Security fixes - bugs #73000, #74384, #74392, #74464, #74465.

author: Tim Yamin <plasmaroo@gentoo.org> 2004-12-20 19:48:48 +0000
committer: Tim Yamin <plasmaroo@gentoo.org> 2004-12-20 19:48:48 +0000
commit: fbc5f6ba094ebd5795edab44f2a06574d494e34f (patch)
tree: a29fc3c5f5effc70bf7744b0cd05bfc184309bdf /sys-kernel
parent: added ~ppc64 to KEYWORDS (diff)
download: historical-fbc5f6ba094ebd5795edab44f2a06574d494e34f.tar.gz
historical-fbc5f6ba094ebd5795edab44f2a06574d494e34f.tar.bz2
historical-fbc5f6ba094ebd5795edab44f2a06574d494e34f.zip
8 files changed, 534 insertions, 5 deletions
diff --git a/sys-kernel/ac-sources/ChangeLog b/sys-kernel/ac-sources/ChangeLog
index e73bcfec95e0..388e342633ad 100644
--- a/sys-kernel/ac-sources/ChangeLog
+++ b/sys-kernel/ac-sources/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for sys-kernel/ac-sources
 # Copyright 1999-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ac-sources/ChangeLog,v 1.45 2004/12/03 20:11:26 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ac-sources/ChangeLog,v 1.46 2004/12/20 19:48:48 plasmaroo Exp $
+
+  20 Dec 2004; <plasmaroo@gentoo.org> ac-sources-2.6.9-r12.ebuild,
+  +files/ac-sources-2.6.9.CAN-2004-1016.patch,
+  +files/ac-sources-2.6.9.CAN-2004-1056.patch,
+  +files/ac-sources-2.6.9.CAN-2004-1137.patch,
+  +files/ac-sources-2.6.9.CAN-2004-1151.patch,
+  +files/ac-sources-2.6.9.shmLocking.patch:
+  Security fixes - bugs #73000, #74384, #74392, #74464, #74465.
 
   03 Dec 2004; <plasmaroo@gentoo.org> ac-sources-2.6.9-r12.ebuild,
   +files/ac-sources-2.6.9.vma.patch:
diff --git a/sys-kernel/ac-sources/Manifest b/sys-kernel/ac-sources/Manifest
index 86ce8f99b2e8..2695b1bab286 100644
--- a/sys-kernel/ac-sources/Manifest
+++ b/sys-kernel/ac-sources/Manifest
@@ -1,22 +1,27 @@
-MD5 1d12419e42afe9f2d5bf44c396df9d87 ChangeLog 1692
+MD5 bebed356d86d44de605b732ee7c90725 ChangeLog 2056
 MD5 bdfad395e5db0239947540c7c97da8c1 ac-sources-2.6.9-r10.ebuild 1047
 MD5 2d0ac3655d40b781c84031301a780024 ac-sources-2.6.9-r1.ebuild 1091
 MD5 7b1073a9db1f527fe9a3395daedbc635 ac-sources-2.6.9-r8.ebuild 1046
 MD5 2ce96c96088db3544980dcad624fa8f1 ac-sources-2.6.9-r2.ebuild 1046
 MD5 e502ce25770e74e2b621c08b6357ddbf ac-sources-2.6.9-r9.ebuild 1046
 MD5 2b0cfdcefc398952a818684668e808f1 metadata.xml 384
-MD5 a371765079c2f571c1c90e1d33871d70 ac-sources-2.6.9-r12.ebuild 1075
+MD5 b88d3d053ae2500f17544f19f8c4bcdc ac-sources-2.6.9-r12.ebuild 1262
 MD5 c0c053ed0824614431987101ab4bf24d ac-sources-2.6.9-r6.ebuild 1046
 MD5 4112cf99cee9056a4e23fe5d5e075f3a ac-sources-2.6.9-r5.ebuild 1046
 MD5 3d01c0d70363ac20f04b6e16b3669550 ac-sources-2.6.9-r7.ebuild 1083
+MD5 26b8e3797f4269779dc15d1a11ccfc65 files/ac-sources-2.6.9.shmLocking.patch 1765
 MD5 2c667e2fa7172f460e6e9c2699acded2 files/2.6.9-ac1-fix-extraversion.patch 1288
+MD5 6aa8f7a7c2d55734389b53d3bcf78570 files/ac-sources-2.6.9.CAN-2004-1016.patch 2835
 MD5 57db481c11c638064759462051c41af6 files/digest-ac-sources-2.6.9-r9 129
