Security bump; bugs #72452, #74384, #74392, #74464.

20 files changed, 1493 insertions, 22 deletions

diff --git a/sys-kernel/gentoo-sources/ChangeLog b/sys-kernel/gentoo-sources/ChangeLog
index 7982063c70f6..ba6f749221c2 100644
--- a/sys-kernel/gentoo-sources/ChangeLog
+++ b/sys-kernel/gentoo-sources/ChangeLog
@@ -1,6 +1,24 @@
 # ChangeLog for sys-kernel/gentoo-sources
 # Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/ChangeLog,v 1.96 2004/11/27 20:57:39 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/ChangeLog,v 1.97 2004/12/24 18:23:50 plasmaroo Exp $
+
+*gentoo-sources-2.4.22-r21 (24 Dec 2004)
+
+  24 Dec 2004; <plasmaroo@gentoo.org> -gentoo-sources-2.4.20-r29.ebuild,
+  +gentoo-sources-2.4.20-r30.ebuild, -gentoo-sources-2.4.22-r20.ebuild,
+  +gentoo-sources-2.4.22-r21.ebuild, -gentoo-sources-2.4.25-r13.ebuild,
+  +gentoo-sources-2.4.25-r14.ebuild, -gentoo-sources-2.4.26-r13.ebuild,
+  +gentoo-sources-2.4.26-r14.ebuild, -gentoo-sources-2.4.27-r5.ebuild,
+  +gentoo-sources-2.4.27-r6.ebuild, -gentoo-sources-2.4.28-r2.ebuild,
+  +gentoo-sources-2.4.28-r3.ebuild,
+  +files/gentoo-sources-2.4.20-CAN-2004-1056.patch,
+  +files/gentoo-sources-2.4.22-CAN-2004-1016.patch,
+  +files/gentoo-sources-2.4.22-vma.patch,
+  +files/gentoo-sources-2.4.CAN-2004-1016.patch,
+  +files/gentoo-sources-2.4.CAN-2004-1056.patch,
+  +files/gentoo-sources-2.4.CAN-2004-1137.patch,
+  +files/gentoo-sources-2.4.vma.patch:
+  Security bump; bugs #72452, #74384, #74392, #74464.
 
 *gentoo-sources-2.4.20-r29 (27 Nov 2004)
 
