Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/sys-kernel/xbox-sources/files
diff options
context:
space:
mode:
authorTim Yamin <plasmaroo@gentoo.org>2004-12-24 19:52:45 +0000
committerTim Yamin <plasmaroo@gentoo.org>2004-12-24 19:52:45 +0000
commit1b823db8294ca4da8dd664733d9af859035caf31 (patch)
tree2e26feeb322958872a7be2eac0f5b61f196c2854 /sys-kernel/xbox-sources/files
parentFixed ChangeLog header. Fixed broken Manifest. (diff)
downloadgentoo-2-1b823db8294ca4da8dd664733d9af859035caf31.tar.gz
gentoo-2-1b823db8294ca4da8dd664733d9af859035caf31.tar.bz2
gentoo-2-1b823db8294ca4da8dd664733d9af859035caf31.zip
Security bump; bugs #72452, #74384, #74392, #74464.
Diffstat (limited to 'sys-kernel/xbox-sources/files')
-rw-r--r--sys-kernel/xbox-sources/files/digest-xbox-sources-2.4.28-r2 (renamed from sys-kernel/xbox-sources/files/digest-xbox-sources-2.4.28-r1)0
-rw-r--r--sys-kernel/xbox-sources/files/xbox-sources-2.4.28.CAN-2004-1016.patch75
-rw-r--r--sys-kernel/xbox-sources/files/xbox-sources-2.4.28.CAN-2004-1056.patch321
-rw-r--r--sys-kernel/xbox-sources/files/xbox-sources-2.4.28.CAN-2004-1137.patch59
-rw-r--r--sys-kernel/xbox-sources/files/xbox-sources-2.4.28.vma.patch246
5 files changed, 701 insertions, 0 deletions
diff --git a/sys-kernel/xbox-sources/files/digest-xbox-sources-2.4.28-r1 b/sys-kernel/xbox-sources/files/digest-xbox-sources-2.4.28-r2
index 44a45c606aa5..44a45c606aa5 100644
--- a/sys-kernel/xbox-sources/files/digest-xbox-sources-2.4.28-r1
+++ b/sys-kernel/xbox-sources/files/digest-xbox-sources-2.4.28-r2
diff --git a/sys-kernel/xbox-sources/files/xbox-sources-2.4.28.CAN-2004-1016.patch b/sys-kernel/xbox-sources/files/xbox-sources-2.4.28.CAN-2004-1016.patch
new file mode 100644
index 000000000000..aa25ac95ed61
--- /dev/null
+++ b/sys-kernel/xbox-sources/files/xbox-sources-2.4.28.CAN-2004-1016.patch
@@ -0,0 +1,75 @@
+===== include/linux/socket.h 1.12 vs edited =====
+--- 1.12/include/linux/socket.h 2004-09-09 06:40:01 +10:00
++++ edited/include/linux/socket.h 2004-11-27 11:53:40 +11:00
+@@ -90,6 +90,10 @@
+ (struct cmsghdr *)(ctl) : \
+ (struct cmsghdr *)NULL)
+ #define CMSG_FIRSTHDR(msg) __CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \
++ (cmsg)->cmsg_len <= (unsigned long) \
++ ((mhdr)->msg_controllen - \
++ ((char *)(cmsg) - (char *)(mhdr)->msg_control)))
+
+ /*
+ * This mess will go away with glibc
+===== net/core/scm.c 1.10 vs edited =====
+--- 1.10/net/core/scm.c 2004-05-31 05:08:14 +10:00
++++ edited/net/core/scm.c 2004-11-27 11:48:55 +11:00
+@@ -127,9 +127,7 @@
+ for too short ancillary data object at all! Oops.
+ OK, let's add it...
