2.6.35.14-97.fc14

9 files changed, 1709 insertions, 1 deletions

diff --git a/freed-ora/current/f14/Ecryptfs-Add-mount-option-to-check-uid-of-device-bei.patch b/freed-ora/current/f14/Ecryptfs-Add-mount-option-to-check-uid-of-device-bei.patch
new file mode 100644
index 000000000..1d67ff8b3
--- /dev/null
+++ b/freed-ora/current/f14/Ecryptfs-Add-mount-option-to-check-uid-of-device-bei.patch
@@ -0,0 +1,130 @@
+From ed62f63919f93dcb040109959ee19983eda8ea84 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Thu, 15 Sep 2011 12:48:12 -0400
+Subject: [PATCH] Ecryptfs: Add mount option to check uid of device being
+ mounted = expect uid
+
+Close a TOCTOU race for mounts done via ecryptfs-mount-private.  The mount
+source (device) can be raced when the ownership test is done in userspace.
+Provide Ecryptfs a means to force the uid check at mount time.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+
+Backported to 2.6.35.14 by Josh Boyer <jwboyer@redhat.com>
+---
+ fs/ecryptfs/main.c |   27 ++++++++++++++++++++++-----
+ 1 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
+index cbd4e18..c249d14 100644
+--- a/fs/ecryptfs/main.c
++++ b/fs/ecryptfs/main.c
+@@ -208,7 +208,7 @@ enum { ecryptfs_opt_sig, ecryptfs_opt_ecryptfs_sig,
+        ecryptfs_opt_passthrough, ecryptfs_opt_xattr_metadata,
+        ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig,
+        ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes,
+-       ecryptfs_opt_unlink_sigs, ecryptfs_opt_err };
++       ecryptfs_opt_unlink_sigs, ecryptfs_opt_check_dev_ruid, ecryptfs_opt_err };
+ 
+ static const match_table_t tokens = {
+ 	{ecryptfs_opt_sig, "sig=%s"},
+@@ -223,6 +223,7 @@ static const match_table_t tokens = {
+ 	{ecryptfs_opt_fn_cipher, "ecryptfs_fn_cipher=%s"},
+ 	{ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"},
+ 	{ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"},
++	{ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"},
+ 	{ecryptfs_opt_err, NULL}
+ };
+ 
+@@ -266,6 +267,7 @@ static void ecryptfs_init_mount_crypt_stat(
+  * ecryptfs_parse_options
+  * @sb: The ecryptfs super block
+  * @options: The options pased to the kernel
++ * @check_ruid: set to 1 if device uid should be checked against the ruid
+  *
+  * Parse mount options:
+  * debug=N 	   - ecryptfs_verbosity level for debug output
+@@ -281,7 +283,7 @@ static void ecryptfs_init_mount_crypt_stat(
+  *
+  * Returns zero on success; non-zero on error
+  */
+-static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options)
++static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options, uid_t *check_ruid)
+ {
+ 	char *p;
+ 	int rc = 0;
+@@ -306,6 +308,8 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options)
+ 	char *cipher_key_bytes_src;
+ 	char *fn_cipher_key_bytes_src;
+ 
++	*check_ruid = 0;
++
+ 	if (!options) {
+ 		rc = -EINVAL;
+ 		goto out;
+@@ -406,6 +410,9 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options)
+ 		case ecryptfs_opt_unlink_sigs:
+ 			mount_crypt_stat->flags |= ECRYPTFS_UNLINK_SIGS;
+ 			break;
++		case ecryptfs_opt_check_dev_ruid:
++			*check_ruid = 1;
++			break;
+ 		case ecryptfs_opt_err:
+ 		default:
+ 			printk(KERN_WARNING
+@@ -494,7 +501,7 @@ static struct file_system_type ecryptfs_fs_type;
+  * ecryptfs_interpose to create our initial inode and super block
+  * struct.
+  */
+-static int ecryptfs_read_super(struct super_block *sb, const char *dev_name)
++static int ecryptfs_read_super(struct super_block *sb, const char *dev_name, uid_t check_ruid)
+ {
+ 	struct path path;
+ 	int rc;
+@@ -511,6 +518,15 @@ static int ecryptfs_read_super(struct super_block *sb, const char *dev_name)
+ 			"known incompatibilities\n");
+ 		goto out_free;
+ 	}
++
++	if (check_ruid && path.dentry->d_inode->i_uid != current_uid()) {
++		rc = -EPERM;
++		printk(KERN_ERR "Mount of device (uid: %d) not owned by "
++		       "requested user (uid: %d)\n",
++		       path.dentry->d_inode->i_uid, current_uid());
++		goto out_free;
++	}
++
+ 	ecryptfs_set_superblock_lower(sb, path.dentry->d_sb);
+ 	sb->s_maxbytes = path.dentry->d_sb->s_maxbytes;
+ 	sb->s_blocksize = path.dentry->d_sb->s_blocksize;
+@@ -549,6 +565,7 @@ static int ecryptfs_get_sb(struct file_system_type *fs_type, int flags,
+ 	struct ecryptfs_dentry_info *root_info;
+ 	const char *err = "Getting sb failed";
+ 	int rc;
++	uid_t check_ruid;
+ 
+ 	sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL);
+ 	if (!sbi) {
+@@ -556,7 +573,7 @@ static int ecryptfs_get_sb(struct file_system_type *fs_type, int flags,
+ 		goto out;
+ 	}
+ 
+-	rc = ecryptfs_parse_options(sbi, raw_data);
++	rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid);
+ 	if (rc) {
+ 		err = "Error parsing options";
+ 		goto out;
+@@ -601,7 +618,7 @@ static int ecryptfs_get_sb(struct file_system_type *fs_type, int flags,
+ 	/* ->kill_sb() will take care of root_info */
+ 	ecryptfs_set_dentry_private(s->s_root, root_info);
+ 	s->s_flags |= MS_ACTIVE;
+-	rc = ecryptfs_read_super(s, dev_name);
++	rc = ecryptfs_read_super(s, dev_name, check_ruid);
+ 	if (rc) {
+ 		deactivate_locked_super(s);
+ 		err = "Reading sb failed";
+-- 
+1.7.6
+
diff --git a/freed-ora/current/f14/befs-Validate-length-of-long-symbolic-links.patch b/freed-ora/current/f14/befs-Validate-length-of-long-symbolic-links.patch
new file mode 100644
index 000000000..f53dfbfad
--- /dev/null
+++ b/freed-ora/current/f14/befs-Validate-length-of-long-symbolic-links.patch
@@ -0,0 +1,50 @@
+From 338d0f0a6fbc82407864606f5b64b75aeb3c70f2 Mon Sep 17 00:00:00 2001
+From: Timo Warns <Warns@pre-sense.de>
+Date: Wed, 17 Aug 2011 17:59:56 +0200
+Subject: [PATCH] befs: Validate length of long symbolic links.
