diff --git a/linux-core/drm_bufs.c b/linux-core/drm_bufs.c
index c2a3313d..5fd2a4b1 100644
--- a/linux-core/drm_bufs.c
+++ b/linux-core/drm_bufs.c
@@ -429,6 +429,12 @@ int DRM(addbufs_agp)( DRM_OS_IOCTL )
 		DRM_OS_RETURN(ENOMEM); /* May only call once for each order */
 	}
 
+	if (count < 0 || count > 4096) {
+		up( &dev->struct_sem );
+		atomic_dec( &dev->buf_alloc );
+		return -EINVAL;
+	}
+
 	entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
 				    DRM_MEM_BUFS );
 	if ( !entry->buflist ) {
@@ -581,6 +587,12 @@ int DRM(addbufs_pci)( DRM_OS_IOCTL )
 		DRM_OS_RETURN(ENOMEM);	/* May only call once for each order */
 	}
 
+	if (count < 0 || count > 4096) {
+		DRM_OS_UNLOCK;
+		atomic_dec( &dev->buf_alloc );
+		DRM_OS_RETURN(EINVAL);
+	}
+
 	entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
 				    DRM_MEM_BUFS );
 	if ( !entry->buflist ) {
@@ -687,6 +699,7 @@ int DRM(addbufs_pci)( DRM_OS_IOCTL )
 
 	atomic_dec( &dev->buf_alloc );
 	return 0;
+
 }
 #endif /* __HAVE_PCI_DMA */
 
@@ -759,6 +772,12 @@ int DRM(addbufs_sg)( DRM_OS_IOCTL )
                	DRM_OS_RETURN(ENOMEM); /* May only call once for each order */
        }
 
+	if (count < 0 || count > 4096) {
+		up( &dev->struct_sem );
+		atomic_dec( &dev->buf_alloc );
+		return -EINVAL;
+	}
+
        entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
                                    DRM_MEM_BUFS );
        if ( !entry->buflist ) {
diff --git a/linux-core/drm_ioctl.c b/linux-core/drm_ioctl.c
index 901cff4c..35ecfab0 100644
--- a/linux-core/drm_ioctl.c
+++ b/linux-core/drm_ioctl.c
@@ -118,7 +118,7 @@ int DRM(setunique)( DRM_OS_IOCTL )
 
 	DRM_OS_KRNFROMUSR( u, (drm_unique_t *)data, sizeof(u) );
 
-	if (!u.unique_len)
+	if (!u.unique_len || u.unique_len > 1024)
 		DRM_OS_RETURN(EINVAL);
 
 	dev->unique_len = u.unique_len;
diff --git a/linux-core/i810_dma.c b/linux-core/i810_dma.c
index ee52be73..493a64c1 100644
--- a/linux-core/i810_dma.c
+++ b/linux-core/i810_dma.c
@@ -1225,6 +1225,7 @@ int i810_copybuf( DRM_OS_IOCTL )
 	buf = dma->buflist[ d.idx ];
    	buf_priv = buf->dev_private;
 	if (buf_priv->currently_mapped != I810_BUF_MAPPED) return -EPERM;
+	if(d.used < 0 || d.used > buf->total) DRM_OS_RETURN(EINVAL);
 
    	if (DRM_OS_COPYFROMUSR(buf_priv->virtual, d.address, d.used))
 		DRM_OS_RETURN( EFAULT );
diff --git a/linux-core/i810_drv.c b/linux-core/i810_drv.c
index 5a09cf32..5332dab6 100644
--- a/linux-core/i810_drv.c
+++ b/linux-core/i810_drv.c
@@ -51,9 +51,9 @@
 #define DRIVER_DESC		"Intel i810"
 #define DRIVER_DATE		"20010616"
 
-#define DRIVER_MAJOR		1
-#define DRIVER_MINOR		1
-#define DRIVER_PATCHLEVEL	1
+#define DRIVER_MAJOR		2
+#define DRIVER_MINOR		0
+#define DRIVER_PATCHLEVEL	0
 
 #ifdef __FreeBSD__
 static int i810_probe(device_t dev)
diff --git a/linux-core/r128_drv.c b/linux-core/r128_drv.c
index ca4332ed..62f58b08 100644
--- a/linux-core/r128_drv.c
+++ b/linux-core/r128_drv.c
@@ -53,9 +53,9 @@
 #define DRIVER_DESC		"ATI Rage 128"
 #define DRIVER_DATE		"20010405"
 
-#define DRIVER_MAJOR		2
-#define DRIVER_MINOR		1
-#define DRIVER_PATCHLEVEL	6
+#define DRIVER_MAJOR		3
+#define DRIVER_MINOR		0
+#define DRIVER_PATCHLEVEL	0
 
 #ifdef __FreeBSD__
 static int r128_probe(device_t dev)
diff --git a/linux/drm.h b/linux/drm.h
index 6ef41459..c639c306 100644
--- a/linux/drm.h
+++ b/linux/drm.h
@@ -46,7 +46,7 @@
 #endif
 
 #define XFREE86_VERSION(major,minor,patch,snap) \
-		((major << 16) | (minor < 8) | patch)
+		((major << 16) | (minor << 8) | patch)
 
 #ifndef CONFIG_XFREE86_VERSION
 #define CONFIG_XFREE86_VERSION XFREE86_VERSION(4,1,0,0)
diff --git a/linux/drm_bufs.h b/linux/drm_bufs.h
index c2a3313d..5fd2a4b1 100644
--- a/linux/drm_bufs.h
+++ b/linux/drm_bufs.h
@@ -429,6 +429,12 @@ int DRM(addbufs_agp)( DRM_OS_IOCTL )
 		DRM_OS_RETURN(ENOMEM); /* May only call once for each order */
 	}
 