diff --git a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.20-r29 b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.20-r30
index cf24929f42e8..cf24929f42e8 100644
--- a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.20-r29
+++ b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.20-r30
diff --git a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.22-r20 b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.22-r21
index ae62b02192ec..ae62b02192ec 100644
--- a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.22-r20
+++ b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.22-r21
diff --git a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.25-r13 b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.25-r14
index ddf72226d1b3..ddf72226d1b3 100644
--- a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.25-r13
+++ b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.25-r14
diff --git a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.26-r13 b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.26-r14
index 33596a1b91ba..33596a1b91ba 100644
--- a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.26-r13
+++ b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.26-r14
diff --git a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.27-r5 b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.27-r6
index cb0002e288c5..cb0002e288c5 100644
--- a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.27-r5
+++ b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.27-r6
diff --git a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.28-r2 b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.28-r3
index 400db3a891d3..400db3a891d3 100644
--- a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.28-r2
+++ b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.28-r3
diff --git a/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.20-CAN-2004-1056.patch b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.20-CAN-2004-1056.patch
new file mode 100644
index 000000000000..b0b2a6d65598
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.20-CAN-2004-1056.patch
@@ -0,0 +1,319 @@
+diff -ur linux-2.4.22/drivers/char/drm/i810.h linux-2.4.22.plasmaroo/drivers/char/drm/i810.h
+--- linux-2.4.22/drivers/char/drm/i810.h	2001-08-08 17:42:14.000000000 +0100
++++ linux-2.4.22.plasmaroo/drivers/char/drm/i810.h	2004-12-24 14:56:13.644644456 +0000
+@@ -113,4 +113,14 @@
+ #define DRIVER_AGP_BUFFERS_MAP( dev )					\
+ 	((drm_i810_private_t *)((dev)->dev_private))->buffer_map
+ 
++#define LOCK_TEST_WITH_RETURN( dev )                                    \
++do {                                                                    \
++        if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) ||           \
++             dev->lock.pid != current->pid ) {                          \
++                DRM_ERROR( "%s called without lock held\n",             \
++                           __FUNCTION__ );                              \
++                return -EINVAL;                                         \
++        }                                                               \
++} while (0)
++
+ #endif
+diff -ur linux-2.4.22/drivers/char/drm/i810_dma.c linux-2.4.22.plasmaroo/drivers/char/drm/i810_dma.c
+--- linux-2.4.22/drivers/char/drm/i810_dma.c	2002-11-28 23:53:12.000000000 +0000
++++ linux-2.4.22.plasmaroo/drivers/char/drm/i810_dma.c	2004-12-24 14:57:28.626245520 +0000
+@@ -1071,10 +1071,7 @@
+    	drm_device_t	  *dev	  = priv->dev;
+ 
+    	DRM_DEBUG("i810_flush_ioctl\n");
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_flush_ioctl called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+    	i810_flush_queue(dev);
+    	return 0;
+@@ -1096,10 +1093,7 @@
+ 	if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex)))
+ 		return -EFAULT;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma_vertex called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+ 	DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
+ 		  vertex.idx, vertex.used, vertex.discard);
+@@ -1130,10 +1124,7 @@
+    	if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear)))
+ 		return -EFAULT;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_clear_bufs called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+  	/* GH: Someone's doing nasty things... */
+  	if (!dev->dev_private) {
+@@ -1154,10 +1145,7 @@
+ 
+ 	DRM_DEBUG("i810_swap_bufs\n");
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_swap_buf called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	i810_dma_dispatch_swap( dev );
+    	return 0;
+@@ -1193,10 +1181,7 @@
+    	if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d)))
+ 		return -EFAULT;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	d.granted = 0;
+ 
+@@ -1226,10 +1211,7 @@
+ 	drm_i810_buf_priv_t *buf_priv;
+ 	drm_device_dma_t *dma = dev->dma;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+    	if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
+ 		return -EFAULT;
+@@ -1334,11 +1316,7 @@
+ 	if (copy_from_user(&mc, (drm_i810_mc_t *)arg, sizeof(mc)))
+ 		return -EFAULT;
+ 
+-
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma_mc called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	i810_dma_dispatch_mc(dev, dma->buflist[mc.idx], mc.used,
+ 		mc.last_render );
+@@ -1382,10 +1360,7 @@
+ 	drm_device_t *dev = priv->dev;
+ 	drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_fstatus called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 	return I810_READ(0x30008);
+ }
+ 
+@@ -1396,10 +1371,7 @@
+ 	drm_device_t *dev = priv->dev;
+ 	drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_ov0_flip called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	//Tell the overlay to update
+ 	I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
+diff -ur linux-2.4.22/drivers/char/drm/i830.h linux-2.4.22.plasmaroo/drivers/char/drm/i830.h
+--- linux-2.4.22/drivers/char/drm/i830.h	2002-11-28 23:53:12.000000000 +0000
++++ linux-2.4.22.plasmaroo/drivers/char/drm/i830.h	2004-12-24 14:56:13.658642328 +0000
+@@ -113,4 +113,14 @@
+ #define DRIVER_AGP_BUFFERS_MAP( dev )					\
+ 	((drm_i830_private_t *)((dev)->dev_private))->buffer_map
+ 
++#define LOCK_TEST_WITH_RETURN( dev )                                    \
++do {                                                                    \
++        if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) ||           \
++             dev->lock.pid != current->pid ) {                          \
++                DRM_ERROR( "%s called without lock held\n",             \
++                           __FUNCTION__ );                              \
++                return -EINVAL;                                         \
++        }                                                               \
++} while (0)
++
+ #endif
+diff -ur linux-2.4.22/drivers/char/drm/i830_dma.c linux-2.4.22.plasmaroo/drivers/char/drm/i830_dma.c
+--- linux-2.4.22/drivers/char/drm/i830_dma.c	2002-11-28 23:53:12.000000000 +0000
++++ linux-2.4.22.plasmaroo/drivers/char/drm/i830_dma.c	2004-12-24 14:57:55.225201864 +0000
+@@ -1187,10 +1187,8 @@
+    	drm_device_t	  *dev	  = priv->dev;
+    
+    	DRM_DEBUG("i830_flush_ioctl\n");
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_flush_ioctl called without lock held\n");
+-		return -EINVAL;
+-	}
++
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+    	i830_flush_queue(dev);
+    	return 0;
+@@ -1211,10 +1209,7 @@
+ 	if (copy_from_user(&vertex, (drm_i830_vertex_t *)arg, sizeof(vertex)))
+ 		return -EFAULT;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_dma_vertex called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
+ 		  vertex.idx, vertex.used, vertex.discard);
+@@ -1241,10 +1236,7 @@
+    	if (copy_from_user(&clear, (drm_i830_clear_t *)arg, sizeof(clear)))
+ 		return -EFAULT;
+    
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_clear_bufs called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	/* GH: Someone's doing nasty things... */
+ 	if (!dev->dev_private) {
+@@ -1266,10 +1258,7 @@
+    
+ 	DRM_DEBUG("i830_swap_bufs\n");
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_swap_buf called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	i830_dma_dispatch_swap( dev );
+    	return 0;
+@@ -1305,10 +1294,7 @@
+    	if (copy_from_user(&d, (drm_i830_dma_t *)arg, sizeof(d)))
+ 		return -EFAULT;
+    
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 	
+ 	d.granted = 0;
+ 
+@@ -1338,10 +1324,7 @@
+ 	drm_i830_buf_priv_t *buf_priv;
+ 	drm_device_dma_t *dma = dev->dma;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+    
+    	if (copy_from_user(&d, (drm_i830_copy_t *)arg, sizeof(d)))
+ 		return -EFAULT;
+diff -ur linux-2.4.22/drivers/char/drm-4.0/drmP.h linux-2.4.22.plasmaroo/drivers/char/drm-4.0/drmP.h
+--- linux-2.4.22/drivers/char/drm-4.0/drmP.h	2002-02-25 19:37:57.000000000 +0000
++++ linux-2.4.22.plasmaroo/drivers/char/drm-4.0/drmP.h	2004-12-24 14:56:16.389227216 +0000
+@@ -294,6 +294,16 @@
+ #define DRM_BUFCOUNT(x) ((x)->count - DRM_LEFTCOUNT(x))
+ #define DRM_WAITCOUNT(dev,idx) DRM_BUFCOUNT(&dev->queuelist[idx]->waitlist)
+ 
++#define LOCK_TEST_WITH_RETURN( dev )                                    \
++do {                                                                    \
++        if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) ||           \
++             dev->lock.pid != current->pid ) {                          \
++                DRM_ERROR( "%s called without lock held\n",             \
++                           __FUNCTION__ );                              \
++                return -EINVAL;                                         \
