diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-18 06:47:53 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-19 06:38:20 +0000 |
commit | bcbc45908a6264b88bb5f2f62f182f27d167bcf8 (patch) | |
tree | 117fbdfcf749f9eb6c7bb166a3552e601805ab31 | |
parent | 308a108d91e3b3310ca9175bf5663ff2c5f0e6ff (diff) | |
download | alpine_aports-bcbc45908a6264b88bb5f2f62f182f27d167bcf8.tar.bz2 alpine_aports-bcbc45908a6264b88bb5f2f62f182f27d167bcf8.tar.xz alpine_aports-bcbc45908a6264b88bb5f2f62f182f27d167bcf8.zip |
main/linux-grsec: upgrade to 3.9.6 and fix CVE-2013-2851
fixes #2078
fixes #2089
fixes #2094
(cherry picked from commit b52eb6193eb9c18980886ff25d2e4e41dd887078)
-rw-r--r-- | main/linux-grsec/APKBUILD | 23 | ||||
-rw-r--r-- | main/linux-grsec/CVE-2013-2851.patch | 60 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9.1-3.9.6-201306171904.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.9.5-201306111850.patch) | 845 |
3 files changed, 836 insertions, 92 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index bbaacff686..cd5bb17371 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD | |||
@@ -2,12 +2,12 @@ | |||
2 | 2 | ||
3 | _flavor=grsec | 3 | _flavor=grsec |
4 | pkgname=linux-${_flavor} | 4 | pkgname=linux-${_flavor} |
5 | pkgver=3.9.5 | 5 | pkgver=3.9.6 |
6 | case $pkgver in | 6 | case $pkgver in |
7 | *.*.*) _kernver=${pkgver%.*};; | 7 | *.*.*) _kernver=${pkgver%.*};; |
8 | *.*) _kernver=${pkgver};; | 8 | *.*) _kernver=${pkgver};; |
9 | esac | 9 | esac |
10 | pkgrel=1 | 10 | pkgrel=0 |
11 | pkgdesc="Linux kernel with grsecurity" | 11 | pkgdesc="Linux kernel with grsecurity" |
12 | url=http://grsecurity.net | 12 | url=http://grsecurity.net |
13 | depends="mkinitfs linux-firmware" | 13 | depends="mkinitfs linux-firmware" |
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}} | |||
17 | install= | 17 | install= |
18 | source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz | 18 | source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz |
19 | http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz | 19 | http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz |
20 | grsecurity-2.9.1-3.9.5-201306111850.patch | 20 | grsecurity-2.9.1-3.9.6-201306171904.patch |
21 | 21 | ||
22 | 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch | 22 | 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch |
23 | 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch | 23 | 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch |
@@ -26,6 +26,8 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz | |||
26 | 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch | 26 | 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch |
27 | 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch | 27 | 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch |
28 | 28 | ||
29 | CVE-2013-2851.patch | ||
30 | |||
29 | kernelconfig.x86 | 31 | kernelconfig.x86 |
30 | kernelconfig.x86_64 | 32 | kernelconfig.x86_64 |
31 | " | 33 | " |
@@ -149,35 +151,38 @@ dev() { | |||
149 | } | 151 | } |
150 | 152 | ||
151 | md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz | 153 | md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz |
152 | aa22187ae5cd482a69097e9e59244491 patch-3.9.5.xz | 154 | 897cffc5167a561b38c6748e7f0a4215 patch-3.9.6.xz |
153 | cbc169ce43edf201acb158ce7e468516 grsecurity-2.9.1-3.9.5-201306111850.patch | 155 | 8c9e11d9121958fa866b330ed3dbe4bd grsecurity-2.9.1-3.9.6-201306171904.patch |
154 | a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch | 156 | a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch |
155 | 656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch | 157 | 656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch |
156 | aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch | 158 | aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch |
157 | 2a12a3717052e878c0cd42aa935bfcf4 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch | 159 | 2a12a3717052e878c0cd42aa935bfcf4 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch |
158 | 6ce5fed63aad3f1a1ff1b9ba7b741822 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch | 160 | 6ce5fed63aad3f1a1ff1b9ba7b741822 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch |
159 | 1a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch | 161 | 1a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch |
162 | eca3b4897b2a2191576ba719609cc654 CVE-2013-2851.patch | ||
160 | 3e219a1f25136b204d00865939532fe9 kernelconfig.x86 | 163 | 3e219a1f25136b204d00865939532fe9 kernelconfig.x86 |
161 | 1d057c89927a68e5f44896887ad3e379 kernelconfig.x86_64" | 164 | 1d057c89927a68e5f44896887ad3e379 kernelconfig.x86_64" |
162 | sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz | 165 | sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz |
163 | f25145ff6ddde7a633839aabfd97b0d8239e14c494fd16210871229a35c1c0de patch-3.9.5.xz | 166 | 13296dad939ef4e05adba87b9d0476aa8e2ccf92866f14835327dae8a1402fc3 patch-3.9.6.xz |
164 | 12ea825b5494c41529d1b3dda89fe592d6b4fc06d027b2e7f2e9a1ae41c3617c grsecurity-2.9.1-3.9.5-201306111850.patch | 167 | a14302153a717e8cf8346c44ed4ac620b87a38795afa72c3f61797eab221290d grsecurity-2.9.1-3.9.6-201306171904.patch |
165 | 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch | 168 | 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch |
166 | dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch | 169 | dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch |
167 | 0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch | 170 | 0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch |
168 | 260fd1807838b68305a96992bf7d3302a2a8ef3a3b08fe079ba9a07e6422f736 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch | 171 | 260fd1807838b68305a96992bf7d3302a2a8ef3a3b08fe079ba9a07e6422f736 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch |
169 | ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch | 172 | ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch |
170 | fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch | 173 | fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch |
174 | 461d159751095d3624d74867dc8b3e3865e3a67c4b3cd48188f5ae2f1f1f66cb CVE-2013-2851.patch | ||
171 | cc3bd3d23f6a73ea6488c158de9d195ad5e3d87859ce02d92a04f0e08c9503d3 kernelconfig.x86 | 175 | cc3bd3d23f6a73ea6488c158de9d195ad5e3d87859ce02d92a04f0e08c9503d3 kernelconfig.x86 |
