r2666 - in trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian: . patches patches/series
Andres Salomon
dilinger-guest@costa.debian.org
Fri, 11 Mar 2005 00:26:14 +0100
Author: dilinger-guest
Date: 2005-03-11 00:26:10 +0100 (Fri, 11 Mar 2005)
New Revision: 2666
Added:
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/088-ibmvscsi_event_struct_use_after_free.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/089-i386_acpi_backwards_ifdef.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/090-alsa_midi_emulation_chorus_reverb_swap.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/091-alsa_emu8000_load_fx_skip_header.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/092-net_sched_police_locate_sanity_check_input.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/093-e1000_eeprom_read_off_by_one.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/094-scsi_device_set_state_missing_oldstate.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/095-jffs2_build_filesystem_memory_leak.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/096-mtd_formatblock_zero_before_assignment.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/097-mtd_s3c2410_nand_inithw_calc_rate_fix.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/098-jffs2_do_mount_fs_init_bad_count.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/099-jfs_commit_inode_commit_race.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/101-ppc64_hugetlb_mm_free_pgd_unlock.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/102-cosa_sppp_channel_init_delay_attach.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/104-wan_sdla_firmware_cap_sys_rawio_addition.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/105-cmsg_compat_ok_proper_cmsghdr_struct.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/106-smbfs_input_validation_and_int_checks.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/107-xfs_finish_reclaim_always_inode.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/108-xfs_attrmulti_by_handle_limit_mem_alloc.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/109-binfmt_elf_loader_solar_designer_fixes.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/110-load_module_arg_checking.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/111-security_seclvl_kconfig_dep.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/112-audit_receive_skb_double_negative_return_val.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/114-netfilter_private_queues.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/115-proc_file_read_nbytes_signedness_fix.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/116-n_tty_copy_from_read_buf_signedness_fixes.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/117-reiserfs_file_64bit_size_t_fixes.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/118-i2c_sis5595_setup_pci_config_return_checks.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/119-i2c_viapro_i2cdump_overflow.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/120-openpromfs_property_read_fix.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/121-cpufreq_resume_readd.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/122-cpufreq_resume_readd_2.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/123-atm_get_addr_signedness_fix.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/125-netfilter_private_queues_2.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/126-ftdi_sio_set_serial_info_baud_base_check.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/127-ia64_ptrace_corner_case.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/129-video_cg3_screen_blanking.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/130-sparc_prom_nodematch_check_getproperty.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/131-sparc_check_prom_getproperty.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/132-sparc32_get_tv32_use_correct_variable.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/133-scsi_advansys_build_with_non_pci.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/134-cciss_scsi_detect_put_host_on_error.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/135-64bit_sys_shmget_compat_size_t_overflow.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/136-64bit_sys_compat_overflows.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/137-ppc64_prom_initialize_tce_table_typo.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/138-tulip_de_init_one_irq_init.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/139-pci_dma_free_coherent.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/140-s390_memset_arg_order_fixes.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/141-pci_devices_dont_disable_dev_if_busy.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/142-r8169_dev_alloc_skb_alignment_fix.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/143-sysfs_write_file_signedness_problem.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/144-sys_epoll_wait_int_overflow.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-6
Log:
Add 50 or so patches to 2.6.10. Next stop, compileville!
Modified: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog 2005-03-10 23:26:10 UTC (rev 2666)
@@ -44,9 +44,260 @@
* sparc64-sb1500-clock-2.6.dpatch by David Miller: enable recognition
of the clock chip on SunBlade 1500, it won't boot otherwise.
(Jurij Smakov).
+
+ * 088-ibmvscsi_event_struct_use_after_free.dpatch
+ The ibmvscsi driver has paths that free evt_struct, and then proceed to
+ use it. That's clearly a no-no in SMP/threaded contexts; once an evt_struct
+ is free, something else may grab it. So, this patch:
+ - moves the free_event_struct() to after usage of the evt_struct
+ - creates a single path for cleanup
+ - calls evt_struct->done during cleanup, which is something that
+ should've been happening.
+ (Andres Salomon)
+
+ * 089-i386_acpi_backwards_ifdef.dpatch
+ [I386] An ACPI related printk is wrapped in an #ifdef that should be an
+ #ifndef. Correct that (Andres Salomon).
- -- Frederik Schüler <fs@gmx.net> Fri, 25 Feb 2005 22:49:22 +0100
+ * 090-alsa_midi_emulation_chorus_reverb_swap.dpatch
+ [ALSA] seq_midi_emul.c had CHORUS_MODE and REVERB_MODE swapped in sysex().
+ This patch fixes that (Andres Salomon).
+ * 091-alsa_emu8000_load_fx_skip_header.patch
+ [ALSA] emu8000's load_fx() loads a userspace blob, and should be skipping
+ over the header (Andres Salomon).
+
+ * 092-net_sched_police_locate_sanity_check_input.dpatch
+ [NET] Some sanity checks are needed to ensure payloads are the same size
+ as the structures they're being copied into. AFAICT, there's no way for a
+ malicious user to inject a payload in here (it looks like police_locate
+ stuff is called during routing changes by root); however, I can't say that
+ I'm too familiar w/ tcf stuff (Andres Salomon).
+
+ * 093-e1000_eeprom_read_off_by_one.dpatch
+ The e1000 driver's read_eeprom and write_eeprom functions allowed a bit to
+ much data to be read/written; an extra word. Fix that (Andres Salomon).
+
+ * 094-scsi_device_set_state_missing_oldstate.dpatch
+ [SCSI] scsi_device_set_state() might be setting a device offline, w/ an
+ oldstate of BLOCK; that shouldn't be considered an error. Add the missing
+ state transition (Andres Salomon).
+
+ * 095-jffs2_build_filesystem_memory_leak.dpatch
+ [JFFS2] Fix memory leak in jffs2_build_filesystem(), if jffs2_scan_medium
+ fails (Andres Salomon).
+
+ * 096-mtd_formatblock_zero_before_assignment.dpatch
+ [MTD] Inside NFTL_formatblock and INFTL_formatblock, the code was previously
+ assigning values to instr, then zero'ing out the values. Instead, move the
+ assignment to after the memset (Andres Salomon).
+
+ * 097-mtd_s3c2410_nand_inithw_calc_rate_fix.dpatch
+ [MTD] s3c2410_nand_inithw() was pulling timing information from the wrong
+ place, making the timing incorrect. This patch makes it pull the info from
+ the right place (Andres Salomon).
+
+ * 098-jffs2_do_mount_fs_init_bad_count.dpatch
+ [JFFS2] Initialize each eraseblock's bad_count to 0 in jffs2_do_mount_fs().
+ Unitialized memory sure is fun, eh? (Andres Salomon)
+
+ * 099-jfs_commit_inode_commit_race.dpatch
+ [JFS] Fix race in jfs_commit_inode(); before actually doing the commit,
+ retest to ensure that the inode is both dirty and linked (Andres Salomon).
+
+ * 101-ppc64_hugetlb_mm_free_pgd_unlock.dpatch
+ [PPC64] In hugetlb_mm_free_pgd(), mm->page_table_lock is locked, but never
+ unlocked in the event of an error. This patch fixes that (Andres Salomon).
+
+ * 102-cosa_sppp_channel_init_delay_attach.dpatch
+ Fix buglet in cosa's sppp_channel_init(); do not call sppp_attach() until
+ the netdev contains info that sppp_attach needs (Andres Salomon).
+
+ * 104-wan_sdla_firmware_cap_sys_rawio_addition.dpatch
+ [SECURITY] The SDLA driver only checked CAP_NET_ADMIN when doing firmware
+ uploads. This patch adds an additional check for CAP_SYS_RAWIO, as well
+ (Andres Salomon).
+
+ * 105-cmsg_compat_ok_proper_cmsghdr_struct.dpatch
+ [NET] CMSG_COMPAT_OK() does a sanity check using the size of a cmsghdr
+ struct, when it should be using a compat_cmsghdr struct, instead. This
+ fixes that (Andres Salomon).
+
+ * 106-smbfs_input_validation_and_int_checks.dpatch
+ [SECURITY] This patch adds various input validation and sanity checks to
+ the smbfs driver; fixes include integer underflow checks in
+ smb_proc_readX_data and smb_recv_trans2 (Andres Salomon).
+
+ * 107-xfs_finish_reclaim_always_inode.dpatch
+ [XFS] In xfs_finish_reclaim(), xfs_ireclaim() should always be called
+ (unless there's some sort of locking problem) before returning
+ (Andres Salomon).
+
+ * 108-xfs_attrmulti_by_handle_limit_mem_alloc.dpatch
+ [SECURITY] xfs_ioctl(XFS_IOC_ATTRMULTI_BY_HANDLE) calls
+ xfs_attrmulti_by_handle, which allocates memory based on user input. This
+ patch adds a check for a max size of memory to alloc; otherwise, a user
+ can potentially DoS the system by exhausting memory. Not sure whether root
+ is required to open the vnode device, but to be on the safe side...
+ (Andres Salomon)
+
+ * 109-binfmt_elf_loader_solar_designer_fixes.dpatch
+ [SECURITY] Fix from Solar Designer; the binfmt_elf load routines are
+ returning incorrect values, and are not strict enough in checking the
+ number of program headers (Andres Salomon).
+
+ * 110-load_module_arg_checking.dpatch
+ If the parsing of module args failed, the module could still be loaded
+ successfully. Fix that (Andres Salomon).
+
+ * 111-security_seclvl_kconfig_dep.dpatch
+ Add a Kconfig dependency on CRYPTO for SECURITY_SECLVL (Andres Salomon).
+
+ * 112-audit_receive_skb_double_negative_return_val.dpatch
+ audit_receive_skb negates the err it receives from audit_receive_msg. It
+ shouldn't do that (Andres Salomon).
+
+ * 114-netfilter_private_queues.dpatch
+ [NETFILTER] Amongst netfilter users, skb frag queues were shared. This
+ could cause problems. See
+ http://oss.sgi.com/archives/netdev/2005-01/threads.html#01036 for more
+ details (Andres Salomon).
+
+ * 115-proc_file_read_nbytes_signedness_fix.dpatch
+ [SECURITY] Heap overflow fix in /proc; WDYBTGT3-1 on
+ http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
+ No CAN# assigned yet, afaik (Andres Salomon).
+
+ * 116-n_tty_copy_from_read_buf_signedness_fixes.dpatch
+ [SECURITY] copy_from_read_buf() fix; WDYBTGT3-2 on
+ http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
+ No CAN#, yet (Andres Salomon).
+
+ * 117-reiserfs_file_64bit_size_t_fixes.dpatch
+ [SECURITY] reiserfs integer fixes; WDYBTGT3-4 on
+ http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
+ (Andres Salomon).
+
+ * 118-i2c_sis5595_setup_pci_config_return_checks.dpatch
+ [I2C] The i2c-sis5595 was forward ported from 2.4, but the calls to
+ read the pci config registers were never updated for 2.6. As such, they
+ are incorrectly handling the results of the function calls
+ (Andres Salomon).
+
+ * 119-i2c_viapro_i2cdump_overflow.dpatch
+ [SECURITY] Fix a very hard to exploit buffer overflow in the i2c-viapro
+ driver (Andres Salomon).
+
+ * 120-openpromfs_property_read_fix.dpatch
+ Fix an oopsable condition in Openpromfs's property_read() (Andres Salomon).
+
+ * 121-cpufreq_resume_readd.dpatch
+ [CPUFREQ] Somewhere around 2.6.6, a call to cpufreq_driver->resume() was
+ accidentally dropped. Readd it (Andres Salomon).
+
+ * 122-cpufreq_resume_readd_2.dpatch
+ [CPUFREQ] Fix a problem w/ 121-cpufreq_resume_readd.patch, where a return
+ value was not being checked correctly (Andres Salomon).
+
+ * 123-atm_get_addr_signedness_fix.dpatch
+ [SECURITY] Fix atm_get_addr()'s usage of its size arg, by making it
+ unsigned. WDYBTGT3-3 on
+ http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
+ (Andres Salomon).
+
+ * 125-netfilter_private_queues_2.dpatch
+ [SECURITY] Add missing bits needed to make 114-netfilter_private_queues.patch
+ compile. Patch stolen from ubuntu (mainly to keep the same ABI)
+ (Andres Salomon).
+
+ * 126-ftdi_sio_set_serial_info_baud_base_check.dpatch
+ [USB] Change ftdi_sio's set_serial_info() to do a correct check for baud_base;
+ it should be checking if baud_base<9600 if the baud_base has changed
+ (Andres Salomon).
+
+ * 127-ia64_ptrace_corner_case.dpatch
+ [IA64] Fix some ptrace corner cases in ia64. Nasty stuff (Andres Salomon).
+
+ * 129-video_cg3_screen_blanking.dpatch
+ [SPARC] Fix cg3 blanking; the driver was setting _ENABLE_VIDEO on POWERDOWN,
+ instead of unsetting it (Andres Salomon).
+
+ * 130-sparc_prom_nodematch_check_getproperty.dpatch
+ [SPARC] In prom_nodematch, check whether prom_getproperty() actually
+ succeeds before using the string it sets (Andres Salomon).
+
+ * 131-sparc_check_prom_getproperty.dpatch
+ [SPARC] Check return value from prom_getproperty() in various places where
+ it wasn't being checked (Andres Salomon).
+
+ * 132-sparc32_get_tv32_use_correct_variable.dpatch
+ [SPARC] get_tv32() uses a non-existent variable 'tv32'. Fix that
+ (Andres Salomon).
+
+ * 133-scsi_advansys_build_with_non_pci.dpatch
+ [SCSI] Allow advansys driver to compile if CONFIG_PCI isn't set
+ (Andres Salomon).
+
+ * 134-cciss_scsi_detect_put_host_on_error.dpatch
+ [SCSI] cciss_scsi_detect() calls scsi_add_host(), which bumps the refcount
+ (even in the event of an error). Thus, if scsi_add_host fails, the
+ scsi host refcount needs to be decremented; so, call scsi_host_put upon
+ error (Andres Salomon).
+
+ * 135-64bit_sys_shmget_compat_size_t_overflow.dpatch
+ 64bit archs that offer 32bit compat wrappers for sys_shmget were mostly
+ passing the second arg as a 32bit signed int; what would happen then is,
+ it would be casted to a size_t (64bit unsigned), and the sign would cause
+ it to overflow. Instead, we need to cast to a 32bit unsigned value first,
+ and then cast to 64bit unsigned (Andres Salomon).
+
+ * 136-64bit_sys_compat_overflows.dpatch
+ More of the same as 135*.dpatch, except for stuff like sys_ipc, sys_semget,
+ sys_msgsnd, etc (Andres Salomon).
+
+ * 137-ppc64_prom_initialize_tce_table_typo.dpatch
+ [PPC64] prom_initialize_tce_table() refers to 'vbase', which doesn't
+ actually exist; instead, 'base' was what was meant (Andres Salomon).
+
+ * 138-tulip_de_init_one_irq_init.dpatch
+ The tulip driver's de_init_one() was using pdev->irq before it had been
+ initialized. Move its usage until after it has been initted
+ (Andres Salomon).
+
+ * 139-pci_dma_free_coherent.dpatch
+ [I386] dma_free_coherent() was calling kmalloc with its args reversed;
+ clearly incorrect (Andres Salomon).
+
+ * 140-s390_memset_arg_order_fixes.dpatch
+ [S390] Fix various drivers that call memset() with args in the wrong order
+ (Andres Salomon).
+
+ * 141-pci_devices_dont_disable_dev_if_busy.dpatch
+ For various pci devices, if pci_request_regions fails (because resources
+ are already in use), don't disable the pci device (someone else is using it)
+ (Andres Salomon).
+
+ * 142-r8169_dev_alloc_skb_alignment_fix.dpatch
+ The r8169 driver wasn't alloc'ing enough memory for skbs; the size should
+ be padded by NET_IP_ALIGN (Andres Salomon).
+
+ * 143-sysfs_write_file_signedness_problem.dpatch
+ [SYSFS] sysfs_write_file assigns the result of fill_write_buffer (which is
+ signed and returns negative upon error) to an unsigned int. Clearly, bad
+ and wrong.. (Andres Salomon)
+
+ * 144-sys_epoll_wait_int_overflow.dpatch
+ [SECURITY] sys_epoll_wait contains an integer overflow; see
+ http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html for additional
+ details (Andres Salomon).
+
+ * ipv4-fragment-queues.dpatch, ipv4-fragment-queues-2.dpatch:
+ Drop netfilter frag queue stuff, as a) it's an ABI change,
+ b) it's fixed in 2.6.11, and c) it's not that critical. It's more
+ important to get other 2.6.10 fixes out to people (Andres Salomon).
+
+ -- Andres Salomon <dilinger@voxel.net> Thu, 10 Mar 2005 18:25:39 -0500
+
kernel-source-2.6.10 (2.6.10-5) unstable; urgency=low
* Change $((exp) | exp) to $( (exp) | exp), so things work with dash
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/088-ibmvscsi_event_struct_use_after_free.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/088-ibmvscsi_event_struct_use_after_free.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/088-ibmvscsi_event_struct_use_after_free.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,104 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] ibmvscsi: fix dangling pointer reference
+## DP: Patch author: sleddog@us.ibm.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/31 13:33:47-06:00 sleddog@us.ibm.com
+# [PATCH] ibmvscsi: fix dangling pointer reference
+#
+# This code has been problematic for a while and still contained a leg
+# where free_event_struct was called....followed by a reference to the
+# event_struct. Restructure to make the code cleaner and fix the
+# dangling pointer reference.
+#
+# Signed-off-by: Dave Boutcher <boutcher@us.ibm.com>
+# Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
+#
+# drivers/scsi/ibmvscsi/ibmvscsi.c
+# 2004/12/31 09:59:46-06:00 sleddog@us.ibm.com +24 -25
+# ibmvscsi: fix dangling pointer reference
+#
+diff -Nru a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c
+--- a/drivers/scsi/ibmvscsi/ibmvscsi.c 2005-02-14 05:09:06 -08:00
++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c 2005-02-14 05:09:06 -08:00
+@@ -467,7 +467,7 @@
+ static int ibmvscsi_send_srp_event(struct srp_event_struct *evt_struct,
+ struct ibmvscsi_host_data *hostdata)
+ {
+- struct scsi_cmnd *cmnd = evt_struct->cmnd;
++ struct scsi_cmnd *cmnd;
+ u64 *crq_as_u64 = (u64 *) &evt_struct->crq;
+ int rc;
+
+@@ -479,22 +479,15 @@
+ if ((evt_struct->crq.format == VIOSRP_SRP_FORMAT) &&
+ (atomic_dec_if_positive(&hostdata->request_limit) < 0)) {
+ /* See if the adapter is disabled */
+- if (atomic_read(&hostdata->request_limit) < 0) {
+- if (cmnd)
+- cmnd->result = DID_ERROR << 16;
+- if (evt_struct->cmnd_done)
+- evt_struct->cmnd_done(cmnd);
+- unmap_cmd_data(&evt_struct->iu.srp.cmd,
+- hostdata->dev);
+- free_event_struct(&hostdata->pool, evt_struct);
+- return 0;
+- } else {
+- printk("ibmvscsi: Warning, request_limit exceeded\n");
+- unmap_cmd_data(&evt_struct->iu.srp.cmd,
+- hostdata->dev);
+- free_event_struct(&hostdata->pool, evt_struct);
+- return SCSI_MLQUEUE_HOST_BUSY;
+- }
++ if (atomic_read(&hostdata->request_limit) < 0)
++ goto send_error;
++
++ printk(KERN_WARNING
++ "ibmvscsi: Warning, request_limit exceeded\n");
++ unmap_cmd_data(&evt_struct->iu.srp.cmd,
++ hostdata->dev);
++ free_event_struct(&hostdata->pool, evt_struct);
++ return SCSI_MLQUEUE_HOST_BUSY;
+ }
+
+ /* Copy the IU into the transfer area */
+@@ -511,17 +504,23 @@
+ ibmvscsi_send_crq(hostdata, crq_as_u64[0], crq_as_u64[1])) != 0) {
+ list_del(&evt_struct->list);
+
+- cmnd = evt_struct->cmnd;
+ printk(KERN_ERR "ibmvscsi: failed to send event struct rc %d\n",
+ rc);
+- unmap_cmd_data(&evt_struct->iu.srp.cmd, hostdata->dev);
+- free_event_struct(&hostdata->pool, evt_struct);
+- if (cmnd)
+- cmnd->result = DID_ERROR << 16;
+- if (evt_struct->cmnd_done)
+- evt_struct->cmnd_done(cmnd);
++ goto send_error;
+ }
+
++ return 0;
++
++ send_error:
++ unmap_cmd_data(&evt_struct->iu.srp.cmd, hostdata->dev);
++
++ if ((cmnd = evt_struct->cmnd) != NULL) {
++ cmnd->result = DID_ERROR << 16;
++ evt_struct->cmnd_done(cmnd);
++ } else if (evt_struct->done)
++ evt_struct->done(evt_struct);
++
++ free_event_struct(&hostdata->pool, evt_struct);
+ return 0;
+ }
+
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/089-i386_acpi_backwards_ifdef.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/089-i386_acpi_backwards_ifdef.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/089-i386_acpi_backwards_ifdef.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,35 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [ACPI] fix polarity of CONFIG_X86_SPEEDSTEP_CENTRINO_ACPI message
+## DP: Patch author: len.brown@intel.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/08 00:40:23-05:00 len.brown@intel.com
+# [ACPI] fix polarity of CONFIG_X86_SPEEDSTEP_CENTRINO_ACPI message
+#
+# Signed-off-by: Len Brown <len.brown@intel.com>
+#
+# arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c
+# 2004/12/08 00:36:27-05:00 len.brown@intel.com +1 -1
+# complain about CONFIG_X86_SPEEDSTEP_CENTRINO_ACPI missing only when it is missing
+#
+diff -Nru a/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c b/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c
+--- a/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2005-02-14 00:35:39 -08:00
++++ b/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2005-02-14 00:35:39 -08:00
+@@ -249,7 +249,7 @@
+ /* Matched a non-match */
+ printk(KERN_INFO PFX "no table support for CPU model \"%s\": \n",
+ cpu->x86_model_id);
+-#ifdef CONFIG_X86_SPEEDSTEP_CENTRINO_ACPI
++#ifndef CONFIG_X86_SPEEDSTEP_CENTRINO_ACPI
+ printk(KERN_INFO PFX "try compiling with CONFIG_X86_SPEEDSTEP_CENTRINO_ACPI enabled\n");
+ #endif
+ return -ENOENT;
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/090-alsa_midi_emulation_chorus_reverb_swap.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/090-alsa_midi_emulation_chorus_reverb_swap.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/090-alsa_midi_emulation_chorus_reverb_swap.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,52 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [ALSA] fix MIDI GS chorus/reverb mode
+## DP: Patch author: perex@suse.cz
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/29 09:05:55+01:00 perex@suse.cz
+# [ALSA] fix MIDI GS chorus/reverb mode
+#
+# ALSA sequencer
+# Fixed the parsing of MIDI GS chorus/reverb mode SYSEX messages.
+# They were swapped.
+#
+# Signed-off-by: Takashi Iwai <tiwai@suse.de>
+#
+# sound/core/seq/seq_midi_emul.c
+# 2004/11/16 08:41:03+01:00 perex@suse.cz +2 -2
+# [ALSA] fix MIDI GS chorus/reverb mode
+#
+# D:2004/11/16 15:41:03
+# C:ALSA sequencer
+# F:core/seq/seq_midi_emul.c:1.11->1.12
+# L:Fixed the parsing of MIDI GS chorus/reverb mode SYSEX messages.
+# L:They were swapped.
+# Signed-off-by: Takashi Iwai <tiwai@suse.de>
+#
+diff -Nru a/sound/core/seq/seq_midi_emul.c b/sound/core/seq/seq_midi_emul.c
+--- a/sound/core/seq/seq_midi_emul.c 2005-02-14 03:21:19 -08:00
++++ b/sound/core/seq/seq_midi_emul.c 2005-02-14 03:21:19 -08:00
+@@ -549,12 +549,12 @@
+
+ } else if (buf[5] == 0x01 && buf[6] == 0x30) {
+ /* reverb mode */
+- parsed = SNDRV_MIDI_SYSEX_GS_CHORUS_MODE;
++ parsed = SNDRV_MIDI_SYSEX_GS_REVERB_MODE;
+ chset->gs_reverb_mode = buf[7];
+
+ } else if (buf[5] == 0x01 && buf[6] == 0x38) {
+ /* chorus mode */
+- parsed = SNDRV_MIDI_SYSEX_GS_REVERB_MODE;
++ parsed = SNDRV_MIDI_SYSEX_GS_CHORUS_MODE;
+ chset->gs_chorus_mode = buf[7];
+
+ } else if (buf[5] == 0x00 && buf[6] == 0x04) {
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/091-alsa_emu8000_load_fx_skip_header.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/091-alsa_emu8000_load_fx_skip_header.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/091-alsa_emu8000_load_fx_skip_header.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,48 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [ALSA] fix chorus/reverb FX loader
+## DP: Patch author: perex@suse.cz
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/29 09:06:58+01:00 perex@suse.cz
+# [ALSA] fix chorus/reverb FX loader
+#
+# EMU8000 driver
+# Fixed the chorus/reverb FX loader callback.
+# The header bytes must be eliminated.
+#
+# Signed-off-by: Takashi Iwai <tiwai@suse.de>
+#
+# sound/isa/sb/emu8000_callback.c
+# 2004/11/16 08:43:28+01:00 perex@suse.cz +4 -0
+# [ALSA] fix chorus/reverb FX loader
+#
+# D:2004/11/16 15:43:28
+# C:EMU8000 driver
+# F:isa/sb/emu8000_callback.c:1.10->1.11
+# L:Fixed the chorus/reverb FX loader callback.
+# L:The header bytes must be eliminated.