++        }                                                               \
++} while (0)
++
+ typedef int drm_ioctl_t(struct inode *inode, struct file *filp,
+ 			unsigned int cmd, unsigned long arg);
+ 
+diff -ur linux-2.4.22/drivers/char/drm-4.0/i810_dma.c linux-2.4.22.plasmaroo/drivers/char/drm-4.0/i810_dma.c
+--- linux-2.4.22/drivers/char/drm-4.0/i810_dma.c	2003-06-13 15:51:32.000000000 +0100
++++ linux-2.4.22.plasmaroo/drivers/char/drm-4.0/i810_dma.c	2004-12-24 14:56:16.401225392 +0000
+@@ -1249,10 +1249,7 @@
+    	drm_device_t	  *dev	  = priv->dev;
+    
+    	DRM_DEBUG("i810_flush_ioctl\n");
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_flush_ioctl called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+    	i810_flush_queue(dev);
+    	return 0;
+@@ -1274,10 +1271,7 @@
+ 	if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex)))
+ 		return -EFAULT;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma_vertex called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+ 	DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
+ 		  vertex.idx, vertex.used, vertex.discard);
+@@ -1308,10 +1302,7 @@
+    	if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear)))
+ 		return -EFAULT;
+    
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_clear_bufs called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+ 	i810_dma_dispatch_clear( dev, clear.flags, 
+ 				 clear.clear_color, 
+@@ -1327,10 +1318,7 @@
+    
+ 	DRM_DEBUG("i810_swap_bufs\n");
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_swap_buf called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+ 	i810_dma_dispatch_swap( dev );
+    	return 0;
+@@ -1366,10 +1354,7 @@
+    	if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d)))
+ 		return -EFAULT;
+    
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 	
+ 	d.granted = 0;
+ 
+@@ -1399,10 +1384,7 @@
+ 	drm_i810_buf_priv_t *buf_priv;
+ 	drm_device_dma_t *dma = dev->dma;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+    
+    	if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
+ 		return -EFAULT;
diff --git a/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.22-CAN-2004-1016.patch b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.22-CAN-2004-1016.patch
new file mode 100644
index 000000000000..ad0b0dde0d47
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.22-CAN-2004-1016.patch
@@ -0,0 +1,58 @@
+===== include/linux/socket.h 1.12 vs edited =====
+--- 1.12/include/linux/socket.h	2004-09-09 06:40:01 +10:00
++++ edited/include/linux/socket.h	2004-11-27 11:53:40 +11:00
+@@ -90,6 +90,10 @@
+ 				  (struct cmsghdr *)(ctl) : \
+ 				  (struct cmsghdr *)NULL)
+ #define CMSG_FIRSTHDR(msg)	__CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \
++			     (cmsg)->cmsg_len <= (unsigned long) \
++			     ((mhdr)->msg_controllen - \
++			      ((char *)(cmsg) - (char *)(mhdr)->msg_control)))
+ 
+ /*
+  *	This mess will go away with glibc
+===== net/core/scm.c 1.10 vs edited =====
+--- 1.10/net/core/scm.c	2004-05-31 05:08:14 +10:00
++++ edited/net/core/scm.c	2004-11-27 11:48:55 +11:00
+@@ -127,9 +127,7 @@
+ 		   for too short ancillary data object at all! Oops.
+ 		   OK, let's add it...
+ 		 */
+-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+-				    + cmsg->cmsg_len) > msg->msg_controllen)
++		if (!CMSG_OK(msg, cmsg))
+ 			goto error;
+ 
+ 		if (cmsg->cmsg_level != SOL_SOCKET)
+===== net/ipv4/ip_sockglue.c 1.26 vs edited =====
+--- 1.26/net/ipv4/ip_sockglue.c	2004-07-01 06:10:53 +10:00
++++ edited/net/ipv4/ip_sockglue.c	2004-11-27 11:49:45 +11:00
+@@ -146,11 +146,8 @@
+ 	struct cmsghdr *cmsg;
+ 
+ 	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
+-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+-				    + cmsg->cmsg_len) > msg->msg_controllen) {
++		if (!CMSG_OK(msg, cmsg))
+ 			return -EINVAL;
+-		}
+ 		if (cmsg->cmsg_level != SOL_IP)
+ 			continue;
+ 		switch (cmsg->cmsg_type) {
+===== net/ipv6/datagram.c 1.20 vs edited =====
+--- 1.20/net/ipv6/datagram.c	2004-11-10 17:57:03 +11:00
++++ edited/net/ipv6/datagram.c	2004-11-27 11:51:15 +11:00
+@@ -427,9 +427,7 @@
+ 		int addr_type;
+ 		struct net_device *dev = NULL;
+ 
+-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+-				    + cmsg->cmsg_len) > msg->msg_controllen) {
++		if (!CMSG_OK(msg, cmsg)) {
+ 			err = -EINVAL;
+ 			goto exit_f;
+ 		}
diff --git a/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.22-vma.patch b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.22-vma.patch
new file mode 100644
index 000000000000..2469dd5ab2c5
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.22-vma.patch
@@ -0,0 +1,246 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2004/12/17 21:45:58-02:00 chrisw@osdl.org 
+#   [PATCH] Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().  
+#   
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error
+#   rather than BUG().  This eliminates a user triggerable BUG() when user
+#   created a large vma that overlapped with arg pages during exec (could be
+#   triggered with a.out on i386 and x86_64 and elf on ia64).
+#   
+#   Signed-off-by: Chris Wright <chrisw@osdl.org>
+#   
+#   ===== arch/ia64/ia32/binfmt_elf32.c 1.13 vs edited =====
+# 
+# arch/ia64/ia32/binfmt_elf32.c
+#   2004/12/17 17:22:06-02:00 chrisw@osdl.org +16 -4
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().
+# 
+# arch/ia64/mm/init.c
+#   2004/12/17 15:25:47-02:00 chrisw@osdl.org +14 -2
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG(). 
+# 
+# arch/s390x/kernel/exec32.c
+#   2004/12/17 15:32:42-02:00 chrisw@osdl.org +6 -2
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().  This eliminates a user triggerable BUG() when user
+# 
+# arch/x86_64/ia32/ia32_binfmt.c
+#   2004/12/17 15:34:21-02:00 chrisw@osdl.org +6 -2
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().  This eliminates a user triggerable BUG() when user
+# 
+# fs/exec.c
+#   2004/12/17 15:54:18-02:00 chrisw@osdl.org +6 -2
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().  
+# 
+# include/linux/mm.h
+#   2004/12/16 20:38:37-02:00 chrisw@osdl.org +1 -1
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().  This eliminates a user triggerable BUG() when user
+# 
+# mm/mmap.c
+#   2004/12/16 20:43:15-02:00 chrisw@osdl.org +3 -2
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().
+# 
+diff -Nru a/arch/ia64/ia32/binfmt_elf32.c b/arch/ia64/ia32/binfmt_elf32.c
+--- a/arch/ia64/ia32/binfmt_elf32.c	2004-12-19 07:39:49 -08:00
++++ b/arch/ia64/ia32/binfmt_elf32.c	2004-12-19 07:39:49 -08:00
+@@ -95,7 +95,11 @@
+ 		vma->vm_private_data = NULL;
+ 		down_write(&current->mm->mmap_sem);
+ 		{
+-			insert_vm_struct(current->mm, vma);
++			if (insert_vm_struct(current->mm, vma)) {
++				kmem_cache_free(vm_area_cachep, vma);
++				up_write(&current->mm->mmap_sem);
++				return;
++			}
+ 		}
+ 		up_write(&current->mm->mmap_sem);
+ 	}
+@@ -117,7 +121,11 @@
+ 		vma->vm_private_data = NULL;
+ 		down_write(&current->mm->mmap_sem);
+ 		{
+-			insert_vm_struct(current->mm, vma);
++			if (insert_vm_struct(current->mm, vma)) {
++				kmem_cache_free(vm_area_cachep, vma);
++				up_write(&current->mm->mmap_sem);
++				return;
++			}
+ 		}
+ 		up_write(&current->mm->mmap_sem);
+ 	}
+@@ -164,7 +172,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ 	stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ 
+@@ -188,7 +196,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = 0;
+-		insert_vm_struct(current->mm, mpnt);
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, mpnt);
++			return ret;
++		}
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	}
+ 
+diff -Nru a/arch/ia64/mm/init.c b/arch/ia64/mm/init.c
+--- a/arch/ia64/mm/init.c	2004-12-19 07:39:49 -08:00
++++ b/arch/ia64/mm/init.c	2004-12-19 07:39:49 -08:00
+@@ -105,7 +105,13 @@
+ 		vma->vm_pgoff = 0;
+ 		vma->vm_file = NULL;
+ 		vma->vm_private_data = NULL;
+-		insert_vm_struct(current->mm, vma);
++		down_write(&current->mm->mmap_sem);
++		if (insert_vm_struct(current->mm, vma)) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, vma);
++			return;
++		}
++		up_write(&current->mm->mmap_sem);
+ 	}
+ 
+ 	/* map NaT-page at address zero to speed up speculative dereferencing of NULL: */
+@@ -117,7 +123,13 @@
+ 			vma->vm_end = PAGE_SIZE;
+ 			vma->vm_page_prot = __pgprot(pgprot_val(PAGE_READONLY) | _PAGE_MA_NAT);
+ 			vma->vm_flags = VM_READ | VM_MAYREAD | VM_IO | VM_RESERVED;
+-			insert_vm_struct(current->mm, vma);
++			down_write(&current->mm->mmap_sem);
++			if (insert_vm_struct(current->mm, vma)) {
++				up_write(&current->mm->mmap_sem);
++				kmem_cache_free(vm_area_cachep, vma);
++				return;
++			}
++			up_write(&current->mm->mmap_sem);
+ 		}
+ 	}
+ }
+diff -Nru a/arch/s390x/kernel/exec32.c b/arch/s390x/kernel/exec32.c
+--- a/arch/s390x/kernel/exec32.c	2004-12-19 07:39:49 -08:00
++++ b/arch/s390x/kernel/exec32.c	2004-12-19 07:39:49 -08:00
+@@ -41,7 +41,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ 	stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ 
+@@ -65,7 +65,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = (void *) 0;
+-		insert_vm_struct(current->mm, mpnt);
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, mpnt);
++			return ret;
++		}
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	} 
+ 
+diff -Nru a/arch/x86_64/ia32/ia32_binfmt.c b/arch/x86_64/ia32/ia32_binfmt.c
+--- a/arch/x86_64/ia32/ia32_binfmt.c	2004-12-19 07:39:49 -08:00
++++ b/arch/x86_64/ia32/ia32_binfmt.c	2004-12-19 07:39:49 -08:00
+@@ -225,7 +225,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ 	stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ 