172 | b780ef646b3b30a5b0307102367e17d45bb3a0ab7e37cf92a1ce783c3149243a kernelconfig.x86_64" | 176 | b780ef646b3b30a5b0307102367e17d45bb3a0ab7e37cf92a1ce783c3149243a kernelconfig.x86_64" |
173 | sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz | 177 | sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz |
174 | 8e9a064adadd062c7ca52c44de19dfd46b029e60f2832988a606e086b669ea699861ec57732d4abfb16e486f767d123fcfd66da7c2ddde380b7c13582bb44983 patch-3.9.5.xz | 178 | 6c79bde85d86c7e7dca160d5bdd5826ae05ed41cb372d0a94e4f9840413351a8bc1fec50159d59dbac462345bd13c31c6c4d8c47187ee6d87b4d71c8560093da patch-3.9.6.xz |
175 | e52a55753c0821c08578924abe2d6ccc02743050e71c827fefd21e616a887e45459f3a7eb56b22b6ec0d25555cbb37f0df5cd1fe695b2277dfd7109f4f84ae8a grsecurity-2.9.1-3.9.5-201306111850.patch | 179 | fe8a4fffb18b6ef88951e97cd20e464674e10d2a6a76a0b17d4922b87b24c6653a81d798f0b93dfb7545da011a29d73dfafd73b258f528bbe81984ef24c137ac grsecurity-2.9.1-3.9.6-201306171904.patch |
176 | 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch | 180 | 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch |
177 | 51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch | 181 | 51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch |
178 | 57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch | 182 | 57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch |
179 | d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d711e3486628ed56ab996484e219d79ac4b0c0ec684ebd380aa 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch | 183 | d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d711e3486628ed56ab996484e219d79ac4b0c0ec684ebd380aa 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch |
180 | 28a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch | 184 | 28a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch |
181 | 249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch | 185 | 249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch |
186 | 5e5c9ac96b87efc811bd612774934a5fb8635a34d7fbe13ea80f5a8da19efa2a71f0bcab08a85224612f332d7485cea1d6cbd4d64644d90a3dd576f3458e5a99 CVE-2013-2851.patch | ||
182 | 00fd8694455935f96e46b6624388b8c04af27ce4295040362da78c34bf9f08382bc69c1b8b273145573a59e3b4eecfa251119560da19ab390f171a8a6da18298 kernelconfig.x86 | 187 | 00fd8694455935f96e46b6624388b8c04af27ce4295040362da78c34bf9f08382bc69c1b8b273145573a59e3b4eecfa251119560da19ab390f171a8a6da18298 kernelconfig.x86 |
183 | 6276f503f9dd7ea228b1661f9a36edcf18d2c4cfb6d9c4e3e1496a4f70709cc693fc8498186d86dd3f303c909c50e478cb95e08a05f50bda77c9cf165aca1ba1 kernelconfig.x86_64" | 188 | 6276f503f9dd7ea228b1661f9a36edcf18d2c4cfb6d9c4e3e1496a4f70709cc693fc8498186d86dd3f303c909c50e478cb95e08a05f50bda77c9cf165aca1ba1 kernelconfig.x86_64" |
diff --git a/main/linux-grsec/CVE-2013-2851.patch b/main/linux-grsec/CVE-2013-2851.patch new file mode 100644 index 0000000000..3407731c7d --- /dev/null +++ b/main/linux-grsec/CVE-2013-2851.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | Subject: [PATCH 1/8] block: do not pass disk names as format strings | ||
2 | |||
3 | Disk names may contain arbitrary strings, so they must not be interpreted | ||
4 | as format strings. It seems that only md allows arbitrary strings to be | ||
5 | used for disk names, but this could allow for a local memory corruption | ||
6 | from uid 0 into ring 0. | ||
7 | |||
8 | CVE-2013-2851 | ||
9 | |||
10 | Signed-off-by: Kees Cook <keescook@chromium.org> | ||
11 | Cc: stable@vger.kernel.org | ||
12 | Cc: Jens Axboe <axboe@kernel.dk> | ||
13 | --- | ||
14 | block/genhd.c | 2 +- | ||
15 | drivers/block/nbd.c | 3 ++- | ||
16 | drivers/scsi/osd/osd_uld.c | 2 +- | ||
17 | 3 files changed, 4 insertions(+), 3 deletions(-) | ||
18 | |||
19 | diff --git a/block/genhd.c b/block/genhd.c | ||
20 | index 20625ee..cdeb527 100644 | ||
21 | --- a/block/genhd.c | ||
22 | +++ b/block/genhd.c | ||
23 | @@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk) | ||
24 | |||
25 | ddev->parent = disk->driverfs_dev; | ||
26 | |||
27 | - dev_set_name(ddev, disk->disk_name); | ||
28 | + dev_set_name(ddev, "%s", disk->disk_name); | ||
29 | |||
30 | /* delay uevents, until we scanned partition table */ | ||
31 | dev_set_uevent_suppress(ddev, 1); | ||
32 | diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c | ||
33 | index 037288e..46b35f7 100644 | ||
34 | --- a/drivers/block/nbd.c | ||
35 | +++ b/drivers/block/nbd.c | ||
36 | @@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, | ||
37 | else | ||
38 | blk_queue_flush(nbd->disk->queue, 0); | ||
39 | |||
40 | - thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name); | ||
41 | + thread = kthread_create(nbd_thread, nbd, "%s", | ||
42 | + nbd->disk->disk_name); | ||
43 | if (IS_ERR(thread)) { | ||
44 | mutex_lock(&nbd->tx_lock); | ||
45 | return PTR_ERR(thread); | ||
46 | diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c | ||
47 | index 0fab6b5..9d86947 100644 | ||
48 | --- a/drivers/scsi/osd/osd_uld.c | ||
49 | +++ b/drivers/scsi/osd/osd_uld.c | ||
50 | @@ -485,7 +485,7 @@ static int osd_probe(struct device *dev) | ||
51 | oud->class_dev.class = &osd_uld_class; | ||
52 | oud->class_dev.parent = dev; | ||
53 | oud->class_dev.release = __remove; | ||
54 | - error = dev_set_name(&oud->class_dev, disk->disk_name); | ||
55 | + error = dev_set_name(&oud->class_dev, "%s", disk->disk_name); | ||
56 | if (error) { | ||
57 | OSD_ERR("dev_set_name failed => %d\n", error); | ||
58 | goto err_put_cdev; | ||
59 | -- | ||
60 | 1.7.9.5 | ||
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.5-201306111850.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.6-201306171904.patch index 183d9f7a54..430bb2aca9 100644 --- a/main/linux-grsec/grsecurity-2.9.1-3.9.5-201306111850.patch +++ b/main/linux-grsec/grsecurity-2.9.1-3.9.6-201306171904.patch | |||
@@ -259,7 +259,7 @@ index 8ccbf27..afffeb4 100644 | |||
259 | 259 | ||
260 | pcd. [PARIDE] | 260 | pcd. [PARIDE] |
261 | diff --git a/Makefile b/Makefile | 261 | diff --git a/Makefile b/Makefile |
262 | index 8818c95..ced0bb1 100644 | 262 | index 4a40307..9ac699b 100644 |
263 | --- a/Makefile | 263 | --- a/Makefile |
264 | +++ b/Makefile | 264 | +++ b/Makefile |
265 | @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ | 265 | @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ |
