summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Yamin <plasmaroo@gentoo.org>2004-06-25 21:13:15 +0000
committerTim Yamin <plasmaroo@gentoo.org>2004-06-25 21:13:15 +0000
commit12e14d04271350efa6516cef2ce65a739bae7a95 (patch)
tree2bf03018aedb0dc01add45522e47583968bc5a67 /sys-kernel
parentAdd depend on automake 1.7.9 to close bug 54498. (Manifest recommit) (diff)
downloadgentoo-2-12e14d04271350efa6516cef2ce65a739bae7a95.tar.gz
gentoo-2-12e14d04271350efa6516cef2ce65a739bae7a95.tar.bz2
gentoo-2-12e14d04271350efa6516cef2ce65a739bae7a95.zip
Security patch for the CAN-2004-0495 and CAN-2004-0535 vulnerabilities.
Diffstat (limited to 'sys-kernel')
-rw-r--r--sys-kernel/ck-sources/ChangeLog8
-rw-r--r--sys-kernel/ck-sources/ck-sources-2.4.26-r1.ebuild4
-rw-r--r--sys-kernel/ck-sources/ck-sources-2.6.4-r2.ebuild31
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.4.26.CAN-2004-0495.patch655
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.4.26.CAN-2004-0535.patch12
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0075.patch39
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0109.patch88
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0181.patch39
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0228.patch11
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0229.patch11
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0427.patch11
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.6.4.FPULockup-53804.patch24
-rw-r--r--sys-kernel/ck-sources/files/digest-ck-sources-2.6.4-r22
13 files changed, 677 insertions, 258 deletions
diff --git a/sys-kernel/ck-sources/ChangeLog b/sys-kernel/ck-sources/ChangeLog
index 16c8a1ceaa09..537e6376087d 100644
--- a/sys-kernel/ck-sources/ChangeLog
+++ b/sys-kernel/ck-sources/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for sys-kernel/ck-sources
# Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ChangeLog,v 1.39 2004/06/24 22:55:31 agriffis Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ChangeLog,v 1.40 2004/06/25 21:13:15 plasmaroo Exp $
+
+ 25 Jun 2004; <plasmaroo@gentoo.org> ck-sources-2.4.26-r1.ebuild,
+ -ck-sources-2.6.4-r2.ebuild, +files/ck-sources-2.4.26.CAN-2004-0495.patch,
+ +files/ck-sources-2.4.26.CAN-2004-0535.patch:
+ Security patch for the CAN-2004-0495 and CAN-2004-0535 vulnerabilities. Old
+ 2.6.4 version removed.
*ck-sources-2.6.7-r1 (20 Jun 2004)
diff --git a/sys-kernel/ck-sources/ck-sources-2.4.26-r1.ebuild b/sys-kernel/ck-sources/ck-sources-2.4.26-r1.ebuild
index 14fdcbb41fd9..53891cda90db 100644
--- a/sys-kernel/ck-sources/ck-sources-2.4.26-r1.ebuild
+++ b/sys-kernel/ck-sources/ck-sources-2.4.26-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.4.26-r1.ebuild,v 1.3 2004/06/24 22:55:31 agriffis Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.4.26-r1.ebuild,v 1.4 2004/06/25 21:13:15 plasmaroo Exp $
IUSE=""
@@ -59,6 +59,8 @@ src_unpack() {
bzcat ${DISTDIR}/patch-${KV}.bz2|patch -p1 || die "-lck patch failed!"
epatch ${FILESDIR}/${P}.CAN-2004-0394.patch || die "Failed to add the CAN-2004-0394 patch!"
+ epatch ${FILESDIR}/${P}.CAN-2004-0495.patch || die "Failed to add the CAN-2004-0495 patch!"
+ epatch ${FILESDIR}/${P}.CAN-2004-0535.patch || die "Failed to add the CAN-2004-0535 patch!"
epatch ${FILESDIR}/${P}.FPULockup-53804.patch || die "Failed to apply FPU-lockup patch!"
kernel_universal_unpack
}
diff --git a/sys-kernel/ck-sources/ck-sources-2.6.4-r2.ebuild b/sys-kernel/ck-sources/ck-sources-2.6.4-r2.ebuild
deleted file mode 100644
index 93c60930c4e8..000000000000
--- a/sys-kernel/ck-sources/ck-sources-2.6.4-r2.ebuild
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.6.4-r2.ebuild,v 1.7 2004/06/24 22:55:31 agriffis Exp $
-
-UNIPATCH_LIST="${DISTDIR}/patch-${KV}.bz2 ${FILESDIR}/${P}.CAN-2004-0075.patch ${FILESDIR}/${P}.CAN-2004-0109.patch ${FILESDIR}/${P}.CAN-2004-0181.patch ${FILESDIR}/${P}.CAN-2004-0228.patch ${FILESDIR}/${P}.CAN-2004-0229.patch ${FILESDIR}/${P}.CAN-2004-0427.patch ${FILESDIR}/${P}.FPULockup-53804.patch"
-K_PREPATCHED="yes"
-UNIPATCH_STRICTORDER="yes"
-
-K_NOUSENAME="yes"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-IUSE=""
-
-DESCRIPTION="Full sources for the Stock Linux kernel Con Kolivas's high performance patchset"
-HOMEPAGE="http://members.optusnet.com.au/ckolivas/kernel/"
-SRC_URI="${KERNEL_URI} http://ck.kolivas.org/patches/2.6/${KV/-ck*/}/${KV}/patch-${KV}.bz2"
-
-KEYWORDS="~x86 ~ppc"
-
-pkg_postinst() {
- postinst_sources
-
- ewarn "IMPORTANT:"
- ewarn "ptyfs support has now been dropped from devfs and as a"
- ewarn "result you are now required to compile this support into"
- ewarn "the kernel. You can do so by enabling the following options"
- ewarn " Device Drivers -> Character devices -> Unix98 PTY Support"
- ewarn " File systems -> Pseudo filesystems -> /dev/pts filesystem."