+
+Signed-off-by: Timo Warns <warns@pre-sense.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ fs/befs/linuxvfs.c |   23 ++++++++++++++---------
+ 1 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
+index 54b8c28..720d885 100644
+--- a/fs/befs/linuxvfs.c
++++ b/fs/befs/linuxvfs.c
+@@ -474,17 +474,22 @@ befs_follow_link(struct dentry *dentry, struct nameidata *nd)
+ 		befs_data_stream *data = &befs_ino->i_data.ds;
+ 		befs_off_t len = data->size;
+ 
+-		befs_debug(sb, "Follow long symlink");
+-
+-		link = kmalloc(len, GFP_NOFS);
+-		if (!link) {
+-			link = ERR_PTR(-ENOMEM);
+-		} else if (befs_read_lsymlink(sb, data, link, len) != len) {
+-			kfree(link);
+-			befs_error(sb, "Failed to read entire long symlink");
++		if (len == 0) {
++			befs_error(sb, "Long symlink with illegal length");
+ 			link = ERR_PTR(-EIO);
+ 		} else {
+-			link[len - 1] = '\0';
++			befs_debug(sb, "Follow long symlink");
++
++			link = kmalloc(len, GFP_NOFS);
++			if (!link) {
++				link = ERR_PTR(-ENOMEM);
++			} else if (befs_read_lsymlink(sb, data, link, len) != len) {
++				kfree(link);
++				befs_error(sb, "Failed to read entire long symlink");
++				link = ERR_PTR(-EIO);
++			} else {
++				link[len - 1] = '\0';
++			}
+ 		}
+ 	} else {
+ 		link = befs_ino->i_data.symlink;
+-- 
+1.7.6
+
diff --git a/freed-ora/current/f14/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch b/freed-ora/current/f14/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
new file mode 100644
index 000000000..06fc5c74a
--- /dev/null
+++ b/freed-ora/current/f14/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
@@ -0,0 +1,82 @@
+Path: news.gmane.org!not-for-mail
+From: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
+Newsgroups: gmane.linux.kernel.cifs
+Subject: [PATCH] cifs: fix possible memory corruption in CIFSFindNext
+Date: Tue, 23 Aug 2011 07:21:28 -0400
+Lines: 37
+Approved: news@gmane.org
+Message-ID: <1314098488-1547-1-git-send-email-jlayton@redhat.com>
+NNTP-Posting-Host: lo.gmane.org
+X-Trace: dough.gmane.org 1314098501 27164 80.91.229.12 (23 Aug 2011 11:21:41 GMT)
+X-Complaints-To: usenet@dough.gmane.org
+NNTP-Posting-Date: Tue, 23 Aug 2011 11:21:41 +0000 (UTC)
+Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org
+To: smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
+Original-X-From: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Tue Aug 23 13:21:37 2011
+Return-path: <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
+Envelope-to: glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw@public.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by lo.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>)
+	id 1Qvp33-0003JC-05
+	for glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw@public.gmane.org; Tue, 23 Aug 2011 13:21:37 +0200
+Original-Received: (majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org) by vger.kernel.org via listexpand
+	id S1752435Ab1HWLVg (ORCPT <rfc822;glkc-linux-cifs@m.gmane.org>);
+	Tue, 23 Aug 2011 07:21:36 -0400
+Original-Received: from mail-gy0-f174.google.com ([209.85.160.174]:43114 "EHLO
+	mail-gy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+	with ESMTP id S1751065Ab1HWLVf (ORCPT
+	<rfc822;linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>); Tue, 23 Aug 2011 07:21:35 -0400
+Original-Received: by gya6 with SMTP id 6so4228912gya.19
+        for <linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>; Tue, 23 Aug 2011 04:21:35 -0700 (PDT)
+Original-Received: by 10.101.144.18 with SMTP id w18mr3505731ann.133.1314098494691;
+        Tue, 23 Aug 2011 04:21:34 -0700 (PDT)
+Original-Received: from salusa.poochiereds.net (cpe-075-177-182-191.nc.res.rr.com [75.177.182.191])
+        by mx.google.com with ESMTPS id d33sm48355ano.35.2011.08.23.04.21.32
+        (version=SSLv3 cipher=OTHER);
+        Tue, 23 Aug 2011 04:21:33 -0700 (PDT)
+X-Mailer: git-send-email 1.7.6
+Original-Sender: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
+Precedence: bulk
+List-ID: <linux-cifs.vger.kernel.org>
+X-Mailing-List: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
+Xref: news.gmane.org gmane.linux.kernel.cifs:4006
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.cifs/4006>
+
+The name_len variable in CIFSFindNext is a signed int that gets set to
+the resume_name_len in the cifs_search_info. The resume_name_len however
+is unsigned and for some infolevels is populated directly from a 32 bit
+value sent by the server.
+
+If the server sends a very large value for this, then that value could
+look negative when converted to a signed int. That would make that
+value pass the PATH_MAX check later in CIFSFindNext. The name_len would
+then be used as a length value for a memcpy. It would then be treated
+as unsigned again, and the memcpy scribbles over a ton of memory.
+
+Fix this by making the name_len an unsigned value in CIFSFindNext.
+
+Cc: <stable-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
+Reported-by: Darren Lavender <dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org>
+Signed-off-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
+---
+ fs/cifs/cifssmb.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index f4d0988..950464d 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -4089,7 +4089,8 @@ int CIFSFindNext(const int xid, struct cifs_tcon *tcon,
+ 	T2_FNEXT_RSP_PARMS *parms;
+ 	char *response_data;
+ 	int rc = 0;
+-	int bytes_returned, name_len;
++	int bytes_returned;
++	unsigned int name_len;
+ 	__u16 params, byte_count;
+ 
+ 	cFYI(1, "In FindNext");
+-- 
+1.7.6
+
diff --git a/freed-ora/current/f14/crypto-Move-md5_transform-to-lib-md5.c.patch b/freed-ora/current/f14/crypto-Move-md5_transform-to-lib-md5.c.patch
new file mode 100644
index 000000000..ef12c3b00
--- /dev/null
+++ b/freed-ora/current/f14/crypto-Move-md5_transform-to-lib-md5.c.patch
@@ -0,0 +1,258 @@
+From 44c943562c2e204cddf46db131c53c326b47bd47 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Fri, 16 Sep 2011 17:10:29 -0400
+Subject: [PATCH 1/2] crypto: Move md5_transform to lib/md5.c
+
+We are going to use this for TCP/IP sequence number and fragment ID
+generation.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+Backported to 2.6.25.14 by Josh Boyer <jwboyer@redhat.com>
+---
+ crypto/md5.c               |   92 +------------------------------------------
+ include/linux/cryptohash.h |    5 ++
+ lib/Makefile               |    2 +-
+ lib/md5.c                  |   95 ++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 102 insertions(+), 92 deletions(-)
+ create mode 100644 lib/md5.c
+
+diff --git a/crypto/md5.c b/crypto/md5.c
+index 30efc7d..7febeaa 100644
+--- a/crypto/md5.c
++++ b/crypto/md5.c
+@@ -21,99 +21,9 @@
+ #include <linux/module.h>
+ #include <linux/string.h>
+ #include <linux/types.h>
++#include <linux/cryptohash.h>
+ #include <asm/byteorder.h>
+ 
+-#define F1(x, y, z)	(z ^ (x & (y ^ z)))
+-#define F2(x, y, z)	F1(z, x, y)
+-#define F3(x, y, z)	(x ^ y ^ z)
+-#define F4(x, y, z)	(y ^ (x | ~z))
+-
+-#define MD5STEP(f, w, x, y, z, in, s) \
+-	(w += f(x, y, z) + in, w = (w<<s | w>>(32-s)) + x)
+-
+-static void md5_transform(u32 *hash, u32 const *in)
+-{
+-	u32 a, b, c, d;
+-
+-	a = hash[0];
+-	b = hash[1];
+-	c = hash[2];
+-	d = hash[3];
+-
+-	MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
+-	MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
+-	MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
+-	MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
+-	MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
+-	MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
+-	MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
+-	MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
+-	MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
+-	MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
+-	MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
+-	MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
+-	MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
+-	MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
+-	MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
+-	MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
+-
+-	MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
+-	MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
+-	MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
+-	MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
+-	MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
+-	MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
+-	MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
+-	MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
+-	MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
+-	MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
+-	MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
+-	MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
+-	MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
+-	MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
+-	MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
+-	MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
+-
+-	MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
+-	MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
+-	MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
+-	MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
+-	MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
+-	MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
+-	MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
+-	MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
+-	MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
+-	MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
+-	MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
+-	MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
+-	MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
+-	MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
+-	MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
+-	MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
+-
+-	MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
+-	MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
+-	MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
+-	MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
+-	MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
+-	MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
+-	MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
+-	MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
+-	MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
+-	MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
+-	MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
+-	MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
+-	MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
+-	MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
