Security bump; bugs #72452, #74392, #74464.

7 files changed, 749 insertions, 7 deletions

diff --git a/sys-kernel/alpha-sources/ChangeLog b/sys-kernel/alpha-sources/ChangeLog
index b0e4be4dd36f..793cec236775 100644
--- a/sys-kernel/alpha-sources/ChangeLog
+++ b/sys-kernel/alpha-sources/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for sys-kernel/alpha-sources
 # Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/alpha-sources/ChangeLog,v 1.38 2004/11/27 17:22:56 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/alpha-sources/ChangeLog,v 1.39 2004/12/24 15:33:50 plasmaroo Exp $
+
+*alpha-sources-2.4.21-r17 (24 Dec 2004)
+
+  24 Dec 2004; <plasmaroo@gentoo.org> -alpha-sources-2.4.21-r16.ebuild,
+  +alpha-sources-2.4.21-r17.ebuild, +files/alpha-sources.CAN-2004-1016.patch,
+  +files/alpha-sources.CAN-2004-1056.patch, +files/alpha-sources.vma.patch:
+  Security bump; bugs #72452, #74392, #74464.
 
 *alpha-sources-2.4.21-r16 (27 Nov 2004)
 
diff --git a/sys-kernel/alpha-sources/Manifest b/sys-kernel/alpha-sources/Manifest
index b66d450331fe..250e1b06f34d 100644
--- a/sys-kernel/alpha-sources/Manifest
+++ b/sys-kernel/alpha-sources/Manifest
@@ -1,6 +1,7 @@
-MD5 5b33ee28ca94333ee96be884d2c00f71 alpha-sources-2.4.21-r16.ebuild 4779
-MD5 f24529241dd1b78a6aa2b29b0645b0cc ChangeLog 7263
+MD5 5317bf9f386df1da174ad192c535a9c3 alpha-sources-2.4.21-r17.ebuild 5047
+MD5 a7b72aeac75dba580bfa853f1465c52a ChangeLog 7577
 MD5 2b3ddb8b8b15f8da35ade38544b57857 files/alpha-sources.XDRWrapFix.patch 1499
+MD5 6ed89b8ac0b47a4c25d3a616ef9245cc files/alpha-sources.vma.patch 11369
 MD5 5bf9836a632a861728d33f9736bb7431 files/alpha-sources.CAN-2004-0133.patch 427
 MD5 d1ccc2047be533c992f67270a150a210 files/alpha-sources.cmdlineLeak.patch 388
 MD5 c460ea130cb4ae84a5063ba044e3ce72 files/alpha-sources.CAN-2004-0427.patch 460
@@ -16,11 +17,13 @@ MD5 174438d215b70cad5ffb00ca8123c062 files/alpha-sources.munmap.patch 837
 MD5 60d25ff310fc6abfdce39ec9e47345af files/alpha-sources.CAN-2004-0685.patch 2809
 MD5 3bdf00d5f80fe9dfbfe8220e076cd04c files/alpha-sources.CAN-2004-0497.patch 707
 MD5 e77a93fdf26f06cf3ea5080b27211725 files/alpha-sources.CAN-2003-0985.patch 414
+MD5 76cc0c8530da5b9d8f6db7182df4d591 files/digest-alpha-sources-2.4.21-r17 304
 MD5 9971231cef0a944990e47a3c1e4b717c files/alpha-sources.smbfs.patch 2790
 MD5 de75cfa969ed092578d9ddda6c5be334 files/alpha-sources.CAN-2004-0181.patch 1233
 MD5 eaeda68a619caaddd5b8fdc5e7c39932 files/alpha-sources.CAN-2004-0177.patch 384
 MD5 21f3a4f186017d925067335e24db36a1 files/alpha-sources.CAN-2004-0109.patch 1877
 MD5 ac42024b6e6ee1e2165914db4b22a61c files/alpha-sources.CAN-2004-0178.patch 424
-MD5 76cc0c8530da5b9d8f6db7182df4d591 files/digest-alpha-sources-2.4.21-r16 304
 MD5 082e410301c2522521b0d3843db19c9e files/alpha-sources.CAN-2004-0535.patch 502
+MD5 e47f4118ace22fbcd917d36fdc648c3c files/alpha-sources.CAN-2004-1056.patch 11020
+MD5 370cc17582bbb17605090009d24eba51 files/alpha-sources.CAN-2004-1016.patch 2168
 MD5 e637c6fa41097ea2c4693d0766f2e1c5 files/do_brk_fix.patch 242
diff --git a/sys-kernel/alpha-sources/alpha-sources-2.4.21-r16.ebuild b/sys-kernel/alpha-sources/alpha-sources-2.4.21-r17.ebuild
index 94a35ab5d985..6f049e4f6ed4 100644
--- a/sys-kernel/alpha-sources/alpha-sources-2.4.21-r16.ebuild
+++ b/sys-kernel/alpha-sources/alpha-sources-2.4.21-r17.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2004 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/alpha-sources/alpha-sources-2.4.21-r16.ebuild,v 1.1 2004/11/27 17:22:56 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/alpha-sources/alpha-sources-2.4.21-r17.ebuild,v 1.1 2004/12/24 15:33:50 plasmaroo Exp $
 