- echo
-}
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.4.26.CAN-2004-0495.patch b/sys-kernel/ck-sources/files/ck-sources-2.4.26.CAN-2004-0495.patch
new file mode 100644
index 000000000000..bea80eac69a9
--- /dev/null
+++ b/sys-kernel/ck-sources/files/ck-sources-2.4.26.CAN-2004-0495.patch
@@ -0,0 +1,655 @@
+--- linux/net/decnet/dn_dev.c.bak Wed Jun 16 14:42:24 2004
++++ linux/net/decnet/dn_dev.c Wed Jun 16 14:42:34 2004
+@@ -1070,31 +1070,39 @@ int dnet_gifconf(struct net_device *dev,
+ {
+ struct dn_dev *dn_db = (struct dn_dev *)dev->dn_ptr;
+ struct dn_ifaddr *ifa;
+- struct ifreq *ifr = (struct ifreq *)buf;
++ char buffer[DN_IFREQ_SIZE];
++ struct ifreq *ifr = (struct ifreq *)buffer;
++ struct sockaddr_dn *addr = (struct sockaddr_dn *)&ifr->ifr_addr;
+ int done = 0;
+
+ if ((dn_db == NULL) || ((ifa = dn_db->ifa_list) == NULL))
+ return 0;
+
+ for(; ifa; ifa = ifa->ifa_next) {
+- if (!ifr) {
++ if (!buf) {
+ done += sizeof(DN_IFREQ_SIZE);
+ continue;
+ }
+ if (len < DN_IFREQ_SIZE)
+ return done;
+- memset(ifr, 0, DN_IFREQ_SIZE);
++ memset(buffer, 0, DN_IFREQ_SIZE);
+
+ if (ifa->ifa_label)
+ strcpy(ifr->ifr_name, ifa->ifa_label);
+ else
+ strcpy(ifr->ifr_name, dev->name);
+
+- (*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_family = AF_DECnet;
+- (*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_add.a_len = 2;
+- (*(dn_address *)(*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_add.a_addr) = ifa->ifa_local;
++ addr->sdn_family = AF_DECnet;
++ addr->sdn_add.a_len = 2;
++ memcpy(addr->sdn_add.a_addr, &ifa->ifa_local,
++ sizeof(dn_address));
+
+- ifr = (struct ifreq *)((char *)ifr + DN_IFREQ_SIZE);
++ if (copy_to_user(buf, buffer, DN_IFREQ_SIZE)) {
++ done = -EFAULT;
++ break;
++ }
++
++ buf += DN_IFREQ_SIZE;
+ len -= DN_IFREQ_SIZE;
+ done += DN_IFREQ_SIZE;
+ }
+--- linux-2.4.21/drivers/net/wireless/airo.c 2003-06-13 15:51:35.000000000 +0100
++++ linux-2.4.21/drivers/net/wireless/airo.c.plasmaroo 2004-06-24 11:09:08.260352168 +0100
+@@ -3012,19 +3012,22 @@
+ size_t len,
+ loff_t *offset )
+ {
+- int i;
+- int pos;
++ loff_t pos = *offset;
+ struct proc_data *priv = (struct proc_data*)file->private_data;
+
+- if( !priv->rbuffer ) return -EINVAL;
++ if (!priv->rbuffer)
++ return -EINVAL;
+
+- pos = *offset;
+- for( i = 0; i+pos < priv->readlen && i < len; i++ ) {
+- if (put_user( priv->rbuffer[i+pos], buffer+i ))
+- return -EFAULT;
+- }
+- *offset += i;
+- return i;
++ if (pos < 0)
++ return -EINVAL;
++ if (pos >= priv->readlen)
++ return 0;
++ if (len > priv->readlen - pos)
++ len = priv->readlen - pos;
++ if (copy_to_user(buffer, priv->rbuffer + pos, len))
++ return -EFAULT;
++ *offset = pos + len;
++ return len;
+ }
+
+ /*
+@@ -3036,24 +3039,24 @@
+ size_t len,
+ loff_t *offset )
+ {
+- int i;
+- int pos;
++ loff_t pos = *offset;
+ struct proc_data *priv = (struct proc_data*)file->private_data;
+
+- if ( !priv->wbuffer ) {
++ if (!priv->wbuffer)
+ return -EINVAL;
+- }
+-
+- pos = *offset;
+
+- for( i = 0; i + pos < priv->maxwritelen &&
+- i < len; i++ ) {
+- if (get_user( priv->wbuffer[i+pos], buffer + i ))
+- return -EFAULT;
+- }
+- if ( i+pos > priv->writelen ) priv->writelen = i+file->f_pos;
+- *offset += i;
+- return i;
++ if (pos < 0)
++ return -EINVAL;
++ if (pos >= priv->maxwritelen)
++ return 0;
++ if (len > priv->maxwritelen - pos)
++ len = priv->maxwritelen - pos;
++ if (copy_from_user(priv->wbuffer + pos, buffer, len))
++ return -EFAULT;
++ if (pos + len > priv->writelen)
++ priv->writelen = pos + len;
++ *offset = pos + len;
++ return len;
+ }
+
+ static int proc_status_open( struct inode *inode, struct file *file ) {
+--- linux/drivers/sound/mpu401.c.bak Wed Jun 16 14:42:24 2004
++++ linux/drivers/sound/mpu401.c Wed Jun 16 14:42:34 2004
+@@ -1493,14 +1493,16 @@ static unsigned long mpu_timer_get_time(
+ static int mpu_timer_ioctl(int dev, unsigned int command, caddr_t arg)