+@@ -250,7 +250,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = (void *) 0;
+-		insert_vm_struct(current->mm, mpnt);
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, mpnt);
++			return ret;
++		}
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	} 
+ 
+diff -Nru a/fs/exec.c b/fs/exec.c
+--- a/fs/exec.c	2004-12-19 07:39:49 -08:00
++++ b/fs/exec.c	2004-12-19 07:39:49 -08:00
+@@ -327,7 +327,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ 	stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ 
+@@ -387,7 +387,6 @@
+ 
+ 	down_write(&current->mm->mmap_sem);
+ 	{
+-		struct vm_area_struct *vma;
+ 		mpnt->vm_mm = current->mm;
+ 		mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p;
+ 		mpnt->vm_end = STACK_TOP;
+@@ -402,13 +401,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = (void *) 0;
+-		vma = find_vma(current->mm, mpnt->vm_start);
+-		if (vma) {
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
+ 			up_write(&current->mm->mmap_sem);
+ 			kmem_cache_free(vm_area_cachep, mpnt);
+-			return -ENOMEM;
++			return ret;
+ 		}
+-		insert_vm_struct(current->mm, mpnt);
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	} 
+ 
+diff -Nru a/include/linux/mm.h b/include/linux/mm.h
+--- a/include/linux/mm.h	2004-12-19 07:39:49 -08:00
++++ b/include/linux/mm.h	2004-12-19 07:39:49 -08:00
+@@ -548,7 +548,7 @@
+ /* mmap.c */
+ extern void lock_vma_mappings(struct vm_area_struct *);
+ extern void unlock_vma_mappings(struct vm_area_struct *);
+-extern void insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
++extern int insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
+ extern void __insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
+ extern void build_mmap_rb(struct mm_struct *);
+ extern void exit_mmap(struct mm_struct *);
+diff -Nru a/mm/mmap.c b/mm/mmap.c
+--- a/mm/mmap.c	2004-12-19 07:39:49 -08:00
++++ b/mm/mmap.c	2004-12-19 07:39:49 -08:00
+@@ -1193,14 +1193,15 @@
+ 	validate_mm(mm);
+ }
+ 
+-void insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
++int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+ {
+ 	struct vm_area_struct * __vma, * prev;
+ 	rb_node_t ** rb_link, * rb_parent;
+ 
+ 	__vma = find_vma_prepare(mm, vma->vm_start, &prev, &rb_link, &rb_parent);
+ 	if (__vma && __vma->vm_start < vma->vm_end)
+-		BUG();
++		return -ENOMEM;
+ 	vma_link(mm, vma, prev, rb_link, rb_parent);
+ 	validate_mm(mm);
++	return 0;
+ }
diff --git a/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.CAN-2004-1016.patch b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.CAN-2004-1016.patch
new file mode 100644
index 000000000000..aa25ac95ed61
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.CAN-2004-1016.patch
@@ -0,0 +1,75 @@
+===== include/linux/socket.h 1.12 vs edited =====
+--- 1.12/include/linux/socket.h	2004-09-09 06:40:01 +10:00
++++ edited/include/linux/socket.h	2004-11-27 11:53:40 +11:00
+@@ -90,6 +90,10 @@
+ 				  (struct cmsghdr *)(ctl) : \
+ 				  (struct cmsghdr *)NULL)
+ #define CMSG_FIRSTHDR(msg)	__CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \
++			     (cmsg)->cmsg_len <= (unsigned long) \
++			     ((mhdr)->msg_controllen - \
++			      ((char *)(cmsg) - (char *)(mhdr)->msg_control)))
+ 
+ /*
+  *	This mess will go away with glibc
+===== net/core/scm.c 1.10 vs edited =====
+--- 1.10/net/core/scm.c	2004-05-31 05:08:14 +10:00
++++ edited/net/core/scm.c	2004-11-27 11:48:55 +11:00
+@@ -127,9 +127,7 @@
+ 		   for too short ancillary data object at all! Oops.
+ 		   OK, let's add it...
+ 		 */
+-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+-				    + cmsg->cmsg_len) > msg->msg_controllen)
++		if (!CMSG_OK(msg, cmsg))
+ 			goto error;
+ 
+ 		if (cmsg->cmsg_level != SOL_SOCKET)
+===== net/ipv4/ip_sockglue.c 1.26 vs edited =====
+--- 1.26/net/ipv4/ip_sockglue.c	2004-07-01 06:10:53 +10:00
++++ edited/net/ipv4/ip_sockglue.c	2004-11-27 11:49:45 +11:00
+@@ -146,11 +146,8 @@
+ 	struct cmsghdr *cmsg;
+ 
+ 	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
+-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+-				    + cmsg->cmsg_len) > msg->msg_controllen) {
++		if (!CMSG_OK(msg, cmsg))
+ 			return -EINVAL;
+-		}
+ 		if (cmsg->cmsg_level != SOL_IP)
+ 			continue;
+ 		switch (cmsg->cmsg_type) {
+===== net/ipv6/datagram.c 1.20 vs edited =====
+--- 1.20/net/ipv6/datagram.c	2004-11-10 17:57:03 +11:00
++++ edited/net/ipv6/datagram.c	2004-11-27 11:51:15 +11:00
+@@ -427,9 +427,7 @@
+ 		int addr_type;
+ 		struct net_device *dev = NULL;
+ 
+-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+-				    + cmsg->cmsg_len) > msg->msg_controllen) {
++		if (!CMSG_OK(msg, cmsg)) {
+ 			err = -EINVAL;
+ 			goto exit_f;
+ 		}
+===== net/sctp/socket.c 1.129 vs edited =====
+--- 1.129/net/sctp/socket.c	2004-11-19 08:43:18 +11:00
++++ edited/net/sctp/socket.c	2004-11-27 11:52:11 +11:00
+@@ -4098,12 +4098,8 @@
+ 	for (cmsg = CMSG_FIRSTHDR(msg);
+ 	     cmsg != NULL;
+ 	     cmsg = CMSG_NXTHDR((struct msghdr*)msg, cmsg)) {
+-		/* Check for minimum length.  The SCM code has this check.  */
+-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+-				    + cmsg->cmsg_len) > msg->msg_controllen) {
++		if (!CMSG_OK(msg, cmsg))
+ 			return -EINVAL;
+-		}
+ 
+ 		/* Should we parse this header or ignore?  */
+ 		if (cmsg->cmsg_level != IPPROTO_SCTP)
diff --git a/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.CAN-2004-1056.patch b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.CAN-2004-1056.patch
new file mode 100644
index 000000000000..53b777acaac5
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.CAN-2004-1056.patch
@@ -0,0 +1,321 @@
+diff -ur linux-2.4.28/drivers/char/drm/i810.h linux-2.4.28.plasmaroo/drivers/char/drm/i810.h
+--- linux-2.4.28/drivers/char/drm/i810.h	2003-11-28 18:26:20.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i810.h	2004-12-23 16:26:31.000000000 +0000
+@@ -114,4 +114,14 @@
+ #define DRIVER_AGP_BUFFERS_MAP( dev )					\
+ 	((drm_i810_private_t *)((dev)->dev_private))->buffer_map
+ 
++#define LOCK_TEST_WITH_RETURN( dev )                                    \
++do {                                                                    \
++        if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) ||           \
++             dev->lock.pid != current->pid ) {                          \
++                DRM_ERROR( "%s called without lock held\n",             \
++                           __FUNCTION__ );                              \
++                return -EINVAL;                                         \
++        }                                                               \
++} while (0)
++
+ #endif
+diff -ur linux-2.4.28/drivers/char/drm/i810_dma.c linux-2.4.28.plasmaroo/drivers/char/drm/i810_dma.c
+--- linux-2.4.28/drivers/char/drm/i810_dma.c	2004-02-18 13:36:31.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i810_dma.c	2004-12-23 16:27:16.000000000 +0000
+@@ -948,10 +948,7 @@
+    	drm_file_t	  *priv	  = filp->private_data;
+    	drm_device_t	  *dev	  = priv->dev;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_flush_ioctl called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+    	i810_flush_queue(dev);
+    	return 0;
+@@ -973,10 +970,7 @@
+ 	if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex)))
+ 		return -EFAULT;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma_vertex called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+ 	if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
+ 
+@@ -1004,10 +998,7 @@
+    	if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear)))
+ 		return -EFAULT;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_clear_bufs called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+  	/* GH: Someone's doing nasty things... */
+  	if (!dev->dev_private) {
+@@ -1026,10 +1017,7 @@
+ 	drm_file_t *priv = filp->private_data;
+ 	drm_device_t *dev = priv->dev;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_swap_buf called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	i810_dma_dispatch_swap( dev );
+    	return 0;
+@@ -1064,10 +1052,7 @@
+    	if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d)))
+ 		return -EFAULT;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	d.granted = 0;
+ 
+@@ -1174,11 +1159,7 @@
+ 	if (copy_from_user(&mc, (drm_i810_mc_t *)arg, sizeof(mc)))
+ 		return -EFAULT;
+ 
+-
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma_mc called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	i810_dma_dispatch_mc(dev, dma->buflist[mc.idx], mc.used,
+ 		mc.last_render );
+@@ -1223,10 +1204,7 @@
+ 	drm_device_t *dev = priv->dev;
+ 	drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_fstatus called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 	return I810_READ(0x30008);
+ }
+ 
+@@ -1237,10 +1215,7 @@
+ 	drm_device_t *dev = priv->dev;
+ 	drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_ov0_flip called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	//Tell the overlay to update
+ 	I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
+diff -ur linux-2.4.28/drivers/char/drm/i830.h linux-2.4.28.plasmaroo/drivers/char/drm/i830.h
+--- linux-2.4.28/drivers/char/drm/i830.h	2003-11-28 18:26:20.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830.h	2004-12-23 16:31:33.000000000 +0000
+@@ -154,4 +154,14 @@
+ #define DRIVER_AGP_BUFFERS_MAP( dev )					\
+ 	((drm_i830_private_t *)((dev)->dev_private))->buffer_map
+ 
++#define LOCK_TEST_WITH_RETURN( dev )                                    \
++do {                                                                    \
++        if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) ||           \
++             dev->lock.pid != current->pid ) {                          \
