authorTim Yamin <plasmaroo@gentoo.org>2005-02-15 21:50:55 +0000
committerTim Yamin <plasmaroo@gentoo.org>2005-02-15 21:50:55 +0000
commit886411a7cb72c9cf582ab91fa027916e95f07c44 (patch)
tree35db4ecf413ce81d64e552f23146205acdccd72e /sys-kernel
parentFix description. (diff)
Security fixes: #77666, #78362, #78363, #74070, #77666, #81106, #82141.
(Portage version: 2.0.51.16)
Diffstat (limited to 'sys-kernel')
-rw-r--r--sys-kernel/ck-sources/ChangeLog12
-rw-r--r--sys-kernel/ck-sources/ck-sources-2.4.28-r3.ebuild (renamed from sys-kernel/ck-sources/ck-sources-2.4.28-r2.ebuild)8
-rw-r--r--sys-kernel/ck-sources/ck-sources-2.6.10-r5.ebuild7
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.4.28.77666.patch44
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.4.28.78362.patch274
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.4.28.78363.patch29
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.6.10-74070.patch11
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.6.10-77666.patch149
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-2.6.10-82141.patch191
-rw-r--r--sys-kernel/ck-sources/files/ck-sources-81106.patch32
-rw-r--r--sys-kernel/ck-sources/files/digest-ck-sources-2.4.28-r3 (renamed from sys-kernel/ck-sources/files/digest-ck-sources-2.4.28-r2)0
11 files changed, 752 insertions, 5 deletions
diff --git a/sys-kernel/ck-sources/ChangeLog b/sys-kernel/ck-sources/ChangeLog
index ceb5f31f2862..e6f2013dc29a 100644
--- a/sys-kernel/ck-sources/ChangeLog
+++ b/sys-kernel/ck-sources/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for sys-kernel/ck-sources
# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ChangeLog,v 1.83 2005/01/20 05:01:44 marineam Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ChangeLog,v 1.84 2005/02/15 21:50:55 plasmaroo Exp $
+
+*ck-sources-2.4.28-r3 (15 Feb 2005)
+
+ 15 Feb 2005; <plasmaroo@gentoo.org> -ck-sources-2.4.28-r2.ebuild,
+ +ck-sources-2.4.28-r3.ebuild, ck-sources-2.6.10-r5.ebuild,
+ +files/ck-sources-2.4.28.77666.patch, +files/ck-sources-2.4.28.78362.patch,
+ +files/ck-sources-2.4.28.78363.patch, +files/ck-sources-2.6.10-74070.patch,
+ +files/ck-sources-2.6.10-77666.patch, +files/ck-sources-2.6.10-82141.patch,
+ +files/ck-sources-81106.patch:
+ Security fixes: #77666, #78362, #78363, #74070, #77666, #81106, #82141.
*ck-sources-2.6.10-r5 (19 Jan 2005)
diff --git a/sys-kernel/ck-sources/ck-sources-2.4.28-r2.ebuild b/sys-kernel/ck-sources/ck-sources-2.4.28-r3.ebuild
index bff239d530f3..42b88941f47b 100644
--- a/sys-kernel/ck-sources/ck-sources-2.4.28-r2.ebuild
+++ b/sys-kernel/ck-sources/ck-sources-2.4.28-r3.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.4.28-r2.ebuild,v 1.1 2005/01/08 17:30:04 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.4.28-r3.ebuild,v 1.1 2005/02/15 21:50:55 plasmaroo Exp $
ETYPE="sources"
@@ -23,7 +23,11 @@ UNIPATCH_LIST="${DISTDIR}/patch-${PV}-lck${CKV}.bz2
${FILESDIR}/${P}.vma.patch
${FILESDIR}/${P}.brk-locked.patch
${DISTDIR}/${P}-CAN-2004-0814.patch
- ${FILESDIR}/${P}.77094.patch"
+ ${FILESDIR}/${P}.77094.patch
+ ${FILESDIR}/${P}.77666.patch
+ ${FILESDIR}/${P}.78362.patch
+ ${FILESDIR}/${P}.78363.patch
+ ${FILESDIR}/${PN}-81106.patch"
DESCRIPTION="Full sources for the Stock Linux kernel Con Kolivas's high performance patchset"
HOMEPAGE="http://members.optusnet.com.au/ckolivas/kernel/"
diff --git a/sys-kernel/ck-sources/ck-sources-2.6.10-r5.ebuild b/sys-kernel/ck-sources/ck-sources-2.6.10-r5.ebuild
index b53d0cabeafe..1306b086af21 100644
--- a/sys-kernel/ck-sources/ck-sources-2.6.10-r5.ebuild
+++ b/sys-kernel/ck-sources/ck-sources-2.6.10-r5.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.6.10-r5.ebuild,v 1.1 2005/01/20 05:01:44 marineam Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.6.10-r5.ebuild,v 1.2 2005/02/15 21:50:55 plasmaroo Exp $
K_PREPATCHED="yes"
UNIPATCH_STRICTORDER="yes"
@@ -15,7 +15,10 @@ CK_PATCH="patch-${KV_FULL}.bz2"
UNIPATCH_LIST="
${DISTDIR}/${CK_PATCH}
${FILESDIR}/${P}-drm-dos-fix.patch
- ${FILESDIR}/${P}-smbfs-dos-fix.patch"
+ ${FILESDIR}/${P}-smbfs-dos-fix.patch
+ ${FILESDIR}/${P}-74070.patch
+ ${FILESDIR}/${PN}-81106.patch
+ ${FILESDIR}/${P}-82141.patch"
IUSE=""
DESCRIPTION="Full sources for the Stock Linux kernel and Con Kolivas's high performance patchset"
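Review bot: The UNIPATCH_LIST in this hunk gains `${P}-74070.patch`, `${PN}-81106.patch` and `${P}-82141.patch` but not `${P}-77666.patch`, although the commit adds files/ck-sources-2.6.10-77666.patch and lists #77666 among the fixes. Unless the expand_stack() race fix reaches the 2.6.10 tree some other way that is not visible here, the line `${FILESDIR}/${P}-77666.patch` looks missing from the list. Separately, the 2.4.28 ebuild is bumped to -r3 while this one stays at -r5, so systems that already installed 2.6.10-r5 would presumably not be offered the patched sources; a bump to -r6 would let the security fixes reach them.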
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.4.28.77666.patch b/sys-kernel/ck-sources/files/ck-sources-2.4.28.77666.patch
new file mode 100644
index 000000000000..6b687788f912
--- /dev/null
+++ b/sys-kernel/ck-sources/files/ck-sources-2.4.28.77666.patch
@@ -0,0 +1,44 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/12 09:14:50-02:00 marcelo.tosatti@cyclades.com
+# [PATCH] Fix expand_stack() SMP race
+#
+# Description: Fix expand_stack() SMP race
+#
+# Two threads sharing the same VMA can race in expand_stack, resulting in incorrect VMA
+# size accounting and possibly a "uncovered-by-VMA" pte leak.
+#
+# Fix is to check if the stack has already been expanded after acquiring a lock which
+# guarantees exclusivity (page_table_lock in v2.4 and vma_anon lock in v2.6).
+#
+# include/linux/mm.h
+# 2005/01/07 14:51:21-02:00 marcelo.tosatti@cyclades.com +10 -3
+# Fix expand_stack() SMP race
+#
+diff -Nru a/include/linux/mm.h b/include/linux/mm.h
+--- a/include/linux/mm.h 2005-01-13 04:59:30 -08:00
++++ b/include/linux/mm.h 2005-01-13 04:59:30 -08:00
+@@ -648,12 +648,19 @@
+ unsigned long grow;
+
+ /*
+- * vma->vm_start/vm_end cannot change under us because the caller is required
+- * to hold the mmap_sem in write mode. We need to get the spinlock only
+- * before relocating the vma range ourself.
++ * vma->vm_start/vm_end cannot change under us because the caller
++ * is required to hold the mmap_sem in read mode. We need the
++ * page_table_lock lock to serialize against concurrent expand_stacks.
+ */
+ address &= PAGE_MASK;
+ spin_lock(&vma->vm_mm->page_table_lock);
++
++ /* already expanded while we were spinning? */
++ if (vma->vm_start <= address) {
++ spin_unlock(&vma->vm_mm->page_table_lock);
++ return 0;
++ }
++
+ grow = (vma->vm_start - address) >> PAGE_SHIFT;
+ if (vma->vm_end - address > current->rlim[RLIMIT_STACK].rlim_cur ||
+ ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) > current->rlim[RLIMIT_AS].rlim_cur) {
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.4.28.78362.patch b/sys-kernel/ck-sources/files/ck-sources-2.4.28.78362.patch
new file mode 100644
index 000000000000..a55aba8a0938
--- /dev/null
+++ b/sys-kernel/ck-sources/files/ck-sources-2.4.28.78362.patch
@@ -0,0 +1,274 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/08 13:33:08-08:00 davem@nuts.davemloft.net
+# [NET]: CMSG compat code needs signedness fixes too.
+#
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# arch/ia64/ia32/sys_ia32.c
+# 2004/12/08 13:32:46-08:00 davem@nuts.davemloft.net +6 -4
+# [NET]: CMSG compat code needs signedness fixes too.
+#
+# arch/mips64/kernel/linux32.c
+# 2004/12/08 13:32:46-08:00 davem@nuts.davemloft.net +7 -5
+# [NET]: CMSG compat code needs signedness fixes too.
+#
+# arch/parisc/kernel/sys_parisc32.c
+# 2004/12/08 13:32:46-08:00 davem@nuts.davemloft.net +6 -5
+# [NET]: CMSG compat code needs signedness fixes too.
+#
+# arch/ppc64/kernel/sys_ppc32.c
+# 2004/12/08 13:32:46-08:00 davem@nuts.davemloft.net +6 -5
+# [NET]: CMSG compat code needs signedness fixes too.
+#
+# arch/s390x/kernel/linux32.c
+# 2004/12/08 13:32:46-08:00 davem@nuts.davemloft.net +6 -5
+# [NET]: CMSG compat code needs signedness fixes too.
+#
+# arch/sparc64/kernel/sys_sparc32.c
+# 2004/12/08 13:32:46-08:00 davem@nuts.davemloft.net +6 -5
+# [NET]: CMSG compat code needs signedness fixes too.
+#
+# arch/x86_64/ia32/socket32.c
+# 2004/12/08 13:32:46-08:00 davem@nuts.davemloft.net +2 -5
+# [NET]: CMSG compat code needs signedness fixes too.
+#
+# include/asm-x86_64/socket32.h
+# 2004/12/08 13:32:46-08:00 davem@nuts.davemloft.net +5 -0
+# [NET]: CMSG compat code needs signedness fixes too.
+#
+# ChangeSet
+# 2004/12/15 09:25:31-02:00 marcelo@logos.cnet
+# [PATCH] Make sure VC resizing fits in s16
+#
+# Noted by George Guninski
+#
+# drivers/char/console.c
+# 2004/12/15 10:58:17-02:00 marcelo@logos.cnet +6 -0
+# Import patch vc-patch
+#
+diff -Nru a/arch/ia64/ia32/sys_ia32.c b/arch/ia64/ia32/sys_ia32.c
+--- a/arch/ia64/ia32/sys_ia32.c 2005-02-15 11:50:28 -08:00
++++ b/arch/ia64/ia32/sys_ia32.c 2005-02-15 11:50:28 -08:00
+@@ -1369,6 +1369,11 @@
+ #define __CMSG32_FIRSTHDR(ctl,len) \
+ ((len) >= sizeof(struct cmsghdr32) ? (struct cmsghdr32 *)(ctl) : (struct cmsghdr32 *)NULL)
+ #define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
++ ((ucmlen) >= sizeof(struct cmsghdr) && \
++ (ucmlen) <= (unsigned long) \
++ ((mhdr)->msg_controllen - \
++ ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
+
+ static inline struct cmsghdr32 *
+ __cmsg32_nxthdr (void *ctl, __kernel_size_t size, struct cmsghdr32 *cmsg, int cmsg_len)
+@@ -1429,10 +1434,7 @@
+ return -EFAULT;
+
+ /* Catch bogons. */
+- if (CMSG32_ALIGN(ucmlen) < CMSG32_ALIGN(sizeof(struct cmsghdr32)))
+- return -EINVAL;
+- if ((unsigned long)(((char *)ucmsg - (char *)kmsg->msg_control) + ucmlen)
+- > kmsg->msg_controllen)
++ if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
+ return -EINVAL;
+
+ tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
+diff -Nru a/arch/mips64/kernel/linux32.c b/arch/mips64/kernel/linux32.c
+--- a/arch/mips64/kernel/linux32.c 2005-02-15 11:50:28 -08:00
++++ b/arch/mips64/kernel/linux32.c 2005-02-15 11:50:28 -08:00
+@@ -2483,6 +2483,12 @@
+ (struct cmsghdr32 *)(ctl) : \
+ (struct cmsghdr32 *)NULL)
+ #define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
++ ((ucmlen) >= sizeof(struct cmsghdr) && \
++ (ucmlen) <= (unsigned long) \
++ ((mhdr)->msg_controllen - \
++ ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
++
+
+ __inline__ struct cmsghdr32 *__cmsg32_nxthdr(void *__ctl, __kernel_size_t __size,
+ struct cmsghdr32 *__cmsg, int __cmsg_len)
+@@ -2623,11 +2629,7 @@
+ return -EFAULT;
+
+ /* Catch bogons. */
+- if(CMSG32_ALIGN(ucmlen) <
+- CMSG32_ALIGN(sizeof(struct cmsghdr32)))
+- return -ENOBUFS;
+- if((unsigned long)(((char *)ucmsg - (char *)kmsg->msg_control)
+- + ucmlen) > kmsg->msg_controllen)
++ if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
+ return -EINVAL;
+
+ tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
+diff -Nru a/arch/parisc/kernel/sys_parisc32.c b/arch/parisc/kernel/sys_parisc32.c
+--- a/arch/parisc/kernel/sys_parisc32.c 2005-02-15 11:50:28 -08:00
++++ b/arch/parisc/kernel/sys_parisc32.c 2005-02-15 11:50:28 -08:00
+@@ -1814,6 +1814,11 @@
+ (struct cmsghdr32 *)(ctl) : \
+ (struct cmsghdr32 *)NULL)
+ #define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
++ ((ucmlen) >= sizeof(struct cmsghdr) && \
++ (ucmlen) <= (unsigned long) \
++ ((mhdr)->msg_controllen - \
++ ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
+
+ __inline__ struct cmsghdr32 *__cmsg32_nxthdr(void *__ctl, __kernel_size_t __size,
+ struct cmsghdr32 *__cmsg, int __cmsg_len)
+@@ -1940,11 +1945,7 @@
+ return -EFAULT;
+
+ /* Catch bogons. */
+- if(CMSG32_ALIGN(ucmlen) <
+- CMSG32_ALIGN(sizeof(struct cmsghdr32)))
+- return -EINVAL;
+- if((unsigned long)(((char *)ucmsg - (char *)kmsg->msg_control)
+- + ucmlen) > kmsg->msg_controllen)
++ if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
+ return -EINVAL;
+
+ tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
+diff -Nru a/arch/ppc64/kernel/sys_ppc32.c b/arch/ppc64/kernel/sys_ppc32.c
+--- a/arch/ppc64/kernel/sys_ppc32.c 2005-02-15 11:50:28 -08:00
++++ b/arch/ppc64/kernel/sys_ppc32.c 2005-02-15 11:50:28 -08:00
+@@ -3273,6 +3273,11 @@
+ (struct cmsghdr32 *)(ctl) : \
+ (struct cmsghdr32 *)NULL)
+ #define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
++ ((ucmlen) >= sizeof(struct cmsghdr) && \
++ (ucmlen) <= (unsigned long) \
++ ((mhdr)->msg_controllen - \
++ ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
+
+ struct msghdr32
+ {
+@@ -3448,11 +3453,7 @@
+ return -EFAULT;
+
+ /* Catch bogons. */
+- if(CMSG32_ALIGN(ucmlen) <
+- CMSG32_ALIGN(sizeof(struct cmsghdr32)))
+- return -EINVAL;
+- if((unsigned long)(((char *)ucmsg - (char *)kmsg->msg_control)
+- + ucmlen) > kmsg->msg_controllen)
++ if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
+ return -EINVAL;
+
+ tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
+diff -Nru a/arch/s390x/kernel/linux32.c b/arch/s390x/kernel/linux32.c
+--- a/arch/s390x/kernel/linux32.c 2005-02-15 11:50:28 -08:00
++++ b/arch/s390x/kernel/linux32.c 2005-02-15 11:50:28 -08:00
+@@ -2306,6 +2306,11 @@
+ (struct cmsghdr32 *)(ctl) : \
+ (struct cmsghdr32 *)NULL)
+ #define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
++ ((ucmlen) >= sizeof(struct cmsghdr) && \
++ (ucmlen) <= (unsigned long) \
++ ((mhdr)->msg_controllen - \
++ ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
+
+ __inline__ struct cmsghdr32 *__cmsg32_nxthdr(void *__ctl, __kernel_size_t __size,
+ struct cmsghdr32 *__cmsg, int __cmsg_len)
+@@ -2432,11 +2437,7 @@
+ return -EFAULT;
+
+ /* Catch bogons. */
+- if(CMSG32_ALIGN(ucmlen) <
+- CMSG32_ALIGN(sizeof(struct cmsghdr32)))
+- return -EINVAL;
+- if((unsigned long)(((char *)ucmsg - (char *)kmsg->msg_control)
+- + ucmlen) > kmsg->msg_controllen)
++ if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
+ return -EINVAL;
+
+ tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
+diff -Nru a/arch/sparc64/kernel/sys_sparc32.c b/arch/sparc64/kernel/sys_sparc32.c
+--- a/arch/sparc64/kernel/sys_sparc32.c 2005-02-15 11:50:28 -08:00
++++ b/arch/sparc64/kernel/sys_sparc32.c 2005-02-15 11:50:28 -08:00
+@@ -2354,6 +2354,11 @@
+ (struct cmsghdr32 *)(ctl) : \
+ (struct cmsghdr32 *)NULL)
+ #define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
++ ((ucmlen) >= sizeof(struct cmsghdr) && \
++ (ucmlen) <= (unsigned long) \
++ ((mhdr)->msg_controllen - \
++ ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
+
+ __inline__ struct cmsghdr32 *__cmsg32_nxthdr(void *__ctl, __kernel_size_t __size,
+ struct cmsghdr32 *__cmsg, int __cmsg_len)
+@@ -2480,11 +2485,7 @@
+ return -EFAULT;
+
+ /* Catch bogons. */
+- if(CMSG32_ALIGN(ucmlen) <
+- CMSG32_ALIGN(sizeof(struct cmsghdr32)))
+- return -EINVAL;
+- if((unsigned long)(((char *)ucmsg - (char *)kmsg->msg_control)
+- + ucmlen) > kmsg->msg_controllen)
++ if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
+ return -EINVAL;
+
+ tmp = ((ucmlen - CMSG32_ALIGN(sizeof(*ucmsg))) +
+diff -Nru a/arch/x86_64/ia32/socket32.c b/arch/x86_64/ia32/socket32.c
+--- a/arch/x86_64/ia32/socket32.c 2005-02-15 11:50:28 -08:00
++++ b/arch/x86_64/ia32/socket32.c 2005-02-15 11:50:28 -08:00
+@@ -136,12 +136,9 @@
+ return -EFAULT;
+
+ /* Catch bogons. */
+- if(CMSG32_ALIGN(ucmlen) <
+- CMSG32_ALIGN(sizeof(struct cmsghdr32)))
+- return -EINVAL;
+- if((unsigned long)(((char *)ucmsg - (char *)kmsg->msg_control)
+- + ucmlen) > kmsg->msg_controllen)
++ if (!CMSG32_OK(ucmlen, ucmsg, kmsg))
+ return -EINVAL;
++
+ if (kmsg->msg_controllen > 65536)
+ return -EINVAL;
+
+diff -Nru a/include/asm-x86_64/socket32.h b/include/asm-x86_64/socket32.h
+--- a/include/asm-x86_64/socket32.h 2005-02-15 11:50:28 -08:00
++++ b/include/asm-x86_64/socket32.h 2005-02-15 11:50:28 -08:00
+@@ -45,6 +45,11 @@
+ (struct cmsghdr32 *)(ctl) : \
+ (struct cmsghdr32 *)NULL)
+ #define CMSG32_FIRSTHDR(msg) __CMSG32_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG32_OK(ucmlen, ucmsg, mhdr) \
++ ((ucmlen) >= sizeof(struct cmsghdr) && \
++ (ucmlen) <= (unsigned long) \
++ ((mhdr)->msg_controllen - \
++ ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
+
+ __inline__ struct cmsghdr32 *__cmsg32_nxthdr(void *__ctl, __kernel_size_t __size,
+ struct cmsghdr32 *__cmsg, int __cmsg_len)
+diff -Nru a/drivers/char/console.c b/drivers/char/console.c
+--- a/drivers/char/console.c 2005-02-15 11:52:04 -08:00
++++ b/drivers/char/console.c 2005-02-15 11:52:04 -08:00
+@@ -705,6 +705,9 @@
+ return 0;
+ }
+
++#define VC_RESIZE_MAXCOL (32767)
++#define VC_RESIZE_MAXROW (32767)
++
+ /*
+ * Change # of rows and columns (0 means unchanged/the size of fg_console)
+ * [this is to be used together with some user program
+@@ -716,6 +719,9 @@
+ unsigned int cc, ll, ss, sr, todo = 0;
+ unsigned int currcons = fg_console, i;
+ unsigned short *newscreens[MAX_NR_CONSOLES];
++
++ if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
++ return -EINVAL;
+
+ cc = (cols ? cols : video_num_columns);
+ ll = (lines ? lines : video_num_lines);
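Review bot: CMSG32_OK takes its lower bound from `sizeof(struct cmsghdr)`, while the checks it replaces used `sizeof(struct cmsghdr32)`, and this is compat code parsing 32-bit control messages. If the native header is larger than the 32-bit one on these 64-bit ports, a header-only 32-bit cmsg would now be rejected with -EINVAL; `((ucmlen) >= sizeof(struct cmsghdr32) && \` would keep the previous lower bound. The upper bound subtracts the ucmsg offset from msg_controllen before the unsigned cast, so it relies on ucmsg never pointing past the control buffer, and the iteration that would guarantee this is outside the hunks. The same macro is added in sys_ia32.c, both linux32.c files, sys_parisc32.c, sys_ppc32.c, sys_sparc32.c and socket32.h, so the point applies to each; the mips64 hunk additionally changes the short-length error from -ENOBUFS to -EINVAL.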
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.4.28.78363.patch b/sys-kernel/ck-sources/files/ck-sources-2.4.28.78363.patch
new file mode 100644
index 000000000000..852807ddc96f
--- /dev/null
+++ b/sys-kernel/ck-sources/files/ck-sources-2.4.28.78363.patch
@@ -0,0 +1,29 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/08 12:39:15-08:00 davem@nuts.davemloft.net
+# [IPV4]: Do not leak IP options.
+#
+# If the user makes ip_cmsg_send call ip_options_get
+# multiple times, we leak kmalloced IP options data.
+#
+# Noticed by Georgi Guninski.
+#
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_options.c
+# 2004/12/08 12:38:09-08:00 davem@nuts.davemloft.net +2 -0
+# [IPV4]: Do not leak IP options.
+#
+diff -Nru a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
+--- a/net/ipv4/ip_options.c 2005-02-15 11:47:16 -08:00
++++ b/net/ipv4/ip_options.c 2005-02-15 11:47:16 -08:00
+@@ -515,6 +515,8 @@
+ kfree(opt);
+ return -EINVAL;
+ }
++ if (*optp)
++ kfree(*optp);
+ *optp = opt;
+ return 0;
+ }
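Review bot: ip_options_get() now reads `*optp` before overwriting it, which turns what was an output-only parameter into one that must hold either NULL or a pointer the callee is allowed to kfree. A caller that passes an uninitialised pointer, or one that is still referenced elsewhere, would get an invalid or premature free; the callers are outside this hunk, so that needs checking. I would record the contract above the function, e.g. `/* *optp must be NULL or a kmalloc'd ip_options; it is freed and replaced on success */`. If kfree() accepts NULL in this tree, the `if (*optp)` guard can also be dropped, leaving `kfree(*optp);`.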
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.10-74070.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.10-74070.patch
new file mode 100644
index 000000000000..3b4ee332f9e9
--- /dev/null
+++ b/sys-kernel/ck-sources/files/ck-sources-2.6.10-74070.patch
@@ -0,0 +1,11 @@
+--- linux-2.6.10/net/sunrpc/svc.c.orig 2005-01-18 03:18:08.235362992 +0000
++++ linux-2.6.10/net/sunrpc/svc.c 2005-01-18 03:18:28.532277392 +0000
+@@ -446,7 +446,7 @@ err_bad_auth:
+ err_bad_prog:
+ #ifdef RPC_PARANOIA
+ if (prog != 100227 || progp->pg_prog != 100003)
+- printk("svc: unknown program %d (me %d)\n", prog, progp->pg_prog);
++ printk("svc: unknown program %d (me %d)\n", prog, serv->sv_program->pg_prog);
+ /* else it is just a Solaris client seeing if ACLs are supported */
+ #endif
+ serv->sv_stats->rpcbadfmt++;
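Review bot: The condition on the line above the changed printk still evaluates `progp->pg_prog`, so the dereference this patch removes from the printk argument remains reachable whenever `prog == 100227`. If progp can be NULL at err_bad_prog, which the switch to `serv->sv_program` suggests, the test should read from the same source: `if (prog != 100227 || serv->sv_program->pg_prog != 100003)`. The code is only built under RPC_PARANOIA, and the rest of the function lies outside the hunk.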
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.10-77666.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.10-77666.patch
new file mode 100644
index 000000000000..5855606c106b
--- /dev/null
+++ b/sys-kernel/ck-sources/files/ck-sources-2.6.10-77666.patch
@@ -0,0 +1,149 @@
+# <plasmaroo> Bug #77666; this is a ck-sources modified version; attID #48582
+# minus hunk 2.
+#
+# ChangeSet #3
+# 2005/01/12 08:09:20-08:00 torvalds@ppc970.osdl.org
+# Handle two threads both trying to expand their stack simultaneously.
+#
+# We had all the locking right, but we didn't check whether one of the
+# threads now no longer needed to expand, so we could incorrectly _shrink_
+# the stack in the other thread instead (not only causing segfaults, but
+# since we didn't do a proper unmap, we'd possibly leak pages too).
+#
+# So re-check the need for expand after getting the lock.
+#
+# Noticed by Paul Starzetz.
+#
+# ChangeSet #2
+# 2005/01/10 11:23:42-08:00 torvalds@ppc970.osdl.org
+# Clean up stack growth checks and move them into a common function.
+#
+# The grows-up and grows-down cases had all the same issues, but
+# differered in the details. Additionlly, historical evolution of
+# the tests had caused the result to be pretty unreadable with some
+# rather long and complex conditionals.
+#
+# Fix it all up in a more readable helper function.
+#
+# This also adds the missing RLIMIT_MEMLOCK test.
+#
+# ChangeSet #1
+# 2005/01/11 07:40:07-08:00 chrisw@osdl.org
+# [PATCH] acct_stack_growth nitpicks
+#
+# - allow CAP_IPC_LOCK to override mlock rlimit during stack expansion as
+# in all other cases
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# mm/mmap.c
+# 2005/01/10 19:34:05-08:00 chrisw@osdl.org +1 -1
+# acct_stack_growth nitpicks
+#
+diff -urNp linux-2.6.10/mm/mmap.c linux-2.6.10.plasmaroo/mm/mmap.c
+--- linux-2.6.10/mm/mmap.c 2004-12-24 21:35:00.000000000 +0000
++++ linux-2.6.10.plasmaroo/mm/mmap.c 2005-01-15 21:49:26.000000000 +0000
+@@ -1319,13 +1319,57 @@ out:
+ return prev ? prev->vm_next : vma;
+ }
+
++/*
++ * Verify that the stack growth is acceptable and
++ * update accounting. This is shared with both the
++ * grow-up and grow-down cases.
++ */
++static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, unsigned long grow)
++{
++ struct mm_struct *mm = vma->vm_mm;
++ struct rlimit *rlim = current->signal->rlim;
++
++ /* address space limit tests */
++ rlim = current->signal->rlim;
++ if (mm->total_vm + grow > rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT)
++ return -ENOMEM;
++
++ /* Stack limit test */
++ if (size > rlim[RLIMIT_STACK].rlim_cur)
++ return -ENOMEM;
++
++ /* mlock limit tests */
++ if (vma->vm_flags & VM_LOCKED) {
++ unsigned long locked;
++ unsigned long limit;
++ locked = mm->locked_vm + grow;
++ limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
++ if (locked > limit && !capable(CAP_IPC_LOCK))
++ return -ENOMEM;
++ }
++
++ /*
++ * Overcommit.. This must be the final test, as it will
++ * update security statistics.
++ */
++ if (security_vm_enough_memory(grow))
++ return -ENOMEM;
++
++ /* Ok, everything looks good - let it rip */
++ mm->total_vm += grow;
++ if (vma->vm_flags & VM_LOCKED)
++ mm->locked_vm += grow;
++ __vm_stat_account(mm, vma->vm_flags, vma->vm_file, grow);
++ return 0;
++}
++
+ #ifdef CONFIG_STACK_GROWSUP
+ /*
+ * vma is the first one with address > vma->vm_end. Have to extend vma.
+ */
+ int expand_stack(struct vm_area_struct * vma, unsigned long address)
+ {
+- unsigned long grow;
++ int error;
+
+ if (!(vma->vm_flags & VM_GROWSUP))
+ return -EFAULT;
+@@ -1407,29 +1448,23 @@ int expand_stack(struct vm_area_struct *
+ * anon_vma lock to serialize against concurrent expand_stacks.
+ */
+ address &= PAGE_MASK;
+- grow = (vma->vm_start - address) >> PAGE_SHIFT;
++ error = 0;
+
+- /* Overcommit.. */
+- if (security_vm_enough_memory(grow)) {
+- anon_vma_unlock(vma);
+- return -ENOMEM;
+- }
+-
+- if (vma->vm_end - address > current->signal->rlim[RLIMIT_STACK].rlim_cur ||
+- ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) >
+- current->signal->rlim[RLIMIT_AS].rlim_cur) {
+- anon_vma_unlock(vma);
+- vm_unacct_memory(grow);
+- return -ENOMEM;
++ /* Somebody else might have raced and expanded it already */
++ if (address < vma->vm_start) {
++ unsigned long size, grow;
++
++ size = vma->vm_end - address;
++ grow = (vma->vm_start - address) >> PAGE_SHIFT;
++
++ error = acct_stack_growth(vma, size, grow);
++ if (!error) {
++ vma->vm_start = address;
++ vma->vm_pgoff -= grow;
++ }
+ }
+- vma->vm_start = address;
+- vma->vm_pgoff -= grow;
+- vma->vm_mm->total_vm += grow;
+- if (vma->vm_flags & VM_LOCKED)
+- vma->vm_mm->locked_vm += grow;
+- __vm_stat_account(vma->vm_mm, vma->vm_flags, vma->vm_file, grow);
+ anon_vma_unlock(vma);
+- return 0;
++ return error;
+ }
+
+ struct vm_area_struct *
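Review bot: The first hunk replaces `unsigned long grow;` with `int error;` in the CONFIG_STACK_GROWSUP variant of expand_stack(), but the header says the patch was taken "minus hunk 2", and no hunk here rewrites that variant's body. If that body still uses `grow` (it is outside the hunks), grows-up configurations would fail to build and would also miss the re-check after taking the lock; either keep the original declaration there or restore the dropped hunk. In acct_stack_growth(), `rlim` is initialised at its declaration and then assigned the same value again under the "address space limit tests" comment, so the second assignment can go.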
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.10-82141.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.10-82141.patch
new file mode 100644
index 000000000000..b4a02f7871fb
--- /dev/null
+++ b/sys-kernel/ck-sources/files/ck-sources-2.6.10-82141.patch
@@ -0,0 +1,191 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/02 17:41:06-08:00 guninski@guninski.com
+# [PATCH] Fix sign checks in copy_from_read_buf()
+#
+# Fix signedness and remove the now unnecessary cast.
+#
+# Acked-by: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# drivers/char/n_tty.c
+# 2005/01/30 07:56:05-08:00 guninski@guninski.com +2 -2
+# Fix sign checks in copy_from_read_buf()
+#
+# ChangeSet
+# 2005/02/02 17:42:38-08:00 guninski@guninski.com
+# [PATCH] Fix signed compare in fs/proc/generic.c::proc_file_read()
+#
+# Acked-by: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# fs/proc/generic.c
+# 2005/01/30 07:58:00-08:00 guninski@guninski.com +1 -1
+# Fix signed compare in fs/proc/generic.c::proc_file_read()
+#
+# ChangeSet
+# 2005/02/02 17:45:11-08:00 guninski@guninski.com
+# [PATCH] reiserfs: use proper 64-bit clean types
+#
+# reiserfs_file_write() casts its (size_t) count parameter to int, which can become
+# a problem on 64-bit architectures
+#
+# This attempts to fix this by changing the variables dealing with count
+# and offset and the "min_t" comparisons to use "size_t" through-out.
+#
+# Acked-by: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# fs/reiserfs/file.c
+# 2005/01/26 07:28:12-08:00 guninski@guninski.com +11 -12
+# reiserfs: use proper 64-bit clean types
+#
+# ChangeSet
+# 2005/02/08 07:59:56-08:00 torvalds@ppc970.osdl.org
+# Fix ATM copy-to-user usage.
+#
+# More of the Guninski "copy_to_user() takes a size_t" series.
+#
+# net/atm/addr.c
+# 2005/02/08 07:59:48-08:00 torvalds@ppc970.osdl.org +1 -1
+# Fix ATM copy-to-user usage.
+#
+# More of the Guninski "copy_to_user() takes a size_t" series.
+#
+# net/atm/addr.h
+# 2005/02/08 07:59:48-08:00 torvalds@ppc970.osdl.org +1 -1
+# Fix ATM copy-to-user usage.
+#
+# More of the Guninski "copy_to_user() takes a size_t" series.
+#
+diff -Nru a/drivers/char/n_tty.c b/drivers/char/n_tty.c
+--- a/drivers/char/n_tty.c 2005-02-15 11:56:06 -08:00
++++ b/drivers/char/n_tty.c 2005-02-15 11:56:06 -08:00
+@@ -1143,13 +1143,13 @@
+
+ {
+ int retval;
+- ssize_t n;
++ size_t n;
+ unsigned long flags;
+
+ retval = 0;
+ spin_lock_irqsave(&tty->read_lock, flags);
+ n = min(tty->read_cnt, N_TTY_BUF_SIZE - tty->read_tail);
+- n = min((ssize_t)*nr, n);
++ n = min(*nr, n);
+ spin_unlock_irqrestore(&tty->read_lock, flags);
+ if (n) {
+ mb();
+diff -Nru a/fs/proc/generic.c b/fs/proc/generic.c
+--- a/fs/proc/generic.c 2005-02-15 11:55:35 -08:00
++++ b/fs/proc/generic.c 2005-02-15 11:55:35 -08:00
+@@ -60,7 +60,7 @@
+ return -ENOMEM;
+
+ while ((nbytes > 0) && !eof) {
+- count = min_t(ssize_t, PROC_BLOCK_SIZE, nbytes);
++ count = min_t(size_t, PROC_BLOCK_SIZE, nbytes);
+
+ start = NULL;
+ if (dp->get_info) {
+diff -Nru a/fs/reiserfs/file.c b/fs/reiserfs/file.c
+--- a/fs/reiserfs/file.c 2005-02-15 11:56:07 -08:00
++++ b/fs/reiserfs/file.c 2005-02-15 11:56:07 -08:00
+@@ -588,7 +588,7 @@
+
+ /* Unlock pages prepared by reiserfs_prepare_file_region_for_write */
+ void reiserfs_unprepare_pages(struct page **prepared_pages, /* list of locked pages */
+- int num_pages /* amount of pages */) {
++ size_t num_pages /* amount of pages */) {
+ int i; // loop counter
+
+ for (i=0; i < num_pages ; i++) {
+@@ -619,7 +619,7 @@
+ int offset; // offset in page
+
+ for ( i = 0, offset = (pos & (PAGE_CACHE_SIZE-1)); i < num_pages ; i++,offset=0) {
+- int count = min_t(int,PAGE_CACHE_SIZE-offset,write_bytes); // How much of bytes to write to this page
++ size_t count = min_t(size_t,PAGE_CACHE_SIZE-offset,write_bytes); // How much of bytes to write to this page
+ struct page *page=prepared_pages[i]; // Current page we process.
+
+ fault_in_pages_readable( buf, count);
+@@ -718,8 +718,8 @@
+ struct reiserfs_transaction_handle *th,
+ struct inode *inode,
+ loff_t pos, /* Writing position offset */
+- int num_pages, /* Number of pages to write */
+- int write_bytes, /* number of bytes to write */
++ size_t num_pages, /* Number of pages to write */
++ size_t write_bytes, /* number of bytes to write */
+ struct page **prepared_pages /* list of pages */
+ )
+ {
+@@ -854,9 +854,9 @@
+ static int reiserfs_prepare_file_region_for_write(
+ struct inode *inode /* Inode of the file */,
+ loff_t pos, /* position in the file */
+- int num_pages, /* number of pages to
++ size_t num_pages, /* number of pages to
+ prepare */
+- int write_bytes, /* Amount of bytes to be
++ size_t write_bytes, /* Amount of bytes to be
+ overwritten from
+ @pos */
+ struct page **prepared_pages /* pointer to array
+@@ -1252,10 +1252,9 @@
+ while ( count > 0) {
+ /* This is the main loop in which we running until some error occures
+ or until we write all of the data. */
+- int num_pages;/* amount of pages we are going to write this iteration */
+- int write_bytes; /* amount of bytes to write during this iteration */
+- int blocks_to_allocate; /* how much blocks we need to allocate for
+- this iteration */
++ size_t num_pages;/* amount of pages we are going to write this iteration */
++ size_t write_bytes; /* amount of bytes to write during this iteration */
++ size_t blocks_to_allocate; /* how much blocks we need to allocate for this iteration */
+
+ /* (pos & (PAGE_CACHE_SIZE-1)) is an idiom for offset into a page of pos*/
+ num_pages = !!((pos+count) & (PAGE_CACHE_SIZE - 1)) + /* round up partial
+@@ -1269,7 +1268,7 @@
+ /* If we were asked to write more data than we want to or if there
+ is not that much space, then we shorten amount of data to write
+ for this iteration. */
+- num_pages = min_t(int, REISERFS_WRITE_PAGES_AT_A_TIME, reiserfs_can_fit_pages(inode->i_sb));
++ num_pages = min_t(size_t, REISERFS_WRITE_PAGES_AT_A_TIME, reiserfs_can_fit_pages(inode->i_sb));
+ /* Also we should not forget to set size in bytes accordingly */
+ write_bytes = (num_pages << PAGE_CACHE_SHIFT) -
+ (pos & (PAGE_CACHE_SIZE-1));
+@@ -1295,7 +1294,7 @@
+ // But overwriting files on absolutelly full volumes would not
+ // be very efficient. Well, people are not supposed to fill
+ // 100% of disk space anyway.
+- write_bytes = min_t(int, count, inode->i_sb->s_blocksize - (pos & (inode->i_sb->s_blocksize - 1)));
++ write_bytes = min_t(size_t, count, inode->i_sb->s_blocksize - (pos & (inode->i_sb->s_blocksize - 1)));
+ num_pages = 1;
+ // No blocks were claimed before, so do it now.
+ reiserfs_claim_blocks_to_be_allocated(inode->i_sb, 1 << (PAGE_CACHE_SHIFT - inode->i_blkbits));
+diff -Nru a/net/atm/addr.c b/net/atm/addr.c
+--- a/net/atm/addr.c 2005-02-15 11:56:16 -08:00
++++ b/net/atm/addr.c 2005-02-15 11:56:16 -08:00
+@@ -114,7 +114,7 @@
+ }
+
+
+-int atm_get_addr(struct atm_dev *dev,struct sockaddr_atmsvc __user *buf,int size)
++int atm_get_addr(struct atm_dev *dev,struct sockaddr_atmsvc __user *buf,size_t size)
+ {
+ unsigned long flags;
+ struct atm_dev_addr *walk;
+diff -Nru a/net/atm/addr.h b/net/atm/addr.h
+--- a/net/atm/addr.h 2005-02-15 11:56:16 -08:00
++++ b/net/atm/addr.h 2005-02-15 11:56:16 -08:00
+@@ -13,6 +13,6 @@
+ void atm_reset_addr(struct atm_dev *dev);
+ int atm_add_addr(struct atm_dev *dev,struct sockaddr_atmsvc *addr);
+ int atm_del_addr(struct atm_dev *dev,struct sockaddr_atmsvc *addr);
+-int atm_get_addr(struct atm_dev *dev,struct sockaddr_atmsvc __user *buf,int size);
++int atm_get_addr(struct atm_dev *dev,struct sockaddr_atmsvc __user *buf,size_t size);
+
+ #endif
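Review bot: reiserfs_unprepare_pages() now takes `size_t num_pages`, but its loop counter stays `int i`, so `i < num_pages` compares signed with unsigned; `size_t i; // loop counter` would match the new parameter type. The `for ( i = 0, offset = ...; i < num_pages ; ...)` loop in the following hunk has the same comparison, with its declaration of `i` outside the visible lines. For atm_get_addr() only the prototype and the signature change here, so the uses of `size` inside the body should be checked for the same signed/unsigned mix.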
diff --git a/sys-kernel/ck-sources/files/ck-sources-81106.patch b/sys-kernel/ck-sources/files/ck-sources-81106.patch
new file mode 100644
index 000000000000..44abcbca1ac0
--- /dev/null
+++ b/sys-kernel/ck-sources/files/ck-sources-81106.patch
@@ -0,0 +1,32 @@
+# ChangeSet
+# 2005/01/25 10:10:51+00:00 aia21@cantab.net
+# NTFS: Add printk rate limiting for ntfs_warning() and ntfs_error() when
+# compiled without debug. This avoids a possible denial of service
+# attack. Thanks to Carl-Daniel Hailfinger from SuSE for pointing this
+# out.
+#
+diff -Nru a/fs/ntfs/debug.c b/fs/ntfs/debug.c
+--- a/fs/ntfs/debug.c 2005-02-15 12:38:26 -08:00
++++ b/fs/ntfs/debug.c 2005-02-15 12:38:26 -08:00
+@@ -53,6 +53,10 @@
+ va_list args;
+ int flen = 0;
+
++#ifndef DEBUG
++ if (!printk_ratelimit())
++ return;
++#endif
+ if (function)
+ flen = strlen(function);
+ spin_lock(&err_buf_lock);
+@@ -93,6 +97,10 @@
+ va_list args;
+ int flen = 0;
+
++#ifndef DEBUG
++ if (!printk_ratelimit())
++ return;
++#endif
+ if (function)
+ flen = strlen(function);
+ spin_lock(&err_buf_lock);
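Review bot: Neither hunk says why the early return is limited to non-DEBUG builds; a comment above each `#ifndef DEBUG`, such as `/* Rate-limit non-debug builds so a damaged volume cannot flood the log. */`, would carry the intent from the ChangeSet text into the code. The same patch file is listed in both the 2.4.28-r3 and 2.6.10-r5 UNIPATCH_LIST as `${PN}-81106.patch`, so it is worth confirming that fs/ntfs/debug.c has this shape and that printk_ratelimit() is available in the 2.4.28 tree, neither of which is visible here. Both functions continue outside the hunks.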
diff --git a/sys-kernel/ck-sources/files/digest-ck-sources-2.4.28-r2 b/sys-kernel/ck-sources/files/digest-ck-sources-2.4.28-r3
index eb0a5120a193..eb0a5120a193 100644
--- a/sys-kernel/ck-sources/files/digest-ck-sources-2.4.28-r2
+++ b/sys-kernel/ck-sources/files/digest-ck-sources-2.4.28-r3