+ {
+ int midi_dev = sound_timer_devs[dev]->devlink;
++ int *p = (int *)arg;
+
+ switch (command)
+ {
+ case SNDCTL_TMR_SOURCE:
+ {
+ int parm;
+-
+- parm = *(int *) arg;
++
++ if (get_user(parm, p))
++ return -EFAULT;
+ parm &= timer_caps;
+
+ if (parm != 0)
+@@ -1512,7 +1514,9 @@ static int mpu_timer_ioctl(int dev, unsi
+ else if (timer_mode & TMR_MODE_SMPTE)
+ mpu_cmd(midi_dev, 0x3d, 0); /* Use SMPTE sync */
+ }
+- return (*(int *) arg = timer_mode);
++ if (put_user(timer_mode, p))
++ return -EFAULT;
++ return timer_mode;
+ }
+ break;
+
+@@ -1537,10 +1541,13 @@ static int mpu_timer_ioctl(int dev, unsi
+ {
+ int val;
+
+- val = *(int *) arg;
++ if (get_user(val, p))
++ return -EFAULT;
+ if (val)
+ set_timebase(midi_dev, val);
+- return (*(int *) arg = curr_timebase);
++ if (put_user(curr_timebase, p))
++ return -EFAULT;
++ return curr_timebase;
+ }
+ break;
+
+@@ -1549,7 +1556,8 @@ static int mpu_timer_ioctl(int dev, unsi
+ int val;
+ int ret;
+
+- val = *(int *) arg;
++ if (get_user(val, p))
++ return -EFAULT;
+
+ if (val)
+ {
+@@ -1564,7 +1572,9 @@ static int mpu_timer_ioctl(int dev, unsi
+ }
+ curr_tempo = val;
+ }
+- return (*(int *) arg = curr_tempo);
++ if (put_user(curr_tempo, p))
++ return -EFAULT;
++ return curr_tempo;
+ }
+ break;
+
+@@ -1572,18 +1582,25 @@ static int mpu_timer_ioctl(int dev, unsi
+ {
+ int val;
+
+- val = *(int *) arg;
++ if (get_user(val, p))
++ return -EFAULT;
+ if (val != 0) /* Can't change */
+ return -EINVAL;
+- return (*(int *) arg = ((curr_tempo * curr_timebase) + 30) / 60);
++ val = (curr_tempo * curr_timebase + 30) / 60;
++ if (put_user(val, p))
++ return -EFAULT;
++ return val;
+ }
+ break;
+
+ case SNDCTL_SEQ_GETTIME:
+- return (*(int *) arg = curr_ticks);
++ if (put_user(curr_ticks, p))
++ return -EFAULT;
++ return curr_ticks;
+
+ case SNDCTL_TMR_METRONOME:
+- metronome_mode = *(int *) arg;
++ if (get_user(metronome_mode, p))
++ return -EFAULT;
+ setup_metronome(midi_dev);
+ return 0;
+
+--- linux/drivers/sound/msnd.c.bak Wed Jun 16 14:42:24 2004
++++ linux/drivers/sound/msnd.c Wed Jun 16 14:42:34 2004
+@@ -155,13 +155,10 @@ void msnd_fifo_make_empty(msnd_fifo *f)
+ f->len = f->tail = f->head = 0;
+ }
+
+-int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len, int user)
++int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len)
+ {
+ int count = 0;
+
+- if (f->len == f->n)
+- return 0;
+-
+ while ((count < len) && (f->len != f->n)) {
+
+ int nwritten;
+@@ -177,11 +174,7 @@ int msnd_fifo_write(msnd_fifo *f, const
+ nwritten = len - count;
+ }
+
+- if (user) {
+- if (copy_from_user(f->data + f->tail, buf, nwritten))
+- return -EFAULT;
+- } else
+- isa_memcpy_fromio(f->data + f->tail, (unsigned long) buf, nwritten);
++ isa_memcpy_fromio(f->data + f->tail, (unsigned long) buf, nwritten);
+
+ count += nwritten;
+ buf += nwritten;
+@@ -193,13 +186,10 @@ int msnd_fifo_write(msnd_fifo *f, const
+ return count;
+ }
+
+-int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len, int user)
++int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len)
+ {
+ int count = 0;
+
+- if (f->len == 0)
+- return f->len;
+-
+ while ((count < len) && (f->len > 0)) {
+
+ int nread;
+@@ -215,11 +205,7 @@ int msnd_fifo_read(msnd_fifo *f, char *b
+ nread = len - count;
+ }
+
+- if (user) {
+- if (copy_to_user(buf, f->data + f->head, nread))
+- return -EFAULT;
+- } else
+- isa_memcpy_toio((unsigned long) buf, f->data + f->head, nread);
++ isa_memcpy_toio((unsigned long) buf, f->data + f->head, nread);
+
+ count += nread;
+ buf += nread;
+--- linux/drivers/sound/msnd.h.bak Wed Jun 16 14:42:24 2004
++++ linux/drivers/sound/msnd.h Wed Jun 16 14:42:34 2004
+@@ -266,8 +266,8 @@ void msnd_fifo_init(msnd_fifo *f);
+ void msnd_fifo_free(msnd_fifo *f);
+ int msnd_fifo_alloc(msnd_fifo *f, size_t n);
+ void msnd_fifo_make_empty(msnd_fifo *f);
+-int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len, int user);