 # OKV=original kernel version, KV=patched kernel version.  They can be the same.
 
@@ -16,7 +16,7 @@ S=${WORKDIR}/linux-${KV}
 
 DESCRIPTION="Full sources for the Gentoo Linux Alpha kernel"
 SRC_URI="mirror://kernel/linux/kernel/v2.4/linux-${OKV}.tar.bz2
-	mirror://gentoo/patches-${KV/16/3}.tar.bz2
+	mirror://gentoo/patches-${KV/17/3}.tar.bz2
 	http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/linux-${OKV}-CAN-2004-0415.patch
 	http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/${P}-CAN-2004-0814.patch"
 SLOT="${KV}"
@@ -25,7 +25,7 @@ KEYWORDS="alpha -sparc -x86 -ppc -hppa -mips"
 src_unpack() {
 	unpack ${A}
 	mv linux-${OKV} linux-${KV} || die
-	cd ${WORKDIR}/${KV/16/1}
+	cd ${WORKDIR}/${KV/17/1}
 
 	# This is the crypt USE flag, keeps {USAGI/superfreeswan/patch-int/loop-jari}
 	if ! use crypt; then
@@ -84,6 +84,9 @@ src_unpack() {
 	epatch ${FILESDIR}/${PN}.smbfs.patch || die "Failed to apply the SMBFS fix!"
 	epatch ${FILESDIR}/${PN}.AF_UNIX.patch || die "Failed to apply the AF_UNIX patch!"
 	epatch ${FILESDIR}/${PN}.binfmt_a.out.patch || die "Failed to apply the a.out patch!"
+	epatch ${FILESDIR}/${PN}.vma.patch || die "Failed to apply the VMA patch!"
+	epatch ${FILESDIR}/${PN}.CAN-2004-1016.patch || die "Failed to apply the CAN-2004-1016 patch!"
+	epatch ${FILESDIR}/${PN}.CAN-2004-1056.patch || die "Failed to apply the CAN-2004-1056 patch!"
 
 	# Fix multi-line literal in include/asm-alpha/xor.h -- see bug 38354
 	# If this script "dies" then that means it's no longer applicable.
diff --git a/sys-kernel/alpha-sources/files/alpha-sources.CAN-2004-1016.patch b/sys-kernel/alpha-sources/files/alpha-sources.CAN-2004-1016.patch
new file mode 100644
index 000000000000..ad0b0dde0d47
--- /dev/null
+++ b/sys-kernel/alpha-sources/files/alpha-sources.CAN-2004-1016.patch
@@ -0,0 +1,58 @@
+===== include/linux/socket.h 1.12 vs edited =====
+--- 1.12/include/linux/socket.h	2004-09-09 06:40:01 +10:00
++++ edited/include/linux/socket.h	2004-11-27 11:53:40 +11:00
+@@ -90,6 +90,10 @@
+ 				  (struct cmsghdr *)(ctl) : \
+ 				  (struct cmsghdr *)NULL)
+ #define CMSG_FIRSTHDR(msg)	__CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \
++			     (cmsg)->cmsg_len <= (unsigned long) \
++			     ((mhdr)->msg_controllen - \
++			      ((char *)(cmsg) - (char *)(mhdr)->msg_control)))
+ 
+ /*
+  *	This mess will go away with glibc
+===== net/core/scm.c 1.10 vs edited =====
+--- 1.10/net/core/scm.c	2004-05-31 05:08:14 +10:00
++++ edited/net/core/scm.c	2004-11-27 11:48:55 +11:00
+@@ -127,9 +127,7 @@
+ 		   for too short ancillary data object at all! Oops.