+# Signed-off-by: Takashi Iwai <tiwai@suse.de>
+#
+diff -Nru a/sound/isa/sb/emu8000_callback.c b/sound/isa/sb/emu8000_callback.c
+--- a/sound/isa/sb/emu8000_callback.c 2005-02-14 03:21:39 -08:00
++++ b/sound/isa/sb/emu8000_callback.c 2005-02-14 03:21:39 -08:00
+@@ -528,6 +528,10 @@
+ emu8000_t *hw;
+ hw = emu->hw;
+
++ /* skip header */
++ buf += 16;
++ len -= 16;
++
+ switch (type) {
+ case SNDRV_EMU8000_LOAD_CHORUS_FX:
+ return snd_emu8000_load_chorus_fx(hw, mode, buf, len);
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/092-net_sched_police_locate_sanity_check_input.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/092-net_sched_police_locate_sanity_check_input.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/092-net_sched_police_locate_sanity_check_input.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,92 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PKT_SCHED]: Validate policer configuration TLVs.
+## DP: Patch author: tgraf@suug.ch
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/27 18:06:57-08:00 tgraf@suug.ch
+# [PKT_SCHED]: Validate policer configuration TLVs.
+#
+# Signed-off-by: Thomas Graf <tgraf@suug.ch>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/sched/police.c
+# 2004/12/27 18:06:37-08:00 tgraf@suug.ch +22 -8
+# [PKT_SCHED]: Validate policer configuration TLVs.
+#
+# Signed-off-by: Thomas Graf <tgraf@suug.ch>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/net/sched/police.c b/net/sched/police.c
+--- a/net/sched/police.c 2005-02-14 02:43:40 -08:00
++++ b/net/sched/police.c 2005-02-14 02:43:40 -08:00
+@@ -180,7 +180,8 @@
+ if (rtattr_parse(tb, TCA_POLICE_MAX, RTA_DATA(rta), RTA_PAYLOAD(rta)) < 0)
+ return -1;
+
+- if (tb[TCA_POLICE_TBF-1] == NULL)
++ if (tb[TCA_POLICE_TBF-1] == NULL ||
++ RTA_PAYLOAD(tb[TCA_POLICE_TBF-1]) != sizeof(*parm))
+ return -1;
+
+ parm = RTA_DATA(tb[TCA_POLICE_TBF-1]);
+@@ -220,11 +221,17 @@
+ goto failure;
+ }
+ }
+- if (tb[TCA_POLICE_RESULT-1])
+- p->result = *(int*)RTA_DATA(tb[TCA_POLICE_RESULT-1]);
++ if (tb[TCA_POLICE_RESULT-1]) {
++ if (RTA_PAYLOAD(tb[TCA_POLICE_RESULT-1]) != sizeof(u32))
++ goto failure;
++ p->result = *(u32*)RTA_DATA(tb[TCA_POLICE_RESULT-1]);
++ }
+ #ifdef CONFIG_NET_ESTIMATOR
+- if (tb[TCA_POLICE_AVRATE-1])
++ if (tb[TCA_POLICE_AVRATE-1]) {
++ if (RTA_PAYLOAD(tb[TCA_POLICE_AVRATE-1]) != sizeof(u32))
++ goto failure;
+ p->ewma_rate = *(u32*)RTA_DATA(tb[TCA_POLICE_AVRATE-1]);
++ }
+ #endif
+ p->toks = p->burst = parm->burst;
+ p->mtu = parm->mtu;
+@@ -424,7 +431,8 @@
+ if (rtattr_parse(tb, TCA_POLICE_MAX, RTA_DATA(rta), RTA_PAYLOAD(rta)) < 0)
+ return NULL;
+
+- if (tb[TCA_POLICE_TBF-1] == NULL)
++ if (tb[TCA_POLICE_TBF-1] == NULL ||
++ RTA_PAYLOAD(tb[TCA_POLICE_TBF-1]) != sizeof(*parm))
+ return NULL;
+
+ parm = RTA_DATA(tb[TCA_POLICE_TBF-1]);
+@@ -449,11 +457,17 @@
+ (p->P_tab = qdisc_get_rtab(&parm->peakrate, tb[TCA_POLICE_PEAKRATE-1])) == NULL)
+ goto failure;
+ }
+- if (tb[TCA_POLICE_RESULT-1])
+- p->result = *(int*)RTA_DATA(tb[TCA_POLICE_RESULT-1]);
++ if (tb[TCA_POLICE_RESULT-1]) {
++ if (RTA_PAYLOAD(tb[TCA_POLICE_RESULT-1]) != sizeof(u32))
++ goto failure;
++ p->result = *(u32*)RTA_DATA(tb[TCA_POLICE_RESULT-1]);
++ }
+ #ifdef CONFIG_NET_ESTIMATOR
+- if (tb[TCA_POLICE_AVRATE-1])
++ if (tb[TCA_POLICE_AVRATE-1]) {
++ if (RTA_PAYLOAD(tb[TCA_POLICE_AVRATE-1]) != sizeof(u32))
++ goto failure;
+ p->ewma_rate = *(u32*)RTA_DATA(tb[TCA_POLICE_AVRATE-1]);
++ }
+ #endif
+ p->toks = p->burst = parm->burst;
+ p->mtu = parm->mtu;
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/093-e1000_eeprom_read_off_by_one.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/093-e1000_eeprom_read_off_by_one.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/093-e1000_eeprom_read_off_by_one.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,47 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] e1000: Applied eeprom fix where it was possible to read/write
+## DP: Patch author: ganesh.venkatesan@intel.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/06 21:30:30-05:00 ganesh.venkatesan@intel.com
+# [PATCH] e1000: Applied eeprom fix where it was possible to read/write
+# one more word than what should have been possible.
+#
+# Signed-off-by: Ganesh Venkatesan <ganesh.venkatesan@intel.com>
+# Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
+#
+# drivers/net/e1000/e1000_hw.c
+# 2004/12/03 10:24:38-05:00 ganesh.venkatesan@intel.com +2 -2
+# e1000: Applied eeprom fix where it was possible to read/write one more
+# word than what should have been possible.
+#
+diff -Nru a/drivers/net/e1000/e1000_hw.c b/drivers/net/e1000/e1000_hw.c
+--- a/drivers/net/e1000/e1000_hw.c 2005-02-14 01:05:26 -08:00
++++ b/drivers/net/e1000/e1000_hw.c 2005-02-14 01:05:26 -08:00
+@@ -3504,7 +3504,7 @@
+ /* A check for invalid values: offset too large, too many words, and not
+ * enough words.
+ */
+- if((offset > eeprom->word_size) || (words > eeprom->word_size - offset) ||
++ if((offset >= eeprom->word_size) || (words > eeprom->word_size - offset) ||
+ (words == 0)) {
+ DEBUGOUT("\"words\" parameter out of bounds\n");
+ return -E1000_ERR_EEPROM;
+@@ -3652,7 +3652,7 @@
+ /* A check for invalid values: offset too large, too many words, and not
+ * enough words.
+ */
+- if((offset > eeprom->word_size) || (words > eeprom->word_size - offset) ||
++ if((offset >= eeprom->word_size) || (words > eeprom->word_size - offset) ||
+ (words == 0)) {
+ DEBUGOUT("\"words\" parameter out of bounds\n");
+ return -E1000_ERR_EEPROM;
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/094-scsi_device_set_state_missing_oldstate.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/094-scsi_device_set_state_missing_oldstate.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/094-scsi_device_set_state_missing_oldstate.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,36 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: SCSI: Add missing state transition BLOCK->OFFLINE
+## DP: Patch author: jejb@mulgrave.(none)
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/16 16:05:58-06:00 jejb@mulgrave.(none)
+# SCSI: Add missing state transition BLOCK->OFFLINE
+#
+# From: James.Smart@Emulex.Com
+#
+# Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
+#
+# drivers/scsi/scsi_lib.c
+# 2004/11/16 16:05:38-06:00 jejb@mulgrave.(none) +1 -0
+# SCSI: Add missing state transition BLOCK->OFFLINE
+#
+diff -Nru a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+--- a/drivers/scsi/scsi_lib.c 2005-02-14 06:20:03 -08:00
++++ b/drivers/scsi/scsi_lib.c 2005-02-14 06:20:03 -08:00
+@@ -1672,6 +1672,7 @@
+ case SDEV_CREATED:
+ case SDEV_RUNNING:
+ case SDEV_QUIESCE:
++ case SDEV_BLOCK:
+ break;
+ default:
+ goto illegal;
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/095-jffs2_build_filesystem_memory_leak.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/095-jffs2_build_filesystem_memory_leak.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/095-jffs2_build_filesystem_memory_leak.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,102 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: JFFS2: Fix memory leak if jffs2_scan_medium() fails.
+## DP: Patch author: dwmw2@shinybook.infradead.org
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/20 10:58:16+00:00 dwmw2@shinybook.infradead.org
+# JFFS2: Fix memory leak if jffs2_scan_medium() fails.
+#
+# We weren't releasing all the temporary dirent structures we may have
+# built up during the first part of the scan.
+#
+# Signed-off-by: Artem Bityuckiy <dedekind@infradead.org>
+# Signed-off-by: David Woodhouse <dwmw2@infradead.org>
+#
+# fs/jffs2/build.c
+# 2004/11/20 10:57:52+00:00 dwmw2@shinybook.infradead.org +17 -6
+# revision 1.64
+# date: 2004/11/20 10:44:07; author: dwmw2; state: Exp; lines: +1 -2
+# wbuf_sem is now nand-only
+# ----------------------------
+# revision 1.63
+# date: 2004/11/20 08:45:15; author: dwmw2; state: Exp; lines: +2 -2
+# remove double semicolon
+# ----------------------------
+# revision 1.62
+# date: 2004/11/19 13:41:16; author: dedekind; state: Exp; lines: +2 -1
+# Bugfix: fix the race bug when a writed and reader concurrently access
+# the wbuf. Introduce new rw semaphore to fix this.
+# ----------------------------
+# revision 1.61
+# date: 2004/11/18 11:17:41; author: dedekind; state: Exp; lines: +17 -6
+# Bugfix: do not forget to free memory if the jffs2_scan_inode_node()
+# fails.
+#
+diff -Nru a/fs/jffs2/build.c b/fs/jffs2/build.c
+--- a/fs/jffs2/build.c 2005-02-18 23:45:11 -08:00
++++ b/fs/jffs2/build.c 2005-02-18 23:45:11 -08:00
+@@ -89,6 +89,7 @@
+ int ret;
+ int i;
+ struct jffs2_inode_cache *ic;
++ struct jffs2_full_dirent *fd;
+ struct jffs2_full_dirent *dead_fds = NULL;
+
+ /* First, scan the medium and build all the inode caches with
+@@ -97,7 +98,7 @@
+ c->flags |= JFFS2_SB_FLAG_MOUNTING;
+
+ if (ret)
+- return ret;
++ goto exit;
+
+ D1(printk(KERN_DEBUG "Scanned flash completely\n"));
+ D2(jffs2_dump_block_lists(c));
+@@ -136,9 +137,7 @@
+ D1(printk(KERN_DEBUG "Pass 2a starting\n"));
+
+ while (dead_fds) {
+- struct jffs2_inode_cache *ic;
+- struct jffs2_full_dirent *fd = dead_fds;
+-
++ fd = dead_fds;
+ dead_fds = fd->next;
+
+ ic = jffs2_get_ino_cache(c, fd->ino);
+@@ -153,7 +152,6 @@
+
+ /* Finally, we can scan again and free the dirent structs */
+ for_each_inode(i, c, ic) {
+- struct jffs2_full_dirent *fd;
+ D1(printk(KERN_DEBUG "Pass 3: ino #%u, ic %p, nodes %p\n", ic->ino, ic, ic->nodes));
+
+ while(ic->scan_dents) {
+@@ -169,6 +167,19 @@
+
+ /* Rotate the lists by some number to ensure wear levelling */
+ jffs2_rotate_lists(c);
++
++ ret = 0;
++
++exit:
++ if (ret) {
++ for_each_inode(i, c, ic) {
++ while(ic->scan_dents) {
++ fd = ic->scan_dents;
++ ic->scan_dents = fd->next;
++ jffs2_free_full_dirent(fd);
++ }
++ }
++ }
+
+ return ret;
+ }
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/096-mtd_formatblock_zero_before_assignment.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/096-mtd_formatblock_zero_before_assignment.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/096-mtd_formatblock_zero_before_assignment.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,111 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: MTD: Fix oops on erase in NFTL/INFTL (again).
+## DP: Patch author: dwmw2@shinybook.infradead.org
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/27 22:59:41+00:00 dwmw2@shinybook.infradead.org
+# MTD: Fix oops on erase in NFTL/INFTL (again).
+#
+# Only this time, set the field we were dereferencing _after_ we zero it not before.
+#
+# Signed-off-by: Kalev Lember <kalev@colleduc.ee>
+# Signed-off-by: David Woodhouse <dwmw2@infradead.org>
+#
+# drivers/mtd/inftlmount.c
+# 2004/11/27 22:59:16+00:00 dwmw2@shinybook.infradead.org +3 -4
+# revision 1.16
+# date: 2004/11/22 13:50:53; author: kalev; state: Exp; lines: +3 -4
+# fix oops
+# (the instr was zeroed _after_ setting instr->mtd)
+#
+# drivers/mtd/nftlmount.c
+# 2004/11/27 22:59:16+00:00 dwmw2@shinybook.infradead.org +3 -4
+# revision 1.40
+# date: 2004/11/22 14:38:29; author: kalev; state: Exp; lines: +3 -4
+# fix oops
+#
+diff -Nru a/drivers/mtd/inftlmount.c b/drivers/mtd/inftlmount.c
+--- a/drivers/mtd/inftlmount.c 2005-02-14 05:15:02 -08:00
++++ b/drivers/mtd/inftlmount.c 2005-02-14 05:15:02 -08:00
+@@ -8,7 +8,7 @@
+ * Author: Fabrice Bellard (fabrice.bellard@netgem.com)
+ * Copyright (C) 2000 Netgem S.A.
+ *
+- * $Id: inftlmount.c,v 1.15 2004/11/05 21:55:55 kalev Exp $
++ * $Id: inftlmount.c,v 1.16 2004/11/22 13:50:53 kalev Exp $
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -41,7 +41,7 @@
+ #include <linux/mtd/inftl.h>
+ #include <linux/mtd/compatmac.h>
+
+-char inftlmountrev[]="$Revision: 1.15 $";
++char inftlmountrev[]="$Revision: 1.16 $";
+
+ /*
+ * find_boot_record: Find the INFTL Media Header and its Spare copy which
+@@ -389,8 +389,6 @@
+ struct erase_info *instr = &inftl->instr;
+ int physblock;
+
+- instr->mtd = inftl->mbd.mtd;
+-
+ DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_formatblock(inftl=%p,"
+ "block=%d)\n", inftl, block);
+
+@@ -400,6 +398,7 @@
+ _first_? */
+
+ /* Use async erase interface, test return code */
++ instr->mtd = inftl->mbd.mtd;
+ instr->addr = block * inftl->EraseSize;
+ instr->len = inftl->mbd.mtd->erasesize;
+ /* Erase one physical eraseblock at a time, even though the NAND api
+diff -Nru a/drivers/mtd/nftlmount.c b/drivers/mtd/nftlmount.c
+--- a/drivers/mtd/nftlmount.c 2005-02-14 05:15:02 -08:00
++++ b/drivers/mtd/nftlmount.c 2005-02-14 05:15:02 -08:00
+@@ -4,7 +4,7 @@
+ * Author: Fabrice Bellard (fabrice.bellard@netgem.com)
+ * Copyright (C) 2000 Netgem S.A.
+ *
+- * $Id: nftlmount.c,v 1.39 2004/11/05 22:51:41 kalev Exp $
++ * $Id: nftlmount.c,v 1.40 2004/11/22 14:38:29 kalev Exp $
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -31,7 +31,7 @@
+
+ #define SECTORSIZE 512
+
+-char nftlmountrev[]="$Revision: 1.39 $";
++char nftlmountrev[]="$Revision: 1.40 $";
+
+ /* find_boot_record: Find the NFTL Media Header and its Spare copy which contains the
+ * various device information of the NFTL partition and Bad Unit Table. Update
+@@ -302,8 +302,6 @@
+ struct nftl_uci1 uci;
+ struct erase_info *instr = &nftl->instr;
+
+- instr->mtd = nftl->mbd.mtd;
+-
+ /* Read the Unit Control Information #1 for Wear-Leveling */
+ if (MTD_READOOB(nftl->mbd.mtd, block * nftl->EraseSize + SECTORSIZE + 8,
+ 8, &retlen, (char *)&uci) < 0)
+@@ -320,6 +318,7 @@
+ memset(instr, 0, sizeof(struct erase_info));
+
+ /* XXX: use async erase interface, XXX: test return code */
++ instr->mtd = nftl->mbd.mtd;
+ instr->addr = block * nftl->EraseSize;
+ instr->len = nftl->EraseSize;
+ MTD_ERASE(nftl->mbd.mtd, instr);
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/097-mtd_s3c2410_nand_inithw_calc_rate_fix.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/097-mtd_s3c2410_nand_inithw_calc_rate_fix.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/097-mtd_s3c2410_nand_inithw_calc_rate_fix.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,53 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: MTD: Fix timing setup for NAND flash on Samsung S3C2410.
+## DP: Patch author: dwmw2@shinybook.infradead.org
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/27 23:02:48+00:00 dwmw2@shinybook.infradead.org
+# MTD: Fix timing setup for NAND flash on Samsung S3C2410.
+#
+# Spotted by Shannon Holland.
+#
+# Signed-off-by: Ben Dooks <ben@simtec.co.uk>
+# Signed-off-by: David Woodhouse <dwmw2@infradead.org>
+#
+# drivers/mtd/nand/s3c2410.c
+# 2004/11/27 23:02:28+00:00 dwmw2@shinybook.infradead.org +2 -2
+# revision 1.6
+# date: 2004/11/24 12:25:48; author: bjd; state: Exp; lines: +2 -2
+# correct timing setup to use plat->twrph1 instead of
+# plat->twrph0 for timing setup for the NAND controllers
+# twrph1 configuration
+#
+# Thanks to Shannon Holland for pointing this out
+#
+diff -Nru a/drivers/mtd/nand/s3c2410.c b/drivers/mtd/nand/s3c2410.c
+--- a/drivers/mtd/nand/s3c2410.c 2005-02-14 05:15:46 -08:00
++++ b/drivers/mtd/nand/s3c2410.c 2005-02-14 05:15:46 -08:00
+@@ -11,7 +11,7 @@
+ * 28-Sep-2004 BJD Fixed ECC placement for Hardware mode
+ * 12-Oct-2004 BJD Fixed errors in use of platform data
+ *
+- * $Id: s3c2410.c,v 1.5 2004/10/12 10:10:15 bjd Exp $
++ * $Id: s3c2410.c,v 1.6 2004/11/24 12:25:48 bjd Exp $
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -167,7 +167,7 @@
+ if (plat != NULL) {
+ tacls = s3c2410_nand_calc_rate(plat->tacls, clkrate, 8);
+ twrph0 = s3c2410_nand_calc_rate(plat->twrph0, clkrate, 8);
+- twrph1 = s3c2410_nand_calc_rate(plat->twrph0, clkrate, 8);
++ twrph1 = s3c2410_nand_calc_rate(plat->twrph1, clkrate, 8);
+ } else {
+ /* default timings */
+ tacls = 8;
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/098-jffs2_do_mount_fs_init_bad_count.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/098-jffs2_do_mount_fs_init_bad_count.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/098-jffs2_do_mount_fs_init_bad_count.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,37 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: JFFS2: Initialise bad_count for each eraseblock correctly.
+## DP: Patch author: dwmw2@shinybook.infradead.org
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/28 00:11:59+00:00 dwmw2@shinybook.infradead.org
+# JFFS2: Initialise bad_count for each eraseblock correctly.
+#
+# Patch from Estelle Hammache <estelle.hammache@st.com>
+# Signed-off-by: David Woodhouse <dwmw2@infradead.org>
+#
+# fs/jffs2/build.c
+# 2004/11/28 00:11:36+00:00 dwmw2@shinybook.infradead.org +2 -1
+# revision 1.66
+# date: 2004/11/20 19:18:07; author: dwmw2; state: Exp; lines: +2 -1
+# Patch from Estelle Hammache: initialise bad_count.
+#
+diff -Nru a/fs/jffs2/build.c b/fs/jffs2/build.c
+--- a/fs/jffs2/build.c 2005-02-14 01:25:59 -08:00
++++ b/fs/jffs2/build.c 2005-02-14 01:25:59 -08:00
+@@ -325,6 +325,7 @@
+ c->blocks[i].used_size = 0;
+ c->blocks[i].first_node = NULL;
+ c->blocks[i].last_node = NULL;
++ c->blocks[i].bad_count = 0;
+ }
+
+ init_MUTEX(&c->alloc_sem);
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/099-jfs_commit_inode_commit_race.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/099-jfs_commit_inode_commit_race.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/099-jfs_commit_inode_commit_race.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,57 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: JFS: fix race in jfs_commit_inode
+## DP: Patch author: shaggy@austin.ibm.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/17 12:51:43-06:00 shaggy@austin.ibm.com
+# JFS: fix race in jfs_commit_inode
+#
+# There was a race that resulted in old, deleted inodes being written
+# to disk after the inode number had been reused. jfs_commit_inode
+# needs to verify that the inode is still linked and dirty before
+# committing it.
+#
+# Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com>
+#
+# fs/jfs/inode.c
+# 2004/11/17 12:51:26-06:00 shaggy@austin.ibm.com +8 -3
+# jfs_commit_inode needs to re-verify that inode is still linked
+# and dirty
+#
+diff -Nru a/fs/jfs/inode.c b/fs/jfs/inode.c
+--- a/fs/jfs/inode.c 2005-02-14 05:02:36 -08:00
++++ b/fs/jfs/inode.c 2005-02-14 05:02:36 -08:00
+@@ -81,8 +81,7 @@
+ * Don't commit if inode has been committed since last being
+ * marked dirty, or if it has been deleted.
+ */
+- if (test_cflag(COMMIT_Nolink, inode) ||
+- !test_cflag(COMMIT_Dirty, inode))
++ if (inode->i_nlink == 0 || !test_cflag(COMMIT_Dirty, inode))
+ return 0;
+
+ if (isReadOnly(inode)) {
+@@ -100,7 +99,13 @@
+
+ tid = txBegin(inode->i_sb, COMMIT_INODE);
+ down(&JFS_IP(inode)->commit_sem);
+- rc = txCommit(tid, 1, &inode, wait ? COMMIT_SYNC : 0);
++
++ /*
++ * Retest inode state after taking commit_sem
++ */
++ if (inode->i_nlink && test_cflag(COMMIT_Dirty, inode))
++ rc = txCommit(tid, 1, &inode, wait ? COMMIT_SYNC : 0);
++
+ txEnd(tid);
+ up(&JFS_IP(inode)->commit_sem);
+ return rc;
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/101-ppc64_hugetlb_mm_free_pgd_unlock.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/101-ppc64_hugetlb_mm_free_pgd_unlock.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/101-ppc64_hugetlb_mm_free_pgd_unlock.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,49 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] ppc64: hugepage bugfix
+## DP: Patch author: david@gibson.dropbear.id.au
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/10 07:46:04-08:00 david@gibson.dropbear.id.au
+# [PATCH] ppc64: hugepage bugfix
+#
+# Fix a stupid unbalanced lock bug in the ppc64 hugepage code. Lead
+# rapidly to a crash if both CONFIG_HUGETLB_PAGE and CONFIG_PREEMPT were
+# enabled (even without actually using hugepages at all).
+#
+# Signed-off-by: David Gibson <dwg@au1.ibm.com>
+# Acked-by: William Irwin <wli@holomorphy.com>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# arch/ppc64/mm/hugetlbpage.c
+# 2005/01/09 20:16:25-08:00 david@gibson.dropbear.id.au +2 -1
+# ppc64: hugepage bugfix
+#
+diff -Nru a/arch/ppc64/mm/hugetlbpage.c b/arch/ppc64/mm/hugetlbpage.c
+--- a/arch/ppc64/mm/hugetlbpage.c 2005-02-14 04:17:07 -08:00
++++ b/arch/ppc64/mm/hugetlbpage.c 2005-02-14 04:17:07 -08:00
+@@ -745,7 +745,7 @@
+
+ pgdir = mm->context.huge_pgdir;
+ if (! pgdir)
+- return;
++ goto out;
+
+ mm->context.huge_pgdir = NULL;
+
+@@ -768,6 +768,7 @@
+ BUG_ON(memcmp(pgdir, empty_zero_page, PAGE_SIZE));
+ kmem_cache_free(zero_cache, pgdir);
+
++ out:
+ spin_unlock(&mm->page_table_lock);
+ }
+
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/102-cosa_sppp_channel_init_delay_attach.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/102-cosa_sppp_channel_init_delay_attach.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/102-cosa_sppp_channel_init_delay_attach.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,43 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] cosa.c intialization crash
+## DP: Patch author: kas@fi.muni.cz
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/06 16:35:24-08:00 kas@fi.muni.cz
+# [PATCH] cosa.c intialization crash
+#
+# This fixes crash on insmod of the cosa.ko module - the sppp_attach() was
+# called too early when dev->priv has not been set up yet.