+-	MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
+-	MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
+-
+-	hash[0] += a;
+-	hash[1] += b;
+-	hash[2] += c;
+-	hash[3] += d;
+-}
+-
+ /* XXX: this stuff can be optimized */
+ static inline void le32_to_cpu_array(u32 *buf, unsigned int words)
+ {
+diff --git a/include/linux/cryptohash.h b/include/linux/cryptohash.h
+index ec78a4b..d2984fb 100644
+--- a/include/linux/cryptohash.h
++++ b/include/linux/cryptohash.h
+@@ -8,6 +8,11 @@
+ void sha_init(__u32 *buf);
+ void sha_transform(__u32 *digest, const char *data, __u32 *W);
+ 
++#define MD5_DIGEST_WORDS 4
++#define MD5_MESSAGE_BYTES 64
++
++void md5_transform(__u32 *hash, __u32 const *in);
++
+ __u32 half_md4_transform(__u32 buf[4], __u32 const in[8]);
+ 
+ #endif
+diff --git a/lib/Makefile b/lib/Makefile
+index 0bfabba..d07eef3 100644
+--- a/lib/Makefile
++++ b/lib/Makefile
+@@ -10,7 +10,7 @@ endif
+ lib-y := ctype.o string.o vsprintf.o cmdline.o \
+ 	 rbtree.o radix-tree.o dump_stack.o \
+ 	 idr.o int_sqrt.o extable.o prio_tree.o \
+-	 sha1.o irq_regs.o reciprocal_div.o argv_split.o \
++	 sha1.o md5.o irq_regs.o reciprocal_div.o argv_split.o \
+ 	 proportions.o prio_heap.o ratelimit.o show_mem.o \
+ 	 is_single_threaded.o plist.o decompress.o flex_array.o
+ 
+diff --git a/lib/md5.c b/lib/md5.c
+new file mode 100644
+index 0000000..c777180
+--- /dev/null
++++ b/lib/md5.c
+@@ -0,0 +1,95 @@
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/cryptohash.h>
++
++#define F1(x, y, z)	(z ^ (x & (y ^ z)))
++#define F2(x, y, z)	F1(z, x, y)
++#define F3(x, y, z)	(x ^ y ^ z)
++#define F4(x, y, z)	(y ^ (x | ~z))
++
++#define MD5STEP(f, w, x, y, z, in, s) \
++	(w += f(x, y, z) + in, w = (w<<s | w>>(32-s)) + x)
++
++void md5_transform(__u32 *hash, __u32 const *in)
++{
++	u32 a, b, c, d;
++
++	a = hash[0];
++	b = hash[1];
++	c = hash[2];
++	d = hash[3];
++
++	MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
++	MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
++	MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
++	MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
++	MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
++	MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
++	MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
++	MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
++	MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
++	MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
++	MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
++	MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
++	MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
++	MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
++	MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
++	MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
++
++	MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
++	MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
++	MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
++	MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
++	MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
++	MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
++	MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
++	MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
++	MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
++	MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
++	MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
++	MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
++	MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
++	MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
++	MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
++	MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
++
++	MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
++	MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
++	MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
++	MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
++	MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
++	MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
++	MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
++	MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
++	MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
++	MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
++	MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
++	MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
++	MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
++	MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
++	MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
++	MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
++
++	MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
++	MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
++	MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
++	MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
++	MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
++	MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
++	MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
++	MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
++	MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
++	MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
++	MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
++	MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
++	MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
++	MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
++	MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
++	MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
++
++	hash[0] += a;
++	hash[1] += b;
++	hash[2] += c;
++	hash[3] += d;
++}
++EXPORT_SYMBOL(md5_transform);
+-- 
+1.7.6
+
diff --git a/freed-ora/current/f14/gro-Only-reset-frag0-when-skb-can-be-pulled.patch b/freed-ora/current/f14/gro-Only-reset-frag0-when-skb-can-be-pulled.patch
new file mode 100644
index 000000000..385fd8657
--- /dev/null
+++ b/freed-ora/current/f14/gro-Only-reset-frag0-when-skb-can-be-pulled.patch
@@ -0,0 +1,39 @@
+From 17dd759c67f21e34f2156abcf415e1f60605a188 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Wed, 27 Jul 2011 06:16:28 -0700
+Subject: [PATCH] gro: Only reset frag0 when skb can be pulled
+
+Currently skb_gro_header_slow unconditionally resets frag0 and
+frag0_len.  However, when we can't pull on the skb this leaves
+the GRO fields in an inconsistent state.
+
+This patch fixes this by only resetting those fields after the
+pskb_may_pull test.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/linux/netdevice.h |    5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 1d92acc..661a077 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1649,9 +1649,12 @@ static inline int skb_gro_header_hard(struct sk_buff *skb, unsigned int hlen)
+ static inline void *skb_gro_header_slow(struct sk_buff *skb, unsigned int hlen,
+ 					unsigned int offset)
+ {
++	if (!pskb_may_pull(skb, hlen))
++		return NULL;
++
+ 	NAPI_GRO_CB(skb)->frag0 = NULL;
+ 	NAPI_GRO_CB(skb)->frag0_len = 0;
+-	return pskb_may_pull(skb, hlen) ? skb->data + offset : NULL;
++	return skb->data + offset;
+ }
+ 
+ static inline void *skb_gro_mac_header(struct sk_buff *skb)
+-- 
+1.7.6
+
diff --git a/freed-ora/current/f14/kernel.spec b/freed-ora/current/f14/kernel.spec
index 2e366d6c1..a797162ae 100644
--- a/freed-ora/current/f14/kernel.spec
+++ b/freed-ora/current/f14/kernel.spec
@@ -48,7 +48,7 @@ Summary: The Linux kernel
 # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
 # scripts/rebase.sh should be made to do that for you, actually.
 #
-%global baserelease 96
+%global baserelease 97
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -887,6 +887,28 @@ Patch14040: asix-add-USB-ID-for-Logitec-LAN-GTJ-U2A.patch
 # RHBZ #665109
 Patch14050: x86-PCI-don-t-use-native-Broadcom-CNB20LE-driver-whe.patch
 
+# RHBZ #648571
+Patch14051: modules-Fix-module_bug_list-list-corruption-race.patch
+
+# CVE-2011-2723
+Patch14052: gro-Only-reset-frag0-when-skb-can-be-pulled.patch
+
+# CVE-2011-2928
+Patch14053: befs-Validate-length-of-long-symbolic-links.patch
+
+# CVE-2011-3191
+Patch14054: cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
+
+# CVE-2011-1833
+Patch14055: Ecryptfs-Add-mount-option-to-check-uid-of-device-bei.patch
+
+# CVE-2011-2918
+Patch14056: perf-Fix-software-event-overflow.patch
+
+# CVE-2011-3188
+Patch14057: crypto-Move-md5_transform-to-lib-md5.c.patch
+Patch14058: net-Compute-protocol-sequence-numbers-and-fragment-I.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1673,6 +1695,28 @@ ApplyPatch asix-add-USB-ID-for-Logitec-LAN-GTJ-U2A.patch
 # RHBZ #665109
 ApplyPatch x86-PCI-don-t-use-native-Broadcom-CNB20LE-driver-whe.patch
 
+# RHBZ #648571
+ApplyPatch modules-Fix-module_bug_list-list-corruption-race.patch
+
+# CVE-2011-2723
+ApplyPatch gro-Only-reset-frag0-when-skb-can-be-pulled.patch
+
+# CVE-2011-2928
+ApplyPatch befs-Validate-length-of-long-symbolic-links.patch
+
+# CVE-2011-3191
+ApplyPatch cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
+
+# CVE-2011-1833
+ApplyPatch Ecryptfs-Add-mount-option-to-check-uid-of-device-bei.patch
+
+# CVE-2011-2918
+ApplyPatch perf-Fix-software-event-overflow.patch
+
+# CVE-2011-3188
+ApplyPatch crypto-Move-md5_transform-to-lib-md5.c.patch
+ApplyPatch net-Compute-protocol-sequence-numbers-and-fragment-I.patch
+
 # END OF PATCH APPLICATIONS
 
 # Linux-libre-specific, added by Koko's request for BLAG.
@@ -2262,6 +2306,19 @@ fi
 # and build.
 
 %changelog
+* Fri Sep 16 2011 Josh Boyer <jwboyer@redhat.com> 2.6.35.14-97
+- CVE-2011-2918: perf: Fix software event overflow
+- CVE-2011-3188: net: improve sequence number generation
+
+* Thu Sep 15 2011 Josh Boyer <jwboyer@redhat.com>
+- CVE-2011-2723: gro: Only reset frag0 when skb can be pulled
+- CVE-2011-2928: befs: Validate length of long symbolic links
+- CVE-2011-3191: cifs: fix possible memory corruption in CIFSFindNext
+- CVE-2011-1833: ecryptfs: mount source TOCTOU race
+
+* Mon Sep 12 2011 Josh Boyer <jwboyer@redhat.com>
+- Backport 5336377d to fix RHBZ #648571
+
 * Wed Aug 31 2011 Josh Boyer <jwboyer@redhat.com> 2.6.35.14-96
 - Add patch to fix RHBZ #665109
 
diff --git a/freed-ora/current/f14/modules-Fix-module_bug_list-list-corruption-race.patch b/freed-ora/current/f14/modules-Fix-module_bug_list-list-corruption-race.patch
new file mode 100644
index 000000000..ab62ae6aa
--- /dev/null
+++ b/freed-ora/current/f14/modules-Fix-module_bug_list-list-corruption-race.patch
@@ -0,0 +1,271 @@
+From 9aad2d11106f9a42593ee8eb3f10bc469873a18e Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 5 Oct 2010 11:29:27 -0700
+Subject: [PATCH] modules: Fix module_bug_list list corruption race
+
+With all the recent module loading cleanups, we've minimized the code
+that sits under module_mutex, fixing various deadlocks and making it
+possible to do most of the module loading in parallel.
