# ChangeLog for sys-kernel/ck-sources
# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ChangeLog,v 1.82 2005/01/13 17:24:52 marineam Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ChangeLog,v 1.83 2005/01/20 05:01:44 marineam Exp $
+
+*ck-sources-2.6.10-r5 (19 Jan 2005)
+
+ 19 Jan 2005; Micheal Marineau <marineam@gentoo.org>
+ +files/ck-sources-2.6.10-drm-dos-fix.patch,
+ -files/ck-sources-2.6.10-drm-i915-fix.patch,
+ +files/ck-sources-2.6.10-smbfs-dos-fix.patch, -ck-sources-2.6.10-r4.ebuild,
+ +ck-sources-2.6.10-r5.ebuild:
+ Bump to ck5 and add fixes that were dropped in this release.
*ck-sources-2.6.10-r4 (13 Jan 2005)
-MD5 745d41af4314f13105c6ad5248535dd9 ck-sources-2.6.10-r4.ebuild 772
+MD5 93f97f04f53037d10d22a30307289be3 ck-sources-2.6.10-r5.ebuild 809
MD5 3c99b06b9782c24519b9da98b9795ce2 ck-sources-2.4.28-r2.ebuild 1152
-MD5 37bba268d210811aa6367fd5857943a7 ChangeLog 17964
+MD5 00fda376478f1637298c376bdd3f29f2 ChangeLog 18322
MD5 7187b8c28501f454a2412c9e4a7fcf53 metadata.xml 421
MD5 1d78b90e495e432432e095ee47bbc2fc files/ck-sources-2.4.28.77094.patch 452
-MD5 5e564e4a8472baa4902fbeafab32d7c8 files/ck-sources-2.6.10-drm-i915-fix.patch 2254
MD5 8c35751caf824a9dacb02e80d6189b2e files/ck-sources-2.4.28.CAN-2004-1137.patch 1764
+MD5 0286d7c662e35f00f8d5b8e25b58f23a files/ck-sources-2.6.10-smbfs-dos-fix.patch 5325
+MD5 001b0a631c9fc28133013a1f8f78f74c files/ck-sources-2.6.10-drm-dos-fix.patch 8458
MD5 6aa8f7a7c2d55734389b53d3bcf78570 files/ck-sources-2.4.28.CAN-2004-1016.patch 2835
MD5 6cf860a301930c8cac126ab0c4d859d4 files/ck-sources-2.4.28.brk-locked.patch 8202
MD5 d1ccc2047be533c992f67270a150a210 files/ck-sources-2.4.28.cmdlineLeak.patch 388
MD5 79a76d3cb0029b85d4303b0019e788a8 files/ck-sources-2.4.28.compileFix.patch 2070
MD5 b9a94233e1457787352e5f85e3e3582d files/ck-sources-2.4.28.binfmt_a.out.patch 2009
MD5 757ee1239c3f14645ccea3640d551e11 files/ck-sources-2.4.28.CAN-2004-1056.patch 11249
-MD5 a65e4754ab687ce73dfdd9e3989a2e65 files/digest-ck-sources-2.6.10-r4 131
+MD5 039b47422c7f0f36c1012ba93ebed0ec files/digest-ck-sources-2.6.10-r5 131
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.6.10-r4.ebuild,v 1.1 2005/01/13 17:24:52 marineam Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.6.10-r5.ebuild,v 1.1 2005/01/20 05:01:44 marineam Exp $
K_PREPATCHED="yes"
UNIPATCH_STRICTORDER="yes"
CK_PATCH="patch-${KV_FULL}.bz2"
UNIPATCH_LIST="
${DISTDIR}/${CK_PATCH}
- ${FILESDIR}/${P}-drm-i915-fix.patch"
+ ${FILESDIR}/${P}-drm-dos-fix.patch
+ ${FILESDIR}/${P}-smbfs-dos-fix.patch"
IUSE=""
DESCRIPTION="Full sources for the Stock Linux kernel and Con Kolivas's high performance patchset"
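Review bot: Nothing in the ebuild says why `${P}-drm-dos-fix.patch` and `${P}-smbfs-dos-fix.patch` are carried on top of the ck patch, so a later bump has no cue for when to drop or re-check them. A comment above `UNIPATCH_LIST`, for example `# DoS fixes not included in ck5 (DRM lock test, smbfs reply offset checks); re-check on every ck bump`, would record that. The DRM patch's own headers name a linux-2.6.9 tree while this ebuild applies it to 2.6.10, so it is worth confirming that each hunk applies cleanly and lands in the intended ioctl handler.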
--- /dev/null
+diff -ur linux-2.6.9/drivers/char/drm/i810_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i810_dma.c
+--- linux-2.6.9/drivers/char/drm/i810_dma.c 2004-10-18 22:53:46.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i810_dma.c 2004-12-19 22:46:33.317446112 +0000
+@@ -1030,10 +1030,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_flush_queue(dev);
+ return 0;
+@@ -1055,10 +1052,7 @@
+ if (copy_from_user(&vertex, (drm_i810_vertex_t __user *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1090,10 +1084,7 @@
+ if (copy_from_user(&clear, (drm_i810_clear_t __user *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1114,10 +1105,8 @@
+
+ DRM_DEBUG("i810_swap_bufs\n");
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_dma_dispatch_swap( dev );
+ return 0;
+@@ -1152,10 +1141,7 @@
+ if (copy_from_user(&d, (drm_i810_dma_t __user *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ d.granted = 0;
+
+@@ -1266,10 +1252,7 @@
+ return -EFAULT;
+
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_mc called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (mc.idx >= dma->buf_count || mc.idx < 0)
+ return -EINVAL;
+@@ -1317,10 +1300,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_fstatus called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+ return I810_READ(0x30008);
+ }
+
+@@ -1331,10 +1311,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_ov0_flip called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ //Tell the overlay to update
+ I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
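Review bot: `dev_priv->overlay_physical` is dereferenced on the line right after the new lock test, and nothing between the `dev_priv` declaration and that write checks that `dev->dev_private` is set. The clear-buffers hunk earlier in this file guards the same condition with `if (!dev->dev_private)`, so a call that arrives before the driver has been initialised would presumably reach a NULL dereference here. Adding `if (!dev_priv) return -EINVAL;` after `LOCK_TEST_WITH_RETURN( dev, filp );` would close that. The preceding hunk, which ends in `return I810_READ(0x30008);`, has the same shape if that macro reads through `dev_priv`. The function header is outside the hunk, so the return type should be confirmed before adding the guard.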
+@@ -1376,10 +1353,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv->page_flipping)
+ i810_do_init_pageflip( dev );
+diff -ur linux-2.6.9/drivers/char/drm/i830_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_dma.c
+--- linux-2.6.9/drivers/char/drm/i830_dma.c 2004-10-18 22:53:12.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_dma.c 2004-12-19 22:46:33.319445808 +0000
+@@ -1319,10 +1319,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i830_flush_queue(dev);
+ return 0;
+@@ -1343,10 +1340,7 @@
+ if (copy_from_user(&vertex, (drm_i830_vertex_t __user *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1373,10 +1367,7 @@
+ if (copy_from_user(&clear, (drm_i830_clear_t __user *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1398,10 +1389,7 @@
+
+ DRM_DEBUG("i830_swap_bufs\n");
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i830_dma_dispatch_swap( dev );
+ return 0;
+@@ -1442,10 +1430,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv->page_flipping)
+ i830_do_init_pageflip( dev );
+@@ -1484,10 +1469,7 @@
+ if (copy_from_user(&d, (drm_i830_dma_t __user *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ d.granted = 0;
+
+diff -ur linux-2.6.9/drivers/char/drm/i830_irq.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_irq.c
+--- linux-2.6.9/drivers/char/drm/i830_irq.c 2004-10-18 22:54:54.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_irq.c 2004-12-19 22:46:33.320445656 +0000
+@@ -129,10 +129,7 @@
+ drm_i830_irq_emit_t emit;
+ int result;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_irq_emit called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if ( !dev_priv ) {
+ DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ );
+diff -ur linux-2.6.9/drivers/char/drm/i915_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_dma.c
+--- linux-2.6.9/drivers/char/drm/i915_dma.c 2004-10-18 22:53:51.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_dma.c 2004-12-19 22:46:33.321445504 +0000
+@@ -545,10 +545,7 @@
+ {
+ DRM_DEVICE;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_flush_ioctl called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ return i915_quiescent(dev);
+ }
+@@ -574,10 +571,7 @@
+ DRM_DEBUG("i915 batchbuffer, start %x used %d cliprects %d\n",
+ batch.start, batch.used, batch.num_cliprects);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_batchbuffer called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (batch.num_cliprects && DRM_VERIFYAREA_READ(batch.cliprects,
+ batch.num_cliprects *
+@@ -606,10 +600,7 @@
+ DRM_DEBUG("i915 cmdbuffer, buf %p sz %d cliprects %d\n",
+ cmdbuf.buf, cmdbuf.sz, cmdbuf.num_cliprects);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_cmdbuffer called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (cmdbuf.num_cliprects &&
+ DRM_VERIFYAREA_READ(cmdbuf.cliprects,
+@@ -645,10 +636,7 @@
+ DRM_DEVICE;
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_flip_buf called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ return i915_dispatch_flip(dev);
+ }
+diff -ur linux-2.6.9/drivers/char/drm/i915_irq.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_irq.c
+--- linux-2.6.9/drivers/char/drm/i915_irq.c 2004-10-18 22:53:51.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_irq.c 2004-12-19 22:46:33.321445504 +0000
+@@ -92,10 +92,7 @@
+ drm_i915_irq_emit_t emit;
+ int result;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_irq_emit called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv) {
+ DRM_ERROR("%s called with no initialization\n", __FUNCTION__);
+++ /dev/null
-diff -ru linux-2.6.10-ck3.orig/drivers/char/drm/i915_dma.c linux-2.6.10-ck3/drivers/char/drm/i915_dma.c
---- linux-2.6.10-ck3.orig/drivers/char/drm/i915_dma.c 2004-12-24 13:34:31.000000000 -0800
-+++ linux-2.6.10-ck3/drivers/char/drm/i915_dma.c 2005-01-11 20:16:49.245435707 -0800
-@@ -545,10 +545,7 @@
- {
- DRM_DEVICE;
-
-- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-- DRM_ERROR("i915_flush_ioctl called without lock held\n");
-- return DRM_ERR(EINVAL);
-- }
-+ LOCK_TEST_WITH_RETURN( dev, filp );
-
- return i915_quiescent(dev);
- }
-@@ -574,10 +571,7 @@
- DRM_DEBUG("i915 batchbuffer, start %x used %d cliprects %d\n",
- batch.start, batch.used, batch.num_cliprects);
-
-- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-- DRM_ERROR("i915_batchbuffer called without lock held\n");
-- return DRM_ERR(EINVAL);
-- }
-+ LOCK_TEST_WITH_RETURN( dev, filp );
-
- if (batch.num_cliprects && DRM_VERIFYAREA_READ(batch.cliprects,
- batch.num_cliprects *
-@@ -606,10 +600,7 @@
- DRM_DEBUG("i915 cmdbuffer, buf %p sz %d cliprects %d\n",
- cmdbuf.buf, cmdbuf.sz, cmdbuf.num_cliprects);
-
-- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-- DRM_ERROR("i915_cmdbuffer called without lock held\n");
-- return DRM_ERR(EINVAL);
-- }
-+ LOCK_TEST_WITH_RETURN( dev, filp );
-
- if (cmdbuf.num_cliprects &&
- DRM_VERIFYAREA_READ(cmdbuf.cliprects,
-@@ -645,10 +636,7 @@
- DRM_DEVICE;
-
- DRM_DEBUG("%s\n", __FUNCTION__);
-- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-- DRM_ERROR("i915_flip_buf called without lock held\n");
-- return DRM_ERR(EINVAL);
-- }
-+ LOCK_TEST_WITH_RETURN( dev, filp );
-
- return i915_dispatch_flip(dev);
- }
-diff -ru linux-2.6.10-ck3.orig/drivers/char/drm/i915_irq.c linux-2.6.10-ck3/drivers/char/drm/i915_irq.c
---- linux-2.6.10-ck3.orig/drivers/char/drm/i915_irq.c 2004-12-24 13:34:31.000000000 -0800
-+++ linux-2.6.10-ck3/drivers/char/drm/i915_irq.c 2005-01-11 20:16:49.246435564 -0800
-@@ -92,10 +92,7 @@
- drm_i915_irq_emit_t emit;
- int result;
-
-- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-- DRM_ERROR("i915_irq_emit called without lock held\n");
-- return DRM_ERR(EINVAL);
-- }
-+ LOCK_TEST_WITH_RETURN( dev, filp );
-
- if (!dev_priv) {
- DRM_ERROR("%s called with no initialization\n", __FUNCTION__);
--- /dev/null
+From: Chuck Ebbert <76306.1226@compuserve.com>
+Subject: [PATCH] SMB security fixes for 2.6.9
+To: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Cc: linux-kernel <linux-kernel@vger.kernel.org>
+Message-ID: <200411222138_MC3-1-8F38-414@compuserve.com>
+
+ The SMB patch in 2.6.9-ac10 is broken. When a reply is received and it
+contains no data (only parms), the data_offset is zero. Since no data will
+be copied, zero offset is perfectly valid. This patch, based on the one in
+-ac, works for me. I also cleaned up the message printing (%u vs. %d for
+unsigned), added unlikely() where appropriate, and removed some extra code.
+
+Comments welcome. Like I said, at least I can use SMB servers now.
+With the original patch very bad things happened, like trying to save
+files from a text editor truncated them to 0 bytes, followed by editor
+freezing for many seconds then asking for a new name to save the file as.
+
+Rediff.
+
+diff -X dontdiff -urNp linux-2.6.10/fs/smbfs/proc.c linux-dsd/fs/smbfs/proc.c
+--- linux-2.6.10/fs/smbfs/proc.c 2004-12-24 21:34:00.000000000 +0000
++++ linux-dsd/fs/smbfs/proc.c 2005-01-13 22:58:21.681636192 +0000
+@@ -1427,9 +1427,9 @@ smb_proc_readX_data(struct smb_request *
+ * So we must first calculate the amount of padding used by the server.
+ */
+ data_off -= hdrlen;
+- if (data_off > SMB_READX_MAX_PAD) {
+- PARANOIA("offset is larger than max pad!\n");
+- PARANOIA("%d > %d\n", data_off, SMB_READX_MAX_PAD);
++ if (data_off > SMB_READX_MAX_PAD || data_off < 0) {
++ PARANOIA("offset is larger than SMB_READX_MAX_PAD or negative!\n");
++ PARANOIA("%d > %d || %d < 0\n", data_off, SMB_READX_MAX_PAD, data_off);
+ req->rq_rlen = req->rq_bufsize + 1;
+ return;
+ }
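Review bot: The added `data_off < 0` test only has an effect if `data_off` is a signed type, and its declaration is outside the hunk, so that should be confirmed. A comment such as `/* data_off goes negative when the server reports an offset inside the header */` would explain why the test exists. The two `PARANOIA` calls could be one line that reports the value, e.g. `PARANOIA("bad data offset %d (max pad %d)\n", data_off, SMB_READX_MAX_PAD);`.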
+diff -X dontdiff -urNp linux-2.6.10/fs/smbfs/request.c linux-dsd/fs/smbfs/request.c
+--- linux-2.6.10/fs/smbfs/request.c 2004-12-24 21:35:40.000000000 +0000
++++ linux-dsd/fs/smbfs/request.c 2005-01-13 23:03:51.295527264 +0000
+@@ -588,8 +588,18 @@ static int smb_recv_trans2(struct smb_sb
+ data_count = WVAL(inbuf, smb_drcnt);
+
+ /* Modify offset for the split header/buffer we use */
+- data_offset -= hdrlen;
+- parm_offset -= hdrlen;
++ if (data_count || data_offset) {
++ if (unlikely(data_offset < hdrlen))
++ goto out_bad_data;
++ else
++ data_offset -= hdrlen;
++ }
++ if (parm_count || parm_offset) {
++ if (unlikely(parm_offset < hdrlen))
++ goto out_bad_parm;
++ else
++ parm_offset -= hdrlen;
++ }
+
+ if (parm_count == parm_tot && data_count == data_tot) {
+ /*
+@@ -600,18 +610,22 @@ static int smb_recv_trans2(struct smb_sb
+ * response that fits.
+ */
+ VERBOSE("single trans2 response "
+- "dcnt=%d, pcnt=%d, doff=%d, poff=%d\n",
++ "dcnt=%u, pcnt=%u, doff=%u, poff=%u\n",
+ data_count, parm_count,
+ data_offset, parm_offset);
+ req->rq_ldata = data_count;
+ req->rq_lparm = parm_count;
+ req->rq_data = req->rq_buffer + data_offset;
+ req->rq_parm = req->rq_buffer + parm_offset;
++ if (unlikely(parm_offset + parm_count > req->rq_rlen))
++ goto out_bad_parm;
++ if (unlikely(data_offset + data_count > req->rq_rlen))
++ goto out_bad_data;
+ return 0;
+ }
+
+ VERBOSE("multi trans2 response "
+- "frag=%d, dcnt=%d, pcnt=%d, doff=%d, poff=%d\n",
++ "frag=%d, dcnt=%u, pcnt=%u, doff=%u, poff=%u\n",
+ req->rq_fragment,
+ data_count, parm_count,
+ data_offset, parm_offset);
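Review bot: In the single-response branch the new `rq_rlen` bounds checks run after `req->rq_data`, `req->rq_parm`, `req->rq_ldata` and `req->rq_lparm` have already been written, so on the `out_bad_parm`/`out_bad_data` paths the request keeps pointers and lengths derived from offsets that just failed validation. Moving `if (unlikely(parm_offset + parm_count > req->rq_rlen)) goto out_bad_parm;` and the matching data check above `req->rq_ldata = data_count;` keeps rejected values out of the request. Both offsets have had `hdrlen` subtracted by this point, so it is also worth confirming that `rq_rlen` counts only the bytes held in `rq_buffer` and not the header. smb_recv_trans2 starts and ends outside this hunk.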
+@@ -638,13 +652,15 @@ static int smb_recv_trans2(struct smb_sb
+
+ req->rq_parm = req->rq_trans2buffer;
+ req->rq_data = req->rq_trans2buffer + parm_tot;
+- } else if (req->rq_total_data < data_tot ||
+- req->rq_total_parm < parm_tot)
++ } else if (unlikely(req->rq_total_data < data_tot ||
++ req->rq_total_parm < parm_tot))
+ goto out_data_grew;
+
+- if (parm_disp + parm_count > req->rq_total_parm)
++ if (unlikely(parm_disp + parm_count > req->rq_total_parm ||
++ parm_offset + parm_count > req->rq_rlen))
+ goto out_bad_parm;
+- if (data_disp + data_count > req->rq_total_data)
++ if (unlikely(data_disp + data_count > req->rq_total_data ||
++ data_offset + data_count > req->rq_rlen))
+ goto out_bad_data;
+
+ inbuf = req->rq_buffer;
+@@ -666,10 +682,9 @@ static int smb_recv_trans2(struct smb_sb
+ return 1;
+
+ out_too_long:
+- printk(KERN_ERR "smb_trans2: data/param too long, data=%d, parm=%d\n",
++ printk(KERN_ERR "smb_trans2: data/param too long, data=%u, parm=%u\n",
+ data_tot, parm_tot);
+- req->rq_errno = -EIO;
+- goto out;
++ goto out_EIO;
+ out_no_mem:
+ printk(KERN_ERR "smb_trans2: couldn't allocate data area of %d bytes\n",
+ req->rq_trans2bufsize);
+@@ -677,16 +692,15 @@ out_no_mem:
+ goto out;
+ out_data_grew:
+ printk(KERN_ERR "smb_trans2: data/params grew!\n");
+- req->rq_errno = -EIO;
+- goto out;
++ goto out_EIO;
+ out_bad_parm:
+- printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n",
+- parm_disp, parm_count, parm_tot);
+- req->rq_errno = -EIO;
+- goto out;
++ printk(KERN_ERR "smb_trans2: invalid parms, disp=%u, cnt=%u, tot=%u, ofs=%u\n",
++ parm_disp, parm_count, parm_tot, parm_offset);
++ goto out_EIO;
+ out_bad_data:
+- printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n",
+- data_disp, data_count, data_tot);
++ printk(KERN_ERR "smb_trans2: invalid data, disp=%u, cnt=%u, tot=%u, ofs=%u\n",
++ data_disp, data_count, data_tot, data_offset);
++out_EIO:
+ req->rq_errno = -EIO;
+ out:
+ return req->rq_errno;
MD5 cffcd2919d9c8ef793ce1ac07a440eda linux-2.6.10.tar.bz2 36533484
-MD5 d2640f4147a966d20a785e3c5bdce034 patch-2.6.10-ck4.bz2 56535
+MD5 78e47c160382350a881735883964bd31 patch-2.6.10-ck5.bz2 41801