authorNatanael Copa <ncopa@alpinelinux.org>2012-11-05 20:09:01 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2012-11-05 20:09:01 +0000
commit2edff3debb0af59ba6f87e58f1bc3a8faec3b8b6 (patch)
treece49545053b320e806a69787c4713288d1ec10fd
parente1a75a0227cc4a0a507328ef31051ccc0e83b623 (diff)
main/linux-grsec: upgrade to grsecurity-2.9.1-3.6.5-201211042157
-rw-r--r--main/linux-grsec/APKBUILD10
-rw-r--r--main/linux-grsec/grsecurity-2.9.1-3.6.5-201211042157.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.6.4-201210291446.patch)605
2 files changed, 498 insertions, 117 deletions
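--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,9 +2,9 @@
 
 _flavor=grsec
 pkgname=linux-${_flavor}
-pkgver=3.6.4
+pkgver=3.6.5
 _kernver=3.6
-pkgrel=1
+pkgrel=0
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}}
 install=
 source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
  http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9.1-3.6.4-201210291446.patch
+ grsecurity-2.9.1-3.6.5-201211042157.patch
 
  0004-arp-flush-arp-cache-on-device-change.patch
 
@@ -139,8 +139,8 @@ dev() {
 }
 
 md5sums="1a1760420eac802c541a20ab51a093d1 linux-3.6.tar.xz
-d7efab4da2682c44662b684026b059f7 patch-3.6.4.xz
-4235328c981070bca82bc61b7f7bc7c1 grsecurity-2.9.1-3.6.4-201210291446.patch
+6ad8ceebb9b5c1bf69a0c07ef7cc81f2 patch-3.6.5.xz
+0affb0d4559c04d76251be6755338ae1 grsecurity-2.9.1-3.6.5-201211042157.patch
 776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
 0fe70e3640b55adb6800e6eebe74ea4d kernelconfig.x86
 b7707e701f190d97c3552b7ec292b897 kernelconfig.x86_64"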
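Review bot: The refreshed `md5sums` entry is the only integrity check on `patch-3.6.5.xz`, which `source=` still fetches over plain `http://ftp.kernel.org/`. MD5 is not collision-resistant, so the check catches a corrupted download but gives little assurance against a deliberately substituted one on an unauthenticated transport. If the abuild version in use accepts a stronger digest array, add one alongside, e.g. `sha512sums="<sha512-of-patch-3.6.5.xz>  patch-3.6.5.xz"` (placeholder, not a real digest), and switch the two kernel.org entries to an `https://` URL. The grsecurity patch is carried in-tree, so its integrity rests on the aports repository history rather than on this checksum line.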
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.6.4-201210291446.patch b/main/linux-grsec/grsecurity-2.9.1-3.6.5-201211042157.patch
index 08c581d833..18206e5084 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.6.4-201210291446.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.6.5-201211042157.patch
@@ -251,7 +251,7 @@ index ad7e2e5..199f49e 100644
251 251
252 pcd. [PARIDE] 252 pcd. [PARIDE]
253diff --git a/Makefile b/Makefile 253diff --git a/Makefile b/Makefile
254index dcf132a..db194e3 100644 254index 6e4a00d..4c7aa4f 100644
255--- a/Makefile 255--- a/Makefile
256+++ b/Makefile 256+++ b/Makefile
257@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ 257@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -19013,7 +19013,7 @@ index 7a6f3b3..bed145d7 100644
19013 19013
19014 1: 19014 1:
19015diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c 19015diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
19016index 198e774..e880f29 100644 19016index 5cee802..bc22bc3 100644
19017--- a/arch/x86/kernel/setup.c 19017--- a/arch/x86/kernel/setup.c
19018+++ b/arch/x86/kernel/setup.c 19018+++ b/arch/x86/kernel/setup.c
19019@@ -440,7 +440,7 @@ static void __init parse_setup_data(void) 19019@@ -440,7 +440,7 @@ static void __init parse_setup_data(void)
@@ -24577,7 +24577,7 @@ index b91e485..d00e7c9 100644
24577 } 24577 }
24578 if (mm->get_unmapped_area == arch_get_unmapped_area) 24578 if (mm->get_unmapped_area == arch_get_unmapped_area)
24579diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c 24579diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
24580index ab1f6a9..23030ba 100644 24580index d7aea41..f753ad2 100644
24581--- a/arch/x86/mm/init.c 24581--- a/arch/x86/mm/init.c
24582+++ b/arch/x86/mm/init.c 24582+++ b/arch/x86/mm/init.c
24583@@ -16,6 +16,8 @@ 24583@@ -16,6 +16,8 @@
@@ -24589,16 +24589,16 @@ index ab1f6a9..23030ba 100644
24589 24589
24590 unsigned long __initdata pgt_buf_start; 24590 unsigned long __initdata pgt_buf_start;
24591 unsigned long __meminitdata pgt_buf_end; 24591 unsigned long __meminitdata pgt_buf_end;
24592@@ -38,7 +40,7 @@ struct map_range { 24592@@ -44,7 +46,7 @@ static void __init find_early_table_space(struct map_range *mr, int nr_range)
24593 static void __init find_early_table_space(struct map_range *mr, unsigned long end,
24594 int use_pse, int use_gbpages)
24595 { 24593 {
24596- unsigned long puds, pmds, ptes, tables, start = 0, good_end = end; 24594 int i;
24597+ unsigned long puds, pmds, ptes, tables, start = 0x100000, good_end = end; 24595 unsigned long puds = 0, pmds = 0, ptes = 0, tables;
24596- unsigned long start = 0, good_end;
24597+ unsigned long start = 0x100000, good_end;
24598 phys_addr_t base; 24598 phys_addr_t base;
24599 24599
24600 puds = (end + PUD_SIZE - 1) >> PUD_SHIFT; 24600 for (i = 0; i < nr_range; i++) {
24601@@ -317,10 +319,37 @@ unsigned long __init_refok init_memory_mapping(unsigned long start, 24601@@ -321,10 +323,37 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
24602 * Access has to be given to non-kernel-ram areas as well, these contain the PCI 24602 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
24603 * mmio resources as well as potential bios/acpi data regions. 24603 * mmio resources as well as potential bios/acpi data regions.
24604 */ 24604 */
@@ -24637,7 +24637,7 @@ index ab1f6a9..23030ba 100644
24637 if (iomem_is_exclusive(pagenr << PAGE_SHIFT)) 24637 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
24638 return 0; 24638 return 0;
24639 if (!page_is_ram(pagenr)) 24639 if (!page_is_ram(pagenr))
24640@@ -377,8 +406,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) 24640@@ -381,8 +410,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
24641 #endif 24641 #endif
24642 } 24642 }
24643 24643
@@ -25034,7 +25034,7 @@ index 575d86f..4987469 100644
25034 printk(KERN_INFO "Write protecting the kernel text: %luk\n", 25034 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
25035 size >> 10); 25035 size >> 10);
25036diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c 25036diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
25037index 2b6b4a3..c17210d 100644 25037index 3baff25..8b37564 100644
25038--- a/arch/x86/mm/init_64.c 25038--- a/arch/x86/mm/init_64.c
25039+++ b/arch/x86/mm/init_64.c 25039+++ b/arch/x86/mm/init_64.c
25040@@ -74,7 +74,7 @@ early_param("gbpages", parse_direct_gbpages_on); 25040@@ -74,7 +74,7 @@ early_param("gbpages", parse_direct_gbpages_on);
@@ -25151,7 +25151,7 @@ index 2b6b4a3..c17210d 100644
25151 adr = (void *)(((unsigned long)adr) | left); 25151 adr = (void *)(((unsigned long)adr) | left);
25152 25152
25153 return adr; 25153 return adr;
25154@@ -548,7 +562,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end, 25154@@ -553,7 +567,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
25155 unmap_low_page(pmd); 25155 unmap_low_page(pmd);
25156 25156
25157 spin_lock(&init_mm.page_table_lock); 25157 spin_lock(&init_mm.page_table_lock);
@@ -25160,7 +25160,7 @@ index 2b6b4a3..c17210d 100644
25160 spin_unlock(&init_mm.page_table_lock); 25160 spin_unlock(&init_mm.page_table_lock);
25161 } 25161 }
25162 __flush_tlb_all(); 25162 __flush_tlb_all();
25163@@ -594,7 +608,7 @@ kernel_physical_mapping_init(unsigned long start, 25163@@ -599,7 +613,7 @@ kernel_physical_mapping_init(unsigned long start,
25164 unmap_low_page(pud); 25164 unmap_low_page(pud);
25165 25165
25166 spin_lock(&init_mm.page_table_lock); 25166 spin_lock(&init_mm.page_table_lock);
@@ -25169,7 +25169,7 @@ index 2b6b4a3..c17210d 100644
25169 spin_unlock(&init_mm.page_table_lock); 25169 spin_unlock(&init_mm.page_table_lock);
25170 pgd_changed = true; 25170 pgd_changed = true;
25171 } 25171 }
25172@@ -686,6 +700,12 @@ void __init mem_init(void) 25172@@ -691,6 +705,12 @@ void __init mem_init(void)
25173 25173
25174 pci_iommu_alloc(); 25174 pci_iommu_alloc();
25175 25175
@@ -25182,7 +25182,7 @@ index 2b6b4a3..c17210d 100644
25182 /* clear_bss() already clear the empty_zero_page */ 25182 /* clear_bss() already clear the empty_zero_page */
25183 25183
25184 reservedpages = 0; 25184 reservedpages = 0;
25185@@ -846,8 +866,8 @@ int kern_addr_valid(unsigned long addr) 25185@@ -851,8 +871,8 @@ int kern_addr_valid(unsigned long addr)
25186 static struct vm_area_struct gate_vma = { 25186 static struct vm_area_struct gate_vma = {
25187 .vm_start = VSYSCALL_START, 25187 .vm_start = VSYSCALL_START,
25188 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE), 25188 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
@@ -25193,7 +25193,7 @@ index 2b6b4a3..c17210d 100644
25193 }; 25193 };
25194 25194
25195 struct vm_area_struct *get_gate_vma(struct mm_struct *mm) 25195 struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
25196@@ -881,7 +901,7 @@ int in_gate_area_no_mm(unsigned long addr) 25196@@ -886,7 +906,7 @@ int in_gate_area_no_mm(unsigned long addr)
25197 25197
25198 const char *arch_vma_name(struct vm_area_struct *vma) 25198 const char *arch_vma_name(struct vm_area_struct *vma)
25199 { 25199 {
@@ -30813,7 +30813,7 @@ index 73fa3e1..ab2e9b9 100644
30813 iir = I915_READ(IIR); 30813 iir = I915_READ(IIR);
30814 30814
30815diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c 30815diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
30816index b634f6f..84bb8ba 100644 30816index b634f6f..43c62f5 100644
30817--- a/drivers/gpu/drm/i915/intel_display.c 30817--- a/drivers/gpu/drm/i915/intel_display.c
30818+++ b/drivers/gpu/drm/i915/intel_display.c 30818+++ b/drivers/gpu/drm/i915/intel_display.c
30819@@ -2182,7 +2182,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb) 30819@@ -2182,7 +2182,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb)
@@ -30825,16 +30825,17 @@ index b634f6f..84bb8ba 100644
30825 30825
30826 /* Big Hammer, we also need to ensure that any pending 30826 /* Big Hammer, we also need to ensure that any pending
30827 * MI_WAIT_FOR_EVENT inside a user batch buffer on the 30827 * MI_WAIT_FOR_EVENT inside a user batch buffer on the
30828@@ -6168,7 +6168,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev, 30828@@ -6168,8 +6168,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
30829 30829
30830 obj = work->old_fb_obj; 30830 obj = work->old_fb_obj;
30831 30831
30832- atomic_clear_mask(1 << intel_crtc->plane, 30832- atomic_clear_mask(1 << intel_crtc->plane,
30833+ atomic_clear_mask_unchecked(1 << intel_crtc->plane, 30833- &obj->pending_flip.counter);
30834 &obj->pending_flip.counter); 30834+ atomic_clear_mask_unchecked(1 << intel_crtc->plane, &obj->pending_flip);
30835 30835
30836 wake_up(&dev_priv->pending_flip_queue); 30836 wake_up(&dev_priv->pending_flip_queue);
30837@@ -6515,7 +6515,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, 30837 schedule_work(&work->work);
30838@@ -6515,7 +6514,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
30838 /* Block clients from rendering to the new back buffer until 30839 /* Block clients from rendering to the new back buffer until
30839 * the flip occurs and the object is no longer visible. 30840 * the flip occurs and the object is no longer visible.
30840 */ 30841 */
@@ -30843,7 +30844,7 @@ index b634f6f..84bb8ba 100644
30843 30844
30844 ret = dev_priv->display.queue_flip(dev, crtc, fb, obj); 30845 ret = dev_priv->display.queue_flip(dev, crtc, fb, obj);
30845 if (ret) 30846 if (ret)
30846@@ -6530,7 +6530,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, 30847@@ -6530,7 +6529,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
30847 return 0; 30848 return 0;
30848 30849
30849 cleanup_pending: 30850 cleanup_pending:
@@ -31504,10 +31505,10 @@ index 14599e2..711c965 100644
31504 31505
31505 for (i = 0; i < hid->maxcollection; i++) 31506 for (i = 0; i < hid->maxcollection; i++)
31506diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c 31507diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
31507index 4065374..10ed7dc 100644 31508index f4c3d28..82f45a9 100644
31508--- a/drivers/hv/channel.c 31509--- a/drivers/hv/channel.c
31509+++ b/drivers/hv/channel.c 31510+++ b/drivers/hv/channel.c
31510@@ -400,8 +400,8 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer, 31511@@ -402,8 +402,8 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
31511 int ret = 0; 31512 int ret = 0;
31512 int t; 31513 int t;
31513 31514
@@ -34782,6 +34783,28 @@ index 51b9d6a..52af9a7 100644
34782 #include <linux/mtd/mtd.h> 34783 #include <linux/mtd/mtd.h>
34783 #include <linux/mtd/nand.h> 34784 #include <linux/mtd/nand.h>
34784 #include <linux/mtd/nftl.h> 34785 #include <linux/mtd/nftl.h>
34786diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c
34787index dc15d24..ef8d2a0 100644
34788--- a/drivers/net/bonding/bond_sysfs.c
34789+++ b/drivers/net/bonding/bond_sysfs.c
34790@@ -1060,7 +1060,7 @@ static ssize_t bonding_store_primary(struct device *d,
34791 goto out;
34792 }
34793
34794- sscanf(buf, "%16s", ifname); /* IFNAMSIZ */
34795+ sscanf(buf, "%15s", ifname); /* IFNAMSIZ */
34796
34797 /* check to see if we are clearing primary */
34798 if (!strlen(ifname) || buf[0] == '\n') {
34799@@ -1237,7 +1237,7 @@ static ssize_t bonding_store_active_slave(struct device *d,
34800 goto out;
34801 }
34802
34803- sscanf(buf, "%16s", ifname); /* IFNAMSIZ */
34804+ sscanf(buf, "%15s", ifname); /* IFNAMSIZ */
34805
34806 /* check to see if we are clearing active */
34807 if (!strlen(ifname) || buf[0] == '\n') {
34785diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c 34808diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c
34786index 57d64b8..623dd86 100644 34809index 57d64b8..623dd86 100644
34787--- a/drivers/net/ethernet/atheros/atlx/atl2.c 34810--- a/drivers/net/ethernet/atheros/atlx/atl2.c
@@ -34795,6 +34818,22 @@ index 57d64b8..623dd86 100644
34795 MODULE_PARM(X, "1-" __MODULE_STRING(ATL2_MAX_NIC) "i"); \ 34818 MODULE_PARM(X, "1-" __MODULE_STRING(ATL2_MAX_NIC) "i"); \
34796 MODULE_PARM_DESC(X, desc); 34819 MODULE_PARM_DESC(X, desc);
34797 #else 34820 #else
34821diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
34822index 0875ecf..794cdf3 100644
34823--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
34824+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
34825@@ -3051,9 +3051,8 @@ static void bnx2x_drv_info_ether_stat(struct bnx2x *bp)
34826 struct eth_stats_info *ether_stat =
34827 &bp->slowpath->drv_info_to_mcp.ether_stat;
34828
34829- /* leave last char as NULL */
34830- memcpy(ether_stat->version, DRV_MODULE_VERSION,
34831- ETH_STAT_INFO_VERSION_LEN - 1);
34832+ strlcpy(ether_stat->version, DRV_MODULE_VERSION,
34833+ ETH_STAT_INFO_VERSION_LEN);
34834
34835 bp->sp_objs[0].mac_obj.get_n_elements(bp, &bp->sp_objs[0].mac_obj,
34836 DRV_INFO_ETH_STAT_NUM_MACS_REQUIRED,
34798diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h 34837diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
34799index f83e033..8b4f43a 100644 34838index f83e033..8b4f43a 100644
34800--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h 34839--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
@@ -35258,6 +35297,18 @@ index 4a518a3..936b334 100644
35258 35297
35259 #define VXGE_HW_VIRTUAL_PATH_HANDLE(vpath) \ 35298 #define VXGE_HW_VIRTUAL_PATH_HANDLE(vpath) \
35260 ((struct __vxge_hw_vpath_handle *)(vpath)->vpath_handles.next) 35299 ((struct __vxge_hw_vpath_handle *)(vpath)->vpath_handles.next)
35300diff --git a/drivers/net/ethernet/nxp/lpc_eth.c b/drivers/net/ethernet/nxp/lpc_eth.c
35301index 53743f7..af8b414 100644
35302--- a/drivers/net/ethernet/nxp/lpc_eth.c
35303+++ b/drivers/net/ethernet/nxp/lpc_eth.c
35304@@ -1524,6 +1524,7 @@ static int lpc_eth_drv_remove(struct platform_device *pdev)
35305 pldat->dma_buff_base_p);
35306 free_irq(ndev->irq, ndev);
35307 iounmap(pldat->net_base);
35308+ mdiobus_unregister(pldat->mii_bus);
35309 mdiobus_free(pldat->mii_bus);
35310 clk_disable(pldat->clk);
35311 clk_put(pldat->clk);
35261diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c 35312diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
35262index b47d5b3..273a516 100644 35313index b47d5b3..273a516 100644
35263--- a/drivers/net/ethernet/realtek/r8169.c 35314--- a/drivers/net/ethernet/realtek/r8169.c
@@ -35352,6 +35403,18 @@ index 1e88a10..1b01736 100644
35352 35403
35353 /* Ignore return since this msg is optional. */ 35404 /* Ignore return since this msg is optional. */
35354 rndis_filter_send_request(dev, request); 35405 rndis_filter_send_request(dev, request);
35406diff --git a/drivers/net/phy/mdio-bitbang.c b/drivers/net/phy/mdio-bitbang.c
35407index daec9b0..6428fcb 100644
35408--- a/drivers/net/phy/mdio-bitbang.c
35409+++ b/drivers/net/phy/mdio-bitbang.c
35410@@ -234,6 +234,7 @@ void free_mdio_bitbang(struct mii_bus *bus)
35411 struct mdiobb_ctrl *ctrl = bus->priv;
35412
35413 module_put(ctrl->ops->owner);
35414+ mdiobus_unregister(bus);
35415 mdiobus_free(bus);
35416 }
35417 EXPORT_SYMBOL(free_mdio_bitbang);
35355diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c 35418diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
35356index 5c05572..389610b 100644 35419index 5c05572..389610b 100644
35357--- a/drivers/net/ppp/ppp_generic.c 35420--- a/drivers/net/ppp/ppp_generic.c
@@ -35500,6 +35563,27 @@ index 6169fbd..40e8422 100644
35500 35563
35501 struct ath_common; 35564 struct ath_common;
35502 struct ath_bus_ops; 35565 struct ath_bus_ops;
35566diff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c
35567index 2aab20e..b761ef8 100644
35568--- a/drivers/net/wireless/ath/ath5k/base.c
35569+++ b/drivers/net/wireless/ath/ath5k/base.c
35570@@ -1803,7 +1803,7 @@ ath5k_beacon_update(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
35571 {
35572 int ret;
35573 struct ath5k_hw *ah = hw->priv;
35574- struct ath5k_vif *avf = (void *)vif->drv_priv;
35575+ struct ath5k_vif *avf;
35576 struct sk_buff *skb;
35577
35578 if (WARN_ON(!vif)) {
35579@@ -1818,6 +1818,7 @@ ath5k_beacon_update(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
35580 goto out;
35581 }
35582
35583+ avf = (void *)vif->drv_priv;
35584 ath5k_txbuf_free_skb(ah, avf->bbuf);
35585 avf->bbuf->skb = skb;
35586 ret = ath5k_beacon_setup(ah, avf->bbuf);
35503diff --git a/drivers/net/wireless/ath/ath9k/ar9002_mac.c b/drivers/net/wireless/ath/ath9k/ar9002_mac.c 35587diff --git a/drivers/net/wireless/ath/ath9k/ar9002_mac.c b/drivers/net/wireless/ath/ath9k/ar9002_mac.c
35504index 8d78253..bebbb68 100644 35588index 8d78253..bebbb68 100644
35505--- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c 35589--- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c
@@ -37819,6 +37903,40 @@ index 0d4aa82..f7832d4 100644
37819 extern void tmem_register_hostops(struct tmem_hostops *m); 37903 extern void tmem_register_hostops(struct tmem_hostops *m);
37820 37904
37821 /* core tmem accessor functions */ 37905 /* core tmem accessor functions */
37906diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
37907index 9fc9a60..68d4c10 100644
37908--- a/drivers/target/target_core_device.c
37909+++ b/drivers/target/target_core_device.c
37910@@ -850,20 +850,20 @@ int se_dev_check_shutdown(struct se_device *dev)
37911
37912 static u32 se_dev_align_max_sectors(u32 max_sectors, u32 block_size)
37913 {
37914- u32 tmp, aligned_max_sectors;
37915+ u32 aligned_max_sectors;
37916+ u32 alignment;
37917 /*
37918 * Limit max_sectors to a PAGE_SIZE aligned value for modern
37919 * transport_allocate_data_tasks() operation.
37920 */
37921- tmp = rounddown((max_sectors * block_size), PAGE_SIZE);
37922- aligned_max_sectors = (tmp / block_size);
37923- if (max_sectors != aligned_max_sectors) {
37924- printk(KERN_INFO "Rounding down aligned max_sectors from %u"
37925- " to %u\n", max_sectors, aligned_max_sectors);
37926- return aligned_max_sectors;
37927- }
37928+ alignment = max(1ul, PAGE_SIZE / block_size);
37929+ aligned_max_sectors = rounddown(max_sectors, alignment);
37930
37931- return max_sectors;
37932+ if (max_sectors != aligned_max_sectors)
37933+ pr_info("Rounding down aligned max_sectors from %u to %u\n",
37934+ max_sectors, aligned_max_sectors);
37935+
37936+ return aligned_max_sectors;
37937 }
37938
37939 void se_dev_set_default_attribs(
37822diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c 37940diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
37823index 269f544..32def0d 100644 37941index 269f544..32def0d 100644
37824--- a/drivers/target/target_core_transport.c 37942--- a/drivers/target/target_core_transport.c
@@ -42586,6 +42704,19 @@ index e56c934..fc22f4b 100644
42586 } u; 42704 } u;
42587 struct list_head list; 42705 struct list_head list;
42588 }; 42706 };
42707diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
42708index 89f7625..ac72702 100644
42709--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
42710+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
42711@@ -458,7 +458,7 @@ static ssize_t xenbus_file_write(struct file *filp,
42712 goto out;
42713
42714 /* Can't write a xenbus message larger we can buffer */
42715- if ((len + u->len) > sizeof(u->u.buffer)) {
42716+ if (len > sizeof(u->u.buffer) - u->len) {
42717 /* On error, dump existing buffer */
42718 u->len = 0;
42719 rc = -EINVAL;
42589diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c 42720diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
42590index cbf9dbb..35c3af7 100644 42721index cbf9dbb..35c3af7 100644
42591--- a/fs/9p/vfs_inode.c 42722--- a/fs/9p/vfs_inode.c
@@ -44019,6 +44150,19 @@ index e5b7731..b9c59fb 100644
44019 int err; 44150 int err;
44020 u32 ftype; 44151 u32 ftype;
44021 struct ceph_mds_reply_info_parsed *rinfo; 44152 struct ceph_mds_reply_info_parsed *rinfo;
44153diff --git a/fs/ceph/export.c b/fs/ceph/export.c
44154index 02ce909..9349bb3 100644
44155--- a/fs/ceph/export.c
44156+++ b/fs/ceph/export.c
44157@@ -90,6 +90,8 @@ static int ceph_encode_fh(struct inode *inode, u32 *rawfh, int *max_len,
44158 *max_len = handle_length;
44159 type = 255;
44160 }
44161+ if (dentry)
44162+ dput(dentry);
44163 return type;
44164 }
44165
44022diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c 44166diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
44023index d9ea6ed..1e6c8ac 100644 44167index d9ea6ed..1e6c8ac 100644
44024--- a/fs/cifs/cifs_debug.c 44168--- a/fs/cifs/cifs_debug.c
@@ -44624,19 +44768,10 @@ index 112e45a..b59845b 100644
44624 44768
44625 /* 44769 /*
44626diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c 44770diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
44627index debdfe0..75d31d4 100644 44771index 5d2069f..75d31d4 100644
44628--- a/fs/compat_ioctl.c 44772--- a/fs/compat_ioctl.c
44629+++ b/fs/compat_ioctl.c 44773+++ b/fs/compat_ioctl.c
44630@@ -210,6 +210,8 @@ static int do_video_set_spu_palette(unsigned int fd, unsigned int cmd, 44774@@ -623,7 +623,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd,
44631
44632 err = get_user(palp, &up->palette);
44633 err |= get_user(length, &up->length);
44634+ if (err)
44635+ return -EFAULT;
44636
44637 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
44638 err = put_user(compat_ptr(palp), &up_native->palette);
44639@@ -621,7 +623,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd,
44640 return -EFAULT; 44775 return -EFAULT;
44641 if (__get_user(udata, &ss32->iomem_base)) 44776 if (__get_user(udata, &ss32->iomem_base))
44642 return -EFAULT; 44777 return -EFAULT;
@@ -44645,7 +44780,7 @@ index debdfe0..75d31d4 100644
44645 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) || 44780 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
44646 __get_user(ss.port_high, &ss32->port_high)) 44781 __get_user(ss.port_high, &ss32->port_high))
44647 return -EFAULT; 44782 return -EFAULT;
44648@@ -796,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file, 44783@@ -798,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file,
44649 copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) || 44784 copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
44650 copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) || 44785 copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
44651 copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) || 44786 copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
@@ -44654,7 +44789,7 @@ index debdfe0..75d31d4 100644
44654 return -EFAULT; 44789 return -EFAULT;
44655 44790
44656 return ioctl_preallocate(file, p); 44791 return ioctl_preallocate(file, p);
44657@@ -1610,8 +1612,8 @@ asmlinkage long compat_sys_ioctl(unsigned int fd, unsigned int cmd, 44792@@ -1612,8 +1612,8 @@ asmlinkage long compat_sys_ioctl(unsigned int fd, unsigned int cmd,
44658 static int __init init_sys32_ioctl_cmp(const void *p, const void *q) 44793 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
44659 { 44794 {
44660 unsigned int a, b; 44795 unsigned int a, b;
@@ -44780,7 +44915,7 @@ index b2a34a1..162fa69 100644
44780 return rc; 44915 return rc;
44781 } 44916 }
44782diff --git a/fs/exec.c b/fs/exec.c 44917diff --git a/fs/exec.c b/fs/exec.c
44783index 574cf4d..dfe774a 100644 44918index fab2c6d..4fa20c0 100644
44784--- a/fs/exec.c 44919--- a/fs/exec.c
44785+++ b/fs/exec.c 44920+++ b/fs/exec.c
44786@@ -55,6 +55,15 @@ 44921@@ -55,6 +55,15 @@
@@ -45050,7 +45185,7 @@ index 574cf4d..dfe774a 100644
45050 set_fs(old_fs); 45185 set_fs(old_fs);
45051 return result; 45186 return result;
45052 } 45187 }
45053@@ -1257,7 +1296,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm) 45188@@ -1258,7 +1297,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
45054 } 45189 }
45055 rcu_read_unlock(); 45190 rcu_read_unlock();
45056 45191
@@ -45059,7 +45194,7 @@ index 574cf4d..dfe774a 100644
45059 bprm->unsafe |= LSM_UNSAFE_SHARE; 45194 bprm->unsafe |= LSM_UNSAFE_SHARE;
45060 } else { 45195 } else {
45061 res = -EAGAIN; 45196 res = -EAGAIN;
45062@@ -1460,6 +1499,28 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) 45197@@ -1461,6 +1500,28 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
45063 45198
45064 EXPORT_SYMBOL(search_binary_handler); 45199 EXPORT_SYMBOL(search_binary_handler);
45065 45200
@@ -45088,7 +45223,7 @@ index 574cf4d..dfe774a 100644
45088 /* 45223 /*
45089 * sys_execve() executes a new program. 45224 * sys_execve() executes a new program.
45090 */ 45225 */
45091@@ -1468,6 +1529,11 @@ static int do_execve_common(const char *filename, 45226@@ -1469,6 +1530,11 @@ static int do_execve_common(const char *filename,
45092 struct user_arg_ptr envp, 45227 struct user_arg_ptr envp,
45093 struct pt_regs *regs) 45228 struct pt_regs *regs)
45094 { 45229 {
@@ -45100,7 +45235,7 @@ index 574cf4d..dfe774a 100644
45100 struct linux_binprm *bprm; 45235 struct linux_binprm *bprm;
45101 struct file *file; 45236 struct file *file;
45102 struct files_struct *displaced; 45237 struct files_struct *displaced;
45103@@ -1475,6 +1541,8 @@ static int do_execve_common(const char *filename, 45238@@ -1476,6 +1542,8 @@ static int do_execve_common(const char *filename,
45104 int retval; 45239 int retval;
45105 const struct cred *cred = current_cred(); 45240 const struct cred *cred = current_cred();
45106 45241
@@ -45109,7 +45244,7 @@ index 574cf4d..dfe774a 100644
45109 /* 45244 /*
45110 * We move the actual failure in case of RLIMIT_NPROC excess from 45245 * We move the actual failure in case of RLIMIT_NPROC excess from
45111 * set*uid() to execve() because too many poorly written programs 45246 * set*uid() to execve() because too many poorly written programs
45112@@ -1515,12 +1583,27 @@ static int do_execve_common(const char *filename, 45247@@ -1516,12 +1584,27 @@ static int do_execve_common(const char *filename,
45113 if (IS_ERR(file)) 45248 if (IS_ERR(file))
45114 goto out_unmark; 45249 goto out_unmark;
45115 45250
@@ -45137,7 +45272,7 @@ index 574cf4d..dfe774a 100644
45137 retval = bprm_mm_init(bprm); 45272 retval = bprm_mm_init(bprm);
45138 if (retval) 45273 if (retval)
45139 goto out_file; 45274 goto out_file;
45140@@ -1537,24 +1620,65 @@ static int do_execve_common(const char *filename, 45275@@ -1538,24 +1621,65 @@ static int do_execve_common(const char *filename,
45141 if (retval < 0) 45276 if (retval < 0)
45142 goto out; 45277 goto out;
45143 45278
@@ -45207,7 +45342,7 @@ index 574cf4d..dfe774a 100644
45207 current->fs->in_exec = 0; 45342 current->fs->in_exec = 0;
45208 current->in_execve = 0; 45343 current->in_execve = 0;
45209 acct_update_integrals(current); 45344 acct_update_integrals(current);
45210@@ -1563,6 +1687,14 @@ static int do_execve_common(const char *filename, 45345@@ -1564,6 +1688,14 @@ static int do_execve_common(const char *filename,
45211 put_files_struct(displaced); 45346 put_files_struct(displaced);
45212 return retval; 45347 return retval;
45213 45348
@@ -45222,7 +45357,7 @@ index 574cf4d..dfe774a 100644
45222 out: 45357 out:
45223 if (bprm->mm) { 45358 if (bprm->mm) {
45224 acct_arg_size(bprm, 0); 45359 acct_arg_size(bprm, 0);
45225@@ -1636,7 +1768,7 @@ static int expand_corename(struct core_name *cn) 45360@@ -1637,7 +1769,7 @@ static int expand_corename(struct core_name *cn)
45226 { 45361 {
45227 char *old_corename = cn->corename; 45362 char *old_corename = cn->corename;
45228 45363
@@ -45231,7 +45366,7 @@ index 574cf4d..dfe774a 100644
45231 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL); 45366 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
45232 45367
45233 if (!cn->corename) { 45368 if (!cn->corename) {
45234@@ -1733,7 +1865,7 @@ static int format_corename(struct core_name *cn, long signr) 45369@@ -1734,7 +1866,7 @@ static int format_corename(struct core_name *cn, long signr)
45235 int pid_in_pattern = 0; 45370 int pid_in_pattern = 0;
45236 int err = 0; 45371 int err = 0;
45237 45372
@@ -45240,7 +45375,7 @@ index 574cf4d..dfe774a 100644
45240 cn->corename = kmalloc(cn->size, GFP_KERNEL); 45375 cn->corename = kmalloc(cn->size, GFP_KERNEL);
45241 cn->used = 0; 45376 cn->used = 0;
45242 45377
45243@@ -1830,6 +1962,250 @@ out: 45378@@ -1831,6 +1963,250 @@ out:
45244 return ispipe; 45379 return ispipe;
45245 } 45380 }
45246 45381
@@ -45491,7 +45626,7 @@ index 574cf4d..dfe774a 100644
45491 static int zap_process(struct task_struct *start, int exit_code) 45626 static int zap_process(struct task_struct *start, int exit_code)
45492 { 45627 {
45493 struct task_struct *t; 45628 struct task_struct *t;
45494@@ -2040,17 +2416,17 @@ static void wait_for_dump_helpers(struct file *file) 45629@@ -2041,17 +2417,17 @@ static void wait_for_dump_helpers(struct file *file)
45495 pipe = file->f_path.dentry->d_inode->i_pipe; 45630 pipe = file->f_path.dentry->d_inode->i_pipe;
45496 45631
45497 pipe_lock(pipe); 45632 pipe_lock(pipe);
@@ -45514,7 +45649,7 @@ index 574cf4d..dfe774a 100644
45514 pipe_unlock(pipe); 45649 pipe_unlock(pipe);
45515 45650
45516 } 45651 }
45517@@ -2105,7 +2481,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) 45652@@ -2106,7 +2482,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
45518 int flag = 0; 45653 int flag = 0;
45519 int ispipe; 45654 int ispipe;
45520 bool need_nonrelative = false; 45655 bool need_nonrelative = false;
@@ -45523,7 +45658,7 @@ index 574cf4d..dfe774a 100644
45523 struct coredump_params cprm = { 45658 struct coredump_params cprm = {
45524 .signr = signr, 45659 .signr = signr,
45525 .regs = regs, 45660 .regs = regs,
45526@@ -2120,6 +2496,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) 45661@@ -2121,6 +2497,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
45527 45662
45528 audit_core_dumps(signr); 45663 audit_core_dumps(signr);
45529 45664
@@ -45533,7 +45668,7 @@ index 574cf4d..dfe774a 100644
45533 binfmt = mm->binfmt; 45668 binfmt = mm->binfmt;
45534 if (!binfmt || !binfmt->core_dump) 45669 if (!binfmt || !binfmt->core_dump)
45535 goto fail; 45670 goto fail;
45536@@ -2190,7 +2569,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) 45671@@ -2191,7 +2570,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
45537 } 45672 }
45538 cprm.limit = RLIM_INFINITY; 45673 cprm.limit = RLIM_INFINITY;
45539 45674
@@ -45542,7 +45677,7 @@ index 574cf4d..dfe774a 100644
45542 if (core_pipe_limit && (core_pipe_limit < dump_count)) { 45677 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
45543 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", 45678 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
45544 task_tgid_vnr(current), current->comm); 45679 task_tgid_vnr(current), current->comm);
45545@@ -2217,6 +2596,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) 45680@@ -2218,6 +2597,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
45546 } else { 45681 } else {
45547 struct inode *inode; 45682 struct inode *inode;
45548 45683
@@ -45551,7 +45686,7 @@ index 574cf4d..dfe774a 100644
45551 if (cprm.limit < binfmt->min_coredump) 45686 if (cprm.limit < binfmt->min_coredump)
45552 goto fail_unlock; 45687 goto fail_unlock;
45553 45688
45554@@ -2268,7 +2649,7 @@ close_fail: 45689@@ -2269,7 +2650,7 @@ close_fail:
45555 filp_close(cprm.file, NULL); 45690 filp_close(cprm.file, NULL);
45556 fail_dropcount: 45691 fail_dropcount:
45557 if (ispipe) 45692 if (ispipe)
@@ -45560,7 +45695,7 @@ index 574cf4d..dfe774a 100644
45560 fail_unlock: 45695 fail_unlock:
45561 kfree(cn.corename); 45696 kfree(cn.corename);
45562 fail_corename: 45697 fail_corename:
45563@@ -2287,7 +2668,7 @@ fail: 45698@@ -2288,7 +2669,7 @@ fail:
45564 */ 45699 */
45565 int dump_write(struct file *file, const void *addr, int nr) 45700 int dump_write(struct file *file, const void *addr, int nr)
45566 { 45701 {
@@ -45652,6 +45787,57 @@ index 5c69f2b..05dec7f 100644
45652 atomic_t s_lock_busy; 45787 atomic_t s_lock_busy;
45653 45788
45654 /* locality groups */ 45789 /* locality groups */
45790diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
45791index 8ce0076..cc2d77c 100644
45792--- a/fs/ext4/ialloc.c
45793+++ b/fs/ext4/ialloc.c
45794@@ -716,6 +716,10 @@ repeat_in_this_group:
45795 "inode=%lu", ino + 1);
45796 continue;
45797 }
45798+ BUFFER_TRACE(inode_bitmap_bh, "get_write_access");
45799+ err = ext4_journal_get_write_access(handle, inode_bitmap_bh);
45800+ if (err)
45801+ goto fail;
45802 ext4_lock_group(sb, group);
45803 ret2 = ext4_test_and_set_bit(ino, inode_bitmap_bh->b_data);
45804 ext4_unlock_group(sb, group);
45805@@ -729,6 +733,11 @@ repeat_in_this_group:
45806 goto out;
45807
45808 got:
45809+ BUFFER_TRACE(inode_bitmap_bh, "call ext4_handle_dirty_metadata");
45810+ err = ext4_handle_dirty_metadata(handle, NULL, inode_bitmap_bh);
45811+ if (err)
45812+ goto fail;
45813+
45814 /* We may have to initialize the block bitmap if it isn't already */
45815 if (ext4_has_group_desc_csum(sb) &&
45816 gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
45817@@ -762,11 +771,6 @@ got:
45818 goto fail;
45819 }
45820
45821- BUFFER_TRACE(inode_bitmap_bh, "get_write_access");
45822- err = ext4_journal_get_write_access(handle, inode_bitmap_bh);
45823- if (err)
45824- goto fail;
45825-
45826 BUFFER_TRACE(group_desc_bh, "get_write_access");
45827 err = ext4_journal_get_write_access(handle, group_desc_bh);
45828 if (err)
45829@@ -814,11 +818,6 @@ got:
45830 }
45831 ext4_unlock_group(sb, group);
45832
45833- BUFFER_TRACE(inode_bitmap_bh, "call ext4_handle_dirty_metadata");
45834- err = ext4_handle_dirty_metadata(handle, NULL, inode_bitmap_bh);
45835- if (err)
45836- goto fail;
45837-
45838 BUFFER_TRACE(group_desc_bh, "call ext4_handle_dirty_metadata");
45839 err = ext4_handle_dirty_metadata(handle, NULL, group_desc_bh);
45840 if (err)
45655diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c 45841diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
45656index b26410c..7383d90 100644 45842index b26410c..7383d90 100644
45657--- a/fs/ext4/mballoc.c 45843--- a/fs/ext4/mballoc.c
@@ -47551,7 +47737,7 @@ index 7e81bfc..c3649aa 100644
47551 47737
47552 lock_flocks(); 47738 lock_flocks();
47553diff --git a/fs/namei.c b/fs/namei.c 47739diff --git a/fs/namei.c b/fs/namei.c
47554index 81bd546..80149d9 100644 47740index 091c4b7..c6d7e26 100644
47555--- a/fs/namei.c 47741--- a/fs/namei.c
47556+++ b/fs/namei.c 47742+++ b/fs/namei.c
47557@@ -265,16 +265,32 @@ int generic_permission(struct inode *inode, int mask) 47743@@ -265,16 +265,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -50292,7 +50478,7 @@ index 41514dd..6564a93 100644
50292 50478
50293 pipe_unlock(ipipe); 50479 pipe_unlock(ipipe);
50294diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c 50480diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
50295index 6b0bb00..75db2fe 100644 50481index 2fbdff6..5530a61 100644
50296--- a/fs/sysfs/dir.c 50482--- a/fs/sysfs/dir.c
50297+++ b/fs/sysfs/dir.c 50483+++ b/fs/sysfs/dir.c
50298@@ -685,6 +685,18 @@ static int create_dir(struct kobject *kobj, struct sysfs_dirent *parent_sd, 50484@@ -685,6 +685,18 @@ static int create_dir(struct kobject *kobj, struct sysfs_dirent *parent_sd,
@@ -61439,10 +61625,10 @@ index 9c02a45..89fdd73 100644
61439 unsigned int offset, size_t len); 61625 unsigned int offset, size_t len);
61440 61626
61441diff --git a/include/linux/efi.h b/include/linux/efi.h 61627diff --git a/include/linux/efi.h b/include/linux/efi.h
61442index ec45ccd..9923c32 100644 61628index 5782114..e9b1ba1 100644
61443--- a/include/linux/efi.h 61629--- a/include/linux/efi.h
61444+++ b/include/linux/efi.h 61630+++ b/include/linux/efi.h
61445@@ -635,7 +635,7 @@ struct efivar_operations { 61631@@ -640,7 +640,7 @@ struct efivar_operations {
61446 efi_get_variable_t *get_variable; 61632 efi_get_variable_t *get_variable;
61447 efi_get_next_variable_t *get_next_variable; 61633 efi_get_next_variable_t *get_next_variable;
61448 efi_set_variable_t *set_variable; 61634 efi_set_variable_t *set_variable;
@@ -65051,6 +65237,26 @@ index 9e5425b..8136ffc 100644
65051 struct list_head list; 65237 struct list_head list;
65052 /* Protects from simultaneous access to first_req list */ 65238 /* Protects from simultaneous access to first_req list */
65053 spinlock_t info_list_lock; 65239 spinlock_t info_list_lock;
65240diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
65241index f10553c..fb5204b 100644
65242--- a/include/net/cfg80211.h
65243+++ b/include/net/cfg80211.h
65244@@ -2633,6 +2633,15 @@ unsigned int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb);
65245 unsigned int __attribute_const__ ieee80211_hdrlen(__le16 fc);
65246
65247 /**
65248+ * ieee80211_get_mesh_hdrlen - get mesh extension header length
65249+ * @meshhdr: the mesh extension header, only the flags field
65250+ * (first byte) will be accessed
65251+ * Returns the length of the extension header, which is always at
65252+ * least 6 bytes and at most 18 if address 5 and 6 are present.
65253+ */
65254+unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr);
65255+
65256+/**
65257 * DOC: Data path helpers
65258 *
65259 * In addition to generic utilities, cfg80211 also offers
65054diff --git a/include/net/flow.h b/include/net/flow.h 65260diff --git a/include/net/flow.h b/include/net/flow.h
65055index 628e11b..4c475df 100644 65261index 628e11b..4c475df 100644
65056--- a/include/net/flow.h 65262--- a/include/net/flow.h
@@ -66039,7 +66245,7 @@ index 84c6bf1..8899338 100644
66039 next_state = Reset; 66245 next_state = Reset;
66040 return 0; 66246 return 0;
66041diff --git a/init/main.c b/init/main.c 66247diff --git a/init/main.c b/init/main.c
66042index b286730..9ff6135 100644 66248index d61ec54..bd3144f 100644
66043--- a/init/main.c 66249--- a/init/main.c
66044+++ b/init/main.c 66250+++ b/init/main.c
66045@@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { } 66251@@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { }
@@ -66113,7 +66319,7 @@ index b286730..9ff6135 100644
66113 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, }; 66319 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
66114 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, }; 66320 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
66115 static const char *panic_later, *panic_param; 66321 static const char *panic_later, *panic_param;
66116@@ -675,6 +732,7 @@ int __init_or_module do_one_initcall(initcall_t fn) 66322@@ -678,6 +735,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
66117 { 66323 {
66118 int count = preempt_count(); 66324 int count = preempt_count();
66119 int ret; 66325 int ret;
@@ -66121,7 +66327,7 @@ index b286730..9ff6135 100644
66121 66327
66122 if (initcall_debug) 66328 if (initcall_debug)
66123 ret = do_one_initcall_debug(fn); 66329 ret = do_one_initcall_debug(fn);
66124@@ -687,15 +745,15 @@ int __init_or_module do_one_initcall(initcall_t fn) 66330@@ -690,15 +748,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
66125 sprintf(msgbuf, "error code %d ", ret); 66331 sprintf(msgbuf, "error code %d ", ret);
66126 66332
66127 if (preempt_count() != count) { 66333 if (preempt_count() != count) {
@@ -66141,7 +66347,7 @@ index b286730..9ff6135 100644
66141 } 66347 }
66142 66348
66143 return ret; 66349 return ret;
66144@@ -749,8 +807,14 @@ static void __init do_initcall_level(int level) 66350@@ -752,8 +810,14 @@ static void __init do_initcall_level(int level)
66145 level, level, 66351 level, level,
66146 &repair_env_string); 66352 &repair_env_string);
66147 66353
@@ -66157,7 +66363,7 @@ index b286730..9ff6135 100644
66157 } 66363 }
66158 66364
66159 static void __init do_initcalls(void) 66365 static void __init do_initcalls(void)
66160@@ -784,8 +848,14 @@ static void __init do_pre_smp_initcalls(void) 66366@@ -787,8 +851,14 @@ static void __init do_pre_smp_initcalls(void)
66161 { 66367 {
66162 initcall_t *fn; 66368 initcall_t *fn;
66163 66369
@@ -66173,7 +66379,7 @@ index b286730..9ff6135 100644
66173 } 66379 }
66174 66380
66175 static void run_init_process(const char *init_filename) 66381 static void run_init_process(const char *init_filename)
66176@@ -867,7 +937,7 @@ static int __init kernel_init(void * unused) 66382@@ -870,7 +940,7 @@ static int __init kernel_init(void * unused)
66177 do_basic_setup(); 66383 do_basic_setup();
66178 66384
66179 /* Open the /dev/console on the rootfs, this should never fail */ 66385 /* Open the /dev/console on the rootfs, this should never fail */
@@ -66182,7 +66388,7 @@ index b286730..9ff6135 100644
66182 printk(KERN_WARNING "Warning: unable to open an initial console.\n"); 66388 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
66183 66389
66184 (void) sys_dup(0); 66390 (void) sys_dup(0);
66185@@ -880,11 +950,13 @@ static int __init kernel_init(void * unused) 66391@@ -883,11 +953,13 @@ static int __init kernel_init(void * unused)
66186 if (!ramdisk_execute_command) 66392 if (!ramdisk_execute_command)
66187 ramdisk_execute_command = "/init"; 66393 ramdisk_execute_command = "/init";
66188 66394
@@ -72430,7 +72636,7 @@ index 5736170..8e04800 100644
72430 return 0; 72636 return 0;
72431 } 72637 }
72432diff --git a/mm/mempolicy.c b/mm/mempolicy.c 72638diff --git a/mm/mempolicy.c b/mm/mempolicy.c
72433index 3d64b36..dbab433 100644 72639index 3d64b36..c6ab69c 100644
72434--- a/mm/mempolicy.c 72640--- a/mm/mempolicy.c
72435+++ b/mm/mempolicy.c 72641+++ b/mm/mempolicy.c
72436@@ -655,6 +655,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start, 72642@@ -655,6 +655,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
@@ -72444,7 +72650,7 @@ index 3d64b36..dbab433 100644
72444 vma = find_vma(mm, start); 72650 vma = find_vma(mm, start);
72445 if (!vma || vma->vm_start > start) 72651 if (!vma || vma->vm_start > start)
72446 return -EFAULT; 72652 return -EFAULT;
72447@@ -691,9 +695,18 @@ static int mbind_range(struct mm_struct *mm, unsigned long start, 72653@@ -691,9 +695,20 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
72448 if (err) 72654 if (err)
72449 goto out; 72655 goto out;
72450 } 72656 }
@@ -72455,15 +72661,17 @@ index 3d64b36..dbab433 100644
72455+ 72661+
72456+#ifdef CONFIG_PAX_SEGMEXEC 72662+#ifdef CONFIG_PAX_SEGMEXEC
72457+ vma_m = pax_find_mirror_vma(vma); 72663+ vma_m = pax_find_mirror_vma(vma);
72458+ err = vma_replace_policy(vma_m, new_pol); 72664+ if (vma_m) {
72459+ if (err) 72665+ err = vma_replace_policy(vma_m, new_pol);
72460+ goto out; 72666+ if (err)
72667+ goto out;
72668+ }
72461+#endif 72669+#endif
72462+ 72670+
72463 } 72671 }
72464 72672
72465 out: 72673 out:
72466@@ -1147,6 +1160,17 @@ static long do_mbind(unsigned long start, unsigned long len, 72674@@ -1147,6 +1162,17 @@ static long do_mbind(unsigned long start, unsigned long len,
72467 72675
72468 if (end < start) 72676 if (end < start)
72469 return -EINVAL; 72677 return -EINVAL;
@@ -72481,7 +72689,7 @@ index 3d64b36..dbab433 100644
72481 if (end == start) 72689 if (end == start)
72482 return 0; 72690 return 0;
72483 72691
72484@@ -1370,8 +1394,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode, 72692@@ -1370,8 +1396,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
72485 */ 72693 */
72486 tcred = __task_cred(task); 72694 tcred = __task_cred(task);
72487 if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) && 72695 if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) &&
@@ -72491,7 +72699,7 @@ index 3d64b36..dbab433 100644
72491 rcu_read_unlock(); 72699 rcu_read_unlock();
72492 err = -EPERM; 72700 err = -EPERM;
72493 goto out_put; 72701 goto out_put;
72494@@ -1402,6 +1425,15 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode, 72702@@ -1402,6 +1427,15 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
72495 goto out; 72703 goto out;
72496 } 72704 }
72497 72705
@@ -74365,10 +74573,10 @@ index 926b466..b23df53 100644
74365 if (!mm || IS_ERR(mm)) { 74573 if (!mm || IS_ERR(mm)) {
74366 rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH; 74574 rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
74367diff --git a/mm/rmap.c b/mm/rmap.c 74575diff --git a/mm/rmap.c b/mm/rmap.c
74368index 0f3b7cd..c5652b6 100644 74576index aa95e59..b681a63 100644
74369--- a/mm/rmap.c 74577--- a/mm/rmap.c
74370+++ b/mm/rmap.c 74578+++ b/mm/rmap.c
74371@@ -167,6 +167,10 @@ int anon_vma_prepare(struct vm_area_struct *vma) 74579@@ -168,6 +168,10 @@ int anon_vma_prepare(struct vm_area_struct *vma)
74372 struct anon_vma *anon_vma = vma->anon_vma; 74580 struct anon_vma *anon_vma = vma->anon_vma;
74373 struct anon_vma_chain *avc; 74581 struct anon_vma_chain *avc;
74374 74582
@@ -74379,7 +74587,7 @@ index 0f3b7cd..c5652b6 100644
74379 might_sleep(); 74587 might_sleep();
74380 if (unlikely(!anon_vma)) { 74588 if (unlikely(!anon_vma)) {
74381 struct mm_struct *mm = vma->vm_mm; 74589 struct mm_struct *mm = vma->vm_mm;
74382@@ -176,6 +180,12 @@ int anon_vma_prepare(struct vm_area_struct *vma) 74590@@ -177,6 +181,12 @@ int anon_vma_prepare(struct vm_area_struct *vma)
74383 if (!avc) 74591 if (!avc)
74384 goto out_enomem; 74592 goto out_enomem;
74385 74593
@@ -74392,7 +74600,7 @@ index 0f3b7cd..c5652b6 100644
74392 anon_vma = find_mergeable_anon_vma(vma); 74600 anon_vma = find_mergeable_anon_vma(vma);
74393 allocated = NULL; 74601 allocated = NULL;
74394 if (!anon_vma) { 74602 if (!anon_vma) {
74395@@ -189,6 +199,18 @@ int anon_vma_prepare(struct vm_area_struct *vma) 74603@@ -190,6 +200,18 @@ int anon_vma_prepare(struct vm_area_struct *vma)
74396 /* page_table_lock to protect against threads */ 74604 /* page_table_lock to protect against threads */
74397 spin_lock(&mm->page_table_lock); 74605 spin_lock(&mm->page_table_lock);
74398 if (likely(!vma->anon_vma)) { 74606 if (likely(!vma->anon_vma)) {
@@ -74411,7 +74619,7 @@ index 0f3b7cd..c5652b6 100644
74411 vma->anon_vma = anon_vma; 74619 vma->anon_vma = anon_vma;
74412 anon_vma_chain_link(vma, avc, anon_vma); 74620 anon_vma_chain_link(vma, avc, anon_vma);
74413 allocated = NULL; 74621 allocated = NULL;
74414@@ -199,12 +221,24 @@ int anon_vma_prepare(struct vm_area_struct *vma) 74622@@ -200,12 +222,24 @@ int anon_vma_prepare(struct vm_area_struct *vma)
74415 74623
74416 if (unlikely(allocated)) 74624 if (unlikely(allocated))
74417 put_anon_vma(allocated); 74625 put_anon_vma(allocated);
@@ -74436,7 +74644,7 @@ index 0f3b7cd..c5652b6 100644
74436 anon_vma_chain_free(avc); 74644 anon_vma_chain_free(avc);
74437 out_enomem: 74645 out_enomem:
74438 return -ENOMEM; 74646 return -ENOMEM;
74439@@ -240,7 +274,7 @@ static inline void unlock_anon_vma_root(struct anon_vma *root) 74647@@ -241,7 +275,7 @@ static inline void unlock_anon_vma_root(struct anon_vma *root)
74440 * Attach the anon_vmas from src to dst. 74648 * Attach the anon_vmas from src to dst.
74441 * Returns 0 on success, -ENOMEM on failure. 74649 * Returns 0 on success, -ENOMEM on failure.
74442 */ 74650 */
@@ -74445,7 +74653,7 @@ index 0f3b7cd..c5652b6 100644
74445 { 74653 {
74446 struct anon_vma_chain *avc, *pavc; 74654 struct anon_vma_chain *avc, *pavc;
74447 struct anon_vma *root = NULL; 74655 struct anon_vma *root = NULL;
74448@@ -318,7 +352,7 @@ void anon_vma_moveto_tail(struct vm_area_struct *dst) 74656@@ -319,7 +353,7 @@ void anon_vma_moveto_tail(struct vm_area_struct *dst)
74449 * the corresponding VMA in the parent process is attached to. 74657 * the corresponding VMA in the parent process is attached to.
74450 * Returns 0 on success, non-zero on failure. 74658 * Returns 0 on success, non-zero on failure.
74451 */ 74659 */
@@ -77077,11 +77285,42 @@ index 2a1383c..ff99572 100644
77077 get_random_bytes(&net->ipv4.dev_addr_genid, 77285 get_random_bytes(&net->ipv4.dev_addr_genid,
77078 sizeof(net->ipv4.dev_addr_genid)); 77286 sizeof(net->ipv4.dev_addr_genid));
77079 return 0; 77287 return 0;
77288diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
77289index 813b43a..834857f 100644
77290--- a/net/ipv4/tcp_illinois.c
77291+++ b/net/ipv4/tcp_illinois.c
77292@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
77293 .tcpv_rttcnt = ca->cnt_rtt,
77294 .tcpv_minrtt = ca->base_rtt,
77295 };
77296- u64 t = ca->sum_rtt;
77297
77298- do_div(t, ca->cnt_rtt);
77299- info.tcpv_rtt = t;
77300+ if (info.tcpv_rttcnt > 0) {
77301+ u64 t = ca->sum_rtt;
77302
77303+ do_div(t, info.tcpv_rttcnt);
77304+ info.tcpv_rtt = t;
77305+ }
77306 nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
77307 }
77308 }
77080diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c 77309diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
77081index d377f48..c2211ed 100644 77310index d377f48..f19e3ec 100644
77082--- a/net/ipv4/tcp_input.c 77311--- a/net/ipv4/tcp_input.c
77083+++ b/net/ipv4/tcp_input.c 77312+++ b/net/ipv4/tcp_input.c
77084@@ -4728,7 +4728,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, 77313@@ -4556,6 +4556,9 @@ int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size)
77314 struct tcphdr *th;
77315 bool fragstolen;
77316
77317+ if (size == 0)
77318+ return 0;
77319+
77320 skb = alloc_skb(size + sizeof(*th), sk->sk_allocation);
77321 if (!skb)
77322 goto err;
77323@@ -4728,7 +4731,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
77085 * simplifies code) 77324 * simplifies code)
77086 */ 77325 */
77087 static void 77326 static void
@@ -77879,6 +78118,31 @@ index 34e4185..8823368 100644
77879 } while (!res); 78118 } while (!res);
77880 return res; 78119 return res;
77881 } 78120 }
78121diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
78122index 3bfb34a..69bf48d 100644
78123--- a/net/l2tp/l2tp_eth.c
78124+++ b/net/l2tp/l2tp_eth.c
78125@@ -290,6 +290,7 @@ static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 p
78126
78127 out_del_dev:
78128 free_netdev(dev);
78129+ spriv->dev = NULL;
78130 out_del_session:
78131 l2tp_session_delete(session);
78132 out:
78133diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
78134index 5746d62..327aa07 100644
78135--- a/net/mac80211/ibss.c
78136+++ b/net/mac80211/ibss.c
78137@@ -1074,7 +1074,7 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
78138 sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
78139 sdata->u.ibss.ibss_join_req = jiffies;
78140
78141- memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN);
78142+ memcpy(sdata->u.ibss.ssid, params->ssid, params->ssid_len);
78143 sdata->u.ibss.ssid_len = params->ssid_len;
78144
78145 mutex_unlock(&sdata->u.ibss.mtx);
77882diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h 78146diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
77883index bb61f77..3788d63 100644 78147index bb61f77..3788d63 100644
77884--- a/net/mac80211/ieee80211_i.h 78148--- a/net/mac80211/ieee80211_i.h
@@ -77901,7 +78165,7 @@ index bb61f77..3788d63 100644
77901 /* number of interfaces with corresponding FIF_ flags */ 78165 /* number of interfaces with corresponding FIF_ flags */
77902 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll, 78166 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
77903diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c 78167diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
77904index bfb57dc..77c4b81 100644 78168index c93d395..a305570 100644
77905--- a/net/mac80211/iface.c 78169--- a/net/mac80211/iface.c
77906+++ b/net/mac80211/iface.c 78170+++ b/net/mac80211/iface.c
77907@@ -454,7 +454,7 @@ static int ieee80211_do_open(struct net_device *dev, bool coming_up) 78171@@ -454,7 +454,7 @@ static int ieee80211_do_open(struct net_device *dev, bool coming_up)
@@ -78037,8 +78301,108 @@ index c97a065..ff61928 100644
78037 return -EFAULT; 78301 return -EFAULT;
78038 78302
78039 return p; 78303 return p;
78304diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
78305index 0cb4ede..884155d 100644
78306--- a/net/mac80211/rx.c
78307+++ b/net/mac80211/rx.c
78308@@ -491,6 +491,11 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
78309
78310 if (ieee80211_is_action(hdr->frame_control)) {
78311 u8 category;
78312+
78313+ /* make sure category field is present */
78314+ if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
78315+ return RX_DROP_MONITOR;
78316+
78317 mgmt = (struct ieee80211_mgmt *)hdr;
78318 category = mgmt->u.action.category;
78319 if (category != WLAN_CATEGORY_MESH_ACTION &&
78320@@ -1426,7 +1431,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
78321 frag = sc & IEEE80211_SCTL_FRAG;
78322
78323 if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
78324- (rx->skb)->len < 24 ||
78325 is_multicast_ether_addr(hdr->addr1))) {
78326 /* not fragmented */
78327 goto out;
78328@@ -1849,6 +1853,20 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
78329
78330 hdr = (struct ieee80211_hdr *) skb->data;
78331 hdrlen = ieee80211_hdrlen(hdr->frame_control);
78332+
78333+ /* make sure fixed part of mesh header is there, also checks skb len */
78334+ if (!pskb_may_pull(rx->skb, hdrlen + 6))
78335+ return RX_DROP_MONITOR;
78336+
78337+ mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
78338+
78339+ /* make sure full mesh header is there, also checks skb len */
78340+ if (!pskb_may_pull(rx->skb,
78341+ hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
78342+ return RX_DROP_MONITOR;
78343+
78344+ /* reload pointers */
78345+ hdr = (struct ieee80211_hdr *) skb->data;
78346 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
78347
78348 /* frame is in RMC, don't forward */
78349@@ -1871,9 +1889,12 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
78350 if (is_multicast_ether_addr(hdr->addr1)) {
78351 mpp_addr = hdr->addr3;
78352 proxied_addr = mesh_hdr->eaddr1;
78353- } else {
78354+ } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
78355+ /* has_a4 already checked in ieee80211_rx_mesh_check */
78356 mpp_addr = hdr->addr4;
78357 proxied_addr = mesh_hdr->eaddr2;
78358+ } else {
78359+ return RX_DROP_MONITOR;
78360 }
78361
78362 rcu_read_lock();
78363@@ -2313,6 +2334,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
78364 }
78365 break;
78366 case WLAN_CATEGORY_SELF_PROTECTED:
78367+ if (len < (IEEE80211_MIN_ACTION_SIZE +
78368+ sizeof(mgmt->u.action.u.self_prot.action_code)))
78369+ break;
78370+
78371 switch (mgmt->u.action.u.self_prot.action_code) {
78372 case WLAN_SP_MESH_PEERING_OPEN:
78373 case WLAN_SP_MESH_PEERING_CLOSE:
78374@@ -2331,6 +2356,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
78375 }
78376 break;
78377 case WLAN_CATEGORY_MESH_ACTION:
78378+ if (len < (IEEE80211_MIN_ACTION_SIZE +
78379+ sizeof(mgmt->u.action.u.mesh_action.action_code)))
78380+ break;
78381+
78382 if (!ieee80211_vif_is_mesh(&sdata->vif))
78383 break;
78384 if (mesh_action_is_path_sel(mgmt) &&
78385@@ -2865,10 +2894,15 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
78386 if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
78387 local->dot11ReceivedFragmentCount++;
78388
78389- if (ieee80211_is_mgmt(fc))
78390- err = skb_linearize(skb);
78391- else
78392+ if (ieee80211_is_mgmt(fc)) {
78393+ /* drop frame if too short for header */
78394+ if (skb->len < ieee80211_hdrlen(fc))
78395+ err = -ENOBUFS;
78396+ else
78397+ err = skb_linearize(skb);
78398+ } else {
78399 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
78400+ }
78401
78402 if (err) {
78403 dev_kfree_skb(skb);
78040diff --git a/net/mac80211/util.c b/net/mac80211/util.c 78404diff --git a/net/mac80211/util.c b/net/mac80211/util.c
78041index 39b82fe..5469ef4 100644 78405index c9b52f7..4da1014 100644
78042--- a/net/mac80211/util.c 78406--- a/net/mac80211/util.c
78043+++ b/net/mac80211/util.c 78407+++ b/net/mac80211/util.c
78044@@ -1251,7 +1251,7 @@ int ieee80211_reconfig(struct ieee80211_local *local) 78408@@ -1251,7 +1251,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
@@ -78420,6 +78784,28 @@ index 7261eb8..44e8ac6 100644
78420 sax->fsa_ax25.sax25_call = nr->source_addr; 78784 sax->fsa_ax25.sax25_call = nr->source_addr;
78421 *uaddr_len = sizeof(struct sockaddr_ax25); 78785 *uaddr_len = sizeof(struct sockaddr_ax25);
78422 } 78786 }
78787diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
78788index ddeb9aa..e18fffd 100644
78789--- a/net/nfc/llcp/sock.c
78790+++ b/net/nfc/llcp/sock.c
78791@@ -443,15 +443,11 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
78792 pr_debug("sock %p sk %p flags 0x%x\n", sock, sk, flags);
78793
78794 if (!addr || len < sizeof(struct sockaddr_nfc) ||
78795- addr->sa_family != AF_NFC) {
78796- pr_err("Invalid socket\n");
78797+ addr->sa_family != AF_NFC)
78798 return -EINVAL;
78799- }
78800
78801- if (addr->service_name_len == 0 && addr->dsap == 0) {
78802- pr_err("Missing service name or dsap\n");
78803+ if (addr->service_name_len == 0 && addr->dsap == 0)
78804 return -EINVAL;
78805- }
78806
78807 pr_debug("addr dev_idx=%u target_idx=%u protocol=%u\n", addr->dev_idx,
78808 addr->target_idx, addr->nfc_protocol);
78423diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c 78809diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
78424index c5c9e2a..4814ab1 100644 78810index c5c9e2a..4814ab1 100644
78425--- a/net/packet/af_packet.c 78811--- a/net/packet/af_packet.c
@@ -79607,6 +79993,27 @@ index bc7430b..35349de 100644
79607 struct rfkill *rfkill; 79993 struct rfkill *rfkill;
79608 struct work_struct rfkill_sync; 79994 struct work_struct rfkill_sync;
79609 79995
79996diff --git a/net/wireless/util.c b/net/wireless/util.c
79997index 994e2f0..f67aeb1 100644
79998--- a/net/wireless/util.c
79999+++ b/net/wireless/util.c
80000@@ -309,7 +309,7 @@ unsigned int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb)
80001 }
80002 EXPORT_SYMBOL(ieee80211_get_hdrlen_from_skb);
80003
80004-static int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
80005+unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
80006 {
80007 int ae = meshhdr->flags & MESH_FLAGS_AE;
80008 /* 7.1.3.5a.2 */
80009@@ -326,6 +326,7 @@ static int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
80010 return 6;
80011 }
80012 }
80013+EXPORT_SYMBOL(ieee80211_get_mesh_hdrlen);
80014
80015 int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
80016 enum nl80211_iftype iftype)
79610diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c 80017diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
79611index b0eb7aa..7d73e82 100644 80018index b0eb7aa..7d73e82 100644
79612--- a/net/wireless/wext-core.c 80019--- a/net/wireless/wext-core.c
@@ -89442,32 +89849,6 @@ index 6789d78..4afd019e 100644
89442+ .endm 89849+ .endm
89443+ 89850+
89444 #endif 89851 #endif
89445diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c
89446index af0f22f..9a7d479 100644
89447--- a/usr/gen_init_cpio.c
89448+++ b/usr/gen_init_cpio.c
89449@@ -303,7 +303,7 @@ static int cpio_mkfile(const char *name, const char *location,
89450 int retval;
89451 int rc = -1;
89452 int namesize;
89453- int i;
89454+ unsigned int i;
89455
89456 mode |= S_IFREG;
89457
89458@@ -392,9 +392,10 @@ static char *cpio_replace_env(char *new_location)
89459 *env_var = *expanded = '\0';
89460 strncat(env_var, start + 2, end - start - 2);
89461 strncat(expanded, new_location, start - new_location);
89462- strncat(expanded, getenv(env_var), PATH_MAX);
89463- strncat(expanded, end + 1, PATH_MAX);
89464+ strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
89465+ strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
89466 strncpy(new_location, expanded, PATH_MAX);
89467+ new_location[PATH_MAX] = 0;
89468 } else
89469 break;
89470 }
89471diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c 89852diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
89472index d617f69..6b445d2 100644 89853index d617f69..6b445d2 100644
89473--- a/virt/kvm/kvm_main.c 89854--- a/virt/kvm/kvm_main.c