+
+However, that whole conversion totally missed the rather obscure code
+that adds a new module to the list for BUG() handling.  That code was
+doubly obscure because (a) the code itself lives in lib/bugs.c (for
+dubious reasons) and (b) it gets called from the architecture-specific
+"module_finalize()" rather than from generic code.
+
+Calling it from arch-specific code makes no sense what-so-ever to begin
+with, and is now actively wrong since that code isn't protected by the
+module loading lock any more.
+
+So this commit moves the "module_bug_{finalize,cleanup}()" calls away
+from the arch-specific code, and into the generic code - and in the
+process protects it with the module_mutex so that the list operations
+are now safe.
+
+Future fixups:
+ - move the module list handling code into kernel/module.c where it
+   belongs.
+ - get rid of 'module_bug_list' and just use the regular list of modules
+   (called 'modules' - imagine that) that we already create and maintain
+   for other reasons.
+
+Reported-and-tested-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Rusty Russell <rusty@rustcorp.com.au>
+Cc: Adrian Bunk <bunk@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ arch/avr32/kernel/module.c   |    3 +--
+ arch/h8300/kernel/module.c   |    3 +--
+ arch/mn10300/kernel/module.c |    3 +--
+ arch/parisc/kernel/module.c  |    3 +--
+ arch/powerpc/kernel/module.c |    5 -----
+ arch/s390/kernel/module.c    |    3 +--
+ arch/sh/kernel/module.c      |    2 --
+ arch/x86/kernel/module.c     |    3 +--
+ include/linux/module.h       |    5 ++---
+ kernel/module.c              |    4 ++++
+ lib/bug.c                    |    6 ++----
+ 11 files changed, 14 insertions(+), 26 deletions(-)
+
+diff --git a/arch/avr32/kernel/module.c b/arch/avr32/kernel/module.c
+index 98f94d0..a727f54 100644
+--- a/arch/avr32/kernel/module.c
++++ b/arch/avr32/kernel/module.c
+@@ -314,10 +314,9 @@ int module_finalize(const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs,
+ 	vfree(module->arch.syminfo);
+ 	module->arch.syminfo = NULL;
+ 
+-	return module_bug_finalize(hdr, sechdrs, module);
++	return 0;
+ }
+ 
+ void module_arch_cleanup(struct module *module)
+ {
+-	module_bug_cleanup(module);
+ }
+diff --git a/arch/h8300/kernel/module.c b/arch/h8300/kernel/module.c
+index 0865e29..db4953d 100644
+--- a/arch/h8300/kernel/module.c
++++ b/arch/h8300/kernel/module.c
+@@ -112,10 +112,9 @@ int module_finalize(const Elf_Ehdr *hdr,
+ 		    const Elf_Shdr *sechdrs,
+ 		    struct module *me)
+ {
+-	return module_bug_finalize(hdr, sechdrs, me);
++	return 0;
+ }
+ 
+ void module_arch_cleanup(struct module *mod)
+ {
+-	module_bug_cleanup(mod);
+ }
+diff --git a/arch/mn10300/kernel/module.c b/arch/mn10300/kernel/module.c
+index 6aea7fd..196a111 100644
+--- a/arch/mn10300/kernel/module.c
++++ b/arch/mn10300/kernel/module.c
+@@ -206,7 +206,7 @@ int module_finalize(const Elf_Ehdr *hdr,
+ 		    const Elf_Shdr *sechdrs,
+ 		    struct module *me)
+ {
+-	return module_bug_finalize(hdr, sechdrs, me);
++	return 0;
+ }
+ 
+ /*
+@@ -214,5 +214,4 @@ int module_finalize(const Elf_Ehdr *hdr,
+  */
+ void module_arch_cleanup(struct module *mod)
+ {
+-	module_bug_cleanup(mod);
+ }
+diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c
+index 159a2b8..6e81bb5 100644
+--- a/arch/parisc/kernel/module.c
++++ b/arch/parisc/kernel/module.c
+@@ -941,11 +941,10 @@ int module_finalize(const Elf_Ehdr *hdr,
+ 	nsyms = newptr - (Elf_Sym *)symhdr->sh_addr;
+ 	DEBUGP("NEW num_symtab %lu\n", nsyms);
+ 	symhdr->sh_size = nsyms * sizeof(Elf_Sym);
+-	return module_bug_finalize(hdr, sechdrs, me);
++	return 0;
+ }
+ 
+ void module_arch_cleanup(struct module *mod)
+ {
+ 	deregister_unwind_table(mod);
+-	module_bug_cleanup(mod);
+ }
+diff --git a/arch/powerpc/kernel/module.c b/arch/powerpc/kernel/module.c
+index 477c663..4ef93ae 100644
+--- a/arch/powerpc/kernel/module.c
++++ b/arch/powerpc/kernel/module.c
+@@ -65,10 +65,6 @@ int module_finalize(const Elf_Ehdr *hdr,
+ 	const Elf_Shdr *sect;
+ 	int err;
+ 
+-	err = module_bug_finalize(hdr, sechdrs, me);
+-	if (err)
+-		return err;
+-
+ 	/* Apply feature fixups */
+ 	sect = find_section(hdr, sechdrs, "__ftr_fixup");
+ 	if (sect != NULL)
+@@ -101,5 +97,4 @@ int module_finalize(const Elf_Ehdr *hdr,
+ 
+ void module_arch_cleanup(struct module *mod)
+ {
+-	module_bug_cleanup(mod);
+ }
+diff --git a/arch/s390/kernel/module.c b/arch/s390/kernel/module.c
+index 22cfd63..f7167ee 100644
+--- a/arch/s390/kernel/module.c
++++ b/arch/s390/kernel/module.c
+@@ -407,10 +407,9 @@ int module_finalize(const Elf_Ehdr *hdr,
+ {
+ 	vfree(me->arch.syminfo);
+ 	me->arch.syminfo = NULL;
+-	return module_bug_finalize(hdr, sechdrs, me);
++	return 0;
+ }
+ 
+ void module_arch_cleanup(struct module *mod)
+ {
+-	module_bug_cleanup(mod);
+ }
+diff --git a/arch/sh/kernel/module.c b/arch/sh/kernel/module.c
+index 43adddf..ae0be69 100644
+--- a/arch/sh/kernel/module.c
++++ b/arch/sh/kernel/module.c
+@@ -149,13 +149,11 @@ int module_finalize(const Elf_Ehdr *hdr,
+ 	int ret = 0;
+ 
+ 	ret |= module_dwarf_finalize(hdr, sechdrs, me);
+-	ret |= module_bug_finalize(hdr, sechdrs, me);
+ 
+ 	return ret;
+ }
+ 
+ void module_arch_cleanup(struct module *mod)
+ {
+-	module_bug_cleanup(mod);
+ 	module_dwarf_cleanup(mod);
+ }
+diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
+index e0bc186..1c355c5 100644
+--- a/arch/x86/kernel/module.c
++++ b/arch/x86/kernel/module.c
+@@ -239,11 +239,10 @@ int module_finalize(const Elf_Ehdr *hdr,
+ 		apply_paravirt(pseg, pseg + para->sh_size);
+ 	}
+ 
+-	return module_bug_finalize(hdr, sechdrs, me);
++	return 0;
+ }
+ 
+ void module_arch_cleanup(struct module *mod)
+ {
+ 	alternatives_smp_module_del(mod);
+-	module_bug_cleanup(mod);
+ }
+diff --git a/include/linux/module.h b/include/linux/module.h
+index 8a6b9fd..aace066 100644
+--- a/include/linux/module.h
++++ b/include/linux/module.h
+@@ -686,17 +686,16 @@ extern int module_sysfs_initialized;
+ 
+ 
+ #ifdef CONFIG_GENERIC_BUG
+-int  module_bug_finalize(const Elf_Ehdr *, const Elf_Shdr *,
++void module_bug_finalize(const Elf_Ehdr *, const Elf_Shdr *,
+ 			 struct module *);
+ void module_bug_cleanup(struct module *);
+ 
+ #else	/* !CONFIG_GENERIC_BUG */
+ 
+-static inline int  module_bug_finalize(const Elf_Ehdr *hdr,
++static inline void module_bug_finalize(const Elf_Ehdr *hdr,
+ 					const Elf_Shdr *sechdrs,
+ 					struct module *mod)
+ {
+-	return 0;
+ }
+ static inline void module_bug_cleanup(struct module *mod) {}
+ #endif	/* CONFIG_GENERIC_BUG */
+diff --git a/kernel/module.c b/kernel/module.c
+index 6c56282..eca6e02 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1533,6 +1533,7 @@ static int __unlink_module(void *_mod)
+ {
+ 	struct module *mod = _mod;
+ 	list_del(&mod->list);
++	module_bug_cleanup(mod);
+ 	return 0;
+ }
+ 
+@@ -2538,6 +2539,7 @@ static noinline struct module *load_module(void __user *umod,
+ 	if (err < 0)
+ 		goto ddebug;
+ 
++	module_bug_finalize(hdr, sechdrs, mod);
+ 	list_add_rcu(&mod->list, &modules);
+ 	mutex_unlock(&module_mutex);
+ 
+@@ -2564,6 +2566,8 @@ static noinline struct module *load_module(void __user *umod,
+ 	mutex_lock(&module_mutex);
+ 	/* Unlink carefully: kallsyms could be walking list. */
+ 	list_del_rcu(&mod->list);
++	module_bug_cleanup(mod);
++
+  ddebug:
+ 	dynamic_debug_remove(debug);
+  unlock:
+diff --git a/lib/bug.c b/lib/bug.c
+index f13daf4..c005615 100644
+--- a/lib/bug.c
++++ b/lib/bug.c
+@@ -72,8 +72,8 @@ static const struct bug_entry *module_find_bug(unsigned long bugaddr)
+ 	return NULL;
+ }
+ 
+-int module_bug_finalize(const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs,
+-			struct module *mod)
++void module_bug_finalize(const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs,
++			 struct module *mod)
+ {
+ 	char *secstrings;
+ 	unsigned int i;
+@@ -97,8 +97,6 @@ int module_bug_finalize(const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs,
+ 	 * could potentially lead to deadlock and thus be counter-productive.