++                DRM_ERROR( "%s called without lock held\n",             \
++                           __FUNCTION__ );                              \
++                return -EINVAL;                                         \
++        }                                                               \
++} while (0)
++
+ #endif
+diff -ur linux-2.4.28/drivers/char/drm/i830_dma.c linux-2.4.28.plasmaroo/drivers/char/drm/i830_dma.c
+--- linux-2.4.28/drivers/char/drm/i830_dma.c	2004-02-18 13:36:31.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830_dma.c	2004-12-23 16:32:08.000000000 +0000
+@@ -1330,10 +1330,7 @@
+    	drm_file_t	  *priv	  = filp->private_data;
+    	drm_device_t	  *dev	  = priv->dev;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_flush_ioctl called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+    	i830_flush_queue(dev);
+    	return 0;
+@@ -1354,10 +1351,7 @@
+ 	if (copy_from_user(&vertex, (drm_i830_vertex_t *)arg, sizeof(vertex)))
+ 		return -EFAULT;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_dma_vertex called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
+ 		  vertex.idx, vertex.used, vertex.discard);
+@@ -1384,10 +1378,7 @@
+    	if (copy_from_user(&clear, (drm_i830_clear_t *)arg, sizeof(clear)))
+ 		return -EFAULT;
+    
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_clear_bufs called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	/* GH: Someone's doing nasty things... */
+ 	if (!dev->dev_private) {
+@@ -1409,10 +1400,7 @@
+    
+ 	DRM_DEBUG("i830_swap_bufs\n");
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_swap_buf called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	i830_dma_dispatch_swap( dev );
+    	return 0;
+@@ -1453,10 +1441,7 @@
+ 
+ 	DRM_DEBUG("%s\n", __FUNCTION__);
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_flip_buf called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	if (!dev_priv->page_flipping) 
+ 		i830_do_init_pageflip( dev );
+@@ -1495,10 +1480,7 @@
+    	if (copy_from_user(&d, (drm_i830_dma_t *)arg, sizeof(d)))
+ 		return -EFAULT;
+    
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 	
+ 	d.granted = 0;
+ 
+diff -ur linux-2.4.28/drivers/char/drm/i830_irq.c linux-2.4.28.plasmaroo/drivers/char/drm/i830_irq.c
+--- linux-2.4.28/drivers/char/drm/i830_irq.c	2003-11-28 18:26:20.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830_irq.c	2004-12-23 16:39:47.000000000 +0000
+@@ -130,10 +130,7 @@
+ 	drm_i830_irq_emit_t emit;
+ 	int result;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_irq_emit called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	if ( !dev_priv ) {
+ 		DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ );
+diff -ur linux-2.4.28/drivers/char/drm-4.0/drmP.h linux-2.4.28.plasmaroo/drivers/char/drm-4.0/drmP.h
+--- linux-2.4.28/drivers/char/drm-4.0/drmP.h	2004-02-18 13:36:31.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm-4.0/drmP.h	2004-12-23 16:21:30.000000000 +0000
+@@ -294,6 +294,16 @@
+ #define DRM_BUFCOUNT(x) ((x)->count - DRM_LEFTCOUNT(x))
+ #define DRM_WAITCOUNT(dev,idx) DRM_BUFCOUNT(&dev->queuelist[idx]->waitlist)
+ 
++#define LOCK_TEST_WITH_RETURN( dev )                                    \
++do {                                                                    \
++        if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) ||           \
++             dev->lock.pid != current->pid ) {                          \
++                DRM_ERROR( "%s called without lock held\n",             \
++                           __FUNCTION__ );                              \
++                return -EINVAL;                                         \
++        }                                                               \
++} while (0)
++
+ typedef int drm_ioctl_t(struct inode *inode, struct file *filp,
+ 			unsigned int cmd, unsigned long arg);
+ 
+diff -ur linux-2.4.28/drivers/char/drm-4.0/i810_dma.c linux-2.4.28.plasmaroo/drivers/char/drm-4.0/i810_dma.c
+--- linux-2.4.28/drivers/char/drm-4.0/i810_dma.c	2004-02-18 13:36:31.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm-4.0/i810_dma.c	2004-12-23 16:21:30.000000000 +0000
+@@ -1249,10 +1249,7 @@
+    	drm_device_t	  *dev	  = priv->dev;
+    
+    	DRM_DEBUG("i810_flush_ioctl\n");
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_flush_ioctl called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+    	i810_flush_queue(dev);
+    	return 0;
+@@ -1274,10 +1271,7 @@
+ 	if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex)))
+ 		return -EFAULT;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma_vertex called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+ 	DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
+ 		  vertex.idx, vertex.used, vertex.discard);
+@@ -1308,10 +1302,7 @@
+    	if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear)))
+ 		return -EFAULT;
+    
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_clear_bufs called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+ 	i810_dma_dispatch_clear( dev, clear.flags, 
+ 				 clear.clear_color, 
+@@ -1327,10 +1318,7 @@
+    
+ 	DRM_DEBUG("i810_swap_bufs\n");
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_swap_buf called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+ 	i810_dma_dispatch_swap( dev );
+    	return 0;
+@@ -1366,10 +1354,7 @@
+    	if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d)))
+ 		return -EFAULT;
+    
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 	
+ 	d.granted = 0;
+ 
+@@ -1399,10 +1384,7 @@
+ 	drm_i810_buf_priv_t *buf_priv;
+ 	drm_device_dma_t *dma = dev->dma;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+    
+    	if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
+ 		return -EFAULT;
diff --git a/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.CAN-2004-1137.patch b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.CAN-2004-1137.patch
new file mode 100644
index 000000000000..161806ce79d7
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.CAN-2004-1137.patch
@@ -0,0 +1,59 @@
+--- linux-2.4.28-orig/net/ipv4/igmp.c	2004-08-08 01:26:06.000000000 +0200
++++ linux-2.4.28/net/ipv4/igmp.c	2004-12-15 22:12:48.000000000 +0100
+@@ -1757,12 +1757,12 @@
+ 			goto done;
+ 		rv = !0;
+ 		for (i=0; i<psl->sl_count; i++) {
+-			rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++			rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ 				sizeof(__u32));
+-			if (rv >= 0)
++			if (rv == 0)
+ 				break;
+ 		}
+-		if (!rv)	/* source not found */
++		if (rv)		/* source not found */
+ 			goto done;
+ 
+ 		/* update the interface filter */
+@@ -1804,9 +1804,9 @@
+ 	}
+ 	rv = 1;	/* > 0 for insert logic below if sl_count is 0 */
+ 	for (i=0; i<psl->sl_count; i++) {
+-		rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++		rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ 			sizeof(__u32));
+-		if (rv >= 0)
++		if (rv == 0)
+ 			break;
+ 	}
+ 	if (rv == 0)		/* address already there is an error */
+--- linux-2.4.28-orig/net/ipv6/mcast.c	2004-11-17 12:54:22.000000000 +0100
++++ linux-2.4.28/net/ipv6/mcast.c	2004-12-15 22:14:07.000000000 +0100
+@@ -386,12 +386,12 @@
+ 			goto done;
+ 		rv = !0;
+ 		for (i=0; i<psl->sl_count; i++) {
+-			rv = memcmp(&psl->sl_addr, group,
++			rv = memcmp(&psl->sl_addr[i], source,
+ 				sizeof(struct in6_addr));
+-			if (rv >= 0)
++			if (rv == 0)
+ 				break;
+ 		}
+-		if (!rv)	/* source not found */
++		if (rv)		/* source not found */
+ 			goto done;
+ 
+ 		/* update the interface filter */
+@@ -432,8 +432,8 @@
+ 	}
+ 	rv = 1;	/* > 0 for insert logic below if sl_count is 0 */
+ 	for (i=0; i<psl->sl_count; i++) {
+-		rv = memcmp(&psl->sl_addr, group, sizeof(struct in6_addr));
+-		if (rv >= 0)
++		rv = memcmp(&psl->sl_addr[i], source, sizeof(struct in6_addr));
++		if (rv == 0)
+ 			break;
+ 	}
+ 	if (rv == 0)		/* address already there is an error */
diff --git a/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.vma.patch b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.vma.patch
new file mode 100644
index 000000000000..188da50f6655
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.vma.patch
@@ -0,0 +1,352 @@
+diff -ur linux-2.4.28-gentoo-r2/arch/ia64/ia32/binfmt_elf32.c linux-2.4.28-gentoo-r3/arch/ia64/ia32/binfmt_elf32.c
+--- linux-2.4.28-gentoo-r2/arch/ia64/ia32/binfmt_elf32.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/ia64/ia32/binfmt_elf32.c	2004-12-24 14:34:29.531899728 +0000
+@@ -95,7 +95,11 @@
+ 		vma->vm_private_data = NULL;
+ 		down_write(&current->mm->mmap_sem);
+ 		{
+-			insert_vm_struct(current->mm, vma);
++			if (insert_vm_struct(current->mm, vma)) {
++				kmem_cache_free(vm_area_cachep, vma);
++				up_write(&current->mm->mmap_sem);
++				return;
++			}
+ 		}
+ 		up_write(&current->mm->mmap_sem);
+ 	}
+@@ -117,7 +121,11 @@
+ 		vma->vm_private_data = NULL;
+ 		down_write(&current->mm->mmap_sem);
+ 		{
+-			insert_vm_struct(current->mm, vma);
++			if (insert_vm_struct(current->mm, vma)) {
++				kmem_cache_free(vm_area_cachep, vma);
++				up_write(&current->mm->mmap_sem);
++				return;
++			}
+ 		}
+ 		up_write(&current->mm->mmap_sem);
+ 	}
+@@ -164,7 +172,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ 	stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ 
+@@ -188,7 +196,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = 0;
+-		insert_vm_struct(current->mm, mpnt);
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, mpnt);
++			return ret;
++		}
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	}
+ 
+diff -ur linux-2.4.28-gentoo-r2/arch/ia64/kernel/perfmon.c linux-2.4.28-gentoo-r3/arch/ia64/kernel/perfmon.c