@@ -6682,10 +6682,10 @@ index 2e3200c..72095ce 100644 | |||
6682 | /* Find this entry, or if that fails, the next avail. entry */ | 6682 | /* Find this entry, or if that fails, the next avail. entry */ |
6683 | while (entry->jump[0]) { | 6683 | while (entry->jump[0]) { |
6684 | diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c | 6684 | diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c |
6685 | index 16e77a8..4501b41 100644 | 6685 | index 9600c36..0c156d7 100644 |
6686 | --- a/arch/powerpc/kernel/process.c | 6686 | --- a/arch/powerpc/kernel/process.c |
6687 | +++ b/arch/powerpc/kernel/process.c | 6687 | +++ b/arch/powerpc/kernel/process.c |
6688 | @@ -870,8 +870,8 @@ void show_regs(struct pt_regs * regs) | 6688 | @@ -871,8 +871,8 @@ void show_regs(struct pt_regs * regs) |
6689 | * Lookup NIP late so we have the best change of getting the | 6689 | * Lookup NIP late so we have the best change of getting the |
6690 | * above info out without failing | 6690 | * above info out without failing |
6691 | */ | 6691 | */ |
@@ -6696,7 +6696,7 @@ index 16e77a8..4501b41 100644 | |||
6696 | #endif | 6696 | #endif |
6697 | #ifdef CONFIG_PPC_TRANSACTIONAL_MEM | 6697 | #ifdef CONFIG_PPC_TRANSACTIONAL_MEM |
6698 | printk("PACATMSCRATCH [%llx]\n", get_paca()->tm_scratch); | 6698 | printk("PACATMSCRATCH [%llx]\n", get_paca()->tm_scratch); |
6699 | @@ -1330,10 +1330,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) | 6699 | @@ -1331,10 +1331,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) |
6700 | newsp = stack[0]; | 6700 | newsp = stack[0]; |
6701 | ip = stack[STACK_FRAME_LR_SAVE]; | 6701 | ip = stack[STACK_FRAME_LR_SAVE]; |
6702 | if (!firstframe || ip != lr) { | 6702 | if (!firstframe || ip != lr) { |
@@ -6709,7 +6709,7 @@ index 16e77a8..4501b41 100644 | |||
6709 | (void *)current->ret_stack[curr_frame].ret); | 6709 | (void *)current->ret_stack[curr_frame].ret); |
6710 | curr_frame--; | 6710 | curr_frame--; |
6711 | } | 6711 | } |
6712 | @@ -1353,7 +1353,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) | 6712 | @@ -1354,7 +1354,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) |
6713 | struct pt_regs *regs = (struct pt_regs *) | 6713 | struct pt_regs *regs = (struct pt_regs *) |
6714 | (sp + STACK_FRAME_OVERHEAD); | 6714 | (sp + STACK_FRAME_OVERHEAD); |
6715 | lr = regs->link; | 6715 | lr = regs->link; |
@@ -6718,7 +6718,7 @@ index 16e77a8..4501b41 100644 | |||
6718 | regs->trap, (void *)regs->nip, (void *)lr); | 6718 | regs->trap, (void *)regs->nip, (void *)lr); |
6719 | firstframe = 1; | 6719 | firstframe = 1; |
6720 | } | 6720 | } |
6721 | @@ -1395,58 +1395,3 @@ void __ppc64_runlatch_off(void) | 6721 | @@ -1396,58 +1396,3 @@ void __ppc64_runlatch_off(void) |
6722 | mtspr(SPRN_CTRLT, ctrl); | 6722 | mtspr(SPRN_CTRLT, ctrl); |
6723 | } | 6723 | } |
6724 | #endif /* CONFIG_PPC64 */ | 6724 | #endif /* CONFIG_PPC64 */ |
@@ -6856,7 +6856,7 @@ index 3ce1f86..c30e629 100644 | |||
6856 | }; | 6856 | }; |
6857 | 6857 | ||
6858 | diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c | 6858 | diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c |
6859 | index 1c22b2d..3b56e67 100644 | 6859 | index 29857c6..bd31e27 100644 |
6860 | --- a/arch/powerpc/kernel/traps.c | 6860 | --- a/arch/powerpc/kernel/traps.c |
6861 | +++ b/arch/powerpc/kernel/traps.c | 6861 | +++ b/arch/powerpc/kernel/traps.c |
6862 | @@ -142,6 +142,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs) | 6862 | @@ -142,6 +142,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs) |
@@ -31363,10 +31363,10 @@ index e006c18..b9a7d6c 100644 | |||
31363 | .alloc_pud = xen_alloc_pmd_init, | 31363 | .alloc_pud = xen_alloc_pmd_init, |
31364 | .release_pud = xen_release_pmd_init, | 31364 | .release_pud = xen_release_pmd_init, |
31365 | diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c | 31365 | diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c |
31366 | index 22c800a..8915f1e 100644 | 31366 | index 96c4e85..284fded 100644 |
31367 | --- a/arch/x86/xen/smp.c | 31367 | --- a/arch/x86/xen/smp.c |
31368 | +++ b/arch/x86/xen/smp.c | 31368 | +++ b/arch/x86/xen/smp.c |
31369 | @@ -229,11 +229,6 @@ static void __init xen_smp_prepare_boot_cpu(void) | 31369 | @@ -230,11 +230,6 @@ static void __init xen_smp_prepare_boot_cpu(void) |
31370 | { | 31370 | { |
31371 | BUG_ON(smp_processor_id() != 0); | 31371 | BUG_ON(smp_processor_id() != 0); |
31372 | native_smp_prepare_boot_cpu(); | 31372 | native_smp_prepare_boot_cpu(); |
@@ -31378,7 +31378,7 @@ index 22c800a..8915f1e 100644 | |||
31378 | xen_filter_cpu_maps(); | 31378 | xen_filter_cpu_maps(); |
31379 | xen_setup_vcpu_info_placement(); | 31379 | xen_setup_vcpu_info_placement(); |
31380 | } | 31380 | } |
31381 | @@ -303,7 +298,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) | 31381 | @@ -304,7 +299,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) |
31382 | ctxt->user_regs.ss = __KERNEL_DS; | 31382 | ctxt->user_regs.ss = __KERNEL_DS; |
31383 | #ifdef CONFIG_X86_32 | 31383 | #ifdef CONFIG_X86_32 |
31384 | ctxt->user_regs.fs = __KERNEL_PERCPU; | 31384 | ctxt->user_regs.fs = __KERNEL_PERCPU; |
@@ -31387,7 +31387,7 @@ index 22c800a..8915f1e 100644 | |||
31387 | #else | 31387 | #else |
31388 | ctxt->gs_base_kernel = per_cpu_offset(cpu); | 31388 | ctxt->gs_base_kernel = per_cpu_offset(cpu); |
31389 | #endif | 31389 | #endif |
31390 | @@ -313,8 +308,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) | 31390 | @@ -314,8 +309,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) |
31391 | 31391 | ||
31392 | { | 31392 | { |
31393 | ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */ | 31393 | ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */ |
@@ -31398,7 +31398,7 @@ index 22c800a..8915f1e 100644 | |||
31398 | 31398 | ||
31399 | xen_copy_trap_info(ctxt->trap_ctxt); | 31399 | xen_copy_trap_info(ctxt->trap_ctxt); |
31400 | 31400 | ||
31401 | @@ -359,13 +354,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle) | 31401 | @@ -360,13 +355,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle) |
31402 | int rc; | 31402 | int rc; |
31403 | 31403 | ||
31404 | per_cpu(current_task, cpu) = idle; | 31404 | per_cpu(current_task, cpu) = idle; |
@@ -31414,7 +31414,7 @@ index 22c800a..8915f1e 100644 | |||
31414 | #endif | 31414 | #endif |
31415 | xen_setup_runstate_info(cpu); | 31415 | xen_setup_runstate_info(cpu); |