+ 		   OK, let's add it...
+ 		 */
+-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+-				    + cmsg->cmsg_len) > msg->msg_controllen)
++		if (!CMSG_OK(msg, cmsg))
+ 			goto error;
+ 
+ 		if (cmsg->cmsg_level != SOL_SOCKET)
+===== net/ipv4/ip_sockglue.c 1.26 vs edited =====
+--- 1.26/net/ipv4/ip_sockglue.c	2004-07-01 06:10:53 +10:00
++++ edited/net/ipv4/ip_sockglue.c	2004-11-27 11:49:45 +11:00
+@@ -146,11 +146,8 @@
+ 	struct cmsghdr *cmsg;
+ 
+ 	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
+-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+-				    + cmsg->cmsg_len) > msg->msg_controllen) {
++		if (!CMSG_OK(msg, cmsg))
+ 			return -EINVAL;
+-		}
+ 		if (cmsg->cmsg_level != SOL_IP)
+ 			continue;
+ 		switch (cmsg->cmsg_type) {
+===== net/ipv6/datagram.c 1.20 vs edited =====
+--- 1.20/net/ipv6/datagram.c	2004-11-10 17:57:03 +11:00
++++ edited/net/ipv6/datagram.c	2004-11-27 11:51:15 +11:00
+@@ -427,9 +427,7 @@
+ 		int addr_type;
+ 		struct net_device *dev = NULL;
+ 
+-		if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+-		    (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+-				    + cmsg->cmsg_len) > msg->msg_controllen) {
++		if (!CMSG_OK(msg, cmsg)) {
+ 			err = -EINVAL;
+ 			goto exit_f;
+ 		}
diff --git a/sys-kernel/alpha-sources/files/alpha-sources.CAN-2004-1056.patch b/sys-kernel/alpha-sources/files/alpha-sources.CAN-2004-1056.patch
new file mode 100644
index 000000000000..b0b2a6d65598
--- /dev/null
+++ b/sys-kernel/alpha-sources/files/alpha-sources.CAN-2004-1056.patch
@@ -0,0 +1,319 @@
+diff -ur linux-2.4.22/drivers/char/drm/i810.h linux-2.4.22.plasmaroo/drivers/char/drm/i810.h
+--- linux-2.4.22/drivers/char/drm/i810.h	2001-08-08 17:42:14.000000000 +0100
++++ linux-2.4.22.plasmaroo/drivers/char/drm/i810.h	2004-12-24 14:56:13.644644456 +0000
+@@ -113,4 +113,14 @@
+ #define DRIVER_AGP_BUFFERS_MAP( dev )					\
+ 	((drm_i810_private_t *)((dev)->dev_private))->buffer_map
+ 
++#define LOCK_TEST_WITH_RETURN( dev )                                    \
++do {                                                                    \
++        if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) ||           \
++             dev->lock.pid != current->pid ) {                          \
++                DRM_ERROR( "%s called without lock held\n",             \
++                           __FUNCTION__ );                              \
++                return -EINVAL;                                         \
++        }                                                               \
++} while (0)
++
+ #endif
+diff -ur linux-2.4.22/drivers/char/drm/i810_dma.c linux-2.4.22.plasmaroo/drivers/char/drm/i810_dma.c
+--- linux-2.4.22/drivers/char/drm/i810_dma.c	2002-11-28 23:53:12.000000000 +0000
++++ linux-2.4.22.plasmaroo/drivers/char/drm/i810_dma.c	2004-12-24 14:57:28.626245520 +0000
+@@ -1071,10 +1071,7 @@
+    	drm_device_t	  *dev	  = priv->dev;
+ 
+    	DRM_DEBUG("i810_flush_ioctl\n");
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_flush_ioctl called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+    	i810_flush_queue(dev);
+    	return 0;
+@@ -1096,10 +1093,7 @@
+ 	if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex)))
+ 		return -EFAULT;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma_vertex called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+ 	DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
+ 		  vertex.idx, vertex.used, vertex.discard);
+@@ -1130,10 +1124,7 @@
+    	if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear)))
+ 		return -EFAULT;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_clear_bufs called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+  	/* GH: Someone's doing nasty things... */
+  	if (!dev->dev_private) {
