Diffstat (limited to 'sys-kernel/ck-sources')
-rw-r--r-- | sys-kernel/ck-sources/ChangeLog | 11 | ||||
-rw-r--r-- | sys-kernel/ck-sources/Manifest | 4 | ||||
-rw-r--r-- | sys-kernel/ck-sources/ck-sources-2.6.10-r5.ebuild (renamed from sys-kernel/ck-sources/ck-sources-2.6.10-r4.ebuild) | 5 | ||||
-rw-r--r-- | sys-kernel/ck-sources/files/ck-sources-2.6.10-drm-dos-fix.patch | 268 | ||||
-rw-r--r-- | sys-kernel/ck-sources/files/ck-sources-2.6.10-drm-i915-fix.patch | 66 | ||||
-rw-r--r-- | sys-kernel/ck-sources/files/ck-sources-2.6.10-smbfs-dos-fix.patch | 141 | ||||
-rw-r--r-- | sys-kernel/ck-sources/files/digest-ck-sources-2.6.10-r5 (renamed from sys-kernel/ck-sources/files/digest-ck-sources-2.6.10-r4) | 2 |
7 files changed, 427 insertions, 70 deletions
diff --git a/sys-kernel/ck-sources/ChangeLog b/sys-kernel/ck-sources/ChangeLog index 5318bd756c0d..ceb5f31f2862 100644 --- a/sys-kernel/ck-sources/ChangeLog +++ b/sys-kernel/ck-sources/ChangeLog @@ -1,6 +1,15 @@ # ChangeLog for sys-kernel/ck-sources # Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ChangeLog,v 1.82 2005/01/13 17:24:52 marineam Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ChangeLog,v 1.83 2005/01/20 05:01:44 marineam Exp $ + +*ck-sources-2.6.10-r5 (19 Jan 2005) + + 19 Jan 2005; Micheal Marineau <marineam@gentoo.org> + +files/ck-sources-2.6.10-drm-dos-fix.patch, + -files/ck-sources-2.6.10-drm-i915-fix.patch, + +files/ck-sources-2.6.10-smbfs-dos-fix.patch, -ck-sources-2.6.10-r4.ebuild, + +ck-sources-2.6.10-r5.ebuild: + Bump to ck5 and add fixes that were dropped in this release. *ck-sources-2.6.10-r4 (13 Jan 2005) diff --git a/sys-kernel/ck-sources/Manifest b/sys-kernel/ck-sources/Manifest index c3213c5c9ed6..7a1c395f29e3 100644 --- a/sys-kernel/ck-sources/Manifest +++ b/sys-kernel/ck-sources/Manifest @@ -1,3 +1,4 @@ +MD5 6dfac6d1b57a97007be732cf61cb3338 ck-sources-2.6.10-r5.ebuild 809 MD5 745d41af4314f13105c6ad5248535dd9 ck-sources-2.6.10-r4.ebuild 772 MD5 3c99b06b9782c24519b9da98b9795ce2 ck-sources-2.4.28-r2.ebuild 1152 MD5 37bba268d210811aa6367fd5857943a7 ChangeLog 17964 
@@ -5,6 +6,8 @@ MD5 7187b8c28501f454a2412c9e4a7fcf53 metadata.xml 421 MD5 1d78b90e495e432432e095ee47bbc2fc files/ck-sources-2.4.28.77094.patch 452 MD5 5e564e4a8472baa4902fbeafab32d7c8 files/ck-sources-2.6.10-drm-i915-fix.patch 2254 MD5 8c35751caf824a9dacb02e80d6189b2e files/ck-sources-2.4.28.CAN-2004-1137.patch 1764 +MD5 0286d7c662e35f00f8d5b8e25b58f23a files/ck-sources-2.6.10-smbfs-dos-fix.patch 5325 +MD5 001b0a631c9fc28133013a1f8f78f74c files/ck-sources-2.6.10-drm-dos-fix.patch 8458 MD5 6aa8f7a7c2d55734389b53d3bcf78570 files/ck-sources-2.4.28.CAN-2004-1016.patch 2835 MD5 6cf860a301930c8cac126ab0c4d859d4 files/ck-sources-2.4.28.brk-locked.patch 8202 MD5 d1ccc2047be533c992f67270a150a210 files/ck-sources-2.4.28.cmdlineLeak.patch 388 @@ -14,3 +17,4 @@ MD5 79a76d3cb0029b85d4303b0019e788a8 files/ck-sources-2.4.28.compileFix.patch 20 MD5 b9a94233e1457787352e5f85e3e3582d files/ck-sources-2.4.28.binfmt_a.out.patch 2009 MD5 757ee1239c3f14645ccea3640d551e11 files/ck-sources-2.4.28.CAN-2004-1056.patch 11249 MD5 a65e4754ab687ce73dfdd9e3989a2e65 files/digest-ck-sources-2.6.10-r4 131 +MD5 039b47422c7f0f36c1012ba93ebed0ec files/digest-ck-sources-2.6.10-r5 131 diff --git a/sys-kernel/ck-sources/ck-sources-2.6.10-r4.ebuild b/sys-kernel/ck-sources/ck-sources-2.6.10-r5.ebuild index 5de59eb6f546..b53d0cabeafe 100644 --- a/sys-kernel/ck-sources/ck-sources-2.6.10-r4.ebuild +++ b/sys-kernel/ck-sources/ck-sources-2.6.10-r5.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2005 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.6.10-r4.ebuild,v 1.1 2005/01/13 17:24:52 marineam Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.6.10-r5.ebuild,v 1.1 2005/01/20 05:01:44 marineam Exp $ K_PREPATCHED="yes" UNIPATCH_STRICTORDER="yes" 
@@ -14,7 +14,8 @@ detect_version CK_PATCH="patch-${KV_FULL}.bz2" UNIPATCH_LIST=" ${DISTDIR}/${CK_PATCH} - ${FILESDIR}/${P}-drm-i915-fix.patch" + ${FILESDIR}/${P}-drm-dos-fix.patch + ${FILESDIR}/${P}-smbfs-dos-fix.patch" IUSE="" DESCRIPTION="Full sources for the Stock Linux kernel and Con Kolivas's high performance patchset" diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.10-drm-dos-fix.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.10-drm-dos-fix.patch new file mode 100644 index 000000000000..cd8d7af324c2 --- /dev/null +++ b/sys-kernel/ck-sources/files/ck-sources-2.6.10-drm-dos-fix.patch 
@@ -0,0 +1,268 @@ +diff -ur linux-2.6.9/drivers/char/drm/i810_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i810_dma.c +--- linux-2.6.9/drivers/char/drm/i810_dma.c 2004-10-18 22:53:46.000000000 +0100 ++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i810_dma.c 2004-12-19 22:46:33.317446112 +0000 +@@ -1030,10 +1030,7 @@ + drm_file_t *priv = filp->private_data; + drm_device_t *dev = priv->dev; + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_flush_ioctl called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + i810_flush_queue(dev); + return 0; +@@ -1055,10 +1052,7 @@ + if (copy_from_user(&vertex, (drm_i810_vertex_t __user *)arg, sizeof(vertex))) + return -EFAULT; + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma_vertex called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n", + vertex.idx, vertex.used, vertex.discard); +@@ -1090,10 +1084,7 @@ + if (copy_from_user(&clear, (drm_i810_clear_t __user *)arg, sizeof(clear))) + return -EFAULT; + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_clear_bufs called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + /* GH: Someone's doing nasty things... 
*/ + if (!dev->dev_private) { +@@ -1114,10 +1105,8 @@ + + DRM_DEBUG("i810_swap_bufs\n"); + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_swap_buf called without lock held\n"); +- return -EINVAL; +- } ++ ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + i810_dma_dispatch_swap( dev ); + return 0; +@@ -1152,10 +1141,7 @@ + if (copy_from_user(&d, (drm_i810_dma_t __user *)arg, sizeof(d))) + return -EFAULT; + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + d.granted = 0; + +@@ -1266,10 +1252,7 @@ + return -EFAULT; + + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma_mc called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + if (mc.idx >= dma->buf_count || mc.idx < 0) + return -EINVAL; +@@ -1317,10 +1300,7 @@ + drm_device_t *dev = priv->dev; + drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private; + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_fstatus called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + return I810_READ(0x30008); + } + +@@ -1331,10 +1311,7 @@ + drm_device_t *dev = priv->dev; + drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private; + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_ov0_flip called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + //Tell the overlay to update + I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000); +@@ -1376,10 +1353,7 @@ + + DRM_DEBUG("%s\n", __FUNCTION__); + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_flip_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + if (!dev_priv->page_flipping) + i810_do_init_pageflip( dev ); +diff -ur 
linux-2.6.9/drivers/char/drm/i830_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_dma.c +--- linux-2.6.9/drivers/char/drm/i830_dma.c 2004-10-18 22:53:12.000000000 +0100 ++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_dma.c 2004-12-19 22:46:33.319445808 +0000 +@@ -1319,10 +1319,7 @@ + drm_file_t *priv = filp->private_data; + drm_device_t *dev = priv->dev; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_flush_ioctl called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + i830_flush_queue(dev); + return 0; +@@ -1343,10 +1340,7 @@ + if (copy_from_user(&vertex, (drm_i830_vertex_t __user *)arg, sizeof(vertex))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_dma_vertex called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n", + vertex.idx, vertex.used, vertex.discard); +@@ -1373,10 +1367,7 @@ + if (copy_from_user(&clear, (drm_i830_clear_t __user *)arg, sizeof(clear))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_clear_bufs called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + /* GH: Someone's doing nasty things... 
*/ + if (!dev->dev_private) { +@@ -1398,10 +1389,7 @@ + + DRM_DEBUG("i830_swap_bufs\n"); + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_swap_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + i830_dma_dispatch_swap( dev ); + return 0; +@@ -1442,10 +1430,7 @@ + + DRM_DEBUG("%s\n", __FUNCTION__); + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_flip_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + if (!dev_priv->page_flipping) + i830_do_init_pageflip( dev ); +@@ -1484,10 +1469,7 @@ + if (copy_from_user(&d, (drm_i830_dma_t __user *)arg, sizeof(d))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + d.granted = 0; + +diff -ur linux-2.6.9/drivers/char/drm/i830_irq.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_irq.c +--- linux-2.6.9/drivers/char/drm/i830_irq.c 2004-10-18 22:54:54.000000000 +0100 ++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_irq.c 2004-12-19 22:46:33.320445656 +0000 +@@ -129,10 +129,7 @@ + drm_i830_irq_emit_t emit; + int result; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_irq_emit called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + if ( !dev_priv ) { + DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ ); +diff -ur linux-2.6.9/drivers/char/drm/i915_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_dma.c +--- linux-2.6.9/drivers/char/drm/i915_dma.c 2004-10-18 22:53:51.000000000 +0100 ++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_dma.c 2004-12-19 22:46:33.321445504 +0000 +@@ -545,10 +545,7 @@ + { + DRM_DEVICE; + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i915_flush_ioctl called without lock held\n"); +- return DRM_ERR(EINVAL); +- } ++ 
LOCK_TEST_WITH_RETURN( dev, filp ); + + return i915_quiescent(dev); + } +@@ -574,10 +571,7 @@ + DRM_DEBUG("i915 batchbuffer, start %x used %d cliprects %d\n", + batch.start, batch.used, batch.num_cliprects); + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i915_batchbuffer called without lock held\n"); +- return DRM_ERR(EINVAL); +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + if (batch.num_cliprects && DRM_VERIFYAREA_READ(batch.cliprects, + batch.num_cliprects * +@@ -606,10 +600,7 @@ + DRM_DEBUG("i915 cmdbuffer, buf %p sz %d cliprects %d\n", + cmdbuf.buf, cmdbuf.sz, cmdbuf.num_cliprects); + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i915_cmdbuffer called without lock held\n"); +- return DRM_ERR(EINVAL); +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + if (cmdbuf.num_cliprects && + DRM_VERIFYAREA_READ(cmdbuf.cliprects, +@@ -645,10 +636,7 @@ + DRM_DEVICE; + + DRM_DEBUG("%s\n", __FUNCTION__); +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i915_flip_buf called without lock held\n"); +- return DRM_ERR(EINVAL); +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + return i915_dispatch_flip(dev); + } +diff -ur linux-2.6.9/drivers/char/drm/i915_irq.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_irq.c +--- linux-2.6.9/drivers/char/drm/i915_irq.c 2004-10-18 22:53:51.000000000 +0100 ++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_irq.c 2004-12-19 22:46:33.321445504 +0000 +@@ -92,10 +92,7 @@ + drm_i915_irq_emit_t emit; + int result; + +- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i915_irq_emit called without lock held\n"); +- return DRM_ERR(EINVAL); +- } ++ LOCK_TEST_WITH_RETURN( dev, filp ); + + if (!dev_priv) { + DRM_ERROR("%s called with no initialization\n", __FUNCTION__); diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.10-drm-i915-fix.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.10-drm-i915-fix.patch deleted file mode 100644 index da46077e909c..000000000000 
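Review bot: In the i810_dma.c part of this patch, the i810_ov0_flip section (`@@ -1331,10 +1311,7 @@`) goes from `LOCK_TEST_WITH_RETURN( dev, filp );` straight to `I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);` with no check that `dev_priv` is non-NULL, and the i810_fstatus section just above has the same shape with `return I810_READ(0x30008);`. Other handlers in the same patch do guard this (`if (!dev->dev_private)` after the clear_bufs lock test, `if ( !dev_priv )` in i830_irq_emit), so owning the lock is apparently not treated as proof that the driver state was initialised. I would add `if (!dev_priv) return -EINVAL;` after the lock test in both functions; whether I810_READ itself dereferences `dev_priv` is not visible here, so confirm against the macro definition. Both function bodies start outside the quoted context.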
--- a/sys-kernel/ck-sources/files/ck-sources-2.6.10-drm-i915-fix.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -diff -ru linux-2.6.10-ck3.orig/drivers/char/drm/i915_dma.c linux-2.6.10-ck3/drivers/char/drm/i915_dma.c ---- linux-2.6.10-ck3.orig/drivers/char/drm/i915_dma.c 2004-12-24 13:34:31.000000000 -0800 -+++ linux-2.6.10-ck3/drivers/char/drm/i915_dma.c 2005-01-11 20:16:49.245435707 -0800 -@@ -545,10 +545,7 @@ - { - DRM_DEVICE; - -- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { -- DRM_ERROR("i915_flush_ioctl called without lock held\n"); -- return DRM_ERR(EINVAL); -- } -+ LOCK_TEST_WITH_RETURN( dev, filp ); - - return i915_quiescent(dev); - } -@@ -574,10 +571,7 @@ - DRM_DEBUG("i915 batchbuffer, start %x used %d cliprects %d\n", - batch.start, batch.used, batch.num_cliprects); - -- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { -- DRM_ERROR("i915_batchbuffer called without lock held\n"); -- return DRM_ERR(EINVAL); -- } -+ LOCK_TEST_WITH_RETURN( dev, filp ); - - if (batch.num_cliprects && DRM_VERIFYAREA_READ(batch.cliprects, - batch.num_cliprects * -@@ -606,10 +600,7 @@ - DRM_DEBUG("i915 cmdbuffer, buf %p sz %d cliprects %d\n", - cmdbuf.buf, cmdbuf.sz, cmdbuf.num_cliprects); - -- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { -- DRM_ERROR("i915_cmdbuffer called without lock held\n"); -- return DRM_ERR(EINVAL); -- } -+ LOCK_TEST_WITH_RETURN( dev, filp ); - - if (cmdbuf.num_cliprects && - DRM_VERIFYAREA_READ(cmdbuf.cliprects, -@@ -645,10 +636,7 @@ - DRM_DEVICE; - - DRM_DEBUG("%s\n", __FUNCTION__); -- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { -- DRM_ERROR("i915_flip_buf called without lock held\n"); -- return DRM_ERR(EINVAL); -- } -+ LOCK_TEST_WITH_RETURN( dev, filp ); - - return i915_dispatch_flip(dev); - } -diff -ru linux-2.6.10-ck3.orig/drivers/char/drm/i915_irq.c linux-2.6.10-ck3/drivers/char/drm/i915_irq.c ---- linux-2.6.10-ck3.orig/drivers/char/drm/i915_irq.c 2004-12-24 13:34:31.000000000 -0800 -+++ linux-2.6.10-ck3/drivers/char/drm/i915_irq.c 2005-01-11 20:16:49.246435564 -0800 -@@ -92,10 +92,7 @@ - drm_i915_irq_emit_t emit; - int 
result; - -- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { -- DRM_ERROR("i915_irq_emit called without lock held\n"); -- return DRM_ERR(EINVAL); -- } -+ LOCK_TEST_WITH_RETURN( dev, filp ); - - if (!dev_priv) { - DRM_ERROR("%s called with no initialization\n", __FUNCTION__); diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.10-smbfs-dos-fix.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.10-smbfs-dos-fix.patch new file mode 100644 index 000000000000..0a4d0539f2d8 --- /dev/null +++ b/sys-kernel/ck-sources/files/ck-sources-2.6.10-smbfs-dos-fix.patch 
@@ -0,0 +1,141 @@ +From: Chuck Ebbert <76306.1226@compuserve.com> +Subject: [PATCH] SMB security fixes for 2.6.9 +To: Alan Cox <alan@lxorguk.ukuu.org.uk> +Cc: linux-kernel <linux-kernel@vger.kernel.org> +Message-ID: <200411222138_MC3-1-8F38-414@compuserve.com> + + The SMB patch in 2.6.9-ac10 is broken. When a reply is received and it +contains no data (only parms), the data_offset is zero. Since no data will +be copied, zero offset is perfectly valid. This patch, based on the one in +-ac, works for me. I also cleaned up the message printing (%u vs. %d for +unsigned), added unlikely() where appropriate, and removed some extra code. + +Comments welcome. Like I said, at least I can use SMB servers now. +With the original patch very bad things happened, like trying to save +files from a text editor truncated them to 0 bytes, followed by editor +freezing for many seconds then asking for a new name to save the file as. + +Rediff. + +diff -X dontdiff -urNp linux-2.6.10/fs/smbfs/proc.c linux-dsd/fs/smbfs/proc.c +--- linux-2.6.10/fs/smbfs/proc.c 2004-12-24 21:34:00.000000000 +0000 ++++ linux-dsd/fs/smbfs/proc.c 2005-01-13 22:58:21.681636192 +0000 +@@ -1427,9 +1427,9 @@ smb_proc_readX_data(struct smb_request * + * So we must first calculate the amount of padding used by the server. 
+ */ + data_off -= hdrlen; +- if (data_off > SMB_READX_MAX_PAD) { +- PARANOIA("offset is larger than max pad!\n"); +- PARANOIA("%d > %d\n", data_off, SMB_READX_MAX_PAD); ++ if (data_off > SMB_READX_MAX_PAD || data_off < 0) { ++ PARANOIA("offset is larger than SMB_READX_MAX_PAD or negative!\n"); ++ PARANOIA("%d > %d || %d < 0\n", data_off, SMB_READX_MAX_PAD, data_off); + req->rq_rlen = req->rq_bufsize + 1; + return; + } +diff -X dontdiff -urNp linux-2.6.10/fs/smbfs/request.c linux-dsd/fs/smbfs/request.c +--- linux-2.6.10/fs/smbfs/request.c 2004-12-24 21:35:40.000000000 +0000 ++++ linux-dsd/fs/smbfs/request.c 2005-01-13 23:03:51.295527264 +0000 +@@ -588,8 +588,18 @@ static int smb_recv_trans2(struct smb_sb + data_count = WVAL(inbuf, smb_drcnt); + + /* Modify offset for the split header/buffer we use */ +- data_offset -= hdrlen; +- parm_offset -= hdrlen; ++ if (data_count || data_offset) { ++ if (unlikely(data_offset < hdrlen)) ++ goto out_bad_data; ++ else ++ data_offset -= hdrlen; ++ } ++ if (parm_count || parm_offset) { ++ if (unlikely(parm_offset < hdrlen)) ++ goto out_bad_parm; ++ else ++ parm_offset -= hdrlen; ++ } + + if (parm_count == parm_tot && data_count == data_tot) { + /* +@@ -600,18 +610,22 @@ static int smb_recv_trans2(struct smb_sb + * response that fits. 
+ */ + VERBOSE("single trans2 response " +- "dcnt=%d, pcnt=%d, doff=%d, poff=%d\n", ++ "dcnt=%u, pcnt=%u, doff=%u, poff=%u\n", + data_count, parm_count, + data_offset, parm_offset); + req->rq_ldata = data_count; + req->rq_lparm = parm_count; + req->rq_data = req->rq_buffer + data_offset; + req->rq_parm = req->rq_buffer + parm_offset; ++ if (unlikely(parm_offset + parm_count > req->rq_rlen)) ++ goto out_bad_parm; ++ if (unlikely(data_offset + data_count > req->rq_rlen)) ++ goto out_bad_data; + return 0; + } + + VERBOSE("multi trans2 response " +- "frag=%d, dcnt=%d, pcnt=%d, doff=%d, poff=%d\n", ++ "frag=%d, dcnt=%u, pcnt=%u, doff=%u, poff=%u\n", + req->rq_fragment, + data_count, parm_count, + data_offset, parm_offset); +@@ -638,13 +652,15 @@ static int smb_recv_trans2(struct smb_sb + + req->rq_parm = req->rq_trans2buffer; + req->rq_data = req->rq_trans2buffer + parm_tot; +- } else if (req->rq_total_data < data_tot || +- req->rq_total_parm < parm_tot) ++ } else if (unlikely(req->rq_total_data < data_tot || ++ req->rq_total_parm < parm_tot)) + goto out_data_grew; + +- if (parm_disp + parm_count > req->rq_total_parm) ++ if (unlikely(parm_disp + parm_count > req->rq_total_parm || ++ parm_offset + parm_count > req->rq_rlen)) + goto out_bad_parm; +- if (data_disp + data_count > req->rq_total_data) ++ if (unlikely(data_disp + data_count > req->rq_total_data || ++ data_offset + data_count > req->rq_rlen)) + goto out_bad_data; + + inbuf = req->rq_buffer; +@@ -666,10 +682,9 @@ static int smb_recv_trans2(struct smb_sb + return 1; + + out_too_long: +- printk(KERN_ERR "smb_trans2: data/param too long, data=%d, parm=%d\n", ++ printk(KERN_ERR "smb_trans2: data/param too long, data=%u, parm=%u\n", + data_tot, parm_tot); +- req->rq_errno = -EIO; +- goto out; ++ goto out_EIO; + out_no_mem: + printk(KERN_ERR "smb_trans2: couldn't allocate data area of %d bytes\n", + req->rq_trans2bufsize); +@@ -677,16 +692,15 @@ out_no_mem: + goto out; + out_data_grew: + printk(KERN_ERR "smb_trans2: 
data/params grew!\n"); +- req->rq_errno = -EIO; +- goto out; ++ goto out_EIO; + out_bad_parm: +- printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n", +- parm_disp, parm_count, parm_tot); +- req->rq_errno = -EIO; +- goto out; ++ printk(KERN_ERR "smb_trans2: invalid parms, disp=%u, cnt=%u, tot=%u, ofs=%u\n", ++ parm_disp, parm_count, parm_tot, parm_offset); ++ goto out_EIO; + out_bad_data: +- printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n", +- data_disp, data_count, data_tot); ++ printk(KERN_ERR "smb_trans2: invalid data, disp=%u, cnt=%u, tot=%u, ofs=%u\n", ++ data_disp, data_count, data_tot, data_offset); ++out_EIO: + req->rq_errno = -EIO; + out: + return req->rq_errno; diff --git a/sys-kernel/ck-sources/files/digest-ck-sources-2.6.10-r4 b/sys-kernel/ck-sources/files/digest-ck-sources-2.6.10-r5 index 9e5b35341074..85ee2ecc99c0 100644 --- a/sys-kernel/ck-sources/files/digest-ck-sources-2.6.10-r4 +++ b/sys-kernel/ck-sources/files/digest-ck-sources-2.6.10-r5 @@ -1,2 +1,2 @@ MD5 cffcd2919d9c8ef793ce1ac07a440eda linux-2.6.10.tar.bz2 36533484 -MD5 d2640f4147a966d20a785e3c5bdce034 patch-2.6.10-ck4.bz2 56535 +MD5 78e47c160382350a881735883964bd31 patch-2.6.10-ck5.bz2 41801 |
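Review bot: In the single-response branch of smb_recv_trans2 (`@@ -600,18 +610,22 @@`), the new `rq_rlen` bounds checks run only after `req->rq_data = req->rq_buffer + data_offset;` and `req->rq_parm = req->rq_buffer + parm_offset;` have been stored, so the error path returns -EIO with the request still holding pointers and lengths built from the rejected, server-supplied offsets. Moving the two `if (unlikely(... > req->rq_rlen))` checks above `req->rq_ldata = data_count;` keeps unvalidated values out of `req` entirely, which matters if any caller reads rq_data or rq_parm after a failed receive (not visible in this hunk). The function starts before and continues after the quoted context.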