+--- linux-2.4.28-gentoo-r2/arch/ia64/kernel/perfmon.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/ia64/kernel/perfmon.c	2004-12-24 14:34:29.534899272 +0000
+@@ -967,7 +967,8 @@
+ 	 * now insert the vma in the vm list for the process, must be
+ 	 * done with mmap lock held
+ 	 */
+-	insert_vm_struct(mm, vma);
++	if(insert_vm_struct(mm, vma)) /* Handle -ENOMEM et al. */
++		goto error;
+ 
+ 	mm->total_vm  += size >> PAGE_SHIFT;
+ 
+diff -ur linux-2.4.28-gentoo-r2/arch/ia64/mm/init.c linux-2.4.28-gentoo-r3/arch/ia64/mm/init.c
+--- linux-2.4.28-gentoo-r2/arch/ia64/mm/init.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/ia64/mm/init.c	2004-12-24 14:34:29.535899120 +0000
+@@ -105,7 +105,13 @@
+ 		vma->vm_pgoff = 0;
+ 		vma->vm_file = NULL;
+ 		vma->vm_private_data = NULL;
+-		insert_vm_struct(current->mm, vma);
++		down_write(&current->mm->mmap_sem);
++		if (insert_vm_struct(current->mm, vma)) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, vma);
++			return;
++		}
++		up_write(&current->mm->mmap_sem);
+ 	}
+ 
+ 	/* map NaT-page at address zero to speed up speculative dereferencing of NULL: */
+@@ -117,7 +123,13 @@
+ 			vma->vm_end = PAGE_SIZE;
+ 			vma->vm_page_prot = __pgprot(pgprot_val(PAGE_READONLY) | _PAGE_MA_NAT);
+ 			vma->vm_flags = VM_READ | VM_MAYREAD | VM_IO | VM_RESERVED;
+-			insert_vm_struct(current->mm, vma);
++			down_write(&current->mm->mmap_sem);
++			if (insert_vm_struct(current->mm, vma)) {
++				up_write(&current->mm->mmap_sem);
++				kmem_cache_free(vm_area_cachep, vma);
++				return;
++			}
++			up_write(&current->mm->mmap_sem);
+ 		}
+ 	}
+ }
+diff -ur linux-2.4.28-gentoo-r2/arch/ppc/mm/fault.c linux-2.4.28-gentoo-r3/arch/ppc/mm/fault.c
+--- linux-2.4.28-gentoo-r2/arch/ppc/mm/fault.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/ppc/mm/fault.c	2004-12-24 14:34:29.543897904 +0000
+@@ -83,8 +83,10 @@
+ 	nopage:		pax_syscall_nopage,
+ };
+ 
+-static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
+ {
++	int ret;
++
+ 	vma->vm_mm = current->mm;
+ 	vma->vm_start = addr;
+ 	vma->vm_end = addr + PAGE_SIZE;
+@@ -94,8 +96,15 @@
+ 	vma->vm_pgoff = 0UL;
+ 	vma->vm_file = NULL;
+ 	vma->vm_private_data = NULL;
+-	insert_vm_struct(current->mm, vma);
++	ret = insert_vm_struct(current->mm, vma);
++	if(ret != 0)
++	{
++		up_write(&current->mm->mmap_sem);
++		kmem_cache_free(vm_area_cachep, vma);
++		return ret;
++	}
+ 	++current->mm->total_vm;
++	return 0;
+ }
+ #endif
+ 
+@@ -333,7 +342,8 @@
+ 				return 1;
+ 			}
+ 
+-			pax_insert_vma(vma, call_syscall);
++			if(pax_insert_vma(vma, call_syscall))
++				return 1; /* VMA overlapping attempt; bye bye! */
+ 			current->mm->call_syscall = call_syscall;
+ 			up_write(&current->mm->mmap_sem);
+ 
+@@ -377,7 +387,8 @@
+ 				return 1;
+ 			}
+ 
+-			pax_insert_vma(vma, call_syscall);
++			if(pax_insert_vma(vma, call_syscall))
++				return 1; /* VMA overlapping attempt; bye bye! */
+ 			current->mm->call_syscall = call_syscall;
+ 			up_write(&current->mm->mmap_sem);
+ 
+diff -ur linux-2.4.28-gentoo-r2/arch/s390x/kernel/exec32.c linux-2.4.28-gentoo-r3/arch/s390x/kernel/exec32.c
+--- linux-2.4.28-gentoo-r2/arch/s390x/kernel/exec32.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/s390x/kernel/exec32.c	2004-12-24 14:34:29.543897904 +0000
+@@ -41,7 +41,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ 	stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ 
+@@ -65,7 +65,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = (void *) 0;
+-		insert_vm_struct(current->mm, mpnt);
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, mpnt);
++			return ret;
++		}
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	} 
+ 
+diff -ur linux-2.4.28-gentoo-r2/arch/sparc/mm/fault.c linux-2.4.28-gentoo-r3/arch/sparc/mm/fault.c
+--- linux-2.4.28-gentoo-r2/arch/sparc/mm/fault.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/sparc/mm/fault.c	2004-12-24 14:34:29.544897752 +0000
+@@ -250,8 +250,10 @@
+ 	nopage:		pax_emuplt_nopage,
+ };
+ 
+-static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
+ {
++	int ret;
++
+ 	vma->vm_mm = current->mm;
+ 	vma->vm_start = addr;
+ 	vma->vm_end = addr + PAGE_SIZE;
+@@ -261,8 +263,15 @@
+ 	vma->vm_pgoff = 0UL;
+ 	vma->vm_file = NULL;
+ 	vma->vm_private_data = NULL;
+-	insert_vm_struct(current->mm, vma);
++	ret = insert_vm_struct(current->mm, vma);
++	if(ret != 0)
++	{
++		up_write(&current->mm->mmap_sem);
++		kmem_cache_free(vm_area_cachep, vma);
++		return ret;
++	}
+ 	++current->mm->total_vm;
++	return 0;
+ }
+ 
+ /*
+@@ -423,7 +432,8 @@
+ 					return 1;
+ 				}
+ 
+-				pax_insert_vma(vma, call_dl_resolve);
++				if(pax_insert_vma(vma, call_dl_resolve))
++					return 1; /* VMA overlapping attempt; bye bye! */
+ 				current->mm->call_dl_resolve = call_dl_resolve;
+ 				up_write(&current->mm->mmap_sem);
+ 
+diff -ur linux-2.4.28-gentoo-r2/arch/sparc64/mm/fault.c linux-2.4.28-gentoo-r3/arch/sparc64/mm/fault.c
+--- linux-2.4.28-gentoo-r2/arch/sparc64/mm/fault.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/sparc64/mm/fault.c	2004-12-24 14:34:29.559895472 +0000
+@@ -338,8 +338,10 @@
+ 	nopage:		pax_emuplt_nopage,
+ };
+ 
+-static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
+ {
++	int ret;
++
+ 	vma->vm_mm = current->mm;
+ 	vma->vm_start = addr;
+ 	vma->vm_end = addr + PAGE_SIZE;
+@@ -349,8 +351,15 @@
+ 	vma->vm_pgoff = 0UL; 
+ 	vma->vm_file = NULL;
+ 	vma->vm_private_data = NULL;
+-	insert_vm_struct(current->mm, vma);
++	ret = insert_vm_struct(current->mm, vma);
++	if(ret != 0)
++	{
++		up_write(&current->mm->mmap_sem);
++		kmem_cache_free(vm_area_cachep, vma);
++		return ret;
++	}
+ 	++current->mm->total_vm;
++	return 0;
+ }
+ #endif
+ 
+@@ -609,7 +618,8 @@
+ 					return 1;
+ 				}
+ 
+-				pax_insert_vma(vma, call_dl_resolve);
++				if(pax_insert_vma(vma, call_dl_resolve))
++					return 1; /* VMA overlapping attempt; bye bye! */
+ 				current->mm->call_dl_resolve = call_dl_resolve;
+ 				up_write(&current->mm->mmap_sem);
+ 
+diff -ur linux-2.4.28-gentoo-r2/arch/x86_64/ia32/ia32_binfmt.c linux-2.4.28-gentoo-r3/arch/x86_64/ia32/ia32_binfmt.c
+--- linux-2.4.28-gentoo-r2/arch/x86_64/ia32/ia32_binfmt.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/x86_64/ia32/ia32_binfmt.c	2004-12-24 14:34:29.559895472 +0000
+@@ -225,7 +225,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ 	stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ 
+@@ -250,7 +250,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = (void *) 0;
+-		insert_vm_struct(current->mm, mpnt);
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, mpnt);
++			return ret;
++		}
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	} 
+ 
+diff -ur linux-2.4.28-gentoo-r2/fs/exec.c linux-2.4.28-gentoo-r3/fs/exec.c
+--- linux-2.4.28-gentoo-r2/fs/exec.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/fs/exec.c	2004-12-24 14:35:52.000000000 +0000
+@@ -358,7 +358,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ #ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
+ 	struct vm_area_struct *mpnt_m = NULL;
+@@ -387,7 +387,6 @@
+ 
+ 	down_write(&current->mm->mmap_sem);
+ 	{
+-		struct vm_area_struct *vma;
+ 		mpnt->vm_mm = current->mm;
+ 		mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p;
+ 		mpnt->vm_end = STACK_TOP;
+@@ -402,13 +401,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = (void *) 0;
+-		vma = find_vma(current->mm, mpnt->vm_start);
+-		if (vma) {
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
+ 			up_write(&current->mm->mmap_sem);
+ 			kmem_cache_free(vm_area_cachep, mpnt);
+-			return -ENOMEM;
++			return ret;
+ 		}
+-		insert_vm_struct(current->mm, mpnt);
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 
+ #ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
+diff -ur linux-2.4.28-gentoo-r2/include/linux/mm.h linux-2.4.28-gentoo-r3/include/linux/mm.h
+--- linux-2.4.28-gentoo-r2/include/linux/mm.h	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/include/linux/mm.h	2004-12-24 14:34:29.000000000 +0000
+@@ -577,7 +577,7 @@
+ /* mmap.c */
+ extern void lock_vma_mappings(struct vm_area_struct *);
+ extern void unlock_vma_mappings(struct vm_area_struct *);
+-extern void insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
++extern int insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
+ extern void __insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
+ extern void build_mmap_rb(struct mm_struct *);
+ extern void exit_mmap(struct mm_struct *);
+diff -ur linux-2.4.28-gentoo-r2/mm/mmap.c linux-2.4.28-gentoo-r3/mm/mmap.c
+--- linux-2.4.28-gentoo-r2/mm/mmap.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/mm/mmap.c	2004-12-24 14:34:29.000000000 +0000
+@@ -1480,14 +1480,15 @@
+ 	validate_mm(mm);
+ }
+ 
+-void insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
++int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+ {
+ 	struct vm_area_struct * __vma, * prev;
+ 	rb_node_t ** rb_link, * rb_parent;
+ 
+ 	__vma = find_vma_prepare(mm, vma->vm_start, &prev, &rb_link, &rb_parent);
+ 	if (__vma && __vma->vm_start < vma->vm_end)
+-		BUG();
++		return -ENOMEM;
+ 	vma_link(mm, vma, prev, rb_link, rb_parent);
+ 	validate_mm(mm);
++	return 0;
+ }
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r29.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r30.ebuild
index 0148cfa68f03..fd26b75f8c2d 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r29.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r30.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2004 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r29.ebuild,v 1.1 2004/11/27 20:57:39 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r30.ebuild,v 1.1 2004/12/24 18:23:50 plasmaroo Exp $
 