+#
+# Signed-off-by: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# drivers/net/wan/cosa.c
+# 2004/11/14 17:26:39-08:00 kas@fi.muni.cz +1 -1
+# cosa.c intialization crash
+#
+diff -Nru a/drivers/net/wan/cosa.c b/drivers/net/wan/cosa.c
+--- a/drivers/net/wan/cosa.c 2005-02-14 00:38:42 -08:00
++++ b/drivers/net/wan/cosa.c 2005-02-14 00:38:42 -08:00
+@@ -642,11 +642,11 @@
+ return;
+ }
+ chan->pppdev.dev = d;
+- sppp_attach(&chan->pppdev);
+ d->base_addr = chan->cosa->datareg;
+ d->irq = chan->cosa->irq;
+ d->dma = chan->cosa->dma;
+ d->priv = chan;
++ sppp_attach(&chan->pppdev);
+ if (register_netdev(d)) {
+ printk(KERN_WARNING "%s: register_netdev failed.\n", d->name);
+ sppp_detach(d);
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/104-wan_sdla_firmware_cap_sys_rawio_addition.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/104-wan_sdla_firmware_cap_sys_rawio_addition.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/104-wan_sdla_firmware_cap_sys_rawio_addition.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,37 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] SDLA firmware upgrade should require CAP_SYS_RAWIO (not just CAP_NET_ADMIN)
+## DP: Patch author: alan@lxorguk.ukuu.org.uk
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/08 19:59:53-08:00 alan@lxorguk.ukuu.org.uk
+# [PATCH] SDLA firmware upgrade should require CAP_SYS_RAWIO (not just CAP_NET_ADMIN)
+#
+# There were a few variants on the list trying to work out what the valid
+# ranges to verify for write are but they sort of missed the point, if you
+# can load new firmware you can have fun anyway.
+#
+# drivers/net/wan/sdla.c
+# 2005/01/07 07:49:56-08:00 alan@lxorguk.ukuu.org.uk +2 -0
+# SDLA firmware upgrade should require CAP_SYS_RAWIO (not just CAP_NET_ADMIN)
+#
+diff -Nru a/drivers/net/wan/sdla.c b/drivers/net/wan/sdla.c
+--- a/drivers/net/wan/sdla.c 2005-02-14 04:24:03 -08:00
++++ b/drivers/net/wan/sdla.c 2005-02-14 04:24:03 -08:00
+@@ -1306,6 +1306,8 @@
+
+ case SDLA_WRITEMEM:
+ case SDLA_READMEM:
++ if(!capable(CAP_SYS_RAWIO))
++ return -EPERM;
+ return(sdla_xfer(dev, ifr->ifr_data, cmd == SDLA_READMEM));
+
+ case SDLA_START:
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/105-cmsg_compat_ok_proper_cmsghdr_struct.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/105-cmsg_compat_ok_proper_cmsghdr_struct.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/105-cmsg_compat_ok_proper_cmsghdr_struct.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,45 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [NET]: Fix CMSG_COMPAT_OK length check.
+## DP: Patch author: okir@suse.de
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/10 12:27:49-08:00 okir@suse.de
+# [NET]: Fix CMSG_COMPAT_OK length check.
+#
+# Need to check against struct compat_cmsghdr
+# not struct cmsghdr.
+#
+# Signed-off-by: Olaf Kirch <okir@suse.de>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/compat.c
+# 2005/01/10 12:27:28-08:00 okir@suse.de +1 -1
+# [NET]: Fix CMSG_COMPAT_OK length check.
+#
+# Need to check against struct compat_cmsghdr
+# not struct cmsghdr.
+#
+# Signed-off-by: Olaf Kirch <okir@suse.de>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/net/compat.c b/net/compat.c
+--- a/net/compat.c 2005-02-14 00:26:02 -08:00
++++ b/net/compat.c 2005-02-14 00:26:02 -08:00
+@@ -125,7 +125,7 @@
+ (struct compat_cmsghdr __user *)NULL)
+
+ #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
+- ((ucmlen) >= sizeof(struct cmsghdr) && \
++ ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
+ (ucmlen) <= (unsigned long) \
+ ((mhdr)->msg_controllen - \
+ ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/106-smbfs_input_validation_and_int_checks.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/106-smbfs_input_validation_and_int_checks.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/106-smbfs_input_validation_and_int_checks.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,153 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] smbfs fixes
+## DP: Patch author: alan@lxorguk.ukuu.org.uk
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/15 15:34:03-08:00 alan@lxorguk.ukuu.org.uk
+# [PATCH] smbfs fixes
+#
+# Fixes for various smbfs data leak bugs from Alan, Chuck Ebbert and various
+# people on various mailing lists.
+#
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# fs/smbfs/proc.c
+# 2005/01/15 14:01:58-08:00 alan@lxorguk.ukuu.org.uk +3 -3
+# smbfs fixes
+#
+# fs/smbfs/request.c
+# 2005/01/15 14:01:58-08:00 alan@lxorguk.ukuu.org.uk +33 -19
+# smbfs fixes
+#
+diff -Nru a/fs/smbfs/proc.c b/fs/smbfs/proc.c
+--- a/fs/smbfs/proc.c 2005-02-14 00:46:54 -08:00
++++ b/fs/smbfs/proc.c 2005-02-14 00:46:54 -08:00
+@@ -1427,9 +1427,9 @@
+ * So we must first calculate the amount of padding used by the server.
+ */
+ data_off -= hdrlen;
+- if (data_off > SMB_READX_MAX_PAD) {
+- PARANOIA("offset is larger than max pad!\n");
+- PARANOIA("%d > %d\n", data_off, SMB_READX_MAX_PAD);
++ if (data_off > SMB_READX_MAX_PAD || data_off < 0) {
++ PARANOIA("offset is larger than SMB_READX_MAX_PAD or negative!\n");
++ PARANOIA("%d > %d || %d < 0\n", data_off, SMB_READX_MAX_PAD, data_off);
+ req->rq_rlen = req->rq_bufsize + 1;
+ return;
+ }
+diff -Nru a/fs/smbfs/request.c b/fs/smbfs/request.c
+--- a/fs/smbfs/request.c 2005-02-14 00:46:54 -08:00
++++ b/fs/smbfs/request.c 2005-02-14 00:46:54 -08:00
+@@ -590,8 +590,18 @@
+ data_count = WVAL(inbuf, smb_drcnt);
+
+ /* Modify offset for the split header/buffer we use */
+- data_offset -= hdrlen;
+- parm_offset -= hdrlen;
++ if (data_count || data_offset) {
++ if (unlikely(data_offset < hdrlen))
++ goto out_bad_data;
++ else
++ data_offset -= hdrlen;
++ }
++ if (parm_count || parm_offset) {
++ if (unlikely(parm_offset < hdrlen))
++ goto out_bad_parm;
++ else
++ parm_offset -= hdrlen;
++ }
+
+ if (parm_count == parm_tot && data_count == data_tot) {
+ /*
+@@ -602,18 +612,22 @@
+ * response that fits.
+ */
+ VERBOSE("single trans2 response "
+- "dcnt=%d, pcnt=%d, doff=%d, poff=%d\n",
++ "dcnt=%u, pcnt=%u, doff=%u, poff=%u\n",
+ data_count, parm_count,
+ data_offset, parm_offset);
+ req->rq_ldata = data_count;
+ req->rq_lparm = parm_count;
+ req->rq_data = req->rq_buffer + data_offset;
+ req->rq_parm = req->rq_buffer + parm_offset;
++ if (unlikely(parm_offset + parm_count > req->rq_rlen))
++ goto out_bad_parm;
++ if (unlikely(data_offset + data_count > req->rq_rlen))
++ goto out_bad_data;
+ return 0;
+ }
+
+ VERBOSE("multi trans2 response "
+- "frag=%d, dcnt=%d, pcnt=%d, doff=%d, poff=%d\n",
++ "frag=%d, dcnt=%u, pcnt=%u, doff=%u, poff=%u\n",
+ req->rq_fragment,
+ data_count, parm_count,
+ data_offset, parm_offset);
+@@ -640,13 +654,15 @@
+
+ req->rq_parm = req->rq_trans2buffer;
+ req->rq_data = req->rq_trans2buffer + parm_tot;
+- } else if (req->rq_total_data < data_tot ||
+- req->rq_total_parm < parm_tot)
++ } else if (unlikely(req->rq_total_data < data_tot ||
++ req->rq_total_parm < parm_tot))
+ goto out_data_grew;
+
+- if (parm_disp + parm_count > req->rq_total_parm)
++ if (unlikely(parm_disp + parm_count > req->rq_total_parm ||
++ parm_offset + parm_count > req->rq_rlen))
+ goto out_bad_parm;
+- if (data_disp + data_count > req->rq_total_data)
++ if (unlikely(data_disp + data_count > req->rq_total_data ||
++ data_offset + data_count > req->rq_rlen))
+ goto out_bad_data;
+
+ inbuf = req->rq_buffer;
+@@ -668,10 +684,9 @@
+ return 1;
+
+ out_too_long:
+- printk(KERN_ERR "smb_trans2: data/param too long, data=%d, parm=%d\n",
++ printk(KERN_ERR "smb_trans2: data/param too long, data=%u, parm=%u\n",
+ data_tot, parm_tot);
+- req->rq_errno = -EIO;
+- goto out;
++ goto out_EIO;
+ out_no_mem:
+ printk(KERN_ERR "smb_trans2: couldn't allocate data area of %d bytes\n",
+ req->rq_trans2bufsize);
+@@ -679,16 +694,15 @@
+ goto out;
+ out_data_grew:
+ printk(KERN_ERR "smb_trans2: data/params grew!\n");
+- req->rq_errno = -EIO;
+- goto out;
++ goto out_EIO;
+ out_bad_parm:
+- printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n",
+- parm_disp, parm_count, parm_tot);
+- req->rq_errno = -EIO;
+- goto out;
++ printk(KERN_ERR "smb_trans2: invalid parms, disp=%u, cnt=%u, tot=%u, ofs=%u\n",
++ parm_disp, parm_count, parm_tot, parm_offset);
++ goto out_EIO;
+ out_bad_data:
+- printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n",
+- data_disp, data_count, data_tot);
++ printk(KERN_ERR "smb_trans2: invalid data, disp=%u, cnt=%u, tot=%u, ofs=%u\n",
++ data_disp, data_count, data_tot, data_offset);
++out_EIO:
+ req->rq_errno = -EIO;
+ out:
+ return req->rq_errno;
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/107-xfs_finish_reclaim_always_inode.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/107-xfs_finish_reclaim_always_inode.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/107-xfs_finish_reclaim_always_inode.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,56 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [XFS] make sure to always reclaim inodes in xfs_finish_reclaim
+## DP: Patch author: hch@sgi.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/11 15:12:26+11:00 hch@sgi.com
+# [XFS] make sure to always reclaim inodes in xfs_finish_reclaim
+#
+# SGI-PV: 921072
+# SGI-Modid: xfs-linux:xfs-kern:184505a
+# Signed-off-by: Christoph Hellwig <hch@sgi.com>
+# Signed-off-by: Nathan Scott <nathans@sgi.com>
+#
+# fs/xfs/xfs_vnodeops.c
+# 2005/01/11 15:11:56+11:00 hch@sgi.com +3 -3
+# [XFS] make sure to always reclaim inodes in xfs_finish_reclaim
+#
+diff -Nru a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
+--- a/fs/xfs/xfs_vnodeops.c 2005-02-14 00:57:55 -08:00
++++ b/fs/xfs/xfs_vnodeops.c 2005-02-14 00:57:55 -08:00
+@@ -3900,7 +3900,7 @@
+ int error;
+
+ if (vp && VN_BAD(vp))
+- return 0;
++ goto reclaim;
+
+ /* The hash lock here protects a thread in xfs_iget_core from
+ * racing with us on linking the inode back with a vnode.
+@@ -3948,8 +3948,7 @@
+ */
+ if (error) {
+ xfs_iunlock(ip, XFS_ILOCK_EXCL);
+- xfs_ireclaim(ip);
+- return (0);
++ goto reclaim;
+ }
+ xfs_iflock(ip); /* synchronize with xfs_iflush_done */
+ }
+@@ -3968,6 +3967,7 @@
+ xfs_iunlock(ip, XFS_ILOCK_EXCL);
+ }
+
++ reclaim:
+ xfs_ireclaim(ip);
+ return 0;
+ }
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/108-xfs_attrmulti_by_handle_limit_mem_alloc.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/108-xfs_attrmulti_by_handle_limit_mem_alloc.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/108-xfs_attrmulti_by_handle_limit_mem_alloc.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,49 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [XFS] Add sanity checks before use of attr_multi opcount parameter.
+## DP: Patch author: nathans@sgi.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/11 15:17:24+11:00 nathans@sgi.com
+# [XFS] Add sanity checks before use of attr_multi opcount parameter.
+#
+# SGI-PV: 927535
+# SGI-Modid: xfs-linux:xfs-kern:20991a
+# Signed-off-by: Nathan Scott <nathans@sgi.com>
+#
+# fs/xfs/linux-2.6/xfs_ioctl.c
+# 2005/01/11 15:16:56+11:00 nathans@sgi.com +6 -1
+# [XFS] Add sanity checks before use of attr_multi opcount parameter.
+#
+diff -Nru a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
+--- a/fs/xfs/linux-2.6/xfs_ioctl.c 2005-02-14 00:59:04 -08:00
++++ b/fs/xfs/linux-2.6/xfs_ioctl.c 2005-02-14 00:59:04 -08:00
+@@ -499,7 +499,7 @@
+ xfs_fsop_attrmulti_handlereq_t am_hreq;
+ struct inode *inode;
+ vnode_t *vp;
+- int i, size;
++ unsigned int i, size;
+
+ error = xfs_vget_fsop_handlereq(mp, parinode, CAP_SYS_ADMIN, arg,
+ sizeof(xfs_fsop_attrmulti_handlereq_t),
+@@ -509,6 +509,11 @@
+ return -error;
+
+ size = am_hreq.opcount * sizeof(attr_multiop_t);
++ if (!size || size > 16 * PAGE_SIZE) {
++ VN_RELE(vp);
++ return -XFS_ERROR(E2BIG);
++ }
++
+ ops = (xfs_attr_multiop_t *)kmalloc(size, GFP_KERNEL);
+ if (!ops) {
+ VN_RELE(vp);
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/109-binfmt_elf_loader_solar_designer_fixes.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/109-binfmt_elf_loader_solar_designer_fixes.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/109-binfmt_elf_loader_solar_designer_fixes.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,101 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] binfmt_elf fix return error codes and early corrupt binary detection
+## DP: Patch author: marcelo.tosatti@cyclades.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/11 19:18:34-08:00 marcelo.tosatti@cyclades.com
+# [PATCH] binfmt_elf fix return error codes and early corrupt binary detection
+#
+# With Solar Designer <solar@openwall.com>
+#
+# The following patch changes the following on ELF parsing/loading code
+# (fs/binfmt_elf):
+#
+# - Stronger validity checks on ELF files:
+# treat e_phnum (program header count) < 1 as invalid
+# treat p_filesz (file size) < 2 invalid on program header interp. case
+# - Saner return error codes
+# - Make sure SIGKILL is delivered on error handling
+#
+#
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# fs/binfmt_elf.c
+# 2005/01/11 16:42:58-08:00 marcelo.tosatti@cyclades.com +13 -8
+# binfmt_elf fix return error codes and early corrupt binary detection
+#
+diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c 2005-02-14 04:59:06 -08:00
++++ b/fs/binfmt_elf.c 2005-02-14 04:59:06 -08:00
+@@ -322,7 +322,8 @@
+ */
+ if (interp_elf_ex->e_phentsize != sizeof(struct elf_phdr))
+ goto out;
+- if (interp_elf_ex->e_phnum > 65536U / sizeof(struct elf_phdr))
++ if (interp_elf_ex->e_phnum < 1 ||
++ interp_elf_ex->e_phnum > 65536U / sizeof(struct elf_phdr))
+ goto out;
+
+ /* Now read in all of the header information */
+@@ -524,12 +525,13 @@
+
+ /* Now read in all of the header information */
+
+- retval = -ENOMEM;
+ if (loc->elf_ex.e_phentsize != sizeof(struct elf_phdr))
+ goto out;
+- if (loc->elf_ex.e_phnum > 65536U / sizeof(struct elf_phdr))
++ if (loc->elf_ex.e_phnum < 1 ||
++ loc->elf_ex.e_phnum > 65536U / sizeof(struct elf_phdr))
+ goto out;
+ size = loc->elf_ex.e_phnum * sizeof(struct elf_phdr);
++ retval = -ENOMEM;
+ elf_phdata = (struct elf_phdr *) kmalloc(size, GFP_KERNEL);
+ if (!elf_phdata)
+ goto out;
+@@ -575,10 +577,12 @@
+ * is an a.out format binary
+ */
+
+- retval = -ENOMEM;
++ retval = -ENOEXEC;
+ if (elf_ppnt->p_filesz > PATH_MAX ||
+- elf_ppnt->p_filesz == 0)
++ elf_ppnt->p_filesz < 2)
+ goto out_free_file;
++
++ retval = -ENOMEM;
+ elf_interpreter = (char *) kmalloc(elf_ppnt->p_filesz,
+ GFP_KERNEL);
+ if (!elf_interpreter)
+@@ -593,7 +597,7 @@
+ goto out_free_interp;
+ }
+ /* make sure path is NULL terminated */
+- retval = -EINVAL;
++ retval = -ENOEXEC;
+ if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
+ goto out_free_interp;
+
+@@ -868,8 +872,9 @@
+ interpreter,
+ &interp_load_addr);
+ if (BAD_ADDR(elf_entry)) {
+- printk(KERN_ERR "Unable to load interpreter\n");
+- send_sig(SIGSEGV, current, 0);
++ printk(KERN_ERR "Unable to load interpreter %.128s\n",
++ elf_interpreter);
++ force_sig(SIGSEGV, current);
+ retval = -ENOEXEC; /* Nobody gets to see this, but.. */
+ goto out_free_dentry;
+ }
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/110-load_module_arg_checking.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/110-load_module_arg_checking.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/110-load_module_arg_checking.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,41 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] Catch module parameter parsing failures
+## DP: Patch author: rusty@rustcorp.com.au
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/11 19:18:21-08:00 rusty@rustcorp.com.au
+# [PATCH] Catch module parameter parsing failures
+#
+# Radheka Godse <radheka.godse@intel.com> pointed out that parameter parsing
+# failures allow a module still to be loaded. Trivial fix.
+#
+# Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# kernel/module.c
+# 2005/01/11 16:42:57-08:00 rusty@rustcorp.com.au +3 -0
+# Catch module parameter parsing failures
+#
+diff -Nru a/kernel/module.c b/kernel/module.c
+--- a/kernel/module.c 2005-02-14 04:58:26 -08:00
++++ b/kernel/module.c 2005-02-14 04:58:26 -08:00
+@@ -1691,6 +1691,9 @@
+ / sizeof(struct kernel_param),
+ NULL);
+ }
++ if (err < 0)
++ goto arch_cleanup;
++
+ err = mod_sysfs_setup(mod,
+ (struct kernel_param *)
+ sechdrs[setupindex].sh_addr,
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/111-security_seclvl_kconfig_dep.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/111-security_seclvl_kconfig_dep.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/111-security_seclvl_kconfig_dep.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,41 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] seclvl: add missing dependency
+## DP: Patch author: amgta@yacht.ocn.ne.jp
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/11 19:17:41-08:00 amgta@yacht.ocn.ne.jp
+# [PATCH] seclvl: add missing dependency
+#
+# *** Warning: "crypto_free_tfm" [security/seclvl.ko] undefined!
+# *** Warning: "crypto_alloc_tfm" [security/seclvl.ko] undefined!
+# *** Warning: "crypto_unregister_alg" [crypto/sha1.ko] undefined!
+# *** Warning: "crypto_register_alg" [crypto/sha1.ko] undefined!
+#
+# Signed-off-by: Akinobu Mita <amgta@yacht.ocn.ne.jp>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# security/Kconfig
+# 2005/01/11 16:42:57-08:00 amgta@yacht.ocn.ne.jp +1 -0
+# seclvl: add missing dependency
+#
+diff -Nru a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2005-02-14 04:57:09 -08:00
++++ b/security/Kconfig 2005-02-14 04:57:09 -08:00
+@@ -76,6 +76,7 @@
+ config SECURITY_SECLVL
+ tristate "BSD Secure Levels"
+ depends on SECURITY
++ select CRYPTO
+ select CRYPTO_SHA1
+ help
+ Implements BSD Secure Levels as an LSM. See
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/112-audit_receive_skb_double_negative_return_val.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/112-audit_receive_skb_double_negative_return_val.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/112-audit_receive_skb_double_negative_return_val.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,68 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] audit return code and log format fix
+## DP: Patch author: peterm@redhat.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/11 19:17:55-08:00 peterm@redhat.com
+# [PATCH] audit return code and log format fix
+#
+# A couple of one liners to resolve two issues that have come up regarding
+# audit.
+#
+# Roger reported a problem with audit.c:audit_receive_skb which improperly
+# negates the errno argument when netlink_ack is called.
+#
+# The second issue was reported by Steve on the linux-audit list,
+# auditsc.s:audit_log_exit using %u instead of %d in the audit_log_format
+# call.
+#
+# Please note, there is a mailing list available for audit discussion at
+# https://www.redhat.com/archives/linux-audit/
+#
+# Signed-off-by: Peter Martuccelli <peterm@redhat.com>
+# Signed-off-by: Steve Grubb <sgrubb@redhat.com>
+# Signed-off-by: Roger Luethi <rl@hellgate.ch>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# kernel/audit.c
+# 2005/01/11 16:42:57-08:00 peterm@redhat.com +1 -1
+# audit return code and log format fix
+#
+# kernel/auditsc.c
+# 2005/01/11 16:42:57-08:00 peterm@redhat.com +1 -1
+# audit return code and log format fix
+#
+diff -Nru a/kernel/audit.c b/kernel/audit.c
+--- a/kernel/audit.c 2005-02-14 04:57:25 -08:00
++++ b/kernel/audit.c 2005-02-14 04:57:25 -08:00
+@@ -419,7 +419,7 @@
+ if (rlen > skb->len)
+ rlen = skb->len;
+ if ((err = audit_receive_msg(skb, nlh))) {
+- netlink_ack(skb, nlh, -err);
++ netlink_ack(skb, nlh, err);
+ } else if (nlh->nlmsg_flags & NLM_F_ACK)
+ netlink_ack(skb, nlh, 0);
+ skb_pull(skb, rlen);
+diff -Nru a/kernel/auditsc.c b/kernel/auditsc.c
+--- a/kernel/auditsc.c 2005-02-14 04:57:25 -08:00
++++ b/kernel/auditsc.c 2005-02-14 04:57:25 -08:00
+@@ -591,7 +591,7 @@
+ if (context->personality != PER_LINUX)
+ audit_log_format(ab, " per=%lx", context->personality);
+ if (context->return_valid)
+- audit_log_format(ab, " exit=%u", context->return_code);
++ audit_log_format(ab, " exit=%d", context->return_code);
+ audit_log_format(ab,
+ " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
+ " pid=%d loginuid=%d uid=%d gid=%d"
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/114-netfilter_private_queues.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/114-netfilter_private_queues.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/114-netfilter_private_queues.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,409 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [IPV4]: Keep fragment queues private to each user.
+## DP: Patch author: kaber@trash.net
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/26 22:03:38-08:00 kaber@trash.net
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# include/linux/netfilter_ipv4/ip_conntrack.h
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +1 -2
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# include/net/ip.h
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +14 -3
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_fragment.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +13 -20
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_input.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +2 -2
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ipvs/ip_vs_core.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +11 -8
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/netfilter/ip_conntrack_core.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +2 -9
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/netfilter/ip_conntrack_standalone.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +4 -7
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/netfilter/ip_nat_standalone.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +1 -1
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
+--- a/include/linux/netfilter_ipv4/ip_conntrack.h 2005-02-14 05:58:34 -08:00
++++ b/include/linux/netfilter_ipv4/ip_conntrack.h 2005-02-14 05:58:34 -08:00
+@@ -262,10 +262,9 @@
+ /* Fake conntrack entry for untracked connections */
+ extern struct ip_conntrack ip_conntrack_untracked;
+
+-extern int ip_ct_no_defrag;
+ /* Returns new sk_buff, or NULL */
+ struct sk_buff *
+-ip_ct_gather_frags(struct sk_buff *skb);
++ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user);
+
+ /* Iterate over all conntracks: if iter returns true, it's deleted. */
+ extern void
+diff -Nru a/include/net/ip.h b/include/net/ip.h
+--- a/include/net/ip.h 2005-02-14 05:58:34 -08:00
++++ b/include/net/ip.h 2005-02-14 05:58:34 -08:00
+@@ -286,9 +286,20 @@
+ /*
+ * Functions provided by ip_fragment.o
+ */
+-
+-struct sk_buff *ip_defrag(struct sk_buff *skb);
+-extern void ipfrag_flush(void);
++
++enum ip_defrag_users
++{
++ IP_DEFRAG_LOCAL_DELIVER,
++ IP_DEFRAG_CALL_RA_CHAIN,
++ IP_DEFRAG_CONNTRACK_IN,
++ IP_DEFRAG_CONNTRACK_OUT,
++ IP_DEFRAG_NAT_OUT,
++ IP_DEFRAG_VS_IN,
++ IP_DEFRAG_VS_OUT,
++ IP_DEFRAG_VS_FWD
++};
++
++struct sk_buff *ip_defrag(struct sk_buff *skb, u32 user);
+ extern int ip_frag_nqueues;
+ extern atomic_t ip_frag_mem;
+
+diff -Nru a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+--- a/net/ipv4/ip_fragment.c 2005-02-14 05:58:34 -08:00
++++ b/net/ipv4/ip_fragment.c 2005-02-14 05:58:34 -08:00
+@@ -73,6 +73,7 @@
+ struct ipq {
+ struct ipq *next; /* linked list pointers */
+ struct list_head lru_list; /* lru list member */
++ u32 user;
+ u32 saddr;
+ u32 daddr;
+ u16 id;
+@@ -243,13 +244,13 @@
+ /* Memory limiting on fragments. Evictor trashes the oldest
+ * fragment queue until we are back under the threshold.