 MD5 c615cce31b3bce3e255e497291bcd76f files/digest-ac-sources-2.6.9-r6 129
+MD5 09e9f1cad6f2f28fe81682cbad8e3011 files/ac-sources-2.6.9.CAN-2004-1137.patch 2551
 MD5 0262502f5f3933de605488011f3b8211 files/digest-ac-sources-2.6.9-r12 131
 MD5 42b42f2a4f260fad2fef264b82aff2ae files/ac-sources-2.6.9.vma.patch 8952
 MD5 d9127fc038c80114d40b69d761803ed2 files/ac-sources-2.6.9.binfmt_elf.patch 1929
+MD5 6bcdd0bb63e2db559a5c6465c73a7f89 files/ac-sources-2.6.9.CAN-2004-1151.patch 1143
 MD5 cd09c274efab61c5d471a09ff36ff6af files/digest-ac-sources-2.6.9-r2 129
 MD5 88135e20957a282cf6212fd5b09f0593 files/digest-ac-sources-2.6.9-r10 131
+MD5 001b0a631c9fc28133013a1f8f78f74c files/ac-sources-2.6.9.CAN-2004-1056.patch 8458
 MD5 508c49456dcb30096fe21b4619e9e8aa files/digest-ac-sources-2.6.9-r1 129
 MD5 ab11de7d3a6b41dc2d9889a0094c0012 files/digest-ac-sources-2.6.9-r7 129
 MD5 2d7e3663eacd4f3e8e96b6645e97ed91 files/digest-ac-sources-2.6.9-r8 129
diff --git a/sys-kernel/ac-sources/ac-sources-2.6.9-r12.ebuild b/sys-kernel/ac-sources/ac-sources-2.6.9-r12.ebuild
index bbe09219f96a..f24b1d74ca5b 100644
--- a/sys-kernel/ac-sources/ac-sources-2.6.9-r12.ebuild
+++ b/sys-kernel/ac-sources/ac-sources-2.6.9-r12.ebuild
@@ -1,9 +1,14 @@
 # Copyright 1999-2004 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ac-sources/ac-sources-2.6.9-r12.ebuild,v 1.2 2004/12/03 20:11:26 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ac-sources/ac-sources-2.6.9-r12.ebuild,v 1.3 2004/12/20 19:48:48 plasmaroo Exp $
 
 UNIPATCH_LIST="${DISTDIR}/patch-${KV}.bz2
-	${FILESDIR}/${P}.vma.patch"
+	${FILESDIR}/${P}.vma.patch
+	${FILESDIR}/${P}.CAN-2004-1016.patch
+	${FILESDIR}/${P}.CAN-2004-1056.patch
+	${FILESDIR}/${P}.CAN-2004-1137.patch
+	${FILESDIR}/${P}.CAN-2004-1151.patch
+	${FILESDIR}/${P}.shmLocking.patch"
 K_PREPATCHED="yes"
 UNIPATCH_STRICTORDER="yes"
 
diff --git a/sys-kernel/ac-sources/files/ac-sources-2.6.9.CAN-2004-1016.patch b/sys-kernel/ac-sources/files/ac-sources-2.6.9.CAN-2004-1016.patch
new file mode 100644
index 000000000000..aa25ac95ed61
--- /dev/null
+++ b/sys-kernel/ac-sources/files/ac-sources-2.6.9.CAN-2004-1016.patch
@@ -0,0 +1,75 @@
+===== include/linux/socket.h 1.12 vs edited =====
+--- 1.12/include/linux/socket.h	2004-09-09 06:40:01 +10:00
++++ edited/include/linux/socket.h	2004-11-27 11:53:40 +11:00
+@@ -90,6 +90,10 @@
+ 				  (struct cmsghdr *)(ctl) : \
+ 				  (struct cmsghdr *)NULL)
+ #define CMSG_FIRSTHDR(msg)	__CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \
++			     (cmsg)->cmsg_len <= (unsigned long) \
++			     ((mhdr)->msg_controllen - \
++			      ((char *)(cmsg) - (char *)(mhdr)->msg_control)))
+ 
+ /*
+  *	This mess will go away with glibc
+===== net/core/scm.c 1.10 vs edited =====
+--- 1.10/net/core/scm.c	2004-05-31 05:08:14 +10:00
++++ edited/net/core/scm.c	2004-11-27 11:48:55 +11:00
+@@ -127,9 +127,7 @@
+ 		   for too short ancillary data object at all! Oops.