 IUSE="aavm crypt evms2 usagi"
 
@@ -30,7 +30,7 @@ S=${WORKDIR}/linux-${KV}
 
 DESCRIPTION="Full sources for the Gentoo Kernel."
 SRC_URI="mirror://kernel/linux/kernel/v2.4/linux-${OKV}.tar.bz2
-	 http://dev.gentoo.org/~plasmaroo/patches/kernel/gentoo-sources/patches-${KV/29/28}.tar.bz2
+	 http://dev.gentoo.org/~plasmaroo/patches/kernel/gentoo-sources/patches-${KV/30/28}.tar.bz2
 	 http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/${P}-CAN-2004-0415.patch
 	 http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/${P}-CAN-2004-0814.patch"
 HOMEPAGE="http://www.gentoo.org/ http://www.kernel.org/"
@@ -42,7 +42,7 @@ src_unpack() {
 	unpack ${A}
 	mv linux-${OKV} linux-${KV} || die "Error moving kernel source tree to linux-${KV}"
 
-	cd ${WORKDIR}/${KV/r29/r28}
+	cd ${WORKDIR}/${KV/r30/r28}
 
 	# This is the *ratified* aavm USE flag, enables aavm support in this kernel
 	if ! use aavm; then
@@ -153,6 +153,9 @@ src_unpack() {
 	epatch ${FILESDIR}/${P}-smbfs.patch || die "Failed to apply the SMBFS patch!"
 	epatch ${FILESDIR}/${PN}-2.4.AF_UNIX.patch || die "Failed to apply the AF_UNIX patch!"
 	epatch ${FILESDIR}/${PN}-2.4.binfmt_a.out.patch || die "Failed to apply the binfmt_a.out patch!"
+	epatch ${FILESDIR}/${PN}-2.4.vma.patch || die "Failed to apply the VMA patch!"
+	epatch ${FILESDIR}/${PN}-2.4.22-CAN-2004-1016.patch || die "Failed to apply the CAN-2004-1016 patch!"
+	epatch ${FILESDIR}/${P}-CAN-2004-1056.patch || die "Failed to apply the CAN-2004-1056 patch!"
 }
 
 pkg_postinst() {
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-2.4.22-r20.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-2.4.22-r21.ebuild
index 6e2a4d115342..c38593ab7c7d 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-2.4.22-r20.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-2.4.22-r21.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2004 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.22-r20.ebuild,v 1.1 2004/11/27 20:57:39 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.22-r21.ebuild,v 1.1 2004/12/24 18:23:50 plasmaroo Exp $
 
 ETYPE="sources"
 
@@ -9,7 +9,7 @@ detect_version
 
 UNIPATCH_STRICTORDER='Y'
 UNIPATCH_LIST="
-	${DISTDIR}/gentoo-sources-${PVR/20/5}.patch.bz2
+	${DISTDIR}/gentoo-sources-${PVR/21/5}.patch.bz2
 	${FILESDIR}/${PN}-2.4.munmap.patch
 	${FILESDIR}/${PN}-2.4.CAN-2004-0001.patch
 	${FILESDIR}/${PN}-2.4.CAN-2004-0010.patch
@@ -32,13 +32,17 @@ UNIPATCH_LIST="
 	${FILESDIR}/${PN}-2.4.binfmt_elf.patch
 	${FILESDIR}/${PN}-2.4.20-smbfs.patch
 	${FILESDIR}/${PN}-2.4.AF_UNIX.patch
-	${FILESDIR}/${PN}-2.4.binfmt_a.out.patch"
+	${FILESDIR}/${PN}-2.4.binfmt_a.out.patch
+	${FILESDIR}/${P}-vma.patch
+	${FILESDIR}/${P}-CAN-2004-1016.patch
+	${FILESDIR}/${PN}-2.4.CAN-2004-1056.patch
+	${FILESDIR}/${PN}-2.4.CAN-2004-1137.patch"
 