+ */
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen)
++ if (!CMSG_OK(msg, cmsg))
+ goto error;
+
+ if (cmsg->cmsg_level != SOL_SOCKET)
+===== net/ipv4/ip_sockglue.c 1.26 vs edited =====
+--- 1.26/net/ipv4/ip_sockglue.c 2004-07-01 06:10:53 +10:00
++++ edited/net/ipv4/ip_sockglue.c 2004-11-27 11:49:45 +11:00
+@@ -146,11 +146,8 @@
+ struct cmsghdr *cmsg;
+
+ for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg))
+ return -EINVAL;
+- }
+ if (cmsg->cmsg_level != SOL_IP)
+ continue;
+ switch (cmsg->cmsg_type) {
+===== net/ipv6/datagram.c 1.20 vs edited =====
+--- 1.20/net/ipv6/datagram.c 2004-11-10 17:57:03 +11:00
++++ edited/net/ipv6/datagram.c 2004-11-27 11:51:15 +11:00
+@@ -427,9 +427,7 @@
+ int addr_type;
+ struct net_device *dev = NULL;
+
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg)) {
+ err = -EINVAL;
+ goto exit_f;
+ }
+===== net/sctp/socket.c 1.129 vs edited =====
+--- 1.129/net/sctp/socket.c 2004-11-19 08:43:18 +11:00
++++ edited/net/sctp/socket.c 2004-11-27 11:52:11 +11:00
+@@ -4098,12 +4098,8 @@
+ for (cmsg = CMSG_FIRSTHDR(msg);
+ cmsg != NULL;
+ cmsg = CMSG_NXTHDR((struct msghdr*)msg, cmsg)) {
+- /* Check for minimum length. The SCM code has this check. */
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg))
+ return -EINVAL;
+- }
+
+ /* Should we parse this header or ignore? */
+ if (cmsg->cmsg_level != IPPROTO_SCTP)
diff --git a/sys-kernel/xbox-sources/files/xbox-sources-2.4.28.CAN-2004-1056.patch b/sys-kernel/xbox-sources/files/xbox-sources-2.4.28.CAN-2004-1056.patch
new file mode 100644
index 000000000000..53b777acaac5
--- /dev/null
+++ b/sys-kernel/xbox-sources/files/xbox-sources-2.4.28.CAN-2004-1056.patch
@@ -0,0 +1,321 @@
+diff -ur linux-2.4.28/drivers/char/drm/i810.h linux-2.4.28.plasmaroo/drivers/char/drm/i810.h
+--- linux-2.4.28/drivers/char/drm/i810.h 2003-11-28 18:26:20.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i810.h 2004-12-23 16:26:31.000000000 +0000
+@@ -114,4 +114,14 @@
+ #define DRIVER_AGP_BUFFERS_MAP( dev ) \
+ ((drm_i810_private_t *)((dev)->dev_private))->buffer_map
+
++#define LOCK_TEST_WITH_RETURN( dev ) \
++do { \
++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \
++ dev->lock.pid != current->pid ) { \
++ DRM_ERROR( "%s called without lock held\n", \
++ __FUNCTION__ ); \
++ return -EINVAL; \
++ } \
++} while (0)
++
+ #endif
+diff -ur linux-2.4.28/drivers/char/drm/i810_dma.c linux-2.4.28.plasmaroo/drivers/char/drm/i810_dma.c
+--- linux-2.4.28/drivers/char/drm/i810_dma.c 2004-02-18 13:36:31.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i810_dma.c 2004-12-23 16:27:16.000000000 +0000
+@@ -948,10 +948,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i810_flush_queue(dev);
+ return 0;
+@@ -973,10 +970,7 @@
+ if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
+
+@@ -1004,10 +998,7 @@
+ if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1026,10 +1017,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i810_dma_dispatch_swap( dev );
+ return 0;
+@@ -1064,10 +1052,7 @@
+ if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ d.granted = 0;
+
+@@ -1174,11 +1159,7 @@
+ if (copy_from_user(&mc, (drm_i810_mc_t *)arg, sizeof(mc)))
+ return -EFAULT;
+
+-
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_mc called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i810_dma_dispatch_mc(dev, dma->buflist[mc.idx], mc.used,
+ mc.last_render );
+@@ -1223,10 +1204,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_fstatus called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+ return I810_READ(0x30008);
+ }
+
+@@ -1237,10 +1215,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_ov0_flip called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ //Tell the overlay to update
+ I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