+-int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len, int user);
++int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len);
++int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len);
+
+ int msnd_wait_TXDE(multisound_dev_t *dev);
+ int msnd_wait_HC0(multisound_dev_t *dev);
+--- linux/drivers/sound/msnd_pinnacle.c.bak Wed Jun 16 14:42:24 2004
++++ linux/drivers/sound/msnd_pinnacle.c Wed Jun 16 14:42:34 2004
+@@ -804,7 +804,7 @@ static int dev_release(struct inode *ino
+
+ static __inline__ int pack_DARQ_to_DARF(register int bank)
+ {
+- register int size, n, timeout = 3;
++ register int size, timeout = 3;
+ register WORD wTmp;
+ LPDAQD DAQD;
+
+@@ -825,13 +825,10 @@ static __inline__ int pack_DARQ_to_DARF(
+ /* Read data from the head (unprotected bank 1 access okay
+ since this is only called inside an interrupt) */
+ outb(HPBLKSEL_1, dev.io + HP_BLKS);
+- if ((n = msnd_fifo_write(
++ msnd_fifo_write(
+ &dev.DARF,
+ (char *)(dev.base + bank * DAR_BUFF_SIZE),
+- size, 0)) <= 0) {
+- outb(HPBLKSEL_0, dev.io + HP_BLKS);
+- return n;
+- }
++ size);
+ outb(HPBLKSEL_0, dev.io + HP_BLKS);
+
+ return 1;
+@@ -853,21 +850,16 @@ static __inline__ int pack_DAPF_to_DAPQ(
+ if (protect) {
+ /* Critical section: protect fifo in non-interrupt */
+ spin_lock_irqsave(&dev.lock, flags);
+- if ((n = msnd_fifo_read(
++ n = msnd_fifo_read(
+ &dev.DAPF,
+ (char *)(dev.base + bank_num * DAP_BUFF_SIZE),
+- DAP_BUFF_SIZE, 0)) < 0) {
+- spin_unlock_irqrestore(&dev.lock, flags);
+- return n;
+- }
++ DAP_BUFF_SIZE);
+ spin_unlock_irqrestore(&dev.lock, flags);
+ } else {
+- if ((n = msnd_fifo_read(
++ n = msnd_fifo_read(
+ &dev.DAPF,
+ (char *)(dev.base + bank_num * DAP_BUFF_SIZE),
+- DAP_BUFF_SIZE, 0)) < 0) {
+- return n;
+- }
++ DAP_BUFF_SIZE);
+ }
+ if (!n)
+ break;
+@@ -894,30 +886,43 @@ static __inline__ int pack_DAPF_to_DAPQ(
+ static int dsp_read(char *buf, size_t len)
+ {
+ int count = len;
++ char *page = (char *)__get_free_page(PAGE_SIZE);
++
++ if (!page)
++ return -ENOMEM;
+
+ while (count > 0) {
+- int n;
++ int n, k;
+ unsigned long flags;
+
++ k = PAGE_SIZE;
++ if (k > count)
++ k = count;
++
+ /* Critical section: protect fifo in non-interrupt */
+ spin_lock_irqsave(&dev.lock, flags);
+- if ((n = msnd_fifo_read(&dev.DARF, buf, count, 1)) < 0) {
+- printk(KERN_WARNING LOGNAME ": FIFO read error\n");
+- spin_unlock_irqrestore(&dev.lock, flags);
+- return n;
+- }
++ n = msnd_fifo_read(&dev.DARF, page, k);
+ spin_unlock_irqrestore(&dev.lock, flags);
++ if (copy_to_user(buf, page, n)) {
++ free_page((unsigned long)page);
++ return -EFAULT;
++ }
+ buf += n;
+ count -= n;
+
++ if (n == k && count)
++ continue;
++
+ if (!test_bit(F_READING, &dev.flags) && dev.mode & FMODE_READ) {
+ dev.last_recbank = -1;
+ if (chk_send_dsp_cmd(&dev, HDEX_RECORD_START) == 0)
+ set_bit(F_READING, &dev.flags);
+ }
+
+- if (dev.rec_ndelay)
++ if (dev.rec_ndelay) {
++ free_page((unsigned long)page);
+ return count == len ? -EAGAIN : len - count;
++ }
+
+ if (count > 0) {
+ set_bit(F_READBLOCK, &dev.flags);
+@@ -926,41 +931,57 @@ static int dsp_read(char *buf, size_t le
+ get_rec_delay_jiffies(DAR_BUFF_SIZE)))
+ clear_bit(F_READING, &dev.flags);
+ clear_bit(F_READBLOCK, &dev.flags);
+- if (signal_pending(current))
++ if (signal_pending(current)) {
++ free_page((unsigned long)page);
+ return -EINTR;
++ }
+ }
+ }
+-
++ free_page((unsigned long)page);
+ return len - count;
+ }
+
+ static int dsp_write(const char *buf, size_t len)
+ {
+ int count = len;
++ char *page = (char *)__get_free_page(GFP_KERNEL);
++
++ if (!page)
++ return -ENOMEM;
+
+ while (count > 0) {
+- int n;
++ int n, k;
+ unsigned long flags;
+
++ k = PAGE_SIZE;
++ if (k > count)
++ k = count;
++
++ if (copy_from_user(page, buf, k)) {
++ free_page((unsigned long)page);
++ return -EFAULT;
++ }
++
+ /* Critical section: protect fifo in non-interrupt */