31416 | xen_setup_timer(cpu); | 31416 | xen_setup_timer(cpu); |
31417 | @@ -634,7 +628,7 @@ static const struct smp_ops xen_smp_ops __initconst = { | 31417 | @@ -642,7 +636,7 @@ static const struct smp_ops xen_smp_ops __initconst = { |
31418 | 31418 | ||
31419 | void __init xen_smp_init(void) | 31419 | void __init xen_smp_init(void) |
31420 | { | 31420 | { |
@@ -33945,7 +33945,7 @@ index 2c644af..d4d7f17 100644 | |||
33945 | 33945 | ||
33946 | static int memory_open(struct inode *inode, struct file *filp) | 33946 | static int memory_open(struct inode *inode, struct file *filp) |
33947 | diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c | 33947 | diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c |
33948 | index c689697..04e6d6a 100644 | 33948 | index c689697..04e6d6a2 100644 |
33949 | --- a/drivers/char/mwave/tp3780i.c | 33949 | --- a/drivers/char/mwave/tp3780i.c |
33950 | +++ b/drivers/char/mwave/tp3780i.c | 33950 | +++ b/drivers/char/mwave/tp3780i.c |
33951 | @@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities | 33951 | @@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities |
@@ -34259,7 +34259,7 @@ index ade7513..069445f 100644 | |||
34259 | }; | 34259 | }; |
34260 | 34260 | ||
34261 | diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c | 34261 | diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c |
34262 | index 57a8774..545e993 100644 | 34262 | index bb5939b..d9accb7 100644 |
34263 | --- a/drivers/cpufreq/acpi-cpufreq.c | 34263 | --- a/drivers/cpufreq/acpi-cpufreq.c |
34264 | +++ b/drivers/cpufreq/acpi-cpufreq.c | 34264 | +++ b/drivers/cpufreq/acpi-cpufreq.c |
34265 | @@ -172,7 +172,7 @@ static ssize_t show_global_boost(struct kobject *kobj, | 34265 | @@ -172,7 +172,7 @@ static ssize_t show_global_boost(struct kobject *kobj, |
@@ -35394,10 +35394,10 @@ index 3c7bb04..182e049 100644 | |||
35394 | iir = I915_READ(IIR); | 35394 | iir = I915_READ(IIR); |
35395 | 35395 | ||
35396 | diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c | 35396 | diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c |
35397 | index c2d173a..f4357cc 100644 | 35397 | index 2ab65b4..acbd821 100644 |
35398 | --- a/drivers/gpu/drm/i915/intel_display.c | 35398 | --- a/drivers/gpu/drm/i915/intel_display.c |
35399 | +++ b/drivers/gpu/drm/i915/intel_display.c | 35399 | +++ b/drivers/gpu/drm/i915/intel_display.c |
35400 | @@ -8722,13 +8722,13 @@ struct intel_quirk { | 35400 | @@ -8742,13 +8742,13 @@ struct intel_quirk { |
35401 | int subsystem_vendor; | 35401 | int subsystem_vendor; |
35402 | int subsystem_device; | 35402 | int subsystem_device; |
35403 | void (*hook)(struct drm_device *dev); | 35403 | void (*hook)(struct drm_device *dev); |
@@ -35413,7 +35413,7 @@ index c2d173a..f4357cc 100644 | |||
35413 | 35413 | ||
35414 | static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) | 35414 | static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) |
35415 | { | 35415 | { |
35416 | @@ -8736,18 +8736,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) | 35416 | @@ -8756,18 +8756,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) |
35417 | return 1; | 35417 | return 1; |
35418 | } | 35418 | } |
35419 | 35419 | ||
@@ -35927,7 +35927,7 @@ index 6c0ce89..66f6d65 100644 | |||
35927 | #endif | 35927 | #endif |
35928 | return radeon_debugfs_add_files(rdev, radeon_mem_types_list, i); | 35928 | return radeon_debugfs_add_files(rdev, radeon_mem_types_list, i); |
35929 | diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c | 35929 | diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c |
35930 | index 5706d2a..17aedaa 100644 | 35930 | index fad6633..4ff94de 100644 |
35931 | --- a/drivers/gpu/drm/radeon/rs690.c | 35931 | --- a/drivers/gpu/drm/radeon/rs690.c |
35932 | +++ b/drivers/gpu/drm/radeon/rs690.c | 35932 | +++ b/drivers/gpu/drm/radeon/rs690.c |
35933 | @@ -304,9 +304,11 @@ static void rs690_crtc_bandwidth_compute(struct radeon_device *rdev, | 35933 | @@ -304,9 +304,11 @@ static void rs690_crtc_bandwidth_compute(struct radeon_device *rdev, |
@@ -39635,6 +39635,19 @@ index 25309bf..fcfd54c 100644 | |||
39635 | #define CHIPREV_ID_5750_C2 0x4202 | 39635 | #define CHIPREV_ID_5750_C2 0x4202 |
39636 | #define CHIPREV_ID_5752_A0_HW 0x5000 | 39636 | #define CHIPREV_ID_5752_A0_HW 0x5000 |
39637 | #define CHIPREV_ID_5752_A0 0x6000 | 39637 | #define CHIPREV_ID_5752_A0 0x6000 |
39638 | diff --git a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c | ||
39639 | index 6e8bc9d..94d957d 100644 | ||
39640 | --- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c | ||
39641 | +++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c | ||
39642 | @@ -244,7 +244,7 @@ bnad_debugfs_lseek(struct file *file, loff_t offset, int orig) | ||
39643 | file->f_pos += offset; | ||
39644 | break; | ||
39645 | case 2: | ||
39646 | - file->f_pos = debug->buffer_len - offset; | ||
39647 | + file->f_pos = debug->buffer_len + offset; | ||
39648 | break; | ||
39649 | default: | ||
39650 | return -EINVAL; | ||
39638 | diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h | 39651 | diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h |
39639 | index 8cffcdf..aadf043 100644 | 39652 | index 8cffcdf..aadf043 100644 |
39640 | --- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h | 39653 | --- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h |
@@ -40374,6 +40387,19 @@ index 784e81c..349e01e 100644 | |||
40374 | 40387 | ||
40375 | struct ath_nf_limits { | 40388 | struct ath_nf_limits { |
40376 | s16 max; | 40389 | s16 max; |
40390 | diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c | ||
40391 | index 64b637a..911c4c0 100644 | ||
40392 | --- a/drivers/net/wireless/b43/main.c | ||
40393 | +++ b/drivers/net/wireless/b43/main.c | ||
40394 | @@ -2451,7 +2451,7 @@ static void b43_request_firmware(struct work_struct *work) | ||
40395 | for (i = 0; i < B43_NR_FWTYPES; i++) { | ||
40396 | errmsg = ctx->errors[i]; | ||
40397 | if (strlen(errmsg)) | ||
40398 | - b43err(dev->wl, errmsg); | ||
40399 | + b43err(dev->wl, "%s", errmsg); | ||
40400 | } | ||
40401 | b43_print_fw_helptext(dev->wl, 1); | ||
40402 | goto out; | ||
40377 | diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c | 40403 | diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c |
40378 | index c353b5f..62aaca2 100644 | 40404 | index c353b5f..62aaca2 100644 |