+diff -ur linux-2.4.28/drivers/char/drm/i830.h linux-2.4.28.plasmaroo/drivers/char/drm/i830.h
+--- linux-2.4.28/drivers/char/drm/i830.h 2003-11-28 18:26:20.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830.h 2004-12-23 16:31:33.000000000 +0000
+@@ -154,4 +154,14 @@
+ #define DRIVER_AGP_BUFFERS_MAP( dev ) \
+ ((drm_i830_private_t *)((dev)->dev_private))->buffer_map
+
++#define LOCK_TEST_WITH_RETURN( dev ) \
++do { \
++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \
++ dev->lock.pid != current->pid ) { \
++ DRM_ERROR( "%s called without lock held\n", \
++ __FUNCTION__ ); \
++ return -EINVAL; \
++ } \
++} while (0)
++
+ #endif
+diff -ur linux-2.4.28/drivers/char/drm/i830_dma.c linux-2.4.28.plasmaroo/drivers/char/drm/i830_dma.c
+--- linux-2.4.28/drivers/char/drm/i830_dma.c 2004-02-18 13:36:31.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830_dma.c 2004-12-23 16:32:08.000000000 +0000
+@@ -1330,10 +1330,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i830_flush_queue(dev);
+ return 0;
+@@ -1354,10 +1351,7 @@
+ if (copy_from_user(&vertex, (drm_i830_vertex_t *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1384,10 +1378,7 @@
+ if (copy_from_user(&clear, (drm_i830_clear_t *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1409,10 +1400,7 @@
+
+ DRM_DEBUG("i830_swap_bufs\n");
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i830_dma_dispatch_swap( dev );
+ return 0;
+@@ -1453,10 +1441,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ if (!dev_priv->page_flipping)
+ i830_do_init_pageflip( dev );
+@@ -1495,10 +1480,7 @@
+ if (copy_from_user(&d, (drm_i830_dma_t *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ d.granted = 0;
+
+diff -ur linux-2.4.28/drivers/char/drm/i830_irq.c linux-2.4.28.plasmaroo/drivers/char/drm/i830_irq.c
+--- linux-2.4.28/drivers/char/drm/i830_irq.c 2003-11-28 18:26:20.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830_irq.c 2004-12-23 16:39:47.000000000 +0000
+@@ -130,10 +130,7 @@
+ drm_i830_irq_emit_t emit;
+ int result;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_irq_emit called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ if ( !dev_priv ) {
+ DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ );
+diff -ur linux-2.4.28/drivers/char/drm-4.0/drmP.h linux-2.4.28.plasmaroo/drivers/char/drm-4.0/drmP.h
+--- linux-2.4.28/drivers/char/drm-4.0/drmP.h 2004-02-18 13:36:31.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm-4.0/drmP.h 2004-12-23 16:21:30.000000000 +0000
+@@ -294,6 +294,16 @@
+ #define DRM_BUFCOUNT(x) ((x)->count - DRM_LEFTCOUNT(x))
+ #define DRM_WAITCOUNT(dev,idx) DRM_BUFCOUNT(&dev->queuelist[idx]->waitlist)
+
++#define LOCK_TEST_WITH_RETURN( dev ) \
++do { \
++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \
++ dev->lock.pid != current->pid ) { \
++ DRM_ERROR( "%s called without lock held\n", \
++ __FUNCTION__ ); \
++ return -EINVAL; \
++ } \
++} while (0)
++
+ typedef int drm_ioctl_t(struct inode *inode, struct file *filp,
+ unsigned int cmd, unsigned long arg);
+
+diff -ur linux-2.4.28/drivers/char/drm-4.0/i810_dma.c linux-2.4.28.plasmaroo/drivers/char/drm-4.0/i810_dma.c
+--- linux-2.4.28/drivers/char/drm-4.0/i810_dma.c 2004-02-18 13:36:31.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm-4.0/i810_dma.c 2004-12-23 16:21:30.000000000 +0000
+@@ -1249,10 +1249,7 @@
+ drm_device_t *dev = priv->dev;
+
+ DRM_DEBUG("i810_flush_ioctl\n");
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i810_flush_queue(dev);
+ return 0;
+@@ -1274,10 +1271,7 @@
+ if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1308,10 +1302,7 @@
+ if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i810_dma_dispatch_clear( dev, clear.flags,
+ clear.clear_color,
+@@ -1327,10 +1318,7 @@