+ spin_lock_irqsave(&dev.lock, flags);
+- if ((n = msnd_fifo_write(&dev.DAPF, buf, count, 1)) < 0) {
+- printk(KERN_WARNING LOGNAME ": FIFO write error\n");
+- spin_unlock_irqrestore(&dev.lock, flags);
+- return n;
+- }
++ n = msnd_fifo_write(&dev.DAPF, page, k);
+ spin_unlock_irqrestore(&dev.lock, flags);
+ buf += n;
+ count -= n;
+
++ if (count && n == k)
++ continue;
++
+ if (!test_bit(F_WRITING, &dev.flags) && (dev.mode & FMODE_WRITE)) {
+ dev.last_playbank = -1;
+ if (pack_DAPF_to_DAPQ(1) > 0)
+ set_bit(F_WRITING, &dev.flags);
+ }
+
+- if (dev.play_ndelay)
++ if (dev.play_ndelay) {
++ free_page((unsigned long)page);
+ return count == len ? -EAGAIN : len - count;
++ }
+
+ if (count > 0) {
+ set_bit(F_WRITEBLOCK, &dev.flags);
+@@ -968,11 +989,14 @@ static int dsp_write(const char *buf, si
+ &dev.writeblock,
+ get_play_delay_jiffies(DAP_BUFF_SIZE));
+ clear_bit(F_WRITEBLOCK, &dev.flags);
+- if (signal_pending(current))
++ if (signal_pending(current)) {
++ free_page((unsigned long)page);
+ return -EINTR;
++ }
+ }
+ }
+
++ free_page((unsigned long)page);
+ return len - count;
+ }
+
+--- linux/drivers/sound/pss.c.bak Wed Jun 16 14:42:24 2004
++++ linux/drivers/sound/pss.c Wed Jun 16 14:42:34 2004
+@@ -450,20 +450,36 @@ static void pss_mixer_reset(pss_confdata
+ }
+ }
+
+-static void arg_to_volume_mono(unsigned int volume, int *aleft)
++static int set_volume_mono(caddr_t p, int *aleft)
+ {
+ int left;
++ unsigned volume;
++ if (get_user(volume, (unsigned *)p))
++ return -EFAULT;
+
+- left = volume & 0x00ff;
++ left = volume & 0xff;
+ if (left > 100)
+ left = 100;
+ *aleft = left;
++ return 0;
+ }
+
+-static void arg_to_volume_stereo(unsigned int volume, int *aleft, int *aright)
++static int set_volume_stereo(caddr_t p, int *aleft, int *aright)
+ {
+- arg_to_volume_mono(volume, aleft);
+- arg_to_volume_mono(volume >> 8, aright);
++ int left, right;
++ unsigned volume;
++ if (get_user(volume, (unsigned *)p))
++ return -EFAULT;
++
++ left = volume & 0xff;
++ if (left > 100)
++ left = 100;
++ right = (volume >> 8) & 0xff;
++ if (right > 100)
++ right = 100;
++ *aleft = left;
++ *aright = right;
++ return 0;
+ }
+
+ static int ret_vol_mono(int left)
+@@ -510,33 +526,38 @@ static int pss_mixer_ioctl (int dev, uns
+ return call_ad_mixer(devc, cmd, arg);
+ else
+ {
+- if (*(int *)arg != 0)
++ int v;
++ if (get_user(v, (int *)arg))
++ return -EFAULT;
++ if (v != 0)
+ return -EINVAL;
+ return 0;
+ }
+ case SOUND_MIXER_VOLUME:
+- arg_to_volume_stereo(*(unsigned int *)arg, &devc->mixer.volume_l,
+- &devc->mixer.volume_r);
++ if (set_volume_stereo(arg,
++ &devc->mixer.volume_l,
++ &devc->mixer.volume_r))
++ return -EFAULT;
+ set_master_volume(devc, devc->mixer.volume_l,
+ devc->mixer.volume_r);
+ return ret_vol_stereo(devc->mixer.volume_l,
+ devc->mixer.volume_r);
+
+ case SOUND_MIXER_BASS:
+- arg_to_volume_mono(*(unsigned int *)arg,
+- &devc->mixer.bass);
++ if (set_volume_mono(arg, &devc->mixer.bass))
++ return -EFAULT;
+ set_bass(devc, devc->mixer.bass);
+ return ret_vol_mono(devc->mixer.bass);
+
+ case SOUND_MIXER_TREBLE:
+- arg_to_volume_mono(*(unsigned int *)arg,
+- &devc->mixer.treble);
++ if (set_volume_mono(arg, &devc->mixer.treble))
++ return -EFAULT;
+ set_treble(devc, devc->mixer.treble);
+ return ret_vol_mono(devc->mixer.treble);
+
+ case SOUND_MIXER_SYNTH:
+- arg_to_volume_mono(*(unsigned int *)arg,
+- &devc->mixer.synth);
++ if (set_volume_mono(arg, &devc->mixer.synth))
++ return -EFAULT;
+ set_synth_volume(devc, devc->mixer.synth);
+ return ret_vol_mono(devc->mixer.synth);
+
+@@ -546,54 +567,67 @@ static int pss_mixer_ioctl (int dev, uns
+ }
+ else
+ {
++ int val, and_mask = 0, or_mask = 0;
+ /*
+ * Return parameters
+ */
+ switch (cmdf)
+ {
+-
+ case SOUND_MIXER_DEVMASK:
+ if (call_ad_mixer(devc, cmd, arg) == -EINVAL)
+- *(int *)arg = 0; /* no mixer devices */