40379 | --- a/drivers/net/wireless/iwlegacy/3945-mac.c | 40405 | --- a/drivers/net/wireless/iwlegacy/3945-mac.c |
@@ -40575,6 +40601,46 @@ index 2b49f48..14fc244 100644 | |||
40575 | } | 40601 | } |
40576 | 40602 | ||
40577 | spin_lock_init(&hwsim_radio_lock); | 40603 | spin_lock_init(&hwsim_radio_lock); |
40604 | diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c | ||
40605 | index 753b568..a5f9875 100644 | ||
40606 | --- a/drivers/net/wireless/mwifiex/debugfs.c | ||
40607 | +++ b/drivers/net/wireless/mwifiex/debugfs.c | ||
40608 | @@ -26,10 +26,17 @@ | ||
40609 | static struct dentry *mwifiex_dfs_dir; | ||
40610 | |||
40611 | static char *bss_modes[] = { | ||
40612 | - "Unknown", | ||
40613 | - "Ad-hoc", | ||
40614 | - "Managed", | ||
40615 | - "Auto" | ||
40616 | + "UNSPECIFIED", | ||
40617 | + "ADHOC", | ||
40618 | + "STATION", | ||
40619 | + "AP", | ||
40620 | + "AP_VLAN", | ||
40621 | + "WDS", | ||
40622 | + "MONITOR", | ||
40623 | + "MESH_POINT", | ||
40624 | + "P2P_CLIENT", | ||
40625 | + "P2P_GO", | ||
40626 | + "P2P_DEVICE", | ||
40627 | }; | ||
40628 | |||
40629 | /* size/addr for mwifiex_debug_info */ | ||
40630 | @@ -200,7 +207,12 @@ mwifiex_info_read(struct file *file, char __user *ubuf, | ||
40631 | p += sprintf(p, "driver_version = %s", fmt); | ||
40632 | p += sprintf(p, "\nverext = %s", priv->version_str); | ||
40633 | p += sprintf(p, "\ninterface_name=\"%s\"\n", netdev->name); | ||
40634 | - p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]); | ||
40635 | + | ||
40636 | + if (info.bss_mode >= ARRAY_SIZE(bss_modes)) | ||
40637 | + p += sprintf(p, "bss_mode=\"%d\"\n", info.bss_mode); | ||
40638 | + else | ||
40639 | + p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]); | ||
40640 | + | ||
40641 | p += sprintf(p, "media_state=\"%s\"\n", | ||
40642 | (!priv->media_connected ? "Disconnected" : "Connected")); | ||
40643 | p += sprintf(p, "mac_address=\"%pM\"\n", netdev->dev_addr); | ||
40578 | diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c | 40644 | diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c |
40579 | index 525fd75..6c9f791 100644 | 40645 | index 525fd75..6c9f791 100644 |
40580 | --- a/drivers/net/wireless/rndis_wlan.c | 40646 | --- a/drivers/net/wireless/rndis_wlan.c |
@@ -41068,7 +41134,7 @@ index d320df6..ca9a8f6 100644 | |||
41068 | #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1) | 41134 | #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1) |
41069 | 41135 | ||
41070 | diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c | 41136 | diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c |
41071 | index 5427787..8df273b 100644 | 41137 | index 563771f..4e3c368 100644 |
41072 | --- a/drivers/pci/probe.c | 41138 | --- a/drivers/pci/probe.c |
41073 | +++ b/drivers/pci/probe.c | 41139 | +++ b/drivers/pci/probe.c |
41074 | @@ -173,7 +173,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, | 41140 | @@ -173,7 +173,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, |
@@ -41613,6 +41679,32 @@ index 23a90e7..9cf04ee 100644 | |||
41613 | 41679 | ||
41614 | /* | 41680 | /* |
41615 | * Queue element to wait for room in request queue. FIFO order is | 41681 | * Queue element to wait for room in request queue. FIFO order is |
41682 | diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c | ||
41683 | index 439c012..b63d534 100644 | ||
41684 | --- a/drivers/scsi/bfa/bfad_debugfs.c | ||
41685 | +++ b/drivers/scsi/bfa/bfad_debugfs.c | ||
41686 | @@ -186,7 +186,7 @@ bfad_debugfs_lseek(struct file *file, loff_t offset, int orig) | ||
41687 | file->f_pos += offset; | ||
41688 | break; | ||
41689 | case 2: | ||
41690 | - file->f_pos = debug->buffer_len - offset; | ||
41691 | + file->f_pos = debug->buffer_len + offset; | ||
41692 | break; | ||
41693 | default: | ||
41694 | return -EINVAL; | ||
41695 | diff --git a/drivers/scsi/fnic/fnic_debugfs.c b/drivers/scsi/fnic/fnic_debugfs.c | ||
41696 | index adc1f7f..85e1ffd 100644 | ||
41697 | --- a/drivers/scsi/fnic/fnic_debugfs.c | ||
41698 | +++ b/drivers/scsi/fnic/fnic_debugfs.c | ||
41699 | @@ -174,7 +174,7 @@ static loff_t fnic_trace_debugfs_lseek(struct file *file, | ||
41700 | pos = file->f_pos + offset; | ||
41701 | break; | ||
41702 | case 2: | ||
41703 | - pos = fnic_dbg_prt->buffer_len - offset; | ||
41704 | + pos = fnic_dbg_prt->buffer_len + offset; | ||
41705 | } | ||
41706 | return (pos < 0 || pos > fnic_dbg_prt->buffer_len) ? | ||
41707 | -EINVAL : (file->f_pos = pos); | ||
41616 | diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c | 41708 | diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c |
41617 | index df0c3c7..b00e1d0 100644 | 41709 | index df0c3c7..b00e1d0 100644 |
41618 | --- a/drivers/scsi/hosts.c | 41710 | --- a/drivers/scsi/hosts.c |
@@ -41967,7 +42059,7 @@ index 7706c99..3b4fc0c 100644 | |||
41967 | struct dentry *idiag_root; | 42059 | struct dentry *idiag_root; |
41968 | struct dentry *idiag_pci_cfg; | 42060 | struct dentry *idiag_pci_cfg; |
41969 | diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c | 42061 | diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c |
41970 | index f63f5ff..de29189 100644 | 42062 | index f63f5ff..32549a4 100644 |
41971 | --- a/drivers/scsi/lpfc/lpfc_debugfs.c | 42063 | --- a/drivers/scsi/lpfc/lpfc_debugfs.c |
41972 | +++ b/drivers/scsi/lpfc/lpfc_debugfs.c | 42064 | +++ b/drivers/scsi/lpfc/lpfc_debugfs.c |
41973 | @@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc, | 42065 | @@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc, |
@@ -42031,6 +42123,15 @@ index f63f5ff..de29189 100644 | |||
42031 | dtp->jif = jiffies; | 42123 | dtp->jif = jiffies; |
42032 | #endif | 42124 | #endif |
42033 | return; | 42125 | return; |
42126 | @@ -1178,7 +1178,7 @@ lpfc_debugfs_lseek(struct file *file, loff_t off, int whence) | ||
42127 | pos = file->f_pos + off; | ||
42128 | break; | ||
42129 | case 2: | ||
42130 | - pos = debug->len - off; | ||
42131 | + pos = debug->len + off; | ||
42132 | } | ||
42133 | return (pos < 0 || pos > debug->len) ? -EINVAL : (file->f_pos = pos); | ||
42134 | } | ||
42034 | @@ -4182,7 +4182,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) | 42135 | @@ -4182,7 +4182,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) |
42035 | "slow_ring buffer\n"); | 42136 | "slow_ring buffer\n"); |
42036 | goto debug_failed; | 42137 | goto debug_failed; |