+ */
+-static void __ip_evictor(int threshold)
++static void ip_evictor(void)
+ {
+ struct ipq *qp;
+ struct list_head *tmp;
+ int work;
+
+- work = atomic_read(&ip_frag_mem) - threshold;
++ work = atomic_read(&ip_frag_mem) - sysctl_ipfrag_low_thresh;
+ if (work <= 0)
+ return;
+
+@@ -274,11 +275,6 @@
+ }
+ }
+
+-static inline void ip_evictor(void)
+-{
+- __ip_evictor(sysctl_ipfrag_low_thresh);
+-}
+-
+ /*
+ * Oops, a fragment queue timed out. Kill it and send an ICMP reply.
+ */
+@@ -325,7 +321,8 @@
+ if(qp->id == qp_in->id &&
+ qp->saddr == qp_in->saddr &&
+ qp->daddr == qp_in->daddr &&
+- qp->protocol == qp_in->protocol) {
++ qp->protocol == qp_in->protocol &&
++ qp->user == qp_in->user) {
+ atomic_inc(&qp->refcnt);
+ write_unlock(&ipfrag_lock);
+ qp_in->last_in |= COMPLETE;
+@@ -352,7 +349,7 @@
+ }
+
+ /* Add an entry to the 'ipq' queue for a newly received IP datagram. */
+-static struct ipq *ip_frag_create(unsigned hash, struct iphdr *iph)
++static struct ipq *ip_frag_create(unsigned hash, struct iphdr *iph, u32 user)
+ {
+ struct ipq *qp;
+
+@@ -364,6 +361,7 @@
+ qp->id = iph->id;
+ qp->saddr = iph->saddr;
+ qp->daddr = iph->daddr;
++ qp->user = user;
+ qp->len = 0;
+ qp->meat = 0;
+ qp->fragments = NULL;
+@@ -386,7 +384,7 @@
+ /* Find the correct entry in the "incomplete datagrams" queue for
+ * this IP datagram, and create new one, if nothing is found.
+ */
+-static inline struct ipq *ip_find(struct iphdr *iph)
++static inline struct ipq *ip_find(struct iphdr *iph, u32 user)
+ {
+ __u16 id = iph->id;
+ __u32 saddr = iph->saddr;
+@@ -400,7 +398,8 @@
+ if(qp->id == id &&
+ qp->saddr == saddr &&
+ qp->daddr == daddr &&
+- qp->protocol == protocol) {
++ qp->protocol == protocol &&
++ qp->user == user) {
+ atomic_inc(&qp->refcnt);
+ read_unlock(&ipfrag_lock);
+ return qp;
+@@ -408,7 +407,7 @@
+ }
+ read_unlock(&ipfrag_lock);
+
+- return ip_frag_create(hash, iph);
++ return ip_frag_create(hash, iph, user);
+ }
+
+ /* Add new segment to existing queue. */
+@@ -642,7 +641,7 @@
+ }
+
+ /* Process an incoming IP datagram fragment. */
+-struct sk_buff *ip_defrag(struct sk_buff *skb)
++struct sk_buff *ip_defrag(struct sk_buff *skb, u32 user)
+ {
+ struct iphdr *iph = skb->nh.iph;
+ struct ipq *qp;
+@@ -657,7 +656,7 @@
+ dev = skb->dev;
+
+ /* Lookup (or create) queue header */
+- if ((qp = ip_find(iph)) != NULL) {
++ if ((qp = ip_find(iph, user)) != NULL) {
+ struct sk_buff *ret = NULL;
+
+ spin_lock(&qp->lock);
+@@ -689,10 +688,4 @@
+ add_timer(&ipfrag_secret_timer);
+ }
+
+-void ipfrag_flush(void)
+-{
+- __ip_evictor(0);
+-}
+-
+ EXPORT_SYMBOL(ip_defrag);
+-EXPORT_SYMBOL(ipfrag_flush);
+diff -Nru a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
+--- a/net/ipv4/ip_input.c 2005-02-14 05:58:34 -08:00
++++ b/net/ipv4/ip_input.c 2005-02-14 05:58:34 -08:00
+@@ -172,7 +172,7 @@
+ (!sk->sk_bound_dev_if ||
+ sk->sk_bound_dev_if == skb->dev->ifindex)) {
+ if (skb->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, IP_DEFRAG_CALL_RA_CHAIN);
+ if (skb == NULL) {
+ read_unlock(&ip_ra_lock);
+ return 1;
+@@ -273,7 +273,7 @@
+ */
+
+ if (skb->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, IP_DEFRAG_LOCAL_DELIVER);
+ if (!skb)
+ return 0;
+ }
+diff -Nru a/net/ipv4/ipvs/ip_vs_core.c b/net/ipv4/ipvs/ip_vs_core.c
+--- a/net/ipv4/ipvs/ip_vs_core.c 2005-02-14 05:58:34 -08:00
++++ b/net/ipv4/ipvs/ip_vs_core.c 2005-02-14 05:58:34 -08:00
+@@ -544,9 +544,9 @@
+ }
+
+ static inline struct sk_buff *
+-ip_vs_gather_frags(struct sk_buff *skb)
++ip_vs_gather_frags(struct sk_buff *skb, u_int32_t user)
+ {
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, user);
+ if (skb)
+ ip_send_check(skb->nh.iph);
+ return skb;
+@@ -620,7 +620,7 @@
+
+ /* reassemble IP fragments */
+ if (skb->nh.iph->frag_off & __constant_htons(IP_MF|IP_OFFSET)) {
+- skb = ip_vs_gather_frags(skb);
++ skb = ip_vs_gather_frags(skb, IP_DEFRAG_VS_OUT);
+ if (!skb)
+ return NF_STOLEN;
+ *pskb = skb;
+@@ -759,7 +759,7 @@
+ /* reassemble IP fragments */
+ if (unlikely(iph->frag_off & __constant_htons(IP_MF|IP_OFFSET) &&
+ !pp->dont_defrag)) {
+- skb = ip_vs_gather_frags(skb);
++ skb = ip_vs_gather_frags(skb, IP_DEFRAG_VS_OUT);
+ if (!skb)
+ return NF_STOLEN;
+ iph = skb->nh.iph;
+@@ -839,7 +839,8 @@
+ * forward to the right destination host if relevant.
+ * Currently handles error types - unreachable, quench, ttl exceeded.
+ */
+-static int ip_vs_in_icmp(struct sk_buff **pskb, int *related)
++static int
++ip_vs_in_icmp(struct sk_buff **pskb, int *related, unsigned int hooknum)
+ {
+ struct sk_buff *skb = *pskb;
+ struct iphdr *iph;
+@@ -853,7 +854,9 @@
+
+ /* reassemble IP fragments */
+ if (skb->nh.iph->frag_off & __constant_htons(IP_MF|IP_OFFSET)) {
+- skb = ip_vs_gather_frags(skb);
++ skb = ip_vs_gather_frags(skb,
++ hooknum == NF_IP_LOCAL_IN ?
++ IP_DEFRAG_VS_IN : IP_DEFRAG_VS_FWD);
+ if (!skb)
+ return NF_STOLEN;
+ *pskb = skb;
+@@ -962,7 +965,7 @@
+
+ iph = skb->nh.iph;
+ if (unlikely(iph->protocol == IPPROTO_ICMP)) {
+- int related, verdict = ip_vs_in_icmp(pskb, &related);
++ int related, verdict = ip_vs_in_icmp(pskb, &related, hooknum);
+
+ if (related)
+ return verdict;
+@@ -1057,7 +1060,7 @@
+ if ((*pskb)->nh.iph->protocol != IPPROTO_ICMP)
+ return NF_ACCEPT;
+
+- return ip_vs_in_icmp(pskb, &r);
++ return ip_vs_in_icmp(pskb, &r, hooknum);
+ }
+
+
+diff -Nru a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
+--- a/net/ipv4/netfilter/ip_conntrack_core.c 2005-02-14 05:58:34 -08:00
++++ b/net/ipv4/netfilter/ip_conntrack_core.c 2005-02-14 05:58:34 -08:00
+@@ -936,29 +936,22 @@
+ }
+ }
+
+-int ip_ct_no_defrag;
+-
+ /* Returns new sk_buff, or NULL */
+ struct sk_buff *
+-ip_ct_gather_frags(struct sk_buff *skb)
++ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user)
+ {
+ struct sock *sk = skb->sk;
+ #ifdef CONFIG_NETFILTER_DEBUG
+ unsigned int olddebug = skb->nf_debug;
+ #endif
+
+- if (unlikely(ip_ct_no_defrag)) {
+- kfree_skb(skb);
+- return NULL;
+- }
+-
+ if (sk) {
+ sock_hold(sk);
+ skb_orphan(skb);
+ }
+
+ local_bh_disable();
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, user);
+ local_bh_enable();
+
+ if (!skb) {
+diff -Nru a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
+--- a/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-02-14 05:58:34 -08:00
++++ b/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-02-14 05:58:34 -08:00
+@@ -391,7 +391,10 @@
+
+ /* Gather fragments. */
+ if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- *pskb = ip_ct_gather_frags(*pskb);
++ *pskb = ip_ct_gather_frags(*pskb,
++ hooknum == NF_IP_PRE_ROUTING ?
++ IP_DEFRAG_CONNTRACK_IN :
++ IP_DEFRAG_CONNTRACK_OUT);
+ if (!*pskb)
+ return NF_STOLEN;
+ }
+@@ -823,12 +826,6 @@
+ cleanup_defraglocalops:
+ nf_unregister_hook(&ip_conntrack_defrag_local_out_ops);
+ cleanup_defragops:
+- /* Frag queues may hold fragments with skb->dst == NULL */
+- ip_ct_no_defrag = 1;
+- synchronize_net();
+- local_bh_disable();
+- ipfrag_flush();
+- local_bh_enable();
+ nf_unregister_hook(&ip_conntrack_defrag_ops);
+ cleanup_proc_stat:
+ #ifdef CONFIG_PROC_FS
+diff -Nru a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
+--- a/net/ipv4/netfilter/ip_nat_standalone.c 2005-02-14 05:58:34 -08:00
++++ b/net/ipv4/netfilter/ip_nat_standalone.c 2005-02-14 05:58:34 -08:00
+@@ -195,7 +195,7 @@
+ I'm starting to have nightmares about fragments. */
+
+ if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- *pskb = ip_ct_gather_frags(*pskb);
++ *pskb = ip_ct_gather_frags(*pskb, IP_DEFRAG_NAT_OUT);
+
+ if (!*pskb)
+ return NF_STOLEN;
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/115-proc_file_read_nbytes_signedness_fix.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/115-proc_file_read_nbytes_signedness_fix.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/115-proc_file_read_nbytes_signedness_fix.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,36 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] Fix signed compare in fs/proc/generic.c::proc_file_read()
+## DP: Patch author: guninski@guninski.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/02 17:42:38-08:00 guninski@guninski.com
+# [PATCH] Fix signed compare in fs/proc/generic.c::proc_file_read()
+#
+# Acked-by: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# fs/proc/generic.c
+# 2005/01/30 07:58:00-08:00 guninski@guninski.com +1 -1
+# Fix signed compare in fs/proc/generic.c::proc_file_read()
+#
+diff -Nru a/fs/proc/generic.c b/fs/proc/generic.c
+--- a/fs/proc/generic.c 2005-02-14 01:28:32 -08:00
++++ b/fs/proc/generic.c 2005-02-14 01:28:32 -08:00
+@@ -60,7 +60,7 @@
+ return -ENOMEM;
+
+ while ((nbytes > 0) && !eof) {
+- count = min_t(ssize_t, PROC_BLOCK_SIZE, nbytes);
++ count = min_t(size_t, PROC_BLOCK_SIZE, nbytes);
+
+ start = NULL;
+ if (dp->get_info) {
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/116-n_tty_copy_from_read_buf_signedness_fixes.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/116-n_tty_copy_from_read_buf_signedness_fixes.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/116-n_tty_copy_from_read_buf_signedness_fixes.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,45 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] Fix sign checks in copy_from_read_buf()
+## DP: Patch author: guninski@guninski.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/02 17:41:06-08:00 guninski@guninski.com
+# [PATCH] Fix sign checks in copy_from_read_buf()
+#
+# Fix signedness and remove the now unnecessary cast.
+#
+# Acked-by: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# drivers/char/n_tty.c
+# 2005/01/30 07:56:05-08:00 guninski@guninski.com +2 -2
+# Fix sign checks in copy_from_read_buf()
+#
+diff -Nru a/drivers/char/n_tty.c b/drivers/char/n_tty.c
+--- a/drivers/char/n_tty.c 2005-02-14 01:28:08 -08:00
++++ b/drivers/char/n_tty.c 2005-02-14 01:28:08 -08:00
+@@ -1143,13 +1143,13 @@
+
+ {
+ int retval;
+- ssize_t n;
++ size_t n;
+ unsigned long flags;
+
+ retval = 0;
+ spin_lock_irqsave(&tty->read_lock, flags);
+ n = min(tty->read_cnt, N_TTY_BUF_SIZE - tty->read_tail);
+- n = min((ssize_t)*nr, n);
++ n = min(*nr, n);
+ spin_unlock_irqrestore(&tty->read_lock, flags);
+ if (n) {
+ mb();
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/117-reiserfs_file_64bit_size_t_fixes.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/117-reiserfs_file_64bit_size_t_fixes.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/117-reiserfs_file_64bit_size_t_fixes.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,106 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] reiserfs: use proper 64-bit clean types
+## DP: Patch author: guninski@guninski.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/02 17:45:11-08:00 guninski@guninski.com
+# [PATCH] reiserfs: use proper 64-bit clean types
+#
+# reiserfs_file_write() casts its (size_t) count parameter to int, which can become
+# a problem on 64-bit architectures
+#
+# This attempts to fix this by changing the variables dealing with count
+# and offset and the "min_t" comparisons to use "size_t" through-out.
+#
+# Acked-by: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# fs/reiserfs/file.c
+# 2005/01/26 07:28:12-08:00 guninski@guninski.com +11 -12
+# reiserfs: use proper 64-bit clean types
+#
+diff -Nru a/fs/reiserfs/file.c b/fs/reiserfs/file.c
+--- a/fs/reiserfs/file.c 2005-02-14 01:29:00 -08:00
++++ b/fs/reiserfs/file.c 2005-02-14 01:29:00 -08:00
+@@ -588,7 +588,7 @@
+
+ /* Unlock pages prepared by reiserfs_prepare_file_region_for_write */
+ void reiserfs_unprepare_pages(struct page **prepared_pages, /* list of locked pages */
+- int num_pages /* amount of pages */) {
++ size_t num_pages /* amount of pages */) {
+ int i; // loop counter
+
+ for (i=0; i < num_pages ; i++) {
+@@ -619,7 +619,7 @@
+ int offset; // offset in page
+
+ for ( i = 0, offset = (pos & (PAGE_CACHE_SIZE-1)); i < num_pages ; i++,offset=0) {
+- int count = min_t(int,PAGE_CACHE_SIZE-offset,write_bytes); // How much of bytes to write to this page
++ size_t count = min_t(size_t,PAGE_CACHE_SIZE-offset,write_bytes); // How much of bytes to write to this page
+ struct page *page=prepared_pages[i]; // Current page we process.
+
+ fault_in_pages_readable( buf, count);
+@@ -718,8 +718,8 @@
+ struct reiserfs_transaction_handle *th,
+ struct inode *inode,
+ loff_t pos, /* Writing position offset */
+- int num_pages, /* Number of pages to write */
+- int write_bytes, /* number of bytes to write */
++ size_t num_pages, /* Number of pages to write */
++ size_t write_bytes, /* number of bytes to write */
+ struct page **prepared_pages /* list of pages */
+ )
+ {
+@@ -854,9 +854,9 @@
+ static int reiserfs_prepare_file_region_for_write(
+ struct inode *inode /* Inode of the file */,
+ loff_t pos, /* position in the file */
+- int num_pages, /* number of pages to
++ size_t num_pages, /* number of pages to
+ prepare */
+- int write_bytes, /* Amount of bytes to be
++ size_t write_bytes, /* Amount of bytes to be
+ overwritten from
+ @pos */
+ struct page **prepared_pages /* pointer to array
+@@ -1252,10 +1252,9 @@
+ while ( count > 0) {
+ /* This is the main loop in which we running until some error occures
+ or until we write all of the data. */
+- int num_pages;/* amount of pages we are going to write this iteration */
+- int write_bytes; /* amount of bytes to write during this iteration */
+- int blocks_to_allocate; /* how much blocks we need to allocate for
+- this iteration */
++ size_t num_pages;/* amount of pages we are going to write this iteration */
++ size_t write_bytes; /* amount of bytes to write during this iteration */
++ size_t blocks_to_allocate; /* how much blocks we need to allocate for this iteration */
+
+ /* (pos & (PAGE_CACHE_SIZE-1)) is an idiom for offset into a page of pos*/
+ num_pages = !!((pos+count) & (PAGE_CACHE_SIZE - 1)) + /* round up partial
+@@ -1269,7 +1268,7 @@
+ /* If we were asked to write more data than we want to or if there
+ is not that much space, then we shorten amount of data to write
+ for this iteration. */
+- num_pages = min_t(int, REISERFS_WRITE_PAGES_AT_A_TIME, reiserfs_can_fit_pages(inode->i_sb));
++ num_pages = min_t(size_t, REISERFS_WRITE_PAGES_AT_A_TIME, reiserfs_can_fit_pages(inode->i_sb));
+ /* Also we should not forget to set size in bytes accordingly */
+ write_bytes = (num_pages << PAGE_CACHE_SHIFT) -
+ (pos & (PAGE_CACHE_SIZE-1));
+@@ -1295,7 +1294,7 @@
+ // But overwriting files on absolutelly full volumes would not
+ // be very efficient. Well, people are not supposed to fill
+ // 100% of disk space anyway.
+- write_bytes = min_t(int, count, inode->i_sb->s_blocksize - (pos & (inode->i_sb->s_blocksize - 1)));
++ write_bytes = min_t(size_t, count, inode->i_sb->s_blocksize - (pos & (inode->i_sb->s_blocksize - 1)));
+ num_pages = 1;
+ // No blocks were claimed before, so do it now.
+ reiserfs_claim_blocks_to_be_allocated(inode->i_sb, 1 << (PAGE_CACHE_SHIFT - inode->i_blkbits));
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/118-i2c_sis5595_setup_pci_config_return_checks.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/118-i2c_sis5595_setup_pci_config_return_checks.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/118-i2c_sis5595_setup_pci_config_return_checks.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,75 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] I2C: Fix i2c-sis5595 pci configuration accesses
+## DP: Patch author: khali@linux-fr.org
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/03 00:30:21-08:00 khali@linux-fr.org
+# [PATCH] I2C: Fix i2c-sis5595 pci configuration accesses
+#
+# The i2c-sis5595 bus driver has logic errors on pci configuration
+# accesses. It returns an error on success and vice versa. The 2.4 kernel
+# version of the driver, as found in the lm_sensors CVS repository, is
+# correct, so the problem was introducted when the driver was ported to
+# the 2.6 kernel tree (in 2.6.0-test6). As odd as it sounds, the driver
+# has been sitting here broken and unusable for 17 months and nobody ever
+# reported, until yesterday.
+#
+# Credits go to Sebastian Hesselbarth for discovering and analyzing the
+# problem.
+#
+# Here is a patch that fixes the problem, succesfully tested by Aurelien
+# Jarno and Sebastian Hesselbarth. Please apply.
+#
+# Signed-off-by: Jean Delvare <khali@linux-fr.org>
+# Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
+#
+# drivers/i2c/busses/i2c-sis5595.c
+# 2005/02/02 22:34:13-08:00 khali@linux-fr.org +10 -5
+# I2C: Fix i2c-sis5595 pci configuration accesses
+#
+diff -Nru a/drivers/i2c/busses/i2c-sis5595.c b/drivers/i2c/busses/i2c-sis5595.c
+--- a/drivers/i2c/busses/i2c-sis5595.c 2005-02-14 05:06:08 -08:00
++++ b/drivers/i2c/busses/i2c-sis5595.c 2005-02-14 05:06:08 -08:00
+@@ -181,9 +181,11 @@
+
+ if (force_addr) {
+ dev_info(&SIS5595_dev->dev, "forcing ISA address 0x%04X\n", sis5595_base);
+- if (!pci_write_config_word(SIS5595_dev, ACPI_BASE, sis5595_base))
++ if (pci_write_config_word(SIS5595_dev, ACPI_BASE, sis5595_base)
++ != PCIBIOS_SUCCESSFUL)
+ goto error;
+- if (!pci_read_config_word(SIS5595_dev, ACPI_BASE, &a))
++ if (pci_read_config_word(SIS5595_dev, ACPI_BASE, &a)
++ != PCIBIOS_SUCCESSFUL)
+ goto error;
+ if ((a & ~(SIS5595_EXTENT - 1)) != sis5595_base) {
+ /* doesn't work for some chips! */
+@@ -192,13 +194,16 @@
+ }
+ }
+
+- if (!pci_read_config_byte(SIS5595_dev, SIS5595_ENABLE_REG, &val))
++ if (pci_read_config_byte(SIS5595_dev, SIS5595_ENABLE_REG, &val)
++ != PCIBIOS_SUCCESSFUL)
+ goto error;
+ if ((val & 0x80) == 0) {
+ dev_info(&SIS5595_dev->dev, "enabling ACPI\n");
+- if (!pci_write_config_byte(SIS5595_dev, SIS5595_ENABLE_REG, val | 0x80))
++ if (pci_write_config_byte(SIS5595_dev, SIS5595_ENABLE_REG, val | 0x80)
++ != PCIBIOS_SUCCESSFUL)
+ goto error;
+- if (!pci_read_config_byte(SIS5595_dev, SIS5595_ENABLE_REG, &val))
++ if (pci_read_config_byte(SIS5595_dev, SIS5595_ENABLE_REG, &val)
++ != PCIBIOS_SUCCESSFUL)
+ goto error;
+ if ((val & 0x80) == 0) {
+ /* doesn't work for some chips? */
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/119-i2c_viapro_i2cdump_overflow.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/119-i2c_viapro_i2cdump_overflow.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/119-i2c_viapro_i2cdump_overflow.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,182 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] I2C: Prevent buffer overflow on SMBus block read in
+## DP: Patch author: khali@linux-fr.org
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/03 00:31:16-08:00 khali@linux-fr.org
+# [PATCH] I2C: Prevent buffer overflow on SMBus block read in
+#
+# Hi Greg, Linus, all,
+#
+# I just hit a buffer overflow while playing around with i2cdump and
+# i2c-viapro through i2c-dev. This is caused by a missing length check on
+# a buffer operation when doing a SMBus block read in the i2c-viapro
+# driver. The problem was already known and had been fixed upon report by
+# Sergey Vlasov back in August 2003 in lm_sensors (2.4 kernel version of
+# the driver) but for some reason it was never ported to the 2.6 kernel
+# version.
+#
+# I am not a security expert but I would guess that such a buffer overflow
+# could possibly be used to run arbitrary code in kernel space from user
+# space through i2c-dev. The severity obviously depends on the permisions
+# set on the i2c device files in /dev. Maybe it wouldn't be a bad idea to
+# push this patch upstream rather sooner than later.
+#
+# While I was at it, I also changed a similar size check (for SMBus block
+# write this time) in the same driver to use the correct constant
+# I2C_SMBUS_BLOCK_MAX instead of its current numerical value. This doesn't
+# change a thing at the moment but prevents another potential buffer
+# overflow in case the value of I2C_SMBUS_BLOCK_MAX were to be changed in
+# the future (admittedly unlikely though).
+#
+# > Now if we have broken hardware, then we might have a problem here, but
+# > otherwise I don't see it as a security issue right now.
+#
+# It doesn't take broken hardware.
+#
+# (Warning: I am going technical at this point, people not interested in
+# the gory details of the I2C and SMBus protocols should better stop here
+# ;))
+#
+# It just depends on what part of the SMBus and I2C specifications a given
+# client chip supports. SMBus block reads are no different from SMBus byte
+# reads, except that the master (here the VIA Pro) goes on reading after
+# the first byte sent by the slave (which could be about anything, from
+# hardware monitoring chip to EEPROM). In that respect, it also doesn't
+# much differ from the I2C block read, which also starts in the exact same
+# way. The difference between SMBus block read and I2C block read is that
+# the first byte returned by the slave on SMBus block read is supposed to
+# be the remaining number of data byte to be sent, while this is simply
+# the first data byte for I2C block reads.
+#
+# To make it clearer, here comes the detail of the byte read, SMBus block
+# read and I2C block read commands (-> means from master to slave, <-
+# means from slave to master). See the official specifications for I2C and
+# SMBus for nicer graphics and additional details.
+#
+# Byte read:
+# -> client address, write mode
+# -> register address
+# -> client address, read mode
+# <- data byte
+#
+# SMBus block read:
+# -> client address, write mode
+# -> register address
+# -> client address, read mode
+# <- length byte (1 <=3D N <=3D 32)
+# <- first byte
+# <- next byte
+# <- ...
+# <- last (Nth) byte
+#
+# I2C block read:
+# -> client address, write mode
+# -> register address
+# -> client address, read mode
+# <- first byte
+# <- next byte
+# <- ...
+# <- last byte
+#
+# In each case, the *master* decides when to stop the transfer, not the
+# slave.
+#
+# There are two consequences for us here:
+#
+# 1* The client chip cannot differenciate between byte read and SMBus block
+# read until after it sent a first byte - which basically means that a
+# given register address is specified to be read with either command, not
+# both, and not using the correct one returns bogus results. i2c-dev
+# allows arbitrary commands so it is possible to ask for a SMBus block
+# read on a register that expects a simple byte read. The client
+# innocently will answer with the register value - which the master will
+# interpret as a length, and the master will then request that many
+# additional data bytes. If the client features autoincrement in this
+# register address range, it will most likely provide the value of the
+# next registers, if not it will dumbly return the same register value
+# again and again.