+ 		   OK, let's add it...
+ 		 */
+-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+-				    + cmsg->cmsg_len) > msg->msg_controllen)
++		if (!CMSG_OK(msg, cmsg))
+ 			goto error;
+ 
+ 		if (cmsg->cmsg_level != SOL_SOCKET)
+===== net/ipv4/ip_sockglue.c 1.26 vs edited =====
+--- 1.26/net/ipv4/ip_sockglue.c	2004-07-01 06:10:53 +10:00
++++ edited/net/ipv4/ip_sockglue.c	2004-11-27 11:49:45 +11:00
+@@ -146,11 +146,8 @@
+ 	struct cmsghdr *cmsg;
+ 
+ 	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
+-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+-				    + cmsg->cmsg_len) > msg->msg_controllen) {
++		if (!CMSG_OK(msg, cmsg))
+ 			return -EINVAL;
+-		}
+ 		if (cmsg->cmsg_level != SOL_IP)
+ 			continue;
+ 		switch (cmsg->cmsg_type) {
+===== net/ipv6/datagram.c 1.20 vs edited =====
+--- 1.20/net/ipv6/datagram.c	2004-11-10 17:57:03 +11:00
++++ edited/net/ipv6/datagram.c	2004-11-27 11:51:15 +11:00
+@@ -427,9 +427,7 @@
+ 		int addr_type;
+ 		struct net_device *dev = NULL;
+ 
+-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+-				    + cmsg->cmsg_len) > msg->msg_controllen) {
++		if (!CMSG_OK(msg, cmsg)) {
+ 			err = -EINVAL;
+ 			goto exit_f;
+ 		}
+===== net/sctp/socket.c 1.129 vs edited =====
+--- 1.129/net/sctp/socket.c	2004-11-19 08:43:18 +11:00
++++ edited/net/sctp/socket.c	2004-11-27 11:52:11 +11:00
+@@ -4098,12 +4098,8 @@
+ 	for (cmsg = CMSG_FIRSTHDR(msg);
+ 	     cmsg != NULL;
+ 	     cmsg = CMSG_NXTHDR((struct msghdr*)msg, cmsg)) {
+-		/* Check for minimum length.  The SCM code has this check.  */
+-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+-				    + cmsg->cmsg_len) > msg->msg_controllen) {
++		if (!CMSG_OK(msg, cmsg))
+ 			return -EINVAL;
+-		}
+ 
+ 		/* Should we parse this header or ignore?  */
+ 		if (cmsg->cmsg_level != IPPROTO_SCTP)
diff --git a/sys-kernel/ac-sources/files/ac-sources-2.6.9.CAN-2004-1056.patch b/sys-kernel/ac-sources/files/ac-sources-2.6.9.CAN-2004-1056.patch
new file mode 100644
index 000000000000..cd8d7af324c2
--- /dev/null
+++ b/sys-kernel/ac-sources/files/ac-sources-2.6.9.CAN-2004-1056.patch
@@ -0,0 +1,268 @@
+diff -ur linux-2.6.9/drivers/char/drm/i810_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i810_dma.c
+--- linux-2.6.9/drivers/char/drm/i810_dma.c	2004-10-18 22:53:46.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i810_dma.c	2004-12-19 22:46:33.317446112 +0000
+@@ -1030,10 +1030,7 @@
+    	drm_file_t	  *priv	  = filp->private_data;
+    	drm_device_t	  *dev	  = priv->dev;
+ 
+-	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_flush_ioctl called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp );
+ 
+    	i810_flush_queue(dev);
+    	return 0;
+@@ -1055,10 +1052,7 @@
+ 	if (copy_from_user(&vertex, (drm_i810_vertex_t __user *)arg, sizeof(vertex)))
+ 		return -EFAULT;
+ 
+-	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma_vertex called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp );
+ 
+ 	DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
+ 		  vertex.idx, vertex.used, vertex.discard);
+@@ -1090,10 +1084,7 @@
+    	if (copy_from_user(&clear, (drm_i810_clear_t __user *)arg, sizeof(clear)))
+ 		return -EFAULT;
+ 
+-	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_clear_bufs called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp );
+ 
+  	/* GH: Someone's doing nasty things... */
+  	if (!dev->dev_private) {
+@@ -1114,10 +1105,8 @@
+ 
+ 	DRM_DEBUG("i810_swap_bufs\n");
+ 
+-	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_swap_buf called without lock held\n");
+-		return -EINVAL;
+-	}
++
++	LOCK_TEST_WITH_RETURN( dev, filp ); 