+@@ -1154,10 +1145,7 @@
+ 
+ 	DRM_DEBUG("i810_swap_bufs\n");
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_swap_buf called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	i810_dma_dispatch_swap( dev );
+    	return 0;
+@@ -1193,10 +1181,7 @@
+    	if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d)))
+ 		return -EFAULT;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	d.granted = 0;
+ 
+@@ -1226,10 +1211,7 @@
+ 	drm_i810_buf_priv_t *buf_priv;
+ 	drm_device_dma_t *dma = dev->dma;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+    	if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
+ 		return -EFAULT;
+@@ -1334,11 +1316,7 @@
+ 	if (copy_from_user(&mc, (drm_i810_mc_t *)arg, sizeof(mc)))
+ 		return -EFAULT;
+ 
+-
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma_mc called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	i810_dma_dispatch_mc(dev, dma->buflist[mc.idx], mc.used,
+ 		mc.last_render );
+@@ -1382,10 +1360,7 @@
+ 	drm_device_t *dev = priv->dev;
+ 	drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_fstatus called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 	return I810_READ(0x30008);
+ }
+ 
+@@ -1396,10 +1371,7 @@
+ 	drm_device_t *dev = priv->dev;
+ 	drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_ov0_flip called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	//Tell the overlay to update
+ 	I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
+diff -ur linux-2.4.22/drivers/char/drm/i830.h linux-2.4.22.plasmaroo/drivers/char/drm/i830.h
+--- linux-2.4.22/drivers/char/drm/i830.h	2002-11-28 23:53:12.000000000 +0000
++++ linux-2.4.22.plasmaroo/drivers/char/drm/i830.h	2004-12-24 14:56:13.658642328 +0000
+@@ -113,4 +113,14 @@
+ #define DRIVER_AGP_BUFFERS_MAP( dev )					\
+ 	((drm_i830_private_t *)((dev)->dev_private))->buffer_map
+ 
++#define LOCK_TEST_WITH_RETURN( dev )                                    \
++do {                                                                    \
++        if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) ||           \
++             dev->lock.pid != current->pid ) {                          \
++                DRM_ERROR( "%s called without lock held\n",             \
++                           __FUNCTION__ );                              \
++                return -EINVAL;                                         \
++        }                                                               \
++} while (0)
++
+ #endif
+diff -ur linux-2.4.22/drivers/char/drm/i830_dma.c linux-2.4.22.plasmaroo/drivers/char/drm/i830_dma.c
+--- linux-2.4.22/drivers/char/drm/i830_dma.c	2002-11-28 23:53:12.000000000 +0000
++++ linux-2.4.22.plasmaroo/drivers/char/drm/i830_dma.c	2004-12-24 14:57:55.225201864 +0000
+@@ -1187,10 +1187,8 @@
+    	drm_device_t	  *dev	  = priv->dev;
+    
+    	DRM_DEBUG("i830_flush_ioctl\n");
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_flush_ioctl called without lock held\n");
+-		return -EINVAL;
+-	}
++
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+    	i830_flush_queue(dev);
+    	return 0;
+@@ -1211,10 +1209,7 @@
+ 	if (copy_from_user(&vertex, (drm_i830_vertex_t *)arg, sizeof(vertex)))
+ 		return -EFAULT;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_dma_vertex called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
+ 		  vertex.idx, vertex.used, vertex.discard);
+@@ -1241,10 +1236,7 @@
+    	if (copy_from_user(&clear, (drm_i830_clear_t *)arg, sizeof(clear)))
+ 		return -EFAULT;
+    
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_clear_bufs called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	/* GH: Someone's doing nasty things... */
+ 	if (!dev->dev_private) {
+@@ -1266,10 +1258,7 @@
+    
+ 	DRM_DEBUG("i830_swap_bufs\n");
