--- linux-2.4.31-hf5/Makefile Sun Sep 11 15:57:01 2005
+++ linux-2.4.31-hf6/Makefile Sun Sep 25 20:51:58 2005
@@ -1,7 +1,7 @@
 VERSION = 2
 PATCHLEVEL = 4
 SUBLEVEL = 31
-EXTRAVERSION = -hf5
+EXTRAVERSION = -hf6
 KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
--- linux-2.4.31-hf5/include/asm-x86_64/processor.h Sun Sep 11 15:57:00 2005
+++ linux-2.4.31-hf6/include/asm-x86_64/processor.h Sun Sep 25 20:51:56 2005
@@ -260,6 +260,7 @@
 * Size of io_bitmap in longwords: 32 is ports 0-0x3ff.
 */
 #define IO_BITMAP_SIZE 32
+#define IO_BITMAP_BYTES (IO_BITMAP_SIZE * sizeof(u32))
 #define IO_BITMAP_OFFSET offsetof(struct tss_struct,io_bitmap)
 #define INVALID_IO_BITMAP_OFFSET 0x8000
--- linux-2.4.31/arch/ia64/mm/fault.c Sat Sep 13 07:57:17 2003
+++ linux-2.4.31-hf6/arch/ia64/mm/fault.c Sun Sep 25 20:51:57 2005
@@ -206,9 +206,6 @@
 return;
 }
- if (done_with_exception(regs))
- return;
-
 /*
 * Since we have no vma's for region 5, we might get here even if the address is
 * valid, due to the VHPT walker inserting a non present translation that becomes
@@ -217,6 +214,9 @@
 * valid, and return if it is.
 */
 if (REGION_NUMBER(address) == 5 && mapped_kernel_page_is_present(address))
+ return;
+
+ if (done_with_exception(regs))
 return;
 /*
--- linux-2.4.31/arch/ppc64/kernel/ioctl32.c Mon Jan 31 22:01:10 2005
+++ linux-2.4.31-hf6/arch/ppc64/kernel/ioctl32.c Sun Sep 25 20:51:57 2005
@@ -876,13 +876,15 @@
 r = (void *) &r4;
 }
- if (ret)
- return -EFAULT;
+ if (ret) {
+ ret = -EFAULT;
+ goto out;
+ }
 set_fs (KERNEL_DS);
 ret = sys_ioctl (fd, cmd, (long) r);
 set_fs (old_fs);
-
+out:
 if (mysock)
 sockfd_put(mysock);
--- linux-2.4.31/arch/sparc64/kernel/ioctl32.c Sun Apr 17 15:32:22 2005
+++ linux-2.4.31-hf6/arch/sparc64/kernel/ioctl32.c Sun Sep 25 20:51:57 2005
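Review bot: In arch/ia64/mm/fault.c the two hunks make the order of the region-5 check and `done_with_exception(regs)` significant, but nothing in the new code says so. The existing comment explains that a region-5 fault can be spurious because the VHPT walker inserted a non-present translation; presumably the exception-table fixup must not run for such a fault, since it would turn a valid kernel access into a failure. A short comment above the moved call, e.g. `/* Must follow the region-5 check: a spurious fault on a present kernel page is retried, not fixed up. */`, would keep a later cleanup from swapping them back. The enclosing function begins and ends outside both hunks.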
@@ -809,13 +809,15 @@
 r = (void *) &r4;
 }
- if (ret)
- return -EFAULT;
+ if (ret) {
+ ret = -EFAULT;
+ goto out;
+ }
 set_fs (KERNEL_DS);
 ret = sys_ioctl (fd, cmd, (long) r);
 set_fs (old_fs);
-
+out:
 if (mysock)
 sockfd_put(mysock);
--- linux-2.4.31/arch/x86_64/ia32/ia32_ioctl.c Mon Jan 31 22:01:10 2005
+++ linux-2.4.31-hf6/arch/x86_64/ia32/ia32_ioctl.c Sun Sep 25 20:51:57 2005
@@ -816,6 +816,11 @@
 extern struct socket *sockfd_lookup(int fd, int *err);
+extern __inline__ void sockfd_put(struct socket *sock)
+{
+ fput(sock->file);
+}
+
 static int routing_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
 {
 int ret;
@@ -857,12 +862,17 @@
 r = (void *) &r4;
 }
- if (ret)
- return -EFAULT;
+ if (ret) {
+ ret = -EFAULT;
+ goto out;
+ }
 set_fs (KERNEL_DS);
 ret = sys_ioctl (fd, cmd, (long) r);
 set_fs (old_fs);
+out:
+ if (mysock)
+ sockfd_put(mysock);
 return ret;
 }
@@ -2766,17 +2776,24 @@
 static int tiocgdev(unsigned fd, unsigned cmd, unsigned int *ptr)
 {
- struct file *file = fget(fd);
+ struct file *file;
 struct tty_struct *real_tty;
+ int ret;
+ file = fget(fd);
 if (!file)
 return -EBADF;
+ ret = -EINVAL;
 if (file->f_op->ioctl != tty_ioctl)
- return -EINVAL;
+ goto out;
 real_tty = (struct tty_struct *)file->private_data;
 if (!real_tty)
- return -EINVAL;
- return put_user(kdev_t_to_nr(real_tty->device), ptr);
+ goto out;
+ ret = put_user(kdev_t_to_nr(real_tty->device), ptr);
+out:
+ fput(file);
+
+ return ret;
 }
--- linux-2.4.31/fs/nfs/nfs2xdr.c Sun Jan 26 10:12:47 2003
+++ linux-2.4.31-hf6/fs/nfs/nfs2xdr.c Sun Sep 25 20:51:57 2005
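Review bot: The first hunk of arch/x86_64/ia32/ia32_ioctl.c defines a private copy of `sockfd_put()` as `extern __inline__`, which under GNU89 inline semantics emits no out-of-line body, so any call the compiler declines to inline must resolve to an external definition that this hunk does not show. The ppc64 and sparc64 hunks call `sockfd_put(mysock)` without adding a definition, which suggests a shared one is already available from a header; including that header here would avoid a second copy that can drift or collide with it. If the local copy has to stay, `static inline void sockfd_put(struct socket *sock)` is the safer spelling.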
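Review bot: In tiocgdev(), `file->f_op->ioctl` is still dereferenced without checking `file->f_op`, and the descriptor comes straight from the 32-bit caller, so it can name any open file. The new `out:` path fixes the reference leak, but a file whose `f_op` is NULL (if this kernel permits that, which should be confirmed) would fault on this line before reaching it. Changing the test to `if (!file->f_op || file->f_op->ioctl != tty_ioctl)` keeps the -EINVAL result and still goes through `fput(file)`.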
@@ -571,8 +571,11 @@
 strlen = (u32*)kmap(rcvbuf->pages[0]);
 /* Convert length of symlink */
 len = ntohl(*strlen);
- if (len > rcvbuf->page_len)
- len = rcvbuf->page_len;
+ if (len >= rcvbuf->page_len - sizeof(u32) || len > NFS2_MAXPATHLEN) {
+ dprintk("NFS: server returned giant symlink!\n");
+ kunmap(rcvbuf->pages[0]);
+ return -ENAMETOOLONG;
+ }
 *strlen = len;
 /* NULL terminate the string we got */
 string = (char *)(strlen + 1);
--- linux-2.4.31/fs/nfs/nfs3xdr.c Sat Dec 6 08:14:48 2003
+++ linux-2.4.31-hf6/fs/nfs/nfs3xdr.c Sun Sep 25 20:51:57 2005
@@ -759,8 +759,11 @@
 strlen = (u32*)kmap(rcvbuf->pages[0]);
 /* Convert length of symlink */
 len = ntohl(*strlen);
- if (len > rcvbuf->page_len)
- len = rcvbuf->page_len;
+ if (len >= rcvbuf->page_len - sizeof(u32)) {
+ dprintk("NFS: server returned giant symlink!\n");
+ kunmap(rcvbuf->pages[0]);
+ return -ENAMETOOLONG;
+ }
 *strlen = len;
 /* NULL terminate the string we got */
 string = (char *)(strlen + 1);
--- linux-2.4.31/include/asm-x86_64/desc.h Sat Jul 31 18:45:19 2004
+++ linux-2.4.31-hf6/include/asm-x86_64/desc.h Sun Sep 25 20:51:56 2005
@@ -128,7 +128,7 @@
 static inline void set_tss_desc(unsigned n, void *addr)
 {
- set_tssldt_descriptor((void *)&gdt_table + __CPU_DESC_INDEX(n,tss), (unsigned long)addr, DESC_TSS, sizeof(struct tss_struct));
+ set_tssldt_descriptor((void *)&gdt_table + __CPU_DESC_INDEX(n,tss), (unsigned long)addr, DESC_TSS, IO_BITMAP_OFFSET + IO_BITMAP_BYTES + 7);
 }
 static inline void set_ldt_desc(unsigned n, void *addr, int size)
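Review bot: The new bound in fs/nfs/nfs2xdr.c, `len >= rcvbuf->page_len - sizeof(u32)`, is evaluated in unsigned arithmetic, so if `page_len` is ever smaller than `sizeof(u32)` the subtraction wraps to a very large value and the check passes every length. In the NFSv2 hunk `len > NFS2_MAXPATHLEN` still caps the value, but the matching hunk in fs/nfs/nfs3xdr.c has no second bound, and `len` is taken from the server's reply just before the comment that says the string is NUL-terminated. Guarding the subtraction, `if (rcvbuf->page_len <= sizeof(u32) || len >= rcvbuf->page_len - sizeof(u32))`, closes that case; whether `page_len` can be that small depends on callers outside the hunk. Both enclosing functions start and end outside their hunks.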
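Review bot: The `+ 7` in the new TSS limit in set_tss_desc() is a bare constant with no explanation, and this limit is what bounds how much of the structure the CPU can consult as I/O permission bitmap. It looks like the size of one trailing long after the bitmap minus one, since a segment limit is the offset of the last valid byte; that should be confirmed against the tss_struct layout, which is not part of this patch. Writing it as `IO_BITMAP_OFFSET + IO_BITMAP_BYTES + sizeof(unsigned long) - 1` with a one-line comment naming the terminator would make an off-by-one here reviewable.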