+ 
+ 	i810_dma_dispatch_swap( dev );
+    	return 0;
+@@ -1152,10 +1141,7 @@
+    	if (copy_from_user(&d, (drm_i810_dma_t __user *)arg, sizeof(d)))
+ 		return -EFAULT;
+ 
+-	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp ); 
+ 
+ 	d.granted = 0;
+ 
+@@ -1266,10 +1252,7 @@
+ 		return -EFAULT;
+ 
+ 
+-	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma_mc called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp ); 
+ 
+ 	if (mc.idx >= dma->buf_count || mc.idx < 0)
+ 		return -EINVAL;
+@@ -1317,10 +1300,7 @@
+ 	drm_device_t *dev = priv->dev;
+ 	drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+ 
+-	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_fstatus called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp ); 
+ 	return I810_READ(0x30008);
+ }
+ 
+@@ -1331,10 +1311,7 @@
+ 	drm_device_t *dev = priv->dev;
+ 	drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+ 
+-	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_ov0_flip called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp ); 
+ 
+ 	//Tell the overlay to update
+ 	I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
+@@ -1376,10 +1353,7 @@
+ 
+ 	DRM_DEBUG("%s\n", __FUNCTION__);
+ 
+-	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_flip_buf called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp );
+ 
+ 	if (!dev_priv->page_flipping) 
+ 		i810_do_init_pageflip( dev );
+diff -ur linux-2.6.9/drivers/char/drm/i830_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_dma.c
+--- linux-2.6.9/drivers/char/drm/i830_dma.c	2004-10-18 22:53:12.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_dma.c	2004-12-19 22:46:33.319445808 +0000
+@@ -1319,10 +1319,7 @@
+    	drm_file_t	  *priv	  = filp->private_data;
+    	drm_device_t	  *dev	  = priv->dev;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_flush_ioctl called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp ); 
+ 
+    	i830_flush_queue(dev);
+    	return 0;
+@@ -1343,10 +1340,7 @@
+ 	if (copy_from_user(&vertex, (drm_i830_vertex_t __user *)arg, sizeof(vertex)))
+ 		return -EFAULT;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_dma_vertex called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp ); 
+ 
+ 	DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
+ 		  vertex.idx, vertex.used, vertex.discard);
+@@ -1373,10 +1367,7 @@
+    	if (copy_from_user(&clear, (drm_i830_clear_t __user *)arg, sizeof(clear)))
+ 		return -EFAULT;
+    
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_clear_bufs called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp ); 
+ 
+ 	/* GH: Someone's doing nasty things... */
+ 	if (!dev->dev_private) {
+@@ -1398,10 +1389,7 @@
+    
+ 	DRM_DEBUG("i830_swap_bufs\n");
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_swap_buf called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp ); 
+ 
+ 	i830_dma_dispatch_swap( dev );
+    	return 0;
+@@ -1442,10 +1430,7 @@
+ 
+ 	DRM_DEBUG("%s\n", __FUNCTION__);
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_flip_buf called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp ); 
+ 
+ 	if (!dev_priv->page_flipping) 
+ 		i830_do_init_pageflip( dev );
+@@ -1484,10 +1469,7 @@
+    	if (copy_from_user(&d, (drm_i830_dma_t __user *)arg, sizeof(d)))
+ 		return -EFAULT;
+    
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp ); 
+ 	
+ 	d.granted = 0;
+ 
+diff -ur linux-2.6.9/drivers/char/drm/i830_irq.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_irq.c
+--- linux-2.6.9/drivers/char/drm/i830_irq.c	2004-10-18 22:54:54.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_irq.c	2004-12-19 22:46:33.320445656 +0000