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_swap_buf called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 
+ 	i830_dma_dispatch_swap( dev );
+    	return 0;
+@@ -1305,10 +1294,7 @@
+    	if (copy_from_user(&d, (drm_i830_dma_t *)arg, sizeof(d)))
+ 		return -EFAULT;
+    
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev); 
+ 	
+ 	d.granted = 0;
+ 
+@@ -1338,10 +1324,7 @@
+ 	drm_i830_buf_priv_t *buf_priv;
+ 	drm_device_dma_t *dma = dev->dma;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i830_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+    
+    	if (copy_from_user(&d, (drm_i830_copy_t *)arg, sizeof(d)))
+ 		return -EFAULT;
+diff -ur linux-2.4.22/drivers/char/drm-4.0/drmP.h linux-2.4.22.plasmaroo/drivers/char/drm-4.0/drmP.h
+--- linux-2.4.22/drivers/char/drm-4.0/drmP.h	2002-02-25 19:37:57.000000000 +0000
++++ linux-2.4.22.plasmaroo/drivers/char/drm-4.0/drmP.h	2004-12-24 14:56:16.389227216 +0000
+@@ -294,6 +294,16 @@
+ #define DRM_BUFCOUNT(x) ((x)->count - DRM_LEFTCOUNT(x))
+ #define DRM_WAITCOUNT(dev,idx) DRM_BUFCOUNT(&dev->queuelist[idx]->waitlist)
+ 
++#define LOCK_TEST_WITH_RETURN( dev )                                    \
++do {                                                                    \
++        if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) ||           \
++             dev->lock.pid != current->pid ) {                          \
++                DRM_ERROR( "%s called without lock held\n",             \
++                           __FUNCTION__ );                              \
++                return -EINVAL;                                         \
++        }                                                               \
++} while (0)
++
+ typedef int drm_ioctl_t(struct inode *inode, struct file *filp,
+ 			unsigned int cmd, unsigned long arg);
+ 
+diff -ur linux-2.4.22/drivers/char/drm-4.0/i810_dma.c linux-2.4.22.plasmaroo/drivers/char/drm-4.0/i810_dma.c
+--- linux-2.4.22/drivers/char/drm-4.0/i810_dma.c	2003-06-13 15:51:32.000000000 +0100
++++ linux-2.4.22.plasmaroo/drivers/char/drm-4.0/i810_dma.c	2004-12-24 14:56:16.401225392 +0000
+@@ -1249,10 +1249,7 @@
+    	drm_device_t	  *dev	  = priv->dev;
+    
+    	DRM_DEBUG("i810_flush_ioctl\n");
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_flush_ioctl called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+    	i810_flush_queue(dev);
+    	return 0;
+@@ -1274,10 +1271,7 @@
+ 	if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex)))
+ 		return -EFAULT;
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma_vertex called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+ 	DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
+ 		  vertex.idx, vertex.used, vertex.discard);
+@@ -1308,10 +1302,7 @@
+    	if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear)))
+ 		return -EFAULT;
+    
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_clear_bufs called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+ 	i810_dma_dispatch_clear( dev, clear.flags, 
+ 				 clear.clear_color, 
+@@ -1327,10 +1318,7 @@
+    
+ 	DRM_DEBUG("i810_swap_bufs\n");
+ 
+-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_swap_buf called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 
+ 	i810_dma_dispatch_swap( dev );
+    	return 0;
+@@ -1366,10 +1354,7 @@
+    	if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d)))
+ 		return -EFAULT;
+    
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+ 	
+ 	d.granted = 0;
+ 
+@@ -1399,10 +1384,7 @@
+ 	drm_i810_buf_priv_t *buf_priv;
+ 	drm_device_dma_t *dma = dev->dma;
+ 
+-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+-		DRM_ERROR("i810_dma called without lock held\n");
+-		return -EINVAL;
+-	}
++	LOCK_TEST_WITH_RETURN(dev);
+    