+ 	 */
+ 	list_add(&mod->bug_list, &module_bug_list);
+-
+-	return 0;
+ }
+ 
+ void module_bug_cleanup(struct module *mod)
+-- 
+1.7.6
+
diff --git a/freed-ora/current/f14/net-Compute-protocol-sequence-numbers-and-fragment-I.patch b/freed-ora/current/f14/net-Compute-protocol-sequence-numbers-and-fragment-I.patch
new file mode 100644
index 000000000..35271d21b
--- /dev/null
+++ b/freed-ora/current/f14/net-Compute-protocol-sequence-numbers-and-fragment-I.patch
@@ -0,0 +1,781 @@
+From 23d90cc07ae73b8d9e2bdc4cde4e8c3642ada804 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Fri, 16 Sep 2011 17:13:05 -0400
+Subject: [PATCH 2/2] net: Compute protocol sequence numbers and fragment IDs
+ using MD5.
+
+Computers have become a lot faster since we compromised on the
+partial MD4 hash which we use currently for performance reasons.
+
+MD5 is a much safer choice, and is inline with both RFC1948 and
+other ISS generators (OpenBSD, Solaris, etc.)
+
+Furthermore, only having 24-bits of the sequence number be truly
+unpredictable is a very serious limitation.  So the periodic
+regeneration and 8-bit counter have been removed.  We compute and
+use a full 32-bit sequence number.
+
+For ipv6, DCCP was found to use a 32-bit truncated initial sequence
+number (it needs 43-bits) and that is fixed here as well.
+
+Reported-by: Dan Kaminsky <dan@doxpara.com>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/char/random.c                    |  334 +-----------------------------
+ include/linux/random.h                   |   11 -
+ include/net/secure_seq.h                 |   20 ++
+ net/core/Makefile                        |    2 +-
+ net/core/secure_seq.c                    |  184 ++++++++++++++++
+ net/dccp/ipv4.c                          |    1 +
+ net/dccp/ipv6.c                          |    9 +-
+ net/ipv4/inet_hashtables.c               |    1 +
+ net/ipv4/inetpeer.c                      |    1 +
+ net/ipv4/netfilter/nf_nat_proto_common.c |    1 +
+ net/ipv4/route.c                         |    1 +
+ net/ipv4/tcp_ipv4.c                      |    1 +
+ net/ipv6/inet6_hashtables.c              |    1 +
+ net/ipv6/tcp_ipv6.c                      |    1 +
+ 14 files changed, 223 insertions(+), 345 deletions(-)
+ create mode 100644 include/net/secure_seq.h
+ create mode 100644 net/core/secure_seq.c
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 8d85587..1e07bbe 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1291,330 +1291,14 @@ ctl_table random_table[] = {
+ };
+ #endif 	/* CONFIG_SYSCTL */
+ 
+-/********************************************************************
+- *
+- * Random functions for networking
+- *
+- ********************************************************************/
+-
+-/*
+- * TCP initial sequence number picking.  This uses the random number
+- * generator to pick an initial secret value.  This value is hashed
+- * along with the TCP endpoint information to provide a unique
+- * starting point for each pair of TCP endpoints.  This defeats
+- * attacks which rely on guessing the initial TCP sequence number.
+- * This algorithm was suggested by Steve Bellovin.
+- *
+- * Using a very strong hash was taking an appreciable amount of the total
+- * TCP connection establishment time, so this is a weaker hash,
+- * compensated for by changing the secret periodically.
+- */
+-
+-/* F, G and H are basic MD4 functions: selection, majority, parity */
+-#define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
+-#define G(x, y, z) (((x) & (y)) + (((x) ^ (y)) & (z)))
+-#define H(x, y, z) ((x) ^ (y) ^ (z))
+-
+-/*
+- * The generic round function.  The application is so specific that
+- * we don't bother protecting all the arguments with parens, as is generally
+- * good macro practice, in favor of extra legibility.
