Description of problem: The tg3-driver has a bug in the ioctl-function (ETHTOOL_GLINK). A missing return-statement causes data to be copied userspace incorrectly, possible overwriting the stack of the userspace-program. Version-Release number of selected component (if applicable): kernel 2.4.9e24 and 2.4.9e25 How reproducible: Use a modified version of the ethtool-program Steps to Reproduce: 1. Download the source of ethtool 2. Modify do_gset-function, insert "long a=-1;" before, and "long b=-1" after, struct ethtool_value edata. 3. Modify the code to print the content of a and b right after the ioctl. 4. Run the program. a and/or b (depending on architecture) will be overwritten by the ioctl. In other userspace-programs the error will typically overwrite parts of the stack causing the program to segfault or fail in another way. The following patch fixes the problem: --- linux-2.4.9-e.25/drivers/net/tg3.c.orig Thu Aug 28 09:35:41 2003 +++ linux-2.4.9-e.25/drivers/net/tg3.c Thu Aug 28 09:36:40 2003 @@ -5196,6 +5196,7 @@ edata.data = netif_carrier_ok(tp->dev) ? 1 : 0; if (copy_to_user(useraddr, &edata, sizeof(edata))) return -EFAULT; + return 0; } case ETHTOOL_GCOALESCE: { struct ethtool_coalesce ecoal = { ETHTOOL_GCOALESCE }; Will a new update-kernel, with this patch or a newer tg3-driver, ship for the 2.1 enterprise-series? When?