.33 patches
diff --git a/queue-2.6.33/block-check-for-proper-length-of-iov-entries-earlier-in.patch b/queue-2.6.33/block-check-for-proper-length-of-iov-entries-earlier-in.patch
new file mode 100644
index 0000000..f3acf75
--- /dev/null
+++ b/queue-2.6.33/block-check-for-proper-length-of-iov-entries-earlier-in.patch
@@ -0,0 +1,42 @@
+From 5478755616ae2ef1ce144dded589b62b2a50d575 Mon Sep 17 00:00:00 2001
+From: Xiaotian Feng <dfeng@redhat.com>
+Date: Mon, 29 Nov 2010 10:03:55 +0100
+Subject: block: check for proper length of iov entries earlier in
+ blk_rq_map_user_iov()
+
+From: Xiaotian Feng <dfeng@redhat.com>
+
+commit 5478755616ae2ef1ce144dded589b62b2a50d575 upstream.
+
+commit 9284bcf checks for proper length of iov entries in
+blk_rq_map_user_iov(). But if the map is unaligned, kernel
+will break out the loop without checking for the proper length.
+So we need to check the proper length before the unalign check.
+
+Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
+Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ block/blk-map.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_q
+ 	for (i = 0; i < iov_count; i++) {
+ 		unsigned long uaddr = (unsigned long)iov[i].iov_base;
+ 
++		if (!iov[i].iov_len)
++			return -EINVAL;
++
+ 		if (uaddr & queue_dma_alignment(q)) {
+ 			unaligned = 1;
+ 			break;
+ 		}
+-		if (!iov[i].iov_len)
+-			return -EINVAL;
+ 	}
+ 
+ 	if (unaligned || (q->dma_pad_mask & len) || map_data)
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index 4f2ac86..a7c93cc 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
@@ -47,3 +47,5 @@
 ahci-enable-sb600-64bit-dma-on-asus-m3a.patch
 hid-usbhid-add-support-for-sigma-micro-chip.patch
 hwmon-w83627ehf-properly-report-thermal-diode-sensors.patch
+x25-prevent-skb-overreads-when-checking-call-user-data.patch
+block-check-for-proper-length-of-iov-entries-earlier-in.patch
diff --git a/queue-2.6.33/x25-prevent-skb-overreads-when-checking-call-user-data.patch b/queue-2.6.33/x25-prevent-skb-overreads-when-checking-call-user-data.patch
new file mode 100644
index 0000000..4689050
--- /dev/null
+++ b/queue-2.6.33/x25-prevent-skb-overreads-when-checking-call-user-data.patch
@@ -0,0 +1,36 @@
+From 7f81e25befdfb3272345a2e775f520e1d515fa20 Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattjd@gmail.com>
+Date: Fri, 14 Oct 2011 18:45:05 +0000
+Subject: x25: Prevent skb overreads when checking call user data
+
+From: Matthew Daley <mattjd@gmail.com>
+
+commit 7f81e25befdfb3272345a2e775f520e1d515fa20 upstream.
+
+x25_find_listener does not check that the amount of call user data given
+in the skb is big enough in per-socket comparisons, hence buffer
+overreads may occur.  Fix this by adding a check.
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Andrew Hendry <andrew.hendry@gmail.com>
+Acked-by: Andrew Hendry <andrew.hendry@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/x25/af_x25.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -294,7 +294,8 @@ static struct sock *x25_find_listener(st
+ 			 * Found a listening socket, now check the incoming
+ 			 * call user data vs this sockets call user data
+ 			 */
+-			if(skb->len > 0 && x25_sk(s)->cudmatchlength > 0) {
++			if (x25_sk(s)->cudmatchlength > 0 &&
++				skb->len >= x25_sk(s)->cudmatchlength) {
+ 				if((memcmp(x25_sk(s)->calluserdata.cuddata,
+ 					skb->data,
+ 					x25_sk(s)->cudmatchlength)) == 0) {