+- * Rotation is separate from addition to prevent recomputation
+- */
+-#define ROUND(f, a, b, c, d, x, s)	\
+-	(a += f(b, c, d) + x, a = (a << s) | (a >> (32 - s)))
+-#define K1 0
+-#define K2 013240474631UL
+-#define K3 015666365641UL
++static u32 random_int_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
+ 
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+-
+-static __u32 twothirdsMD4Transform(__u32 const buf[4], __u32 const in[12])
++static int __init random_int_secret_init(void)
+ {
+-	__u32 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
+-
+-	/* Round 1 */
+-	ROUND(F, a, b, c, d, in[ 0] + K1,  3);
+-	ROUND(F, d, a, b, c, in[ 1] + K1,  7);
+-	ROUND(F, c, d, a, b, in[ 2] + K1, 11);
+-	ROUND(F, b, c, d, a, in[ 3] + K1, 19);
+-	ROUND(F, a, b, c, d, in[ 4] + K1,  3);
+-	ROUND(F, d, a, b, c, in[ 5] + K1,  7);
+-	ROUND(F, c, d, a, b, in[ 6] + K1, 11);
+-	ROUND(F, b, c, d, a, in[ 7] + K1, 19);
+-	ROUND(F, a, b, c, d, in[ 8] + K1,  3);
+-	ROUND(F, d, a, b, c, in[ 9] + K1,  7);
+-	ROUND(F, c, d, a, b, in[10] + K1, 11);
+-	ROUND(F, b, c, d, a, in[11] + K1, 19);
+-
+-	/* Round 2 */
+-	ROUND(G, a, b, c, d, in[ 1] + K2,  3);
+-	ROUND(G, d, a, b, c, in[ 3] + K2,  5);
+-	ROUND(G, c, d, a, b, in[ 5] + K2,  9);
+-	ROUND(G, b, c, d, a, in[ 7] + K2, 13);
+-	ROUND(G, a, b, c, d, in[ 9] + K2,  3);
+-	ROUND(G, d, a, b, c, in[11] + K2,  5);
+-	ROUND(G, c, d, a, b, in[ 0] + K2,  9);
+-	ROUND(G, b, c, d, a, in[ 2] + K2, 13);
+-	ROUND(G, a, b, c, d, in[ 4] + K2,  3);
+-	ROUND(G, d, a, b, c, in[ 6] + K2,  5);
+-	ROUND(G, c, d, a, b, in[ 8] + K2,  9);
+-	ROUND(G, b, c, d, a, in[10] + K2, 13);
+-
+-	/* Round 3 */
+-	ROUND(H, a, b, c, d, in[ 3] + K3,  3);
+-	ROUND(H, d, a, b, c, in[ 7] + K3,  9);
+-	ROUND(H, c, d, a, b, in[11] + K3, 11);
+-	ROUND(H, b, c, d, a, in[ 2] + K3, 15);
+-	ROUND(H, a, b, c, d, in[ 6] + K3,  3);
+-	ROUND(H, d, a, b, c, in[10] + K3,  9);
+-	ROUND(H, c, d, a, b, in[ 1] + K3, 11);
+-	ROUND(H, b, c, d, a, in[ 5] + K3, 15);
+-	ROUND(H, a, b, c, d, in[ 9] + K3,  3);
+-	ROUND(H, d, a, b, c, in[ 0] + K3,  9);
+-	ROUND(H, c, d, a, b, in[ 4] + K3, 11);
+-	ROUND(H, b, c, d, a, in[ 8] + K3, 15);
+-
+-	return buf[1] + b; /* "most hashed" word */
+-	/* Alternative: return sum of all words? */
+-}
+-#endif
+-
+-#undef ROUND
+-#undef F
+-#undef G
+-#undef H
+-#undef K1
+-#undef K2
+-#undef K3
+-
+-/* This should not be decreased so low that ISNs wrap too fast. */
+-#define REKEY_INTERVAL (300 * HZ)
+-/*
+- * Bit layout of the tcp sequence numbers (before adding current time):
+- * bit 24-31: increased after every key exchange
+- * bit 0-23: hash(source,dest)
+- *
+- * The implementation is similar to the algorithm described
+- * in the Appendix of RFC 1185, except that
+- * - it uses a 1 MHz clock instead of a 250 kHz clock
+- * - it performs a rekey every 5 minutes, which is equivalent
+- * 	to a (source,dest) tulple dependent forward jump of the
+- * 	clock by 0..2^(HASH_BITS+1)
+- *
+- * Thus the average ISN wraparound time is 68 minutes instead of
+- * 4.55 hours.
+- *
+- * SMP cleanup and lock avoidance with poor man's RCU.
+- * 			Manfred Spraul <manfred@colorfullife.com>
+- *
+- */
+-#define COUNT_BITS 8
+-#define COUNT_MASK ((1 << COUNT_BITS) - 1)
+-#define HASH_BITS 24
+-#define HASH_MASK ((1 << HASH_BITS) - 1)
+-
+-static struct keydata {
+-	__u32 count; /* already shifted to the final position */
+-	__u32 secret[12];
+-} ____cacheline_aligned ip_keydata[2];
+-
+-static unsigned int ip_cnt;
+-
+-static void rekey_seq_generator(struct work_struct *work);
+-
+-static DECLARE_DELAYED_WORK(rekey_work, rekey_seq_generator);
+-
+-/*
+- * Lock avoidance:
+- * The ISN generation runs lockless - it's just a hash over random data.
+- * State changes happen every 5 minutes when the random key is replaced.
+- * Synchronization is performed by having two copies of the hash function
+- * state and rekey_seq_generator always updates the inactive copy.
+- * The copy is then activated by updating ip_cnt.
+- * The implementation breaks down if someone blocks the thread
+- * that processes SYN requests for more than 5 minutes. Should never
+- * happen, and even if that happens only a not perfectly compliant
+- * ISN is generated, nothing fatal.
+- */
+-static void rekey_seq_generator(struct work_struct *work)
+-{
+-	struct keydata *keyptr = &ip_keydata[1 ^ (ip_cnt & 1)];
+-
+-	get_random_bytes(keyptr->secret, sizeof(keyptr->secret));
+-	keyptr->count = (ip_cnt & COUNT_MASK) << HASH_BITS;
+-	smp_wmb();
+-	ip_cnt++;
+-	schedule_delayed_work(&rekey_work,
+-			      round_jiffies_relative(REKEY_INTERVAL));
+-}
+-
+-static inline struct keydata *get_keyptr(void)
+-{
+-	struct keydata *keyptr = &ip_keydata[ip_cnt & 1];
+-
+-	smp_rmb();
+-
+-	return keyptr;
+-}
+-
+-static __init int seqgen_init(void)
+-{
+-	rekey_seq_generator(NULL);
++	get_random_bytes(random_int_secret, sizeof(random_int_secret));
+ 	return 0;
+ }
+-late_initcall(seqgen_init);
+-
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+-__u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
+-				   __be16 sport, __be16 dport)
+-{
+-	__u32 seq;
+-	__u32 hash[12];
+-	struct keydata *keyptr = get_keyptr();
+-
+-	/* The procedure is the same as for IPv4, but addresses are longer.
+-	 * Thus we must use twothirdsMD4Transform.
+-	 */
+-
+-	memcpy(hash, saddr, 16);
+-	hash[4] = ((__force u16)sport << 16) + (__force u16)dport;
+-	memcpy(&hash[5], keyptr->secret, sizeof(__u32) * 7);
+-
+-	seq = twothirdsMD4Transform((const __u32 *)daddr, hash) & HASH_MASK;
+-	seq += keyptr->count;
+-
+-	seq += ktime_to_ns(ktime_get_real());
+-
+-	return seq;
+-}
+-EXPORT_SYMBOL(secure_tcpv6_sequence_number);
+-#endif
+-
+-/*  The code below is shamelessly stolen from secure_tcp_sequence_number().
+- *  All blames to Andrey V. Savochkin <saw@msu.ru>.
+- */
+-__u32 secure_ip_id(__be32 daddr)
+-{
+-	struct keydata *keyptr;
+-	__u32 hash[4];
+-
+-	keyptr = get_keyptr();
+-
+-	/*
+-	 *  Pick a unique starting offset for each IP destination.
+-	 *  The dest ip address is placed in the starting vector,
+-	 *  which is then hashed with random data.
+-	 */
+-	hash[0] = (__force __u32)daddr;
+-	hash[1] = keyptr->secret[9];
+-	hash[2] = keyptr->secret[10];
+-	hash[3] = keyptr->secret[11];
+-
+-	return half_md4_transform(hash, keyptr->secret);
+-}
+-
+-#ifdef CONFIG_INET
+-
+-__u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
+-				 __be16 sport, __be16 dport)
+-{
+-	__u32 seq;
+-	__u32 hash[4];
+-	struct keydata *keyptr = get_keyptr();
+-
+-	/*
+-	 *  Pick a unique starting offset for each TCP connection endpoints
+-	 *  (saddr, daddr, sport, dport).
+-	 *  Note that the words are placed into the starting vector, which is
+-	 *  then mixed with a partial MD4 over random data.
+-	 */
+-	hash[0] = (__force u32)saddr;
+-	hash[1] = (__force u32)daddr;
+-	hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
+-	hash[3] = keyptr->secret[11];
+-
+-	seq = half_md4_transform(hash, keyptr->secret) & HASH_MASK;
+-	seq += keyptr->count;
+-	/*
+-	 *	As close as possible to RFC 793, which
+-	 *	suggests using a 250 kHz clock.
+-	 *	Further reading shows this assumes 2 Mb/s networks.
+-	 *	For 10 Mb/s Ethernet, a 1 MHz clock is appropriate.
+-	 *	For 10 Gb/s Ethernet, a 1 GHz clock should be ok, but
+-	 *	we also need to limit the resolution so that the u32 seq
+-	 *	overlaps less than one time per MSL (2 minutes).
+-	 *	Choosing a clock of 64 ns period is OK. (period of 274 s)
+-	 */
+-	seq += ktime_to_ns(ktime_get_real()) >> 6;
+-
+-	return seq;
+-}
+-
+-/* Generate secure starting point for ephemeral IPV4 transport port search */
+-u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
+-{
+-	struct keydata *keyptr = get_keyptr();
+-	u32 hash[4];
+-
+-	/*
+-	 *  Pick a unique starting offset for each ephemeral port search
+-	 *  (saddr, daddr, dport) and 48bits of random data.