+#
+# This illustrates the fact that it doesn't take a broken chip to cause a
+# buffer overflow. It only takes a SMBus block read command on a register
+# for which the client did not expect it (and almost no client actually
+# supports SMBus block reads at the moment). If it happens that the
+# register value was greater than 32, the buffer overflow will occur
+# (without Sergey's fix, that is). So, with write access to the i2c
+# device files, it is actually very easy to trigger the buffer overflow,
+# providing there is at least one chip on the VIA Pro SMBus.
+#
+# 2* A client chip can obviously only implement SMBus block read or I2C
+# block read for a given register address, since the sequence sent by the
+# master is exactly the same. Not a big deal since a client chip is
+# designed either as an I2C slave or as a SMBus slave. However the master
+# doesn't know this, and i2c-dev allows arbitrary commands, so it is
+# possible to use an SMBus block read on an I2C slave which expected
+# instead an I2C block read, causing weird results.
+#
+# EEPROMs are such I2C slaves and they support I2C block reads. Now,
+# imagine that a non-write-protected EEPROM hangs on my VIA Pro SMBus (a
+# memory module SPD EEPROM would probably do), and for some reason i2c-dev
+# gives me access to it. I can write arbitrary bytes to the EEPROM using
+# simple byte writes. I could write the following bytes, in order, at some
+# location: 0x80, 34 null bytes, 94 bytes of nasty code. Then, still
+# through i2c-dev, I request a SMBus block read from the same location.
+# The EEPROM will answer as if it were an I2C block read (it can't
+# differenciate and doesn't support SMBus block reads anyway), i.e. it
+# will return as many bytes as requested, in order. The VIA Pro master
+# will however interpret the first byte (0x80) as a length, and will read
+# 128 bytes from the EEPROM, 34 of which will fill the data buffer, and 94
+# will overflow. Providing I know how the kernel works, these 94 bytes
+# could be used for doing presumably bad things.
+#
+# This illustrates the fact that the user may actually control the buffer
+# overflow, indirectly, depending on what hardware is present on the bus.
+# EEPROMs are the most obvious way to do it, but some hardware monitoring
+# chips have RAM arrays that could presumably be used in a similar way.
+#
+# As a conclusion, I definitely agree that this buffer overflow isn't easy
+# to exploit, as it takes a particular combination of hardware and
+# non-standard permissions on i2c device files, and also requires very
+# good knowledge of the I2C and SMBus protocols; it is not impossible
+# though.
+#
+#
+# Signed-off-by: Jean Delvare <khali@linux-fr.org>
+# Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
+#
+# drivers/i2c/busses/i2c-viapro.c
+# 2005/02/02 22:33:16-08:00 khali@linux-fr.org +4 -2
+# I2C: Prevent buffer overflow on SMBus block read in
+#
+diff -Nru a/drivers/i2c/busses/i2c-viapro.c b/drivers/i2c/busses/i2c-viapro.c
+--- a/drivers/i2c/busses/i2c-viapro.c 2005-02-14 05:06:44 -08:00
++++ b/drivers/i2c/busses/i2c-viapro.c 2005-02-14 05:06:44 -08:00
+@@ -233,8 +233,8 @@
+ len = data->block[0];
+ if (len < 0)
+ len = 0;
+- if (len > 32)
+- len = 32;
++ if (len > I2C_SMBUS_BLOCK_MAX)
++ len = I2C_SMBUS_BLOCK_MAX;
+ outb_p(len, SMBHSTDAT0);
+ i = inb_p(SMBHSTCNT); /* Reset SMBBLKDAT */
+ for (i = 1; i <= len; i++)
+@@ -268,6 +268,8 @@
+ break;
+ case VT596_BLOCK_DATA:
+ data->block[0] = inb_p(SMBHSTDAT0);
++ if (data->block[0] > I2C_SMBUS_BLOCK_MAX)
++ data->block[0] = I2C_SMBUS_BLOCK_MAX;
+ i = inb_p(SMBHSTCNT); /* Reset SMBBLKDAT */
+ for (i = 1; i <= data->block[0]; i++)
+ data->block[i] = inb_p(SMBBLKDAT);
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/120-openpromfs_property_read_fix.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/120-openpromfs_property_read_fix.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/120-openpromfs_property_read_fix.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,54 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] openpromfs property_read() fix
+## DP: Patch author: viro@parcelfarce.linux.theplanet.co.uk
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/02 13:15:59-08:00 viro@parcelfarce.linux.theplanet.co.uk
+# [PATCH] openpromfs property_read() fix
+#
+# openpromfs property_read() is slightly abused by property_write() - the
+# latter calls property_read(file, NULL, 0, NULL) if we still hadn't done
+# any IO on that file; property_read() will do setup work and, since it's
+# called with count equal to 0, do nothing else.
+#
+# That stopped working - now we check if *ppos is sane before doing
+# anything else and that, of course, oopses. Trivial fix is to move the
+# check past that for count == 0...
+#
+# Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# fs/openpromfs/inode.c
+# 2005/02/01 23:45:36-08:00 viro@parcelfarce.linux.theplanet.co.uk +2 -2
+# openpromfs property_read() fix
+#
+diff -Nru a/fs/openpromfs/inode.c b/fs/openpromfs/inode.c
+--- a/fs/openpromfs/inode.c 2005-02-14 04:45:14 -08:00
++++ b/fs/openpromfs/inode.c 2005-02-14 04:45:14 -08:00
+@@ -94,8 +94,6 @@
+ openprom_property *op;
+ char buffer[64];
+
+- if (*ppos >= 0xffffff || count >= 0xffffff)
+- return -EINVAL;
+ if (!filp->private_data) {
+ node = nodes[(u16)((long)inode->u.generic_ip)].node;
+ i = ((u32)(long)inode->u.generic_ip) >> 16;
+@@ -168,6 +166,8 @@
+ op = (openprom_property *)filp->private_data;
+ if (!count || !(op->len || (op->flag & OPP_ASCIIZ)))
+ return 0;
++ if (*ppos >= 0xffffff || count >= 0xffffff)
++ return -EINVAL;
+ if (op->flag & OPP_STRINGLIST) {
+ for (k = 0, p = op->value; p < op->value + op->len; p++)
+ if (!*p)
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/121-cpufreq_resume_readd.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/121-cpufreq_resume_readd.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/121-cpufreq_resume_readd.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,54 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [CPUFREQ] re-add call to cpufreq_driver->resume()
+## DP: Patch author: davej@redhat.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/29 02:42:43-05:00 davej@redhat.com
+# [CPUFREQ] re-add call to cpufreq_driver->resume()
+#
+# (if anyone has a brown spare paper bag, feel free to send it to me:)
+#
+# The call to cpufreq_driver->resume() got lost in 2.6.6. Re-add it at the
+# proper place.
+#
+# Signed-off-by: Dominik Brodowski <linux@brodo.de>
+# Signed-off-by: Dave Jones <davej@redhat.com>
+#
+# drivers/cpufreq/cpufreq.c
+# 2004/12/29 02:42:27-05:00 davej@redhat.com +7 -0
+# [CPUFREQ] re-add call to cpufreq_driver->resume()
+#
+# (if anyone has a brown spare paper bag, feel free to send it to me:)
+#
+# The call to cpufreq_driver->resume() got lost in 2.6.6. Re-add it at the
+# proper place.
+#
+# Signed-off-by: Dominik Brodowski <linux@brodo.de>
+# Signed-off-by: Dave Jones <davej@redhat.com>
+#
+diff -Nru a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+--- a/drivers/cpufreq/cpufreq.c 2005-02-14 05:47:41 -08:00
++++ b/drivers/cpufreq/cpufreq.c 2005-02-14 05:47:41 -08:00
+@@ -893,6 +893,13 @@
+ return 0;
+ }
+
++ if (cpufreq_driver->resume) {
++ ret = cpufreq_driver->resume(cpu_policy);
++ printk(KERN_ERR "cpufreq: resume failed in ->resume step on CPU %u\n", cpu_policy->cpu);
++ cpufreq_cpu_put(cpu_policy);
++ return (ret);
++ }
++
+ if (!(cpufreq_driver->flags & CPUFREQ_CONST_LOOPS)) {
+ unsigned int cur_freq = 0;
+
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/122-cpufreq_resume_readd_2.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/122-cpufreq_resume_readd_2.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/122-cpufreq_resume_readd_2.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,50 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] cpufreq_resume() fix
+## DP: Patch author: dilinger@voxel.net
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/03 17:01:33-08:00 dilinger@voxel.net
+# [PATCH] cpufreq_resume() fix
+#
+# Since acpi_cpufreq_resume and speedstep_resume appear to return 0 upon
+# success, it seems like the attached patch is what the desired behavior
+# would be. Otherwise, cpufreq_resume() always prints an error and exits
+# early if using a cpufreq_driver that supports resume.
+#
+# Signed-off-by: Dominik Brodowski <linux@brodo.de>
+# Signed-off-by: Dave Jones <davej@redhat.com>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# drivers/cpufreq/cpufreq.c
+# 2005/02/03 06:42:40-08:00 dilinger@voxel.net +6 -3
+# cpufreq_resume() fix
+#
+diff -Nru a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+--- a/drivers/cpufreq/cpufreq.c 2005-02-14 04:55:45 -08:00
++++ b/drivers/cpufreq/cpufreq.c 2005-02-14 04:55:45 -08:00
+@@ -900,9 +900,12 @@
+
+ if (cpufreq_driver->resume) {
+ ret = cpufreq_driver->resume(cpu_policy);
+- printk(KERN_ERR "cpufreq: resume failed in ->resume step on CPU %u\n", cpu_policy->cpu);
+- cpufreq_cpu_put(cpu_policy);
+- return (ret);
++ if (ret) {
++ printk(KERN_ERR "cpufreq: resume failed in ->resume "
++ "step on CPU %u\n", cpu_policy->cpu);
++ cpufreq_cpu_put(cpu_policy);
++ return ret;
++ }
+ }
+
+ if (!(cpufreq_driver->flags & CPUFREQ_CONST_LOOPS)) {
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/123-atm_get_addr_signedness_fix.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/123-atm_get_addr_signedness_fix.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/123-atm_get_addr_signedness_fix.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,54 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix ATM copy-to-user usage.
+## DP: Patch author: torvalds@ppc970.osdl.org
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/08 07:59:56-08:00 torvalds@ppc970.osdl.org
+# Fix ATM copy-to-user usage.
+#
+# More of the Guninski "copy_to_user() takes a size_t" series.
+#
+# net/atm/addr.c
+# 2005/02/08 07:59:48-08:00 torvalds@ppc970.osdl.org +1 -1
+# Fix ATM copy-to-user usage.
+#
+# More of the Guninski "copy_to_user() takes a size_t" series.
+#
+# net/atm/addr.h
+# 2005/02/08 07:59:48-08:00 torvalds@ppc970.osdl.org +1 -1
+# Fix ATM copy-to-user usage.
+#
+# More of the Guninski "copy_to_user() takes a size_t" series.
+#
+diff -Nru a/net/atm/addr.c b/net/atm/addr.c
+--- a/net/atm/addr.c 2004-10-18 17:53:08.000000000 -0400
++++ b/net/atm/addr.c 2005-02-22 04:09:27.014499056 -0500
+@@ -114,7 +114,7 @@
+ }
+
+
+-int atm_get_addr(struct atm_dev *dev,struct sockaddr_atmsvc __user *buf,int size)
++int atm_get_addr(struct atm_dev *dev,struct sockaddr_atmsvc __user *buf,size_t size)
+ {
+ unsigned long flags;
+ struct atm_dev_addr *walk;
+diff -Nru a/net/atm/addr.h b/net/atm/addr.h
+--- a/net/atm/addr.h 2005-02-14 04:38:48 -08:00
++++ b/net/atm/addr.h 2005-02-14 04:38:48 -08:00
+@@ -13,6 +13,6 @@
+ void atm_reset_addr(struct atm_dev *dev);
+ int atm_add_addr(struct atm_dev *dev,struct sockaddr_atmsvc *addr);
+ int atm_del_addr(struct atm_dev *dev,struct sockaddr_atmsvc *addr);
+-int atm_get_addr(struct atm_dev *dev,struct sockaddr_atmsvc __user *buf,int size);
++int atm_get_addr(struct atm_dev *dev,struct sockaddr_atmsvc __user *buf,size_t size);
+
+ #endif
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/125-netfilter_private_queues_2.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/125-netfilter_private_queues_2.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/125-netfilter_private_queues_2.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,34 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SECURITY] Add missing bits needed for 114-*.dpatch
+## DP: Patch author: ?
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+diff -Nru a/include/net/ip.h b/include/net/ip.h
+--- a/include/net/ip.h 2005-02-22 20:39:57.303721808 -0500
++++ b/include/net/ip.h 2005-02-22 20:40:09.034938392 -0500
+@@ -261,6 +261,7 @@
+ IP_DEFRAG_CONNTRACK_IN,
+ IP_DEFRAG_CONNTRACK_OUT,
+ IP_DEFRAG_NAT_OUT,
++ IP_DEFRAG_FW_COMPAT,
+ IP_DEFRAG_VS_IN,
+ IP_DEFRAG_VS_OUT,
+ IP_DEFRAG_VS_FWD
+diff -Nru a/net/ipv4/netfilter/ip_fw_compat.c b/net/ipv4/netfilter/ip_fw_compat.c
+--- a/net/ipv4/netfilter/ip_fw_compat.c 2005-02-22 20:45:29.032291400 -0500
++++ b/net/ipv4/netfilter/ip_fw_compat.c 2005-02-22 20:45:41.167446576 -0500
+@@ -80,7 +80,7 @@
+ &redirpt, pskb);
+
+ if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- *pskb = ip_ct_gather_frags(*pskb);
++ *pskb = ip_ct_gather_frags(*pskb, IP_DEFRAG_NAT_OUT);
+
+ if (!*pskb)
+ return NF_STOLEN;
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/126-ftdi_sio_set_serial_info_baud_base_check.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/126-ftdi_sio_set_serial_info_baud_base_check.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/126-ftdi_sio_set_serial_info_baud_base_check.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,54 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] Re: Bug when using custom baud rates....
+## DP: Patch author: R.E.Wolff@harddisk-recovery.nl
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/03 01:37:12-08:00 R.E.Wolff@harddisk-recovery.nl
+# [PATCH] Re: Bug when using custom baud rates....
+#
+# When using custom baud rates, the code does:
+#
+#
+# if ((new_serial.baud_base != priv->baud_base) ||
+# (new_serial.baud_base < 9600))
+# return -EINVAL;
+#
+# Which translates to english as:
+#
+# If you changed the baud-base, OR the new one is
+# invalid, return invalid.
+#
+# but it should be:
+#
+# If you changed the baud-base, OR the new one is
+# invalid, return invalid.
+#
+#
+# From: Rogier Wolff <R.E.Wolff@harddisk-recovery.nl>
+# Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
+#
+# drivers/usb/serial/ftdi_sio.c
+# 2005/02/02 22:20:59-08:00 R.E.Wolff@harddisk-recovery.nl +1 -1
+# Re: Bug when using custom baud rates....
+#
+diff -Nru a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+--- a/drivers/usb/serial/ftdi_sio.c 2005-02-14 04:48:19 -08:00
++++ b/drivers/usb/serial/ftdi_sio.c 2005-02-14 04:48:19 -08:00
+@@ -1140,7 +1140,7 @@
+ goto check_and_exit;
+ }
+
+- if ((new_serial.baud_base != priv->baud_base) ||
++ if ((new_serial.baud_base != priv->baud_base) &&
+ (new_serial.baud_base < 9600))
+ return -EINVAL;
+
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/127-ia64_ptrace_corner_case.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/127-ia64_ptrace_corner_case.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/127-ia64_ptrace_corner_case.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,252 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [IA64] clean up ptrace corner cases
+## DP: Patch author: tony.luck@intel.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/22 14:21:34-08:00 tony.luck@intel.com
+# [IA64] clean up ptrace corner cases
+#
+# Patch from yanmin.zhang@intel.com to fix up some corner cases
+# in ptrace. Many thanks to davidm for reviewing and improving.
+#
+# Signed-off-by: Tony Luck <tony.luck@intel.com>
+#
+# arch/ia64/kernel/entry.S
+# 2005/01/22 14:18:28-08:00 tony.luck@intel.com +19 -7
+# clean up ptrace corner cases
+#
+# arch/ia64/kernel/fsys.S
+# 2005/01/22 14:19:11-08:00 tony.luck@intel.com +3 -2
+# clean up ptrace corner cases
+#
+# arch/ia64/kernel/gate.S
+# 2005/01/22 14:19:18-08:00 tony.luck@intel.com +3 -1
+# clean up ptrace corner cases
+#
+# arch/ia64/kernel/ivt.S
+# 2005/01/22 14:19:19-08:00 tony.luck@intel.com +20 -5
+# clean up ptrace corner cases
+#
+# arch/ia64/kernel/process.c
+# 2005/01/22 14:19:21-08:00 tony.luck@intel.com +1 -1
+# clean up ptrace corner cases
+#
+# include/asm-ia64/unistd.h
+# 2005/01/22 14:19:22-08:00 tony.luck@intel.com +1 -1
+# clean up ptrace corner cases
+#
+diff -Nru a/arch/ia64/kernel/entry.S b/arch/ia64/kernel/entry.S
+--- a/arch/ia64/kernel/entry.S 2005-02-14 02:54:07 -08:00
++++ b/arch/ia64/kernel/entry.S 2005-02-14 02:54:07 -08:00
+@@ -51,8 +51,11 @@
+ * setup a null register window frame.
+ */
+ ENTRY(ia64_execve)
+- .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(3)
+- alloc loc1=ar.pfs,3,2,4,0
++ /*
++ * Allocate 8 input registers since ptrace() may clobber them
++ */
++ .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(8)
++ alloc loc1=ar.pfs,8,2,4,0
+ mov loc0=rp
+ .body
+ mov out0=in0 // filename
+@@ -113,8 +116,11 @@
+ * u64 tls)
+ */
+ GLOBAL_ENTRY(sys_clone2)
+- .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(6)
+- alloc r16=ar.pfs,6,2,6,0
++ /*
++ * Allocate 8 input registers since ptrace() may clobber them
++ */
++ .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(8)
++ alloc r16=ar.pfs,8,2,6,0
+ DO_SAVE_SWITCH_STACK
+ adds r2=PT(R16)+IA64_SWITCH_STACK_SIZE+16,sp
+ mov loc0=rp
+@@ -142,8 +148,11 @@
+ * Deprecated. Use sys_clone2() instead.
+ */
+ GLOBAL_ENTRY(sys_clone)
+- .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(5)
+- alloc r16=ar.pfs,5,2,6,0
++ /*
++ * Allocate 8 input registers since ptrace() may clobber them
++ */
++ .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(8)
++ alloc r16=ar.pfs,8,2,6,0
+ DO_SAVE_SWITCH_STACK
+ adds r2=PT(R16)+IA64_SWITCH_STACK_SIZE+16,sp
+ mov loc0=rp
+@@ -1212,7 +1221,10 @@
+
+ ENTRY(sys_rt_sigreturn)
+ PT_REGS_UNWIND_INFO(0)
+- alloc r2=ar.pfs,0,0,1,0
++ /*
++ * Allocate 8 input registers since ptrace() may clobber them
++ */
++ alloc r2=ar.pfs,8,0,1,0
+ .prologue
+ PT_REGS_SAVES(16)
+ adds sp=-16,sp
+diff -Nru a/arch/ia64/kernel/fsys.S b/arch/ia64/kernel/fsys.S
+--- a/arch/ia64/kernel/fsys.S 2005-02-14 02:54:07 -08:00
++++ b/arch/ia64/kernel/fsys.S 2005-02-14 02:54:07 -08:00
+@@ -612,8 +612,9 @@
+ ;;
+ mov rp=r2 // set the real return addr
+ tbit.z p8,p0=r3,TIF_SYSCALL_TRACE
+-
+-(p8) br.call.sptk.many b6=b6 // ignore this return addr
++ ;;
++(p10) br.cond.spnt.many ia64_ret_from_syscall // p10==true means out registers are more than 8
++(p8) br.call.sptk.many b6=b6 // ignore this return addr
+ br.cond.sptk ia64_trace_syscall
+ END(fsys_bubble_down)
+
+diff -Nru a/arch/ia64/kernel/gate.S b/arch/ia64/kernel/gate.S
+--- a/arch/ia64/kernel/gate.S 2005-02-14 02:54:07 -08:00
++++ b/arch/ia64/kernel/gate.S 2005-02-14 02:54:07 -08:00
+@@ -81,6 +81,7 @@
+ LOAD_FSYSCALL_TABLE(r14)
+
+ mov r16=IA64_KR(CURRENT) // 12 cycle read latency
++ tnat.nz p10,p9=r15
+ mov r19=NR_syscalls-1
+ ;;
+ shladd r18=r17,3,r14
+@@ -119,7 +120,8 @@
+ #endif
+
+ mov r10=-1
+- mov r8=ENOSYS
++(p10) mov r8=EINVAL
++(p9) mov r8=ENOSYS
+ FSYS_RETURN
+ END(__kernel_syscall_via_epc)
+
+diff -Nru a/arch/ia64/kernel/ivt.S b/arch/ia64/kernel/ivt.S
+--- a/arch/ia64/kernel/ivt.S 2005-02-14 02:54:07 -08:00
++++ b/arch/ia64/kernel/ivt.S 2005-02-14 02:54:07 -08:00
+@@ -51,6 +51,7 @@
+ #include <asm/system.h>
+ #include <asm/thread_info.h>
+ #include <asm/unistd.h>
++#include <asm/errno.h>
+
+ #if 1
+ # define PSR_DEFAULT_BITS psr.ac
+@@ -732,10 +733,12 @@
+ ssm psr.ic | PSR_DEFAULT_BITS
+ ;;
+ srlz.i // guarantee that interruption collection is on
++ mov r3=NR_syscalls - 1
+ ;;
+ (p15) ssm psr.i // restore psr.i
++ // p10==true means out registers are more than 8 or r15's Nat is true
++(p10) br.cond.spnt.many ia64_ret_from_syscall
+ ;;
+- mov r3=NR_syscalls - 1
+ movl r16=sys_call_table
+
+ adds r15=-1024,r15 // r15 contains the syscall number---subtract 1024
+@@ -836,8 +839,11 @@
+ * On exit:
+ * - executing on bank 1 registers
+ * - psr.ic enabled, interrupts restored
++ * - p10: TRUE if syscall is invoked with more than 8 out
++ * registers or r15's Nat is true
+ * - r1: kernel's gp
+ * - r3: preserved (same as on entry)
++ * - r8: -EINVAL if p10 is true
+ * - r12: points to kernel stack
+ * - r13: points to current task
+ * - p15: TRUE if interrupts need to be re-enabled
+@@ -871,12 +877,17 @@
+ ;;
+
+ st8 [r16]=r19,PT(AR_RNAT)-PT(CR_IFS) // store ar.pfs.pfm in cr.ifs
++ extr.u r11=r19,7,7 // I0 // get sol of ar.pfs
++ and r8=0x7f,r19 // A // get sof of ar.pfs
++
+ st8 [r17]=r27,PT(AR_BSPSTORE)-PT(AR_RSC)// save ar.rsc
++ tbit.nz p15,p0=r29,IA64_PSR_I_BIT // I0
+ (p9) mov in1=-1
++ ;;
+
+ (pUStk) sub r18=r18,r22 // r18=RSE.ndirty*8
+- tbit.nz p15,p0=r29,IA64_PSR_I_BIT
+ tnat.nz p10,p0=in2
++ add r11=8,r11
+ ;;
+ (pKStk) adds r16=PT(PR)-PT(AR_RNAT),r16 // skip over ar_rnat field
+ (pKStk) adds r17=PT(B0)-PT(AR_BSPSTORE),r17 // skip over ar_bspstore field
+@@ -904,25 +915,29 @@
+ (p13) mov in5=-1
+ ;;
+ st8 [r16]=r21,PT(R8)-PT(AR_FPSR) // save ar.fpsr
+- st8.spill [r17]=r15 // save r15
+ tnat.nz p14,p0=in6
++ cmp.lt p10,p9=r11,r8 // frame size can't be more than local+8
+ ;;
+ stf8 [r16]=f1 // ensure pt_regs.r8 != 0 (see handle_syscall_error)
++(p9) tnat.nz p10,p0=r15
+ adds r12=-16,r1 // switch to kernel memory stack (with 16 bytes of scratch)
++
++ st8.spill [r17]=r15 // save r15
+ tnat.nz p8,p0=in7
++ nop.i 0
+
+ mov r13=r2 // establish `current'
+ movl r1=__gp // establish kernel global pointer
+ ;;
+ (p14) mov in6=-1
+ (p8) mov in7=-1
+- tnat.nz p9,p0=r15
++ nop.i 0
+
+ cmp.eq pSys,pNonSys=r0,r0 // set pSys=1, pNonSys=0
+ movl r17=FPSR_DEFAULT
+ ;;
+ mov.m ar.fpsr=r17 // set ar.fpsr to kernel default value
+-(p9) mov r15=-1
++(p10) mov r8=-EINVAL
+ br.ret.sptk.many b7
+ END(ia64_syscall_setup)
+
+diff -Nru a/arch/ia64/kernel/process.c b/arch/ia64/kernel/process.c
+--- a/arch/ia64/kernel/process.c 2005-02-14 02:54:07 -08:00
++++ b/arch/ia64/kernel/process.c 2005-02-14 02:54:07 -08:00
+@@ -632,7 +632,7 @@
+ return 1; /* f0-f31 are always valid so we always return 1 */
+ }
+
+-asmlinkage long
++long
+ sys_execve (char __user *filename, char __user * __user *argv, char __user * __user *envp,
+ struct pt_regs *regs)
+ {
+diff -Nru a/include/asm-ia64/unistd.h b/include/asm-ia64/unistd.h
+--- a/include/asm-ia64/unistd.h 2005-02-14 02:54:07 -08:00
++++ b/include/asm-ia64/unistd.h 2005-02-14 02:54:07 -08:00
+@@ -374,7 +374,7 @@
+ int fd, long pgoff);
+ struct pt_regs;
+ struct sigaction;
+-asmlinkage long sys_execve(char __user *filename, char __user * __user *argv,
++long sys_execve(char __user *filename, char __user * __user *argv,
+ char __user * __user *envp, struct pt_regs *regs);
+ asmlinkage long sys_pipe(long arg0, long arg1, long arg2, long arg3,
+ long arg4, long arg5, long arg6, long arg7, long stack);
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/129-video_cg3_screen_blanking.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/129-video_cg3_screen_blanking.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/129-video_cg3_screen_blanking.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,38 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SPARC]: Fix cg3 fb blanking.
