Gentoo's Bugzilla – Attachment 44549 Details for
Bug 72006
patch for 2.6.7 to update alsa and fix snd-ioctl32
[patch]
1120-CAN-2004-0415.patch
1120-CAN-2004-0415.patch (text/plain), 108.01 KB, created by
Jeremy Huddleston (RETIRED)
on 2004-11-23 04:24:22 UTC
Description:
1120-CAN-2004-0415.patch
Filename:
MIME Type:
Creator:
Jeremy Huddleston (RETIRED)
Created:
2004-11-23 04:24:22 UTC
Size:
108.01 KB
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/arch/cris/arch-v10/drivers/eeprom.c linux-2.6.7-viroized/arch/cris/arch-v10/drivers/eeprom.c
>--- linux-2.6.7/arch/cris/arch-v10/drivers/eeprom.c 2004-06-16 21:11:35.000000000 +0100
>+++ linux-2.6.7-viroized/arch/cris/arch-v10/drivers/eeprom.c 2004-06-27 21:49:16.000000000 +0100
>@@ -95,6 +95,7 @@
> #include <linux/delay.h>
> #include <linux/interrupt.h>
> #include <asm/uaccess.h>
>+#include <asm/semaphore.h>
> #include "i2c.h"
>
> #define D(x)
>@@ -137,8 +138,6 @@
> int adapt_state; /* 1 = To high , 0 = Even, -1 = To low */
>
> /* this one is to keep the read/write operations atomic */
>- wait_queue_head_t wait_q;
>- volatile int busy;
> int retry_cnt_addr; /* Used to keep track of number of retries for
> adaptive timing adjustments */
> int retry_cnt_read;
>@@ -164,6 +163,7 @@
>
> /* chip description */
> static struct eeprom_type eeprom;
>+static DECLARE_MUTEX(eeprom_mutex);
>
> /* This is the exported file-operations structure for this device. */
> struct file_operations eeprom_fops =
>@@ -179,9 +179,6 @@
>
> int __init eeprom_init(void)
> {
>- init_waitqueue_head(&eeprom.wait_q);
>- eeprom.busy = 0;
>-
> #ifdef CONFIG_ETRAX_I2C_EEPROM_PROBE
> #define EETEXT "Found"
> #else
>@@ -461,43 +458,40 @@
>
> /* Changes the current file position. */
>
>+/* XXX - requires a lock as does the read etc side */
>+
> static loff_t eeprom_lseek(struct file * file, loff_t offset, int orig)
> {
>+ loff_t pos;
> /*
> * orig 0: position from begning of eeprom
> * orig 1: relative from current position
> * orig 2: position from last eeprom address
> */
>+ down(&eeprom_lock);
>
> switch (orig)
> {
> case 0:
>- file->f_pos = offset;
>+ pos = offset;
> break;
> case 1:
>- file->f_pos += offset;
>+ pos = file->f_pos + offset;
> break;
> case 2:
>- file->f_pos = eeprom.size - offset;
>+ pos = eeprom.size - offset;
> break;
> default:
> return -EINVAL;
> }
>
> /* truncate position */
>- if (file->f_pos < 0)
>- {
>- file->f_pos = 0;
>- return(-EOVERFLOW);
>- }
>-
>- if (file->f_pos >= eeprom.size)
>+ if (pos < 0 || pos >= eeprom.size)
> {
>- file->f_pos = eeprom.size - 1;
>+ up(&eeprom_lock);
> return(-EOVERFLOW);
> }
>-
>- return ( file->f_pos );
>+ return ( file->f_pos = pos );
> }
>
> /* Reads data from eeprom. */
>@@ -517,26 +511,19 @@
> static ssize_t eeprom_read(struct file * file, char * buf, size_t count, loff_t *off)
> {
> int read=0;
>- unsigned long p = file->f_pos;
>+ loff_t p = *off;
>
> unsigned char page;
>
>- if(p >= eeprom.size) /* Address i 0 - (size-1) */
>- {
>- return -EFAULT;
>- }
>-
>- while(eeprom.busy)
>- {
>- interruptible_sleep_on(&eeprom.wait_q);
>
>- /* bail out if we get interrupted */
>- if (signal_pending(current))
>- return -EINTR;
>-
>- }
>- eeprom.busy++;
>+ if(down_interruptible(&eeprom_lock))
>+ return -EINTR;
>
>+ if(p >= eeprom.size || count > eeprom.size - p) /* Address i 0 - (size-1) */
>+ {
>+ up(&eeprom_lock);
>+ return -EINVAL;
>+ }
> page = (unsigned char) (p >> 8);
>
> if(!eeprom_address(p))
>@@ -546,8 +533,7 @@
> i2c_stop();
>
> /* don't forget to wake them up */
>- eeprom.busy--;
>- wake_up_interruptible(&eeprom.wait_q);
>+ up(&eeprom_lock);
> return -EFAULT;
> }
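Review bot: eeprom_lseek takes `down(&eeprom_lock)` but releases it only on the -EOVERFLOW path: the `default: return -EINVAL;` case and the final `return ( file->f_pos = pos );` both leave the semaphore held, so the next lseek, read or write on the device would block. The semaphore is also declared earlier in this file's patch as `eeprom_mutex`, while every use here and in eeprom_read/eeprom_write names `eeprom_lock`, so the file does not compile as shown. Add `up(&eeprom_lock);` before both returns (for the success path, `file->f_pos = pos; up(&eeprom_lock); return pos;`) and change the declaration to `static DECLARE_MUTEX(eeprom_lock);`.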
>
>@@ -571,11 +557,10 @@
>
> if(read > 0)
> {
>- file->f_pos += read;
>+ *off = p + read;
> }
>
>- eeprom.busy--;
>- wake_up_interruptible(&eeprom.wait_q);
>+ up(&eeprom_lock);
> return read;
> }
>
>@@ -604,19 +589,14 @@
> return -EFAULT;
> }
>
>- while(eeprom.busy)
>- {
>- interruptible_sleep_on(&eeprom.wait_q);
>- /* bail out if we get interrupted */
>- if (signal_pending(current))
>- return -EINTR;
>- }
>- eeprom.busy++;
>+ if(down_interruptible(&eeprom_lock))
>+ return -EINTR;
>+
> for(i = 0; (i < EEPROM_RETRIES) && (restart > 0); i++)
> {
> restart = 0;
> written = 0;
>- p = file->f_pos;
>+ p = *off;
>
>
> while( (written < count) && (p < eeprom.size))
>@@ -629,9 +609,8 @@
> i2c_stop();
>
> /* don't forget to wake them up */
>- eeprom.busy--;
>- wake_up_interruptible(&eeprom.wait_q);
>- return -EFAULT;
>+ up(&eeprom_lock);
>+ return -EIO;
> }
> #ifdef EEPROM_ADAPTIVE_TIMING
> /* Adaptive algorithm to adjust timing */
>@@ -742,12 +721,12 @@
> } /* while */
> } /* for */
>
>- eeprom.busy--;
>- wake_up_interruptible(&eeprom.wait_q);
>- if (written == 0 && file->f_pos >= eeprom.size){
>+ if (written == 0 && p >= eeprom.size){
>+ up(&eeprom_lock);
> return -ENOSPC;
> }
>- file->f_pos += written;
>+ *off = p;
>+ up(&eeprom_lock);
> return written;
> }
>
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/arch/i386/kernel/cpuid.c linux-2.6.7-viroized/arch/i386/kernel/cpuid.c
>--- linux-2.6.7/arch/i386/kernel/cpuid.c 2004-06-16 21:11:35.000000000 +0100
>+++ linux-2.6.7-viroized/arch/i386/kernel/cpuid.c 2004-06-27 19:44:22.000000000 +0100
>@@ -41,6 +41,9 @@
> #include <asm/msr.h>
> #include <asm/uaccess.h>
> #include <asm/system.h>
>+#include <asm/semaphore.h>
>+
>+static DECLARE_MUTEX(cpuid_lock);
>
> #ifdef CONFIG_SMP
>
>@@ -88,8 +91,8 @@
> {
> loff_t ret;
>
>- lock_kernel();
>-
>+ down(&cpuid_lock);
>+
> switch (orig) {
> case 0:
> file->f_pos = offset;
>@@ -102,8 +105,7 @@
> default:
> ret = -EINVAL;
> }
>-
>- unlock_kernel();
>+ up(&cpuid_lock);
> return ret;
> }
>
>@@ -113,21 +115,32 @@
> char __user *tmp = buf;
> u32 data[4];
> size_t rv;
>- u32 reg = *ppos;
>+ u32 reg;
> int cpu = iminor(file->f_dentry->d_inode);
>+ int err = -EINVAL;
>
> if (count % 16)
> return -EINVAL; /* Invalid chunk size */
>
>+ down(&cpuid_lock);
>+ if(*ppos > 0xFFFFFFFF)
>+ goto error;
>+ reg = *ppos;
>+ err = -EFAULT;
> for (rv = 0; count; count -= 16) {
> do_cpuid(cpu, reg, data);
> if (copy_to_user(tmp, &data, 16))
>- return -EFAULT;
>+ goto error;
> tmp += 16;
> *ppos = reg++;
> }
>-
>- return tmp - buf;
>+ err = 0;
>+
>+error:
>+ up(&cpuid_lock);
>+ if(tmp != buf)
>+ return tmp - buf;
>+ return err;
> }
>
> static int cpuid_open(struct inode *inode, struct file *file)
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/arch/i386/kernel/msr.c linux-2.6.7-viroized/arch/i386/kernel/msr.c
>--- linux-2.6.7/arch/i386/kernel/msr.c 2004-06-16 21:11:35.000000000 +0100
>+++ linux-2.6.7-viroized/arch/i386/kernel/msr.c 2004-06-27 18:31:39.000000000 +0100
>@@ -41,6 +41,8 @@
> #include <asm/uaccess.h>
> #include <asm/system.h>
>
>+static DECLARE_MUTEX(msr_lock);
>+
> /* Note: "err" is handled in a funny way below. Otherwise one version
> of gcc or another breaks. */
>
>@@ -167,7 +169,7 @@
> {
> loff_t ret = -EINVAL;
>
>- lock_kernel();
>+ down(&msr_lock);
> switch (orig) {
> case 0:
> file->f_pos = offset;
>@@ -176,8 +178,11 @@
> case 1:
> file->f_pos += offset;
> ret = file->f_pos;
>+ break;
>+ default:
>+ ret = -EINVAL;
> }
>- unlock_kernel();
>+ up(&msr_lock);
> return ret;
> }
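Review bot: The range check `if(*ppos > 0xFFFFFFFF)` added to the cpuid read handler does not reject a negative position, and the lseek handler in the same file stores `offset` into `file->f_pos` with no sign check in the lines the hunks show, so a negative `*ppos` would be silently truncated into `reg`. Consider `if (*ppos < 0 || *ppos > 0xFFFFFFFF)`. The same one-sided test is added to the read and write handlers in msr.c; the function signatures are outside these hunks.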
>
>@@ -187,23 +192,36 @@
> u32 __user *tmp = (u32 __user *) buf;
> u32 data[2];
> size_t rv;
>- u32 reg = *ppos;
>+ u32 reg;
> int cpu = iminor(file->f_dentry->d_inode);
>- int err;
>+ int err = -EINVAL;
>
> if (count % 8)
> return -EINVAL; /* Invalid chunk size */
>
>+ down(&msr_lock);
>+ if(*ppos > 0xFFFFFFFF)
>+ goto error;
>+
>+ reg = *ppos;
> for (rv = 0; count; count -= 8) {
> err = do_rdmsr(cpu, reg, &data[0], &data[1]);
> if (err)
>- return err;
>+ goto error;
> if (copy_to_user(tmp, &data, 8))
>- return -EFAULT;
>+ {
>+ err = -EFAULT;
>+ goto error;
>+ }
> tmp += 2;
>+ /* XXX API - should seek on */
> }
>-
>- return ((char __user *)tmp) - buf;
>+ /* Invariant: err = 0 here */
>+error:
>+ up(&msr_lock);
>+ if(tmp != buf)
>+ return ((char __user *)tmp) - buf;
>+ return err;
> }
>
> static ssize_t msr_write(struct file *file, const char __user *buf,
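Review bot: A zero-length read now returns -EINVAL: `err` starts at -EINVAL, the loop body never runs when `count` is 0, and `tmp == buf`, so the `/* Invariant: err = 0 here */` comment does not hold on that path, where the old code returned 0. Adding `err = 0;` right after `reg = *ppos;` restores the previous result and makes the comment true. The msr_write hunk that follows has the same pattern, and the opening line of this function is outside the hunk.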
>@@ -212,23 +230,36 @@
> const u32 __user *tmp = (const u32 __user *)buf;
> u32 data[2];
> size_t rv;
>- u32 reg = *ppos;
>+ u32 reg;
> int cpu = iminor(file->f_dentry->d_inode);
>- int err;
>+ int err = -EINVAL;
>
> if (count % 8)
> return -EINVAL; /* Invalid chunk size */
>
>+ down(&msr_lock);
>+ if(*ppos > 0xFFFFFFFF)
>+ goto error;
>+ reg = *ppos;
>+
> for (rv = 0; count; count -= 8) {
> if (copy_from_user(&data, tmp, 8))
>- return -EFAULT;
>+ {
>+ err = -EFAULT;
>+ goto error;
>+ }
> err = do_wrmsr(cpu, reg, data[0], data[1]);
> if (err)
>- return err;
>+ goto error;
> tmp += 2;
> }
>-
>- return ((char __user *)tmp) - buf;
>+ /* Invariant err = 0 here */
>+
>+error:
>+ up(&msr_lock);
>+ if(tmp != buf)
>+ return ((char __user *)tmp) - buf;
>+ return err;
> }
>
> static int msr_open(struct inode *inode, struct file *file)
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/arch/ia64/kernel/salinfo.c linux-2.6.7-viroized/arch/ia64/kernel/salinfo.c
>--- linux-2.6.7/arch/ia64/kernel/salinfo.c 2004-06-16 21:10:24.000000000 +0100
>+++ linux-2.6.7-viroized/arch/ia64/kernel/salinfo.c 2004-06-27 17:51:10.000000000 +0100
>@@ -430,6 +430,9 @@
> size_t size;
> u8 *buf;
> u64 bufsize;
>+ loff_t pos = *ppos;
>+
>+ /* FIXME: needs seek/parallel-lock */
>
> if (data->state == STATE_LOG_RECORD) {
> buf = data->log_buffer;
>@@ -441,7 +444,7 @@
> buf = NULL;
> bufsize = 0;
> }
>- if (*ppos >= bufsize)
>+ if (pos >= bufsize)
> return 0;
>
> saldata = buf + file->f_pos;
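Review bot: In salinfo.c the source pointer is still computed from the shared position, `saldata = buf + file->f_pos;`, after the bounds check was moved to the local snapshot `pos`, so the value that is checked and the value that is used can differ if the position changes in between, which is the case the added FIXME describes. Use `saldata = buf + pos;` so the checked offset is the one dereferenced. The size computation between this line and the copy is outside the visible hunks, so confirm it is also derived from `pos`.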
>@@ -451,7 +454,7 @@
> if (copy_to_user(buffer, saldata, size))
> return -EFAULT;
>
>- *ppos += size;
>+ *ppos = pos + size;
> return size;
> }
>
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/arch/mips/sibyte/sb1250/bcm1250_tbprof.c linux-2.6.7-viroized/arch/mips/sibyte/sb1250/bcm1250_tbprof.c
>--- linux-2.6.7/arch/mips/sibyte/sb1250/bcm1250_tbprof.c 2004-06-16 21:10:18.000000000 +0100
>+++ linux-2.6.7-viroized/arch/mips/sibyte/sb1250/bcm1250_tbprof.c 2004-06-27 17:51:51.000000000 +0100
>@@ -300,6 +300,9 @@
> int count = 0;
> char *dest = buf;
> long cur_off = *offp;
>+
>+ if(curr_off < 0)
>+ return -EINVAL;
>
> count = 0;
> cur_sample = cur_off / TB_SAMPLE_SIZE;
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/arch/ppc/kernel/ppc_htab.c linux-2.6.7-viroized/arch/ppc/kernel/ppc_htab.c
>--- linux-2.6.7/arch/ppc/kernel/ppc_htab.c 2004-06-16 21:11:35.000000000 +0100
>+++ linux-2.6.7-viroized/arch/ppc/kernel/ppc_htab.c 2004-07-02 21:48:39.000000000 +0100
>@@ -106,8 +106,11 @@
> PTE *ptr;
> #endif /* CONFIG_PPC_STD_MMU */
> char buffer[512];
>+ loff_t pos = *ppos;
>
>- if (count < 0)
>+ /* FIXME - needs seek/pos locking */
>+
>+ if (pos < 0 || pos > 512)
> return -EINVAL;
>
> if (cur_cpu_spec[0]->cpu_features & CPU_FTR_604_PERF_MON) {
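Review bot: The check added to bcm1250_tbprof.c tests `curr_off`, but the local declared on the line above it is `cur_off`, so the file will not build and the negative-offset guard never takes effect. It should read `if (cur_off < 0)`. Because `cur_off` is a `long` initialised from `*offp`, a build where `long` is narrower than `loff_t` would run the sign test on a truncated value; testing `*offp < 0` before the assignment avoids that. The enclosing function starts and ends outside the hunk.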
>@@ -188,15 +191,15 @@
> "Non-error misses: %lu\n"
> "Error misses\t: %lu\n",
> pte_misses, pte_errors);
>- if (*ppos >= strlen(buffer))
>+ if (pos >= strlen(buffer))
> return 0;
>- if (n > strlen(buffer) - *ppos)
>- n = strlen(buffer) - *ppos;
>+ if (n > strlen(buffer) - pos)
>+ n = strlen(buffer) - pos;
> if (n > count)
> n = count;
>- if (copy_to_user(buf, buffer + *ppos, n))
>+ if (copy_to_user(buf, buffer + pos, n))
> return -EFAULT;
>- *ppos += n;
>+ *ppos = pos + n;
> return n;
> }
>
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/arch/ppc/platforms/proc_rtas.c linux-2.6.7-viroized/arch/ppc/platforms/proc_rtas.c
>--- linux-2.6.7/arch/ppc/platforms/proc_rtas.c 2004-06-16 21:10:23.000000000 +0100
>+++ linux-2.6.7-viroized/arch/ppc/platforms/proc_rtas.c 2004-06-27 18:05:19.000000000 +0100
>@@ -265,18 +265,21 @@
> size_t count, loff_t *ppos)
> {
> int n;
>+ loff_t pos = *ppos;
>+
>+ /* XXX - needs seek locking */
> if (power_on_time == 0)
> n = sprintf(buf, "Power on time not set\n");
> else
> n = sprintf(buf, "%lu\n", power_on_time);
>
>- if (*ppos >= strlen(buf))
>+ if (pos != (unsigned int)pos || pos >= strlen(buf))
> return 0;
>- if (n > strlen(buf) - *ppos)
>- n = strlen(buf) - *ppos;
>+ if (n > strlen(buf) - pos)
>+ n = strlen(buf) - pos;
> if (n > count)
> n = count;
>- *ppos += n;
>+ *ppos = pos + n;
> return n;
> }
>
>@@ -302,15 +305,19 @@
> size_t count, loff_t *ppos)
> {
> int n = 0;
>+ loff_t pos = *ppos;
>+
>+ /* XXX - needs seek locking */
>+
> if (progress_led != NULL)
> n = sprintf (buf, "%s\n", progress_led);
>- if (*ppos >= strlen(buf))
>+ if (pos != (unsigned int)pos || pos >= strlen(buf))
> return 0;
>- if (n > strlen(buf) - *ppos)
>- n = strlen(buf) - *ppos;
>+ if (n > strlen(buf) - pos)
>+ n = strlen(buf) - pos;
> if (n > count)
> n = count;
>- *ppos += n;
>+ *ppos = pos + n;
> return n;
> }
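Review bot: The read handlers in arch/ppc/platforms/proc_rtas.c still format straight into the caller's buffer, `n = sprintf(buf, ...)` followed by `strlen(buf)`, and `buf` appears to be the pointer handed to read() (the tone-volume handler's signature shows it as `char * buf`), so the kernel writes to and reads from an unverified address and ignores `count` while doing so; the `pos` snapshot does not address that. The ppc64 counterpart rtas-proc.c in this same patch formats into a 40-byte stack buffer and returns the data with `copy_to_user`, and the five handlers here (power-on time, progress, clock, tone frequency, tone volume) should follow that shape. Only the signature tail of the first handler is inside its hunk; the rewritten body for it is sketched below.
```c
	char stkbuf[40];
	int n;
	loff_t pos = *ppos;

	if (power_on_time == 0)
		n = scnprintf(stkbuf, sizeof(stkbuf), "Power on time not set\n");
	else
		n = scnprintf(stkbuf, sizeof(stkbuf), "%lu\n", power_on_time);

	if (pos < 0 || pos >= n)
		return 0;
	n -= pos;
	if (n > count)
		n = count;
	if (copy_to_user(buf, stkbuf + pos, n))
		return -EFAULT;
	*ppos = pos + n;
	return n;
```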
>
>@@ -346,7 +353,13 @@
> {
> unsigned int year, mon, day, hour, min, sec;
> unsigned long *ret = kmalloc(4*8, GFP_KERNEL);
>+ loff_t pos = *ppos;
> int n, error;
>+
>+ if(ret == NULL)
>+ return -ENOMEM;
>+
>+ /* Needs seek locking */
>
> error = call_rtas("get-time-of-day", 0, 8, ret);
>
>@@ -362,13 +375,13 @@
> }
> kfree(ret);
>
>- if (*ppos >= strlen(buf))
>+ if (pos != (unsigned int)pos || pos >= strlen(buf))
> return 0;
>- if (n > strlen(buf) - *ppos)
>- n = strlen(buf) - *ppos;
>+ if (n > strlen(buf) - pos)
>+ n = strlen(buf) - pos;
> if (n > count)
> n = count;
>- *ppos += n;
>+ *ppos = pos + n;
> return n;
> }
>
>@@ -734,15 +747,19 @@
> size_t count, loff_t *ppos)
> {
> int n;
>+ loff_t pos = *ppos;
>+
>+ /* XXX - needs seek locking */
>+
> n = sprintf(buf, "%lu\n", rtas_tone_frequency);
>
>- if (*ppos >= strlen(buf))
>+ if (pos != (unsigned long)pos || pos >= strlen(buf))
> return 0;
>- if (n > strlen(buf) - *ppos)
>- n = strlen(buf) - *ppos;
>+ if (n > strlen(buf) - pos)
>+ n = strlen(buf) - pos;
> if (n > count)
> n = count;
>- *ppos += n;
>+ *ppos = pos + n;
> return n;
> }
> /* ****************************************************************** */
>@@ -774,15 +791,16 @@
> static ssize_t ppc_rtas_tone_volume_read(struct file * file, char * buf,
> size_t count, loff_t *ppos)
> {
>- int n;
>- n = sprintf(buf, "%lu\n", rtas_tone_volume);
>+ int n = sprintf(buf, "%lu\n", rtas_tone_volume);
>+ loff_t pos = *ppos;
>
>- if (*ppos >= strlen(buf))
>+ /* XXX - Needs locking - actual shouldnt these all have ONE helper */
>+ if (pos != (unsigned int) pos || pos >= strlen(buf))
> return 0;
>- if (n > strlen(buf) - *ppos)
>- n = strlen(buf) - *ppos;
>+ if (n > strlen(buf) - pos)
>+ n = strlen(buf) - pos;
> if (n > count)
> n = count;
>- *ppos += n;
>+ *ppos = pos + n;
> return n;
> }
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/arch/ppc64/kernel/nvram.c linux-2.6.7-viroized/arch/ppc64/kernel/nvram.c
>--- linux-2.6.7/arch/ppc64/kernel/nvram.c 2004-06-16 21:10:20.000000000 +0100
>+++ linux-2.6.7-viroized/arch/ppc64/kernel/nvram.c 2004-07-29 17:31:32.000000000 +0100
>@@ -57,6 +57,7 @@
> static loff_t dev_nvram_llseek(struct file *file, loff_t offset, int origin)
> {
> int size;
>+ /* XXX needs locking */
>
> if (ppc_md.nvram_size == NULL)
> return -ENODEV;
>@@ -83,6 +84,7 @@
> ssize_t len;
> char *tmp_buffer;
> int size;
>+ loff_t pos = *ppos;
>
> if (ppc_md.nvram_size == NULL)
> return -ENODEV;
>@@ -90,7 +92,7 @@
>
> if (verify_area(VERIFY_WRITE, buf, count))
> return -EFAULT;
>- if (*ppos >= size)
>+ if (pos >= size || pos < 0)
> return 0;
> if (count > size)
> count = size;
>@@ -101,7 +103,9 @@
> return -ENOMEM;
> }
>
>- len = ppc_md.nvram_read(tmp_buffer, count, ppos);
>+ len = ppc_md.nvram_read(tmp_buffer, count, &pos);
>+ *ppos = pos;
>+
> if ((long)len <= 0) {
> kfree(tmp_buffer);
> return len;
>@@ -123,6 +127,7 @@
> ssize_t len;
> char * tmp_buffer;
> int size;
>+ loff_t pos = *ppos;
>
> if (ppc_md.nvram_size == NULL)
> return -ENODEV;
>@@ -130,7 +135,7 @@
>
> if (verify_area(VERIFY_READ, buf, count))
> return -EFAULT;
>- if (*ppos >= size)
>+ if (pos >= size || pos < 0)
> return 0;
> if (count > size)
> count = size;
>@@ -146,7 +151,9 @@
> return -EFAULT;
> }
>
>- len = ppc_md.nvram_write(tmp_buffer, count, ppos);
>+ len = ppc_md.nvram_write(tmp_buffer, count, &pos);
>+ *ppos = pos;
>+
> if ((long)len <= 0) {
> kfree(tmp_buffer);
> return len;
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/arch/ppc64/kernel/proc_ppc64.c linux-2.6.7-viroized/arch/ppc64/kernel/proc_ppc64.c
>--- linux-2.6.7/arch/ppc64/kernel/proc_ppc64.c 2004-06-16 21:10:19.000000000 +0100
>+++ linux-2.6.7-viroized/arch/ppc64/kernel/proc_ppc64.c 2004-07-02 21:54:49.000000000 +0100
>@@ -140,6 +140,7 @@
>
> static loff_t page_map_seek( struct file *file, loff_t off, int whence)
> {
>+ /* XXX - locking needed */
> loff_t new;
> struct proc_dir_entry *dp = PDE(file->f_dentry->d_inode);
>
>@@ -163,10 +164,10 @@
>
> static ssize_t page_map_read( struct file *file, char *buf, size_t nbytes, loff_t *ppos)
> {
>- unsigned pos = *ppos;
>+ loff_t pos = *ppos;
> struct proc_dir_entry *dp = PDE(file->f_dentry->d_inode);
>
>- if ( pos >= dp->size )
>+ if ( pos < 0 || pos >= dp->size )
> return 0;
> if ( nbytes >= dp->size )
> nbytes = dp->size;
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/arch/ppc64/kernel/rtas_flash.c linux-2.6.7-viroized/arch/ppc64/kernel/rtas_flash.c
>--- linux-2.6.7/arch/ppc64/kernel/rtas_flash.c 2004-06-16 21:11:35.000000000 +0100
>+++ linux-2.6.7-viroized/arch/ppc64/kernel/rtas_flash.c 2004-07-02 21:56:16.000000000 +0100
>@@ -238,7 +238,7 @@
> if (msglen > count)
> msglen = count;
>
>- if (ppos && *ppos != 0)
>+ if (*ppos != 0)
> return 0; /* be cheap */
>
> error = verify_area(VERIFY_WRITE, buf, msglen);
>@@ -248,8 +248,7 @@
> if (copy_to_user(buf, msg, msglen))
> return -EFAULT;
>
>- if (ppos)
>- *ppos = msglen;
>+ *ppos = msglen;
> return msglen;
> }
>
>@@ -375,7 +374,7 @@
> if (msglen > count)
> msglen = count;
>
>- if (ppos && *ppos != 0)
>+ if (*ppos != 0)
> return 0; /* be cheap */
>
> error = verify_area(VERIFY_WRITE, buf, msglen);
>@@ -385,8 +384,7 @@
> if (copy_to_user(buf, msg, msglen))
> return -EFAULT;
>
>- if (ppos)
>- *ppos = msglen;
>+ *ppos = msglen;
> return msglen;
> }
>
>@@ -481,7 +479,7 @@
>
> args_buf = (struct rtas_validate_flash_t *) dp->data;
>
>- if (ppos && *ppos != 0)
>+ if (*ppos != 0)
> return 0; /* be cheap */
>
> msglen = get_validate_flash_msg(args_buf, msg);
>@@ -495,8 +493,7 @@
> if (copy_to_user(buf, msg, msglen))
> return -EFAULT;
>
>- if (ppos)
>- *ppos = msglen;
>+ *ppos = msglen;
> return msglen;
> }
>
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/arch/ppc64/kernel/rtas-proc.c linux-2.6.7-viroized/arch/ppc64/kernel/rtas-proc.c
>--- linux-2.6.7/arch/ppc64/kernel/rtas-proc.c 2004-06-16 21:11:35.000000000 +0100
>+++ linux-2.6.7-viroized/arch/ppc64/kernel/rtas-proc.c 2004-06-27 18:18:59.000000000 +0100
>@@ -282,22 +282,24 @@
> {
> char stkbuf[40]; /* its small, its on stack */
> int n, sn;
>+ loff_t pos = *ppos;
>+
> if (power_on_time == 0)
> n = scnprintf(stkbuf,sizeof(stkbuf),"Power on time not set\n");
> else
> n = scnprintf(stkbuf,sizeof(stkbuf),"%lu\n",power_on_time);
>
> sn = strlen (stkbuf) +1;
>- if (*ppos >= sn)
>+ if (pos != (unsigned int)pos || pos >= sn)
> return 0;
>- if (n > sn - *ppos)
>- n = sn - *ppos;
>+ if (n > sn - pos)
>+ n = sn - pos;
> if (n > count)
> n = count;
>- if (copy_to_user (buf, stkbuf + (*ppos), n)) {
>+ if (copy_to_user (buf, stkbuf + pos, n)) {
> return -EFAULT;
> }
>- *ppos += n;
>+ *ppos = pos + n;
> return n;
> }
>
>@@ -329,6 +331,7 @@
> {
> int sn, n = 0;
> char *tmpbuf;
>+ loff_t pos = *ppos;
>
> if (progress_led == NULL) return 0;
>
>@@ -340,20 +343,20 @@
> n = sprintf (tmpbuf, "%s\n", progress_led);
>
> sn = strlen (tmpbuf) +1;
>- if (*ppos >= sn) {
>+ if (pos != (unsigned int)pos || pos >= sn) {
> kfree (tmpbuf);
> return 0;
> }
>- if (n > sn - *ppos)
>- n = sn - *ppos;
>+ if (n > sn - pos)
>+ n = sn - pos;
> if (n > count)
> n = count;
>- if (copy_to_user (buf, tmpbuf + (*ppos), n)) {
>+ if (copy_to_user (buf, tmpbuf + pos, n)) {
> kfree (tmpbuf);
> return -EFAULT;
> }
> kfree (tmpbuf);
>- *ppos += n;
>+ *ppos = pos + n;
> return n;
> }
>
>@@ -397,7 +400,11 @@
> unsigned long *ret = kmalloc(4*8, GFP_KERNEL);
> int n, sn, error;
> char stkbuf[40]; /* its small, its on stack */
>+ loff_t pos = *ppos;
>
>+ if(ret == NULL)
>+ return -ENOMEM;
>+
> error = rtas_call(rtas_token("get-time-of-day"), 0, 8, ret);
>
> year = ret[0]; mon = ret[1]; day = ret[2];
>@@ -414,16 +421,16 @@
> kfree(ret);
>
> sn = strlen (stkbuf) +1;
>- if (*ppos >= sn)
>+ if (pos != (unsigned int)pos || pos >= sn)
> return 0;
>- if (n > sn - *ppos)
>- n = sn - *ppos;
>+ if (n > sn - pos)
>+ n = sn - pos;
> if (n > count)
> n = count;
>- if (copy_to_user (buf, stkbuf + (*ppos), n)) {
>+ if (copy_to_user (buf, stkbuf + pos, n)) {
> return -EFAULT;
> }
>- *ppos += n;
>+ *ppos = pos + n;
> return n;
> }
>
>@@ -834,7 +841,8 @@
> char *dest;
> int error;
>
>- if (39 < count) count = 39;
>+ if (39 < count)
>+ count = 39;
> if (copy_from_user (stkbuf, buf, count)) {
> return -EFAULT;
> }
>@@ -859,20 +867,21 @@
> {
> int n, sn;
> char stkbuf[40]; /* its small, its on stack */
>+ loff_t pos = *ppos;
>
> n = scnprintf(stkbuf, 40, "%lu\n", rtas_tone_frequency);
>
> sn = strlen (stkbuf) +1;
>- if (*ppos >= sn)
>+ if (pos != (unsigned int)pos || pos >= sn)
> return 0;
>- if (n > sn - *ppos)
>- n = sn - *ppos;
>+ if (n > sn - pos)
>+ n = sn - pos;
> if (n > count)
> n = count;
>- if (copy_to_user (buf, stkbuf + (*ppos), n)) {
>+ if (copy_to_user (buf, stkbuf + pos, n)) {
> return -EFAULT;
> }
>- *ppos += n;
>+ *ppos = pos + n;
> return n;
> }
> /* ****************************************************************** */
>@@ -913,20 +922,21 @@
> {
> int n, sn;
> char stkbuf[40]; /* its small, its on stack */
>+ loff_t pos = *ppos;
>
> n = scnprintf(stkbuf, 40, "%lu\n", rtas_tone_volume);
>
> sn = strlen (stkbuf) +1;
>- if (*ppos >= sn)
>+ if (pos != (unsigned int)pos || pos >= sn)
> return 0;
>- if (n > sn - *ppos)
>- n = sn - *ppos;
>+ if (n > sn - pos)
>+ n = sn - pos;
> if (n > count)
> n = count;
> if (copy_to_user (buf, stkbuf + (*ppos), n)) {
> return -EFAULT;
> }
>- *ppos += n;
>+ *ppos = pos + n;
> return n;
> }
>
>@@ -943,14 +953,13 @@
> if (n > count)
> n = count;
>
>- if (ppos && *ppos != 0)
>+ if (*ppos != 0)
> return 0;
>
> if (copy_to_user(buf, kbuf, n))
> return -EFAULT;
>
>- if (ppos)
>- *ppos = n;
>+ *ppos = n;
>
> return n;
> }
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/arch/s390/kernel/debug.c linux-2.6.7-viroized/arch/s390/kernel/debug.c
>--- linux-2.6.7/arch/s390/kernel/debug.c 2004-06-16 21:11:35.000000000 +0100
>+++ linux-2.6.7-viroized/arch/s390/kernel/debug.c 2004-06-27 18:20:44.000000000 +0100
>@@ -427,7 +427,7 @@
>
> p_info = ((file_private_info_t *) file->private_data);
> if (*offset != p_info->offset)
>- return -EPIPE;
>+ return -ESPIPE;
> if(p_info->act_area >= p_info->debug_info_snap->nr_areas)
> return 0;
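Review bot: In the handler that formats `rtas_tone_volume` the copy was left as `copy_to_user (buf, stkbuf + (*ppos), n)` while every other use was switched to the snapshot, so the bounds check runs on `pos` but the source address is computed from a value that may have changed since the check. That can place the read outside the 40-byte `stkbuf`. Change it to `stkbuf + pos`, matching the tone-frequency handler in the hunk just above; the function's signature is outside the hunk.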
>
>@@ -449,7 +449,7 @@
> goto out;
> }
> out:
>- p_info->offset = *offset + count;
>+ p_info->offset += count;
> p_info->act_entry_offset = size;
> *offset = p_info->offset;
> return count;
>@@ -964,7 +964,7 @@
> input_buf[0]);
> }
> out:
>- *offset += in_buf_size;
>+ *offset = in_buf_size;
> return rc; /* number of input characters */
> }
>
>@@ -1031,7 +1031,7 @@
> printk(KERN_INFO "debug: area `%c` is not valid\n", input_buf[0]);
>
> out:
>- *offset += in_buf_size;
>+ *offset = in_buf_size;
> return rc; /* number of input characters */
> }
>
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/acpi/system.c linux-2.6.7-viroized/drivers/acpi/system.c
>--- linux-2.6.7/drivers/acpi/system.c 2004-06-16 21:11:35.000000000 +0100
>+++ linux-2.6.7-viroized/drivers/acpi/system.c 2004-06-27 18:23:52.000000000 +0100
>@@ -94,16 +94,22 @@
> struct acpi_buffer dsdt = {ACPI_ALLOCATE_BUFFER, NULL};
> void *data = 0;
> size_t size = 0;
>+ loff_t pos = *ppos;
>
> ACPI_FUNCTION_TRACE("acpi_system_read_dsdt");
>+
>+ /* XXX - seek locking required */
>
> status = acpi_get_table(ACPI_TABLE_DSDT, 1, &dsdt);
> if (ACPI_FAILURE(status))
> return_VALUE(-ENODEV);
>
>- if (*ppos < dsdt.length) {
>- data = dsdt.pointer + file->f_pos;
>- size = dsdt.length - file->f_pos;
>+ if (pos < 0)
>+ return -EINVAL;
>+
>+ if (pos < dsdt.length) {
>+ data = dsdt.pointer + pos;
>+ size = dsdt.length - pos;
> if (size > count)
> size = count;
> if (copy_to_user(buffer, data, size)) {
>@@ -114,7 +120,7 @@
>
> acpi_os_free(dsdt.pointer);
>
>- *ppos += size;
>+ *ppos = pos + size;
>
> return_VALUE(size);
> }
>@@ -137,6 +143,7 @@
> struct acpi_buffer fadt = {ACPI_ALLOCATE_BUFFER, NULL};
> void *data = 0;
> size_t size = 0;
>+ loff_t pos = *ppos;
>
> ACPI_FUNCTION_TRACE("acpi_system_read_fadt");
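Review bot: In drivers/acpi/system.c the new `if (pos < 0) return -EINVAL;` sits after `acpi_get_table()` has filled `dsdt`, which was requested with ACPI_ALLOCATE_BUFFER, so this early return skips the `acpi_os_free(dsdt.pointer)` shown in the next hunk and leaks the table copy on every negative-offset read. It also leaves through a plain `return` in a function opened with ACPI_FUNCTION_TRACE, where the other exits use `return_VALUE()`. Moving the test above the `acpi_get_table()` call as `if (pos < 0) return_VALUE(-EINVAL);` fixes both; the fadt read function has the same pattern in its hunk.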
>
>@@ -144,9 +151,13 @@
> if (ACPI_FAILURE(status))
> return_VALUE(-ENODEV);
>
>- if (*ppos < fadt.length) {
>- data = fadt.pointer + file->f_pos;
>- size = fadt.length - file->f_pos;
>+ /* XXX - seek locking required */
>+ if (pos < 0)
>+ return -EINVAL;
>+
>+ if (pos < fadt.length) {
>+ data = fadt.pointer + pos;
>+ size = fadt.length - pos;
> if (size > count)
> size = count;
> if (copy_to_user(buffer, data, size)) {
>@@ -157,7 +168,7 @@
>
> acpi_os_free(fadt.pointer);
>
>- *ppos += size;
>+ *ppos = pos + size;
>
> return_VALUE(size);
> }
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/block/acsi_slm.c linux-2.6.7-viroized/drivers/block/acsi_slm.c
>--- linux-2.6.7/drivers/block/acsi_slm.c 2004-06-16 21:10:03.000000000 +0100
>+++ linux-2.6.7-viroized/drivers/block/acsi_slm.c 2004-06-27 18:25:29.000000000 +0100
>@@ -366,10 +366,12 @@
> {
> struct inode *node = file->f_dentry->d_inode;
> unsigned long page;
>+ loff_t pos = *ppos;
> int length;
> int end;
>
>- if (count < 0)
>+ /* XXX - seek locking required */
>+ if (count < 0 || pos < 0)
> return( -EINVAL );
> if (!(page = __get_free_page( GFP_KERNEL )))
> return( -ENOMEM );
>@@ -379,18 +381,18 @@
> count = length;
> goto out;
> }
>- if (file->f_pos >= length) {
>+ if (pos >= length) {
> count = 0;
> goto out;
> }
>- if (count + file->f_pos > length)
>- count = length - file->f_pos;
>- end = count + file->f_pos;
>- if (copy_to_user(buf, (char *)page + file->f_pos, count)) {
>+ if (count + pos > length)
>+ count = length - pos;
>+ end = count + pos;
>+ if (copy_to_user(buf, (char *)page + pos, count)) {
> count = -EFAULT;
> goto out;
> }
>- file->f_pos = end;
>+ *ppos = end;
> out: free_page( page );
> return( count );
> }
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/char/generic_nvram.c linux-2.6.7-viroized/drivers/char/generic_nvram.c
>--- linux-2.6.7/drivers/char/generic_nvram.c 2004-06-16 21:09:52.000000000 +0100
>+++ linux-2.6.7-viroized/drivers/char/generic_nvram.c 2004-07-03 00:13:14.000000000 +0100
>@@ -22,12 +22,16 @@
> #include <linux/smp_lock.h>
> #include <asm/uaccess.h>
> #include <asm/nvram.h>
>+#include <asm/semaphore.h>
>
> #define NVRAM_SIZE 8192
>
>+static DECLARE_MUTEX(nvram_sem);
>+
> static loff_t nvram_llseek(struct file *file, loff_t offset, int origin)
> {
>- lock_kernel();
>+ down(&nvram_sem);
>+
> switch (origin) {
> case 1:
> offset += file->f_pos;
>@@ -37,48 +41,59 @@
> break;
> }
> if (offset < 0) {
>- unlock_kernel();
>+ up(&nvram_sem);
> return -EINVAL;
> }
> file->f_pos = offset;
>- unlock_kernel();
>+ up(&nvram_sem);
> return file->f_pos;
> }
>
> static ssize_t read_nvram(struct file *file, char __user *buf,
> size_t count, loff_t *ppos)
> {
>- unsigned int i;
>+ loff_t i;
> char __user *p = buf;
>-
>+
> if (verify_area(VERIFY_WRITE, buf, count))
> return -EFAULT;
>- if (*ppos >= NVRAM_SIZE)
>- return 0;
>+
>+ down(&nvram_sem);
>+ /* If we are already off the end then we report 0 anyway .. */
> for (i = *ppos; count > 0 && i < NVRAM_SIZE; ++i, ++p, --count)
> if (__put_user(nvram_read_byte(i), p))
>+ {
>+ up(&nvram_sem);
> return -EFAULT;
>+ }
> *ppos = i;
>+ up(&nvram_sem);
> return p - buf;
> }
>
> static ssize_t write_nvram(struct file *file, const char __user *buf,
> size_t count, loff_t *ppos)
> {
>- unsigned int i;
>+ loff_t i;
> const char __user *p = buf;
> char c;
>+ struct semaphore *s = &file->f_dentry->d_inode->i_sem;
>
> if (verify_area(VERIFY_READ, buf, count))
> return -EFAULT;
>- if (*ppos >= NVRAM_SIZE)
>- return 0;
>+
>+ down(&nvram_sem);
>+ /* if *ppos > end then we return 0 anyway */
> for (i = *ppos; count > 0 && i < NVRAM_SIZE; ++i, ++p, --count) {
> if (__get_user(c, p))
>+ {
>+ up(&nvram_sem);
> return -EFAULT;
>+ }
> nvram_write_byte(c, i);
> }
> *ppos = i;
>+ up(&nvram_sem);
> return p - buf;
> }
>
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/char/i8k.c linux-2.6.7-viroized/drivers/char/i8k.c
>--- linux-2.6.7/drivers/char/i8k.c 2004-06-16 21:11:35.000000000 +0100
>+++ linux-2.6.7-viroized/drivers/char/i8k.c 2004-06-27 18:27:16.000000000 +0100
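Review bot: write_nvram gains `struct semaphore *s = &file->f_dentry->d_inode->i_sem;`, but `s` is never used in the lines shown because all locking goes through `nvram_sem`, so the declaration should be dropped. Separately, with `i` widened to `loff_t` and the `*ppos >= NVRAM_SIZE` test removed, the loop condition `i < NVRAM_SIZE` is also true for a negative position, which the old `unsigned int i` excluded by wrapping to a large value. If any caller can supply a negative `*ppos` (not visible here), add `if (*ppos < 0) return -EINVAL;` to read_nvram and write_nvram. The `loff_t i` loops added to nvram_read and nvram_write in drivers/char/nvram.c have the same property.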
>@@ -464,27 +464,32 @@
>
> static ssize_t i8k_read(struct file *f, char __user *buffer, size_t len, loff_t *fpos)
> {
>+ loff_t pos = *fpos;
> int n;
> char info[128];
>+
>+ /* XXX - seek locking required */
>
> n = i8k_get_info(info, NULL, 0, 128);
>- if (n <= 0) {
>+ if (n <= 0)
> return n;
>- }
>+
>+ if (pos < 0)
>+ return -EINVAL;
>
>- if (*fpos >= n) {
>+ if (pos >= n) {
> return 0;
> }
>
>- if ((*fpos + len) >= n) {
>- len = n - *fpos;
>+ if (pos + len >= n) {
>+ len = n - pos;
> }
>
> if (copy_to_user(buffer, info, len) != 0) {
> return -EFAULT;
> }
>
>- *fpos += len;
>+ *fpos = pos + len;
> return len;
> }
>
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/char/istallion.c linux-2.6.7-viroized/drivers/char/istallion.c
>--- linux-2.6.7/drivers/char/istallion.c 2004-06-16 21:09:53.000000000 +0100
>+++ linux-2.6.7-viroized/drivers/char/istallion.c 2004-06-27 18:30:05.000000000 +0100
>@@ -4821,6 +4821,7 @@
> void *memptr;
> stlibrd_t *brdp;
> int brdnr, size, n;
>+ loff_t pos = *offp;
>
> #if DEBUG
> printk(KERN_DEBUG "stli_memread(fp=%x,buf=%x,count=%x,offp=%x)\n",
>@@ -4835,26 +4836,27 @@
> return(-ENODEV);
> if (brdp->state == 0)
> return(-ENODEV);
>- if (fp->f_pos >= brdp->memsize)
>+ if (pos < 0 || pos >= brdp->memsize)
> return(0);
>
>- size = MIN(count, (brdp->memsize - fp->f_pos));
>+ size = MIN(count, (brdp->memsize - pos));
>
> save_flags(flags);
> cli();
> EBRDENABLE(brdp);
> while (size > 0) {
> memptr = (void *) EBRDGETMEMPTR(brdp, fp->f_pos);
>- n = MIN(size, (brdp->pagesize - (((unsigned long) fp->f_pos) % brdp->pagesize)));
>+ n = MIN(size, (brdp->pagesize - (((unsigned long) pos) % brdp->pagesize)));
> if (copy_to_user(buf, memptr, n)) {
> count = -EFAULT;
> goto out;
> }
>- fp->f_pos += n;
>+ pos += n;
> buf += n;
> size -= n;
> }
> out:
>+ *ppos = pos;
> EBRDDISABLE(brdp);
> restore_flags(flags);
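Review bot: i8k_read still copies from the start of the buffer, `copy_to_user(buffer, info, len)`, even when `pos` is non-zero, so a read at an offset returns the beginning of `info` again rather than the bytes at `pos`. Since `len` has already been clamped to `n - pos`, the source should be `info + pos`.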
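Review bot: stli_memread takes its snapshot from `*offp` but writes it back with `*ppos = pos;`, and the DEBUG printk context in both istallion functions names the parameter `offp`, so `ppos` looks undeclared here and in stli_memwrite (`loff_t pos = *ppos;`, `*ppos = pos;`). The read loop also still maps the board window with `EBRDGETMEMPTR(brdp, fp->f_pos)` while only `pos` advances, so each iteration would address the same location; stli_memwrite was converted to `EBRDGETMEMPTR(brdp, pos)` and the read side should match. Both function bodies start and end outside the hunks, so the parameter name should be confirmed against the full signatures.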
>
>@@ -4876,7 +4878,8 @@
> stlibrd_t *brdp;
> char *chbuf;
> int brdnr, size, n;
>-
>+ loff_t pos = *ppos;
>+
> #if DEBUG
> printk(KERN_DEBUG "stli_memwrite(fp=%x,buf=%x,count=%x,offp=%x)\n",
> (int) fp, (int) buf, count, (int) offp);
>@@ -4890,26 +4893,27 @@
> return(-ENODEV);
> if (brdp->state == 0)
> return(-ENODEV);
>- if (fp->f_pos >= brdp->memsize)
>+ if (pos < 0 || pos >= brdp->memsize)
> return(0);
>
> chbuf = (char *) buf;
>- size = MIN(count, (brdp->memsize - fp->f_pos));
>+ size = MIN(count, (brdp->memsize - pos));
>
> save_flags(flags);
> cli();
> EBRDENABLE(brdp);
> while (size > 0) {
>- memptr = (void *) EBRDGETMEMPTR(brdp, fp->f_pos);
>- n = MIN(size, (brdp->pagesize - (((unsigned long) fp->f_pos) % brdp->pagesize)));
>+ memptr = (void *) EBRDGETMEMPTR(brdp, pos);
>+ n = MIN(size, (brdp->pagesize - (((unsigned long) pos) % brdp->pagesize)));
> if (copy_from_user(memptr, chbuf, n)) {
> count = -EFAULT;
> goto out;
> }
>- fp->f_pos += n;
>+ pos += n;
> chbuf += n;
> size -= n;
> }
>+ *ppos = pos;
> out:
> EBRDDISABLE(brdp);
> restore_flags(flags);
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/char/mem.c linux-2.6.7-viroized/drivers/char/mem.c
>--- linux-2.6.7/drivers/char/mem.c 2004-06-16 21:11:35.000000000 +0100
>+++ linux-2.6.7-viroized/drivers/char/mem.c 2004-06-28 14:48:13.000000000 +0100
>@@ -143,7 +143,7 @@
> return -EFAULT;
> }
> written += count;
>- *ppos += written;
>+ *ppos = realp + written;
> return written;
> }
>
>@@ -180,7 +180,7 @@
> if (copy_to_user(buf, __va(p), count))
> return -EFAULT;
> read += count;
>- *ppos += read;
>+ *ppos = p + read;
> return read;
> }
>
>diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/char/nvram.c linux-2.6.7-viroized/drivers/char/nvram.c
>--- linux-2.6.7/drivers/char/nvram.c 2004-06-16 21:11:35.000000000 +0100
>+++ linux-2.6.7-viroized/drivers/char/nvram.c 2004-07-03 00:16:14.000000000 +0100
>@@ -233,7 +233,7 @@ > > static loff_t nvram_llseek(struct file *file,loff_t offset, int origin ) > { >- lock_kernel(); >+ spin_lock_irq(&rtc_lock); > switch (origin) { > case 0: > /* nothing to do */ >@@ -245,35 +245,39 @@ > offset += NVRAM_BYTES; > break; > } >- unlock_kernel(); >- return (offset >= 0) ? (file->f_pos = offset) : -EINVAL; >+ if(offset < 0 || offset > NVRAM_BYTES) >+ offset = -EINVAL; >+ else >+ file->f_pos = offset; >+ spin_unlock_irq(&rtc_lock); >+ return offset; > } > > static ssize_t > nvram_read(struct file *file, char __user *buf, size_t count, loff_t *ppos) > { > unsigned char contents[NVRAM_BYTES]; >- unsigned i = *ppos; >+ loff_t i; > unsigned char *tmp; >- >+ > spin_lock_irq(&rtc_lock); >- > if (!__nvram_check_checksum()) > goto checksum_err; >+ >+ i = *ppos; > > for (tmp = contents; count-- > 0 && i < NVRAM_BYTES; ++i, ++tmp) > *tmp = __nvram_read_byte(i); > >+ *ppos = i; > spin_unlock_irq(&rtc_lock); > > if (copy_to_user(buf, contents, tmp - contents)) > return -EFAULT; > >- *ppos = i; >- > return tmp - contents; > >- checksum_err: >+checksum_err: > spin_unlock_irq(&rtc_lock); > return -EIO; > } 
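Review bot: `i` becomes a signed `loff_t` in nvram_read, but the loop still tests only `i < NVRAM_BYTES`, so a negative `*ppos` would pass the bound and let `tmp` run past `contents[NVRAM_BYTES]` for a large `count`. nvram_llseek in this hunk rejects negative offsets, but whether every other path that sets `*ppos` does so is not visible here. An explicit guard after `i = *ppos;`, such as `if (i < 0) { spin_unlock_irq(&rtc_lock); return -EINVAL; }`, would match the `pos < 0` checks added elsewhere in this patch. The `len-- > 0 && i < NVRAM_BYTES` loop in the nvram_write hunk that follows has the same gap.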
>@@ -282,31 +286,37 @@ > nvram_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) > { > unsigned char contents[NVRAM_BYTES]; >- unsigned i = *ppos; >+ loff_t i; > unsigned char *tmp; >- int len; >+ int len = count; > >- len = (NVRAM_BYTES - i) < count ? (NVRAM_BYTES - i) : count; >+ if (len > NVRAM_BYTES) >+ len = NVRAM_BYTES; >+ > if (copy_from_user(contents, buf, len)) >+ { >+ > return -EFAULT; >+ } > > spin_lock_irq(&rtc_lock); > >+ i = *ppos; >+ > if (!__nvram_check_checksum()) > goto checksum_err; > >- for (tmp = contents; count-- > 0 && i < NVRAM_BYTES; ++i, ++tmp) >+ for (tmp = contents; len-- > 0 && i < NVRAM_BYTES; ++i, ++tmp) > __nvram_write_byte(*tmp, i); > > __nvram_set_checksum(); > >- spin_unlock_irq(&rtc_lock); >- > *ppos = i; >+ spin_unlock_irq(&rtc_lock); > > return tmp - contents; > >- checksum_err: >+checksum_err: > spin_unlock_irq(&rtc_lock); > return -EIO; > } >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/char/nwflash.c linux-2.6.7-viroized/drivers/char/nwflash.c >--- linux-2.6.7/drivers/char/nwflash.c 2004-06-16 21:09:53.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/char/nwflash.c 2004-07-03 00:18:13.000000000 +0100 >@@ -134,7 +134,7 @@ > > static ssize_t flash_read(struct file *file, char *buf, size_t size, loff_t * ppos) > { >- unsigned long p = *ppos; >+ loff_t p; > unsigned int count = size; > int ret = 0; > >@@ -145,6 +145,10 @@ > if (count) > ret = -ENXIO; > >+ if (down_interruptible(&nwflash_sem)) >+ return -ERESTARTSYS; >+ p = *ppos; >+ > if (p < gbFlashSize) { > if (count > gbFlashSize - p) > count = gbFlashSize - p; >@@ -152,8 +156,6 @@ > /* > * We now lock against reads and writes. --rmk > */ >- if (down_interruptible(&nwflash_sem)) >- return -ERESTARTSYS; > > ret = copy_to_user(buf, (void *)(FLASH_BASE + p), count); > if (ret == 0) { 
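Review bot: `int len = count;` in nvram_write narrows the caller-supplied `size_t` before the clamp, so a `count` above `INT_MAX` becomes a negative `len`, passes `if (len > NVRAM_BYTES)` and reaches `copy_from_user(contents, buf, len)` as a very large size against the `NVRAM_BYTES`-byte stack buffer. Whether copy_from_user's own range check rejects that size on every architecture is not visible here, so the code should not depend on it. Clamping before narrowing avoids the problem: `int len = count > NVRAM_BYTES ? NVRAM_BYTES : count;`.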
>@@ -161,14 +163,14 @@ > *ppos += count; > } else > ret = -EFAULT; >- up(&nwflash_sem); > } >+ up(&nwflash_sem); > return ret; > } > > static ssize_t flash_write(struct file *file, const char *buf, size_t size, loff_t * ppos) > { >- unsigned long p = *ppos; >+ loff_t p; > unsigned int count = size; > int written; > int nBlock, temp, rc; >@@ -181,26 +183,38 @@ > if (!gbWriteEnable) > return -EINVAL; > >+ /* >+ * We now lock against reads and writes. --rmk >+ */ >+ if (down_interruptible(&nwflash_sem)) >+ return -ERESTARTSYS; >+ >+ >+ p = *ppos; > if (p < 64 * 1024 && (!gbWriteBase64Enable)) >- return -EINVAL; >+ { >+ written = -EINVAL; >+ goto error; >+ } > > /* > * check for out of range pos or count > */ > if (p >= gbFlashSize) >- return count ? -ENXIO : 0; >+ { >+ written = 0; >+ goto error; >+ } > > if (count > gbFlashSize - p) > count = gbFlashSize - p; > > if (verify_area(VERIFY_READ, buf, count)) >- return -EFAULT; >+ { >+ written = -EFAULT; >+ goto error; >+ } > >- /* >- * We now lock against reads and writes. --rmk >- */ >- if (down_interruptible(&nwflash_sem)) >- return -ERESTARTSYS; > > written = 0; > >@@ -286,9 +300,8 @@ > * restore reg on exit > */ > leds_event(led_release); >- >+error: > up(&nwflash_sem); >- > return written; > } > >@@ -305,11 +318,11 @@ > { > loff_t ret; > >- lock_kernel(); > if (flashdebug) > printk(KERN_DEBUG "flash_llseek: offset=0x%X, orig=0x%X.\n", > (unsigned int) offset, orig); > >+ down(&nwflash_sem); > switch (orig) { > case 0: > if (offset < 0) { >@@ -340,7 +353,7 @@ > default: > ret = -EINVAL; > } >- unlock_kernel(); >+ up(&nwflash_sem); > return ret; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/ieee1394/pcilynx.c linux-2.6.7-viroized/drivers/ieee1394/pcilynx.c >--- linux-2.6.7/drivers/ieee1394/pcilynx.c 2004-06-16 21:10:03.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/ieee1394/pcilynx.c 2004-07-03 00:23:17.000000000 +0100 
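Review bot: The out-of-range branch in flash_write now sets `written = 0` unconditionally, where the removed line returned `count ? -ENXIO : 0`. A non-empty write at or past `gbFlashSize` therefore reports zero bytes written instead of an error, and a caller that retries short writes may loop. Keeping the old result on the new exit path would be `written = count ? -ENXIO : 0; goto error;`. `p` is also a signed `loff_t` now, and nothing in this hunk rejects a negative value before `p < 64 * 1024` and `p >= gbFlashSize` are evaluated; the same holds for `p < gbFlashSize` in the flash_read hunk above. flash_write's body continues outside the hunk.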
>@@ -1052,12 +1052,13 @@ > ssize_t retval; > void *membase; > >- if ((off + count) > PCILYNX_MAX_MEMORY+1) { >- count = PCILYNX_MAX_MEMORY+1 - off; >- } >- if (count == 0 || off > PCILYNX_MAX_MEMORY) { >+ /* XXX - should do proper locking instead */ >+ if (off < 0) >+ return -EINVAL; >+ if (off > PCILYNX_MAX_MEMORY) > return -ENOSPC; >- } >+ if (count > PCILYNX_MAX_MEMORY + 1 - off) >+ count = PCILYNX_MAX_MEMORY + 1 - off; > > switch (md->type) { > case rom: >@@ -1078,6 +1079,7 @@ > > if (count < mem_mindma) { > memcpy_fromio(md->lynx->mem_dma_buffer, membase+off, count); >+ off += count; > goto out; > } > >@@ -1099,7 +1101,12 @@ > while (bcount >= 4) { > retval = mem_dmaread(md, md->lynx->mem_dma_buffer_dma > + count - bcount, bcount, off); >- if (retval < 0) return retval; >+ if (retval < 0) >+ { >+ /* FIXME - ought to report short read on error */ >+ up(&md->lynx->mem_dma_mutex); >+ return retval; >+ } > > bcount -= retval; > off += retval; >@@ -1108,14 +1115,16 @@ > if (bcount) { > memcpy_fromio(md->lynx->mem_dma_buffer + count - bcount, > membase+off, bcount); >+ off += bcount; > } > > out: > retval = copy_to_user(buffer, md->lynx->mem_dma_buffer, count); > up(&md->lynx->mem_dma_mutex); > >- if (retval) return -EFAULT; >- *offset += count; >+ if (retval < 0) >+ return -EFAULT; >+ *offset = off; > return count; > } 
> >@@ -1124,32 +1133,37 @@ > loff_t *offset) > { > struct memdata *md = (struct memdata *)file->private_data; >+ loff_t off = * offset; >+ > >- if (((*offset) + count) > PCILYNX_MAX_MEMORY+1) { >- count = PCILYNX_MAX_MEMORY+1 - *offset; >- } >- if (count == 0 || *offset > PCILYNX_MAX_MEMORY) { >- return -ENOSPC; >- } >+ if (!count) >+ return 0; >+ if (off < 0) >+ return -EINVAL; >+ if (off > PCILYNX_MAX_MEMORY) >+ return -ENOSPC; >+ >+ if (count) > PCILYNX_MAX_MEMORY + 1 - off) >+ count = PCILYNX_MAX_MEMORY + 1 - off; > > /* FIXME: dereferencing pointers to PCI mem doesn't work everywhere */ > switch (md->type) { > case aux: >- if (copy_from_user(md->lynx->aux_port+(*offset), buffer, count)) >+ if (copy_from_user(md->lynx->aux_port+off, buffer, count)) > return -EFAULT; > break; > case ram: >- if (copy_from_user(md->lynx->local_ram+(*offset), buffer, count)) >+ if (copy_from_user(md->lynx->local_ram+off, buffer, count)) > return -EFAULT; > break; > case rom: > /* the ROM may be writeable */ >- if (copy_from_user(md->lynx->local_rom+(*offset), buffer, count)) >+ if (copy_from_user(md->lynx->local_rom+off, buffer, count)) > return -EFAULT; > break; > } > >- file->f_pos += count; >+ *offset = off + count; > return count; > } > #endif /* CONFIG_IEEE1394_PCILYNX_PORTS */ >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/isdn/divert/divert_procfs.c linux-2.6.7-viroized/drivers/isdn/divert/divert_procfs.c >--- linux-2.6.7/drivers/isdn/divert/divert_procfs.c 2004-06-16 21:10:00.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/isdn/divert/divert_procfs.c 2004-06-27 18:42:56.000000000 +0100 >@@ -79,6 +79,7 @@ > isdn_divert_read(struct file *file, char *buf, size_t count, loff_t * off) > { > struct divert_info *inf; >+ loff_t pos = *off; > int len; > > if (!*((struct divert_info **) file->private_data)) { 
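Review bot: `if (retval < 0)` after `retval = copy_to_user(...)` can no longer detect a failed copy, because copy_to_user() returns the number of bytes it could not copy and never a negative value. As written, a faulting user buffer is reported as a successful read of `count` bytes and `*offset` is advanced. The removed test was the correct one and the line should stay `if (retval) return -EFAULT;`.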
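Review bot: `if (count) > PCILYNX_MAX_MEMORY + 1 - off)` has a stray closing parenthesis after `count` and will not compile; it should be `if (count > PCILYNX_MAX_MEMORY + 1 - off)`. The function ends just before `#endif /* CONFIG_IEEE1394_PCILYNX_PORTS */`, so a build without that option would not catch the error. The clamp is the only bound on the three `copy_from_user()` calls into device memory that follow, so it needs to be compiled and tested with the option enabled.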
>@@ -94,8 +95,8 @@ > if ((len = strlen(inf->info_start)) <= count) { > if (copy_to_user(buf, inf->info_start, len)) > return -EFAULT; >- file->f_pos += len; >- return (len); >+ *off = pos + len; >+ return len; > } > return (0); > } /* isdn_divert_read */ >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/isdn/hysdn/hysdn_procconf.c linux-2.6.7-viroized/drivers/isdn/hysdn/hysdn_procconf.c >--- linux-2.6.7/drivers/isdn/hysdn/hysdn_procconf.c 2004-06-16 21:09:59.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/isdn/hysdn/hysdn_procconf.c 2004-06-27 18:44:13.000000000 +0100 
>@@ -211,29 +211,27 @@ > static ssize_t > hysdn_conf_read(struct file *file, char *buf, size_t count, loff_t * off) > { >+ loff_t pos = *off; > char *cp; > int i; > > if (off != &file->f_pos) /* fs error check */ > return -ESPIPE; > >- if (file->f_mode & FMODE_READ) { >- if (!(cp = file->private_data)) >- return (-EFAULT); /* should never happen */ >- i = strlen(cp); /* get total string length */ >- if (*off < i) { >- /* still bytes to transfer */ >- cp += *off; /* point to desired data offset */ >- i -= *off; /* remaining length */ >- if (i > count) >- i = count; /* limit length to transfer */ >- if (copy_to_user(buf, cp, i)) >- return (-EFAULT); /* copy error */ >- *off += i; /* adjust offset */ >- } else >- return (0); >+ if (!(cp = file->private_data)) >+ return (-EFAULT); /* should never happen */ >+ i = strlen(cp); /* get total string length */ >+ if (pos == (unsigned)pos && pos < i) { >+ /* still bytes to transfer */ >+ cp += pos; /* point to desired data offset */ >+ i -= pos; /* remaining length */ >+ if (i > count) >+ i = count; /* limit length to transfer */ >+ if (copy_to_user(buf, cp, i)) >+ return (-EFAULT); /* copy error */ >+ *off = pos + i; /* adjust offset */ > } else >- return (-EPERM); /* no permission to read */ >+ return 0; > > return (i); > } /* hysdn_conf_read */ >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/isdn/hysdn/hysdn_proclog.c linux-2.6.7-viroized/drivers/isdn/hysdn/hysdn_proclog.c >--- linux-2.6.7/drivers/isdn/hysdn/hysdn_proclog.c 2004-06-16 21:09:59.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/isdn/hysdn/hysdn_proclog.c 2004-06-27 18:45:01.000000000 +0100 >@@ -210,6 +210,7 @@ > struct proc_dir_entry *pde = PDE(file->f_dentry->d_inode); > struct procdata *pd = NULL; > hysdn_card *card; >+ loff_t pos = *off; > > if (!*((struct log_data **) file->private_data)) { > if (file->f_flags & O_NONBLOCK) 
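Review bot: The test `pos == (unsigned)pos` in hysdn_conf_read is the range validation for the `int` arithmetic that follows (`cp += pos`, `i -= pos`), but nothing in the code says so. A comment above the `if`, such as `/* reject negative or >32-bit offsets before mixing pos with the int length */`, would stop a later cleanup from dropping it. The hunk also removes the `FMODE_READ` test and its `-EPERM` result without comment; if that check is assumed to happen in the caller, the code should say so.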
>@@ -237,7 +238,7 @@ > if ((len = strlen(inf->log_start)) <= count) { > if (copy_to_user(buf, inf->log_start, len)) > return -EFAULT; >- file->f_pos += len; >+ *off = pos + len; > return (len); > } > return (0); >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/isdn/i4l/isdn_common.c linux-2.6.7-viroized/drivers/isdn/i4l/isdn_common.c >--- linux-2.6.7/drivers/isdn/i4l/isdn_common.c 2004-06-16 21:11:35.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/isdn/i4l/isdn_common.c 2004-07-29 17:30:30.000000000 +0100 >@@ -937,7 +937,7 @@ > } > > static ssize_t >-isdn_read(struct file *file, char *buf, size_t count, loff_t * off) >+isdn_read(struct file *file, char __user *buf, size_t count, loff_t * poff) > { > uint minor = MINOR(file->f_dentry->d_inode->i_rdev); > int len = 0; >@@ -945,11 +945,14 @@ > int chidx; > int retval; > char *p; >+ loff_t off; > >- if (off != &file->f_pos) >+ if (poff != &file->f_pos) > return -ESPIPE; > > lock_kernel(); >+ off = *poff; >+ > if (minor == ISDN_MINOR_STATUS) { > if (!file->private_data) { > if (file->f_flags & O_NONBLOCK) { >@@ -965,7 +968,7 @@ > retval = -EFAULT; > goto out; > } >- *off += len; >+ off += len; > retval = len; > goto out; > } >@@ -994,7 +997,7 @@ > } > len = isdn_readbchan(drvidx, chidx, p, 0, count, > &dev->drv[drvidx]->rcv_waitq[chidx]); >- *off += len; >+ off += len; > if (copy_to_user(buf,p,len)) > len = -EFAULT; > kfree(p); >@@ -1027,7 +1030,7 @@ > dev->drv[drvidx]->stavail -= len; > else > dev->drv[drvidx]->stavail = 0; >- *off += len; >+ off += len; > retval = len; > goto out; > } 
>@@ -1039,6 +1042,7 @@ > #endif > retval = -ENODEV; > out: >+ *poff = off; > unlock_kernel(); > return retval; > } >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/macintosh/ans-lcd.c linux-2.6.7-viroized/drivers/macintosh/ans-lcd.c >--- linux-2.6.7/drivers/macintosh/ans-lcd.c 2004-06-16 21:10:09.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/macintosh/ans-lcd.c 2004-06-27 18:49:16.000000000 +0100 >@@ -22,6 +22,7 @@ > static unsigned long anslcd_short_delay = 80; > static unsigned long anslcd_long_delay = 3280; > static volatile unsigned char* anslcd_ptr; >+static DECLARE_MUTEX(anslcd_lock); > > #undef DEBUG > >@@ -61,13 +62,15 @@ > > if ( verify_area(VERIFY_READ, buf, count) ) > return -EFAULT; >- for ( i = *ppos; count > 0; ++i, ++p, --count ) >+ >+ down(&anslcd_lock); >+ for (; count > 0; ++p, --count ) > { > char c; > __get_user(c, p); > anslcd_write_byte_data( c ); > } >- *ppos = i; >+ up(&anslcd_lock); > return p - buf; > } > >@@ -76,11 +79,14 @@ > unsigned int cmd, unsigned long arg ) > { > char ch, *temp; >- >+ int ret = 0; >+ > #ifdef DEBUG > printk(KERN_DEBUG "LCD: ioctl(%d,%d)\n",cmd,arg); > #endif > >+ down(&anslcd_lock); >+ > switch ( cmd ) > { > case ANSLCD_CLEAR: >@@ -89,7 +95,7 @@ > anslcd_write_byte_ctrl ( 0x06 ); > anslcd_write_byte_ctrl ( 0x01 ); > anslcd_write_byte_ctrl ( 0x02 ); >- return 0; >+ break; > case ANSLCD_SENDCTRL: > temp = (char *) arg; > __get_user(ch, temp); 
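Review bot: In the ANSLCD_SENDCTRL case kept as context, `temp = (char *) arg` is read with `__get_user(ch, temp)`, and no verify_area() or access_ok() on `arg` is visible before it, so the ioctl dereferences whatever address the caller passes without a range check. Since this patch already introduces `ret` and a common exit, the checking variant fits: `if (get_user(ch, temp)) { ret = -EFAULT; break; }`. The loop that follows continues outside this hunk and its `__get_user` needs the same treatment.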
>@@ -97,20 +103,24 @@ > anslcd_write_byte_ctrl ( ch ); > __get_user(ch, temp); > } >- return 0; >+ break; > case ANSLCD_SETSHORTDELAY: > if (!capable(CAP_SYS_ADMIN)) >- return -EACCES; >- anslcd_short_delay=arg; >- return 0; >+ ret = -EACCES; >+ else >+ anslcd_short_delay=arg; >+ break; > case ANSLCD_SETLONGDELAY: > if (!capable(CAP_SYS_ADMIN)) >- return -EACCES; >- anslcd_long_delay=arg; >- return 0; >+ ret = -EACCES; >+ else >+ anslcd_long_delay=arg; >+ break; > default: >- return -EINVAL; >+ ret = -EINVAL; > } >+ up(&anslcd_lock); >+ return ret; > } > > static int __pmac >@@ -121,6 +131,7 @@ > > struct file_operations anslcd_fops = { > .write = anslcd_write, >+ .llseek = no_llseek, > .ioctl = anslcd_ioctl, > .open = anslcd_open, > }; >@@ -150,9 +161,16 @@ > return -ENODEV; > > anslcd_ptr = (volatile unsigned char*)ioremap(ANSLCD_ADDR, 0x20); >- >+ if(anslcd_ptr == NULL) >+ return -ENOMEM; >+ >+ down(&anslcd_lock); >+ /* Locked so that an opener cannot race the init writes to the >+ chip after misc_register */ >+ > retval = misc_register(&anslcd_dev); > if(retval < 0){ >+ up(&anslcd_lock); > printk(KERN_INFO "LCD: misc_register failed\n"); > iounmap(anslcd_ptr); > return retval; >@@ -170,6 +188,7 @@ > for(a=0;a<80;a++) { > anslcd_write_byte_data(anslcd_logo[a]); > } >+ up(&anslcd_lock); > return 0; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/macintosh/nvram.c linux-2.6.7-viroized/drivers/macintosh/nvram.c >--- linux-2.6.7/drivers/macintosh/nvram.c 2004-06-16 21:10:09.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/macintosh/nvram.c 2004-06-27 22:18:04.000000000 +0100 
>@@ -16,12 +16,16 @@ > #include <linux/smp_lock.h> > #include <asm/uaccess.h> > #include <asm/nvram.h> >+#include <asm/semaphore.h> >+ >+static DECLARE_MUTEX(nvram_mutex); > > #define NVRAM_SIZE 8192 > >+ > static loff_t nvram_llseek(struct file *file, loff_t offset, int origin) > { >- lock_kernel(); >+ down(&nvram_mutex); > switch (origin) { > case 1: > offset += file->f_pos; >@@ -31,11 +35,11 @@ > break; > } > if (offset < 0) { >- unlock_kernel(); >+ up(s); > return -EINVAL; > } > file->f_pos = offset; >- unlock_kernel(); >+ up(&nvram_mutex); > return file->f_pos; > } > >@@ -44,15 +48,18 @@ > { > unsigned int i; > char __user *p = buf; >- > if (verify_area(VERIFY_WRITE, buf, count)) > return -EFAULT; >- if (*ppos >= NVRAM_SIZE) >- return 0; >+ >+ down(&nvram_mutex); > for (i = *ppos; count > 0 && i < NVRAM_SIZE; ++i, ++p, --count) > if (__put_user(nvram_read_byte(i), p)) >+ { >+ up(&nvram_mutex); > return -EFAULT; >+ } > *ppos = i; >+ up(&nvram_mutex); > return p - buf; > } > >@@ -65,14 +72,18 @@ > > if (verify_area(VERIFY_READ, buf, count)) > return -EFAULT; >- if (*ppos >= NVRAM_SIZE) >- return 0; >+ >+ down(&nvram_mutex); > for (i = *ppos; count > 0 && i < NVRAM_SIZE; ++i, ++p, --count) { > if (__get_user(c, p)) >+ { >+ up(&nvram_mutex); > return -EFAULT; >+ } > nvram_write_byte(c, i); > } > *ppos = i; >+ up(&nvram_mutex); > return p - buf; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/mtd/mtdcore.c linux-2.6.7-viroized/drivers/mtd/mtdcore.c >--- linux-2.6.7/drivers/mtd/mtdcore.c 2004-06-16 21:09:58.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/mtd/mtdcore.c 2004-06-27 22:44:28.000000000 +0100 
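Review bot: `up(s);` on the `offset < 0` path of nvram_llseek names an identifier that is not declared anywhere in the visible code. The error path has to release the semaphore taken at the top of the function, so the line should be `up(&nvram_mutex);`.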
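Review bot: Removing `if (*ppos >= NVRAM_SIZE) return 0;` from read_nvram drops the only range check made on the full `loff_t`. The loop still starts from `unsigned int i`, so `i = *ppos` truncates an offset above 32 bits and can land back inside `0..NVRAM_SIZE-1`; nvram_llseek above rejects only negative offsets. The check can be kept under the semaphore: `if (*ppos < 0 || *ppos >= NVRAM_SIZE) { up(&nvram_mutex); return 0; }`. The `@@ -65,14 +72,18 @@` hunk removes the same check from the write side, where the declaration of `i` is outside the hunk.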
>@@ -59,6 +59,7 @@ > mtd_table[i] = mtd; > mtd->index = i; > mtd->usecount = 0; >+ init_MUTEX(&mtd->mutex); > > DEBUG(0, "mtd: Giving out device %d to %s\n",i, mtd->name); > /* No need to get a refcount on the module containing >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/mtd/mtdchar.c linux-2.6.7-viroized/drivers/mtd/mtdchar.c >--- linux-2.6.7/drivers/mtd/mtdchar.c 2004-06-16 21:09:58.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/mtd/mtdchar.c 2004-07-29 17:54:48.000000000 +0100 >@@ -30,6 +30,8 @@ > { > struct mtd_info *mtd=(struct mtd_info *)file->private_data; > >+ >+ down(&mtd->mutex); > switch (orig) { > case 0: > /* SEEK_SET */ >@@ -44,14 +46,16 @@ > file->f_pos =mtd->size + offset; > break; > default: >+ up(&mtd->mutex); > return -EINVAL; > } > >+ /* XXX Should return -EINVAL surely ?? */ > if (file->f_pos < 0) > file->f_pos = 0; > else if (file->f_pos >= mtd->size) > file->f_pos = mtd->size - 1; >- >+ up(&mtd->mutex); > return file->f_pos; > } > >@@ -127,11 +131,16 @@ > > DEBUG(MTD_DEBUG_LEVEL0,"MTD_read\n"); > >- if (*ppos + count > mtd->size) >+ down(&mtd->mutex); >+ >+ if (count > mtd->size - *ppos) > count = mtd->size - *ppos; > > if (!count) >+ { >+ up(&mtd->mutex); > return 0; >+ } > > /* FIXME: Use kiovec in 2.5 to lock down the user's buffers > and pass them directly to the MTD functions */ >@@ -143,13 +152,18 @@ > > kbuf=kmalloc(len,GFP_KERNEL); > if (!kbuf) >+ { >+ up(&mtd->mutex); >+ /* API error - should return I/O done so far if > 0 */ > return -ENOMEM; >- >+ } > ret = MTD_READ(mtd, *ppos, len, &retlen, kbuf); > if (!ret) { > *ppos += retlen; > if (copy_to_user(buf, kbuf, retlen)) { > kfree(kbuf); >+ up(&mtd->mutex); >+ /* API error - should return I/O done so far if > 0 */ > return -EFAULT; > } > else >@@ -160,12 +174,13 @@ > } > else { > kfree(kbuf); >+ up(&mtd->mutex); > return ret; > } > > kfree(kbuf); > } >- >+ up(&mtd->mutex); > return total_retlen; > } /* mtd_read */ 
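Review bot: mtd_read clamps with `count > mtd->size - *ppos` but never checks that `*ppos` lies inside the device, unlike the `*ppos >= mtd->size` test this patch adds to mtd_write. An offset past `mtd->size`, or a negative one, makes the subtraction wrap or go negative, and the clamp then assigns that value to `count`. The llseek hunk above clamps `f_pos`, but whether every caller reaches `*ppos` through it is not visible here. Adding `if (*ppos < 0 || *ppos >= mtd->size) { up(&mtd->mutex); return 0; }` right after `down(&mtd->mutex);` would make the read side match.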
> >@@ -179,15 +194,22 @@ > int len; > > DEBUG(MTD_DEBUG_LEVEL0,"MTD_write\n"); >- >- if (*ppos == mtd->size) >+ >+ down(&mtd->mutex); >+ if (*ppos >= mtd->size) >+ { >+ up(&mtd->mutex); > return -ENOSPC; >+ } > >- if (*ppos + count > mtd->size) >+ if (count > mtd->size - *ppos) > count = mtd->size - *ppos; > > if (!count) >+ { >+ up(&mtd->mutex); > return 0; >+ } > > while (count) { > if (count > MAX_KMALLOC_SIZE) >@@ -197,11 +219,14 @@ > > kbuf=kmalloc(len,GFP_KERNEL); > if (!kbuf) { >- printk("kmalloc is null\n"); >+// printk("kmalloc is null\n"); >+ /* API bug should report I/O completed */ >+ up(&mtd->mutex); > return -ENOMEM; > } > > if (copy_from_user(kbuf, buf, len)) { >+ up(&mtd->mutex); > kfree(kbuf); > return -EFAULT; > } >@@ -214,13 +239,15 @@ > buf += retlen; > } > else { >+ up(&mtd->mutex); > kfree(kbuf); >+ /* API bug ?? */ > return ret; > } > > kfree(kbuf); > } >- >+ up(&mtd->mutex); > return total_retlen; > } /* mtd_write */ > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/oprofile/oprofilefs.c linux-2.6.7-viroized/drivers/oprofile/oprofilefs.c >--- linux-2.6.7/drivers/oprofile/oprofilefs.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/oprofile/oprofilefs.c 2004-06-27 18:54:34.000000000 +0100 >@@ -48,20 +48,25 @@ > ssize_t oprofilefs_str_to_user(char const * str, char __user * buf, size_t count, loff_t * offset) > { > size_t len = strlen(str); >+ loff_t pos = *offset; >+ >+ /* XXX - should do proper seek locking instead */ >+ if(pos < 0) >+ return -EINVAL; > > if (!count) > return 0; > >- if (*offset > len) >+ if (pos > len) > return 0; > >- if (count > len - *offset) >- count = len - *offset; >+ if (count > len - pos) >+ count = len - pos; > >- if (copy_to_user(buf, str + *offset, count)) >+ if (copy_to_user(buf, str + pos, count)) > return -EFAULT; > >- *offset += count; >+ *offset = pos + count; > > return count; > } 
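Review bot: The `// printk("kmalloc is null\n");` line in mtd_write leaves dead code behind in a `//` comment. Delete the line outright; the added `/* API bug should report I/O completed */` comment already explains the branch. That comment and the `/* API bug ?? */` in the next hunk both note that bytes already written are lost on these error returns. Returning `total_retlen` when it is non-zero would address that, but the loop body continues outside this hunk.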
>@@ -73,9 +78,14 @@ > { > char tmpbuf[TMPBUFSIZE]; > size_t maxlen; >+ loff_t pos = *offset; > > if (!count) > return 0; >+ >+ /* XXX - should do proper seek locking instead */ >+ if(pos < 0) >+ return -EINVAL; > > spin_lock(&oprofilefs_lock); > maxlen = snprintf(tmpbuf, TMPBUFSIZE, "%lu\n", val); >@@ -83,16 +93,16 @@ > if (maxlen > TMPBUFSIZE) > maxlen = TMPBUFSIZE; > >- if (*offset > maxlen) >+ if (pos > maxlen) > return 0; > >- if (count > maxlen - *offset) >- count = maxlen - *offset; >+ if (count > maxlen - pos) >+ count = maxlen - pos; > >- if (copy_to_user(buf, tmpbuf + *offset, count)) >+ if (copy_to_user(buf, tmpbuf + pos, count)) > return -EFAULT; > >- *offset += count; >+ *offset = pos + count; > > return count; > } >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/parisc/eisa_eeprom.c linux-2.6.7-viroized/drivers/parisc/eisa_eeprom.c >--- linux-2.6.7/drivers/parisc/eisa_eeprom.c 2004-06-16 21:10:07.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/parisc/eisa_eeprom.c 2004-06-27 22:20:51.000000000 +0100 >@@ -29,13 +29,16 @@ > #include <asm/io.h> > #include <asm/uaccess.h> > #include <asm/eisa_eeprom.h> >+#include <asm/semaphore.h> > > #define EISA_EEPROM_MINOR 241 > > static unsigned long eeprom_addr; >+static DECLARE_MUTEX(eeprom_mutex); > > static loff_t eisa_eeprom_llseek(struct file *file, loff_t offset, int origin ) > { >+ down(&eeprom_mutex); > switch (origin) { > case 0: > /* nothing to do */ 
>@@ -47,18 +50,24 @@ > offset += HPEE_MAX_LENGTH; > break; > } >- return (offset >= 0 && offset < HPEE_MAX_LENGTH) ? (file->f_pos = offset) : -EINVAL; >+ if(offset >= 0 && offset < HPEE_MAX_LENGTH) >+ file->f_pos = offset; >+ else >+ offset = EINVAL; >+ up(&eeprom_mutex); >+ return offset; > } > > static ssize_t eisa_eeprom_read(struct file * file, > char *buf, size_t count, loff_t *ppos ) > { > unsigned char *tmp; >- ssize_t ret; >+ ssize_t ret = 0; > int i; >- >+ >+ down(&eeprom_mutex); > if (*ppos >= HPEE_MAX_LENGTH) >- return 0; >+ goto done; > > count = *ppos + count < HPEE_MAX_LENGTH ? count : HPEE_MAX_LENGTH - *ppos; > tmp = kmalloc(count, GFP_KERNEL); >@@ -73,7 +82,9 @@ > kfree (tmp); > } else > ret = -ENOMEM; >- >+ >+done: >+ up(&eeprom_mutex); > return ret; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/pci/proc.c linux-2.6.7-viroized/drivers/pci/proc.c >--- linux-2.6.7/drivers/pci/proc.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/pci/proc.c 2004-07-04 17:39:40.000000000 +0100 >@@ -47,10 +47,10 @@ > static ssize_t > proc_bus_pci_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) > { >- const struct inode *ino = file->f_dentry->d_inode; >+ struct inode *ino = file->f_dentry->d_inode; > const struct proc_dir_entry *dp = PDE(ino); > struct pci_dev *dev = dp->data; >- unsigned int pos = *ppos; >+ unsigned int pos; > unsigned int cnt, size; > > /* >@@ -66,8 +66,13 @@ > else > size = 64; > >- if (pos >= size) >+ down(&ino->i_sem); >+ if (*ppos >= size) >+ { >+ up(&ino->i_sem); > return 0; >+ } >+ pos = *ppos; > if (nbytes >= size) > nbytes = size; > if (pos + nbytes > size) >@@ -75,7 +80,10 @@ > cnt = nbytes; > > if (!access_ok(VERIFY_WRITE, buf, cnt)) >- return -EINVAL; >+ { >+ up(&ino->i_sem); >+ return -EFAULT; >+ } > > if ((pos & 1) && cnt) { > unsigned char val; 
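Review bot: `offset = EINVAL;` in eisa_eeprom_llseek stores the positive constant, so a rejected seek returns a small positive number that the caller will treat as a valid file position instead of an error. It should be `offset = -EINVAL;`, as in the removed ternary.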
>@@ -123,21 +131,28 @@ > } > > *ppos = pos; >+ up(&ino->i_sem); > return nbytes; > } > > static ssize_t > proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, loff_t *ppos) > { >- const struct inode *ino = file->f_dentry->d_inode; >+ struct inode *ino = file->f_dentry->d_inode; > const struct proc_dir_entry *dp = PDE(ino); > struct pci_dev *dev = dp->data; >- int pos = *ppos; >+ unsigned int pos; > int size = dev->cfg_size; > int cnt; > >- if (pos >= size) >+ down(&ino->i_sem); >+ if (*ppos >= size) >+ { >+ up(&ino->i_sem); > return 0; >+ } >+ pos = *ppos; >+ > if (nbytes >= size) > nbytes = size; > if (pos + nbytes > size) >@@ -145,8 +160,10 @@ > cnt = nbytes; > > if (!access_ok(VERIFY_READ, buf, cnt)) >- return -EINVAL; >- >+ { >+ up(&ino->i_sem); >+ return -EFAULT; >+ } > if ((pos & 1) && cnt) { > unsigned char val; > __get_user(val, buf); >@@ -191,8 +208,8 @@ > pos++; > cnt--; > } >- > *ppos = pos; >+ up(&ino->i_sem); > return nbytes; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/pnp/isapnp/proc.c linux-2.6.7-viroized/drivers/pnp/isapnp/proc.c >--- linux-2.6.7/drivers/pnp/isapnp/proc.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/pnp/isapnp/proc.c 2004-07-04 17:41:29.000000000 +0100 >@@ -26,6 +26,9 @@ > #include <linux/init.h> > #include <linux/smp_lock.h> > #include <asm/uaccess.h> >+#include <asm/semaphore.h> >+ >+static DECLARE_MUTEX(isapnp_mutex); /* Don't whack two things at once */ > > extern struct pnp_protocol isapnp_protocol; > >@@ -35,7 +38,7 @@ > { > loff_t new = -1; > >- lock_kernel(); >+ down(&isapnp_mutex); > switch (whence) { > case 0: > new = off; 
>@@ -48,11 +51,12 @@ > break; > } > if (new < 0 || new > 256) { >- unlock_kernel(); >+ up(&isapnp_mutex); > return -EINVAL; > } >- unlock_kernel(); >- return (file->f_pos = new); >+ file->f_pos = new; >+ up(&isapnp_mutex); >+ return new; > } > > static ssize_t isapnp_proc_bus_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) >@@ -60,11 +64,16 @@ > struct inode *ino = file->f_dentry->d_inode; > struct proc_dir_entry *dp = PDE(ino); > struct pnp_dev *dev = dp->data; >- int pos = *ppos; >+ loff_t pos; > int cnt, size = 256; > >+ down(&isapnp_mutex); >+ pos = *ppos; > if (pos >= size) >+ { >+ up(&isapnp_mutex); > return 0; >+ } > if (nbytes >= size) > nbytes = size; > if (pos + nbytes > size) >@@ -72,7 +81,10 @@ > cnt = nbytes; > > if (!access_ok(VERIFY_WRITE, buf, cnt)) >- return -EINVAL; >+ { >+ up(&isapnp_mutex); >+ return -EFAULT; >+ } > > isapnp_cfg_begin(dev->card->number, dev->number); > for ( ; pos < 256 && cnt > 0; pos++, buf++, cnt--) { >@@ -83,6 +95,7 @@ > isapnp_cfg_end(); > > *ppos = pos; >+ up(&isapnp_mutex); > return nbytes; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/s390/char/tape_char.c linux-2.6.7-viroized/drivers/s390/char/tape_char.c >--- linux-2.6.7/drivers/s390/char/tape_char.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/s390/char/tape_char.c 2004-06-27 19:02:47.000000000 +0100 >@@ -142,7 +142,10 @@ > struct tape_request *request; > size_t block_size; > int rc; >+ loff_t pos = *ppos; > >+ /* XXX - driver needs proper read/write/seek locks it seems */ >+ > DBF_EVENT(6, "TCHAR:read\n"); > device = (struct tape_device *) filp->private_data; > /* Check position. */ >@@ -153,7 +156,7 @@ > * read work... > */ > DBF_EVENT(6, "TCHAR:ppos wrong\n"); >- return -EOVERFLOW; >+ return -ESPIPE; > } > > /* 
>@@ -196,11 +199,13 @@ > if (rc == 0) { > rc = block_size - request->rescnt; > DBF_EVENT(6, "TCHAR:rbytes: %x\n", rc); >- filp->f_pos += rc; >+ pos += rc; > /* Copy data from idal buffer to user space. */ > if (idal_buffer_to_user(device->char_data.idal_buf, > data, rc) != 0) > rc = -EFAULT; >+ else >+ *ppos = pos; > } > tape_free_request(request); > return rc; >@@ -218,6 +223,9 @@ > size_t written; > int nblocks; > int i, rc; >+ loff_t pos = *ppos; >+ >+ /* XXX - driver needs proper read/write/seek locks it seems */ > > DBF_EVENT(6, "TCHAR:write\n"); > device = (struct tape_device *) filp->private_data; >@@ -225,7 +233,7 @@ > if (ppos != &filp->f_pos) { > /* "A request was outside the capabilities of the device." */ > DBF_EVENT(6, "TCHAR:ppos wrong\n"); >- return -EOVERFLOW; >+ return -ESPIPE; > } > /* Find out block size and number of blocks */ > if (device->char_data.block_size != 0) { >@@ -270,7 +278,7 @@ > break; > DBF_EVENT(6, "TCHAR:wbytes: %lx\n", > block_size - request->rescnt); >- filp->f_pos += block_size - request->rescnt; >+ pos += block_size - request->rescnt; > written += block_size - request->rescnt; > if (request->rescnt != 0) > break; >@@ -297,7 +305,10 @@ > * tapemark it doesn't hurt to write two marks again. > */ > if (!rc) >+ { > device->required_tapemarks = 2; >+ *ppos = pos; >+ } > > return rc ? rc : written; > } >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/sbus/char/flash.c linux-2.6.7-viroized/drivers/sbus/char/flash.c >--- linux-2.6.7/drivers/sbus/char/flash.c 2004-06-16 21:09:58.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/sbus/char/flash.c 2004-06-27 22:28:45.000000000 +0100 >@@ -2,6 +2,8 @@ > * flash.c: Allow mmap access to the OBP Flash, for OBP updates. > * > * Copyright (C) 1997 Eddie C. Dost (ecd@skynet.be) >+ * >+ * Added printk levels and locks for 2.6 (Alan Cox) > */ > > #include <linux/config.h> 
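Review bot: The context comment `/* "A request was outside the capabilities of the device." */` above the `ppos != &filp->f_pos` test in the tape_char write path describes the old error value and no longer matches the `-ESPIPE` now returned beneath it. A comment that states what the test rejects would be more accurate, for example `/* a caller-supplied offset other than f_pos is not supported */`. The same stale comment sits above the `-ENXIO` to `-ESPIPE` changes in the osst.c and st.c hunks later in this patch.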
>@@ -22,8 +24,11 @@ > #include <asm/io.h> > #include <asm/sbus.h> > #include <asm/ebus.h> >+#include <asm/semaphore.h> > > static spinlock_t flash_lock = SPIN_LOCK_UNLOCKED; >+static DECLARE_MUTEX(flash_mutex); >+ > static struct { > unsigned long read_base; /* Physical read address */ > unsigned long write_base; /* Physical write address */ >@@ -83,7 +88,7 @@ > static long long > flash_llseek(struct file *file, long long offset, int origin) > { >- lock_kernel(); >+ down(&flash_mutex); > switch (origin) { > case 0: > file->f_pos = offset; >@@ -97,10 +102,10 @@ > file->f_pos = flash.read_size; > break; > default: >- unlock_kernel(); >+ up(&flash_mutex); > return -EINVAL; > } >- unlock_kernel(); >+ up(&flash_mutex); > return file->f_pos; > } > >@@ -108,20 +113,26 @@ > flash_read(struct file * file, char * buf, > size_t count, loff_t *ppos) > { >- unsigned long p = file->f_pos; >+ loff_t p; > int i; > >+ down(&flash_mutex); >+ p = *ppos; > if (count > flash.read_size - p) > count = flash.read_size - p; > > for (i = 0; i < count; i++) { > u8 data = readb(flash.read_base + p + i); > if (put_user(data, buf)) >+ { >+ up(&flash_mutex); > return -EFAULT; >+ } > buf++; > } > >- file->f_pos += count; >+ *ppos = p + count; >+ up(&flash_mutex); > return count; > } > >@@ -204,7 +215,7 @@ > > len = prom_getproperty(edev->prom_node, "reg", (void *)regs, sizeof(regs)); > if ((len % sizeof(regs[0])) != 0) { >- printk("flash: Strange reg property size %d\n", len); >+ printk(KERN_WARNING "flash: Strange reg property size %d\n", len); > return -ENODEV; > } > >@@ -220,7 +231,7 @@ > flash.write_base = edev->resource[1].start; > flash.write_size = regs[1].reg_size; > } else { >- printk("flash: Strange number of regs %d\n", nregs); >+ printk(KERN_WARNING "flash: Strange number of regs %d\n", nregs); > return -ENODEV; > } 
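Review bot: flash_read takes `p` from `*ppos` as a signed `loff_t` and bounds the transfer only with `count > flash.read_size - p`. When `p` is negative or beyond `flash.read_size` the subtraction does not limit `count`, and `readb(flash.read_base + p + i)` runs outside the flash window. flash_llseek in the earlier hunk stores `offset` into `f_pos` without a range check, so such a position looks reachable. A guard after `p = *ppos;`, such as `if (p < 0 || p >= flash.read_size) { up(&flash_mutex); return 0; }`, would close it.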
> >@@ -231,7 +242,7 @@ > #endif > } > >- printk("OBP Flash: RD %lx[%lx] WR %lx[%lx]\n", >+ printk(KERN_INFO "OBP Flash: RD %lx[%lx] WR %lx[%lx]\n", > flash.read_base, flash.read_size, > flash.write_base, flash.write_size); > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/sbus/char/jsflash.c linux-2.6.7-viroized/drivers/sbus/char/jsflash.c >--- linux-2.6.7/drivers/sbus/char/jsflash.c 2004-06-16 21:09:58.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/sbus/char/jsflash.c 2004-06-27 23:16:40.000000000 +0100 >@@ -46,6 +46,7 @@ > #include <asm/io.h> > #include <asm/pcic.h> > #include <asm/oplib.h> >+#include <asm/semaphore.h> > > #include <asm/jsflash.h> /* ioctl arguments. <linux/> ?? */ > #define JSFIDSZ (sizeof(struct jsflash_ident_arg)) >@@ -72,6 +73,7 @@ > #define JSF_PART_BITS 2 /* 2 bits of minors to cover JSF_NPART */ > #define JSF_PART_MASK 0x3 /* 2 bits mask */ > >+static DECLARE_MUTEX(jsflash_mutex); > /* > * Access functions. > * We could ioremap(), but it's easier this way. >@@ -229,7 +231,7 @@ > { > loff_t ret; > >- lock_kernel(); >+ down(&jsflash_mutex); > switch (orig) { > case 0: > file->f_pos = offset; >@@ -242,7 +244,7 @@ > default: > ret = -EINVAL; > } >- unlock_kernel(); >+ up(&jsflash_mutex); > return ret; > } > >@@ -252,7 +254,7 @@ > static ssize_t jsf_read(struct file * file, char * buf, > size_t togo, loff_t *ppos) > { >- unsigned long p = *ppos; >+ unsigned long p; > char *tmp = buf; > > union byte4 { >@@ -260,9 +262,14 @@ > unsigned int n; > } b; > >- if (p < JSF_BASE_ALL || p >= JSF_BASE_TOP) { >+ down(&jsflash_mutex); >+ >+ /* Range check in loff_t, then cut down for use */ >+ if (*ppos < JSF_BASE_ALL || *ppos >= JSF_BASE_TOP) { >+ up(&jsflash_mutex); > return 0; > } >+ p = *ppos; > > if ((p + togo) < p /* wrap */ > || (p + togo) >= JSF_BASE_TOP) { >@@ -283,6 +290,7 @@ > * without regard to modversions, > * so we cannot build a module. > */ >+ up(&jsflash_mutex); > return 0; > #endif > } 
>@@ -291,7 +299,10 @@ > togo -= 4; > b.n = jsf_inl(p); > if (copy_to_user(tmp, b.s, 4)) >+ { >+ up(&jsflash_mutex); > return -EFAULT; >+ } > tmp += 4; > p += 4; > } >@@ -302,6 +313,7 @@ > */ > > *ppos = p; >+ up(&jsflash_mutex); > return tmp-buf; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/scsi/osst.c linux-2.6.7-viroized/drivers/scsi/osst.c >--- linux-2.6.7/drivers/scsi/osst.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/scsi/osst.c 2004-07-04 17:43:56.000000000 +0100 >@@ -3187,7 +3187,7 @@ > > if (ppos != &filp->f_pos) { > /* "A request was outside the capabilities of the device." */ >- retval = (-ENXIO); >+ retval = (-ESPIPE); > goto out; > } > >@@ -3514,7 +3514,7 @@ > > if (ppos != &filp->f_pos) { > /* "A request was outside the capabilities of the device." */ >- retval = (-ENXIO); >+ retval = (-ESPIPE); > goto out; > } > >@@ -5386,6 +5386,7 @@ > .owner = THIS_MODULE, > .read = osst_read, > .write = osst_write, >+ .llseek = no_llseek, > .ioctl = osst_ioctl, > .open = os_scsi_tape_open, > .flush = os_scsi_tape_flush, >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/scsi/st.c linux-2.6.7-viroized/drivers/scsi/st.c >--- linux-2.6.7/drivers/scsi/st.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/scsi/st.c 2004-06-27 20:06:02.000000000 +0100 >@@ -1220,7 +1220,7 @@ > > if (ppos != &filp->f_pos) { > /* "A request was outside the capabilities of the device." */ >- retval = (-ENXIO); >+ retval = (-ESPIPE); > goto out; > } 
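Review bot: The comment kept above the changed line in osst.c (-3187) quotes the description of ENXIO, so it no longer matches the value returned once this becomes `-ESPIPE`. The same stale comment remains in the osst.c hunk at -3514 and the st.c hunk at -1220. I would replace it in all three places with something like `/* positional I/O (pread/pwrite) is not supported on a tape device */`.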
> >@@ -3715,6 +3715,7 @@ > .read = st_read, > .write = st_write, > .ioctl = st_ioctl, >+ .llseek = no_llseek, > .open = st_open, > .flush = st_flush, > .release = st_release, >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/telephony/ixj.c linux-2.6.7-viroized/drivers/telephony/ixj.c >--- linux-2.6.7/drivers/telephony/ixj.c 2004-06-16 21:09:53.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/telephony/ixj.c 2004-06-27 19:15:04.000000000 +0100 >@@ -2857,7 +2857,7 @@ > > static ssize_t ixj_read(struct file * file_p, char *buf, size_t length, loff_t * ppos) > { >- unsigned long i = *ppos; >+ unsigned long i; > IXJ * j = get_ixj(NUM(file_p->f_dentry->d_inode)); > > DECLARE_WAITQUEUE(wait, current); >@@ -2937,7 +2937,7 @@ > > static ssize_t ixj_write(struct file *file_p, const char *buf, size_t count, loff_t * ppos) > { >- unsigned long i = *ppos; >+ unsigned long i; > IXJ *j = file_p->private_data; > > DECLARE_WAITQUEUE(wait, current); >@@ -2983,7 +2983,7 @@ > j->flags.inwrite = 0; > return -EFAULT; > } >- if(j->play_codec == ALAW) >+ if(j->play_codec == ALAW) > alaw2ulaw(j->write_buffer_wp, min(count, j->write_buffer_size)); > j->flags.inwrite = 0; > return min(count, j->write_buffer_size); >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/usb/core/devices.c linux-2.6.7-viroized/drivers/usb/core/devices.c >--- linux-2.6.7/drivers/usb/core/devices.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/usb/core/devices.c 2004-07-12 14:29:38.000000000 +0100 
>@@ -572,18 +572,24 @@ > { > struct list_head *buslist; > struct usb_bus *bus; >- ssize_t ret, total_written = 0; >+ ssize_t ret = 0, total_written = 0; > loff_t skip_bytes = *ppos; > >- if (*ppos < 0) >- return -EINVAL; >+ down (&usb_bus_list_lock); >+ >+ if (skip_bytes < 0) >+ { >+ ret = -EINVAL; >+ goto error; >+ } > if (nbytes <= 0) >- return 0; >+ goto error; > if (!access_ok(VERIFY_WRITE, buf, nbytes)) >- return -EFAULT; >- >+ { >+ ret = -EFAULT; >+ goto error; >+ } > /* enumerate busses */ >- down (&usb_bus_list_lock); > for (buslist = usb_bus_list.next; buslist != &usb_bus_list; buslist = buslist->next) { > /* print devices for this bus */ > bus = list_entry(buslist, struct usb_bus, bus_list); >@@ -593,13 +599,14 @@ > ret = usb_device_dump(&buf, &nbytes, &skip_bytes, ppos, bus->root_hub, bus, 0, 0, 0); > up(&bus->root_hub->serialize); > if (ret < 0) { >- up(&usb_bus_list_lock); >- return ret; >+ goto error; > } > total_written += ret; > } >+ ret = total_written; >+error: > up (&usb_bus_list_lock); >- return total_written; >+ return ret; > } > > /* Kernel lock for "lastev" protection */ >@@ -661,7 +668,8 @@ > { > loff_t ret; > >- lock_kernel(); >+ /* This already guards the other users */ >+ down(&usb_bus_list_lock); > > switch (orig) { > case 0: >@@ -677,7 +685,7 @@ > ret = -EINVAL; > } > >- unlock_kernel(); >+ up(&usb_bus_list_lock); > return ret; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/usb/core/devio.c linux-2.6.7-viroized/drivers/usb/core/devio.c >--- linux-2.6.7/drivers/usb/core/devio.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/usb/core/devio.c 2004-06-27 19:15:04.000000000 +0100 
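Review bot: In the -572,18 hunk, `loff_t skip_bytes = *ppos;` is still evaluated in the declaration, before the new `down (&usb_bus_list_lock)`. The snapshot of the file position is therefore not serialized against the lseek handler, which the -661,7 hunk moves under the same semaphore. Declaring `loff_t skip_bytes;` and assigning `skip_bytes = *ppos;` right after the `down()` would match what the devio.c hunk at -110 does for `pos`. The label `error:` is also reached on the success path, so a neutral name such as `out:` would read better. The function signature is outside the hunk.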
>@@ -80,9 +80,10 @@ > static loff_t usbdev_lseek(struct file *file, loff_t offset, int orig) > { > loff_t ret; >+ struct dev_state *ps = (struct dev_state *)file->private_data; >+ struct usb_device *dev = ps->dev; > >- lock_kernel(); >- >+ down(&dev->serialize); > switch (orig) { > case 0: > file->f_pos = offset; >@@ -96,8 +97,7 @@ > default: > ret = -EINVAL; > } >- >- unlock_kernel(); >+ up(&dev->serialize); > return ret; > } > >@@ -110,8 +110,8 @@ > loff_t pos; > int i; > >- pos = *ppos; > down(&dev->serialize); >+ pos = *ppos; > if (!connected(dev)) { > ret = -ENODEV; > goto err; >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/usb/host/uhci-debug.c linux-2.6.7-viroized/drivers/usb/host/uhci-debug.c >--- linux-2.6.7/drivers/usb/host/uhci-debug.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/usb/host/uhci-debug.c 2004-07-04 17:47:57.000000000 +0100 >@@ -14,9 +14,12 @@ > #include <linux/proc_fs.h> > #include <linux/smp_lock.h> > #include <asm/io.h> >+#include <asm/semaphore.h> > > #include "uhci-hcd.h" > >+DECLARE_MUTEX(uhci_debug_lock); >+ > /* Handle REALLY large printk's so we don't overflow buffers */ > static inline void lprintk(char *buf) > { >@@ -545,11 +548,12 @@ > > static loff_t uhci_proc_lseek(struct file *file, loff_t off, int whence) > { >- struct uhci_proc *up; >+ struct uhci_proc *uproc; > loff_t new = -1; > >- lock_kernel(); >- up = file->private_data; >+ down(&uhci_debug_lock); >+ >+ uproc = file->private_data; > > switch (whence) { > case 0: 
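Review bot: `DECLARE_MUTEX(uhci_debug_lock);` in the uhci-debug.c hunk (-14,9) has external linkage, whereas the other locks this patch introduces (`flash_mutex`, `jsflash_mutex`, `zorro_proc_lock`) are declared `static`. Unless another translation unit needs the symbol, which nothing in the visible hunks suggests, it should be `static DECLARE_MUTEX(uhci_debug_lock);` to keep it out of the kernel's global namespace. A one-line comment saying that it protects `f_pos` for the uhci proc file would also help, since the name does not say what it guards.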
>@@ -559,33 +563,38 @@ > new = file->f_pos + off; > break; > } >- if (new < 0 || new > up->size) { >- unlock_kernel(); >+ if (new < 0 || new > uproc->size) { >+ up(&uhci_debug_lock); > return -EINVAL; > } >- unlock_kernel(); >- return (file->f_pos = new); >+ file->f_pos = new; >+ up(&uhci_debug_lock); >+ return new; > } > > static ssize_t uhci_proc_read(struct file *file, char __user *buf, > size_t nbytes, loff_t *ppos) > { >- struct uhci_proc *up = file->private_data; >+ struct uhci_proc *uproc = file->private_data; > unsigned int pos; > unsigned int size; > >+ down(&uhci_debug_lock); >+ > pos = *ppos; >- size = up->size; >+ size = uproc->size; >+ > if (pos >= size) >- return 0; >- if (nbytes > size - pos) >+ nbytes = 0; >+ else if (nbytes > size - pos) > nbytes = size - pos; > >- if (copy_to_user(buf, up->data + pos, nbytes)) >- return -EFAULT; >- >- *ppos += nbytes; >+ if (copy_to_user(buf, uproc->data + pos, nbytes)) >+ nbytes = -EFAULT; >+ else >+ *ppos += nbytes; > >+ up(&uhci_debug_lock); > return nbytes; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/usb/media/pwc-if.c linux-2.6.7-viroized/drivers/usb/media/pwc-if.c >--- linux-2.6.7/drivers/usb/media/pwc-if.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/usb/media/pwc-if.c 2004-06-27 20:16:22.000000000 +0100 >@@ -1140,7 +1140,7 @@ > int noblock = file->f_flags & O_NONBLOCK; > DECLARE_WAITQUEUE(wait, current); > >- Trace(TRACE_READ, "video_read(0x%p, %p, %d) called.\n", vdev, buf, count); >+ Trace(TRACE_READ, "video_read(0x%p, %p, %lu) called.\n", vdev, buf, count); > if (vdev == NULL) > return -EFAULT; > pdev = vdev->priv; >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/usb/media/vicam.c linux-2.6.7-viroized/drivers/usb/media/vicam.c >--- linux-2.6.7/drivers/usb/media/vicam.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/usb/media/vicam.c 2004-06-27 19:15:18.000000000 +0100 
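Review bot: In uhci_proc_read, `nbytes` is a `size_t`, so the new `nbytes = -EFAULT;` stores the errno as a very large unsigned value and relies on the implicit conversion at `return nbytes;`. A separate `ssize_t ret` set on each branch and returned after the `up()` would make the error path explicit. The bounds test is also still done on `pos`, an `unsigned int` that truncates `*ppos`, so an offset above 32 bits is checked as its low half. Comparing `*ppos` against `size` before narrowing would avoid that.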
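Review bot: `%lu` in the pwc-if.c Trace() call is only correct where `size_t` is `unsigned long`. If `count` is the `size_t` argument of the read handler, as in the other drivers in this patch (its declaration is outside the hunk), the matching conversion is `%zu`: `Trace(TRACE_READ, "video_read(0x%p, %p, %zu) called.\n", vdev, buf, count);`. The `0x%p` in the same string will usually print a doubled `0x` prefix and could be tidied in the same change.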
>@@ -864,6 +864,8 @@ > { > /* vicam_decode_color - Convert from Vicam Y-Cr-Cb to RGB > * Copyright (C) 2002 Monroe Williams (monroe@pobox.com) >+ * >+ * FIXME: camera should use V4L2 YCrCb return type now > */ > > int i, prevY, nextY; >@@ -1009,8 +1011,10 @@ > > DBG("read %d bytes.\n", (int) count); > >+ down(&cam->cam_lock); > if (*ppos >= VICAM_MAX_FRAME_SIZE) { > *ppos = 0; >+ up(&cam->cam_lock); > return 0; > } > >@@ -1032,7 +1036,7 @@ > if (count == VICAM_MAX_FRAME_SIZE) { > *ppos = 0; > } >- >+ up(&cam->cam_lock); > return count; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/usb/misc/auerswald.c linux-2.6.7-viroized/drivers/usb/misc/auerswald.c >--- linux-2.6.7/drivers/usb/misc/auerswald.c 2004-06-16 21:10:08.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/usb/misc/auerswald.c 2004-06-27 19:15:18.000000000 +0100 >@@ -1591,7 +1591,7 @@ > /* Error checking */ > if (!ccp) > return -EIO; >- if (*ppos) >+ if (ppos != &file->f_pos) > return -ESPIPE; > if (count == 0) > return 0; >@@ -1723,8 +1723,8 @@ > /* Error checking */ > if (!ccp) > return -EIO; >- if (*ppos) >- return -ESPIPE; >+ if (ppos != &file->f_pos) >+ return -ESPIPE; > if (len == 0) > return 0; > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/video/aty/radeon_base.c linux-2.6.7-viroized/drivers/video/aty/radeon_base.c >--- linux-2.6.7/drivers/video/aty/radeon_base.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/video/aty/radeon_base.c 2004-07-29 17:41:36.000000000 +0100 
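Review bot: In the vicam read path (-1009,8 and -1032,7), `cam->cam_lock` is taken at the top and released only at the two returns these hunks show. Everything in between is outside the hunks, so any other return there would leave the semaphore held. Any helper called in that stretch that takes `cam->cam_lock` itself would deadlock, because these semaphores are not recursive; please confirm both against the full function. A short comment at the `down()` stating that the lock now also covers `*ppos` would document why it was widened.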
>@@ -1698,59 +1698,74 @@ > > static ssize_t radeonfb_read(struct file *file, char *buf, size_t count, loff_t *ppos) > { >- unsigned long p = *ppos; >+ unsigned long p; > struct inode *inode = file->f_dentry->d_inode; > int fbidx = iminor(inode); > struct fb_info *info = registered_fb[fbidx]; > struct radeonfb_info *rinfo = info->par; > >- if (p >= rinfo->mapped_vram) >- return 0; >+ down(&info->mutex); >+ p = *ppos; >+ if (*ppos >= rinfo->mapped_vram || p + count > p) >+ { >+ up(&info->mutex); >+ return 0; >+ } > if (count >= rinfo->mapped_vram) >- count = rinfo->mapped_vram; >- if (count + p > rinfo->mapped_vram) >+ count = rinfo->mapped_vram; >+ if (count > rinfo->mapped_vram - p) > count = rinfo->mapped_vram - p; > radeonfb_sync(info); >+ > if (count) { >- char *base_addr; >+ char *base_addr; > >- base_addr = info->screen_base; >- count -= copy_to_user(buf, base_addr+p, count); >- if (!count) >- return -EFAULT; >- *ppos += count; >+ base_addr = info->screen_base; >+ count -= copy_to_user(buf, base_addr+p, count); >+ if (!count) >+ count = -EFAULT; >+ else >+ *ppos += count; > } >+ up(&info->mutex); > return count; > } > > static ssize_t radeonfb_write(struct file *file, const char *buf, size_t count, > loff_t *ppos) > { >- unsigned long p = *ppos; >+ unsigned long p; > struct inode *inode = file->f_dentry->d_inode; > int fbidx = iminor(inode); > struct fb_info *info = registered_fb[fbidx]; > struct radeonfb_info *rinfo = info->par; > int err; > >- if (p > rinfo->mapped_vram) >- return -ENOSPC; >+ down(&info->mutex); >+ p = *ppos; /* truncated */ >+ if (*ppos > rinfo->mapped_vram || p + count > p) >+ { >+ up(&info->mutex); >+ return -ENOSPC; >+ } > if (count >= rinfo->mapped_vram) >- count = rinfo->mapped_vram; >+ count = rinfo->mapped_vram; > err = 0; >- if (count + p > rinfo->mapped_vram) { >- count = rinfo->mapped_vram - p; >- err = -ENOSPC; >+ if (count > p - rinfo->mapped_vram) { >+ count = rinfo->mapped_vram - p; >+ err = -ENOSPC; > } > radeonfb_sync(info); 
>+ > if (count) { >- char *base_addr; >+ char *base_addr; > >- base_addr = info->screen_base; >- count -= copy_from_user(base_addr+p, buf, count); >- *ppos += count; >- err = -EFAULT; >+ base_addr = info->screen_base; >+ count -= copy_from_user(base_addr+p, buf, count); >+ *ppos += count; >+ err = -EFAULT; > } >+ up(&info->mutex); > if (count) > return count; > return err; >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/video/fbmem.c linux-2.6.7-viroized/drivers/video/fbmem.c >--- linux-2.6.7/drivers/video/fbmem.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/video/fbmem.c 2004-07-29 17:40:17.000000000 +0100 >@@ -804,7 +804,7 @@ > static ssize_t > fb_read(struct file *file, char *buf, size_t count, loff_t *ppos) > { >- unsigned long p = *ppos; >+ loff_t p; > struct inode *inode = file->f_dentry->d_inode; > int fbidx = iminor(inode); > struct fb_info *info = registered_fb[fbidx]; 
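Review bot: The wrap test added to radeonfb_read and radeonfb_write is inverted. `p + count > p` is true for every non-zero `count` that does not overflow, so reads always return 0 and writes always return -ENOSPC; the intended check is `p + count < p`. In radeonfb_write the clamp `if (count > p - rinfo->mapped_vram)` also has its operands reversed. For any in-range `p` the subtraction wraps to a huge value and `count` is never trimmed, so once the first test is corrected `copy_from_user(base_addr+p, buf, count)` can run past `mapped_vram`; it should read `if (count > rinfo->mapped_vram - p)`. The same inverted test appears in the stifb.c hunks (`count + p > p` at -925,24 and `p + count > p` at -960,31).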
>@@ -817,35 +817,42 @@ > > if (info->fbops->fb_read) > return info->fbops->fb_read(file, buf, count, ppos); >+ >+ down(&info->mutex); >+ if (*ppos >= info->fix.smem_len) >+ { >+ count = 0; >+ goto error; >+ } >+ p = *ppos; > >- if (p >= info->fix.smem_len) >- return 0; >- if (count >= info->fix.smem_len) >- count = info->fix.smem_len; >- if (count + p > info->fix.smem_len) >+ if (count > info->fix.smem_len - p) > count = info->fix.smem_len - p; > if (info->fbops->fb_sync) > info->fbops->fb_sync(info); > if (count) { >- char *base_addr; >+ char *base_addr; > >- base_addr = info->screen_base; >- count -= copy_to_user(buf, base_addr+p, count); >- if (!count) >- return -EFAULT; >- *ppos += count; >+ base_addr = info->screen_base; >+ count -= copy_to_user(buf, base_addr + p, count); >+ if (!count) >+ count = -EFAULT; >+ else >+ *ppos += count; > } >+error: >+ up(&info->mutex); > return count; > } > > static ssize_t > fb_write(struct file *file, const char *buf, size_t count, loff_t *ppos) > { >- unsigned long p = *ppos; >+ loff_t p; > struct inode *inode = file->f_dentry->d_inode; > int fbidx = iminor(inode); > struct fb_info *info = registered_fb[fbidx]; >- int err; >+ int err = -ENOSPC; > > if (!info || !info->screen_base) > return -ENODEV; 
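Review bot: fb_read now keeps the position in a signed `loff_t p` but tests only the upper bound, `*ppos >= info->fix.smem_len`. The fs/proc/base.c and fs/proc/kcore.c hunks in this same patch add an explicit `pos < 0` check. If a negative offset can reach this handler, `info->fix.smem_len - p` exceeds the buffer length and `base_addr + p` points before `screen_base`, so I would make the test `if (*ppos < 0 || *ppos >= info->fix.smem_len)`. The `error:` label is also the normal exit, and `count = -EFAULT` stores an errno in a `size_t`; a `ssize_t ret` and an `out:` label would be clearer.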
>@@ -856,30 +863,56 @@ > if (info->fbops->fb_write) > return info->fbops->fb_write(file, buf, count, ppos); > >- if (p > info->fix.smem_len) >- return -ENOSPC; >- if (count >= info->fix.smem_len) >- count = info->fix.smem_len; >+ down(&info->mutex); >+ if (*ppos >= info->fix.smem_len) >+ goto err; >+ p = *ppos; >+ if (count > info->fix.smem_len - p) >+ count = info->fix.smem_len - p; >+ > err = 0; >- if (count + p > info->fix.smem_len) { >- count = info->fix.smem_len - p; >- err = -ENOSPC; >- } > if (info->fbops->fb_sync) > info->fbops->fb_sync(info); > if (count) { >- char *base_addr; >- >- base_addr = info->screen_base; >+ char *base_addr = info->screen_base; > count -= copy_from_user(base_addr+p, buf, count); > *ppos += count; > err = -EFAULT; >+ if (count) >+ err = count; > } >- if (count) >- return count; >+err: >+ up(&info->mutex); > return err; > } > >+loff_t fb_llseek(struct file *file, loff_t offset, int origin) >+{ >+ struct inode *inode = file->f_dentry->d_inode; >+ int fbidx = iminor(inode); >+ struct fb_info *info = registered_fb[fbidx]; >+ loff_t retval; >+ >+ down(&info->mutex); >+ switch (origin) { >+ case 2: >+ offset += i_size_read(file->f_dentry->d_inode); >+ break; >+ case 1: >+ offset += file->f_pos; >+ } >+ retval = -EINVAL; >+ if (offset >= 0) { >+ if (offset != file->f_pos) { >+ file->f_pos = offset; >+ file->f_version = 0; >+ } >+ retval = offset; >+ } >+ up(&info->mutex); >+ return retval; >+} >+ > #ifdef CONFIG_KMOD > static void try_to_load(int fb) > { >@@ -1254,6 +1287,7 @@ > .owner = THIS_MODULE, > .read = fb_read, > .write = fb_write, >+ .llseek = fb_llseek, > .ioctl = fb_ioctl, > .mmap = fb_mmap, > .open = fb_open, 
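Review bot: The new fb_llseek dereferences `info` in `down(&info->mutex)` without the `if (!info ...) return -ENODEV;` test that fb_read and fb_write perform on the same `registered_fb[fbidx]` lookup. Adding `if (!info) return -ENODEV;` before the `down()` keeps the three handlers consistent. The `switch (origin)` has no `default`, so an unknown origin is silently treated as an absolute seek instead of returning -EINVAL. In fb_write the label `err:` has the same name as the variable `err`, which is legal but hard to read; `out:` would avoid the clash.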
>@@ -1327,6 +1361,7 @@ > if (fb_info->sprite.inbuf == NULL) > fb_info->sprite.inbuf = fb_sys_inbuf; > >+ init_MUTEX(&fb_info->mutex); > registered_fb[i] = fb_info; > > devfs_mk_cdev(MKDEV(FB_MAJOR, i), >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/video/pvr2fb.c linux-2.6.7-viroized/drivers/video/pvr2fb.c >--- linux-2.6.7/drivers/video/pvr2fb.c 2004-06-16 21:10:01.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/video/pvr2fb.c 2004-06-27 22:37:30.000000000 +0100 >@@ -678,6 +678,9 @@ > static ssize_t pvr2fb_write(struct file *file, const char *buf, > size_t count, loff_t *ppos) > { >+ struct inode *inode = file->f_dentry->d_inode; >+ int fbidx = iminor(inode); >+ struct fb_info *info = registered_fb[fbidx]; > unsigned long dst, start, end, len; > unsigned int nr_pages; > struct page **pages; >@@ -701,7 +704,8 @@ > } > > dma_configure_channel(shdma, 0x12c1); >- >+ >+ down(&info->mutex); > dst = (unsigned long)fb_info->screen_base + *ppos; > start = (unsigned long)page_address(pages[0]); > end = (unsigned long)page_address(pages[nr_pages]); >@@ -712,7 +716,7 @@ > /* As we do this in one shot, it's either all or nothing.. */ > if ((*ppos + len) > fb_info->fix.smem_len) { > ret = -ENOSPC; >- goto out_unmap; >+ goto out_unmap_unlock; > } > > dma_write(shdma, start, 0, len); >@@ -726,7 +730,7 @@ > for (i = 0; i < nr_pages; i++, dst += PAGE_SIZE) { > if ((*ppos + (i << PAGE_SHIFT)) > fb_info->fix.smem_len) { > ret = -ENOSPC; >- goto out_unmap; >+ goto out_unmap_unlock; > } > > dma_write_page(shdma, (unsigned long)page_address(pages[i]), 0); 
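Review bot: pvr2fb_write now locks `info->mutex`, where `info` is looked up through `registered_fb[fbidx]`, but every access in the function still goes through `fb_info` (`fb_info->screen_base`, `fb_info->fix.smem_len`). The lock protects the right object only if the two always refer to the same structure, and `info` is not checked for NULL before `down(&info->mutex)`. Either use `info` throughout or take `fb_info->mutex` directly, and add a comment saying which is intended. The hunks also do not show whether any `goto out_unmap` remains between the `down()` and the new `out_unmap_unlock:` label; any that does would skip the `up()`.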
>@@ -738,6 +742,8 @@ > *ppos += count; > ret = count; > >+out_unmap_unlock: >+ up(&info->mutex); > out_unmap: > for (i = 0; i < nr_pages; i++) > page_cache_release(pages[i]); >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/video/stifb.c linux-2.6.7-viroized/drivers/video/stifb.c >--- linux-2.6.7/drivers/video/stifb.c 2004-06-16 21:10:01.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/video/stifb.c 2004-06-27 22:38:24.000000000 +0100 >@@ -916,7 +916,7 @@ > static ssize_t > stifb_read(struct file *file, char *buf, size_t count, loff_t *ppos) > { >- unsigned long p = *ppos; >+ unsigned long p; > struct inode *inode = file->f_dentry->d_inode; > int fbidx = iminor(inode); > struct fb_info *info = registered_fb[fbidx]; >@@ -925,24 +925,33 @@ > if (!info || ! info->screen_base) > return -ENODEV; > >- if (p >= info->fix.smem_len) >- return 0; >+ down(&info->mutex); >+ >+ p = *ppos; >+ >+ if (*ppos >= info->fix.smem_len || count + p > p) >+ { >+ up(&info->mutex); >+ return 0; >+ } > if (count >= info->fix.smem_len) >- count = info->fix.smem_len; >+ count = info->fix.smem_len; > if (count + p > info->fix.smem_len) > count = info->fix.smem_len - p; > if (count > sizeof(tmpbuf)) > count = sizeof(tmpbuf); > if (count) { >- char *base_addr; >+ char *base_addr; > >- base_addr = info->screen_base; >- memcpy_fromio(&tmpbuf, base_addr+p, count); >- count -= copy_to_user(buf, &tmpbuf, count); >- if (!count) >- return -EFAULT; >- *ppos += count; >+ base_addr = info->screen_base; >+ memcpy_fromio(&tmpbuf, base_addr + p, count); >+ count -= copy_to_user(buf, &tmpbuf, count); >+ if (!count) >+ count = -EFAULT; >+ else >+ *ppos += count; > } >+ up(&info->mutex); > return count; > } > >@@ -952,7 +961,7 @@ > struct inode *inode = file->f_dentry->d_inode; > int fbidx = iminor(inode); > struct fb_info *info = registered_fb[fbidx]; >- unsigned long p = *ppos; >+ unsigned long p; > size_t c; > int err; > char tmpbuf[TMPBUFLEN]; 
>@@ -960,31 +969,39 @@ > if (!info || !info->screen_base) > return -ENODEV; > >- if (p > info->fix.smem_len) >- return -ENOSPC; >+ down(&info->mutex); >+ p = *ppos; /* Truncated version */ >+ >+ if (*ppos > info->fix.smem_len || p + count > p) >+ { >+ up(&info->mutex); >+ return -ENOSPC; >+ } >+ > if (count >= info->fix.smem_len) >- count = info->fix.smem_len; >+ count = info->fix.smem_len; > err = 0; > if (count + p > info->fix.smem_len) { >- count = info->fix.smem_len - p; >- err = -ENOSPC; >+ count = info->fix.smem_len - p; >+ err = -ENOSPC; > } > > p += (unsigned long)info->screen_base; > c = count; > while (c) { >- int len = c > sizeof(tmpbuf) ? sizeof(tmpbuf) : c; >- err = -EFAULT; >- if (copy_from_user(&tmpbuf, buf, len)) >- break; >- memcpy_toio(p, &tmpbuf, len); >- c -= len; >- p += len; >- buf += len; >- *ppos += len; >- } >- if (count-c) >- return (count-c); >+ int len = c > sizeof(tmpbuf) ? sizeof(tmpbuf) : c; >+ err = -EFAULT; >+ if (copy_from_user(&tmpbuf, buf, len)) >+ break; >+ memcpy_toio(p, &tmpbuf, len); >+ c -= len; >+ p += len; >+ buf += len; >+ *ppos += len; >+ } >+ up(&info->mutex); >+ if (count - c) >+ return count - c; > return err; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/drivers/zorro/proc.c linux-2.6.7-viroized/drivers/zorro/proc.c >--- linux-2.6.7/drivers/zorro/proc.c 2004-06-16 21:09:54.000000000 +0100 >+++ linux-2.6.7-viroized/drivers/zorro/proc.c 2004-07-12 14:25:50.000000000 +0100 >@@ -18,13 +18,17 @@ > #include <asm/uaccess.h> > #include <asm/amigahw.h> > #include <asm/setup.h> >+#include <asm/semaphore.h> >+ >+static DECLARE_MUTEX(zorro_proc_lock); > > static loff_t > proc_bus_zorro_lseek(struct file *file, loff_t off, int whence) > { > loff_t new = -1; > >- lock_kernel(); >+ down(&zorro_proc_lock); >+ > switch (whence) { > case 0: > new = off; 
>@@ -37,11 +41,12 @@ > break; > } > if (new < 0 || new > sizeof(struct ConfigDev)) { >- unlock_kernel(); >+ up(&zorro_proc_lock); > return -EINVAL; > } >- unlock_kernel(); >- return (file->f_pos = new); >+ file->f_pos = new; >+ up(&zorro_proc_lock); >+ return file->f_pos; > } > > static ssize_t >@@ -51,10 +56,16 @@ > struct proc_dir_entry *dp = PDE(ino); > struct zorro_dev *z = dp->data; > struct ConfigDev cd; >- loff_t pos = *ppos; >+ loff_t pos; >+ >+ down(&zorro_proc_lock); > >+ pos = *ppos; > if (pos >= sizeof(struct ConfigDev)) >+ { >+ up(&zorro_proc_lock); > return 0; >+ } > if (nbytes >= sizeof(struct ConfigDev)) > nbytes = sizeof(struct ConfigDev); > if (pos + nbytes > sizeof(struct ConfigDev)) >@@ -69,9 +80,12 @@ > cd.cd_BoardSize = zorro_resource_len(z); > > if (copy_to_user(buf, &cd, nbytes)) >+ { >+ up(&zorro_proc_lock); > return -EFAULT; >+ } > *ppos += nbytes; >- >+ up(&zorro_proc_lock); > return nbytes; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/fs/cifs/file.c linux-2.6.7-viroized/fs/cifs/file.c >--- linux-2.6.7/fs/cifs/file.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/fs/cifs/file.c 2004-06-28 14:47:28.000000000 +0100 >@@ -584,6 +584,7 @@ > struct cifsTconInfo *pTcon; > int xid, long_op; > struct cifsFileInfo * open_file; >+ loff_t offset = *poffset; > > if(file->f_dentry == NULL) > return -EBADF; >@@ -608,7 +609,7 @@ > return -EBADF; > } > >- if (*poffset > file->f_dentry->d_inode->i_size) >+ if (offset > file->f_dentry->d_inode->i_size) > long_op = 2; /* writes past end of file can take a long time */ > else > long_op = 1; >@@ -649,8 +650,10 @@ > FreeXid(xid); > return rc; > } >- } else >- *poffset += bytes_written; >+ } else { >+ offset += bytes_written; >+ *poffset = offset; >+ } > long_op = FALSE; /* subsequent writes fast - 15 seconds is plenty */ > } 
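Review bot: In cifs_write (hunks -584,6, -608,7 and -649,8) the snapshot `offset` is used for the `i_size` comparison and the final update, but the write call inside the loop lies outside these hunks. If it still passes `*poffset`, it reads the shared position rather than the snapshot. The cifs_read hunk at -995,7 does switch its call to the local `loffset`. Please check that the write call uses `offset` too, and give the two functions the same local name.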
> >@@ -966,6 +969,7 @@ > int xid; > char * current_offset; > struct cifsFileInfo * open_file; >+ loff_t loffset = * poffset; > > xid = GetXid(); > cifs_sb = CIFS_SB(file->f_dentry->d_sb); >@@ -995,7 +999,7 @@ > > rc = CIFSSMBRead(xid, pTcon, > open_file->netfid, >- current_read_size, *poffset, >+ current_read_size, loffset, > &bytes_read, ¤t_offset); > } > if (rc || (bytes_read == 0)) { >@@ -1012,7 +1016,8 @@ > pTcon->bytes_read += total_read; > spin_unlock(&pTcon->stat_lock); > #endif >- *poffset += bytes_read; >+ loffset += bytes_read; >+ *poffset = loffset; > } > } > FreeXid(xid); >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/fs/openpromfs/inode.c linux-2.6.7-viroized/fs/openpromfs/inode.c >--- linux-2.6.7/fs/openpromfs/inode.c 2004-06-16 21:10:27.000000000 +0100 >+++ linux-2.6.7-viroized/fs/openpromfs/inode.c 2004-06-27 19:25:09.000000000 +0100 >@@ -68,18 +68,21 @@ > size_t count, loff_t *ppos) > { > struct inode *inode = file->f_dentry->d_inode; >+ loff_t pos = *ppos; > char buffer[10]; > >+ /* FIXME: add proper seek locking */ >+ if (pos != (unsigned int)pos || pos >= 9) >+ return -0; >+ > if (count < 0 || !inode->u.generic_ip) > return -EINVAL; > sprintf (buffer, "%8.8x\n", (u32)(long)(inode->u.generic_ip)); >- if (file->f_pos >= 9) >- return 0; >- if (count > 9 - file->f_pos) >- count = 9 - file->f_pos; >- if (copy_to_user(buf, buffer + file->f_pos, count)) >+ if (count > 9 - pos) >+ count = 9 - pos; >+ if (copy_to_user(buf, buffer + pos, count)) > return -EFAULT; >- file->f_pos += count; >+ *ppos = pos + count; > return count; > } > >@@ -93,8 +96,11 @@ > u32 *q; > openprom_property *op; > char buffer[64]; >+ loff_t pos = *ppos; > >- if (filp->f_pos >= 0xffffff || count >= 0xffffff) >+ /* FIXME: add proper seek locking */ >+ >+ if (pos < 0 || pos >= 0xffffff || count >= 0xffffff) > return -EINVAL; > if (!filp->private_data) { > node = nodes[(u16)((long)inode->u.generic_ip)].node; 
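Review bot: `return -0;` in the first openpromfs hunk (-68,18) should be a plain `return 0;`. The existing `count < 0` test in the same function can never be true if `count` is the `size_t` parameter, so it documents a check that does not happen. The new FIXME about seek locking would be more useful if it named what has to be held, since nothing in this function takes a lock.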
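Review bot: The initializer `loff_t pos = *ppos;` added at -93,8 dereferences `ppos` unconditionally. The property_write context in the -303,38 hunk still calls `property_read (filp, NULL, 0, 0)`, passing a null position pointer. Assuming this hunk is in property_read (its signature is outside the hunk), that call now faults at the declaration, whereas the old code read `filp->f_pos` instead. Either guard it with `loff_t pos = ppos ? *ppos : 0;` and give the final `*ppos = k;` the same guard, or have property_write pass the address of a scratch `loff_t`.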
>@@ -180,7 +186,7 @@ > } else { > i = (op->len << 1) + 1; > } >- k = filp->f_pos; >+ k = pos; > if (k >= i) return 0; > if (count > i - k) count = i - k; > if (op->flag & OPP_STRING) { >@@ -197,7 +203,7 @@ > j = count; > > if (j >= 0) { >- if (copy_to_user(buf + k - filp->f_pos, >+ if (copy_to_user(buf + k - pos, > op->value + k - 1, j)) > return -EFAULT; > count -= j; >@@ -205,11 +211,11 @@ > } > > if (count) { >- if (put_user('\'', &buf [k++ - filp->f_pos])) >+ if (put_user('\'', &buf [k++ - pos])) > return -EFAULT; > } > if (count > 1) { >- if (put_user('\n', &buf [k++ - filp->f_pos])) >+ if (put_user('\n', &buf [k++ - pos])) > return -EFAULT; > } > } else if (op->flag & OPP_STRINGLIST) { >@@ -287,7 +293,7 @@ > if ((k < i - 1) && (k & 1)) { > sprintf (buffer, "%02x", > (unsigned char) *(op->value + (k >> 1)) & 0xff); >- if (put_user(buffer[1], &buf[k++ - filp->f_pos])) >+ if (put_user(buffer[1], &buf[k++ - pos])) > return -EFAULT; > count--; > } >@@ -295,7 +301,7 @@ > for (; (count > 1) && (k < i - 1); k += 2) { > sprintf (buffer, "%02x", > (unsigned char) *(op->value + (k >> 1)) & 0xff); >- if (copy_to_user(buf + k - filp->f_pos, buffer, 2)) >+ if (copy_to_user(buf + k - pos, buffer, 2)) > return -EFAULT; > count -= 2; > } 
>@@ -303,38 +309,41 @@ > if (count && (k < i - 1)) { > sprintf (buffer, "%02x", > (unsigned char) *(op->value + (k >> 1)) & 0xff); >- if (put_user(buffer[0], &buf[k++ - filp->f_pos])) >+ if (put_user(buffer[0], &buf[k++ - pos])) > return -EFAULT; > count--; > } > > if (count) { >- if (put_user('\n', &buf [k++ - filp->f_pos])) >+ if (put_user('\n', &buf [k++ - pos])) > return -EFAULT; > } > } >- count = k - filp->f_pos; >- filp->f_pos = k; >+ count = k - pos; >+ *ppos = k; > return count; > } > > static ssize_t property_write(struct file *filp, const char *buf, > size_t count, loff_t *ppos) > { >+ loff_t pos = *ppos; > int i, j, k; > char *p; > u32 *q; > void *b; > openprom_property *op; > >- if (filp->f_pos >= 0xffffff || count >= 0xffffff) >+ /* FIXME: add proper seek locking */ >+ >+ if (pos < 0 || pos >= 0xffffff || count >= 0xffffff) > return -EINVAL; > if (!filp->private_data) { > i = property_read (filp, NULL, 0, 0); > if (i) > return i; > } >- k = filp->f_pos; >+ k = pos; > op = (openprom_property *)filp->private_data; > if (!(op->flag & OPP_STRING)) { > u32 *first, *last; >@@ -462,7 +471,7 @@ > op->len = i; > } else > op->len = i; >- filp->f_pos += count; >+ pos += count; > } > write_try_string: > if (!(op->flag & OPP_BINARY)) { >@@ -480,7 +489,8 @@ > op->flag |= OPP_QUOTED; > buf++; > count--; >- filp->f_pos++; >+ pos++; >+ *ppos = pos; > if (!count) { > op->flag |= OPP_STRING; > return 1; >@@ -489,9 +499,9 @@ > op->flag |= OPP_NOTQUOTED; > } > op->flag |= OPP_STRING; >- if (op->alloclen <= count + filp->f_pos) { >+ if (op->alloclen <= count + pos) { > b = kmalloc (sizeof (openprom_property) >- + 2 * (count + filp->f_pos), GFP_KERNEL); >+ + 2 * (count + pos), GFP_KERNEL); > if (!b) > return -ENOMEM; > memcpy (b, filp->private_data, 
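Review bot: At -462,7 the old `filp->f_pos += count;` becomes `pos += count;` with no matching `*ppos = pos;`, unlike the other update sites in property_write (-480, -517). From the visible lines, control then reaches `write_try_string:` and the function ends in `return pos - k;`. If the `!(op->flag & OPP_BINARY)` block is skipped, the caller's position is never advanced even though a byte count is returned. Adding `*ppos = pos;` after `pos += count;` would keep the binary path consistent with the string path. The code between the hunks is not shown, so please confirm against the full function.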
>@@ -499,14 +509,14 @@ > + strlen (op->name) + op->alloclen); > memset (((char *)b) + sizeof (openprom_property) > + strlen (op->name) + op->alloclen, >- 0, 2*(count - filp->f_pos) - op->alloclen); >+ 0, 2*(count - pos) - op->alloclen); > op = (openprom_property *)b; >- op->alloclen = 2*(count + filp->f_pos); >+ op->alloclen = 2*(count + pos); > b = filp->private_data; > filp->private_data = (void *)op; > kfree (b); > } >- p = op->value + filp->f_pos - ((op->flag & OPP_QUOTED) ? 1 : 0); >+ p = op->value + pos - ((op->flag & OPP_QUOTED) ? 1 : 0); > if (copy_from_user(p, buf, count)) > return -EFAULT; > op->flag |= OPP_DIRTY; >@@ -517,17 +527,19 @@ > } > if (i < count) { > op->len = p - op->value; >- filp->f_pos += i + 1; >+ pos += i + 1; >+ *ppos = pos; > if ((p > op->value) && (op->flag & OPP_QUOTED) > && (*(p - 1) == '\'')) > op->len--; > } else { > if (p - op->value > op->len) > op->len = p - op->value; >- filp->f_pos += count; >+ pos += count; >+ *ppos = pos; > } > } >- return filp->f_pos - k; >+ return pos - k; > } > > int property_release (struct inode *inode, struct file *filp) >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/fs/proc/base.c linux-2.6.7-viroized/fs/proc/base.c >--- linux-2.6.7/fs/proc/base.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/fs/proc/base.c 2004-07-29 17:39:33.000000000 +0100 >@@ -519,6 +519,7 @@ > ssize_t length; > ssize_t end; > struct task_struct *task = proc_task(inode); >+ loff_t pos = *ppos; > > if (count > PROC_BLOCK_SIZE) > count = PROC_BLOCK_SIZE; 
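Review bot: The memset length in the -499,14 hunk is still `2*(count - pos) - op->alloclen`, carried over from the old `count - filp->f_pos`, while the allocation above it and the new `op->alloclen` both use `count + pos`. Whenever `pos` is at least `count` the expression is negative and becomes a huge `size_t`, so the memset would run far past the buffer that was just allocated. The intended length appears to be based on `count + pos`, e.g. `2*(count + pos) - op->alloclen`. Since the start address also adds `strlen (op->name)`, the exact bound should be derived from the kmalloc size and checked to be non-negative before the call.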
>@@ -532,14 +533,14 @@ > return length; > } > /* Static 4kB (or whatever) block capacity */ >- if (*ppos >= length) { >+ if (pos < 0 || pos >= length) { > free_page(page); > return 0; > } >- if (count + *ppos > length) >- count = length - *ppos; >- end = count + *ppos; >- if (copy_to_user(buf, (char *) page + *ppos, count)) >+ if (count > length - pos) >+ count = length - pos; >+ end = count + pos; >+ if (copy_to_user(buf, (char *) page + pos, count)) > count = -EFAULT; > else > *ppos = end; >@@ -1170,6 +1171,7 @@ > ssize_t length; > ssize_t end; > struct task_struct *task = proc_task(inode); >+ loff_t pos = *ppos; > > if (count > PAGE_SIZE) > count = PAGE_SIZE; >@@ -1188,10 +1190,10 @@ > free_page(page); > return 0; > } >- if (count + *ppos > length) >- count = length - *ppos; >- end = count + *ppos; >- if (copy_to_user(buf, (char *) page + *ppos, count)) >+ if (count > length - pos) >+ count = length - pos; >+ end = count + pos; >+ if (copy_to_user(buf, (char *) page + pos, count)) > count = -EFAULT; > else > *ppos = end; >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/fs/proc/generic.c linux-2.6.7-viroized/fs/proc/generic.c >--- linux-2.6.7/fs/proc/generic.c 2004-06-16 21:10:28.000000000 +0100 >+++ linux-2.6.7-viroized/fs/proc/generic.c 2004-07-12 14:26:37.000000000 +0100 >@@ -53,6 +53,7 @@ > ssize_t n, count; > char *start; > struct proc_dir_entry * dp; >+ loff_t pos = *ppos; > > dp = PDE(inode); > if (!(page = (char*) __get_free_page(GFP_KERNEL))) >@@ -60,11 +61,13 @@ > > while ((nbytes > 0) && !eof) { > count = min_t(ssize_t, PROC_BLOCK_SIZE, nbytes); >- >+ if (pos != (unsigned) pos || pos > INT_MAX) >+ break; >+ > start = NULL; > if (dp->get_info) { > /* Handle old net routines */ >- n = dp->get_info(page, &start, *ppos, count); >+ n = dp->get_info(page, &start, pos, count); > if (n < count) > eof = 1; > } else if (dp->read_proc) { 
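Review bot: The second proc/base.c read function (-1170,6 and -1188,10) takes the `pos` snapshot, but the range test that guards its `free_page(page); return 0;` lies just above the hunk and is left unchanged. That function therefore does not gain the `pos < 0 || pos >= length` form the first function gets at -532,14. If that test still reads `*ppos` and has no lower bound, a negative position makes `length - pos` exceed the page and `(char *) page + pos` point before it. I would change that condition to `if (pos < 0 || pos >= length)` so both readers validate the same snapshot they later use.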
>@@ -115,7 +118,7 @@ > * requested offset advanced by the number of bytes > * absorbed. > */ >- n = dp->read_proc(page, &start, *ppos, >+ n = dp->read_proc(page, &start, pos, > count, &eof, dp->data); > } else > break; >@@ -134,12 +137,12 @@ > "proc_file_read: Apparent buffer overflow!\n"); > n = PAGE_SIZE; > } >- n -= *ppos; >+ n -= pos; > if (n <= 0) > break; > if (n > count) > n = count; >- start = page + *ppos; >+ start = page + pos; > } else if (start < page) { > if (n > PAGE_SIZE) { > printk(KERN_ERR >@@ -172,7 +175,8 @@ > break; > } > >- *ppos += start < page ? (unsigned long)start : n; >+ pos += start < page ? (unsigned long)start : n; >+ *ppos = pos; > nbytes -= n; > buf += n; > retval += n; >@@ -202,6 +206,7 @@ > proc_file_lseek(struct file *file, loff_t offset, int orig) > { > lock_kernel(); >+ /* FIXME - need proper locking for proc/generic */ > > switch (orig) { > case 0: >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/fs/proc/kcore.c linux-2.6.7-viroized/fs/proc/kcore.c >--- linux-2.6.7/fs/proc/kcore.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/fs/proc/kcore.c 2004-06-27 19:31:09.000000000 +0100 >@@ -280,24 +280,25 @@ > size_t elf_buflen; > int nphdr; > unsigned long start; >+ loff_t pos = *fpos; > > read_lock(&kclist_lock); > tsz = get_kcore_size(&nphdr, &elf_buflen); > proc_root_kcore->size = size = tsz + elf_buflen; >- if (buflen == 0 || *fpos >= size) { >+ if (buflen == 0 || pos < 0 || pos >= size) { > read_unlock(&kclist_lock); > return 0; > } > > /* trim buflen to not go beyond EOF */ >- if (buflen > size - *fpos) >- buflen = size - *fpos; >+ if (buflen > size - pos) >+ buflen = size - pos; > > /* construct an ELF core header if we'll need some of it */ >- if (*fpos < elf_buflen) { >+ if (pos < elf_buflen) { > char * elf_buf; > >- tsz = elf_buflen - *fpos; >+ tsz = elf_buflen - pos; > if (buflen < tsz) > tsz = buflen; > elf_buf = kmalloc(elf_buflen, GFP_ATOMIC); 
>@@ -308,13 +309,14 @@ > memset(elf_buf, 0, elf_buflen); > elf_kcore_store_hdr(elf_buf, nphdr, elf_buflen); > read_unlock(&kclist_lock); >- if (copy_to_user(buffer, elf_buf + *fpos, tsz)) { >+ if (copy_to_user(buffer, elf_buf + pos, tsz)) { > kfree(elf_buf); > return -EFAULT; > } > kfree(elf_buf); > buflen -= tsz; >- *fpos += tsz; >+ pos += tsz; >+ *fpos = pos; > buffer += tsz; > acc += tsz; > >@@ -328,7 +330,7 @@ > * Check to see if our file offset matches with any of > * the addresses in the elf_phdr on our list. > */ >- start = kc_offset_to_vaddr(*fpos - elf_buflen); >+ start = kc_offset_to_vaddr(pos - elf_buflen); > if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen) > tsz = buflen; > >@@ -412,7 +414,8 @@ > } > } > buflen -= tsz; >- *fpos += tsz; >+ pos += tsz; >+ *fpos = pos; > buffer += tsz; > acc += tsz; > start += tsz; >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/fs/proc/proc_misc.c linux-2.6.7-viroized/fs/proc/proc_misc.c >--- linux-2.6.7/fs/proc/proc_misc.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/fs/proc/proc_misc.c 2004-06-27 19:33:48.000000000 +0100 >@@ -564,12 +564,12 @@ > static ssize_t > read_profile(struct file *file, char __user *buf, size_t count, loff_t *ppos) > { >- unsigned long p = *ppos; >+ loff_t p = *ppos; > ssize_t read; > char * pnt; > unsigned int sample_step = 1 << prof_shift; > >- if (p >= (prof_len+1)*sizeof(unsigned int)) >+ if (p < 0 || p >= (prof_len+1)*sizeof(unsigned int)) > return 0; > if (count > (prof_len+1)*sizeof(unsigned int) - p) > count = (prof_len+1)*sizeof(unsigned int) - p; 
>@@ -583,7 +583,7 @@ > if (copy_to_user(buf,(void *)pnt,count)) > return -EFAULT; > read += count; >- *ppos += read; >+ *ppos = p; > return read; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/fs/udf/file.c linux-2.6.7-viroized/fs/udf/file.c >--- linux-2.6.7/fs/udf/file.c 2004-06-16 21:11:36.000000000 +0100 >+++ linux-2.6.7-viroized/fs/udf/file.c 2004-06-28 14:39:38.000000000 +0100 >@@ -114,15 +114,25 @@ > { > ssize_t retval; > struct inode *inode = file->f_dentry->d_inode; >- int err, pos; >+ int err; >+ loff_t pos; > > if (UDF_I_ALLOCTYPE(inode) == ICBTAG_FLAG_AD_IN_ICB) > { >+ /* FIXME: locking checks needed */ > if (file->f_flags & O_APPEND) > pos = inode->i_size; > else > pos = *ppos; > >+ /* Check limit here, but actual limit is due to variable >+ types in lower order functions. These probaly need to >+ be fixed and pushed down the stack */ >+ if (pos < 0 || pos + count < pos || pos > 0x7FFFFFFF) >+ return -EFBIG;; >+ if (pos + count > 0x7FFFFFFF) >+ count = 0x7FFFFFFF - pos; >+ > if (inode->i_sb->s_blocksize < (udf_file_entry_alloc_offset(inode) + > pos + count)) > { >@@ -142,10 +152,10 @@ > } > } > >- retval = generic_file_write(file, buf, count, ppos); >- >+ retval = generic_file_write(file, buf, count, &pos); > if (retval > 0) > mark_inode_dirty(inode); >+ *ppos = pos; > return retval; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/include/linux/fb.h linux-2.6.7-viroized/include/linux/fb.h >--- linux-2.6.7/include/linux/fb.h 2004-06-16 21:11:37.000000000 +0100 >+++ linux-2.6.7-viroized/include/linux/fb.h 2004-06-27 22:32:36.000000000 +0100 
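Review bot: `*ppos = p;` in read_profile (fs/proc/proc_misc.c, `@@ -583,7 +583,7 @@`) stores an offset that, as far as the hunk shows, does not include the `count` bytes just handed to `copy_to_user()`: `read += count` is updated, but nothing visible adds `count` to `p`. Unless `p` is advanced by the full amount in lines outside the hunk, the file position falls behind the data returned and the next read repeats it. `*ppos = p + count;` would keep the stored offset in step with `read`. The body of the function between the two read_profile hunks is not visible, so confirm how `p` is advanced there.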
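Review bot: `pos` is passed to `generic_file_write(file, buf, count, &pos)` and copied back with `*ppos = pos;` in the `@@ -142,10 +152,10 @@` hunk of fs/udf/file.c, but the `@@ -114,15 +114,25 @@` hunk declares `loff_t pos;` without an initialiser and assigns it only inside the `ICBTAG_FLAG_AD_IN_ICB` branch. The closing braces before the call suggest it runs for every allocation type, in which case other files are written at an indeterminate offset that is then stored in `*ppos`. Initialising at the declaration, `loff_t pos = *ppos;`, covers that path while the O_APPEND assignment inside the branch still overrides it. The first hunk also carries a stray `;;` after `return -EFBIG`.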
>@@ -522,6 +522,7 @@ > #define FBINFO_STATE_SUSPENDED 1 > u32 state; /* Hardware state i.e suspend */ > >+ struct semaphore mutex; /* Fbmem mutex */ > /* From here on everything is device dependent */ > void *par; > }; >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/include/linux/mtd/mtd.h linux-2.6.7-viroized/include/linux/mtd/mtd.h >--- linux-2.6.7/include/linux/mtd/mtd.h 2004-06-16 21:09:41.000000000 +0100 >+++ linux-2.6.7-viroized/include/linux/mtd/mtd.h 2004-06-27 22:40:24.000000000 +0100 >@@ -222,6 +222,9 @@ > /* Power Management functions */ > int (*suspend) (struct mtd_info *mtd); > void (*resume) (struct mtd_info *mtd); >+ >+ /* Semaphore */ >+ struct semaphore mutex; > > void *priv; > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/net/atm/mpoa_proc.c linux-2.6.7-viroized/net/atm/mpoa_proc.c >--- linux-2.6.7/net/atm/mpoa_proc.c 2004-06-16 21:11:37.000000000 +0100 >+++ linux-2.6.7-viroized/net/atm/mpoa_proc.c 2004-07-29 17:36:36.000000000 +0100 >@@ -98,6 +98,7 @@ > > /* > * READING function - called when the /proc/atm/mpoa file is read from. >+ * FIXME: needs seek locking > */ > static ssize_t proc_mpc_read(struct file *file, char __user *buff, > size_t count, loff_t *pos){ >@@ -110,7 +111,9 @@ > eg_cache_entry *eg_entry; > struct timeval now; > unsigned char ip_string[16]; >- if(count == 0) >+ loff_t n = *pos; >+ >+ if(count == 0 || n < 0) > return 0; > page = get_zeroed_page(GFP_KERNEL); > if(!page) >@@ -151,14 +154,14 @@ > mpc = mpc->next; > } > >- if (*pos >= length) length = 0; >+ if (n >= length) count = 0; > else { >- if ((count + *pos) > length) count = length - *pos; >+ if (count > length - n) count = length - n; > if (copy_to_user(buff, (char *)page , count)) { > free_page(page); > return -EFAULT; > } >- *pos += count; >+ *pos = n + count; > } > > free_page(page); 
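Review bot: The new `struct semaphore mutex;` members in include/linux/fb.h and include/linux/mtd/mtd.h are documented only as `/* Fbmem mutex */` and `/* Semaphore */`, which say neither what the lock protects nor who initialises it. Neither hunk shows an initialisation, so presumably every driver that sets up one of these structures must do it before the first `down()`; that contract belongs at the declaration. I would write something like `/* serialises offset-dependent read/write on this device; must be initialised before the device is registered */`, adjusted to what the callers actually guard.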
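Review bot: In the `@@ -151,14 +154,14 @@` hunk of net/atm/mpoa_proc.c (apparently still proc_mpc_read) `count` is now clamped to `length - n`, but the unchanged `copy_to_user(buff, (char *)page , count)` still copies from the start of the page, so a read at a non-zero offset returns the first `count` bytes again rather than the bytes at `n`. The source should be `(char *)page + n`. The hunk also changes the end-of-data case from `length = 0` to `count = 0`; the return statement is outside the hunk, and if it still returns `length` the function no longer reports 0 at end of data, so it would need to return `count`.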
>@@ -196,8 +199,6 @@ > return -EFAULT; > } > >- *ppos += incoming; >- > page[incoming] = '\0'; > retval = parse_qos(page, incoming); > if (retval == 0) >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/net/sunrpc/cache.c linux-2.6.7-viroized/net/sunrpc/cache.c >--- linux-2.6.7/net/sunrpc/cache.c 2004-06-16 21:11:37.000000000 +0100 >+++ linux-2.6.7-viroized/net/sunrpc/cache.c 2004-07-12 14:28:42.000000000 +0100 >@@ -1176,14 +1176,14 @@ > > sprintf(tbuf, "%lu\n", cd->flush_time); > len = strlen(tbuf); >- if (p >= len) >+ if (p != (unsigned int)p || p >= len) > return 0; > len -= p; > if (len > count) len = count; > if (copy_to_user(buf, (void*)(tbuf+p), len)) > len = -EFAULT; > else >- *ppos += len; >+ *ppos = p + len; > return len; > } > >@@ -1207,7 +1207,7 @@ > cd->nextcheck = get_seconds(); > cache_flush(); > >- *ppos += count; >+ *ppos = count; > return count; > } > >diff -u --new-file --recursive --exclude-from /usr/src/exclude linux-2.6.7/security/selinux/selinuxfs.c linux-2.6.7-viroized/security/selinux/selinuxfs.c >--- linux-2.6.7/security/selinux/selinuxfs.c 2004-06-16 21:11:37.000000000 +0100 >+++ linux-2.6.7-viroized/security/selinux/selinuxfs.c 2004-06-28 14:30:38.000000000 +0100 >@@ -74,6 +74,7 @@ > char *page; > ssize_t length; > ssize_t end; >+ loff_t pos = *ppos; > > if (count < 0 || count > PAGE_SIZE) > return -EINVAL; >@@ -87,13 +88,13 @@ > return length; > } > >- if (*ppos >= length) { >+ if (pos != (unsigned int)pos || pos >= length) { > free_page((unsigned long)page); > return 0; > } >- if (count + *ppos > length) >- count = length - *ppos; >- end = count + *ppos; >+ if (count + pos > length) >+ count = length - pos; >+ end = count + pos; > if (copy_to_user(buf, (char *) page + *ppos, count)) { > count = -EFAULT; > goto out; >@@ -141,6 +142,7 @@ > selnl_notify_setenforce(selinux_enforcing); > } > length = count; >+ *ppos = length; > out: > free_page((unsigned long) page); > return length; 
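Review bot: The new test `p != (unsigned int)p` in net/sunrpc/cache.c (`@@ -1176,14 +1176,14 @@`) only works if `p` holds the full 64-bit offset, and the declaration of `p` is outside the hunk and therefore unchanged. If it is still a type narrower than `loff_t`, the offset has already been truncated on assignment, the comparison can never be true on a 32-bit build, and a large `*ppos` aliases to a small `p`. Declaring it as `loff_t p = *ppos;`, as the read_profile hunk in this patch does, makes the check meaningful.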
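Review bot: The `copy_to_user(buf, (char *) page + *ppos, count)` line in the `@@ -87,13 +88,13 @@` hunk of security/selinux/selinuxfs.c was left as context and still dereferences `*ppos`, while the bounds check and the clamp above it now use the snapshot `pos`. If `*ppos` changes between the check and the copy, the copy starts at an offset that was never validated against `length`, which is the condition the other selinuxfs read hunks in this patch remove. The line should be `if (copy_to_user(buf, (char *) page + pos, count)) {`. The function begins and ends outside the hunk.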
>@@ -189,6 +191,7 @@ > } > > length = count; >+ *ppos = length; > out: > free_page((unsigned long) page); > return length; >@@ -207,6 +210,7 @@ > char *page; > ssize_t length; > ssize_t end; >+ loff_t pos = *ppos; > > if (count < 0 || count > PAGE_SIZE) > return -EINVAL; >@@ -220,14 +224,14 @@ > return length; > } > >- if (*ppos >= length) { >+ if (pos < 0 || pos >= length) { > free_page((unsigned long)page); > return 0; > } >- if (count + *ppos > length) >- count = length - *ppos; >- end = count + *ppos; >- if (copy_to_user(buf, (char *) page + *ppos, count)) { >+ if (count + pos > length) >+ count = length - pos; >+ end = count + pos; >+ if (copy_to_user(buf, (char *) page + pos, count)) { > count = -EFAULT; > goto out; > } >@@ -250,6 +254,7 @@ > char *page; > ssize_t length; > ssize_t end; >+ loff_t pos = *ppos; > > if (count < 0 || count > PAGE_SIZE) > return -EINVAL; >@@ -263,14 +268,14 @@ > return length; > } > >- if (*ppos >= length) { >+ if (pos < 0 || pos >= length) { > free_page((unsigned long)page); > return 0; > } >- if (count + *ppos > length) >- count = length - *ppos; >- end = count + *ppos; >- if (copy_to_user(buf, (char *) page + *ppos, count)) { >+ if (count + pos > length) >+ count = length - pos; >+ end = count + pos; >+ if (copy_to_user(buf, (char *) page + pos, count)) { > count = -EFAULT; > goto out; > } >@@ -445,10 +450,11 @@ > return rv; > } > >-static ssize_t TA_read(struct file *file, char __user *buf, size_t size, loff_t *pos) >+static ssize_t TA_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) > { > struct argresp *ar; > ssize_t rv = 0; >+ loff_t pos = *ppos; > > if (file->private_data == NULL) > rv = TA_write(file, buf, 0, pos); 
>@@ -458,13 +464,13 @@ > ar = file->private_data; > if (!ar) > return 0; >- if (*pos >= ar->size) >+ if (pos < 0 || pos >= ar->size) > return 0; >- if (*pos + size > ar->size) >- size = ar->size - *pos; >- if (copy_to_user(buf, ar->data + *pos, size)) >+ if (pos + size > ar->size) >+ size = ar->size - pos; >+ if (copy_to_user(buf, ar->data + pos, size)) > return -EFAULT; >- *pos += size; >+ *ppos = pos + size; > return size; > } > >@@ -753,7 +759,8 @@ > ssize_t ret; > int cur_enforcing; > struct inode *inode; >- >+ loff_t pos = *ppos; >+ > down(&sel_sem); > > ret = -EFAULT; >@@ -786,14 +793,14 @@ > goto out; > } > >- if (*ppos >= length) { >+ if (pos < 0 || pos >= length) { > ret = 0; > goto out; > } >- if (count + *ppos > length) >- count = length - *ppos; >- end = count + *ppos; >- if (copy_to_user(buf, (char *) page + *ppos, count)) { >+ if (count + pos > length) >+ count = length - pos; >+ end = count + pos; >+ if (copy_to_user(buf, (char *) page + pos, count)) { > ret = -EFAULT; > goto out; > } >--- linux-2.6.7/security/selinux/selinuxfs.c~ 2004-08-03 11:21:30.649681327 +0200 >+++ linux-2.6.7/security/selinux/selinuxfs.c 2004-08-03 11:21:30.650681186 +0200 >@@ -457,7 +457,7 @@ > loff_t pos = *ppos; > > if (file->private_data == NULL) >- rv = TA_write(file, buf, 0, pos); >+ rv = TA_write(file, buf, 0, ppos); > if (rv < 0) > return rv; >
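Review bot: `if (pos + size > ar->size)` in TA_read (`@@ -458,13 +464,13 @@`) clamps with an addition, and no cap on `size` is visible in this function, unlike the `count > PAGE_SIZE` checks in the other selinuxfs handlers. Where `size_t` is 64 bits wide a very large `size` can wrap the sum, so the clamp is skipped and `copy_to_user()` is asked to read past the end of `ar->data`. Since `pos < ar->size` is already established on the line above, the subtraction form this patch uses in the `count > length - pos` hunks avoids the wrap: `if (size > ar->size - pos) size = ar->size - pos;`. The type of `ar->size` is not visible here, so confirm the comparison behaves as intended for it.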