+-	 */
+-	hash[0] = (__force u32)saddr;
+-	hash[1] = (__force u32)daddr;
+-	hash[2] = (__force u32)dport ^ keyptr->secret[10];
+-	hash[3] = keyptr->secret[11];
+-
+-	return half_md4_transform(hash, keyptr->secret);
+-}
+-EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
+-
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+-u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+-			       __be16 dport)
+-{
+-	struct keydata *keyptr = get_keyptr();
+-	u32 hash[12];
+-
+-	memcpy(hash, saddr, 16);
+-	hash[4] = (__force u32)dport;
+-	memcpy(&hash[5], keyptr->secret, sizeof(__u32) * 7);
+-
+-	return twothirdsMD4Transform((const __u32 *)daddr, hash);
+-}
+-#endif
+-
+-#if defined(CONFIG_IP_DCCP) || defined(CONFIG_IP_DCCP_MODULE)
+-/* Similar to secure_tcp_sequence_number but generate a 48 bit value
+- * bit's 32-47 increase every key exchange
+- *       0-31  hash(source, dest)
+- */
+-u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
+-				__be16 sport, __be16 dport)
+-{
+-	u64 seq;
+-	__u32 hash[4];
+-	struct keydata *keyptr = get_keyptr();
+-
+-	hash[0] = (__force u32)saddr;
+-	hash[1] = (__force u32)daddr;
+-	hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
+-	hash[3] = keyptr->secret[11];
+-
+-	seq = half_md4_transform(hash, keyptr->secret);
+-	seq |= ((u64)keyptr->count) << (32 - HASH_BITS);
+-
+-	seq += ktime_to_ns(ktime_get_real());
+-	seq &= (1ull << 48) - 1;
+-
+-	return seq;
+-}
+-EXPORT_SYMBOL(secure_dccp_sequence_number);
+-#endif
+-
+-#endif /* CONFIG_INET */
+-
++late_initcall(random_int_secret_init);
+ 
+ /*
+  * Get a random word for internal kernel use only. Similar to urandom but
+@@ -1622,17 +1306,15 @@ EXPORT_SYMBOL(secure_dccp_sequence_number);
+  * value is not cryptographically secure but for several uses the cost of
+  * depleting entropy is too high
+  */
+-DEFINE_PER_CPU(__u32 [4], get_random_int_hash);
++DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash);
+ unsigned int get_random_int(void)
+ {
+-	struct keydata *keyptr;
+ 	__u32 *hash = get_cpu_var(get_random_int_hash);
+-	int ret;
++	unsigned int ret;
+ 
+-	keyptr = get_keyptr();
+ 	hash[0] += current->pid + jiffies + get_cycles();
+-
+-	ret = half_md4_transform(hash, keyptr->secret);
++	md5_transform(hash, random_int_secret);
++	ret = hash[0];
+ 	put_cpu_var(get_random_int_hash);
+ 
+ 	return ret;
+diff --git a/include/linux/random.h b/include/linux/random.h
+index fb7ab9d..d13059f 100644
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -57,17 +57,6 @@ extern void add_interrupt_randomness(int irq);
+ extern void get_random_bytes(void *buf, int nbytes);
+ void generate_random_uuid(unsigned char uuid_out[16]);
+ 
+-extern __u32 secure_ip_id(__be32 daddr);
+-extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
+-extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+-				      __be16 dport);
+-extern __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
+-					__be16 sport, __be16 dport);
+-extern __u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
+-					  __be16 sport, __be16 dport);
+-extern u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
+-				       __be16 sport, __be16 dport);
+-
+ #ifndef MODULE
+ extern const struct file_operations random_fops, urandom_fops;
+ #endif
+diff --git a/include/net/secure_seq.h b/include/net/secure_seq.h
+new file mode 100644
+index 0000000..d97f689
+--- /dev/null
++++ b/include/net/secure_seq.h
+@@ -0,0 +1,20 @@
++#ifndef _NET_SECURE_SEQ
++#define _NET_SECURE_SEQ
++
++#include <linux/types.h>
++
++extern __u32 secure_ip_id(__be32 daddr);
++extern __u32 secure_ipv6_id(const __be32 daddr[4]);
++extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
++extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
++				      __be16 dport);
++extern __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
++					__be16 sport, __be16 dport);
++extern __u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++					  __be16 sport, __be16 dport);
++extern u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
++				       __be16 sport, __be16 dport);
++extern u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++					 __be16 sport, __be16 dport);
++
++#endif /* _NET_SECURE_SEQ */
+diff --git a/net/core/Makefile b/net/core/Makefile
+index 51c3eec..d64933a 100644
+--- a/net/core/Makefile
++++ b/net/core/Makefile
+@@ -3,7 +3,7 @@
+ #
+ 
+ obj-y := sock.o request_sock.o skbuff.o iovec.o datagram.o stream.o scm.o \
+-	 gen_stats.o gen_estimator.o net_namespace.o
++	 gen_stats.o gen_estimator.o net_namespace.o secure_seq.o
+ 
+ obj-$(CONFIG_SYSCTL) += sysctl_net_core.o
+ 
+diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c
+new file mode 100644
+index 0000000..45329d7
+--- /dev/null
++++ b/net/core/secure_seq.c
+@@ -0,0 +1,184 @@
++#include <linux/kernel.h>
++#include <linux/init.h>
++#include <linux/cryptohash.h>
++#include <linux/module.h>
++#include <linux/cache.h>
++#include <linux/random.h>
++#include <linux/hrtimer.h>
++#include <linux/ktime.h>
++#include <linux/string.h>
++
++#include <net/secure_seq.h>
++
++static u32 net_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
++
++static int __init net_secret_init(void)
++{
++	get_random_bytes(net_secret, sizeof(net_secret));
++	return 0;
++}
++late_initcall(net_secret_init);
++
++static u32 seq_scale(u32 seq)
++{
++	/*
++	 *	As close as possible to RFC 793, which
++	 *	suggests using a 250 kHz clock.
++	 *	Further reading shows this assumes 2 Mb/s networks.
++	 *	For 10 Mb/s Ethernet, a 1 MHz clock is appropriate.
++	 *	For 10 Gb/s Ethernet, a 1 GHz clock should be ok, but
++	 *	we also need to limit the resolution so that the u32 seq
++	 *	overlaps less than one time per MSL (2 minutes).