+
+ DRM_DEBUG("i810_swap_bufs\n");
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i810_dma_dispatch_swap( dev );
+ return 0;
+@@ -1366,10 +1354,7 @@
+ if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ d.granted = 0;
+
+@@ -1399,10 +1384,7 @@
+ drm_i810_buf_priv_t *buf_priv;
+ drm_device_dma_t *dma = dev->dma;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
+ return -EFAULT;
diff --git a/sys-kernel/xbox-sources/files/xbox-sources-2.4.28.CAN-2004-1137.patch b/sys-kernel/xbox-sources/files/xbox-sources-2.4.28.CAN-2004-1137.patch
new file mode 100644
index 000000000000..161806ce79d7
--- /dev/null
+++ b/sys-kernel/xbox-sources/files/xbox-sources-2.4.28.CAN-2004-1137.patch
@@ -0,0 +1,59 @@
+--- linux-2.4.28-orig/net/ipv4/igmp.c 2004-08-08 01:26:06.000000000 +0200
++++ linux-2.4.28/net/ipv4/igmp.c 2004-12-15 22:12:48.000000000 +0100
+@@ -1757,12 +1757,12 @@
+ goto done;
+ rv = !0;
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ sizeof(__u32));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+- if (!rv) /* source not found */
++ if (rv) /* source not found */
+ goto done;
+
+ /* update the interface filter */
+@@ -1804,9 +1804,9 @@
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ sizeof(__u32));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+ if (rv == 0) /* address already there is an error */
+--- linux-2.4.28-orig/net/ipv6/mcast.c 2004-11-17 12:54:22.000000000 +0100
++++ linux-2.4.28/net/ipv6/mcast.c 2004-12-15 22:14:07.000000000 +0100
+@@ -386,12 +386,12 @@
+ goto done;
+ rv = !0;
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, group,
++ rv = memcmp(&psl->sl_addr[i], source,
+ sizeof(struct in6_addr));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+- if (!rv) /* source not found */
++ if (rv) /* source not found */
+ goto done;
+
+ /* update the interface filter */
+@@ -432,8 +432,8 @@
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, group, sizeof(struct in6_addr));
+- if (rv >= 0)
++ rv = memcmp(&psl->sl_addr[i], source, sizeof(struct in6_addr));
++ if (rv == 0)
+ break;
+ }
+ if (rv == 0) /* address already there is an error */
diff --git a/sys-kernel/xbox-sources/files/xbox-sources-2.4.28.vma.patch b/sys-kernel/xbox-sources/files/xbox-sources-2.4.28.vma.patch
new file mode 100644
index 000000000000..2469dd5ab2c5
--- /dev/null
+++ b/sys-kernel/xbox-sources/files/xbox-sources-2.4.28.vma.patch
@@ -0,0 +1,246 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/17 21:45:58-02:00 chrisw@osdl.org
+# [PATCH] Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().
+#
+# Backport of 2.6 fix to insert_vm_struct to make it return an error
+# rather than BUG(). This eliminates a user triggerable BUG() when user
+# created a large vma that overlapped with arg pages during exec (could be
+# triggered with a.out on i386 and x86_64 and elf on ia64).
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+#
+# ===== arch/ia64/ia32/binfmt_elf32.c 1.13 vs edited =====
+#
+# arch/ia64/ia32/binfmt_elf32.c
+# 2004/12/17 17:22:06-02:00 chrisw@osdl.org +16 -4
+# Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().
+#
+# arch/ia64/mm/init.c
+# 2004/12/17 15:25:47-02:00 chrisw@osdl.org +14 -2
+# Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().
+#
+# arch/s390x/kernel/exec32.c
+# 2004/12/17 15:32:42-02:00 chrisw@osdl.org +6 -2
+# Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG(). This eliminates a user triggerable BUG() when user
+#
+# arch/x86_64/ia32/ia32_binfmt.c
+# 2004/12/17 15:34:21-02:00 chrisw@osdl.org +6 -2
+# Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG(). This eliminates a user triggerable BUG() when user
+#
+# fs/exec.c
+# 2004/12/17 15:54:18-02:00 chrisw@osdl.org +6 -2
+# Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().
