernel();
+@@ -487,13 +495,15 @@
+ SETUP_ROCK_RIDGE(raw_inode, chr, len);
+
+ repeat:
+- while (len > 1) { /* There may be one byte for padding somewhere */
++ while (len > 2) { /* There may be one byte for padding somewhere */
+ rr = (struct rock_ridge *) chr;
+- if (rr->len == 0)
++ if (rr->len < 3)
+ goto out; /* Something got screwed up here */
+ sig = isonum_721(chr);
+ chr += rr->len;
+ len -= rr->len;
++ if (len < 0)
++ goto out; /* corrupted isofs */
+
+ switch (sig) {
+ case SIG('R', 'R'):
+@@ -543,6 +553,7 @@
+ fail:
+ brelse(bh);
+ unlock_kernel();
++ error:
+ SetPageError(page);
+ kunmap(page);
+ unlock_page(page);
+diff -Nru a/kernel/signal.c b/kernel/signal.c
+--- a/kernel/signal.c 2005-03-25 19:28:57 -08:00
++++ b/kernel/signal.c 2005-03-25 19:28:57 -08:00
+@@ -1728,6 +1728,7 @@
+ * with another processor delivering a stop signal,
+ * then the SIGCONT that wakes us up should clear it.
+ */
++ read_unlock(&tasklist_lock);
+ return 0;
+ }
+
+diff -Nru a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
+--- a/net/bluetooth/af_bluetooth.c 2005-03-25 19:28:57 -08:00
++++ b/net/bluetooth/af_bluetooth.c 2005-03-25 19:28:57 -08:00
+@@ -64,7 +64,7 @@
+
+ int bt_sock_register(int proto, struct net_proto_family *ops)
+ {
+- if (proto >= BT_MAX_PROTO)
++ if (proto < 0 || proto >= BT_MAX_PROTO)
+ return -EINVAL;
+
+ if (bt_proto[proto])
+@@ -77,7 +77,7 @@
+
+ int bt_sock_unregister(int proto)
+ {
+- if (proto >= BT_MAX_PROTO)
++ if (proto < 0 || proto >= BT_MAX_PROTO)
+ return -EINVAL;
+
+ if (!bt_proto[proto])
+@@ -92,7 +92,7 @@
+ {
+ int err = 0;
+
+- if (proto >= BT_MAX_PROTO)
++ if (proto < 0 || proto >= BT_MAX_PROTO)
+ return -EINVAL;
+
+ #if defined(CONFIG_KMOD)
+diff -Nru a/net/ipv4/fib_hash.c b/net/ipv4/fib_hash.c
+--- a/net/ipv4/fib_hash.c 2005-03-25 19:28:57 -08:00
++++ b/net/ipv4/fib_hash.c 2005-03-25 19:28:57 -08:00
+@@ -919,13 +919,23 @@
+ return fa;
+ }
+
++static struct fib_alias *fib_get_idx(struct seq_file *seq, loff_t pos)
++{
++ struct fib_alias *fa = fib_get_first(seq);
++
++ if (fa)
++ while (pos && (fa = fib_get_next(seq)))
++ --pos;
++ return pos ? NULL : fa;
++}
++
+ static void *fib_seq_start(struct seq_file *seq, loff_t *pos)
+ {
+ void *v = NULL;
+
+ read_lock(&fib_hash_lock);
+ if (ip_fib_main_table)
+- v = *pos ? fib_get_next(seq) : SEQ_START_TOKEN;
++ v = *pos ? fib_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
+ return v;
+ }
+
+diff -Nru a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
+--- a/net/ipv4/tcp_timer.c 2005-03-25 19:28:57 -08:00
++++ b/net/ipv4/tcp_timer.c 2005-03-25 19:28:57 -08:00
+@@ -38,6 +38,7 @@
+
+ #ifdef TCP_DEBUG
+ const char tcp_timer_bug_msg[] = KERN_DEBUG "tcpbug: unknown timer value\n";
++EXPORT_SYMBOL(tcp_timer_bug_msg);
+ #endif
+
+ /*
+diff -Nru a/net/netrom/nr_in.c b/net/netrom/nr_in.c
+--- a/net/netrom/nr_in.c 2005-03-25 19:28:57 -08:00
++++ b/net/netrom/nr_in.c 2005-03-25 19:28:57 -08:00
+@@ -74,7 +74,6 @@
+ static int nr_state1_machine(struct sock *sk, struct sk_buff *skb,
+ int frametype)
+ {
+- bh_lock_sock(sk);
+ switch (frametype) {
+ case NR_CONNACK: {
+ nr_cb *nr = nr_sk(sk);
+@@ -103,8 +102,6 @@
+ default:
+ break;
+ }
+- bh_unlock_sock(sk);
+-
+ return 0;
+ }
+
+@@ -116,7 +113,6 @@
+ static int nr_state2_machine(struct sock *sk, struct sk_buff *skb,
+ int frametype)
+ {
+- bh_lock_sock(sk);
+ switch (frametype) {
+ case NR_CONNACK | NR_CHOKE_FLAG:
+ nr_disconnect(sk, ECONNRESET);
+@@ -132,8 +128,6 @@
+ default:
+ break;
+ }
+- bh_unlock_sock(sk);
+-
+ return 0;
+ }
+
+@@ -154,7 +148,6 @@
+ nr = skb->data[18];
+ ns = skb->data[17];
+
+- bh_lock_sock(sk);
+ switch (frametype) {
+ case NR_CONNREQ:
+ nr_write_internal(sk, NR_CONNACK);
+@@ -265,8 +258,6 @@
+ default:
+ break;
+ }
+- bh_unlock_sock(sk);
+-
+ return queued;
+ }
+
+diff -Nru a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+--- a/net/xfrm/xfrm_state.c 2005-03-25 19:28:57 -08:00
++++ b/net/xfrm/xfrm_state.c 2005-03-25 19:28:57 -08:00
+@@ -609,7 +609,7 @@
+
+ for (i = 0; i < XFRM_DST_HSIZE; i++) {
+ list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
+- if (x->km.seq == seq) {
++ if (x->km.seq == seq && x->km.state == XFRM_STATE_ACQ) {
+ xfrm_state_hold(x);
+ return x;
+ }
+diff -Nru a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
+--- a/sound/pci/ac97/ac97_codec.c 2005-03-25 19:28:57 -08:00
++++ b/sound/pci/ac97/ac97_codec.c 2005-03-25 19:28:57 -08:00
+@@ -1185,7 +1185,7 @@
+ /*
+ * create mute switch(es) for normal stereo controls
+ */
+-static int snd_ac97_cmute_new(snd_card_t *card, char *name, int reg, ac97_t *ac97)
++static int snd_ac97_cmute_new_stereo(snd_card_t *card, char *name, int reg, int check_stereo, ac97_t *ac97)
+ {
+ snd_kcontrol_t *kctl;
+ int err;
+@@ -1196,7 +1196,7 @@
+
+ mute_mask = 0x8000;
+ val = snd_ac97_read(ac97, reg);
+- if (ac97->flags & AC97_STEREO_MUTES) {
++ if (check_stereo || (ac97->flags & AC97_STEREO_MUTES)) {
+ /* check whether both mute bits work */
+ val1 = val | 0x8080;
+ snd_ac97_write(ac97, reg, val1);
+@@ -1254,7 +1254,7 @@
+ /*
+ * create a mute-switch and a volume for normal stereo/mono controls
+ */
+-static int snd_ac97_cmix_new(snd_card_t *card, const char *pfx, int reg, ac97_t *ac97)
++static int snd_ac97_cmix_new_stereo(snd_card_t *card, const char *pfx, int reg, int check_stereo, ac97_t *ac97)
+ {
+ int err;
+ char name[44];
+@@ -1265,7 +1265,7 @@
+
+ if (snd_ac97_try_bit(ac97, reg, 15)) {
+ sprintf(name, "%s Switch", pfx);
+- if ((err = snd_ac97_cmute_new(card, name, reg, ac97)) < 0)
++ if ((err = snd_ac97_cmute_new_stereo(card, name, reg, check_stereo, ac97)) < 0)
+ return err;
+ }
+ check_volume_resolution(ac97, reg, &lo_max, &hi_max);
+@@ -1277,6 +1277,8 @@
+ return 0;
+ }
+
++#define snd_ac97_cmix_new(card, pfx, reg, ac97) snd_ac97_cmix_new_stereo(card, pfx, reg, 0, ac97)
++#define snd_ac97_cmute_new(card, name, reg, ac97) snd_ac97_cmute_new_stereo(card, name, reg, 0, ac97)
+
+ static unsigned int snd_ac97_determine_spdif_rates(ac97_t *ac97);
+
+@@ -1327,7 +1329,8 @@
+
+ /* build surround controls */
+ if (snd_ac97_try_volume_mix(ac97, AC97_SURROUND_MASTER)) {
+- if ((err = snd_ac97_cmix_new(card, "Surround Playback", AC97_SURROUND_MASTER, ac97)) < 0)
++ /* Surround Master (0x38) is with stereo mutes */
++ if ((err = snd_ac97_cmix_new_stereo(card, "Surround Playback", AC97_SURROUND_MASTER, 1, ac97)) < 0)
+ return err;
+ }
+
Modified: trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/series/2.6.11-2
===================================================================
--- trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/series/2.6.11-2 2005-04-01 10:42:00 UTC (rev 2873)
+++ trunk/kernel/source/kernel-source-2.6.11-2.6.11/debian/patches/series/2.6.11-2 2005-04-02 01:10:36 UTC (rev 2874)
@@ -2,12 +2,6 @@
+ fs-asfs-2.patch
+ powerpc-pmac-cache-power34-fix.patch
+ drivers-input-serio-nmouse.patch
-+ net-bluetooth-signdness-fix.patch
-+ fs-ext2-info-leak.patch
-+ fs-isofs-range-check-1.patch
-+ fs-isofs-range-check-2.patch
-+ fs-isofs-range-check-3.patch
-+ fs-binfmt_elf-dos.patch
X drivers/scsi/qla2xxx/Makefile
X drivers/scsi/qla2xxx/Kconfig
+ qla2xxx-removed.patch
@@ -16,3 +10,5 @@
+ drivers-media-video-tuner-update-2.patch
+ drivers-media-video-v4l-mpeg-support.patch
+ arch-ppc64-hugepage-aio-panic.patch
+- patch-2.6.11.5.patch
++ patch-2.6.11.6.patch