++	 *	Choosing a clock of 64 ns period is OK. (period of 274 s)
++	 */
++	return seq + (ktime_to_ns(ktime_get_real()) >> 6);
++}
++
++#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++__u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++				   __be16 sport, __be16 dport)
++{
++	u32 secret[MD5_MESSAGE_BYTES / 4];
++	u32 hash[MD5_DIGEST_WORDS];
++	u32 i;
++
++	memcpy(hash, saddr, 16);
++	for (i = 0; i < 4; i++)
++		secret[i] = net_secret[i] + daddr[i];
++	secret[4] = net_secret[4] +
++		(((__force u16)sport << 16) + (__force u16)dport);
++	for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
++		secret[i] = net_secret[i];
++
++	md5_transform(hash, secret);
++
++	return seq_scale(hash[0]);
++}
++EXPORT_SYMBOL(secure_tcpv6_sequence_number);
++
++u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
++			       __be16 dport)
++{
++	u32 secret[MD5_MESSAGE_BYTES / 4];
++	u32 hash[MD5_DIGEST_WORDS];
++	u32 i;
++
++	memcpy(hash, saddr, 16);
++	for (i = 0; i < 4; i++)
++		secret[i] = net_secret[i] + (__force u32) daddr[i];
++	secret[4] = net_secret[4] + (__force u32)dport;
++	for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
++		secret[i] = net_secret[i];
++
++	md5_transform(hash, secret);
++
++	return hash[0];
++}
++#endif
++
++#ifdef CONFIG_INET
++__u32 secure_ip_id(__be32 daddr)
++{
++	u32 hash[MD5_DIGEST_WORDS];
++
++	hash[0] = (__force __u32) daddr;
++	hash[1] = net_secret[13];
++	hash[2] = net_secret[14];
++	hash[3] = net_secret[15];
++
++	md5_transform(hash, net_secret);
++
++	return hash[0];
++}
++
++__u32 secure_ipv6_id(const __be32 daddr[4])
++{
++	__u32 hash[4];
++
++	memcpy(hash, daddr, 16);
++	md5_transform(hash, net_secret);
++
++	return hash[0];
++}
++
++__u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
++				 __be16 sport, __be16 dport)
++{
++	u32 hash[MD5_DIGEST_WORDS];
++
++	hash[0] = (__force u32)saddr;
++	hash[1] = (__force u32)daddr;
++	hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
++	hash[3] = net_secret[15];
++
++	md5_transform(hash, net_secret);
++
++	return seq_scale(hash[0]);
++}
++
++u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
++{
++	u32 hash[MD5_DIGEST_WORDS];
++
++	hash[0] = (__force u32)saddr;
++	hash[1] = (__force u32)daddr;
++	hash[2] = (__force u32)dport ^ net_secret[14];
++	hash[3] = net_secret[15];
++
++	md5_transform(hash, net_secret);
++
++	return hash[0];
++}
++EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
++#endif
++
++#if defined(CONFIG_IP_DCCP) || defined(CONFIG_IP_DCCP_MODULE)
++u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
++				__be16 sport, __be16 dport)
++{
++	u32 hash[MD5_DIGEST_WORDS];
++	u64 seq;
++
++	hash[0] = (__force u32)saddr;
++	hash[1] = (__force u32)daddr;
++	hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
++	hash[3] = net_secret[15];
++
++	md5_transform(hash, net_secret);
++
++	seq = hash[0] | (((u64)hash[1]) << 32);
++	seq += ktime_to_ns(ktime_get_real());
++	seq &= (1ull << 48) - 1;
++
++	return seq;
++}
++EXPORT_SYMBOL(secure_dccp_sequence_number);
++
++#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++				  __be16 sport, __be16 dport)
++{
++	u32 secret[MD5_MESSAGE_BYTES / 4];
++	u32 hash[MD5_DIGEST_WORDS];
++	u64 seq;
++	u32 i;
++
++	memcpy(hash, saddr, 16);
++	for (i = 0; i < 4; i++)
++		secret[i] = net_secret[i] + daddr[i];
++	secret[4] = net_secret[4] +
++		(((__force u16)sport << 16) + (__force u16)dport);
++	for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
++		secret[i] = net_secret[i];
++
++	md5_transform(hash, secret);
++
++	seq = hash[0] | (((u64)hash[1]) << 32);
++	seq += ktime_to_ns(ktime_get_real());
++	seq &= (1ull << 48) - 1;
++
++	return seq;
++}
++EXPORT_SYMBOL(secure_dccpv6_sequence_number);
++#endif
++#endif
+diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
+index d9b11ef..3ff9fd9 100644
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -26,6 +26,7 @@
+ #include <net/timewait_sock.h>
+ #include <net/tcp_states.h>
+ #include <net/xfrm.h>
++#include <net/secure_seq.h>
+ 
+ #include "ackvec.h"
+ #include "ccid.h"
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index 0916988..e256940 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -29,6 +29,7 @@
+ #include <net/transp_v6.h>
+ #include <net/ip6_checksum.h>
+ #include <net/xfrm.h>
++#include <net/secure_seq.h>
+ 
+ #include "dccp.h"
+ #include "ipv6.h"
+@@ -69,13 +70,7 @@ static inline void dccp_v6_send_check(struct sock *sk, struct sk_buff *skb)
+ 	dh->dccph_checksum = dccp_v6_csum_finish(skb, &np->saddr, &np->daddr);
+ }
+ 
+-static inline __u32 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
+-						  __be16 sport, __be16 dport   )
+-{
+-	return secure_tcpv6_sequence_number(saddr, daddr, sport, dport);
+-}
+-
+-static inline __u32 dccp_v6_init_sequence(struct sk_buff *skb)
++static inline __u64 dccp_v6_init_sequence(struct sk_buff *skb)
+ {
+ 	return secure_dccpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32,
+ 					     ipv6_hdr(skb)->saddr.s6_addr32,
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index d3e160a..ff67e46 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -21,6 +21,7 @@
+ 
+ #include <net/inet_connection_sock.h>
+ #include <net/inet_hashtables.h>
++#include <net/secure_seq.h>
+ #include <net/ip.h>
+ 
+ /*
+diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
+index 6bcfe52..5639e05 100644
+--- a/net/ipv4/inetpeer.c
++++ b/net/ipv4/inetpeer.c
+@@ -19,6 +19,7 @@
+ #include <linux/net.h>
+ #include <net/ip.h>
+ #include <net/inetpeer.h>
++#include <net/secure_seq.h>
+ 
+ /*
+  *  Theory of operations.
+diff --git a/net/ipv4/netfilter/nf_nat_proto_common.c b/net/ipv4/netfilter/nf_nat_proto_common.c
+index 6c4f11f..2d5073a 100644
+--- a/net/ipv4/netfilter/nf_nat_proto_common.c
++++ b/net/ipv4/netfilter/nf_nat_proto_common.c
+@@ -12,6 +12,7 @@
+ #include <linux/ip.h>
+ 
+ #include <linux/netfilter.h>
++#include <net/secure_seq.h>
+ #include <net/netfilter/nf_nat.h>
+ #include <net/netfilter/nf_nat_core.h>
+ #include <net/netfilter/nf_nat_rule.h>
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 0189deb..b7a8e1a 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -108,6 +108,7 @@
+ #ifdef CONFIG_SYSCTL
+ #include <linux/sysctl.h>
+ #endif
++#include <net/secure_seq.h>
+ 
+ #define RT_FL_TOS(oldflp) \
+     ((u32)(oldflp->fl4_tos & (IPTOS_RT_MASK | RTO_ONLINK)))
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 163a5c1..08a7695 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -72,6 +72,7 @@
+ #include <net/timewait_sock.h>
+ #include <net/xfrm.h>
+ #include <net/netdma.h>
++#include <net/secure_seq.h>
+ 
+ #include <linux/inet.h>
+ #include <linux/ipv6.h>
+diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
+index 633a6c2..b7c125f 100644
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -20,6 +20,7 @@
+ #include <net/inet_connection_sock.h>
+ #include <net/inet_hashtables.h>
+ #include <net/inet6_hashtables.h>
++#include <net/secure_seq.h>
+ #include <net/ip.h>
+ 
+ int __inet6_hash(struct sock *sk, struct inet_timewait_sock *tw)
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 2b7c3a1..e468a79 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -61,6 +61,7 @@
+ #include <net/timewait_sock.h>
+ #include <net/netdma.h>
+ #include <net/inet_common.h>
++#include <net/secure_seq.h>
+ 
+ #include <asm/uaccess.h>
+ 
+-- 
+1.7.6
+
diff --git a/freed-ora/current/f14/perf-Fix-software-event-overflow.patch b/freed-ora/current/f14/perf-Fix-software-event-overflow.patch
new file mode 100644
index 000000000..6eb5c10f9
--- /dev/null
+++ b/freed-ora/current/f14/perf-Fix-software-event-overflow.patch
@@ -0,0 +1,40 @@
+From 68183a00aebc8b7b89975578cda38358bf6f93a1 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Date: Fri, 16 Sep 2011 09:13:29 -0400
+Subject: [PATCH] perf: Fix software event overflow
+
+The below patch is for -stable only, upstream has a much larger patch
+that contains the below hunk in commit a8b0ca17b80e92faab46ee7179ba9e99ccb61233
+
+Vince found that under certain circumstances software event overflows
+go wrong and deadlock. Avoid trying to delete a timer from the timer
+callback.
+
+Reported-by: Vince Weaver <vweaver1@eecs.utk.edu>
+Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+---
+ kernel/perf_event.c |    8 ++------
+ 1 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/perf_event.c b/kernel/perf_event.c
+index fa8123e..720b764 100644
+--- a/kernel/perf_event.c
++++ b/kernel/perf_event.c
+@@ -3985,12 +3985,8 @@ static int __perf_event_overflow(struct perf_event *event, int nmi,
+ 	if (events && atomic_dec_and_test(&event->event_limit)) {
+ 		ret = 1;
+ 		event->pending_kill = POLL_HUP;
+-		if (nmi) {
+-			event->pending_disable = 1;
+-			perf_pending_queue(&event->pending,
+-					   perf_pending_event);
+-		} else
+-			perf_event_disable(event);
++		event->pending_disable = 1;
++		perf_pending_queue(&event->pending, perf_pending_event);
+ 	}
+ 
+ 	if (event->overflow_handler)
+-- 
+1.7.6
+