author | Anthony G. Basile <blueness@gentoo.org> | 2013-06-29 07:34:36 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2013-06-29 07:34:36 -0400 |
commit | ce16e99899235b13f5fbfcdac187b7991ccb8fa2 (patch) | |
tree | b8cf4ebe6e337670fd9092573fac63c983987a36 | |
parent | Grsec/PaX: 2.9.1-{2.6.32.61,3.2.47,3.9.7}-201306261901 (diff) | |
Grsec/PaX: 2.9.1-{2.6.32.61,3.2.47,3.9.8}-20130627205720130627
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306272055.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306261859.patch) | 82 | ||||
-rw-r--r-- | 3.2.47/0000_README | 2 | ||||
-rw-r--r-- | 3.2.47/4420_grsecurity-2.9.1-3.2.47-201306272056.patch (renamed from 3.2.47/4420_grsecurity-2.9.1-3.2.47-201306261900.patch) | 112 | ||||
-rw-r--r-- | 3.9.8/0000_README (renamed from 3.9.7/0000_README) | 2 | ||||
-rw-r--r-- | 3.9.8/4420_grsecurity-2.9.1-3.9.8-201306272057.patch (renamed from 3.9.7/4420_grsecurity-2.9.1-3.9.7-201306261901.patch) | 711 | ||||
-rw-r--r-- | 3.9.8/4425_grsec_remove_EI_PAX.patch (renamed from 3.9.7/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.9.8/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.9.7/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.9.8/4430_grsec-remove-localversion-grsec.patch (renamed from 3.9.7/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.9.8/4435_grsec-mute-warnings.patch (renamed from 3.9.7/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.9.8/4440_grsec-remove-protected-paths.patch (renamed from 3.9.7/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.9.8/4450_grsec-kconfig-default-gids.patch (renamed from 3.9.7/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.9.8/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.9.7/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.9.8/4470_disable-compat_vdso.patch (renamed from 3.9.7/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.9.8/4475_emutramp_default_on.patch (renamed from 3.9.7/4475_emutramp_default_on.patch) | 0 |
15 files changed, 418 insertions, 493 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 7236f6e..133e8f6 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch From: http://www.kernel.org Desc: Linux 2.6.32.61 -Patch: 4420_grsecurity-2.9.1-2.6.32.61-201306261859.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.61-201306272055.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306261859.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306272055.patch index 2d540c4..c67f417 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306261859.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306272055.patch @@ -63918,6 +63918,51 @@ index cd8cb95..4153b79 100644 if (len >= (sizeof(hex) / 2)) len = (sizeof(hex) / 2) - 1; +diff --git a/drivers/net/wan/dlci.c b/drivers/net/wan/dlci.c +index 15d353f..a7184e0 100644 +--- a/drivers/net/wan/dlci.c ++++ b/drivers/net/wan/dlci.c +@@ -382,20 +382,24 @@ static int dlci_del(struct dlci_add *dlci) + struct net_device *master, *slave; + int err; + ++ rtnl_lock(); ++ + /* validate slave device */ + master = __dev_get_by_name(&init_net, dlci->devname); +- if (!master) +- return(-ENODEV); ++ if (!master) { ++ err = -ENODEV; ++ goto out; ++ } + + if (netif_running(master)) { +- return(-EBUSY); ++ err = -EBUSY; ++ goto out; + } + + dlp = netdev_priv(master); + slave = dlp->slave; + flp = netdev_priv(slave); + +- rtnl_lock(); + err = (*flp->deassoc)(slave, master); + if (!err) { + list_del(&dlp->list); +@@ -404,9 +408,9 @@ static int dlci_del(struct dlci_add *dlci) + + dev_put(slave); + } ++out: + rtnl_unlock(); +- +- return(err); ++ return err; + } + + static int dlci_ioctl(unsigned int cmd, void __user *arg) diff --git a/drivers/net/wan/hdlc_x25.c b/drivers/net/wan/hdlc_x25.c index aa9248f..a4e3c3b 100644 --- a/drivers/net/wan/hdlc_x25.c 
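Review bot: In the 2.6.32 `dlci_del()` hunk, `dlp = netdev_priv(master)` is still reached for whatever device `dlci->devname` names, because this backport only moves `rtnl_lock()` ahead of the lookup and never verifies that `master` is a DLCI device. The 3.2.47 and 3.9.8 sections of this same commit walk `dlci_devs` and return `-ENODEV` when no entry has `dlp->master == master`. Without that walk, the private area of an unrelated net_device is read as the DLCI private structure and `flp->deassoc` is called through it. I would carry the same check here, assuming `dlci_devs` and `dlp->master` exist in this tree as they do in the newer ones. The first declarations of `dlci_del()` lie above the hunk.

```c
	int err;
	bool found = false;

	/* … unchanged: rtnl_lock(), __dev_get_by_name() lookup and its -ENODEV path … */

	/* reject a device that is not on dlci_devs before using its private data */
	list_for_each_entry(dlp, &dlci_devs, list) {
		if (dlp->master == master) {
			found = true;
			break;
		}
	}
	if (!found) {
		err = -ENODEV;
		goto out;
	}

	/* … unchanged: netif_running() check, deassoc call, out: label … */
```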
@@ -114109,6 +114154,20 @@ index 0c2c59d..6b0a111 100644 hid->dev.parent = hidp_get_device(session); hid->ll_driver = &hidp_hid_driver; +diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c +index 1c20bd9..9d36d02 100644 +--- a/net/bluetooth/l2cap.c ++++ b/net/bluetooth/l2cap.c +@@ -2063,6 +2063,9 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, + BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d", + conn, code, ident, dlen); + ++ if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE) ++ return NULL; ++ + len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen; + count = min_t(unsigned int, conn->mtu, len); + diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index 1db0132..5e0453d 100644 --- a/net/bluetooth/rfcomm/sock.c @@ -115829,10 +115888,29 @@ index 093e9b2..f72cddb 100644 const struct in6_addr *daddr, const int dif) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 6ba0fe2..503c7c6 100644 +index 6ba0fe2..bb63ffc 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c -@@ -1168,7 +1168,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, +@@ -920,11 +920,17 @@ static struct dst_entry *ip6_sk_dst_check(struct sock *sk, + struct flowi *fl) + { + struct ipv6_pinfo *np = inet6_sk(sk); +- struct rt6_info *rt = (struct rt6_info *)dst; ++ struct rt6_info *rt; + + if (!dst) + goto out; + ++ if (dst->ops->family != AF_INET6) { ++ dst_release(dst); ++ return NULL; ++ } ++ ++ rt = (struct rt6_info *)dst; + /* Yes, checking route validity in not connected + * case is not very simple. Take into account, + * that we do not support routing by source, TOS, +@@ -1168,7 +1174,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, if (WARN_ON(np->cork.opt)) return -EINVAL; diff --git a/3.2.47/0000_README b/3.2.47/0000_README index 749c390..0779b50 100644 --- a/3.2.47/0000_README +++ b/3.2.47/0000_README @@ -106,7 +106,7 @@ Patch: 1046_linux-3.2.47.patch 
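Review bot: The early `return NULL` added to `l2cap_build_cmd()` carries no comment, and it makes NULL an ordinary result whenever `conn->mtu` is below `L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE`, so every caller outside this hunk has to tolerate it. I would put `/* conn->mtu cannot hold the L2CAP and command headers, so no command can be built */` above the check and confirm that each call site tests the returned skb before use. The function body continues past the hunk, so how the `count` computed on the following line is used cannot be checked here. The same applies to the `l2cap_build_cmd()` hunks in the 3.2.47 and 3.9.8 sections (net/bluetooth/l2cap_core.c).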
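Review bot: The new `dst->ops->family != AF_INET6` branch in `ip6_sk_dst_check()` needs a comment saying why it exists, since its purpose is to keep the `(struct rt6_info *)dst` cast from being applied to a route of another type. Something like `/* a cached dst of another family must not be treated as rt6_info */` would do. The branch also returns directly while the `!dst` case just above uses `goto out`. Setting `dst = NULL` after `dst_release(dst)` and jumping to `out` would keep a single exit path, assuming `out:` simply returns `dst` (the label is outside the hunk). The 3.2.47 net/ipv6/ip6_output.c hunk is identical.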
From: http://www.kernel.org Desc: Linux 3.2.47 -Patch: 4420_grsecurity-2.9.1-3.2.47-201306261900.patch +Patch: 4420_grsecurity-2.9.1-3.2.47-201306272056.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.47/4420_grsecurity-2.9.1-3.2.47-201306261900.patch b/3.2.47/4420_grsecurity-2.9.1-3.2.47-201306272056.patch index 445d69c..81b695e 100644 --- a/3.2.47/4420_grsecurity-2.9.1-3.2.47-201306261900.patch +++ b/3.2.47/4420_grsecurity-2.9.1-3.2.47-201306272056.patch @@ -8540,7 +8540,7 @@ index 392e533..536b092 100644 /* bytes per L2 cache line */ #define L2_CACHE_SHIFT CHIP_L2_LOG_LINE_SIZE() diff --git a/arch/tile/include/asm/uaccess.h b/arch/tile/include/asm/uaccess.h -index ef34d2c..d6ce60c 100644 +index ef34d2caa..d6ce60c 100644 --- a/arch/tile/include/asm/uaccess.h +++ b/arch/tile/include/asm/uaccess.h @@ -361,9 +361,9 @@ static inline unsigned long __must_check copy_from_user(void *to, @@ -39954,10 +39954,23 @@ index 301b39e..345c414 100644 }; diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c -index 26106c0..4046553 100644 +index 26106c0..af78205 100644 --- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c -@@ -1067,7 +1067,7 @@ static int macvtap_device_event(struct notifier_block *unused, +@@ -532,8 +532,10 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from, + return -EMSGSIZE; + num_pages = get_user_pages_fast(base, size, 0, &page[i]); + if (num_pages != size) { +- for (i = 0; i < num_pages; i++) +- put_page(page[i]); ++ int j; ++ ++ for (j = 0; j < num_pages; j++) ++ put_page(page[i + j]); + return -EFAULT; + } + truesize = size * PAGE_SIZE; +@@ -1067,7 +1069,7 @@ static int macvtap_device_event(struct notifier_block *unused, return NOTIFY_DONE; } 
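Review bot: The corrected cleanup loop in `zerocopy_sg_from_iovec()` deserves a one-line comment, because the reason for `page[i + j]` is only visible from the `&page[i]` passed to `get_user_pages_fast()` two lines earlier. I suggest `/* release only the pages pinned by this call; they start at page[i] */` above the loop. The fixed `-EFAULT` also hides a negative error code when `get_user_pages_fast()` fails outright, which may be deliberate. The same hunk appears for 3.9.8 in drivers/net/macvtap.c and drivers/net/tun.c, and the function body extends beyond the hunk in each case.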
@@ -40334,6 +40347,62 @@ index e662cbc..8d4a102 100644 return -EINVAL; } +diff --git a/drivers/net/wan/dlci.c b/drivers/net/wan/dlci.c +index 48ab38a..02c939e 100644 +--- a/drivers/net/wan/dlci.c ++++ b/drivers/net/wan/dlci.c +@@ -385,21 +385,37 @@ static int dlci_del(struct dlci_add *dlci) + struct frad_local *flp; + struct net_device *master, *slave; + int err; ++ bool found = false; ++ ++ rtnl_lock(); + + /* validate slave device */ + master = __dev_get_by_name(&init_net, dlci->devname); +- if (!master) +- return -ENODEV; ++ if (!master) { ++ err = -ENODEV; ++ goto out; ++ } ++ ++ list_for_each_entry(dlp, &dlci_devs, list) { ++ if (dlp->master == master) { ++ found = true; ++ break; ++ } ++ } ++ if (!found) { ++ err = -ENODEV; ++ goto out; ++ } + + if (netif_running(master)) { +- return -EBUSY; ++ err = -EBUSY; ++ goto out; + } + + dlp = netdev_priv(master); + slave = dlp->slave; + flp = netdev_priv(slave); + +- rtnl_lock(); + err = (*flp->deassoc)(slave, master); + if (!err) { + list_del(&dlp->list); +@@ -408,8 +424,8 @@ static int dlci_del(struct dlci_add *dlci) + + dev_put(slave); + } ++out: + rtnl_unlock(); +- + return err; + } + diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c index 4045e5a..506f1cf 100644 --- a/drivers/net/wireless/at76c50x-usb.c @@ -86725,10 +86794,20 @@ index 0274157..f8afbf3c7 100644 hid->dev.parent = hidp_get_device(session); hid->ll_driver = &hidp_hid_driver; diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c -index a0b6c50..5b22003 100644 +index a0b6c50..a5dd784 100644 --- a/net/bluetooth/l2cap_core.c 
+++ b/net/bluetooth/l2cap_core.c -@@ -2178,8 +2178,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi +@@ -1737,6 +1737,9 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, + BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d", + conn, code, ident, dlen); + ++ if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE) ++ return NULL; ++ + len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen; + count = min_t(unsigned int, conn->mtu, len); + +@@ -2178,8 +2181,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi break; case L2CAP_CONF_RFC: @@ -89287,10 +89366,29 @@ index 1567fb1..29af910 100644 dst = NULL; } diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 3ccd9b2..6aadaa8 100644 +index 3ccd9b2..7a0f168 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c -@@ -1233,7 +1233,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, +@@ -909,11 +909,17 @@ static struct dst_entry *ip6_sk_dst_check(struct sock *sk, + const struct flowi6 *fl6) + { + struct ipv6_pinfo *np = inet6_sk(sk); +- struct rt6_info *rt = (struct rt6_info *)dst; ++ struct rt6_info *rt; + + if (!dst) + goto out; + ++ if (dst->ops->family != AF_INET6) { ++ dst_release(dst); ++ return NULL; ++ } ++ ++ rt = (struct rt6_info *)dst; + /* Yes, checking route validity in not connected + * case is not very simple. Take into account, + * that we do not support routing by source, TOS, +@@ -1233,7 +1239,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, if (WARN_ON(np->cork.opt)) return -EINVAL; diff --git a/3.9.7/0000_README b/3.9.8/0000_README index 14536fc..8c126eb 100644 --- a/3.9.7/0000_README +++ b/3.9.8/0000_README 
@@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9.1-3.9.7-201306261901.patch +Patch: 4420_grsecurity-2.9.1-3.9.8-201306272057.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.9.7/4420_grsecurity-2.9.1-3.9.7-201306261901.patch b/3.9.8/4420_grsecurity-2.9.1-3.9.8-201306272057.patch index 45e175d..3efd0e4 100644 --- a/3.9.7/4420_grsecurity-2.9.1-3.9.7-201306261901.patch +++ b/3.9.8/4420_grsecurity-2.9.1-3.9.8-201306272057.patch @@ -263,7 +263,7 @@ index 8ccbf27..afffeb4 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index a129b15..548231d 100644 +index b013cbe..4ca639b 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -811,10 +811,10 @@ index 0c4132d..88f0d53 100644 /* Allow reads even for write-only mappings */ if (!(vma->vm_flags & (VM_READ | VM_WRITE))) diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig -index 1cacda4..2cef624 100644 +index 70cd012..71b82cd 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig -@@ -1850,7 +1850,7 @@ config ALIGNMENT_TRAP +@@ -1860,7 +1860,7 @@ config ALIGNMENT_TRAP config UACCESS_WITH_MEMCPY bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()" @@ -5754,19 +5754,6 @@ index e0a8235..ce2f1e1 100644 ret = __copy_from_user(to, from, n); else copy_from_user_overflow(); -diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c -index 5709c5e..14285ca 100644 ---- a/arch/parisc/kernel/drivers.c -+++ b/arch/parisc/kernel/drivers.c -@@ -394,7 +394,7 @@ EXPORT_SYMBOL(print_pci_hwpath); - static void setup_bus_id(struct parisc_device *padev) - { - struct hardware_path path; -- char name[20]; -+ char name[28]; - char *output = name; - int i; - 
diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c index 2a625fb..9908930 100644 --- a/arch/parisc/kernel/module.c @@ -5870,20 +5857,6 @@ index 2a625fb..9908930 100644 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n", me->arch.unwind_section, table, end, gp); -diff --git a/arch/parisc/kernel/setup.c b/arch/parisc/kernel/setup.c -index a3328c2..3b812eb 100644 ---- a/arch/parisc/kernel/setup.c -+++ b/arch/parisc/kernel/setup.c -@@ -69,7 +69,8 @@ void __init setup_cmdline(char **cmdline_p) - /* called from hpux boot loader */ - boot_command_line[0] = '\0'; - } else { -- strcpy(boot_command_line, (char *)__va(boot_args[1])); -+ strlcpy(boot_command_line, (char *)__va(boot_args[1]), -+ COMMAND_LINE_SIZE); - - #ifdef CONFIG_BLK_DEV_INITRD - if (boot_args[2] != 0) /* did palo pass us a ramdisk? */ diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c index 5dfd248..64914ac 100644 --- a/arch/parisc/kernel/sys_parisc.c @@ -5959,10 +5932,10 @@ index 5dfd248..64914ac 100644 return addr; } diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c -index aeb8f8f..27a6c2f 100644 +index c6ae9f5..e9c3cf4 100644 --- a/arch/parisc/kernel/traps.c +++ b/arch/parisc/kernel/traps.c -@@ -732,9 +732,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs) +@@ -733,9 +733,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs) down_read(¤t->mm->mmap_sem); vma = find_vma(current->mm,regs->iaoq[0]); @@ -10272,7 +10245,7 @@ index ad8f795..2c7eec6 100644 /* * Memory returned by kmalloc() may be used for DMA, so we must make diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 6ef2a37..74ad6ad 100644 +index de80b33..c0f0899 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -243,7 +243,7 @@ config X86_HT @@ -24226,10 +24199,10 @@ index 0af1807..06912bb 100644 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) 
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index e172132..c3d3e27 100644 +index 8563b45..272f1fe 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c -@@ -1686,8 +1686,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) +@@ -1685,8 +1685,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) { struct kvm *kvm = vcpu->kvm; int lm = is_long_mode(vcpu); @@ -24240,7 +24213,7 @@ index e172132..c3d3e27 100644 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64 : kvm->arch.xen_hvm_config.blob_size_32; u32 page_num = data & ~PAGE_MASK; -@@ -2567,6 +2567,8 @@ long kvm_arch_dev_ioctl(struct file *filp, +@@ -2566,6 +2566,8 @@ long kvm_arch_dev_ioctl(struct file *filp, if (n < msr_list.nmsrs) goto out; r = -EFAULT; @@ -24249,7 +24222,7 @@ index e172132..c3d3e27 100644 if (copy_to_user(user_msr_list->indices, &msrs_to_save, num_msrs_to_save * sizeof(u32))) goto out; -@@ -2696,7 +2698,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, +@@ -2695,7 +2697,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu, struct kvm_interrupt *irq) { @@ -24258,7 +24231,7 @@ index e172132..c3d3e27 100644 return -EINVAL; if (irqchip_in_kernel(vcpu->kvm)) return -ENXIO; -@@ -5247,7 +5249,7 @@ static struct notifier_block pvclock_gtod_notifier = { +@@ -5246,7 +5248,7 @@ static struct notifier_block pvclock_gtod_notifier = { }; #endif 
@@ -30416,31 +30389,6 @@ index c77b24a..c979855 100644 return !(ret & 0xff00); } EXPORT_SYMBOL(pcibios_set_irq_routing); -diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index 90f3a52..714e825 100644 ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -1059,7 +1059,10 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size) - * that by attempting to use more space than is available. - */ - unsigned long dummy_size = remaining_size + 1024; -- void *dummy = kmalloc(dummy_size, GFP_ATOMIC); -+ void *dummy = kzalloc(dummy_size, GFP_ATOMIC); -+ -+ if (!dummy) -+ return EFI_OUT_OF_RESOURCES; - - status = efi.set_variable(efi_dummy_name, &EFI_DUMMY_GUID, - EFI_VARIABLE_NON_VOLATILE | -@@ -1079,6 +1082,8 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size) - 0, dummy); - } - -+ kfree(dummy); -+ - /* - * The runtime code may now have triggered a garbage collection - * run, so check the variable info again diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c index 40e4469..1ab536e 100644 --- a/arch/x86/platform/efi/efi_32.c @@ -37593,7 +37541,7 @@ index 04c69af..5f92d00 100644 #include <linux/input.h> #include <linux/gameport.h> diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c -index d6cbfe9..6225402 100644 +index fa061d4..4a6957c 100644 --- a/drivers/input/joystick/xpad.c +++ b/drivers/input/joystick/xpad.c @@ -735,7 +735,7 @@ static void xpad_led_set(struct led_classdev *led_cdev, @@ -40072,7 +40020,7 @@ index b0c3de9..fc5857e 100644 return -EIO; } diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c -index 15ba8c4..3f56838 100644 +index 54fd2ef..33c8a4f 100644 --- a/drivers/net/ethernet/realtek/r8169.c +++ b/drivers/net/ethernet/realtek/r8169.c @@ -740,22 +740,22 @@ struct rtl8169_private { @@ -40215,10 +40163,23 @@ index 011062e..ada88e9 100644 }; 
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c -index a449439..1e468fe 100644 +index acf6450..8f771b7 100644 --- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c -@@ -1090,7 +1090,7 @@ static int macvtap_device_event(struct notifier_block *unused, +@@ -525,8 +525,10 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from, + return -EMSGSIZE; + num_pages = get_user_pages_fast(base, size, 0, &page[i]); + if (num_pages != size) { +- for (i = 0; i < num_pages; i++) +- put_page(page[i]); ++ int j; ++ ++ for (j = 0; j < num_pages; j++) ++ put_page(page[i + j]); + return -EFAULT; + } + truesize = size * PAGE_SIZE; +@@ -1099,7 +1101,7 @@ static int macvtap_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -40275,7 +40236,7 @@ index 1252d9c..80e660b 100644 /* We've got a compressed packet; read the change byte */ diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c -index bf34192..fba3500 100644 +index 0017b67..ab8f595 100644 --- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c @@ -2668,7 +2668,7 @@ static int team_device_event(struct notifier_block *unused, @@ -40288,10 +40249,23 @@ index bf34192..fba3500 100644 }; diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 755fa9e..631fdce 100644 +index 8ad822e..eb895f1 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c -@@ -1841,7 +1841,7 @@ unlock: +@@ -1013,8 +1013,10 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from, + return -EMSGSIZE; + num_pages = get_user_pages_fast(base, size, 0, &page[i]); + if (num_pages != size) { +- for (i = 0; i < num_pages; i++) +- put_page(page[i]); ++ int j; ++ ++ for (j = 0; j < num_pages; j++) ++ put_page(page[i + j]); + return -EFAULT; + } + truesize = size * PAGE_SIZE; +@@ -1859,7 +1861,7 @@ unlock: } static long __tun_chr_ioctl(struct file *file, unsigned int cmd, 
@@ -40300,7 +40274,7 @@ index 755fa9e..631fdce 100644 { struct tun_file *tfile = file->private_data; struct tun_struct *tun; -@@ -1853,6 +1853,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, +@@ -1871,6 +1873,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, int vnet_hdr_sz; int ret; @@ -40402,10 +40376,10 @@ index e2dd324..be92fcf 100644 hso_start_serial_device(serial_table[i], GFP_NOIO); hso_kick_transmit(dev2ser(serial_table[i])); diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c -index 7cee7a3..1eb9f3b 100644 +index a4fe5f1..6c9e77f 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c -@@ -1443,7 +1443,7 @@ nla_put_failure: +@@ -1454,7 +1454,7 @@ nla_put_failure: return -EMSGSIZE; } @@ -40414,6 +40388,62 @@ index 7cee7a3..1eb9f3b 100644 .kind = "vxlan", .maxtype = IFLA_VXLAN_MAX, .policy = vxlan_policy, +diff --git a/drivers/net/wan/dlci.c b/drivers/net/wan/dlci.c +index 147614e..6a8a382 100644 +--- a/drivers/net/wan/dlci.c ++++ b/drivers/net/wan/dlci.c +@@ -384,21 +384,37 @@ static int dlci_del(struct dlci_add *dlci) + struct frad_local *flp; + struct net_device *master, *slave; + int err; ++ bool found = false; ++ ++ rtnl_lock(); + + /* validate slave device */ + master = __dev_get_by_name(&init_net, dlci->devname); +- if (!master) +- return -ENODEV; ++ if (!master) { ++ err = -ENODEV; ++ goto out; ++ } ++ ++ list_for_each_entry(dlp, &dlci_devs, list) { ++ if (dlp->master == master) { ++ found = true; ++ break; ++ } ++ } ++ if (!found) { ++ err = -ENODEV; ++ goto out; ++ } + + if (netif_running(master)) { +- return -EBUSY; ++ err = -EBUSY; ++ goto out; + } + + dlp = netdev_priv(master); + slave = dlp->slave; + flp = netdev_priv(slave); + +- rtnl_lock(); + err = (*flp->deassoc)(slave, master); + if (!err) { + list_del(&dlp->list); +@@ -407,8 +423,8 @@ static int dlci_del(struct dlci_add *dlci) + + dev_put(slave); + } ++out: + rtnl_unlock(); +- + return err; + } + 
diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c index 5ac5f7a..5f82012 100644 --- a/drivers/net/wireless/at76c50x-usb.c @@ -43506,10 +43536,10 @@ index 1f8cba6..47b06c2 100644 } EXPORT_SYMBOL_GPL(n_tty_inherit_ops); diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c -index 125e0fd..8c50690 100644 +index 74a5e8b..40c36a7 100644 --- a/drivers/tty/pty.c +++ b/drivers/tty/pty.c -@@ -800,8 +800,10 @@ static void __init unix98_pty_init(void) +@@ -797,8 +797,10 @@ static void __init unix98_pty_init(void) panic("Couldn't register Unix98 pts driver"); /* Now create the /dev/ptmx special device */ @@ -44323,7 +44353,7 @@ index a9af1b9a..1e08e7f 100644 ret = -EPERM; goto reterr; diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c -index c8b9262..7e824e6 100644 +index b645c47..a55c182 100644 --- a/drivers/uio/uio.c +++ b/drivers/uio/uio.c @@ -25,6 +25,7 @@ @@ -44356,7 +44386,7 @@ index c8b9262..7e824e6 100644 } static struct device_attribute uio_class_attributes[] = { -@@ -397,7 +398,7 @@ void uio_event_notify(struct uio_info *info) +@@ -398,7 +399,7 @@ void uio_event_notify(struct uio_info *info) { struct uio_device *idev = info->uio_dev; @@ -44365,7 +44395,7 @@ index c8b9262..7e824e6 100644 wake_up_interruptible(&idev->wait); kill_fasync(&idev->async_queue, SIGIO, POLL_IN); } -@@ -450,7 +451,7 @@ static int uio_open(struct inode *inode, struct file *filep) +@@ -451,7 +452,7 @@ static int uio_open(struct inode *inode, struct file *filep) } listener->dev = idev; @@ -44374,7 +44404,7 @@ index c8b9262..7e824e6 100644 filep->private_data = listener; if (idev->info->open) { -@@ -501,7 +502,7 @@ static unsigned int uio_poll(struct file *filep, poll_table *wait) +@@ -502,7 +503,7 @@ static unsigned int uio_poll(struct file *filep, poll_table *wait) return -EIO; poll_wait(filep, &idev->wait, wait); 
@@ -44383,7 +44413,7 @@ index c8b9262..7e824e6 100644 return POLLIN | POLLRDNORM; return 0; } -@@ -526,7 +527,7 @@ static ssize_t uio_read(struct file *filep, char __user *buf, +@@ -527,7 +528,7 @@ static ssize_t uio_read(struct file *filep, char __user *buf, do { set_current_state(TASK_INTERRUPTIBLE); @@ -44392,7 +44422,7 @@ index c8b9262..7e824e6 100644 if (event_count != listener->event_count) { if (copy_to_user(buf, &event_count, count)) retval = -EFAULT; -@@ -595,13 +596,13 @@ static int uio_find_mem_index(struct vm_area_struct *vma) +@@ -596,13 +597,13 @@ static int uio_find_mem_index(struct vm_area_struct *vma) static void uio_vma_open(struct vm_area_struct *vma) { struct uio_device *idev = vma->vm_private_data; @@ -44408,7 +44438,7 @@ index c8b9262..7e824e6 100644 } static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf) -@@ -808,7 +809,7 @@ int __uio_register_device(struct module *owner, +@@ -809,7 +810,7 @@ int __uio_register_device(struct module *owner, idev->owner = owner; idev->info = info; init_waitqueue_head(&idev->wait); @@ -70908,7 +70938,7 @@ index 45fc162..01a4068 100644 /** * struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h -index 1d795df..b0a6449 100644 +index 2f522a3..494e45f 100644 --- a/include/linux/perf_event.h +++ b/include/linux/perf_event.h @@ -333,8 +333,8 @@ struct perf_event { @@ -70933,7 +70963,7 @@ index 1d795df..b0a6449 100644 /* * Protect attach/detach and child_list: -@@ -704,7 +704,7 @@ static inline void perf_callchain_store(struct perf_callchain_entry *entry, u64 +@@ -703,7 +703,7 @@ static inline void perf_callchain_store(struct perf_callchain_entry *entry, u64 entry->ip[entry->nr++] = ip; } 
@@ -70942,7 +70972,7 @@ index 1d795df..b0a6449 100644 extern int sysctl_perf_event_mlock; extern int sysctl_perf_event_sample_rate; -@@ -712,19 +712,24 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write, +@@ -711,19 +711,24 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos); @@ -70970,7 +71000,7 @@ index 1d795df..b0a6449 100644 } extern void perf_event_init(void); -@@ -812,7 +817,7 @@ static inline void perf_restore_debug_store(void) { } +@@ -811,7 +816,7 @@ static inline void perf_restore_debug_store(void) { } */ #define perf_cpu_notifier(fn) \ do { \ @@ -70979,7 +71009,7 @@ index 1d795df..b0a6449 100644 { .notifier_call = fn, .priority = CPU_PRI_PERF }; \ unsigned long cpu = smp_processor_id(); \ unsigned long flags; \ -@@ -831,7 +836,7 @@ do { \ +@@ -830,7 +835,7 @@ do { \ struct perf_pmu_events_attr { struct device_attribute attr; u64 id; @@ -71642,7 +71672,7 @@ index 429c199..4d42e38 100644 /* shm_mode upper byte flags */ diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index b8292d8..96db310 100644 +index 1f2803c..4858a3d 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -599,7 +599,7 @@ extern bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from, 
@@ -71963,20 +71993,6 @@ index e8d702e..0a56eb4 100644 int sock_diag_register(const struct sock_diag_handler *h); void sock_diag_unregister(const struct sock_diag_handler *h); -diff --git a/include/linux/socket.h b/include/linux/socket.h -index 2b9f74b..e897bdc 100644 ---- a/include/linux/socket.h -+++ b/include/linux/socket.h -@@ -321,6 +321,9 @@ extern int put_cmsg(struct msghdr*, int level, int type, int len, void *data); - - struct timespec; - -+/* The __sys_...msg variants allow MSG_CMSG_COMPAT */ -+extern long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags); -+extern long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags); - extern int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, - unsigned int flags, struct timespec *timeout); - extern int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, diff --git a/include/linux/sonet.h b/include/linux/sonet.h index 680f9a3..f13aeb0 100644 --- a/include/linux/sonet.h @@ -75129,7 +75145,7 @@ index 00eb8f7..d7e3244 100644 #ifdef CONFIG_MODULE_UNLOAD { diff --git a/kernel/events/core.c b/kernel/events/core.c -index 9fcb094..353baaaf 100644 +index f8ddcfb..77c06ec 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -154,8 +154,15 @@ static struct srcu_struct pmus_srcu; @@ -75158,7 +75174,7 @@ index 9fcb094..353baaaf 100644 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx, enum event_type_t event_type); -@@ -2677,7 +2684,7 @@ static void __perf_event_read(void *info) +@@ -2674,7 +2681,7 @@ static void __perf_event_read(void *info) static inline u64 perf_event_count(struct perf_event *event) { 
@@ -75167,7 +75183,7 @@ index 9fcb094..353baaaf 100644 } static u64 perf_event_read(struct perf_event *event) -@@ -3007,9 +3014,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) +@@ -3020,9 +3027,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) mutex_lock(&event->child_mutex); total += perf_event_read(event); *enabled += event->total_time_enabled + @@ -75179,7 +75195,7 @@ index 9fcb094..353baaaf 100644 list_for_each_entry(child, &event->child_list, child_list) { total += perf_event_read(child); -@@ -3412,10 +3419,10 @@ void perf_event_update_userpage(struct perf_event *event) +@@ -3408,10 +3415,10 @@ void perf_event_update_userpage(struct perf_event *event) userpg->offset -= local64_read(&event->hw.prev_count); userpg->time_enabled = enabled + @@ -75192,7 +75208,7 @@ index 9fcb094..353baaaf 100644 arch_perf_update_userpage(userpg, now); -@@ -3886,7 +3893,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size, +@@ -3961,7 +3968,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size, /* Data. */ sp = perf_user_stack_pointer(regs); @@ -75201,7 +75217,7 @@ index 9fcb094..353baaaf 100644 dyn_size = dump_size - rem; perf_output_skip(handle, rem); -@@ -3974,11 +3981,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, +@@ -4049,11 +4056,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, values[n++] = perf_event_count(event); if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) { values[n++] = enabled + @@ -75215,7 +75231,7 @@ index 9fcb094..353baaaf 100644 } if (read_format & PERF_FORMAT_ID) values[n++] = primary_event_id(event); -@@ -4726,12 +4733,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) +@@ -4801,12 +4808,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) * need to add enough zero bytes after the string to handle * the 64bit alignment we do later. */ 
@@ -75230,7 +75246,7 @@ index 9fcb094..353baaaf 100644 if (IS_ERR(name)) { name = strncpy(tmp, "//toolong", sizeof(tmp)); goto got_name; -@@ -6167,7 +6174,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, +@@ -6242,7 +6249,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, event->parent = parent_event; event->ns = get_pid_ns(task_active_pid_ns(current)); @@ -75239,7 +75255,7 @@ index 9fcb094..353baaaf 100644 event->state = PERF_EVENT_STATE_INACTIVE; -@@ -6463,6 +6470,11 @@ SYSCALL_DEFINE5(perf_event_open, +@@ -6552,6 +6559,11 @@ SYSCALL_DEFINE5(perf_event_open, if (flags & ~PERF_FLAG_ALL) return -EINVAL; @@ -75251,7 +75267,7 @@ index 9fcb094..353baaaf 100644 err = perf_copy_attr(attr_uptr, &attr); if (err) return err; -@@ -6795,10 +6807,10 @@ static void sync_child_event(struct perf_event *child_event, +@@ -6884,10 +6896,10 @@ static void sync_child_event(struct perf_event *child_event, /* * Add back the child's count to the parent's count: */ @@ -75266,10 +75282,10 @@ index 9fcb094..353baaaf 100644 /* diff --git a/kernel/events/internal.h b/kernel/events/internal.h -index eb675c4..54912ff 100644 +index ca65997..cc8cee4 100644 --- a/kernel/events/internal.h +++ b/kernel/events/internal.h -@@ -77,10 +77,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb) +@@ -81,10 +81,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb) return rb->nr_pages << (PAGE_SHIFT + page_order(rb)); } @@ -75282,7 +75298,7 @@ index eb675c4..54912ff 100644 { \ unsigned long size, written; \ \ -@@ -112,17 +112,17 @@ static inline int memcpy_common(void *dst, const void *src, size_t n) +@@ -116,17 +116,17 @@ static inline int memcpy_common(void *dst, const void *src, size_t n) return n; } @@ -85871,10 +85887,20 @@ index 6a93614..1415549 100644 err = -EFAULT; break; diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c -index c5f9cd6..8d23158 100644 +index c5f9cd6..dfc8ec1 100644 --- a/net/bluetooth/l2cap_core.c 
+++ b/net/bluetooth/l2cap_core.c -@@ -3395,8 +3395,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, +@@ -2743,6 +2743,9 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code, + BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u", + conn, code, ident, dlen); + ++ if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE) ++ return NULL; ++ + len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen; + count = min_t(unsigned int, conn->mtu, len); + +@@ -3395,8 +3398,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, break; case L2CAP_CONF_RFC: @@ -85887,6 +85913,15 @@ index c5f9cd6..8d23158 100644 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && rfc.mode != chan->mode) +@@ -4221,7 +4226,7 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, + struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; + u16 type, result; + +- if (cmd_len != sizeof(*rsp)) ++ if (cmd_len < sizeof(*rsp)) + return -EPROTO; + + type = __le16_to_cpu(rsp->type); diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 1bcfb84..dad9f98 100644 --- a/net/bluetooth/l2cap_sock.c @@ -86118,7 +86153,7 @@ index 117814a..ad4fb73 100644 if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) { diff --git a/net/compat.c b/net/compat.c -index 79ae884..0541331 100644 +index f0a1ba6..0541331 100644 --- a/net/compat.c +++ b/net/compat.c @@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) 
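Review bot: The early return added to l2cap_build_cmd(), `if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE) return NULL;`, has no comment saying why an undersized MTU is rejected. It sits directly above `count = min_t(unsigned int, conn->mtu, len);`, which appears to be the value it protects. I would add `/* conn->mtu must cover both headers, otherwise count below is too small to hold them */` above the check. The rest of l2cap_build_cmd() and its callers are outside the hunk, so confirm that every caller already handles a NULL return.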
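Review bot: Relaxing the check in l2cap_information_rsp() from `cmd_len != sizeof(*rsp)` to `cmd_len < sizeof(*rsp)` guarantees only that the fixed header is present, so `rsp->type` and the result field are safe to read but any trailing payload is not. The body after `type = __le16_to_cpu(rsp->type);` is outside the hunk, so this cannot be confirmed here. If it reads `rsp->data` for a given type, each such read needs its own bound against the peer-supplied length. For a 32-bit feature mask that would be `if (cmd_len < sizeof(*rsp) + sizeof(u32)) return -EPROTO;` before the read.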
@@ -86248,45 +86283,7 @@ index 79ae884..0541331 100644 struct group_filter __user *kgf; int __user *koptlen; u32 interface, fmode, numsrc; -@@ -734,19 +734,25 @@ static unsigned char nas[21] = { - - asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags) - { -- return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; -+ return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); - } - - asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg, - unsigned int vlen, unsigned int flags) - { -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; - return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, - flags | MSG_CMSG_COMPAT); - } - - asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags) - { -- return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; -+ return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); - } - - asmlinkage long compat_sys_recv(int fd, void __user *buf, size_t len, unsigned int flags) -@@ -768,6 +774,9 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, - int datagrams; - struct timespec ktspec; - -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; -+ - if (COMPAT_USE_64BIT_TIME) - return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, - flags | MSG_CMSG_COMPAT, -@@ -796,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) +@@ -805,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) if (call < SYS_SOCKET || call > SYS_SENDMMSG) return -EINVAL; @@ -86309,7 +86306,7 @@ index 368f9c3..f82d4a3 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index 9a278e9..15f2b9e 100644 +index c9eb9e6..922c789 100644 --- a/net/core/dev.c +++ b/net/core/dev.c 
@@ -1617,7 +1617,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb) @@ -86339,7 +86336,7 @@ index 9a278e9..15f2b9e 100644 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb) -@@ -3093,7 +3093,7 @@ enqueue: +@@ -3099,7 +3099,7 @@ enqueue: local_irq_restore(flags); @@ -86348,7 +86345,7 @@ index 9a278e9..15f2b9e 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -3165,7 +3165,7 @@ int netif_rx_ni(struct sk_buff *skb) +@@ -3171,7 +3171,7 @@ int netif_rx_ni(struct sk_buff *skb) } EXPORT_SYMBOL(netif_rx_ni); @@ -86357,7 +86354,7 @@ index 9a278e9..15f2b9e 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); -@@ -3490,7 +3490,7 @@ ncls: +@@ -3496,7 +3496,7 @@ ncls: ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev); } else { drop: @@ -86366,7 +86363,7 @@ index 9a278e9..15f2b9e 100644 kfree_skb(skb); /* Jamal, now you will not able to escape explaining * me how you were going to use this. :-) -@@ -4095,7 +4095,7 @@ void netif_napi_del(struct napi_struct *napi) +@@ -4101,7 +4101,7 @@ void netif_napi_del(struct napi_struct *napi) } EXPORT_SYMBOL(netif_napi_del); @@ -86375,7 +86372,7 @@ index 9a278e9..15f2b9e 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); unsigned long time_limit = jiffies + 2; -@@ -5522,7 +5522,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, +@@ -5528,7 +5528,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, } else { netdev_stats_to_stats64(storage, &dev->stats); } @@ -86646,7 +86643,7 @@ index e61a8bb..6a2f13c 100644 #ifdef CONFIG_INET static u32 seq_scale(u32 seq) diff --git a/net/core/sock.c b/net/core/sock.c -index 1432266..1a0d4a1 100644 +index 684c37d..b541900 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -390,7 +390,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) @@ -87175,7 +87172,7 @@ index 52c273e..579060b 100644 return -ENOMEM; } 
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c -index 91d66db..4af7d99 100644 +index c7e8c04..56cb4c1 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -124,7 +124,7 @@ static bool log_ecn_error = true; @@ -87305,7 +87302,7 @@ index bf6c5cf..ab2e9c6 100644 return res; } diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c -index 8f024d4..8b3500c 100644 +index 7533846..d2361d1 100644 --- a/net/ipv4/ipip.c +++ b/net/ipv4/ipip.c @@ -138,7 +138,7 @@ struct ipip_net { @@ -87493,10 +87490,10 @@ index dd44e0a..06dcca4 100644 static int raw_seq_show(struct seq_file *seq, void *v) diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index 6e28514..5e1b055 100644 +index cfede9a..22248f9 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c -@@ -2553,34 +2553,34 @@ static struct ctl_table ipv4_route_flush_table[] = { +@@ -2558,34 +2558,34 @@ static struct ctl_table ipv4_route_flush_table[] = { .maxlen = sizeof(int), .mode = 0200, .proc_handler = ipv4_sysctl_rtcache_flush, @@ -87539,7 +87536,7 @@ index 6e28514..5e1b055 100644 err_dup: return -ENOMEM; } -@@ -2603,7 +2603,7 @@ static __net_initdata struct pernet_operations sysctl_route_ops = { +@@ -2608,7 +2608,7 @@ static __net_initdata struct pernet_operations sysctl_route_ops = { static __net_init int rt_genid_init(struct net *net) { 
@@ -87688,29 +87685,11 @@ index 960fd29..d55bf64 100644 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table); if (hdr == NULL) -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index e220207..cdeb839 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3383,8 +3383,11 @@ int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp, - - for (i = 0; i < shi->nr_frags; ++i) { - const struct skb_frag_struct *f = &shi->frags[i]; -- struct page *page = skb_frag_page(f); -- sg_set_page(&sg, page, skb_frag_size(f), f->page_offset); -+ unsigned int offset = f->page_offset; -+ struct page *page = skb_frag_page(f) + (offset >> PAGE_SHIFT); -+ -+ sg_set_page(&sg, page, skb_frag_size(f), -+ offset_in_page(offset)); - if (crypto_hash_update(desc, &sg, skb_frag_size(f))) - return 1; - } diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 13b9c08..d33a8d0 100644 +index 59163c8..8277c51 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c -@@ -4724,7 +4724,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, +@@ -4727,7 +4727,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, * simplifies code) */ static void @@ -87719,7 +87698,7 @@ index 13b9c08..d33a8d0 100644 struct sk_buff *head, struct sk_buff *tail, u32 start, u32 end) { -@@ -5838,6 +5838,7 @@ discard: +@@ -5841,6 +5841,7 @@ discard: tcp_paws_reject(&tp->rx_opt, 0)) goto discard_and_undo; @@ -87727,7 +87706,7 @@ index 13b9c08..d33a8d0 100644 if (th->syn) { /* We see SYN without ACK. It is attempt of * simultaneous connect with crossed SYNs. -@@ -5888,6 +5889,7 @@ discard: +@@ -5891,6 +5892,7 @@ discard: goto discard; #endif } 
@@ -87735,7 +87714,7 @@ index 13b9c08..d33a8d0 100644 /* "fifth, if neither of the SYN or RST bits is set then * drop the segment and return." */ -@@ -5932,7 +5934,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, +@@ -5935,7 +5937,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto discard; if (th->syn) { @@ -88030,7 +88009,7 @@ index 9a459be..086b866 100644 return -ENOMEM; } diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index dae802c..bfa4baa 100644 +index 50a4c7c..50a27e6 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -2274,7 +2274,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg) @@ -88042,7 +88021,7 @@ index dae802c..bfa4baa 100644 if (ops->ndo_do_ioctl) { mm_segment_t oldfs = get_fs(); -@@ -4410,7 +4410,7 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write, +@@ -4412,7 +4412,7 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -88051,7 +88030,7 @@ index dae802c..bfa4baa 100644 int ret; /* -@@ -4492,7 +4492,7 @@ int addrconf_sysctl_disable(ctl_table *ctl, int write, +@@ -4494,7 +4494,7 @@ int addrconf_sysctl_disable(ctl_table *ctl, int write, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -88114,18 +88093,28 @@ index 95d13c7..791fe2f 100644 .maxtype = IFLA_GRE_MAX, .policy = ip6gre_policy, diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 155eccf..851fdae 100644 +index 851fdae..9d4d1fd 100644 --- a/net/ipv6/ip6_output.c 
+++ b/net/ipv6/ip6_output.c -@@ -1147,7 +1147,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, - if (WARN_ON(np->cork.opt)) - return -EINVAL; +@@ -822,11 +822,17 @@ static struct dst_entry *ip6_sk_dst_check(struct sock *sk, + const struct flowi6 *fl6) + { + struct ipv6_pinfo *np = inet6_sk(sk); +- struct rt6_info *rt = (struct rt6_info *)dst; ++ struct rt6_info *rt; -- np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation); -+ np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation); - if (unlikely(np->cork.opt == NULL)) - return -ENOBUFS; + if (!dst) + goto out; ++ if (dst->ops->family != AF_INET6) { ++ dst_release(dst); ++ return NULL; ++ } ++ ++ rt = (struct rt6_info *)dst; + /* Yes, checking route validity in not connected + * case is not very simple. Take into account, + * that we do not support routing by source, TOS, diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c index fff83cb..82d49dd 100644 --- a/net/ipv6/ip6_tunnel.c @@ -88736,33 +88725,6 @@ index 5b1e5af..1b929e7 100644 } while (!res); return res; } -diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c -index 637a341..8dec687 100644 ---- a/net/l2tp/l2tp_ppp.c -+++ b/net/l2tp/l2tp_ppp.c -@@ -346,19 +346,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh - skb_put(skb, 2); - - /* Copy user data into skb */ -- error = memcpy_fromiovec(skb->data, m->msg_iov, total_len); -+ error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov, -+ total_len); - if (error < 0) { - kfree_skb(skb); - goto error_put_sess_tun; - } -- skb_put(skb, total_len); - - l2tp_xmit_skb(session, skb, session->hdr_len); - - sock_put(ps->tunnel_sock); - sock_put(sk); - -- return error; -+ return total_len; - - error_put_sess_tun: - sock_put(ps->tunnel_sock); diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 843d8c4..cb04fa1 100644 --- a/net/mac80211/cfg.c 
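Review bot: The family check added to ip6_sk_dst_check() has no comment explaining that the socket's cached dst may not be an IPv6 route, which is why the `(struct rt6_info *)dst` cast was moved below it. A line such as `/* the cached dst may not be an IPv6 route; check the family before treating it as rt6_info */` above `if (dst->ops->family != AF_INET6)` would keep a later cleanup from moving the cast back to the declaration. The new branch calls `dst_release(dst)` and returns NULL directly rather than using `goto out`. The `out:` label and the rest of the function are outside the hunk, so confirm that this exit handles the reference the same way as the function's existing invalid-route path.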
@@ -89379,6 +89341,22 @@ index 9e31269..bc4c1b7 100644 mutex_unlock(&nf_log_mutex); } +diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c +index 96ccdf7..dac11f7 100644 +--- a/net/netfilter/nf_nat_sip.c ++++ b/net/netfilter/nf_nat_sip.c +@@ -230,9 +230,10 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff, + &ct->tuplehash[!dir].tuple.src.u3, + false); + if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, +- poff, plen, buffer, buflen)) ++ poff, plen, buffer, buflen)) { + nf_ct_helper_log(skb, ct, "cannot mangle received"); + return NF_DROP; ++ } + } + + /* The rport= parameter (RFC 3581) contains the port number diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c index f042ae5..30ea486 100644 --- a/net/netfilter/nf_sockopt.c @@ -89599,10 +89577,10 @@ index 103bd70..f21aad3 100644 *uaddr_len = sizeof(struct sockaddr_ax25); } diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index f83e172..223ffe1 100644 +index e50f72a..f71867d 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c -@@ -1571,7 +1571,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1578,7 +1578,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, spin_lock(&sk->sk_receive_queue.lock); po->stats.tp_packets++; @@ -89611,7 +89589,7 @@ index f83e172..223ffe1 100644 __skb_queue_tail(&sk->sk_receive_queue, skb); spin_unlock(&sk->sk_receive_queue.lock); sk->sk_data_ready(sk, skb->len); -@@ -1580,7 +1580,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1587,7 +1587,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, drop_n_acct: spin_lock(&sk->sk_receive_queue.lock); po->stats.tp_drops++; @@ -89620,7 +89598,7 @@ index f83e172..223ffe1 100644 spin_unlock(&sk->sk_receive_queue.lock); drop_n_restore: -@@ -2558,6 +2558,7 @@ out: +@@ -2579,6 +2579,7 @@ out: static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) { 
@@ -89628,7 +89606,7 @@ index f83e172..223ffe1 100644 struct sock_exterr_skb *serr; struct sk_buff *skb, *skb2; int copied, err; -@@ -2579,8 +2580,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) +@@ -2600,8 +2601,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) sock_recv_timestamp(msg, sk, skb); serr = SKB_EXT_ERR(skb); @@ -89639,22 +89617,7 @@ index f83e172..223ffe1 100644 msg->msg_flags |= MSG_ERRQUEUE; err = copied; -@@ -2769,12 +2771,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, - return -EOPNOTSUPP; - - uaddr->sa_family = AF_PACKET; -+ memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data)); - rcu_read_lock(); - dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex); - if (dev) -- strncpy(uaddr->sa_data, dev->name, 14); -- else -- memset(uaddr->sa_data, 0, 14); -+ strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); - rcu_read_unlock(); - *uaddr_len = sizeof(*uaddr); - -@@ -3205,7 +3206,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3225,7 +3227,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); @@ -89663,7 +89626,7 @@ index f83e172..223ffe1 100644 return -EFAULT; switch (val) { case TPACKET_V1: -@@ -3247,7 +3248,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3267,7 +3269,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, len = lv; if (put_user(len, optlen)) return -EFAULT; 
@@ -90199,33 +90162,6 @@ index 391a245..296b3d7 100644 } /* Initialize IPv6 support and register with socket layer. */ -diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c -index 01dca75..e9426bb 100644 ---- a/net/sctp/outqueue.c -+++ b/net/sctp/outqueue.c -@@ -206,6 +206,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary, - */ - void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q) - { -+ memset(q, 0, sizeof(struct sctp_outq)); -+ - q->asoc = asoc; - INIT_LIST_HEAD(&q->out_chunk_list); - INIT_LIST_HEAD(&q->control_chunk_list); -@@ -213,13 +215,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q) - INIT_LIST_HEAD(&q->sacked); - INIT_LIST_HEAD(&q->abandoned); - -- q->fast_rtx = 0; -- q->outstanding_bytes = 0; - q->empty = 1; -- q->cork = 0; -- -- q->malloced = 0; -- q->out_qlen = 0; - } - - /* Free the outqueue structure and any related pending chunks. diff --git a/net/sctp/probe.c b/net/sctp/probe.c index ad0dba8..e62c225 100644 --- a/net/sctp/probe.c @@ -90310,7 +90246,7 @@ index 8aab894..f6b7e7d 100644 sctp_generate_t1_cookie_event, sctp_generate_t1_init_event, diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index b907073..7bea2ca 100644 +index 02c43e4..7bea2ca 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -2166,11 +2166,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, 
@@ -90328,20 +90264,7 @@ index b907073..7bea2ca 100644 /* * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT, -@@ -4002,6 +4004,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk) - - /* Release our hold on the endpoint. */ - sp = sctp_sk(sk); -+ /* This could happen during socket init, thus we bail out -+ * early, since the rest of the below is not setup either. -+ */ -+ if (sp->ep == NULL) -+ return; -+ - if (sp->do_auto_asconf) { - sp->do_auto_asconf = 0; - list_del(&sp->auto_asconf_list); -@@ -4215,13 +4223,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, +@@ -4221,13 +4223,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -90359,7 +90282,7 @@ index b907073..7bea2ca 100644 return -EFAULT; return 0; } -@@ -4239,6 +4250,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, +@@ -4245,6 +4250,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, */ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -90368,7 +90291,7 @@ index b907073..7bea2ca 100644 /* Applicable to UDP-style socket only */ if (sctp_style(sk, TCP)) return -EOPNOTSUPP; -@@ -4247,7 +4260,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv +@@ -4253,7 +4260,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv len = sizeof(int); if (put_user(len, optlen)) return -EFAULT; @@ -90378,7 +90301,7 @@ index b907073..7bea2ca 100644 return -EFAULT; return 0; } -@@ -4619,12 +4633,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, +@@ -4625,12 +4633,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, */ static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen) { 
@@ -90395,7 +90318,7 @@ index b907073..7bea2ca 100644 return -EFAULT; return 0; } -@@ -4665,6 +4682,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, +@@ -4671,6 +4682,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; if (space_left < addrlen) return -ENOMEM; @@ -90427,7 +90350,7 @@ index bf3c6e8..376d8d0 100644 table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL); diff --git a/net/socket.c b/net/socket.c -index 88f759a..74be616 100644 +index e216502..74be616 100644 --- a/net/socket.c +++ b/net/socket.c @@ -88,6 +88,7 @@ @@ -90598,16 +90521,7 @@ index 88f759a..74be616 100644 int err, err2; int fput_needed; -@@ -1978,7 +2040,7 @@ struct used_address { - unsigned int name_len; - }; - --static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg, -+static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, - struct msghdr *msg_sys, unsigned int flags, - struct used_address *used_address) - { -@@ -2045,7 +2107,7 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2045,7 +2107,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, * checking falls down on this. */ if (copy_from_user(ctl_buf, 
@@ -90616,83 +90530,7 @@ index 88f759a..74be616 100644 ctl_len)) goto out_freectl; msg_sys->msg_control = ctl_buf; -@@ -2093,20 +2155,28 @@ out: - * BSD sendmsg interface - */ - -+long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags) -+{ -+ int fput_needed, err; -+ struct msghdr msg_sys; -+ struct socket *sock; -+ -+ sock = sockfd_lookup_light(fd, &err, &fput_needed); -+ if (!sock) -+ goto out; -+ -+ err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL); -+ -+ fput_light(sock->file, fput_needed); -+out: -+ return err; -+} -+ - SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags) - { -- int fput_needed, err; -- struct msghdr msg_sys; -- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed); -- -- if (!sock) -- goto out; -- -- err = __sys_sendmsg(sock, msg, &msg_sys, flags, NULL); -- -- fput_light(sock->file, fput_needed); --out: -- return err; -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; -+ return __sys_sendmsg(fd, msg, flags); - } - - /* -@@ -2139,15 +2209,16 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, - - while (datagrams < vlen) { - if (MSG_CMSG_COMPAT & flags) { -- err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry, -- &msg_sys, flags, &used_address); -+ err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry, -+ &msg_sys, flags, &used_address); - if (err < 0) - break; - err = __put_user(err, &compat_entry->msg_len); - ++compat_entry; - } else { -- err = __sys_sendmsg(sock, (struct msghdr __user *)entry, -- &msg_sys, flags, &used_address); -+ err = ___sys_sendmsg(sock, -+ (struct msghdr __user *)entry, -+ &msg_sys, flags, &used_address); - if (err < 0) - break; - err = put_user(err, &entry->msg_len); -@@ -2171,10 +2242,12 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, - SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg, - unsigned int, vlen, unsigned int, flags) - { -+ if (flags & MSG_CMSG_COMPAT) 
-+ return -EINVAL; - return __sys_sendmmsg(fd, mmsg, vlen, flags); - } - --static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, -+static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, - struct msghdr *msg_sys, unsigned int flags, int nosec) - { - struct compat_msghdr __user *msg_compat = -@@ -2185,7 +2258,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2196,7 +2258,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, int err, total_len, len; /* kernel mode address */ @@ -90701,7 +90539,7 @@ index 88f759a..74be616 100644 /* user mode address pointers */ struct sockaddr __user *uaddr; -@@ -2213,7 +2286,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2224,7 +2286,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, * kernel msghdr to use the kernel address space) */ 
@@ -90710,84 +90548,7 @@ index 88f759a..74be616 100644 uaddr_len = COMPAT_NAMELEN(msg); if (MSG_CMSG_COMPAT & flags) { err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE); -@@ -2266,21 +2339,29 @@ out: - * BSD recvmsg interface - */ - -+long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags) -+{ -+ int fput_needed, err; -+ struct msghdr msg_sys; -+ struct socket *sock; -+ -+ sock = sockfd_lookup_light(fd, &err, &fput_needed); -+ if (!sock) -+ goto out; -+ -+ err = ___sys_recvmsg(sock, msg, &msg_sys, flags, 0); -+ -+ fput_light(sock->file, fput_needed); -+out: -+ return err; -+} -+ - SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg, - unsigned int, flags) - { -- int fput_needed, err; -- struct msghdr msg_sys; -- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed); -- -- if (!sock) -- goto out; -- -- err = __sys_recvmsg(sock, msg, &msg_sys, flags, 0); -- -- fput_light(sock->file, fput_needed); --out: -- return err; -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; -+ return __sys_recvmsg(fd, msg, flags); - } - - /* -@@ -2320,17 +2401,18 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, - * No need to ask LSM for more than the first datagram. 
- */ - if (MSG_CMSG_COMPAT & flags) { -- err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry, -- &msg_sys, flags & ~MSG_WAITFORONE, -- datagrams); -+ err = ___sys_recvmsg(sock, (struct msghdr __user *)compat_entry, -+ &msg_sys, flags & ~MSG_WAITFORONE, -+ datagrams); - if (err < 0) - break; - err = __put_user(err, &compat_entry->msg_len); - ++compat_entry; - } else { -- err = __sys_recvmsg(sock, (struct msghdr __user *)entry, -- &msg_sys, flags & ~MSG_WAITFORONE, -- datagrams); -+ err = ___sys_recvmsg(sock, -+ (struct msghdr __user *)entry, -+ &msg_sys, flags & ~MSG_WAITFORONE, -+ datagrams); - if (err < 0) - break; - err = put_user(err, &entry->msg_len); -@@ -2397,6 +2479,9 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, - int datagrams; - struct timespec timeout_sys; - -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; -+ - if (!timeout) - return __sys_recvmmsg(fd, mmsg, vlen, flags, NULL); - -@@ -2952,7 +3037,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, +@@ -2975,7 +3037,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); err = dev_ioctl(net, cmd, @@ -90796,7 +90557,7 @@ index 88f759a..74be616 100644 set_fs(old_fs); return err; -@@ -3061,7 +3146,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, +@@ -3084,7 +3146,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); @@ -90805,7 +90566,7 @@ index 88f759a..74be616 100644 set_fs(old_fs); if (cmd == SIOCGIFMAP && !err) { -@@ -3166,7 +3251,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, +@@ -3189,7 +3251,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, ret |= __get_user(rtdev, &(ur4->rt_dev)); if (rtdev) { ret |= copy_from_user(devname, compat_ptr(rtdev), 15); 
@@ -90814,7 +90575,7 @@ index 88f759a..74be616 100644 devname[15] = 0; } else r4.rt_dev = NULL; -@@ -3392,8 +3477,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, +@@ -3415,8 +3477,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, int __user *uoptlen; int err; @@ -90825,7 +90586,7 @@ index 88f759a..74be616 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) -@@ -3413,7 +3498,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, +@@ -3436,7 +3498,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, char __user *uoptval; int err; @@ -91323,18 +91084,6 @@ index c8717c1..08539f5 100644 err = handler(dev, info, (union iwreq_data *) iwp, extra); iwp->length += essid_compat; -diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c -index bcfda89..0cf003d 100644 ---- a/net/xfrm/xfrm_output.c -+++ b/net/xfrm/xfrm_output.c -@@ -64,6 +64,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err) - - if (unlikely(x->km.state != XFRM_STATE_VALID)) { - XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEINVALID); -+ err = -EINVAL; - goto error; - } - diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 167c67d..3f2ae427 100644 --- a/net/xfrm/xfrm_policy.c diff --git a/3.9.7/4425_grsec_remove_EI_PAX.patch b/3.9.8/4425_grsec_remove_EI_PAX.patch index 415fda5..415fda5 100644 --- a/3.9.7/4425_grsec_remove_EI_PAX.patch +++ b/3.9.8/4425_grsec_remove_EI_PAX.patch diff --git a/3.9.7/4427_force_XATTR_PAX_tmpfs.patch b/3.9.8/4427_force_XATTR_PAX_tmpfs.patch index e2a9551..e2a9551 100644 --- a/3.9.7/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.9.8/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.9.7/4430_grsec-remove-localversion-grsec.patch b/3.9.8/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.9.7/4430_grsec-remove-localversion-grsec.patch +++ b/3.9.8/4430_grsec-remove-localversion-grsec.patch 
diff --git a/3.9.7/4435_grsec-mute-warnings.patch b/3.9.8/4435_grsec-mute-warnings.patch index ed941d5..ed941d5 100644 --- a/3.9.7/4435_grsec-mute-warnings.patch +++ b/3.9.8/4435_grsec-mute-warnings.patch diff --git a/3.9.7/4440_grsec-remove-protected-paths.patch b/3.9.8/4440_grsec-remove-protected-paths.patch index 637934a..637934a 100644 --- a/3.9.7/4440_grsec-remove-protected-paths.patch +++ b/3.9.8/4440_grsec-remove-protected-paths.patch diff --git a/3.9.7/4450_grsec-kconfig-default-gids.patch b/3.9.8/4450_grsec-kconfig-default-gids.patch index f144c0e..f144c0e 100644 --- a/3.9.7/4450_grsec-kconfig-default-gids.patch +++ b/3.9.8/4450_grsec-kconfig-default-gids.patch diff --git a/3.9.7/4465_selinux-avc_audit-log-curr_ip.patch b/3.9.8/4465_selinux-avc_audit-log-curr_ip.patch index b0786d4..b0786d4 100644 --- a/3.9.7/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.9.8/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.9.7/4470_disable-compat_vdso.patch b/3.9.8/4470_disable-compat_vdso.patch index 424d91f..424d91f 100644 --- a/3.9.7/4470_disable-compat_vdso.patch +++ b/3.9.8/4470_disable-compat_vdso.patch diff --git a/3.9.7/4475_emutramp_default_on.patch b/3.9.8/4475_emutramp_default_on.patch index 27bfc2d..27bfc2d 100644 --- a/3.9.7/4475_emutramp_default_on.patch +++ b/3.9.8/4475_emutramp_default_on.patch |