@@ -51123,6 +51224,45 @@ index f3190ab..84ffb21 100644 | |||
51123 | trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len); | 51224 | trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len); |
51124 | 51225 | ||
51125 | return 0; | 51226 | return 0; |
51227 | diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c | ||
51228 | index 3beae6a..8cc5637 100644 | ||
51229 | --- a/fs/ext4/resize.c | ||
51230 | +++ b/fs/ext4/resize.c | ||
51231 | @@ -79,12 +79,20 @@ static int verify_group_input(struct super_block *sb, | ||
51232 | ext4_fsblk_t end = start + input->blocks_count; | ||
51233 | ext4_group_t group = input->group; | ||
51234 | ext4_fsblk_t itend = input->inode_table + sbi->s_itb_per_group; | ||
51235 | - unsigned overhead = ext4_group_overhead_blocks(sb, group); | ||
51236 | - ext4_fsblk_t metaend = start + overhead; | ||
51237 | + unsigned overhead; | ||
51238 | + ext4_fsblk_t metaend; | ||
51239 | struct buffer_head *bh = NULL; | ||
51240 | ext4_grpblk_t free_blocks_count, offset; | ||
51241 | int err = -EINVAL; | ||
51242 | |||
51243 | + if (group != sbi->s_groups_count) { | ||
51244 | + ext4_warning(sb, "Cannot add at group %u (only %u groups)", | ||
51245 | + input->group, sbi->s_groups_count); | ||
51246 | + return -EINVAL; | ||
51247 | + } | ||
51248 | + | ||
51249 | + overhead = ext4_group_overhead_blocks(sb, group); | ||
51250 | + metaend = start + overhead; | ||
51251 | input->free_blocks_count = free_blocks_count = | ||
51252 | input->blocks_count - 2 - overhead - sbi->s_itb_per_group; | ||
51253 | |||
51254 | @@ -96,10 +104,7 @@ static int verify_group_input(struct super_block *sb, | ||
51255 | free_blocks_count, input->reserved_blocks); | ||
51256 | |||
51257 | ext4_get_group_no_and_offset(sb, start, NULL, &offset); | ||
51258 | - if (group != sbi->s_groups_count) | ||
51259 | - ext4_warning(sb, "Cannot add at group %u (only %u groups)", | ||
51260 | - input->group, sbi->s_groups_count); | ||
51261 | - else if (offset != 0) | ||
51262 | + if (offset != 0) | ||
51263 | ext4_warning(sb, "Last group not full"); | ||
51264 | else if (input->reserved_blocks > input->blocks_count / 5) | ||
51265 | ext4_warning(sb, "Reserved blocks too high (%u)", | ||
51126 | diff --git a/fs/ext4/super.c b/fs/ext4/super.c | 51266 | diff --git a/fs/ext4/super.c b/fs/ext4/super.c |
51127 | index febbe0e..782c4fd 100644 | 51267 | index febbe0e..782c4fd 100644 |
51128 | --- a/fs/ext4/super.c | 51268 | --- a/fs/ext4/super.c |
@@ -71468,6 +71608,20 @@ index e8d702e..0a56eb4 100644 | |||
71468 | 71608 | ||
71469 | int sock_diag_register(const struct sock_diag_handler *h); | 71609 | int sock_diag_register(const struct sock_diag_handler *h); |
71470 | void sock_diag_unregister(const struct sock_diag_handler *h); | 71610 | void sock_diag_unregister(const struct sock_diag_handler *h); |
71611 | diff --git a/include/linux/socket.h b/include/linux/socket.h | ||
71612 | index 2b9f74b..e897bdc 100644 | ||
71613 | --- a/include/linux/socket.h | ||
71614 | +++ b/include/linux/socket.h | ||
71615 | @@ -321,6 +321,9 @@ extern int put_cmsg(struct msghdr*, int level, int type, int len, void *data); | ||
71616 | |||
71617 | struct timespec; | ||
71618 | |||
71619 | +/* The __sys_...msg variants allow MSG_CMSG_COMPAT */ | ||
71620 | +extern long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags); | ||
71621 | +extern long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags); | ||
71622 | extern int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, | ||
71623 | unsigned int flags, struct timespec *timeout); | ||
71624 | extern int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, | ||
71471 | diff --git a/include/linux/sonet.h b/include/linux/sonet.h | 71625 | diff --git a/include/linux/sonet.h b/include/linux/sonet.h |
71472 | index 680f9a3..f13aeb0 100644 | 71626 | index 680f9a3..f13aeb0 100644 |
71473 | --- a/include/linux/sonet.h | 71627 | --- a/include/linux/sonet.h |
@@ -74611,7 +74765,7 @@ index 00eb8f7..d7e3244 100644 | |||
74611 | #ifdef CONFIG_MODULE_UNLOAD | 74765 | #ifdef CONFIG_MODULE_UNLOAD |
74612 | { | 74766 | { |
74613 | diff --git a/kernel/events/core.c b/kernel/events/core.c | 74767 | diff --git a/kernel/events/core.c b/kernel/events/core.c |
74614 | index 9fcb094..8370228 100644 | 74768 | index 9fcb094..353baaaf 100644 |
74615 | --- a/kernel/events/core.c | 74769 | --- a/kernel/events/core.c |
74616 | +++ b/kernel/events/core.c | 74770 | +++ b/kernel/events/core.c |
74617 | @@ -154,8 +154,15 @@ static struct srcu_struct pmus_srcu; | 74771 | @@ -154,8 +154,15 @@ static struct srcu_struct pmus_srcu; |
@@ -74623,7 +74777,7 @@ index 9fcb094..8370228 100644 | |||
74623 | -int sysctl_perf_event_paranoid __read_mostly = 1; | 74777 | -int sysctl_perf_event_paranoid __read_mostly = 1; |
74624 | +#ifdef CONFIG_GRKERNSEC_PERF_HARDEN | 74778 | +#ifdef CONFIG_GRKERNSEC_PERF_HARDEN |
74625 | +int sysctl_perf_event_legitimately_concerned __read_mostly = 3; | 74779 | +int sysctl_perf_event_legitimately_concerned __read_mostly = 3; |
74626 | +#elif CONFIG_GRKERNSEC_HIDESYM | 74780 | +#elif defined(CONFIG_GRKERNSEC_HIDESYM) |
74627 | +int sysctl_perf_event_legitimately_concerned __read_mostly = 2; | 74781 | +int sysctl_perf_event_legitimately_concerned __read_mostly = 2; |
74628 | +#else | 74782 | +#else |
74629 | +int sysctl_perf_event_legitimately_concerned __read_mostly = 1; | 74783 | +int sysctl_perf_event_legitimately_concerned __read_mostly = 1; |
@@ -78324,7 +78478,7 @@ index 02fc5c9..e54c335 100644 | |||
78324 | mutex_unlock(&smpboot_threads_lock); | 78478 | mutex_unlock(&smpboot_threads_lock); |
78325 | put_online_cpus(); | 78479 | put_online_cpus(); |
78326 | diff --git a/kernel/softirq.c b/kernel/softirq.c | 78480 | diff --git a/kernel/softirq.c b/kernel/softirq.c |
78327 | index 14d7758..012121f 100644 | 78481 | index d93dcb1..1cd8a71 100644 |
78328 | --- a/kernel/softirq.c | 78482 | --- a/kernel/softirq.c |
78329 | +++ b/kernel/softirq.c | 78483 | +++ b/kernel/softirq.c |
78330 | @@ -53,11 +53,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned; | 78484 | @@ -53,11 +53,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned; |
@@ -78341,7 +78495,7 @@ index 14d7758..012121f 100644 | |||
78341 | "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL", | 78495 | "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL", |
