kernel26-magellan/patches-2.6.21-r4/0103-2.6.21.4-all-fixes.patch

diff --git a/drivers/char/random.c b/drivers/char/random.c
index b9dc7aa..fa5b95b 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -760,7 +760,7 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
 
 static void extract_buf(struct entropy_store *r, __u8 *out)
 {
-	int i, x;
+	int i;
 	__u32 data[16], buf[5 + SHA_WORKSPACE_WORDS];
 
 	sha_init(buf);
@@ -772,9 +772,11 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
 	 * attempts to find previous ouputs), unless the hash
 	 * function can be inverted.
 	 */
-	for (i = 0, x = 0; i < r->poolinfo->poolwords; i += 16, x+=2) {
-		sha_transform(buf, (__u8 *)r->pool+i, buf + 5);
-		add_entropy_words(r, &buf[x % 5], 1);
+	for (i = 0; i < r->poolinfo->poolwords; i += 16) {
+		/* hash blocks of 16 words = 512 bits */
+		sha_transform(buf, (__u8 *)(r->pool + i), buf + 5);
+		/* feed back portion of the resulting hash */
+		add_entropy_words(r, &buf[i % 5], 1);
 	}
 
 	/*
@@ -782,7 +784,7 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
 	 * portion of the pool while mixing, and hash one
 	 * final time.
 	 */
-	__add_entropy_words(r, &buf[x % 5], 1, data);
+	__add_entropy_words(r, &buf[i % 5], 1, data);
 	sha_transform(buf, (__u8 *)data, buf + 5);
 
 	/*
@@ -1022,37 +1024,44 @@ random_poll(struct file *file, poll_table * wait)
 	return mask;
 }
 
-static ssize_t
-random_write(struct file * file, const char __user * buffer,
-	     size_t count, loff_t *ppos)
+static int
+write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
 {
-	int ret = 0;
 	size_t bytes;
 	__u32 buf[16];
 	const char __user *p = buffer;
-	size_t c = count;
 
-	while (c > 0) {
-		bytes = min(c, sizeof(buf));
+	while (count > 0) {
+		bytes = min(count, sizeof(buf));
+		if (copy_from_user(&buf, p, bytes))
+			return -EFAULT;
 
-		bytes -= copy_from_user(&buf, p, bytes);
-		if (!bytes) {
-			ret = -EFAULT;
-			break;
-		}
-		c -= bytes;
+		count -= bytes;
 		p += bytes;
 
-		add_entropy_words(&input_pool, buf, (bytes + 3) / 4);
-	}
-	if (p == buffer) {
-		return (ssize_t)ret;
-	} else {
-		struct inode *inode = file->f_path.dentry->d_inode;
-	        inode->i_mtime = current_fs_time(inode->i_sb);
-		mark_inode_dirty(inode);
-		return (ssize_t)(p - buffer);
+		add_entropy_words(r, buf, (bytes + 3) / 4);
 	}
+
+	return 0;
+}
+
+static ssize_t
+random_write(struct file * file, const char __user * buffer,
+	     size_t count, loff_t *ppos)
+{
+	size_t ret;
+	struct inode *inode = file->f_path.dentry->d_inode;
+
+	ret = write_pool(&blocking_pool, buffer, count);
+	if (ret)
+		return ret;
+	ret = write_pool(&nonblocking_pool, buffer, count);
+	if (ret)
+		return ret;
+
+	inode->i_mtime = current_fs_time(inode->i_sb);
+	mark_inode_dirty(inode);
+	return (ssize_t)count;
 }
 
 static int
@@ -1091,8 +1100,8 @@ random_ioctl(struct inode * inode, struct file * file,
 			return -EINVAL;
 		if (get_user(size, p++))
 			return -EFAULT;
-		retval = random_write(file, (const char __user *) p,
-				      size, &file->f_pos);
+		retval = write_pool(&input_pool, (const char __user *)p,
+				    size);
 		if (retval < 0)
 			return retval;
 		credit_entropy_store(&input_pool, ent_count);
diff --git a/kernel/cpuset.c b/kernel/cpuset.c
index f382b0f..9e45dd1 100644
--- a/kernel/cpuset.c
+++ b/kernel/cpuset.c
@@ -1751,12 +1751,7 @@ static ssize_t cpuset_tasks_read(struct file *file, char __user *buf,
 {
 	struct ctr_struct *ctr = file->private_data;
 