+	if (count < 0 || count > 4096) {
+		up( &dev->struct_sem );
+		atomic_dec( &dev->buf_alloc );
+		return -EINVAL;
+	}
+
 	entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
 				    DRM_MEM_BUFS );
 	if ( !entry->buflist ) {
@@ -581,6 +587,12 @@ int DRM(addbufs_pci)( DRM_OS_IOCTL )
 		DRM_OS_RETURN(ENOMEM);	/* May only call once for each order */
 	}
 
+	if (count < 0 || count > 4096) {
+		DRM_OS_UNLOCK;
+		atomic_dec( &dev->buf_alloc );
+		DRM_OS_RETURN(EINVAL);
+	}
+
 	entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
 				    DRM_MEM_BUFS );
 	if ( !entry->buflist ) {
@@ -687,6 +699,7 @@ int DRM(addbufs_pci)( DRM_OS_IOCTL )
 
 	atomic_dec( &dev->buf_alloc );
 	return 0;
+
 }
 #endif /* __HAVE_PCI_DMA */
 
@@ -759,6 +772,12 @@ int DRM(addbufs_sg)( DRM_OS_IOCTL )
                	DRM_OS_RETURN(ENOMEM); /* May only call once for each order */
        }
 
+	if (count < 0 || count > 4096) {
+		up( &dev->struct_sem );
+		atomic_dec( &dev->buf_alloc );
+		return -EINVAL;
+	}
+
        entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
                                    DRM_MEM_BUFS );
        if ( !entry->buflist ) {
diff --git a/linux/drm_ioctl.h b/linux/drm_ioctl.h
index 901cff4c..35ecfab0 100644
--- a/linux/drm_ioctl.h
+++ b/linux/drm_ioctl.h
@@ -118,7 +118,7 @@ int DRM(setunique)( DRM_OS_IOCTL )
 
 	DRM_OS_KRNFROMUSR( u, (drm_unique_t *)data, sizeof(u) );
 
-	if (!u.unique_len)
+	if (!u.unique_len || u.unique_len > 1024)
 		DRM_OS_RETURN(EINVAL);
 
 	dev->unique_len = u.unique_len;
diff --git a/linux/i810_dma.c b/linux/i810_dma.c
index ee52be73..493a64c1 100644
--- a/linux/i810_dma.c
+++ b/linux/i810_dma.c
@@ -1225,6 +1225,7 @@ int i810_copybuf( DRM_OS_IOCTL )
 	buf = dma->buflist[ d.idx ];
    	buf_priv = buf->dev_private;
 	if (buf_priv->currently_mapped != I810_BUF_MAPPED) return -EPERM;
+	if(d.used < 0 || d.used > buf->total) DRM_OS_RETURN(EINVAL);
 
    	if (DRM_OS_COPYFROMUSR(buf_priv->virtual, d.address, d.used))
 		DRM_OS_RETURN( EFAULT );
diff --git a/linux/i810_drv.c b/linux/i810_drv.c
index 5a09cf32..5332dab6 100644
--- a/linux/i810_drv.c
+++ b/linux/i810_drv.c
@@ -51,9 +51,9 @@
 #define DRIVER_DESC		"Intel i810"
 #define DRIVER_DATE		"20010616"
 
-#define DRIVER_MAJOR		1
-#define DRIVER_MINOR		1
-#define DRIVER_PATCHLEVEL	1
+#define DRIVER_MAJOR		2
+#define DRIVER_MINOR		0
+#define DRIVER_PATCHLEVEL	0
 
 #ifdef __FreeBSD__
 static int i810_probe(device_t dev)
diff --git a/linux/r128_drv.c b/linux/r128_drv.c
index ca4332ed..62f58b08 100644
--- a/linux/r128_drv.c
+++ b/linux/r128_drv.c
@@ -53,9 +53,9 @@
 #define DRIVER_DESC		"ATI Rage 128"
 #define DRIVER_DATE		"20010405"
 
-#define DRIVER_MAJOR		2
-#define DRIVER_MINOR		1
-#define DRIVER_PATCHLEVEL	6
+#define DRIVER_MAJOR		3
+#define DRIVER_MINOR		0
+#define DRIVER_PATCHLEVEL	0
 
 #ifdef __FreeBSD__
 static int r128_probe(device_t dev)
diff --git a/shared-core/drm.h b/shared-core/drm.h
index 6ef41459..c639c306 100644
--- a/shared-core/drm.h
+++ b/shared-core/drm.h
@@ -46,7 +46,7 @@
 #endif
 
 #define XFREE86_VERSION(major,minor,patch,snap) \
-		((major << 16) | (minor < 8) | patch)
+		((major << 16) | (minor << 8) | patch)
 
 #ifndef CONFIG_XFREE86_VERSION
 #define CONFIG_XFREE86_VERSION XFREE86_VERSION(4,1,0,0)
diff --git a/shared/drm.h b/shared/drm.h
index 6ef41459..c639c306 100644
--- a/shared/drm.h
+++ b/shared/drm.h
@@ -46,7 +46,7 @@
 #endif
 
 #define XFREE86_VERSION(major,minor,patch,snap) \
-		((major << 16) | (minor < 8) | patch)
+		((major << 16) | (minor << 8) | patch)
 
 #ifndef CONFIG_XFREE86_VERSION
 #define CONFIG_XFREE86_VERSION XFREE86_VERSION(4,1,0,0)