+- return (*(int *)arg |= SOUND_MASK_VOLUME | SOUND_MASK_BASS | SOUND_MASK_TREBLE | SOUND_MASK_SYNTH);
++ break;
++ and_mask = ~0;
++ or_mask = SOUND_MASK_VOLUME | SOUND_MASK_BASS | SOUND_MASK_TREBLE | SOUND_MASK_SYNTH;
++ break;
+
+ case SOUND_MIXER_STEREODEVS:
+ if (call_ad_mixer(devc, cmd, arg) == -EINVAL)
+- *(int *)arg = 0; /* no stereo devices */
+- return (*(int *)arg |= SOUND_MASK_VOLUME);
++ break;
++ and_mask = ~0;
++ or_mask = SOUND_MASK_VOLUME;
++ break;
+
+ case SOUND_MIXER_RECMASK:
+ if (devc->ad_mixer_dev != NO_WSS_MIXER)
+ return call_ad_mixer(devc, cmd, arg);
+- else
+- return (*(int *)arg = 0); /* no record devices */
++ break;
+
+ case SOUND_MIXER_CAPS:
+ if (devc->ad_mixer_dev != NO_WSS_MIXER)
+ return call_ad_mixer(devc, cmd, arg);
+- else
+- return (*(int *)arg = SOUND_CAP_EXCL_INPUT);
++ or_mask = SOUND_CAP_EXCL_INPUT;
++ break;
+
+ case SOUND_MIXER_RECSRC:
+ if (devc->ad_mixer_dev != NO_WSS_MIXER)
+ return call_ad_mixer(devc, cmd, arg);
+- else
+- return (*(int *)arg = 0); /* no record source */
++ break;
+
+ case SOUND_MIXER_VOLUME:
+- return (*(int *)arg = ret_vol_stereo(devc->mixer.volume_l, devc->mixer.volume_r));
++ or_mask = ret_vol_stereo(devc->mixer.volume_l, devc->mixer.volume_r);
++ break;
+
+ case SOUND_MIXER_BASS:
+- return (*(int *)arg = ret_vol_mono(devc->mixer.bass));
++ or_mask = ret_vol_mono(devc->mixer.bass);
++ break;
+
+ case SOUND_MIXER_TREBLE:
+- return (*(int *)arg = ret_vol_mono(devc->mixer.treble));
++ or_mask = ret_vol_mono(devc->mixer.treble);
++ break;
+
+ case SOUND_MIXER_SYNTH:
+- return (*(int *)arg = ret_vol_mono(devc->mixer.synth));
++ or_mask = ret_vol_mono(devc->mixer.synth);
++ break;
+ default:
+ return -EINVAL;
+ }
++ if (get_user(val, (int *)arg))
++ return -EFAULT;
++ val &= and_mask;
++ val |= or_mask;
++ if (put_user(val, (int *)arg))
++ return -EFAULT;
++ return val;
+ }
+ }
+
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.4.26.CAN-2004-0535.patch b/sys-kernel/ck-sources/files/ck-sources-2.4.26.CAN-2004-0535.patch
new file mode 100644
index 000000000000..669fc5fd32fb
--- /dev/null
+++ b/sys-kernel/ck-sources/files/ck-sources-2.4.26.CAN-2004-0535.patch
@@ -0,0 +1,12 @@
+--- drivers/net/e1000/e1000_ethtool.c 2003-06-13 15:51:34.000000000 +0100
++++ drivers/net/e1000/e1000_ethtool.c.plasmaroo 2004-06-24 11:23:32.524963976 +0100
+@@ -468,6 +468,9 @@
+
+ if(copy_from_user(&regs, addr, sizeof(regs)))
+ return -EFAULT;
++ memset(regs_buff, 0, sizeof(regs_buff));
++ if (regs.len > E1000_REGS_LEN)
++ regs.len = E1000_REGS_LEN;
+ e1000_ethtool_gregs(adapter, &regs, regs_buff);
+ if(copy_to_user(addr, &regs, sizeof(regs)))
+ return -EFAULT;
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0075.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0075.patch
deleted file mode 100644
index e131c957cb0a..000000000000
--- a/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0075.patch
+++ /dev/null
@@ -1,39 +0,0 @@
---- linux-2.6.6-rc1/drivers/usb/media/vicam.c 2004-04-15 11:18:18.000000000 +0200
-+++ linux-2.6.6-rc1-mich/drivers/usb/media/vicam.c 2004-04-15 11:50:02.791604312 +0200
-@@ -612,15 +612,20 @@ vicam_ioctl(struct inode *inode, struct
-
- case VIDIOCSPICT:
- {
-- struct video_picture *vp = (struct video_picture *) arg;
--
-- DBG("VIDIOCSPICT depth = %d, pal = %d\n", vp->depth,
-- vp->palette);
-+ struct video_picture vp;
-+
-+ if (copy_from_user(&vp, arg, sizeof(vp))) {
-+ retval = -EFAULT;
-+ break;
-+ }
-+
-+ DBG("VIDIOCSPICT depth = %d, pal = %d\n", vp.depth,
-+ vp.palette);
-
-- cam->gain = vp->brightness >> 8;
-+ cam->gain = vp.brightness >> 8;
-
-- if (vp->depth != 24
-- || vp->palette != VIDEO_PALETTE_RGB24)
-+ if (vp.depth != 24
-+ || vp.palette != VIDEO_PALETTE_RGB24)
- retval = -EINVAL;
-
- break;
-@@ -659,7 +659,7 @@
- {
-
- struct video_window *vw = (struct video_window *) arg;
-- DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