 S=${WORKDIR}/linux-${KV}
 
 DESCRIPTION="Full sources for the Gentoo Kernel."
 SRC_URI="mirror://kernel/linux/kernel/v2.4/linux-${OKV}.tar.bz2
-	http://dev.gentoo.org/~iggy/gentoo-sources-${PVR/20/5}.patch.bz2
+	http://dev.gentoo.org/~iggy/gentoo-sources-${PVR/21/5}.patch.bz2
 	http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/linux-${OKV}-CAN-2004-0415.patch
 	http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/${P}-CAN-2004-0814.patch"
 KEYWORDS="x86 -*"
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-2.4.25-r13.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-2.4.25-r14.ebuild
index 837a2638b082..68b38553d6a8 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-2.4.25-r13.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-2.4.25-r14.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2004 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.25-r13.ebuild,v 1.1 2004/11/27 20:57:39 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.25-r14.ebuild,v 1.1 2004/12/24 18:23:50 plasmaroo Exp $
 
 ETYPE="sources"
 inherit kernel-2
@@ -31,7 +31,11 @@ UNIPATCH_LIST="
 	${DISTDIR}/linux-2.4.26-CAN-2004-0415.patch
 	${DISTDIR}/${PN}-2.4.22-CAN-2004-0814.patch
 	${FILESDIR}/${PN}-2.4.AF_UNIX.patch
-	${FILESDIR}/${PN}-2.4.binfmt_a.out.patch"
+	${FILESDIR}/${PN}-2.4.binfmt_a.out.patch
+	${FILESDIR}/${PN}-2.4.vma.patch
+	${FILESDIR}/${PN}-2.4.CAN-2004-1016.patch
+	${FILESDIR}/${PN}-2.4.CAN-2004-1056.patch
+	${FILESDIR}/${PN}-2.4.CAN-2004-1137.patch"
 
 DESCRIPTION="Full sources including the gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
 SRC_URI="${KERNEL_URI} http://dev.gentoo.org/~livewire/${P}.patch.bz2
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-2.4.26-r13.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-2.4.26-r14.ebuild
index e006b39ffa1b..bb032d1257ad 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-2.4.26-r13.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-2.4.26-r14.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2004 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.26-r13.ebuild,v 1.1 2004/11/27 20:57:39 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.26-r14.ebuild,v 1.1 2004/12/24 18:23:50 plasmaroo Exp $
 
 ETYPE="sources"
 inherit kernel-2
@@ -11,7 +11,7 @@ IUSE=''
 
 UNIPATCH_STRICTORDER='Y'
 UNIPATCH_LIST="
-	${DISTDIR}/${PF/r13/r6}.tar.bz2
+	${DISTDIR}/${PF/r14/r6}.tar.bz2
 	${FILESDIR}/${PN}-2.4.CAN-2004-0495.patch
 	${FILESDIR}/${PN}-2.4.CAN-2004-0497.patch
 	${FILESDIR}/${PN}-2.4.CAN-2004-0535.patch
@@ -25,9 +25,13 @@ UNIPATCH_LIST="
 	${DISTDIR}/linux-${OKV}-CAN-2004-0415.patch
 	${DISTDIR}/${PN}-2.4.22-CAN-2004-0814.patch
 	${FILESDIR}/${PN}-2.4.AF_UNIX.patch
-	${FILESDIR}/${PN}-2.4.binfmt_a.out.patch"
+	${FILESDIR}/${PN}-2.4.binfmt_a.out.patch
+	${FILESDIR}/${PN}-2.4.vma.patch
+	${FILESDIR}/${PN}-2.4.CAN-2004-1016.patch
+	${FILESDIR}/${PN}-2.4.CAN-2004-1056.patch
+	${FILESDIR}/${PN}-2.4.CAN-2004-1137.patch"
 
 DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} http://dev.gentoo.org/~plasmaroo/patches/kernel/gentoo-sources/${PF/r13/r6}.tar.bz2
+SRC_URI="${KERNEL_URI} http://dev.gentoo.org/~plasmaroo/patches/kernel/gentoo-sources/${PF/r14/r6}.tar.bz2
 	 http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/linux-${OKV}-CAN-2004-0415.patch
 	 http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/${PN}-2.4.22-CAN-2004-0814.patch"
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-2.4.27-r5.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-2.4.27-r6.ebuild
index e110180e81e7..78a6b5785229 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-2.4.27-r5.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-2.4.27-r6.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2004 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.27-r5.ebuild,v 1.1 2004/11/27 20:57:39 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.27-r6.ebuild,v 1.1 2004/12/24 18:23:50 plasmaroo Exp $
 
 ETYPE="sources"
 inherit kernel-2
@@ -10,16 +10,20 @@ KEYWORDS="~x86 -ppc"
 IUSE=''
 
 UNIPATCH_STRICTORDER='Y'
-UNIPATCH_LIST="${DISTDIR}/${PF/r5/r1}.tar.bz2
+UNIPATCH_LIST="${DISTDIR}/${PF/r6/r1}.tar.bz2
 	${DISTDIR}/${PN}-2.4.22-CAN-2004-0814.patch
 	${FILESDIR}/${PN}-2.4.cmdlineLeak.patch
 	${FILESDIR}/${PN}-2.4.XDRWrapFix.patch
 	${FILESDIR}/${PN}-2.4.binfmt_elf.patch
 	${FILESDIR}/${PN}-2.4.smbfs.patch
 	${FILESDIR}/${PN}-2.4.AF_UNIX.patch
-	${FILESDIR}/${PN}-2.4.binfmt_a.out.patch"
+	${FILESDIR}/${PN}-2.4.binfmt_a.out.patch
+	${FILESDIR}/${PN}-2.4.vma.patch
+	${FILESDIR}/${PN}-2.4.CAN-2004-1016.patch
+	${FILESDIR}/${PN}-2.4.CAN-2004-1056.patch
+	${FILESDIR}/${PN}-2.4.CAN-2004-1137.patch"
 
 DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} http://dev.gentoo.org/~plasmaroo/patches/kernel/gentoo-sources/${PF/r5/r1}.tar.bz2
+SRC_URI="${KERNEL_URI} http://dev.gentoo.org/~plasmaroo/patches/kernel/gentoo-sources/${PF/r6/r1}.tar.bz2
 	 http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/${PN}-2.4.22-CAN-2004-0814.patch"
 
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-2.4.28-r2.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-2.4.28-r3.ebuild
index be683d4194bd..81c28a2bc57c 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-2.4.28-r2.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-2.4.28-r3.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2004 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.28-r2.ebuild,v 1.1 2004/11/27 20:57:39 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.28-r3.ebuild,v 1.1 2004/12/24 18:23:50 plasmaroo Exp $
 
 ETYPE="sources"
 inherit kernel-2
@@ -10,11 +10,15 @@ KEYWORDS="~x86 -ppc"
 IUSE=''
 
 UNIPATCH_STRICTORDER='Y'
-UNIPATCH_LIST="${DISTDIR}/${PF/r2/r1}.tar.bz2
+UNIPATCH_LIST="${DISTDIR}/${PF/r3/r1}.tar.bz2
 	${DISTDIR}/${PN}-2.4.22-CAN-2004-0814.patch
 	${FILESDIR}/${PN}-2.4.cmdlineLeak.patch
-	${FILESDIR}/${PN}-2.4.binfmt_a.out.patch"
+	${FILESDIR}/${PN}-2.4.binfmt_a.out.patch
+	${FILESDIR}/${PN}-2.4.vma.patch
+	${FILESDIR}/${PN}-2.4.CAN-2004-1016.patch
+	${FILESDIR}/${PN}-2.4.CAN-2004-1056.patch
+	${FILESDIR}/${PN}-2.4.CAN-2004-1137.patch"
 
 DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} http://dev.gentoo.org/~plasmaroo/patches/kernel/gentoo-sources/${PF/r2/r1}.tar.bz2
+SRC_URI="${KERNEL_URI} http://dev.gentoo.org/~plasmaroo/patches/kernel/gentoo-sources/${PF/r3/r1}.tar.bz2
 	 http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/${PN}-2.4.22-CAN-2004-0814.patch"