-	if (*ppos + nbytes > ctr->bufsz)
-		nbytes = ctr->bufsz - *ppos;
-	if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
-		return -EFAULT;
-	*ppos += nbytes;
-	return nbytes;
+	return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
 }
 
 static int cpuset_tasks_release(struct inode *unused_inode, struct file *file)
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
index e694299..b86479a 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
@@ -460,7 +460,8 @@ static int sctp_new(struct ip_conntrack *conntrack,
 						SCTP_CONNTRACK_NONE, sch->type);
 
 		/* Invalid: delete conntrack */
-		if (newconntrack == SCTP_CONNTRACK_MAX) {
+		if (newconntrack == SCTP_CONNTRACK_NONE ||
+		    newconntrack == SCTP_CONNTRACK_MAX) {
 			DEBUGP("ip_conntrack_sctp: invalid new deleting.\n");
 			return 0;
 		}
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 3c80558..b53bc64 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -469,7 +469,8 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
 					 SCTP_CONNTRACK_NONE, sch->type);
 
 		/* Invalid: delete conntrack */
-		if (newconntrack == SCTP_CONNTRACK_MAX) {
+		if (newconntrack == SCTP_CONNTRACK_NONE ||
+		    newconntrack == SCTP_CONNTRACK_MAX) {
 			DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
 			return 0;
 		}
1	diff --git a/drivers/char/random.c b/drivers/char/random.c
2	index b9dc7aa..fa5b95b 100644
3	--- a/drivers/char/random.c
4	+++ b/drivers/char/random.c
5	@@ -760,7 +760,7 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
6
7	static void extract_buf(struct entropy_store r, __u8 out)
8	{
9	- int i, x;
10	+ int i;
11	__u32 data[16], buf[5 + SHA_WORKSPACE_WORDS];
12
13	sha_init(buf);
14	@@ -772,9 +772,11 @@ static void extract_buf(struct entropy_store r, __u8 out)
15	* attempts to find previous ouputs), unless the hash
16	* function can be inverted.
17	*/
18	- for (i = 0, x = 0; i < r->poolinfo->poolwords; i += 16, x+=2) {
19	- sha_transform(buf, (__u8 *)r->pool+i, buf + 5);
20	- add_entropy_words(r, &buf[x % 5], 1);
21	+ for (i = 0; i < r->poolinfo->poolwords; i += 16) {
22	+ /* hash blocks of 16 words = 512 bits */
23	+ sha_transform(buf, (__u8 *)(r->pool + i), buf + 5);
24	+ /* feed back portion of the resulting hash */
25	+ add_entropy_words(r, &buf[i % 5], 1);
26	}
27
28	/*
29	@@ -782,7 +784,7 @@ static void extract_buf(struct entropy_store r, __u8 out)
30	* portion of the pool while mixing, and hash one
31	* final time.
32	*/
33	- __add_entropy_words(r, &buf[x % 5], 1, data);
34	+ __add_entropy_words(r, &buf[i % 5], 1, data);
35	sha_transform(buf, (__u8 *)data, buf + 5);
36
37	/*
38	@@ -1022,37 +1024,44 @@ random_poll(struct file file, poll_table wait)
39	return mask;
40	}
41
42	-static ssize_t
43	-random_write(struct file * file, const char __user * buffer,
44	- size_t count, loff_t *ppos)
45	+static int
46	+write_pool(struct entropy_store r, const char __user buffer, size_t count)
47	{
48	- int ret = 0;
49	size_t bytes;
50	__u32 buf[16];
51	const char __user *p = buffer;
52	- size_t c = count;
53
54	- while (c > 0) {
55	- bytes = min(c, sizeof(buf));
56	+ while (count > 0) {
57	+ bytes = min(count, sizeof(buf));
58	+ if (copy_from_user(&buf, p, bytes))
59	+ return -EFAULT;
60
61	- bytes -= copy_from_user(&buf, p, bytes);