+    	if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
+ 		return -EFAULT;
diff --git a/sys-kernel/alpha-sources/files/alpha-sources.vma.patch b/sys-kernel/alpha-sources/files/alpha-sources.vma.patch
new file mode 100644
index 000000000000..188da50f6655
--- /dev/null
+++ b/sys-kernel/alpha-sources/files/alpha-sources.vma.patch
@@ -0,0 +1,352 @@
+diff -ur linux-2.4.28-gentoo-r2/arch/ia64/ia32/binfmt_elf32.c linux-2.4.28-gentoo-r3/arch/ia64/ia32/binfmt_elf32.c
+--- linux-2.4.28-gentoo-r2/arch/ia64/ia32/binfmt_elf32.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/ia64/ia32/binfmt_elf32.c	2004-12-24 14:34:29.531899728 +0000
+@@ -95,7 +95,11 @@
+ 		vma->vm_private_data = NULL;
+ 		down_write(&current->mm->mmap_sem);
+ 		{
+-			insert_vm_struct(current->mm, vma);
++			if (insert_vm_struct(current->mm, vma)) {
++				kmem_cache_free(vm_area_cachep, vma);
++				up_write(&current->mm->mmap_sem);
++				return;
++			}
+ 		}
+ 		up_write(&current->mm->mmap_sem);
+ 	}
+@@ -117,7 +121,11 @@
+ 		vma->vm_private_data = NULL;
+ 		down_write(&current->mm->mmap_sem);
+ 		{
+-			insert_vm_struct(current->mm, vma);
++			if (insert_vm_struct(current->mm, vma)) {
++				kmem_cache_free(vm_area_cachep, vma);
++				up_write(&current->mm->mmap_sem);
++				return;
++			}
+ 		}
+ 		up_write(&current->mm->mmap_sem);
+ 	}
+@@ -164,7 +172,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ 	stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ 
+@@ -188,7 +196,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = 0;
+-		insert_vm_struct(current->mm, mpnt);
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, mpnt);
++			return ret;
++		}
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	}
+ 
+diff -ur linux-2.4.28-gentoo-r2/arch/ia64/kernel/perfmon.c linux-2.4.28-gentoo-r3/arch/ia64/kernel/perfmon.c
+--- linux-2.4.28-gentoo-r2/arch/ia64/kernel/perfmon.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/ia64/kernel/perfmon.c	2004-12-24 14:34:29.534899272 +0000
+@@ -967,7 +967,8 @@
+ 	 * now insert the vma in the vm list for the process, must be
+ 	 * done with mmap lock held
+ 	 */
+-	insert_vm_struct(mm, vma);
++	if(insert_vm_struct(mm, vma)) /* Handle -ENOMEM et al. */
++		goto error;
+ 
+ 	mm->total_vm  += size >> PAGE_SHIFT;
+ 
+diff -ur linux-2.4.28-gentoo-r2/arch/ia64/mm/init.c linux-2.4.28-gentoo-r3/arch/ia64/mm/init.c
+--- linux-2.4.28-gentoo-r2/arch/ia64/mm/init.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/ia64/mm/init.c	2004-12-24 14:34:29.535899120 +0000
+@@ -105,7 +105,13 @@
+ 		vma->vm_pgoff = 0;
+ 		vma->vm_file = NULL;
+ 		vma->vm_private_data = NULL;
+-		insert_vm_struct(current->mm, vma);
++		down_write(&current->mm->mmap_sem);
++		if (insert_vm_struct(current->mm, vma)) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, vma);
++			return;
++		}
++		up_write(&current->mm->mmap_sem);
+ 	}
+ 
+ 	/* map NaT-page at address zero to speed up speculative dereferencing of NULL: */
+@@ -117,7 +123,13 @@
+ 			vma->vm_end = PAGE_SIZE;
+ 			vma->vm_page_prot = __pgprot(pgprot_val(PAGE_READONLY) | _PAGE_MA_NAT);
+ 			vma->vm_flags = VM_READ | VM_MAYREAD | VM_IO | VM_RESERVED;
+-			insert_vm_struct(current->mm, vma);
++			down_write(&current->mm->mmap_sem);
++			if (insert_vm_struct(current->mm, vma)) {
++				up_write(&current->mm->mmap_sem);
++				kmem_cache_free(vm_area_cachep, vma);
++				return;
++			}
++			up_write(&current->mm->mmap_sem);
+ 		}
+ 	}
+ }
+diff -ur linux-2.4.28-gentoo-r2/arch/ppc/mm/fault.c linux-2.4.28-gentoo-r3/arch/ppc/mm/fault.c
+--- linux-2.4.28-gentoo-r2/arch/ppc/mm/fault.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/ppc/mm/fault.c	2004-12-24 14:34:29.543897904 +0000
+@@ -83,8 +83,10 @@
+ 	nopage:		pax_syscall_nopage,
+ };
+ 
+-static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