+@@ -129,10 +129,7 @@
+ 	drm_i830_irq_emit_t emit;
+ 	int result;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_irq_emit called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp ); 
+ 
+ 	if ( !dev_priv ) {
+ 		DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ );
+diff -ur linux-2.6.9/drivers/char/drm/i915_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_dma.c
+--- linux-2.6.9/drivers/char/drm/i915_dma.c	2004-10-18 22:53:51.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_dma.c	2004-12-19 22:46:33.321445504 +0000
+@@ -545,10 +545,7 @@
+ {
+ 	DRM_DEVICE;
+ 
+-	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i915_flush_ioctl called without lock held\n");
+-		return DRM_ERR(EINVAL);
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp );
+ 
+ 	return i915_quiescent(dev);
+ }
+@@ -574,10 +571,7 @@
+ 	DRM_DEBUG("i915 batchbuffer, start %x used %d cliprects %d\n",
+ 		  batch.start, batch.used, batch.num_cliprects);
+ 
+-	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i915_batchbuffer called without lock held\n");
+-		return DRM_ERR(EINVAL);
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp );
+ 
+ 	if (batch.num_cliprects && DRM_VERIFYAREA_READ(batch.cliprects,
+ 						       batch.num_cliprects *
+@@ -606,10 +600,7 @@
+ 	DRM_DEBUG("i915 cmdbuffer, buf %p sz %d cliprects %d\n",
+ 		  cmdbuf.buf, cmdbuf.sz, cmdbuf.num_cliprects);
+ 
+-	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i915_cmdbuffer called without lock held\n");
+-		return DRM_ERR(EINVAL);
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp );
+ 
+ 	if (cmdbuf.num_cliprects &&
+ 	    DRM_VERIFYAREA_READ(cmdbuf.cliprects,
+@@ -645,10 +636,7 @@
+ 	DRM_DEVICE;
+ 
+ 	DRM_DEBUG("%s\n", __FUNCTION__);
+-	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i915_flip_buf called without lock held\n");
+-		return DRM_ERR(EINVAL);
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp );
+ 
+ 	return i915_dispatch_flip(dev);
+ }
+diff -ur linux-2.6.9/drivers/char/drm/i915_irq.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_irq.c
+--- linux-2.6.9/drivers/char/drm/i915_irq.c	2004-10-18 22:53:51.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_irq.c	2004-12-19 22:46:33.321445504 +0000
+@@ -92,10 +92,7 @@
+ 	drm_i915_irq_emit_t emit;
+ 	int result;
+ 
+-	if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i915_irq_emit called without lock held\n");
+-		return DRM_ERR(EINVAL);
+-	}
++	LOCK_TEST_WITH_RETURN( dev, filp );
+ 
+ 	if (!dev_priv) {
+ 		DRM_ERROR("%s called with no initialization\n", __FUNCTION__);
diff --git a/sys-kernel/ac-sources/files/ac-sources-2.6.9.CAN-2004-1137.patch b/sys-kernel/ac-sources/files/ac-sources-2.6.9.CAN-2004-1137.patch
new file mode 100644
index 000000000000..0a54680f6f4b
--- /dev/null
+++ b/sys-kernel/ac-sources/files/ac-sources-2.6.9.CAN-2004-1137.patch
@@ -0,0 +1,77 @@
+# ChangeSet
+#   2004/12/14 11:06:25-08:00 chrisw@osdl.org 
+#   [IPV4/IPV6]: IGMP source filter fixes
+#   
+#   When adding or deleting from the source list make sure to find matches
+#   by comparing against the new source address, not the group address.
+#   Also, check each addr in the list rather than just the first one.
+#   And, finally, only delete from list when there's a match rather than
+#   vice-versa.  Drop the effort to keep list sorted, since it's not done
+#   on full-state api and can create an sl_addr entry that the delta api
+#   won't be able to delete. Without these fixes sl_count can be corrupted
+#   which can allow for kernel memory corruption.