+## DP: Patch author: davem@nuts.davemloft.net
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/15 07:41:38-08:00 davem@nuts.davemloft.net
+# [SPARC]: Fix cg3 fb blanking.
+#
+# cg3_blank() needs to clear the video enable register bit
+# to blank the screen, not set it.
+#
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# drivers/video/cg3.c
+# 2005/02/15 07:40:51-08:00 davem@nuts.davemloft.net +1 -1
+# [SPARC]: Fix cg3 fb blanking.
+#
+diff -Nru a/drivers/video/cg3.c b/drivers/video/cg3.c
+--- a/drivers/video/cg3.c 2005-02-24 23:33:57 -08:00
++++ b/drivers/video/cg3.c 2005-02-24 23:33:57 -08:00
+@@ -209,7 +209,7 @@
+ case FB_BLANK_HSYNC_SUSPEND: /* VESA blank (hsync off) */
+ case FB_BLANK_POWERDOWN: /* Poweroff */
+ val = sbus_readb(®s->control);
+- val |= CG3_CR_ENABLE_VIDEO;
++ val &= ~CG3_CR_ENABLE_VIDEO;
+ sbus_writeb(val, ®s->control);
+ par->flags |= CG3_FLAG_BLANKED;
+ break;
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/130-sparc_prom_nodematch_check_getproperty.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/130-sparc_prom_nodematch_check_getproperty.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/130-sparc_prom_nodematch_check_getproperty.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,41 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SPARC]:Check prom_getproperty() return value in prom_nodematch().
+## DP: Patch author: ahaas@airmail.net
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/15 09:35:53-08:00 ahaas@airmail.net
+# [SPARC]:Check prom_getproperty() return value in prom_nodematch().
+#
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# arch/sparc/prom/tree.c
+# 2005/02/15 09:35:23-08:00 ahaas@airmail.net +4 -1
+# [SPARC]:Check prom_getproperty() return value in prom_nodematch().
+#
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/arch/sparc/prom/tree.c b/arch/sparc/prom/tree.c
+--- a/arch/sparc/prom/tree.c 2005-02-24 23:41:20 -08:00
++++ b/arch/sparc/prom/tree.c 2005-02-24 23:41:20 -08:00
+@@ -176,8 +176,11 @@
+ */
+ int prom_nodematch(int node, char *name)
+ {
++ int error;
++
+ static char namebuf[128];
+- prom_getproperty(node, "name", namebuf, sizeof(namebuf));
++ error = prom_getproperty(node, "name", namebuf, sizeof(namebuf));
++ if (error == -1) return 0;
+ if(strcmp(namebuf, name) == 0) return 1;
+ return 0;
+ }
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/131-sparc_check_prom_getproperty.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/131-sparc_check_prom_getproperty.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/131-sparc_check_prom_getproperty.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,308 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SPARC]: Check prom_getproperty return value.
+## DP: Patch author: breuerr@mc.net
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/15 18:44:43-08:00 breuerr@mc.net
+# [SPARC]: Check prom_getproperty return value.
+#
+# Errors should not be ignored, so add __must_check
+# tag to this function as well.
+#
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# arch/sparc/kernel/auxio.c
+# 2005/02/15 18:43:33-08:00 breuerr@mc.net +4 -2
+# [SPARC]: Check prom_getproperty return value.
+#
+# arch/sparc/kernel/idprom.c
+# 2005/02/15 18:43:33-08:00 breuerr@mc.net +4 -5
+# [SPARC]: Check prom_getproperty return value.
+#
+# arch/sparc/kernel/sun4c_irq.c
+# 2005/02/15 18:43:33-08:00 breuerr@mc.net +11 -6
+# [SPARC]: Check prom_getproperty return value.
+#
+# arch/sparc/mm/io-unit.c
+# 2005/02/15 18:43:33-08:00 breuerr@mc.net +9 -7
+# [SPARC]: Check prom_getproperty return value.
+#
+# arch/sparc/mm/iommu.c
+# 2005/02/15 18:43:33-08:00 breuerr@mc.net +10 -8
+# [SPARC]: Check prom_getproperty return value.
+#
+# arch/sparc/mm/sun4c.c
+# 2005/02/15 18:43:33-08:00 breuerr@mc.net +2 -1
+# [SPARC]: Check prom_getproperty return value.
+#
+# arch/sparc/prom/console.c
+# 2005/02/15 18:43:33-08:00 breuerr@mc.net +25 -18
+# [SPARC]: Check prom_getproperty return value.
+#
+# include/asm-sparc/floppy.h
+# 2005/02/15 18:43:33-08:00 breuerr@mc.net +2 -2
+# [SPARC]: Check prom_getproperty return value.
+#
+# include/asm-sparc/oplib.h
+# 2005/02/15 18:43:33-08:00 breuerr@mc.net +3 -2
+# [SPARC]: Check prom_getproperty return value.
+#
+diff -Nru a/arch/sparc/kernel/auxio.c b/arch/sparc/kernel/auxio.c
+--- a/arch/sparc/kernel/auxio.c 2005-02-24 23:41:51 -08:00
++++ b/arch/sparc/kernel/auxio.c 2005-02-24 23:41:51 -08:00
+@@ -53,7 +53,8 @@
+ #endif
+ }
+ }
+- prom_getproperty(auxio_nd, "reg", (char *) auxregs, sizeof(auxregs));
++ if(prom_getproperty(auxio_nd, "reg", (char *) auxregs, sizeof(auxregs)) <= 0)
++ return;
+ prom_apply_obio_ranges(auxregs, 0x1);
+ /* Map the register both read and write */
+ r.flags = auxregs[0].which_io & 0xF;
+@@ -121,7 +122,8 @@
+ return;
+
+ /* Map the power control register. */
+- prom_getproperty(node, "reg", (char *)®s, sizeof(regs));
++ if (prom_getproperty(node, "reg", (char *)®s, sizeof(regs)) <= 0)
++ return;
+ prom_apply_obio_ranges(®s, 1);
+ memset(&r, 0, sizeof(r));
+ r.flags = regs.which_io & 0xF;
+diff -Nru a/arch/sparc/kernel/idprom.c b/arch/sparc/kernel/idprom.c
+--- a/arch/sparc/kernel/idprom.c 2005-02-24 23:41:51 -08:00
++++ b/arch/sparc/kernel/idprom.c 2005-02-24 23:41:51 -08:00
+@@ -53,13 +53,12 @@
+
+ for (i = 0; i < NUM_SUN_MACHINES; i++) {
+ if(Sun_Machines[i].id_machtype == machtype) {
+- if (machtype != (SM_SUN4M_OBP | 0x00))
++ if (machtype != (SM_SUN4M_OBP | 0x00) ||
++ prom_getproperty(prom_root_node, "banner-name",
++ sysname, sizeof(sysname)) <= 0)
+ printk("TYPE: %s\n", Sun_Machines[i].name);
+- else {
+- prom_getproperty(prom_root_node, "banner-name",
+- sysname, sizeof(sysname));
++ else
+ printk("TYPE: %s\n", sysname);
+- }
+ return;
+ }
+ }
+diff -Nru a/arch/sparc/kernel/sun4c_irq.c b/arch/sparc/kernel/sun4c_irq.c
+--- a/arch/sparc/kernel/sun4c_irq.c 2005-02-24 23:41:51 -08:00
++++ b/arch/sparc/kernel/sun4c_irq.c 2005-02-24 23:41:51 -08:00
+@@ -217,13 +217,18 @@
+ panic("Cannot find /interrupt-enable node");
+
+ /* Depending on the "address" property is bad news... */
+- prom_getproperty(ie_node, "reg", (char *) int_regs, sizeof(int_regs));
+- memset(&phyres, 0, sizeof(struct resource));
+- phyres.flags = int_regs[0].which_io;
+- phyres.start = int_regs[0].phys_addr;
+- interrupt_enable = (char *) sbus_ioremap(&phyres, 0,
+- int_regs[0].reg_size, "sun4c_intr");
++ interrupt_enable = NULL;
++ if (prom_getproperty(ie_node, "reg", (char *) int_regs,
++ sizeof(int_regs)) != -1) {
++ memset(&phyres, 0, sizeof(struct resource));
++ phyres.flags = int_regs[0].which_io;
++ phyres.start = int_regs[0].phys_addr;
++ interrupt_enable = (char *) sbus_ioremap(&phyres, 0,
++ int_regs[0].reg_size, "sun4c_intr");
++ }
+ }
++ if (!interrupt_enable)
++ panic("Cannot map interrupt_enable");
+
+ BTFIXUPSET_CALL(sbint_to_irq, sun4c_sbint_to_irq, BTFIXUPCALL_NORM);
+ BTFIXUPSET_CALL(enable_irq, sun4c_enable_irq, BTFIXUPCALL_NORM);
+diff -Nru a/arch/sparc/mm/io-unit.c b/arch/sparc/mm/io-unit.c
+--- a/arch/sparc/mm/io-unit.c 2005-02-24 23:41:51 -08:00
++++ b/arch/sparc/mm/io-unit.c 2005-02-24 23:41:51 -08:00
+@@ -52,13 +52,15 @@
+ iounit->rotor[1] = IOUNIT_BMAP2_START;
+ iounit->rotor[2] = IOUNIT_BMAPM_START;
+
+- prom_getproperty(sbi_node, "reg", (void *) iommu_promregs,
+- sizeof(iommu_promregs));
+- prom_apply_generic_ranges(io_node, 0, iommu_promregs, 3);
+- memset(&r, 0, sizeof(r));
+- r.flags = iommu_promregs[2].which_io;
+- r.start = iommu_promregs[2].phys_addr;
+- xpt = (iopte_t *) sbus_ioremap(&r, 0, PAGE_SIZE * 16, "XPT");
++ xpt = NULL;
++ if(prom_getproperty(sbi_node, "reg", (void *) iommu_promregs,
++ sizeof(iommu_promregs)) != -1) {
++ prom_apply_generic_ranges(io_node, 0, iommu_promregs, 3);
++ memset(&r, 0, sizeof(r));
++ r.flags = iommu_promregs[2].which_io;
++ r.start = iommu_promregs[2].phys_addr;
++ xpt = (iopte_t *) sbus_ioremap(&r, 0, PAGE_SIZE * 16, "XPT");
++ }
+ if(!xpt) panic("Cannot map External Page Table.");
+
+ sbus->iommu = (struct iommu_struct *)iounit;
+diff -Nru a/arch/sparc/mm/iommu.c b/arch/sparc/mm/iommu.c
+--- a/arch/sparc/mm/iommu.c 2005-02-24 23:41:51 -08:00
++++ b/arch/sparc/mm/iommu.c 2005-02-24 23:41:51 -08:00
+@@ -71,14 +71,16 @@
+ prom_printf("Unable to allocate iommu structure\n");
+ prom_halt();
+ }
+- prom_getproperty(iommund, "reg", (void *) iommu_promregs,
+- sizeof(iommu_promregs));
+- memset(&r, 0, sizeof(r));
+- r.flags = iommu_promregs[0].which_io;
+- r.start = iommu_promregs[0].phys_addr;
+- iommu->regs = (struct iommu_regs *)
+- sbus_ioremap(&r, 0, PAGE_SIZE * 3, "iommu_regs");
+- if(!iommu->regs) {
++ iommu->regs = NULL;
++ if (prom_getproperty(iommund, "reg", (void *) iommu_promregs,
++ sizeof(iommu_promregs)) != -1) {
++ memset(&r, 0, sizeof(r));
++ r.flags = iommu_promregs[0].which_io;
++ r.start = iommu_promregs[0].phys_addr;
++ iommu->regs = (struct iommu_regs *)
++ sbus_ioremap(&r, 0, PAGE_SIZE * 3, "iommu_regs");
++ }
++ if (!iommu->regs) {
+ prom_printf("Cannot map IOMMU registers\n");
+ prom_halt();
+ }
+diff -Nru a/arch/sparc/mm/sun4c.c b/arch/sparc/mm/sun4c.c
+--- a/arch/sparc/mm/sun4c.c 2005-02-24 23:41:51 -08:00
++++ b/arch/sparc/mm/sun4c.c 2005-02-24 23:41:51 -08:00
+@@ -511,7 +511,8 @@
+ node = prom_searchsiblings(prom_root_node, "memory-error");
+ if (!node)
+ return;
+- prom_getproperty(node, "reg", (char *)regs, sizeof(regs));
++ if (prom_getproperty(node, "reg", (char *)regs, sizeof(regs)) <= 0)
++ return;
+ /* hmm I think regs[0].which_io is zero here anyways */
+ sun4c_memerr_reg = ioremap(regs[0].phys_addr, regs[0].reg_size);
+ }
+diff -Nru a/arch/sparc/prom/console.c b/arch/sparc/prom/console.c
+--- a/arch/sparc/prom/console.c 2005-02-24 23:41:51 -08:00
++++ b/arch/sparc/prom/console.c 2005-02-24 23:41:51 -08:00
+@@ -111,6 +111,7 @@
+ int st_p;
+ char propb[64];
+ char *p;
++ int propl;
+
+ switch(prom_vers) {
+ case PROM_V0:
+@@ -139,14 +140,16 @@
+ if(strncmp(propb, "serial", sizeof("serial")))
+ return PROMDEV_I_UNK;
+ }
+- prom_getproperty(prom_root_node, "stdin-path", propb, sizeof(propb));
+- p = propb;
+- while(*p) p++; p -= 2;
+- if(p[0] == ':') {
+- if(p[1] == 'a')
+- return PROMDEV_ITTYA;
+- else if(p[1] == 'b')
+- return PROMDEV_ITTYB;
++ propl = prom_getproperty(prom_root_node, "stdin-path", propb, sizeof(propb));
++ if(propl > 2) {
++ p = propb;
++ while(*p) p++; p -= 2;
++ if(p[0] == ':') {
++ if(p[1] == 'a')
++ return PROMDEV_ITTYA;
++ else if(p[1] == 'b')
++ return PROMDEV_ITTYB;
++ }
+ }
+ return PROMDEV_I_UNK;
+ }
+@@ -179,7 +182,7 @@
+ restore_current();
+ spin_unlock_irqrestore(&prom_lock, flags);
+ propl = prom_getproperty(st_p, "device_type", propb, sizeof(propb));
+- if (propl >= 0 && propl == sizeof("display") &&
++ if (propl == sizeof("display") &&
+ strncmp("display", propb, sizeof("display")) == 0)
+ {
+ return PROMDEV_OSCREEN;
+@@ -188,16 +191,20 @@
+ if(propl >= 0 &&
+ strncmp("serial", propb, sizeof("serial")) != 0)
+ return PROMDEV_O_UNK;
+- prom_getproperty(prom_root_node, "stdout-path", propb, sizeof(propb));
+- if(strncmp(propb, con_name_jmc, CON_SIZE_JMC) == 0)
++ propl = prom_getproperty(prom_root_node, "stdout-path",
++ propb, sizeof(propb));
++ if(propl == CON_SIZE_JMC &&
++ strncmp(propb, con_name_jmc, CON_SIZE_JMC) == 0)
+ return PROMDEV_OTTYA;
+- p = propb;
+- while(*p) p++; p -= 2;
+- if(p[0]==':') {
+- if(p[1] == 'a')
+- return PROMDEV_OTTYA;
+- else if(p[1] == 'b')
+- return PROMDEV_OTTYB;
++ if(propl > 2) {
++ p = propb;
++ while(*p) p++; p-= 2;
++ if(p[0]==':') {
++ if(p[1] == 'a')
++ return PROMDEV_OTTYA;
++ else if(p[1] == 'b')
++ return PROMDEV_OTTYB;
++ }
+ }
+ } else {
+ switch(*romvec->pv_stdin) {
+diff -Nru a/include/asm-sparc/floppy.h b/include/asm-sparc/floppy.h
+--- a/include/asm-sparc/floppy.h 2005-02-24 23:41:51 -08:00
++++ b/include/asm-sparc/floppy.h 2005-02-24 23:41:51 -08:00
+@@ -312,8 +312,8 @@
+ }
+
+ /* The sun4m lets us know if the controller is actually usable. */
+- if(sparc_cpu_model == sun4m) {
+- prom_getproperty(fd_node, "status", state, sizeof(state));
++ if(sparc_cpu_model == sun4m &&
++ prom_getproperty(fd_node, "status", state, sizeof(state)) != -1) {
+ if(!strcmp(state, "disabled")) {
+ goto no_sun_fdc;
+ }
+diff -Nru a/include/asm-sparc/oplib.h b/include/asm-sparc/oplib.h
+--- a/include/asm-sparc/oplib.h 2005-02-24 23:41:51 -08:00
++++ b/include/asm-sparc/oplib.h 2005-02-24 23:41:51 -08:00
+@@ -10,6 +10,7 @@
+
+ #include <asm/openprom.h>
+ #include <linux/spinlock.h>
++#include <linux/compiler.h>
+
+ /* The master romvec pointer... */
+ extern struct linux_romvec *romvec;
+@@ -244,8 +245,8 @@
+ /* Fetch the requested property using the given buffer. Returns
+ * the number of bytes the prom put into your buffer or -1 on error.
+ */
+-extern int prom_getproperty(int thisnode, char *property,
+- char *prop_buffer, int propbuf_size);
++extern int __must_check prom_getproperty(int thisnode, char *property,
++ char *prop_buffer, int propbuf_size);
+
+ /* Acquire an integer property. */
+ extern int prom_getint(int node, char *property);
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/132-sparc32_get_tv32_use_correct_variable.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/132-sparc32_get_tv32_use_correct_variable.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/132-sparc32_get_tv32_use_correct_variable.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,35 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SPARC64]: Fix access_ok() args in sys_sparc32.c:get_tv32().
+## DP: Patch author: davem@nuts.davemloft.net
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/17 08:54:52-08:00 davem@nuts.davemloft.net
+# [SPARC64]: Fix access_ok() args in sys_sparc32.c:get_tv32().
+#
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# arch/sparc64/kernel/sys_sparc32.c
+# 2005/02/17 08:54:19-08:00 davem@nuts.davemloft.net +1 -1
+# [SPARC64]: Fix access_ok() args in sys_sparc32.c:get_tv32().
+#
+diff -Nru a/arch/sparc64/kernel/sys_sparc32.c b/arch/sparc64/kernel/sys_sparc32.c
+--- a/arch/sparc64/kernel/sys_sparc32.c 2005-02-24 23:43:34 -08:00
++++ b/arch/sparc64/kernel/sys_sparc32.c 2005-02-24 23:43:34 -08:00
+@@ -242,7 +242,7 @@
+
+ static long get_tv32(struct timeval *o, struct compat_timeval __user *i)
+ {
+- return (!access_ok(VERIFY_READ, tv32, sizeof(*tv32)) ||
++ return (!access_ok(VERIFY_READ, i, sizeof(*i)) ||
+ (__get_user(o->tv_sec, &i->tv_sec) |
+ __get_user(o->tv_usec, &i->tv_usec)));
+ }
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/133-scsi_advansys_build_with_non_pci.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/133-scsi_advansys_build_with_non_pci.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/133-scsi_advansys_build_with_non_pci.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,70 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] scsi/advansys.c fix !CONFIG_PCI
+## DP: Patch author: p_gortmaker@yahoo.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/23 12:37:42-06:00 p_gortmaker@yahoo.com
+# [PATCH] scsi/advansys.c fix !CONFIG_PCI
+#
+# advansys.c fails to build for old ISA cards when CONFIG_PCI is not
+# enabled.
+#
+# Signed-off-by: Paul Gortmaker <p_gortmaker@yahoo.com>
+# Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
+#
+# drivers/scsi/advansys.c
+# 2004/12/19 23:04:35-06:00 p_gortmaker@yahoo.com +5 -5
+# scsi/advansys.c fix !CONFIG_PCI
+#
+diff -Nru a/drivers/scsi/advansys.c b/drivers/scsi/advansys.c
+--- a/drivers/scsi/advansys.c 2005-02-14 00:15:15 -08:00
++++ b/drivers/scsi/advansys.c 2005-02-14 00:15:15 -08:00
+@@ -4322,12 +4322,12 @@
+ int ioport = 0;
+ int share_irq = FALSE;
+ int iolen = 0;
++ struct device *dev = NULL;
+ #ifdef CONFIG_PCI
+ int pci_init_search = 0;
+ struct pci_dev *pci_devicep[ASC_NUM_BOARD_SUPPORTED];
+ int pci_card_cnt_max = 0;
+ int pci_card_cnt = 0;
+- struct device *dev = NULL;
+ struct pci_dev *pci_devp = NULL;
+ int pci_device_id_cnt = 0;
+ unsigned int pci_device_id[ASC_PCI_DEVICE_ID_CNT] = {
+@@ -8944,7 +8944,7 @@
+ #ifdef CONFIG_PCI
+ pci_write_config_byte(to_pci_dev(asc_dvc->cfg->dev), offset, byte_data);
+ #else /* CONFIG_PCI */
+- return 0;
++ return;
+ #endif /* CONFIG_PCI */
+ }
+
+@@ -12014,13 +12014,13 @@
+ PortAddr iop_base;
+ ushort cfg_msw;
+ ushort warn_code;
+- ushort pci_device_id;
++ ushort pci_device_id = 0;
+
+ iop_base = asc_dvc->iop_base;
++#ifdef CONFIG_PCI
+ if (asc_dvc->cfg->dev)
+ pci_device_id = to_pci_dev(asc_dvc->cfg->dev)->device;
+- else
+- pci_device_id = 0;
++#endif
+ warn_code = 0;
+ cfg_msw = AscGetChipCfgMsw(iop_base);
+ if ((cfg_msw & ASC_CFG_MSW_CLR_MASK) != 0) {
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/134-cciss_scsi_detect_put_host_on_error.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/134-cciss_scsi_detect_put_host_on_error.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/134-cciss_scsi_detect_put_host_on_error.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,63 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] cciss: handle scsi_add_host failure
+## DP: Patch author: hch@lst.de
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/10 09:32:03-05:00 hch@lst.de
+# [PATCH] cciss: handle scsi_add_host failure
+#
+# Signed-off-by: Mike Miller <mike.miller@hp.com>
+# Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
+#
+# drivers/block/cciss_scsi.c
+# 2004/12/31 08:42:51-05:00 hch@lst.de +10 -5
+# cciss: handle scsi_add_host failure
+#
+diff -Nru a/drivers/block/cciss_scsi.c b/drivers/block/cciss_scsi.c
+--- a/drivers/block/cciss_scsi.c 2005-02-14 04:10:40 -08:00
++++ b/drivers/block/cciss_scsi.c 2005-02-14 04:10:40 -08:00
+@@ -691,14 +691,13 @@
+ cciss_scsi_detect(int ctlr)
+ {
+ struct Scsi_Host *sh;
++ int error;
+
+ sh = scsi_host_alloc(&cciss_driver_template, sizeof(struct ctlr_info *));
+ if (sh == NULL)
+- return 0;
+-
++ goto fail;
+ sh->io_port = 0; // good enough? FIXME,
+ sh->n_io_port = 0; // I don't think we use these two...
+-
+ sh->this_id = SELF_SCSI_ID;
+
+ ((struct cciss_scsi_adapter_data_t *)
+@@ -706,10 +705,16 @@
+ sh->hostdata[0] = (unsigned long) hba[ctlr];
+ sh->irq = hba[ctlr]->intr;
+ sh->unique_id = sh->irq;
+- scsi_add_host(sh, &hba[ctlr]->pdev->dev); /* XXX handle failure */
++ error = scsi_add_host(sh, &hba[ctlr]->pdev->dev);
++ if (error)
++ goto fail_host_put;
+ scsi_scan_host(sh);
+-
+ return 1;
++
++ fail_host_put:
++ scsi_host_put(sh);
++ fail:
++ return 0;
+ }
+
+ static void __exit cleanup_cciss_module(void);
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/135-64bit_sys_shmget_compat_size_t_overflow.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/135-64bit_sys_shmget_compat_size_t_overflow.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/135-64bit_sys_shmget_compat_size_t_overflow.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,110 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] Fix compat shmget overflow
+## DP: Patch author: ak@suse.de
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/10 14:39:59-08:00 ak@suse.de
+# [PATCH] Fix compat shmget overflow
+#
+# This fixes an incorrect sign extension in the compat layer that breaks
+# 32bit shmget that are >2GB. sys_shmget has a signed size_t size argument,
+# and the int size argument coming from 32bit user space would get sign
+# extended to 64bit, which is wrong.
+#
+# I fixed it on all compat architectures, except PPC64 which was already ok.
+#
+# It was originally debugged and fixed by Karl Rister @ IBM for SLES9 on x86-64.