+ {
++	int ret;
++
+ 	vma->vm_mm = current->mm;
+ 	vma->vm_start = addr;
+ 	vma->vm_end = addr + PAGE_SIZE;
+@@ -94,8 +96,15 @@
+ 	vma->vm_pgoff = 0UL;
+ 	vma->vm_file = NULL;
+ 	vma->vm_private_data = NULL;
+-	insert_vm_struct(current->mm, vma);
++	ret = insert_vm_struct(current->mm, vma);
++	if(ret != 0)
++	{
++		up_write(&current->mm->mmap_sem);
++		kmem_cache_free(vm_area_cachep, vma);
++		return ret;
++	}
+ 	++current->mm->total_vm;
++	return 0;
+ }
+ #endif
+ 
+@@ -333,7 +342,8 @@
+ 				return 1;
+ 			}
+ 
+-			pax_insert_vma(vma, call_syscall);
++			if(pax_insert_vma(vma, call_syscall))
++				return 1; /* VMA overlapping attempt; bye bye! */
+ 			current->mm->call_syscall = call_syscall;
+ 			up_write(&current->mm->mmap_sem);
+ 
+@@ -377,7 +387,8 @@
+ 				return 1;
+ 			}
+ 
+-			pax_insert_vma(vma, call_syscall);
++			if(pax_insert_vma(vma, call_syscall))
++				return 1; /* VMA overlapping attempt; bye bye! */
+ 			current->mm->call_syscall = call_syscall;
+ 			up_write(&current->mm->mmap_sem);
+ 
+diff -ur linux-2.4.28-gentoo-r2/arch/s390x/kernel/exec32.c linux-2.4.28-gentoo-r3/arch/s390x/kernel/exec32.c
+--- linux-2.4.28-gentoo-r2/arch/s390x/kernel/exec32.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/s390x/kernel/exec32.c	2004-12-24 14:34:29.543897904 +0000
+@@ -41,7 +41,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ 	stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ 
+@@ -65,7 +65,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = (void *) 0;
+-		insert_vm_struct(current->mm, mpnt);
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, mpnt);
++			return ret;
++		}
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	} 
+ 
+diff -ur linux-2.4.28-gentoo-r2/arch/sparc/mm/fault.c linux-2.4.28-gentoo-r3/arch/sparc/mm/fault.c
+--- linux-2.4.28-gentoo-r2/arch/sparc/mm/fault.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/sparc/mm/fault.c	2004-12-24 14:34:29.544897752 +0000
+@@ -250,8 +250,10 @@
+ 	nopage:		pax_emuplt_nopage,
+ };
+ 
+-static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
+ {
++	int ret;
++
+ 	vma->vm_mm = current->mm;
+ 	vma->vm_start = addr;
+ 	vma->vm_end = addr + PAGE_SIZE;
+@@ -261,8 +263,15 @@
+ 	vma->vm_pgoff = 0UL;
+ 	vma->vm_file = NULL;
+ 	vma->vm_private_data = NULL;
+-	insert_vm_struct(current->mm, vma);
++	ret = insert_vm_struct(current->mm, vma);
++	if(ret != 0)
++	{
++		up_write(&current->mm->mmap_sem);
++		kmem_cache_free(vm_area_cachep, vma);
++		return ret;
++	}
+ 	++current->mm->total_vm;
++	return 0;
+ }
+ 
+ /*
+@@ -423,7 +432,8 @@
+ 					return 1;
+ 				}
+ 
+-				pax_insert_vma(vma, call_dl_resolve);
++				if(pax_insert_vma(vma, call_dl_resolve))
++					return 1; /* VMA overlapping attempt; bye bye! */
+ 				current->mm->call_dl_resolve = call_dl_resolve;
+ 				up_write(&current->mm->mmap_sem);
+ 
+diff -ur linux-2.4.28-gentoo-r2/arch/sparc64/mm/fault.c linux-2.4.28-gentoo-r3/arch/sparc64/mm/fault.c
+--- linux-2.4.28-gentoo-r2/arch/sparc64/mm/fault.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/sparc64/mm/fault.c	2004-12-24 14:34:29.559895472 +0000
+@@ -338,8 +338,10 @@
+ 	nopage:		pax_emuplt_nopage,
+ };
+ 
+-static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
+ {
++	int ret;
++
+ 	vma->vm_mm = current->mm;
+ 	vma->vm_start = addr;
+ 	vma->vm_end = addr + PAGE_SIZE;
+@@ -349,8 +351,15 @@
+ 	vma->vm_pgoff = 0UL; 
+ 	vma->vm_file = NULL;
+ 	vma->vm_private_data = NULL;
+-	insert_vm_struct(current->mm, vma);
++	ret = insert_vm_struct(current->mm, vma);
++	if(ret != 0)
++	{
++		up_write(&current->mm->mmap_sem);
++		kmem_cache_free(vm_area_cachep, vma);
++		return ret;
++	}
+ 	++current->mm->total_vm;
++	return 0;
+ }
+ #endif
+ 
+@@ -609,7 +618,8 @@
+ 					return 1;
+ 				}
+ 