+#
+# include/linux/mm.h
+# 2004/12/16 20:38:37-02:00 chrisw@osdl.org +1 -1
+# Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG(). This eliminates a user triggerable BUG() when user
+#
+# mm/mmap.c
+# 2004/12/16 20:43:15-02:00 chrisw@osdl.org +3 -2
+# Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().
+#
+diff -Nru a/arch/ia64/ia32/binfmt_elf32.c b/arch/ia64/ia32/binfmt_elf32.c
+--- a/arch/ia64/ia32/binfmt_elf32.c 2004-12-19 07:39:49 -08:00
++++ b/arch/ia64/ia32/binfmt_elf32.c 2004-12-19 07:39:49 -08:00
+@@ -95,7 +95,11 @@
+ vma->vm_private_data = NULL;
+ down_write(&current->mm->mmap_sem);
+ {
+- insert_vm_struct(current->mm, vma);
++ if (insert_vm_struct(current->mm, vma)) {
++ kmem_cache_free(vm_area_cachep, vma);
++ up_write(&current->mm->mmap_sem);
++ return;
++ }
+ }
+ up_write(&current->mm->mmap_sem);
+ }
+@@ -117,7 +121,11 @@
+ vma->vm_private_data = NULL;
+ down_write(&current->mm->mmap_sem);
+ {
+- insert_vm_struct(current->mm, vma);
++ if (insert_vm_struct(current->mm, vma)) {
++ kmem_cache_free(vm_area_cachep, vma);
++ up_write(&current->mm->mmap_sem);
++ return;
++ }
+ }
+ up_write(&current->mm->mmap_sem);
+ }
+@@ -164,7 +172,7 @@
+ {
+ unsigned long stack_base;
+ struct vm_area_struct *mpnt;
+- int i;
++ int i, ret;
+
+ stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+
+@@ -188,7 +196,11 @@
+ mpnt->vm_pgoff = 0;
+ mpnt->vm_file = NULL;
+ mpnt->vm_private_data = 0;
+- insert_vm_struct(current->mm, mpnt);
++ if ((ret = insert_vm_struct(current->mm, mpnt))) {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, mpnt);
++ return ret;
++ }
+ current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ }
+
+diff -Nru a/arch/ia64/mm/init.c b/arch/ia64/mm/init.c
+--- a/arch/ia64/mm/init.c 2004-12-19 07:39:49 -08:00
++++ b/arch/ia64/mm/init.c 2004-12-19 07:39:49 -08:00
+@@ -105,7 +105,13 @@
+ vma->vm_pgoff = 0;
+ vma->vm_file = NULL;
+ vma->vm_private_data = NULL;
+- insert_vm_struct(current->mm, vma);
++ down_write(&current->mm->mmap_sem);
++ if (insert_vm_struct(current->mm, vma)) {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, vma);
++ return;
++ }
++ up_write(&current->mm->mmap_sem);
+ }
+
+ /* map NaT-page at address zero to speed up speculative dereferencing of NULL: */
+@@ -117,7 +123,13 @@
+ vma->vm_end = PAGE_SIZE;
+ vma->vm_page_prot = __pgprot(pgprot_val(PAGE_READONLY) | _PAGE_MA_NAT);
+ vma->vm_flags = VM_READ | VM_MAYREAD | VM_IO | VM_RESERVED;
+- insert_vm_struct(current->mm, vma);
++ down_write(&current->mm->mmap_sem);
++ if (insert_vm_struct(current->mm, vma)) {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, vma);
++ return;
++ }
++ up_write(&current->mm->mmap_sem);
+ }
+ }
+ }
+diff -Nru a/arch/s390x/kernel/exec32.c b/arch/s390x/kernel/exec32.c
+--- a/arch/s390x/kernel/exec32.c 2004-12-19 07:39:49 -08:00
++++ b/arch/s390x/kernel/exec32.c 2004-12-19 07:39:49 -08:00
+@@ -41,7 +41,7 @@
+ {
+ unsigned long stack_base;
+ struct vm_area_struct *mpnt;
+- int i;
++ int i, ret;
+
+ stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+
+@@ -65,7 +65,11 @@
+ mpnt->vm_pgoff = 0;
+ mpnt->vm_file = NULL;
+ mpnt->vm_private_data = (void *) 0;