+#
+# Signed-off-by: Andi Kleen <ak@suse.de>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# arch/ia64/ia32/sys_ia32.c
+# 2005/02/10 12:32:24-08:00 ak@suse.de +1 -1
+# Fix compat shmget overflow
+#
+# arch/mips/kernel/linux32.c
+# 2005/02/10 12:32:24-08:00 ak@suse.de +1 -1
+# Fix compat shmget overflow
+#
+# arch/s390/kernel/compat_linux.c
+# 2005/02/10 12:32:24-08:00 ak@suse.de +1 -1
+# Fix compat shmget overflow
+#
+# arch/sparc64/kernel/sys_sparc32.c
+# 2005/02/10 12:32:24-08:00 ak@suse.de +1 -1
+# Fix compat shmget overflow
+#
+# arch/x86_64/ia32/ipc32.c
+# 2005/02/10 12:32:24-08:00 ak@suse.de +1 -1
+# Fix compat shmget overflow
+#
+diff -Nru a/arch/ia64/ia32/sys_ia32.c b/arch/ia64/ia32/sys_ia32.c
+--- a/arch/ia64/ia32/sys_ia32.c 2005-02-14 04:13:23 -08:00
++++ b/arch/ia64/ia32/sys_ia32.c 2005-02-14 04:13:23 -08:00
+@@ -1415,7 +1415,7 @@
+ case SHMDT:
+ return sys_shmdt(compat_ptr(ptr));
+ case SHMGET:
+- return sys_shmget(first, second, third);
++ return sys_shmget(first, (unsigned)second, third);
+ case SHMCTL:
+ return compat_sys_shmctl(first, second, compat_ptr(ptr));
+
+diff -Nru a/arch/mips/kernel/linux32.c b/arch/mips/kernel/linux32.c
+--- a/arch/mips/kernel/linux32.c 2005-02-14 04:13:23 -08:00
++++ b/arch/mips/kernel/linux32.c 2005-02-14 04:13:23 -08:00
+@@ -1115,7 +1115,7 @@
+ err = sys_shmdt ((char *)A(ptr));
+ break;
+ case SHMGET:
+- err = sys_shmget (first, second, third);
++ err = sys_shmget (first, (unsigned)second, third);
+ break;
+ case SHMCTL:
+ err = do_sys32_shmctl (first, second, (void *)AA(ptr));
+diff -Nru a/arch/s390/kernel/compat_linux.c b/arch/s390/kernel/compat_linux.c
+--- a/arch/s390/kernel/compat_linux.c 2005-02-14 04:13:23 -08:00
++++ b/arch/s390/kernel/compat_linux.c 2005-02-14 04:13:23 -08:00
+@@ -331,7 +331,7 @@
+ case SHMDT:
+ return sys_shmdt(compat_ptr(ptr));
+ case SHMGET:
+- return sys_shmget(first, second, third);
++ return sys_shmget(first, (unsigned)second, third);
+ case SHMCTL:
+ return compat_sys_shmctl(first, second, compat_ptr(ptr));
+ }
+diff -Nru a/arch/sparc64/kernel/sys_sparc32.c b/arch/sparc64/kernel/sys_sparc32.c
+--- a/arch/sparc64/kernel/sys_sparc32.c 2005-02-14 04:13:23 -08:00
++++ b/arch/sparc64/kernel/sys_sparc32.c 2005-02-14 04:13:23 -08:00
+@@ -835,7 +835,7 @@
+ err = sys_shmdt(ptr);
+ goto out;
+ case SHMGET:
+- err = sys_shmget(first, second, third);
++ err = sys_shmget(first, (unsigned)second, third);
+ goto out;
+ case SHMCTL:
+ err = do_sys32_shmctl(first, second, ptr);
+diff -Nru a/arch/x86_64/ia32/ipc32.c b/arch/x86_64/ia32/ipc32.c
+--- a/arch/x86_64/ia32/ipc32.c 2005-02-14 04:13:23 -08:00
++++ b/arch/x86_64/ia32/ipc32.c 2005-02-14 04:13:23 -08:00
+@@ -49,7 +49,7 @@
+ case SHMDT:
+ return sys_shmdt(compat_ptr(ptr));
+ case SHMGET:
+- return sys_shmget(first, second, third);
++ return sys_shmget(first, (unsigned)second, third);
+ case SHMCTL:
+ return compat_sys_shmctl(first, second, compat_ptr(ptr));
+ }
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/136-64bit_sys_compat_overflows.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/136-64bit_sys_compat_overflows.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/136-64bit_sys_compat_overflows.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,315 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] Fix shmget for ppc64, s390-64 & sparc64.
+## DP: Patch author: schwidefsky@de.ibm.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/10 14:40:13-08:00 schwidefsky@de.ibm.com
+# [PATCH] Fix shmget for ppc64, s390-64 & sparc64.
+#
+# The second parameter of the sys_ipc system wrapper on ppc64, s390-64 and
+# sparc64 is an "int". sys_shmget gets called with this 32 bit value as the
+# size parameter. This limits the maximum shared memory segment on these
+# three architectures to 2GB. To fix this the second parameter is declared
+# as an "unsigned long" and is then casted to the type required by the The
+# same int vs. unsigned long bug is fixed for sys_msgsnd and sys_msgrcv as
+# well.
+#
+# Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# arch/ppc64/kernel/syscalls.c
+# 2005/02/10 12:32:25-08:00 schwidefsky@de.ibm.com +23 -17
+# Fix shmget for ppc64, s390-64 & sparc64.
+#
+# arch/s390/kernel/sys_s390.c
+# 2005/02/10 12:32:25-08:00 schwidefsky@de.ibm.com +16 -13
+# Fix shmget for ppc64, s390-64 & sparc64.
+#
+# arch/sparc64/kernel/sys_sparc.c
+# 2005/02/10 12:32:25-08:00 schwidefsky@de.ibm.com +15 -12
+# Fix shmget for ppc64, s390-64 & sparc64.
+#
+diff -Nru a/arch/ppc64/kernel/syscalls.c b/arch/ppc64/kernel/syscalls.c
+--- a/arch/ppc64/kernel/syscalls.c 2005-02-14 04:13:52 -08:00
++++ b/arch/ppc64/kernel/syscalls.c 2005-02-14 04:13:52 -08:00
+@@ -57,7 +57,8 @@
+ * This is really horribly ugly.
+ */
+ asmlinkage int
+-sys_ipc (uint call, int first, int second, long third, void __user *ptr, long fifth)
++sys_ipc (uint call, int first, unsigned long second, long third,
++ void __user *ptr, long fifth)
+ {
+ int version, ret;
+
+@@ -67,15 +68,16 @@
+ ret = -ENOSYS;
+ switch (call) {
+ case SEMOP:
+- ret = sys_semtimedop (first, (struct sembuf __user *)ptr, second,
+- NULL);
++ ret = sys_semtimedop(first, (struct sembuf __user *)ptr,
++ (unsigned)second, NULL);
+ break;
+ case SEMTIMEDOP:
+- ret = sys_semtimedop (first, (struct sembuf __user *)ptr, second,
++ ret = sys_semtimedop(first, (struct sembuf __user *)ptr,
++ (unsigned)second,
+ (const struct timespec __user *) fifth);
+ break;
+ case SEMGET:
+- ret = sys_semget (first, second, third);
++ ret = sys_semget (first, (int)second, third);
+ break;
+ case SEMCTL: {
+ union semun fourth;
+@@ -85,11 +87,12 @@
+ break;
+ if ((ret = get_user(fourth.__pad, (void __user * __user *)ptr)))
+ break;
+- ret = sys_semctl (first, second, third, fourth);
++ ret = sys_semctl(first, (int)second, third, fourth);
+ break;
+ }
+ case MSGSND:
+- ret = sys_msgsnd (first, (struct msgbuf __user *) ptr, second, third);
++ ret = sys_msgsnd(first, (struct msgbuf __user *)ptr,
++ (size_t)second, third);
+ break;
+ case MSGRCV:
+ switch (version) {
+@@ -103,27 +106,29 @@
+ (struct ipc_kludge __user *) ptr,
+ sizeof (tmp)) ? -EFAULT : 0))
+ break;
+- ret = sys_msgrcv (first, tmp.msgp, second, tmp.msgtyp,
+- third);
++ ret = sys_msgrcv(first, tmp.msgp, (size_t) second,
++ tmp.msgtyp, third);
+ break;
+ }
+ default:
+ ret = sys_msgrcv (first, (struct msgbuf __user *) ptr,
+- second, fifth, third);
++ (size_t)second, fifth, third);
+ break;
+ }
+ break;
+ case MSGGET:
+- ret = sys_msgget ((key_t) first, second);
++ ret = sys_msgget ((key_t)first, (int)second);
+ break;
+ case MSGCTL:
+- ret = sys_msgctl (first, second, (struct msqid_ds __user *) ptr);
++ ret = sys_msgctl(first, (int)second,
++ (struct msqid_ds __user *)ptr);
+ break;
+ case SHMAT:
+ switch (version) {
+ default: {
+ ulong raddr;
+- ret = do_shmat (first, (char __user *) ptr, second, &raddr);
++ ret = do_shmat(first, (char __user *) ptr,
++ (int)second, &raddr);
+ if (ret)
+ break;
+ ret = put_user (raddr, (ulong __user *) third);
+@@ -133,8 +138,8 @@
+ ret = -EINVAL;
+ if (!segment_eq(get_fs(), get_ds()))
+ break;
+- ret = do_shmat (first, (char __user *) ptr, second,
+- (ulong *) third);
++ ret = do_shmat(first, (char __user *)ptr,
++ (int)second, (ulong *)third);
+ break;
+ }
+ break;
+@@ -142,10 +147,11 @@
+ ret = sys_shmdt ((char __user *)ptr);
+ break;
+ case SHMGET:
+- ret = sys_shmget (first, second, third);
++ ret = sys_shmget (first, (size_t)second, third);
+ break;
+ case SHMCTL:
+- ret = sys_shmctl (first, second, (struct shmid_ds __user *) ptr);
++ ret = sys_shmctl(first, (int)second,
++ (struct shmid_ds __user *)ptr);
+ break;
+ }
+
+diff -Nru a/arch/s390/kernel/sys_s390.c b/arch/s390/kernel/sys_s390.c
+--- a/arch/s390/kernel/sys_s390.c 2005-02-14 04:13:52 -08:00
++++ b/arch/s390/kernel/sys_s390.c 2005-02-14 04:13:52 -08:00
+@@ -145,7 +145,7 @@
+ *
+ * This is really horribly ugly.
+ */
+-asmlinkage long sys_ipc(uint call, int first, int second,
++asmlinkage long sys_ipc(uint call, int first, unsigned long second,
+ unsigned long third, void __user *ptr)
+ {
+ struct ipc_kludge tmp;
+@@ -153,24 +153,25 @@
+
+ switch (call) {
+ case SEMOP:
+- return sys_semtimedop (first, (struct sembuf __user *) ptr, second,
+- NULL);
++ return sys_semtimedop(first, (struct sembuf __user *)ptr,
++ (unsigned)second, NULL);
+ case SEMTIMEDOP:
+- return sys_semtimedop (first, (struct sembuf __user *) ptr, second,
++ return sys_semtimedop(first, (struct sembuf __user *)ptr,
++ (unsigned)second,
+ (const struct timespec __user *) third);
+ case SEMGET:
+- return sys_semget (first, second, third);
++ return sys_semget(first, (int)second, third);
+ case SEMCTL: {
+ union semun fourth;
+ if (!ptr)
+ return -EINVAL;
+ if (get_user(fourth.__pad, (void __user * __user *) ptr))
+ return -EFAULT;
+- return sys_semctl (first, second, third, fourth);
++ return sys_semctl(first, (int)second, third, fourth);
+ }
+ case MSGSND:
+ return sys_msgsnd (first, (struct msgbuf __user *) ptr,
+- second, third);
++ (size_t)second, third);
+ break;
+ case MSGRCV:
+ if (!ptr)
+@@ -179,15 +180,17 @@
+ sizeof (struct ipc_kludge)))
+ return -EFAULT;
+ return sys_msgrcv (first, tmp.msgp,
+- second, tmp.msgtyp, third);
++ (size_t)second, tmp.msgtyp, third);
+ case MSGGET:
+- return sys_msgget ((key_t) first, second);
++ return sys_msgget((key_t)first, (int)second);
+ case MSGCTL:
+- return sys_msgctl (first, second, (struct msqid_ds __user *) ptr);
++ return sys_msgctl(first, (int)second,
++ (struct msqid_ds __user *)ptr);
+
+ case SHMAT: {
+ ulong raddr;
+- ret = do_shmat (first, (char __user *) ptr, second, &raddr);
++ ret = do_shmat(first, (char __user *)ptr,
++ (int)second, &raddr);
+ if (ret)
+ return ret;
+ return put_user (raddr, (ulong __user *) third);
+@@ -196,9 +199,9 @@
+ case SHMDT:
+ return sys_shmdt ((char __user *)ptr);
+ case SHMGET:
+- return sys_shmget (first, second, third);
++ return sys_shmget(first, (size_t)second, third);
+ case SHMCTL:
+- return sys_shmctl (first, second,
++ return sys_shmctl(first, (int)second,
+ (struct shmid_ds __user *) ptr);
+ default:
+ return -ENOSYS;
+diff -Nru a/arch/sparc64/kernel/sys_sparc.c b/arch/sparc64/kernel/sys_sparc.c
+--- a/arch/sparc64/kernel/sys_sparc.c 2005-02-14 04:13:52 -08:00
++++ b/arch/sparc64/kernel/sys_sparc.c 2005-02-14 04:13:52 -08:00
+@@ -199,7 +199,8 @@
+ * This is really horribly ugly.
+ */
+
+-asmlinkage long sys_ipc(unsigned int call, int first, int second, unsigned long third, void __user *ptr, long fifth)
++asmlinkage long sys_ipc(unsigned int call, int first, unsigned long second,
++ unsigned long third, void __user *ptr, long fifth)
+ {
+ int err;
+
+@@ -207,14 +208,15 @@
+ if (call <= SEMCTL) {
+ switch (call) {
+ case SEMOP:
+- err = sys_semtimedop(first, ptr, second, NULL);
++ err = sys_semtimedop(first, ptr,
++ (unsigned)second, NULL);
+ goto out;
+ case SEMTIMEDOP:
+- err = sys_semtimedop(first, ptr, second,
++ err = sys_semtimedop(first, ptr, (unsigned)second,
+ (const struct timespec __user *) fifth);
+ goto out;
+ case SEMGET:
+- err = sys_semget(first, second, (int)third);
++ err = sys_semget(first, (int)second, (int)third);
+ goto out;
+ case SEMCTL: {
+ union semun fourth;
+@@ -225,7 +227,7 @@
+ if (get_user(fourth.__pad,
+ (void __user * __user *) ptr))
+ goto out;
+- err = sys_semctl(first, second | IPC_64,
++ err = sys_semctl(first, (int)second | IPC_64,
+ (int)third, fourth);
+ goto out;
+ }
+@@ -237,17 +239,18 @@
+ if (call <= MSGCTL) {
+ switch (call) {
+ case MSGSND:
+- err = sys_msgsnd(first, ptr, second, (int)third);
++ err = sys_msgsnd(first, ptr, (size_t)second,
++ (int)third);
+ goto out;
+ case MSGRCV:
+- err = sys_msgrcv(first, ptr, second, fifth,
++ err = sys_msgrcv(first, ptr, (size_t)second, fifth,
+ (int)third);
+ goto out;
+ case MSGGET:
+- err = sys_msgget((key_t) first, second);
++ err = sys_msgget((key_t)first, (int)second);
+ goto out;
+ case MSGCTL:
+- err = sys_msgctl(first, second | IPC_64, ptr);
++ err = sys_msgctl(first, (int)second | IPC_64, ptr);
+ goto out;
+ default:
+ err = -ENOSYS;
+@@ -258,7 +261,7 @@
+ switch (call) {
+ case SHMAT: {
+ ulong raddr;
+- err = do_shmat(first, ptr, second, &raddr);
++ err = do_shmat(first, ptr, (int)second, &raddr);
+ if (!err) {
+ if (put_user(raddr,
+ (ulong __user *) third))
+@@ -270,10 +273,10 @@
+ err = sys_shmdt(ptr);
+ goto out;
+ case SHMGET:
+- err = sys_shmget(first, second, (int)third);
++ err = sys_shmget(first, (size_t)second, (int)third);
+ goto out;
+ case SHMCTL:
+- err = sys_shmctl(first, second | IPC_64, ptr);
++ err = sys_shmctl(first, (int)second | IPC_64, ptr);
+ goto out;
+ default:
+ err = -ENOSYS;
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/137-ppc64_prom_initialize_tce_table_typo.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/137-ppc64_prom_initialize_tce_table_typo.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/137-ppc64_prom_initialize_tce_table_typo.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,39 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] ppc64: typo in arch/ppc64/kernel/prom_init.c prom_debug
+## DP: Patch author: olh@suse.de
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/10 14:41:26-08:00 olh@suse.de
+# [PATCH] ppc64: typo in arch/ppc64/kernel/prom_init.c prom_debug
+#
+# local variable is base, not vbase.
+#
+# Signed-off-by: Olaf Hering <olh@suse.de>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# arch/ppc64/kernel/prom_init.c
+# 2005/02/10 12:33:18-08:00 olh@suse.de +1 -1
+# ppc64: typo in arch/ppc64/kernel/prom_init.c prom_debug
+#
+diff -Nru a/arch/ppc64/kernel/prom_init.c b/arch/ppc64/kernel/prom_init.c
+--- a/arch/ppc64/kernel/prom_init.c 2005-02-14 00:21:33 -08:00
++++ b/arch/ppc64/kernel/prom_init.c 2005-02-14 00:21:33 -08:00
+@@ -845,7 +845,7 @@
+
+ prom_debug("TCE table: %s\n", path);
+ prom_debug("\tnode = 0x%x\n", node);
+- prom_debug("\tbase = 0x%x\n", vbase);
++ prom_debug("\tbase = 0x%x\n", base);
+ prom_debug("\tsize = 0x%x\n", minsize);
+
+ /* Initialize the table to have a one-to-one mapping
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/138-tulip_de_init_one_irq_init.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/138-tulip_de_init_one_irq_init.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/138-tulip_de_init_one_irq_init.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,49 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] de214x.c uses uninitialized pci_dev->irq
+## DP: Patch author: bjorn-helgaas@comcast.net
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/11 17:09:07-05:00 bjorn-helgaas@comcast.net
+# [PATCH] de214x.c uses uninitialized pci_dev->irq
+#
+# Don't use pci_dev->irq until after pci_enable_device().
+# Andy Esten reported that his NIC stopped working in
+# 2.6.10 because of this problem.
+#
+# Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
+# Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
+#
+# drivers/net/tulip/de2104x.c
+# 2005/02/07 11:51:57-05:00 bjorn-helgaas@comcast.net +2 -2
+# de214x.c uses uninitialized pci_dev->irq
+#
+diff -Nru a/drivers/net/tulip/de2104x.c b/drivers/net/tulip/de2104x.c
+--- a/drivers/net/tulip/de2104x.c 2005-02-14 00:02:02 -08:00
++++ b/drivers/net/tulip/de2104x.c 2005-02-14 00:02:02 -08:00
+@@ -1960,8 +1960,6 @@
+ dev->tx_timeout = de_tx_timeout;
+ dev->watchdog_timeo = TX_TIMEOUT;
+
+- dev->irq = pdev->irq;
+-
+ de = dev->priv;
+ de->de21040 = ent->driver_data == 0 ? 1 : 0;
+ de->pdev = pdev;
+@@ -1996,6 +1994,8 @@
+ pdev->irq, pci_name(pdev));
+ goto err_out_res;
+ }
++
++ dev->irq = pdev->irq;
+
+ /* obtain and check validity of PCI I/O address */
+ pciaddr = pci_resource_start(pdev, 1);
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/139-pci_dma_free_coherent.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/139-pci_dma_free_coherent.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/139-pci_dma_free_coherent.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,44 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] kmalloc() bug in pci-dma.c
+## DP: Patch author: venkatesh.pallipadi@intel.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/11 18:03:23-08:00 venkatesh.pallipadi@intel.com
+# [PATCH] kmalloc() bug in pci-dma.c
+#
+# dma_declare_coherent_memory() is calling kmalloc with wrong arguments.
+#
+# Signed-off-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# arch/i386/kernel/pci-dma.c
+# 2005/02/11 17:33:28-08:00 venkatesh.pallipadi@intel.com +2 -2
+# kmalloc() bug in pci-dma.c
+#
+diff -Nru a/arch/i386/kernel/pci-dma.c b/arch/i386/kernel/pci-dma.c
+--- a/arch/i386/kernel/pci-dma.c 2005-02-14 00:02:10 -08:00
++++ b/arch/i386/kernel/pci-dma.c 2005-02-14 00:02:10 -08:00
+@@ -89,11 +89,11 @@
+ if (!mem_base)
+ goto out;
+
+- dev->dma_mem = kmalloc(GFP_KERNEL, sizeof(struct dma_coherent_mem));
++ dev->dma_mem = kmalloc(sizeof(struct dma_coherent_mem), GFP_KERNEL);
+ if (!dev->dma_mem)
+ goto out;
+ memset(dev->dma_mem, 0, sizeof(struct dma_coherent_mem));
+- dev->dma_mem->bitmap = kmalloc(GFP_KERNEL, bitmap_size);
++ dev->dma_mem->bitmap = kmalloc(bitmap_size, GFP_KERNEL);
+ if (!dev->dma_mem->bitmap)
+ goto free1_out;
+ memset(dev->dma_mem->bitmap, 0, bitmap_size);
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/140-s390_memset_arg_order_fixes.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/140-s390_memset_arg_order_fixes.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/140-s390_memset_arg_order_fixes.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,82 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] memset argument order misuses
+## DP: Patch author: joe.korty@ccur.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/12 20:23:14-08:00 joe.korty@ccur.com
+# [PATCH] memset argument order misuses
+#
+# A simple 'grep memset.*\<0);' shows argument order errors in several
+# uses of memset.
+#
+# This grep was inspired by Al Viro's recent patch, megaraid_mbox fix,
+# which fixed this problem in the megaraid driver.
+#
+# drivers/s390/block/dasd_genhd.c
+# 2005/02/12 18:55:49-08:00 joe.korty@ccur.com +2 -2
+# memset argument order misuses
+#
+# drivers/s390/cio/cmf.c
+# 2005/02/12 18:56:08-08:00 joe.korty@ccur.com +2 -2
+# memset argument order misuses
+#
+# drivers/s390/cio/css.c
+# 2005/02/12 18:56:20-08:00 joe.korty@ccur.com +1 -1
+# memset argument order misuses
+#
+diff -Nru a/drivers/s390/block/dasd_genhd.c b/drivers/s390/block/dasd_genhd.c
+--- a/drivers/s390/block/dasd_genhd.c 2005-02-14 00:05:04 -08:00
++++ b/drivers/s390/block/dasd_genhd.c 2005-02-14 00:05:04 -08:00
+@@ -149,8 +149,8 @@
+ * Can't call delete_partitions directly. Use ioctl.
+ * The ioctl also does locking and invalidation.
+ */
+- memset(&bpart, sizeof(struct blkpg_partition), 0);
+- memset(&barg, sizeof(struct blkpg_ioctl_arg), 0);
++ memset(&bpart, 0, sizeof(struct blkpg_partition));
++ memset(&barg, 0, sizeof(struct blkpg_ioctl_arg));
+ barg.data = &bpart;
+ barg.op = BLKPG_DEL_PARTITION;
+ for (bpart.pno = device->gdp->minors - 1; bpart.pno > 0; bpart.pno--)
+diff -Nru a/drivers/s390/cio/cmf.c b/drivers/s390/cio/cmf.c
+--- a/drivers/s390/cio/cmf.c 2005-02-14 00:05:04 -08:00
++++ b/drivers/s390/cio/cmf.c 2005-02-14 00:05:04 -08:00
+@@ -526,7 +526,7 @@
+ time = get_clock() - cdev->private->cmb_start_time;
+ spin_unlock_irqrestore(cdev->ccwlock, flags);
+
+- memset(data, sizeof(struct cmbdata), 0);
++ memset(data, 0, sizeof(struct cmbdata));
+
+ /* we only know values before device_busy_time */
+ data->size = offsetof(struct cmbdata, device_busy_time);
+@@ -736,7 +736,7 @@
+ time = get_clock() - cdev->private->cmb_start_time;
+ spin_unlock_irqrestore(cdev->ccwlock, flags);
+
+- memset (data, sizeof(struct cmbdata), 0);
++ memset (data, 0, sizeof(struct cmbdata));
+
+ /* we only know values before device_busy_time */
+ data->size = offsetof(struct cmbdata, device_busy_time);
+diff -Nru a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
+--- a/drivers/s390/cio/css.c 2005-02-14 00:05:04 -08:00
++++ b/drivers/s390/cio/css.c 2005-02-14 00:05:04 -08:00
+@@ -527,7 +527,7 @@
+ new_slow_sch = kmalloc(sizeof(struct slow_subchannel), GFP_ATOMIC);
+ if (!new_slow_sch)
+ return -ENOMEM;
+- memset(new_slow_sch, sizeof(struct slow_subchannel), 0);
++ memset(new_slow_sch, 0, sizeof(struct slow_subchannel));
+ new_slow_sch->schid = schid;
+ spin_lock_irqsave(&slow_subchannel_lock, flags);
+ list_add_tail(&new_slow_sch->slow_list, &slow_subchannels_head);
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/141-pci_devices_dont_disable_dev_if_busy.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/141-pci_devices_dont_disable_dev_if_busy.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/141-pci_devices_dont_disable_dev_if_busy.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,492 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [libata] do not call pci_disable_device() for certain errors
+## DP: Patch author: jgarzik@pobox.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/13 19:58:07-05:00 jgarzik@pobox.com
+# [libata] do not call pci_disable_device() for certain errors
+#
+# If PCI request regions fails, then someone else is using the
+# hardware we wish to use. For that one case, calling pci_disable_device()
+# is rather rude.
+#
+# drivers/scsi/ahci.c
+# 2005/02/13 19:58:01-05:00 jgarzik@pobox.com +6 -2
+# [libata] do not call pci_disable_device() for certain errors
+#
+# If PCI request regions fails, then someone else is using the
+# hardware we wish to use. For that one case, calling pci_disable_device()
+# is rather rude.