62	- if (!bytes) {
63	- ret = -EFAULT;
64	- break;
65	- }
66	- c -= bytes;
67	+ count -= bytes;
68	p += bytes;
69
70	- add_entropy_words(&input_pool, buf, (bytes + 3) / 4);
71	- }
72	- if (p == buffer) {
73	- return (ssize_t)ret;
74	- } else {
75	- struct inode *inode = file->f_path.dentry->d_inode;
76	- inode->i_mtime = current_fs_time(inode->i_sb);
77	- mark_inode_dirty(inode);
78	- return (ssize_t)(p - buffer);
79	+ add_entropy_words(r, buf, (bytes + 3) / 4);
80	}
81	+
82	+ return 0;
83	+}
84	+
85	+static ssize_t
86	+random_write(struct file * file, const char __user * buffer,
87	+ size_t count, loff_t *ppos)
88	+{
89	+ size_t ret;
90	+ struct inode *inode = file->f_path.dentry->d_inode;
91	+
92	+ ret = write_pool(&blocking_pool, buffer, count);
93	+ if (ret)
94	+ return ret;
95	+ ret = write_pool(&nonblocking_pool, buffer, count);
96	+ if (ret)
97	+ return ret;
98	+
99	+ inode->i_mtime = current_fs_time(inode->i_sb);
100	+ mark_inode_dirty(inode);
101	+ return (ssize_t)count;
102	}
103
104	static int
105	@@ -1091,8 +1100,8 @@ random_ioctl(struct inode * inode, struct file * file,
106	return -EINVAL;
107	if (get_user(size, p++))
108	return -EFAULT;
109	- retval = random_write(file, (const char __user *) p,
110	- size, &file->f_pos);
111	+ retval = write_pool(&input_pool, (const char __user *)p,
112	+ size);
113	if (retval < 0)
114	return retval;
115	credit_entropy_store(&input_pool, ent_count);
116	diff --git a/kernel/cpuset.c b/kernel/cpuset.c
117	index f382b0f..9e45dd1 100644
118	--- a/kernel/cpuset.c
119	+++ b/kernel/cpuset.c
120	@@ -1751,12 +1751,7 @@ static ssize_t cpuset_tasks_read(struct file file, char __user buf,
121	{
122	struct ctr_struct *ctr = file->private_data;
123
124	- if (*ppos + nbytes > ctr->bufsz)
125	- nbytes = ctr->bufsz - *ppos;
126	- if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
127	- return -EFAULT;
128	- *ppos += nbytes;
129	- return nbytes;
130	+ return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
131	}
132
133	static int cpuset_tasks_release(struct inode unused_inode, struct file file)
134	diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
135	index e694299..b86479a 100644
136	--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
137	+++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
138	@@ -460,7 +460,8 @@ static int sctp_new(struct ip_conntrack *conntrack,
139	SCTP_CONNTRACK_NONE, sch->type);
140
141	/* Invalid: delete conntrack */
142	- if (newconntrack == SCTP_CONNTRACK_MAX) {
143	+ if (newconntrack == SCTP_CONNTRACK_NONE \|\|
144	+ newconntrack == SCTP_CONNTRACK_MAX) {
145	DEBUGP("ip_conntrack_sctp: invalid new deleting.\n");
146	return 0;
147	}
148	diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
149	index 3c80558..b53bc64 100644
150	--- a/net/netfilter/nf_conntrack_proto_sctp.c
151	+++ b/net/netfilter/nf_conntrack_proto_sctp.c
152	@@ -469,7 +469,8 @@ static int sctp_new(struct nf_conn conntrack, const struct sk_buff skb,
153	SCTP_CONNTRACK_NONE, sch->type);
154
155	/* Invalid: delete conntrack */
156	- if (newconntrack == SCTP_CONNTRACK_MAX) {
157	+ if (newconntrack == SCTP_CONNTRACK_NONE \|\|
158	+ newconntrack == SCTP_CONNTRACK_MAX) {
159	DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
160	return 0;
161	}