+- insert_vm_struct(current->mm, mpnt);
++ if ((ret = insert_vm_struct(current->mm, mpnt))) {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, mpnt);
++ return ret;
++ }
+ current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ }
+
+diff -Nru a/arch/x86_64/ia32/ia32_binfmt.c b/arch/x86_64/ia32/ia32_binfmt.c
+--- a/arch/x86_64/ia32/ia32_binfmt.c 2004-12-19 07:39:49 -08:00
++++ b/arch/x86_64/ia32/ia32_binfmt.c 2004-12-19 07:39:49 -08:00
+@@ -225,7 +225,7 @@
+ {
+ unsigned long stack_base;
+ struct vm_area_struct *mpnt;
+- int i;
++ int i, ret;
+
+ stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+
+@@ -250,7 +250,11 @@
+ mpnt->vm_pgoff = 0;
+ mpnt->vm_file = NULL;
+ mpnt->vm_private_data = (void *) 0;
+- insert_vm_struct(current->mm, mpnt);
++ if ((ret = insert_vm_struct(current->mm, mpnt))) {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, mpnt);
++ return ret;
++ }
+ current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ }
+
+diff -Nru a/fs/exec.c b/fs/exec.c
+--- a/fs/exec.c 2004-12-19 07:39:49 -08:00
++++ b/fs/exec.c 2004-12-19 07:39:49 -08:00
+@@ -327,7 +327,7 @@
+ {
+ unsigned long stack_base;
+ struct vm_area_struct *mpnt;
+- int i;
++ int i, ret;
+
+ stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+
+@@ -387,7 +387,6 @@
+
+ down_write(&current->mm->mmap_sem);
+ {
+- struct vm_area_struct *vma;
+ mpnt->vm_mm = current->mm;
+ mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p;
+ mpnt->vm_end = STACK_TOP;
+@@ -402,13 +401,11 @@
+ mpnt->vm_pgoff = 0;
+ mpnt->vm_file = NULL;
+ mpnt->vm_private_data = (void *) 0;
+- vma = find_vma(current->mm, mpnt->vm_start);
+- if (vma) {
++ if ((ret = insert_vm_struct(current->mm, mpnt))) {
+ up_write(&current->mm->mmap_sem);
+ kmem_cache_free(vm_area_cachep, mpnt);
+- return -ENOMEM;
++ return ret;
+ }
+- insert_vm_struct(current->mm, mpnt);
+ current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ }
+
+diff -Nru a/include/linux/mm.h b/include/linux/mm.h
+--- a/include/linux/mm.h 2004-12-19 07:39:49 -08:00
++++ b/include/linux/mm.h 2004-12-19 07:39:49 -08:00
+@@ -548,7 +548,7 @@
+ /* mmap.c */
+ extern void lock_vma_mappings(struct vm_area_struct *);
+ extern void unlock_vma_mappings(struct vm_area_struct *);
+-extern void insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
++extern int insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
+ extern void __insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
+ extern void build_mmap_rb(struct mm_struct *);
+ extern void exit_mmap(struct mm_struct *);
+diff -Nru a/mm/mmap.c b/mm/mmap.c
+--- a/mm/mmap.c 2004-12-19 07:39:49 -08:00
++++ b/mm/mmap.c 2004-12-19 07:39:49 -08:00
+@@ -1193,14 +1193,15 @@
+ validate_mm(mm);
+ }
+
+-void insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
++int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+ {
+ struct vm_area_struct * __vma, * prev;
+ rb_node_t ** rb_link, * rb_parent;
+
+ __vma = find_vma_prepare(mm, vma->vm_start, &prev, &rb_link, &rb_parent);
+ if (__vma && __vma->vm_start < vma->vm_end)
+- BUG();
++ return -ENOMEM;
+ vma_link(mm, vma, prev, rb_link, rb_parent);
+ validate_mm(mm);
++ return 0;
+ }