+#
+# drivers/scsi/libata-core.c
+# 2005/02/13 19:58:01-05:00 jgarzik@pobox.com +12 -4
+# [libata] do not call pci_disable_device() for certain errors
+#
+# If PCI request regions fails, then someone else is using the
+# hardware we wish to use. For that one case, calling pci_disable_device()
+# is rather rude.
+#
+# drivers/scsi/sata_nv.c
+# 2005/02/13 19:58:01-05:00 jgarzik@pobox.com +6 -2
+# [libata] do not call pci_disable_device() for certain errors
+#
+# If PCI request regions fails, then someone else is using the
+# hardware we wish to use. For that one case, calling pci_disable_device()
+# is rather rude.
+#
+# drivers/scsi/sata_promise.c
+# 2005/02/13 19:58:01-05:00 jgarzik@pobox.com +6 -2
+# [libata] do not call pci_disable_device() for certain errors
+#
+# If PCI request regions fails, then someone else is using the
+# hardware we wish to use. For that one case, calling pci_disable_device()
+# is rather rude.
+#
+# drivers/scsi/sata_sil.c
+# 2005/02/13 19:58:01-05:00 jgarzik@pobox.com +6 -2
+# [libata] do not call pci_disable_device() for certain errors
+#
+# If PCI request regions fails, then someone else is using the
+# hardware we wish to use. For that one case, calling pci_disable_device()
+# is rather rude.
+#
+# drivers/scsi/sata_sis.c
+# 2005/02/13 19:58:01-05:00 jgarzik@pobox.com +6 -2
+# [libata] do not call pci_disable_device() for certain errors
+#
+# If PCI request regions fails, then someone else is using the
+# hardware we wish to use. For that one case, calling pci_disable_device()
+# is rather rude.
+#
+# drivers/scsi/sata_svw.c
+# 2005/02/13 19:58:01-05:00 jgarzik@pobox.com +6 -2
+# [libata] do not call pci_disable_device() for certain errors
+#
+# If PCI request regions fails, then someone else is using the
+# hardware we wish to use. For that one case, calling pci_disable_device()
+# is rather rude.
+#
+# drivers/scsi/sata_sx4.c
+# 2005/02/13 19:58:01-05:00 jgarzik@pobox.com +6 -2
+# [libata] do not call pci_disable_device() for certain errors
+#
+# If PCI request regions fails, then someone else is using the
+# hardware we wish to use. For that one case, calling pci_disable_device()
+# is rather rude.
+#
+# drivers/scsi/sata_uli.c
+# 2005/02/13 19:58:01-05:00 jgarzik@pobox.com +6 -2
+# [libata] do not call pci_disable_device() for certain errors
+#
+# If PCI request regions fails, then someone else is using the
+# hardware we wish to use. For that one case, calling pci_disable_device()
+# is rather rude.
+#
+# drivers/scsi/sata_via.c
+# 2005/02/13 19:58:01-05:00 jgarzik@pobox.com +6 -2
+# [libata] do not call pci_disable_device() for certain errors
+#
+# If PCI request regions fails, then someone else is using the
+# hardware we wish to use. For that one case, calling pci_disable_device()
+# is rather rude.
+#
+# drivers/scsi/sata_vsc.c
+# 2005/02/13 19:58:01-05:00 jgarzik@pobox.com +6 -2
+# [libata] do not call pci_disable_device() for certain errors
+#
+# If PCI request regions fails, then someone else is using the
+# hardware we wish to use. For that one case, calling pci_disable_device()
+# is rather rude.
+#
+diff -Nru a/drivers/scsi/ahci.c b/drivers/scsi/ahci.c
+--- a/drivers/scsi/ahci.c 2005-02-25 00:10:02 -08:00
++++ b/drivers/scsi/ahci.c 2005-02-25 00:10:02 -08:00
+@@ -940,6 +940,7 @@
+ unsigned long base;
+ void *mmio_base;
+ unsigned int board_idx = (unsigned int) ent->driver_data;
++ int pci_dev_busy = 0;
+ int rc;
+
+ VPRINTK("ENTER\n");
+@@ -952,8 +953,10 @@
+ return rc;
+
+ rc = pci_request_regions(pdev, DRV_NAME);
+- if (rc)
++ if (rc) {
++ pci_dev_busy = 1;
+ goto err_out;
++ }
+
+ pci_enable_intx(pdev);
+
+@@ -1015,7 +1018,8 @@
+ err_out_regions:
+ pci_release_regions(pdev);
+ err_out:
+- pci_disable_device(pdev);
++ if (!pci_dev_busy)
++ pci_disable_device(pdev);
+ return rc;
+ }
+
+diff -Nru a/drivers/scsi/libata-core.c b/drivers/scsi/libata-core.c
+--- a/drivers/scsi/libata-core.c 2005-02-25 00:10:02 -08:00
++++ b/drivers/scsi/libata-core.c 2005-02-25 00:10:02 -08:00
+@@ -3656,6 +3656,7 @@
+ struct ata_port_info *port[2];
+ u8 tmp8, mask;
+ unsigned int legacy_mode = 0;
++ int disable_dev_on_err = 1;
+ int rc;
+
+ DPRINTK("ENTER\n");
+@@ -3686,8 +3687,10 @@
+ return rc;
+
+ rc = pci_request_regions(pdev, DRV_NAME);
+- if (rc)
++ if (rc) {
++ disable_dev_on_err = 0;
+ goto err_out;
++ }
+
+ if (legacy_mode) {
+ if (!request_region(0x1f0, 8, "libata")) {
+@@ -3697,8 +3700,10 @@
+ conflict = ____request_resource(&ioport_resource, &res);
+ if (!strcmp(conflict->name, "libata"))
+ legacy_mode |= (1 << 0);
+- else
++ else {
++ disable_dev_on_err = 0;
+ printk(KERN_WARNING "ata: 0x1f0 IDE port busy\n");
++ }
+ } else
+ legacy_mode |= (1 << 0);
+
+@@ -3709,8 +3714,10 @@
+ conflict = ____request_resource(&ioport_resource, &res);
+ if (!strcmp(conflict->name, "libata"))
+ legacy_mode |= (1 << 1);
+- else
++ else {
++ disable_dev_on_err = 0;
+ printk(KERN_WARNING "ata: 0x170 IDE port busy\n");
++ }
+ } else
+ legacy_mode |= (1 << 1);
+ }
+@@ -3763,7 +3770,8 @@
+ release_region(0x170, 8);
+ pci_release_regions(pdev);
+ err_out:
+- pci_disable_device(pdev);
++ if (disable_dev_on_err)
++ pci_disable_device(pdev);
+ return rc;
+ }
+
+diff -Nru a/drivers/scsi/sata_nv.c b/drivers/scsi/sata_nv.c
+--- a/drivers/scsi/sata_nv.c 2005-02-25 00:10:02 -08:00
++++ b/drivers/scsi/sata_nv.c 2005-02-25 00:10:02 -08:00
+@@ -332,6 +332,7 @@
+ struct nv_host *host;
+ struct ata_port_info *ppi;
+ struct ata_probe_ent *probe_ent;
++ int pci_dev_busy = 0;
+ int rc;
+ u32 bar;
+
+@@ -350,8 +351,10 @@
+ goto err_out;
+
+ rc = pci_request_regions(pdev, DRV_NAME);
+- if (rc)
++ if (rc) {
++ pci_dev_busy = 1;
+ goto err_out_disable;
++ }
+
+ rc = pci_set_dma_mask(pdev, ATA_DMA_MASK);
+ if (rc)
+@@ -427,7 +430,8 @@
+ err_out_regions:
+ pci_release_regions(pdev);
+ err_out_disable:
+- pci_disable_device(pdev);
++ if (!pci_dev_busy)
++ pci_disable_device(pdev);
+ err_out:
+ return rc;
+ }
+diff -Nru a/drivers/scsi/sata_promise.c b/drivers/scsi/sata_promise.c
+--- a/drivers/scsi/sata_promise.c 2005-02-25 00:10:02 -08:00
++++ b/drivers/scsi/sata_promise.c 2005-02-25 00:10:02 -08:00
+@@ -556,6 +556,7 @@
+ unsigned long base;
+ void *mmio_base;
+ unsigned int board_idx = (unsigned int) ent->driver_data;
++ int pci_dev_busy = 0;
+ int rc;
+
+ if (!printed_version++)
+@@ -570,8 +571,10 @@
+ return rc;
+
+ rc = pci_request_regions(pdev, DRV_NAME);
+- if (rc)
++ if (rc) {
++ pci_dev_busy = 1;
+ goto err_out;
++ }
+
+ rc = pci_set_dma_mask(pdev, ATA_DMA_MASK);
+ if (rc)
+@@ -650,7 +653,8 @@
+ err_out_regions:
+ pci_release_regions(pdev);
+ err_out:
+- pci_disable_device(pdev);
++ if (!pci_dev_busy)
++ pci_disable_device(pdev);
+ return rc;
+ }
+
+diff -Nru a/drivers/scsi/sata_sil.c b/drivers/scsi/sata_sil.c
+--- a/drivers/scsi/sata_sil.c 2005-02-25 00:10:02 -08:00
++++ b/drivers/scsi/sata_sil.c 2005-02-25 00:10:02 -08:00
+@@ -336,6 +336,7 @@
+ void *mmio_base;
+ int rc;
+ unsigned int i;
++ int pci_dev_busy = 0;
+ u32 tmp, irq_mask;
+
+ if (!printed_version++)
+@@ -350,8 +351,10 @@
+ return rc;
+
+ rc = pci_request_regions(pdev, DRV_NAME);
+- if (rc)
++ if (rc) {
++ pci_dev_busy = 1;
+ goto err_out;
++ }
+
+ rc = pci_set_dma_mask(pdev, ATA_DMA_MASK);
+ if (rc)
+@@ -438,7 +441,8 @@
+ err_out_regions:
+ pci_release_regions(pdev);
+ err_out:
+- pci_disable_device(pdev);
++ if (!pci_dev_busy)
++ pci_disable_device(pdev);
+ return rc;
+ }
+
+diff -Nru a/drivers/scsi/sata_sis.c b/drivers/scsi/sata_sis.c
+--- a/drivers/scsi/sata_sis.c 2005-02-25 00:10:02 -08:00
++++ b/drivers/scsi/sata_sis.c 2005-02-25 00:10:02 -08:00
+@@ -200,14 +200,17 @@
+ int rc;
+ u32 genctl;
+ struct ata_port_info *ppi;
++ int pci_dev_busy = 0;
+
+ rc = pci_enable_device(pdev);
+ if (rc)
+ return rc;
+
+ rc = pci_request_regions(pdev, DRV_NAME);
+- if (rc)
++ if (rc) {
++ pci_dev_busy = 1;
+ goto err_out;
++ }
+
+ rc = pci_set_dma_mask(pdev, ATA_DMA_MASK);
+ if (rc)
+@@ -259,7 +262,8 @@
+ pci_release_regions(pdev);
+
+ err_out:
+- pci_disable_device(pdev);
++ if (!pci_dev_busy)
++ pci_disable_device(pdev);
+ return rc;
+
+ }
+diff -Nru a/drivers/scsi/sata_svw.c b/drivers/scsi/sata_svw.c
+--- a/drivers/scsi/sata_svw.c 2005-02-25 00:10:02 -08:00
++++ b/drivers/scsi/sata_svw.c 2005-02-25 00:10:02 -08:00
+@@ -338,6 +338,7 @@
+ struct ata_probe_ent *probe_ent = NULL;
+ unsigned long base;
+ void *mmio_base;
++ int pci_dev_busy = 0;
+ int rc;
+
+ if (!printed_version++)
+@@ -359,8 +360,10 @@
+
+ /* Request PCI regions */
+ rc = pci_request_regions(pdev, DRV_NAME);
+- if (rc)
++ if (rc) {
++ pci_dev_busy = 1;
+ goto err_out;
++ }
+
+ rc = pci_set_dma_mask(pdev, ATA_DMA_MASK);
+ if (rc)
+@@ -433,7 +436,8 @@
+ err_out_regions:
+ pci_release_regions(pdev);
+ err_out:
+- pci_disable_device(pdev);
++ if (!pci_dev_busy)
++ pci_disable_device(pdev);
+ return rc;
+ }
+
+diff -Nru a/drivers/scsi/sata_sx4.c b/drivers/scsi/sata_sx4.c
+--- a/drivers/scsi/sata_sx4.c 2005-02-25 00:10:02 -08:00
++++ b/drivers/scsi/sata_sx4.c 2005-02-25 00:10:02 -08:00
+@@ -1366,6 +1366,7 @@
+ void *mmio_base, *dimm_mmio = NULL;
+ struct pdc_host_priv *hpriv = NULL;
+ unsigned int board_idx = (unsigned int) ent->driver_data;
++ int pci_dev_busy = 0;
+ int rc;
+
+ if (!printed_version++)
+@@ -1380,8 +1381,10 @@
+ return rc;
+
+ rc = pci_request_regions(pdev, DRV_NAME);
+- if (rc)
++ if (rc) {
++ pci_dev_busy = 1;
+ goto err_out;
++ }
+
+ rc = pci_set_dma_mask(pdev, ATA_DMA_MASK);
+ if (rc)
+@@ -1471,7 +1474,8 @@
+ err_out_regions:
+ pci_release_regions(pdev);
+ err_out:
+- pci_disable_device(pdev);
++ if (!pci_dev_busy)
++ pci_disable_device(pdev);
+ return rc;
+ }
+
+diff -Nru a/drivers/scsi/sata_uli.c b/drivers/scsi/sata_uli.c
+--- a/drivers/scsi/sata_uli.c 2005-02-25 00:10:02 -08:00
++++ b/drivers/scsi/sata_uli.c 2005-02-25 00:10:02 -08:00
+@@ -185,14 +185,17 @@
+ struct ata_port_info *ppi;
+ int rc;
+ unsigned int board_idx = (unsigned int) ent->driver_data;
++ int pci_dev_busy = 0;
+
+ rc = pci_enable_device(pdev);
+ if (rc)
+ return rc;
+
+ rc = pci_request_regions(pdev, DRV_NAME);
+- if (rc)
++ if (rc) {
++ pci_dev_busy = 1;
+ goto err_out;
++ }
+
+ rc = pci_set_dma_mask(pdev, ATA_DMA_MASK);
+ if (rc)
+@@ -260,7 +263,8 @@
+ pci_release_regions(pdev);
+
+ err_out:
+- pci_disable_device(pdev);
++ if (!pci_dev_busy)
++ pci_disable_device(pdev);
+ return rc;
+
+ }
+diff -Nru a/drivers/scsi/sata_via.c b/drivers/scsi/sata_via.c
+--- a/drivers/scsi/sata_via.c 2005-02-25 00:10:02 -08:00
++++ b/drivers/scsi/sata_via.c 2005-02-25 00:10:02 -08:00
+@@ -290,4 +290,5 @@
+ struct ata_probe_ent *probe_ent;
++ int pci_dev_busy = 0;
+ u8 tmp8;
+
+ if (!printed_version++)
+@@ -300,8 +301,10 @@
+ return rc;
+
+ rc = pci_request_regions(pdev, DRV_NAME);
+- if (rc)
++ if (rc) {
++ pci_dev_busy = 1;
+ goto err_out;
++ }
+
+ if (board_id == vt6420) {
+ pci_read_config_byte(pdev, SATA_PATA_SHARING, &tmp8);
+@@ -360,7 +363,8 @@
+ err_out_regions:
+ pci_release_regions(pdev);
+ err_out:
+- pci_disable_device(pdev);
++ if (!pci_dev_busy)
++ pci_disable_device(pdev);
+ return rc;
+ }
+
+diff -Nru a/drivers/scsi/sata_vsc.c b/drivers/scsi/sata_vsc.c
+--- a/drivers/scsi/sata_vsc.c 2005-02-25 00:10:02 -08:00
++++ b/drivers/scsi/sata_vsc.c 2005-02-25 00:10:02 -08:00
+@@ -255,6 +255,7 @@
+ static int printed_version;
+ struct ata_probe_ent *probe_ent = NULL;
+ unsigned long base;
++ int pci_dev_busy = 0;
+ void *mmio_base;
+ int rc;
+
+@@ -274,8 +275,10 @@
+ }
+
+ rc = pci_request_regions(pdev, DRV_NAME);
+- if (rc)
++ if (rc) {
++ pci_dev_busy = 1;
+ goto err_out;
++ }
+
+ /*
+ * Use 32 bit DMA mask, because 64 bit address support is poor.
+@@ -352,7 +355,8 @@
+ err_out_regions:
+ pci_release_regions(pdev);
+ err_out:
+- pci_disable_device(pdev);
++ if (!pci_dev_busy)
++ pci_disable_device(pdev);
+ return rc;
+ }
+
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/142-r8169_dev_alloc_skb_alignment_fix.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/142-r8169_dev_alloc_skb_alignment_fix.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/142-r8169_dev_alloc_skb_alignment_fix.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,58 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] r8169: skb alignment nitpicking
+## DP: Patch author: romieu@fr.zoreil.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/22 20:44:25-05:00 romieu@fr.zoreil.com
+# [PATCH] r8169: skb alignment nitpicking
+#
+# Nail an overrun in skb alignment and remove the relevant magic variable.
+#
+# Signed-off-by: Jon Mason <jdmason@us.ibm.com>
+# Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
+# Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
+#
+# drivers/net/r8169.c
+# 2005/02/17 16:17:25-05:00 romieu@fr.zoreil.com +4 -4
+# r8169: skb alignment nitpicking
+#
+diff -Nru a/drivers/net/r8169.c b/drivers/net/r8169.c
+--- a/drivers/net/r8169.c 2005-02-24 23:45:39 -08:00
++++ b/drivers/net/r8169.c 2005-02-24 23:45:39 -08:00
+@@ -1697,12 +1697,12 @@
+ dma_addr_t mapping;
+ int ret = 0;
+
+- skb = dev_alloc_skb(RX_BUF_SIZE);
++ skb = dev_alloc_skb(RX_BUF_SIZE + NET_IP_ALIGN);
+ if (!skb)
+ goto err_out;
+
+ skb->dev = dev;
+- skb_reserve(skb, 2);
++ skb_reserve(skb, NET_IP_ALIGN);
+ *sk_buff = skb;
+
+ mapping = pci_map_single(pdev, skb->tail, RX_BUF_SIZE,
+@@ -2140,10 +2140,10 @@
+ if (pkt_size < rx_copybreak) {
+ struct sk_buff *skb;
+
+- skb = dev_alloc_skb(pkt_size + 2);
++ skb = dev_alloc_skb(pkt_size + NET_IP_ALIGN);
+ if (skb) {
+ skb->dev = dev;
+- skb_reserve(skb, 2);
++ skb_reserve(skb, NET_IP_ALIGN);
+ eth_copy_and_sum(skb, sk_buff[0]->tail, pkt_size, 0);
+ *sk_buff = skb;
+ rtl8169_return_to_asic(desc, rx_buf_sz);
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/143-sysfs_write_file_signedness_problem.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/143-sysfs_write_file_signedness_problem.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/143-sysfs_write_file_signedness_problem.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,57 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [PATCH] sysfs: fix signedness problem
+## DP: Patch author: greg@kroah.com
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/03/01 16:18:03-08:00 greg@kroah.com
+# [PATCH] sysfs: fix signedness problem
+#
+# count is size_t, fill_write_buffer() may return a negative number
+# which would evade the 'count > 0' checks and do bad things.
+#
+# found by the Coverity tool
+#
+# Signed-off-by: Alexander Nyberg <alexn@dsv.su.se>
+# Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# fs/sysfs/file.c
+# 2005/02/26 06:48:19-08:00 greg@kroah.com +7 -6
+# sysfs: fix signedness problem
+#
+diff -Naru a/fs/sysfs/file.c b/fs/sysfs/file.c
+--- a/fs/sysfs/file.c 2005-03-09 20:20:22 -08:00
++++ b/fs/sysfs/file.c 2005-03-09 20:20:22 -08:00
+@@ -231,15 +231,16 @@
+ sysfs_write_file(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
+ {
+ struct sysfs_buffer * buffer = file->private_data;
++ ssize_t len;
+
+ down(&buffer->sem);
+- count = fill_write_buffer(buffer,buf,count);
+- if (count > 0)
+- count = flush_write_buffer(file->f_dentry,buffer,count);
+- if (count > 0)
+- *ppos += count;
++ len = fill_write_buffer(buffer, buf, count);
++ if (len > 0)
++ len = flush_write_buffer(file->f_dentry, buffer, len);
++ if (len > 0)
++ *ppos += len;
+ up(&buffer->sem);
+- return count;
++ return len;
+ }
+
+ static int check_perm(struct inode * inode, struct file * file)
+
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/144-sys_epoll_wait_int_overflow.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/144-sys_epoll_wait_int_overflow.dpatch 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/144-sys_epoll_wait_int_overflow.dpatch 2005-03-10 23:26:10 UTC (rev 2666)
@@ -0,0 +1,31 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SECURITY] sys_epoll_wait contains an integer overflow
+## DP: Patch author: ?
+## DP: Upstream status: backported from 2.6.11.2
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+diff -Nru a/fs/eventpoll.c b/fs/eventpoll.c
+--- a/fs/eventpoll.c 2005-03-09 00:13:29 -08:00
++++ b/fs/eventpoll.c 2005-03-09 00:13:29 -08:00
+@@ -619,6 +619,7 @@
+ return error;
+ }
+
++#define MAX_EVENTS (INT_MAX / sizeof(struct epoll_event))
+
+ /*
+ * Implement the event wait interface for the eventpoll file. It is the kernel
+@@ -635,7 +636,7 @@
+ current, epfd, events, maxevents, timeout));
+
+ /* The maximum number of event must be greater than zero */
+- if (maxevents <= 0)
++ if (maxevents <= 0 || maxevents > MAX_EVENTS)
+ return -EINVAL;
+
+ /* Verify that the area passed by the user is writeable */
Modified: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-6
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-6 2005-03-10 22:22:59 UTC (rev 2665)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-6 2005-03-10 23:26:10 UTC (rev 2666)
@@ -4,10 +4,60 @@
+ sparc32-hypersparc-srmmu.dpatch
+ setsid-race.dpatch
+ setsid-race-2.dpatch
-+ ipv4-fragment-queues.dpatch
-+ ipv4-fragment-queues-2.dpatch
+ nls-table-overflow.dpatch
+ amd64-noexec32-backport.dpatch
+ outs.dpatch
- 083-x86_64_switch_mm_context_race.dpatch
+ sparc64-sb1500-clock-2.6.dpatch
++ 088-ibmvscsi_event_struct_use_after_free.patch
++ 089-i386_acpi_backwards_ifdef.patch
++ 090-alsa_midi_emulation_chorus_reverb_swap.patch
++ 091-alsa_emu8000_load_fx_skip_header.patch
++ 092-net_sched_police_locate_sanity_check_input.patch
++ 093-e1000_eeprom_read_off_by_one.patch
++ 094-scsi_device_set_state_missing_oldstate.patch
++ 095-jffs2_build_filesystem_memory_leak.patch
++ 096-mtd_formatblock_zero_before_assignment.patch
++ 097-mtd_s3c2410_nand_inithw_calc_rate_fix.patch
++ 098-jffs2_do_mount_fs_init_bad_count.patch
++ 099-jfs_commit_inode_commit_race.patch
++ 101-ppc64_hugetlb_mm_free_pgd_unlock.patch
++ 102-cosa_sppp_channel_init_delay_attach.patch
++ 104-wan_sdla_firmware_cap_sys_rawio_addition.patch
++ 105-cmsg_compat_ok_proper_cmsghdr_struct.patch
++ 106-smbfs_input_validation_and_int_checks.patch
++ 107-xfs_finish_reclaim_always_inode.patch
++ 108-xfs_attrmulti_by_handle_limit_mem_alloc.patch
++ 109-binfmt_elf_loader_solar_designer_fixes.patch
++ 110-load_module_arg_checking.patch
++ 111-security_seclvl_kconfig_dep.patch
++ 112-audit_receive_skb_double_negative_return_val.patch
++ 114-netfilter_private_queues.patch
++ 115-proc_file_read_nbytes_signedness_fix.patch
++ 116-n_tty_copy_from_read_buf_signedness_fixes.patch
++ 117-reiserfs_file_64bit_size_t_fixes.patch
++ 118-i2c_sis5595_setup_pci_config_return_checks.patch
++ 119-i2c_viapro_i2cdump_overflow.patch
++ 120-openpromfs_property_read_fix.patch
++ 121-cpufreq_resume_readd.patch
++ 122-cpufreq_resume_readd_2.patch
++ 123-atm_get_addr_signedness_fix.patch
++ 125-netfilter_private_queues_2.patch
++ 126-ftdi_sio_set_serial_info_baud_base_check.patch
++ 127-ia64_ptrace_corner_case.patch
++ 129-video_cg3_screen_blanking.patch
++ 130-sparc_prom_nodematch_check_getproperty.patch
++ 131-sparc_check_prom_getproperty.patch
++ 132-sparc32_get_tv32_use_correct_variable.patch
++ 133-scsi_advansys_build_with_non_pci.patch
++ 134-cciss_scsi_detect_put_host_on_error.patch
++ 135-64bit_sys_shmget_compat_size_t_overflow.patch
++ 136-64bit_sys_compat_overflows.patch
++ 137-ppc64_prom_initialize_tce_table_typo.patch
++ 138-tulip_de_init_one_irq_init.patch
++ 139-pci_dma_free_coherent.patch
++ 140-s390_memset_arg_order_fixes.patch
++ 141-pci_devices_dont_disable_dev_if_busy.patch
++ 142-r8169_dev_alloc_skb_alignment_fix.patch
++ 143-sysfs_write_file_signedness_problem.patch
++ 144-sys_epoll_wait_int_overflow.patch