78342 | "TASKLET", "SCHED", "HRTIMER", "RCU" | 78496 | "TASKLET", "SCHED", "HRTIMER", "RCU" |
78343 | }; | 78497 | }; |
78344 | @@ -244,7 +244,7 @@ restart: | 78498 | @@ -250,7 +250,7 @@ restart: |
78345 | kstat_incr_softirqs_this_cpu(vec_nr); | 78499 | kstat_incr_softirqs_this_cpu(vec_nr); |
78346 | 78500 | ||
78347 | trace_softirq_entry(vec_nr); | 78501 | trace_softirq_entry(vec_nr); |
@@ -78350,7 +78504,7 @@ index 14d7758..012121f 100644 | |||
78350 | trace_softirq_exit(vec_nr); | 78504 | trace_softirq_exit(vec_nr); |
78351 | if (unlikely(prev_count != preempt_count())) { | 78505 | if (unlikely(prev_count != preempt_count())) { |
78352 | printk(KERN_ERR "huh, entered softirq %u %s %p" | 78506 | printk(KERN_ERR "huh, entered softirq %u %s %p" |
78353 | @@ -389,7 +389,7 @@ void __raise_softirq_irqoff(unsigned int nr) | 78507 | @@ -396,7 +396,7 @@ void __raise_softirq_irqoff(unsigned int nr) |
78354 | or_softirq_pending(1UL << nr); | 78508 | or_softirq_pending(1UL << nr); |
78355 | } | 78509 | } |
78356 | 78510 | ||
@@ -78359,7 +78513,7 @@ index 14d7758..012121f 100644 | |||
78359 | { | 78513 | { |
78360 | softirq_vec[nr].action = action; | 78514 | softirq_vec[nr].action = action; |
78361 | } | 78515 | } |
78362 | @@ -445,7 +445,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t) | 78516 | @@ -452,7 +452,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t) |
78363 | 78517 | ||
78364 | EXPORT_SYMBOL(__tasklet_hi_schedule_first); | 78518 | EXPORT_SYMBOL(__tasklet_hi_schedule_first); |
78365 | 78519 | ||
@@ -78368,7 +78522,7 @@ index 14d7758..012121f 100644 | |||
78368 | { | 78522 | { |
78369 | struct tasklet_struct *list; | 78523 | struct tasklet_struct *list; |
78370 | 78524 | ||
78371 | @@ -480,7 +480,7 @@ static void tasklet_action(struct softirq_action *a) | 78525 | @@ -487,7 +487,7 @@ static void tasklet_action(struct softirq_action *a) |
78372 | } | 78526 | } |
78373 | } | 78527 | } |
78374 | 78528 | ||
@@ -78377,7 +78531,7 @@ index 14d7758..012121f 100644 | |||
78377 | { | 78531 | { |
78378 | struct tasklet_struct *list; | 78532 | struct tasklet_struct *list; |
78379 | 78533 | ||
78380 | @@ -716,7 +716,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self, | 78534 | @@ -723,7 +723,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self, |
78381 | return NOTIFY_OK; | 78535 | return NOTIFY_OK; |
78382 | } | 78536 | } |
78383 | 78537 | ||
@@ -78386,7 +78540,7 @@ index 14d7758..012121f 100644 | |||
78386 | .notifier_call = remote_softirq_cpu_notify, | 78540 | .notifier_call = remote_softirq_cpu_notify, |
78387 | }; | 78541 | }; |
78388 | 78542 | ||
78389 | @@ -833,11 +833,11 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb, | 78543 | @@ -840,11 +840,11 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb, |
78390 | return NOTIFY_OK; | 78544 | return NOTIFY_OK; |
78391 | } | 78545 | } |
78392 | 78546 | ||
@@ -78912,7 +79066,7 @@ index 90ad470..1814e9a 100644 | |||
78912 | tick_broadcast_clear_oneshot(cpu); | 79066 | tick_broadcast_clear_oneshot(cpu); |
78913 | } else { | 79067 | } else { |
78914 | diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c | 79068 | diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c |
78915 | index 9a0bc98..fceb7d0 100644 | 79069 | index 183df62..59b1442 100644 |
78916 | --- a/kernel/time/timekeeping.c | 79070 | --- a/kernel/time/timekeeping.c |
78917 | +++ b/kernel/time/timekeeping.c | 79071 | +++ b/kernel/time/timekeeping.c |
78918 | @@ -15,6 +15,7 @@ | 79072 | @@ -15,6 +15,7 @@ |
@@ -81653,7 +81807,7 @@ index 79b7cf7..9944291 100644 | |||
81653 | capable(CAP_IPC_LOCK)) | 81807 | capable(CAP_IPC_LOCK)) |
81654 | ret = do_mlockall(flags); | 81808 | ret = do_mlockall(flags); |
81655 | diff --git a/mm/mmap.c b/mm/mmap.c | 81809 | diff --git a/mm/mmap.c b/mm/mmap.c |
81656 | index 0dceed8..671951c 100644 | 81810 | index 0dceed8..e7cfc40 100644 |
81657 | --- a/mm/mmap.c | 81811 | --- a/mm/mmap.c |
81658 | +++ b/mm/mmap.c | 81812 | +++ b/mm/mmap.c |
81659 | @@ -33,6 +33,7 @@ | 81813 | @@ -33,6 +33,7 @@ |
@@ -82402,11 +82556,10 @@ index 0dceed8..671951c 100644 | |||
82402 | size = vma->vm_end - address; | 82556 | size = vma->vm_end - address; |
82403 | grow = (vma->vm_start - address) >> PAGE_SHIFT; | 82557 | grow = (vma->vm_start - address) >> PAGE_SHIFT; |
82404 | 82558 | ||
82405 | @@ -2184,6 +2492,18 @@ int expand_downwards(struct vm_area_struct *vma, | 82559 | @@ -2184,13 +2492,27 @@ int expand_downwards(struct vm_area_struct *vma, |
82406 | vma->vm_pgoff -= grow; | 82560 | vma->vm_pgoff -= grow; |
82407 | anon_vma_interval_tree_post_update_vma(vma); | 82561 | anon_vma_interval_tree_post_update_vma(vma); |
82408 | vma_gap_update(vma); | 82562 | vma_gap_update(vma); |
82409 | + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags); | ||
82410 | + | 82563 | + |
82411 | +#ifdef CONFIG_PAX_SEGMEXEC | 82564 | +#ifdef CONFIG_PAX_SEGMEXEC |
82412 | + if (vma_m) { | 82565 | + if (vma_m) { |
@@ -82420,8 +82573,18 @@ index 0dceed8..671951c 100644 | |||
82420 | + | 82573 | + |
82421 | spin_unlock(&vma->vm_mm->page_table_lock); | 82574 | spin_unlock(&vma->vm_mm->page_table_lock); |
82422 | 82575 | ||
82576 | + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags); | ||
82423 | perf_event_mmap(vma); | 82577 | perf_event_mmap(vma); |
82424 | @@ -2288,6 +2608,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) | 82578 | } |
82579 | } | ||
82580 | } | ||
82581 | vma_unlock_anon_vma(vma); | ||
82582 | + if (lockprev) | ||
82583 | + vma_unlock_anon_vma(prev); | ||
82584 | khugepaged_enter_vma_merge(vma); | ||
82585 | validate_mm(vma->vm_mm); | ||
82586 | return error; | ||
82587 | @@ -2288,6 +2610,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) | ||
82425 | do { | 82588 | do { |
82426 | long nrpages = vma_pages(vma); | 82589 | long nrpages = vma_pages(vma); |
82427 | 82590 | ||
@@ -82435,7 +82598,7 @@ index 0dceed8..671951c 100644 | |||
82435 | if (vma->vm_flags & VM_ACCOUNT) | 82598 | if (vma->vm_flags & VM_ACCOUNT) |
82436 | nr_accounted += nrpages; | 82599 | nr_accounted += nrpages; |
82437 | vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); | 82600 | vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); |
82438 | @@ -2333,6 +2660,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, | 82601 | @@ -2333,6 +2662,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, |