+#   
+#   Signed-off-by: Chris Wright <chrisw@osdl.org>
+#   Signed-off-by: David S. Miller <davem@davemloft.net>
+# 
+diff -Nru a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+--- a/net/ipv4/igmp.c	2004-12-20 11:32:15 -08:00
++++ b/net/ipv4/igmp.c	2004-12-20 11:32:15 -08:00
+@@ -1778,12 +1778,12 @@
+ 			goto done;
+ 		rv = !0;
+ 		for (i=0; i<psl->sl_count; i++) {
+-			rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++			rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ 				sizeof(__u32));
+-			if (rv >= 0)
++			if (rv == 0)
+ 				break;
+ 		}
+-		if (!rv)	/* source not found */
++		if (rv)		/* source not found */
+ 			goto done;
+ 
+ 		/* update the interface filter */
+@@ -1825,9 +1825,9 @@
+ 	}
+ 	rv = 1;	/* > 0 for insert logic below if sl_count is 0 */
+ 	for (i=0; i<psl->sl_count; i++) {
+-		rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++		rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ 			sizeof(__u32));
+-		if (rv >= 0)
++		if (rv == 0)
+ 			break;
+ 	}
+ 	if (rv == 0)		/* address already there is an error */
+diff -Nru a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+--- a/net/ipv6/mcast.c	2004-12-20 11:32:15 -08:00
++++ b/net/ipv6/mcast.c	2004-12-20 11:32:15 -08:00
+@@ -391,12 +391,12 @@
+ 			goto done;
+ 		rv = !0;
+ 		for (i=0; i<psl->sl_count; i++) {
+-			rv = memcmp(&psl->sl_addr, group,
++			rv = memcmp(&psl->sl_addr[i], source,
+ 				sizeof(struct in6_addr));
+-			if (rv >= 0)
++			if (rv == 0)
+ 				break;
+ 		}
+-		if (!rv)	/* source not found */
++		if (rv)		/* source not found */
+ 			goto done;
+ 
+ 		/* update the interface filter */
+@@ -437,8 +437,8 @@
+ 	}
+ 	rv = 1;	/* > 0 for insert logic below if sl_count is 0 */
+ 	for (i=0; i<psl->sl_count; i++) {
+-		rv = memcmp(&psl->sl_addr, group, sizeof(struct in6_addr));
+-		if (rv >= 0)
++		rv = memcmp(&psl->sl_addr[i], source, sizeof(struct in6_addr));
++		if (rv == 0)
+ 			break;
+ 	}
+ 	if (rv == 0)		/* address already there is an error */
diff --git a/sys-kernel/ac-sources/files/ac-sources-2.6.9.CAN-2004-1151.patch b/sys-kernel/ac-sources/files/ac-sources-2.6.9.CAN-2004-1151.patch
new file mode 100644
index 000000000000..fc4289e4f444
--- /dev/null
+++ b/sys-kernel/ac-sources/files/ac-sources-2.6.9.CAN-2004-1151.patch
@@ -0,0 +1,35 @@
+--- 1.74/arch/x86_64/ia32/sys_ia32.c	2004-12-19 10:58:02 -08:00
++++ 1.75/arch/x86_64/ia32/sys_ia32.c	2004-12-19 10:58:02 -08:00
+@@ -525,11 +525,12 @@
+ int sys32_ni_syscall(int call)
+ { 
+ 	struct task_struct *me = current;
+-	static char lastcomm[8];
+-	if (strcmp(lastcomm, me->comm)) {
+-	printk(KERN_INFO "IA32 syscall %d from %s not implemented\n", call,
+-	       current->comm);
+-		strcpy(lastcomm, me->comm); 
++	static char lastcomm[sizeof(me->comm)];
++
++	if (strncmp(lastcomm, me->comm, sizeof(lastcomm))) {
++		printk(KERN_INFO "IA32 syscall %d from %s not implemented\n",
++		       call, me->comm);
++		strncpy(lastcomm, me->comm, sizeof(lastcomm));
+ 	} 
+ 	return -ENOSYS;	       
+ } 
+@@ -1125,11 +1126,11 @@