-+ DBG("VIDIOCSWIN %d x %d\n", vw.width, vw.height);
-
- if ( vw->width != 320 || vw->height != 240 )
- retval = -EFAULT;
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0109.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0109.patch
deleted file mode 100644
index d7726c2e5aaf..000000000000
--- a/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0109.patch
+++ /dev/null
@@ -1,88 +0,0 @@
---- linux/fs/isofs/rock.c.orig
-+++ linux/fs/isofs/rock.c
-@@ -14,6 +14,7 @@
- #include <linux/slab.h>
- #include <linux/pagemap.h>
- #include <linux/smp_lock.h>
- #include <linux/buffer_head.h>
-+#include <asm/page.h>
-
- #include "rock.h"
-@@ -419,7 +420,7 @@ int parse_rock_ridge_inode_internal(stru
- return 0;
- }
-
--static char *get_symlink_chunk(char *rpnt, struct rock_ridge *rr)
-+static char *get_symlink_chunk(char *rpnt, struct rock_ridge *rr, char *plimit)
- {
- int slen;
- int rootflag;
-@@ -431,16 +432,25 @@ static char *get_symlink_chunk(char *rpn
- rootflag = 0;
- switch (slp->flags & ~1) {
- case 0:
-+ if (slp->len > plimit - rpnt)
-+ return NULL;
- memcpy(rpnt, slp->text, slp->len);
- rpnt+=slp->len;
- break;
-+ case 2:
-+ if (rpnt >= plimit)
-+ return NULL;
-+ *rpnt++='.';
-+ break;
- case 4:
-+ if (2 > plimit - rpnt)
-+ return NULL;
- *rpnt++='.';
-- /* fallthru */
-- case 2:
- *rpnt++='.';
- break;
- case 8:
-+ if (rpnt >= plimit)
-+ return NULL;
- rootflag = 1;
- *rpnt++='/';
- break;
-@@ -457,17 +467,23 @@ static char *get_symlink_chunk(char *rpn
- * If there is another SL record, and this component
- * record isn't continued, then add a slash.
- */
-- if ((!rootflag) && (rr->u.SL.flags & 1) && !(oldslp->flags & 1))
-+ if ((!rootflag) && (rr->u.SL.flags & 1) &&
-+ !(oldslp->flags & 1)) {
-+ if (rpnt >= plimit)
-+ return NULL;
- *rpnt++='/';
-+ }
- break;
- }
-
- /*
- * If this component record isn't continued, then append a '/'.
- */
-- if (!rootflag && !(oldslp->flags & 1))
-+ if (!rootflag && !(oldslp->flags & 1)) {
-+ if (rpnt >= plimit)
-+ return NULL;
- *rpnt++='/';
--
-+ }
- }
- return rpnt;
- }
-@@ -548,7 +564,10 @@ static int rock_ridge_symlink_readpage(s
- CHECK_SP(goto out);
- break;
- case SIG('S', 'L'):
-- rpnt = get_symlink_chunk(rpnt, rr);
-+ rpnt = get_symlink_chunk(rpnt, rr,
-+ link + (PAGE_SIZE - 1));
-+ if (rpnt == NULL)
-+ goto out;
- break;
- case SIG('C', 'E'):
- /* This tells is if there is a continuation record */
-
-
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0181.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0181.patch
deleted file mode 100644
index 4f4742b992f0..000000000000
--- a/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0181.patch
+++ /dev/null
@@ -1,39 +0,0 @@
---- linux-2.6.3/fs/jfs/jfs_logmgr.c.zy62.orig 2004-02-17 20:57:59.000000000 -0700
-+++ linux-2.6.3/fs/jfs/jfs_logmgr.c 2004-04-02 16:57:38.000000000 -0700
-@@ -1702,7 +1702,7 @@
- lbuf = kmalloc(sizeof(struct lbuf), GFP_KERNEL);
- if (lbuf == 0)
- goto error;
-- lbuf->l_ldata = (char *) __get_free_page(GFP_KERNEL);
-+ lbuf->l_ldata = (char *) get_zeroed_page(GFP_KERNEL);
- if (lbuf->l_ldata == 0) {
- kfree(lbuf);
- goto error;
---- linux-2.6.3/fs/jfs/jfs_metapage.c.zy62.orig 2004-02-17 20:57:20.000000000 -0700
-+++ linux-2.6.3/fs/jfs/jfs_metapage.c 2004-04-02 16:29:03.000000000 -0700
-@@ -341,6 +341,10 @@
- }
- mp->data = kmap(mp->page) + page_offset;
- }
-+
-+ if (new)
-+ memset(mp->data, 0, PSIZE);
-+
- jfs_info("__get_metapage: returning = 0x%p", mp);
- return mp;
-
---- linux-2.6.3/fs/jfs/super.c.zy62.orig 2004-02-17 20:57:48.000000000 -0700
-+++ linux-2.6.3/fs/jfs/super.c 2004-04-02 17:57:02.903281078 -0700
-@@ -549,11 +549,11 @@
-
- if ((flags & (SLAB_CTOR_VERIFY | SLAB_CTOR_CONSTRUCTOR)) ==
- SLAB_CTOR_CONSTRUCTOR) {
-+ memset(jfs_ip, 0, sizeof(struct jfs_inode_info));
- INIT_LIST_HEAD(&jfs_ip->anon_inode_list);
- init_rwsem(&jfs_ip->rdwrlock);
- init_MUTEX(&jfs_ip->commit_sem);
