Okay, now while we are at fixing security holes, is there any chance we
can _finally_ get the attached patch in?

The Vicam USB driver in all Linux Kernels 2.6 mainline does not use the
copy_from_user function when copying data from userspace to kernel space,
which crosses security boundaries and allows local users to cause a denial
of service.

Already ACKed by Greg. Only complaint was inproper coding style which is done
with attached patch ;)

ciao, Marc

into kroah.com:/home/greg/linux/BK/usb-2.6

The RCU code was missing cpus_empty() in one place, required with large
cpumasks.

Fix a corruption bug, we were copying too much information back off
the signal frame.

While in the area help with gccs sign extension optimisation problems
and convert some things to long. (Saves about 30 instructions in signal.c)

into ppc970.osdl.org:/home/torvalds/v2.6/linux

Merged in 2.4, and various vendor kernels..

  iDefense reported a buffer overflow flaw in the ISO9660 filesystem code.
  An attacker could create a malicious filesystem in such a way that they
  could gain root privileges if that filesystem is mounted. The Common
  Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
  CAN-2004-0109 to this issue.

Ernie Petrides came up with the following patch which I fixed up a slight
reject in to apply to 2.6. Otherwise, unchanged from the 2.4 patch.

I just want to explain the changes I've made, since I tried to adhere to the
more organized structure in the 2.6 visor module to incorporate my changes.

I didn't want to pollute this with some ugly hack.

I created a new device id table with name clie_id_5_table to cleanly separate
the UX50/TH55 from the rest.

Along with this I added a new usb_serial_device_type which is essentially a
copy of handspring_device but has its own attach function.

This new attach function ( clie_5_attach ) will do the actual magic.

I think it is justified to introduce a new type ( which I called clie_5 )
since I suspect that Sony is intentionally changing the interface spec ( As
it has done so in the past ). I dare to predict that we will see more clie
devices coming this year which will require this new attachment procedure. At
the moment I am only aware of the UX50 and TH55 to implement that weird
configuration.

Hi Greg, this patch bumps the speedtouch driver's version number.
It also adds the version number to the module description, so people
can see it with modinfo.  I also added a MODULE_VERSION line (why?
because it was there...)  The patch is against your 2.6 kernel tree.

Hi Greg, this patch fixes a memory leak in the speedtouch driver.
The leak occurs when the ATM layer submits a skbuff for transmission,
but the driver rejects it (because the device has been unplugged for
example).  The ATM layer requires the driver to free the skbuff in this
case.  The patch is against your 2.6 kernel tree.

Hi Greg, this causes the speedtouch driver to output non-verbose
debugging messages if the kernel was configured with CONFIG_USB_DEBUG.
The patch is against your 2.6 kernel tree.

Various fixes and cleanups for x86-64. 

 - Update defconfig
 - Fix some problems in ROM resource scanning (Rene Herman) 
 - Initialize APIC id of CPU 0 (Venkatesh Pallipadi)
 - Always enable swiotlb for GART_IOMMU
 - Fix compilation without IOMMU_GART
 - Remove nodes_present; use standard node_online_map instead.
   This also fixes a bug with no memory on node 0.
 - Switch node<->cpu mapping to arrays. This fixes some awkward
   special cases with no nodes and empty nodes. 
 - Move K8 fallback node setup to common code
 - Eliminate old fake_node.
 - Fix wrong fields in MCE handling (Marc Bevand)
 - Make pci_dma_consistent behave more similar to i386 to fix Alsa

From: Dave Jones <davej@redhat.com>

2.4 already had this fixed, but uses a somewhat larger value to clip at.
For uniformity sake, perhaps they should be the same?  Patch below makes
it match 2.4-bk

From: "Nguyen, Tom L" <tom.l.nguyen@intel.com>

The patch showed up in Linus' tree last night breaks the
"generic_defconfig" build for ia64.

Fix it by adding the NR_VECTORS device to ia64.

It should be unconditional.

When I converted journal_write_metadata_buffer() to kmap_atomic() I screwed
up the handling of the copyout buffers - we're currently writing four zeroes
into the user's page rather than into the data which is to be written to the
journal (oops).

Net effect: any block which starts with 0xC03B3998 gets scribbled on in
data=journal mode.

ide_ioreg_t is deprecated and hasn't been used by IDE driver for some time.
Use unsigned long directly on alpha, arm26, arm, mips, parisc, ppc64 and sh.

asm-ia64/ide.h (ide_ioreg_t is unsigned short) and asm-m68knommu/ide.h
(broken - ide_ioreg_t is not defined) are the only users of ide_ioreg_t left.

Use it on all archs which define ide_ioreg_t to unsigned long.

Disable code doing outb() without any locking in /proc handler.
Otherwise 'cat /proc/ide/hpt366' crashes if done during I/O.

Noticed by John Stoffel <stoffel@lucent.com>.

From: Geert Uytterhoeven <geert@linux-m68k.org>

Apparently some IDE drives (e.g. a pile of 80 GB ST380020ACE drives I have
access to) advertise to support LBA48, but don't, causing kernels that support
LBA48 (i.e. anything newer than 2.4.18, including 2.4.25 and 2.6.4) to fail on
them.  Older kernels (including 2.2.20 on the Debian woody CDs) work fine.

Check for id->lba_capacity_2 being non-zero in idedisk_supports_lba48().

The driver was copied from the very-buggy r8169 (pre-Francois),
and is for hardware that isn't even out of the lab yet.

into redhat.com:/spare/repo/net-drivers-2.6

into redhat.com:/spare/repo/net-drivers-2.6

into redhat.com:/spare/repo/net-drivers-2.6

into redhat.com:/spare/repo/net-drivers-2.6

into redhat.com:/spare/repo/net-drivers-2.6

into redhat.com:/spare/repo/net-drivers-2.6

into redhat.com:/spare/repo/net-drivers-2.6

The irq handler must not return 1 when the status register is null
during the firt iteration.

If the pcnet32 interface is not up, running the loopback test may hang or
crash the system.  This patch provided by Jim Lewis fixes that problem.
Tested on ia32 and ppc systems.