+ long sys32_vm86_warning(void)
+ { 
+ 	struct task_struct *me = current;
+-	static char lastcomm[8];
+-	if (strcmp(lastcomm, me->comm)) {
++	static char lastcomm[sizeof(me->comm)];
++	if (strncmp(lastcomm, me->comm, sizeof(lastcomm))) {
+ 		printk(KERN_INFO "%s: vm86 mode not supported on 64 bit kernel\n",
+ 		       me->comm);
+-		strcpy(lastcomm, me->comm); 
++		strncpy(lastcomm, me->comm, sizeof(lastcomm));
+ 	} 
+ 	return -ENOSYS;
+ } 
diff --git a/sys-kernel/ac-sources/files/ac-sources-2.6.9.shmLocking.patch b/sys-kernel/ac-sources/files/ac-sources-2.6.9.shmLocking.patch
new file mode 100644
index 000000000000..dba7c9ca796f
--- /dev/null
+++ b/sys-kernel/ac-sources/files/ac-sources-2.6.9.shmLocking.patch
@@ -0,0 +1,56 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2004/12/13 08:30:17-08:00 hugh@veritas.com 
+#   [PATCH] shmctl SHM_LOCK perms
+#   
+#   Michael Kerrisk has observed that at present any process can SHM_LOCK any
+#   shm segment of size within process RLIMIT_MEMLOCK, despite having no
+#   permissions on the segment: surprising, though not obviously evil.  And any
+#   process can SHM_UNLOCK any shm segment, despite no permissions on it: that
+#   is surely wrong.
+#   
+#   Unless CAP_IPC_LOCK, restrict both SHM_LOCK and SHM_UNLOCK to when the
+#   process euid matches the shm owner or creator: that seems the least
+#   surprising behaviour, which could be relaxed if a need appears later.
+#   
+#   Signed-off-by: Hugh Dickins <hugh@veritas.com>
+#   Signed-off-by: Andrew Morton <akpm@osdl.org>
+#   Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+# 
+# ipc/shm.c
+#   2004/12/13 02:47:27-08:00 hugh@veritas.com +10 -5
+#   shmctl SHM_LOCK perms
+# 
+diff -Nru a/ipc/shm.c b/ipc/shm.c
+--- a/ipc/shm.c	2004-12-20 10:32:59 -08:00
++++ b/ipc/shm.c	2004-12-20 10:32:59 -08:00
+@@ -511,11 +511,6 @@
+ 	case SHM_LOCK:
+ 	case SHM_UNLOCK:
+ 	{
+-		/* Allow superuser to lock segment in memory */
+-		if (!can_do_mlock() && cmd == SHM_LOCK) {
+-			err = -EPERM;
+-			goto out;
+-		}
+ 		shp = shm_lock(shmid);
+ 		if(shp==NULL) {
+ 			err = -EINVAL;
+@@ -524,6 +519,16 @@
+ 		err = shm_checkid(shp,shmid);
+ 		if(err)
+ 			goto out_unlock;
++
++		if (!capable(CAP_IPC_LOCK)) {
++			err = -EPERM;
++			if (current->euid != shp->shm_perm.uid &&
++			    current->euid != shp->shm_perm.cuid)
++				goto out_unlock;
++			if (cmd == SHM_LOCK &&
++			    !current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur)
++				goto out_unlock;
++		}
+ 
+ 		err = security_shm_shmctl(shp, cmd);
+ 		if (err)
author	Tim Yamin <plasmaroo@gentoo.org>	2004-12-20 19:48:48 +0000
committer	Tim Yamin <plasmaroo@gentoo.org>	2004-12-20 19:48:48 +0000
commit	fbc5f6ba094ebd5795edab44f2a06574d494e34f (patch)
tree	a29fc3c5f5effc70bf7744b0cd05bfc184309bdf /sys-kernel
parent	added ~ppc64 to KEYWORDS (diff)
download	historical-fbc5f6ba094ebd5795edab44f2a06574d494e34f.tar.gz historical-fbc5f6ba094ebd5795edab44f2a06574d494e34f.tar.bz2 historical-fbc5f6ba094ebd5795edab44f2a06574d494e34f.zip