- init_rwsem(&jfs_ip->xattr_sem);
-- jfs_ip->atlhead = 0;
- jfs_ip->active_ag = -1;
- #ifdef CONFIG_JFS_POSIX_ACL
- jfs_ip->i_acl = JFS_ACL_NOT_CACHED;
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0228.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0228.patch
deleted file mode 100644
index 746ade9ab1c0..000000000000
--- a/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0228.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- linux-2.6.3/drivers/cpufreq/cpufreq_userspace.c.overflow 2004-02-18 04:57:16.000000000 +0100
-+++ linux-2.6.3/drivers/cpufreq/cpufreq_userspace.c 2004-05-14 11:40:37.000000000 +0200
-@@ -168,7 +168,7 @@ cpufreq_procctl(ctl_table *ctl, int writ
- {
- char buf[16], *p;
- int cpu = (int) ctl->extra1;
-- int len, left = *lenp;
-+ unsigned int len, left = *lenp;
-
- if (!left || (filp->f_pos && !write) || !cpu_online(cpu)) {
- *lenp = 0;
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0229.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0229.patch
deleted file mode 100644
index 2b6dfff88e25..000000000000
--- a/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0229.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- linux-2.6.3/drivers/video/fbmem.c.zy67 2004-04-23 07:32:22.000000000 -0400
-+++ linux-2.6.3/drivers/video/fbmem.c 2004-04-23 07:33:09.000000000 -0400
-@@ -1042,7 +1042,7 @@
- case FBIOGETCMAP:
- if (copy_from_user(&cmap, (void *) arg, sizeof(cmap)))
- return -EFAULT;
-- return (fb_copy_cmap(&info->cmap, &cmap, 0));
-+ return (fb_copy_cmap(&info->cmap, &cmap, 2));
- case FBIOPAN_DISPLAY:
- if (copy_from_user(&var, (void *) arg, sizeof(var)))
- return -EFAULT;
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0427.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0427.patch
deleted file mode 100644
index adadefd53db2..000000000000
--- a/sys-kernel/ck-sources/files/ck-sources-2.6.4.CAN-2004-0427.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- linux-2.6.3/kernel/fork.c.zy64 2004-04-21 12:26:51.000000000 -0400
-+++ linux-2.6.3/kernel/fork.c 2004-04-21 12:29:34.000000000 -0400
-@@ -1073,6 +1073,8 @@
- exit_namespace(p);
- bad_fork_cleanup_mm:
- exit_mm(p);
-+ if (p->active_mm)
-+ mmdrop(p->active_mm);
- bad_fork_cleanup_signal:
- exit_signal(p);
- bad_fork_cleanup_sighand:
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.4.FPULockup-53804.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.4.FPULockup-53804.patch
deleted file mode 100644
index a813f48ec23b..000000000000
--- a/sys-kernel/ck-sources/files/ck-sources-2.6.4.FPULockup-53804.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -Nru a/include/asm-i386/i387.h b/include/asm-i386/i387.h
---- a/include/asm-i386/i387.h 2004-05-06 12:26:10 -07:00
-+++ b/include/asm-i386/i387.h 2004-06-12 19:12:23 -07:00
-@@ -51,7 +51,7 @@
- #define __clear_fpu( tsk ) \
- do { \
- if ((tsk)->thread_info->status & TS_USEDFPU) { \
-- asm volatile("fwait"); \
-+ asm volatile("fnclex ; fwait"); \
- (tsk)->thread_info->status &= ~TS_USEDFPU; \
- stts(); \
- } \
-diff -Nru a/include/asm-x86_64/i387.h b/include/asm-x86_64/i387.h
---- a/include/asm-x86_64/i387.h 2004-06-13 20:43:56.742530792 +0100
-+++ a/include/asm-x86_64/i387.h 2004-06-13 20:42:59.200278544 +0100
-@@ -46,7 +46,7 @@
-
- #define clear_fpu(tsk) do { \
- if ((tsk)->thread_info->status & TS_USEDFPU) { \
-- asm volatile("fwait"); \
-+ asm volatile("fnclex; fwait"); \
- (tsk)->thread_info->status &= ~TS_USEDFPU; \
- stts(); \
- } \
diff --git a/sys-kernel/ck-sources/files/digest-ck-sources-2.6.4-r2 b/sys-kernel/ck-sources/files/digest-ck-sources-2.6.4-r2
deleted file mode 100644
index e553fe45030b..000000000000
--- a/sys-kernel/ck-sources/files/digest-ck-sources-2.6.4-r2
+++ /dev/null
@@ -1,2 +0,0 @@
-MD5 335f06eba1e5372ba38a0d2b253629bd linux-2.6.4.tar.bz2 34386912
-MD5 40edea9030e43c48055df9c24a8e37c7 patch-2.6.4-ck2.bz2 704169