+-				pax_insert_vma(vma, call_dl_resolve);
++				if(pax_insert_vma(vma, call_dl_resolve))
++					return 1; /* VMA overlapping attempt; bye bye! */
+ 				current->mm->call_dl_resolve = call_dl_resolve;
+ 				up_write(&current->mm->mmap_sem);
+ 
+diff -ur linux-2.4.28-gentoo-r2/arch/x86_64/ia32/ia32_binfmt.c linux-2.4.28-gentoo-r3/arch/x86_64/ia32/ia32_binfmt.c
+--- linux-2.4.28-gentoo-r2/arch/x86_64/ia32/ia32_binfmt.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/arch/x86_64/ia32/ia32_binfmt.c	2004-12-24 14:34:29.559895472 +0000
+@@ -225,7 +225,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ 	stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ 
+@@ -250,7 +250,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = (void *) 0;
+-		insert_vm_struct(current->mm, mpnt);
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, mpnt);
++			return ret;
++		}
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	} 
+ 
+diff -ur linux-2.4.28-gentoo-r2/fs/exec.c linux-2.4.28-gentoo-r3/fs/exec.c
+--- linux-2.4.28-gentoo-r2/fs/exec.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/fs/exec.c	2004-12-24 14:35:52.000000000 +0000
+@@ -358,7 +358,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ #ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
+ 	struct vm_area_struct *mpnt_m = NULL;
+@@ -387,7 +387,6 @@
+ 
+ 	down_write(&current->mm->mmap_sem);
+ 	{
+-		struct vm_area_struct *vma;
+ 		mpnt->vm_mm = current->mm;
+ 		mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p;
+ 		mpnt->vm_end = STACK_TOP;
+@@ -402,13 +401,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = (void *) 0;
+-		vma = find_vma(current->mm, mpnt->vm_start);
+-		if (vma) {
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
+ 			up_write(&current->mm->mmap_sem);
+ 			kmem_cache_free(vm_area_cachep, mpnt);
+-			return -ENOMEM;
++			return ret;
+ 		}
+-		insert_vm_struct(current->mm, mpnt);
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 
+ #ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
+diff -ur linux-2.4.28-gentoo-r2/include/linux/mm.h linux-2.4.28-gentoo-r3/include/linux/mm.h
+--- linux-2.4.28-gentoo-r2/include/linux/mm.h	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/include/linux/mm.h	2004-12-24 14:34:29.000000000 +0000
+@@ -577,7 +577,7 @@
+ /* mmap.c */
+ extern void lock_vma_mappings(struct vm_area_struct *);
+ extern void unlock_vma_mappings(struct vm_area_struct *);
+-extern void insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
++extern int insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
+ extern void __insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
+ extern void build_mmap_rb(struct mm_struct *);
+ extern void exit_mmap(struct mm_struct *);
+diff -ur linux-2.4.28-gentoo-r2/mm/mmap.c linux-2.4.28-gentoo-r3/mm/mmap.c
+--- linux-2.4.28-gentoo-r2/mm/mmap.c	2004-11-27 20:50:07.000000000 +0000
++++ linux-2.4.28-gentoo-r3/mm/mmap.c	2004-12-24 14:34:29.000000000 +0000
+@@ -1480,14 +1480,15 @@
+ 	validate_mm(mm);
+ }
+ 
+-void insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
++int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+ {
+ 	struct vm_area_struct * __vma, * prev;
+ 	rb_node_t ** rb_link, * rb_parent;
+ 
+ 	__vma = find_vma_prepare(mm, vma->vm_start, &prev, &rb_link, &rb_parent);
+ 	if (__vma && __vma->vm_start < vma->vm_end)
+-		BUG();
++		return -ENOMEM;
+ 	vma_link(mm, vma, prev, rb_link, rb_parent);
+ 	validate_mm(mm);
++	return 0;
+ }
diff --git a/sys-kernel/alpha-sources/files/digest-alpha-sources-2.4.21-r16 b/sys-kernel/alpha-sources/files/digest-alpha-sources-2.4.21-r17
index d1abbfcbcf8a..d1abbfcbcf8a 100644
--- a/sys-kernel/alpha-sources/files/digest-alpha-sources-2.4.21-r16
+++ b/sys-kernel/alpha-sources/files/digest-alpha-sources-2.4.21-r17