82439 | insertion_point = (prev ? &prev->vm_next : &mm->mmap); | 82602 | insertion_point = (prev ? &prev->vm_next : &mm->mmap); |
82440 | vma->vm_prev = NULL; | 82603 | vma->vm_prev = NULL; |
82441 | do { | 82604 | do { |
@@ -82452,7 +82615,7 @@ index 0dceed8..671951c 100644 | |||
82452 | vma_rb_erase(vma, &mm->mm_rb); | 82615 | vma_rb_erase(vma, &mm->mm_rb); |
82453 | mm->map_count--; | 82616 | mm->map_count--; |
82454 | tail_vma = vma; | 82617 | tail_vma = vma; |
82455 | @@ -2364,14 +2701,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, | 82618 | @@ -2364,14 +2703,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
82456 | struct vm_area_struct *new; | 82619 | struct vm_area_struct *new; |
82457 | int err = -ENOMEM; | 82620 | int err = -ENOMEM; |
82458 | 82621 | ||
@@ -82486,7 +82649,7 @@ index 0dceed8..671951c 100644 | |||
82486 | /* most fields are the same, copy all, and then fixup */ | 82649 | /* most fields are the same, copy all, and then fixup */ |
82487 | *new = *vma; | 82650 | *new = *vma; |
82488 | 82651 | ||
82489 | @@ -2384,6 +2740,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, | 82652 | @@ -2384,6 +2742,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
82490 | new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); | 82653 | new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); |
82491 | } | 82654 | } |
82492 | 82655 | ||
@@ -82509,7 +82672,7 @@ index 0dceed8..671951c 100644 | |||
82509 | pol = mpol_dup(vma_policy(vma)); | 82672 | pol = mpol_dup(vma_policy(vma)); |
82510 | if (IS_ERR(pol)) { | 82673 | if (IS_ERR(pol)) { |
82511 | err = PTR_ERR(pol); | 82674 | err = PTR_ERR(pol); |
82512 | @@ -2406,6 +2778,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, | 82675 | @@ -2406,6 +2780,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
82513 | else | 82676 | else |
82514 | err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); | 82677 | err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); |
82515 | 82678 | ||
@@ -82546,7 +82709,7 @@ index 0dceed8..671951c 100644 | |||
82546 | /* Success. */ | 82709 | /* Success. */ |
82547 | if (!err) | 82710 | if (!err) |
82548 | return 0; | 82711 | return 0; |
82549 | @@ -2415,10 +2817,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, | 82712 | @@ -2415,10 +2819,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
82550 | new->vm_ops->close(new); | 82713 | new->vm_ops->close(new); |
82551 | if (new->vm_file) | 82714 | if (new->vm_file) |
82552 | fput(new->vm_file); | 82715 | fput(new->vm_file); |
@@ -82566,7 +82729,7 @@ index 0dceed8..671951c 100644 | |||
82566 | kmem_cache_free(vm_area_cachep, new); | 82729 | kmem_cache_free(vm_area_cachep, new); |
82567 | out_err: | 82730 | out_err: |
82568 | return err; | 82731 | return err; |
82569 | @@ -2431,6 +2841,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, | 82732 | @@ -2431,6 +2843,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
82570 | int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, | 82733 | int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, |
82571 | unsigned long addr, int new_below) | 82734 | unsigned long addr, int new_below) |
82572 | { | 82735 | { |
@@ -82582,7 +82745,7 @@ index 0dceed8..671951c 100644 | |||
82582 | if (mm->map_count >= sysctl_max_map_count) | 82745 | if (mm->map_count >= sysctl_max_map_count) |
82583 | return -ENOMEM; | 82746 | return -ENOMEM; |
82584 | 82747 | ||
82585 | @@ -2442,11 +2861,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, | 82748 | @@ -2442,11 +2863,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, |
82586 | * work. This now handles partial unmappings. | 82749 | * work. This now handles partial unmappings. |
82587 | * Jeremy Fitzhardinge <jeremy@goop.org> | 82750 | * Jeremy Fitzhardinge <jeremy@goop.org> |
82588 | */ | 82751 | */ |
@@ -82613,7 +82776,7 @@ index 0dceed8..671951c 100644 | |||
82613 | if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) | 82776 | if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) |
82614 | return -EINVAL; | 82777 | return -EINVAL; |
82615 | 82778 | ||
82616 | @@ -2521,6 +2959,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) | 82779 | @@ -2521,6 +2961,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) |
82617 | /* Fix up all other VM information */ | 82780 | /* Fix up all other VM information */ |
82618 | remove_vma_list(mm, vma); | 82781 | remove_vma_list(mm, vma); |
82619 | 82782 | ||
@@ -82622,7 +82785,7 @@ index 0dceed8..671951c 100644 | |||
82622 | return 0; | 82785 | return 0; |
82623 | } | 82786 | } |
82624 | 82787 | ||
82625 | @@ -2529,6 +2969,13 @@ int vm_munmap(unsigned long start, size_t len) | 82788 | @@ -2529,6 +2971,13 @@ int vm_munmap(unsigned long start, size_t len) |
82626 | int ret; | 82789 | int ret; |
82627 | struct mm_struct *mm = current->mm; | 82790 | struct mm_struct *mm = current->mm; |
82628 | 82791 | ||
@@ -82636,7 +82799,7 @@ index 0dceed8..671951c 100644 | |||
82636 | down_write(&mm->mmap_sem); | 82799 | down_write(&mm->mmap_sem); |
82637 | ret = do_munmap(mm, start, len); | 82800 | ret = do_munmap(mm, start, len); |
82638 | up_write(&mm->mmap_sem); | 82801 | up_write(&mm->mmap_sem); |
82639 | @@ -2542,16 +2989,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) | 82802 | @@ -2542,16 +2991,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) |
82640 | return vm_munmap(addr, len); | 82803 | return vm_munmap(addr, len); |
82641 | } | 82804 | } |
82642 | 82805 | ||
@@ -82653,7 +82816,7 @@ index 0dceed8..671951c 100644 | |||
82653 | /* | 82816 | /* |
82654 | * this is really a simplified "do_mmap". it only handles | 82817 | * this is really a simplified "do_mmap". it only handles |
82655 | * anonymous maps. eventually we may be able to do some | 82818 | * anonymous maps. eventually we may be able to do some |
82656 | @@ -2565,6 +3002,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) | 82819 | @@ -2565,6 +3004,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
82657 | struct rb_node ** rb_link, * rb_parent; | 82820 | struct rb_node ** rb_link, * rb_parent; |
82658 | pgoff_t pgoff = addr >> PAGE_SHIFT; | 82821 | pgoff_t pgoff = addr >> PAGE_SHIFT; |
82659 | int error; | 82822 | int error; |
@@ -82661,7 +82824,7 @@ index 0dceed8..671951c 100644 | |||
82661 | 82824 | ||
82662 | len = PAGE_ALIGN(len); | 82825 | len = PAGE_ALIGN(len); |
82663 | if (!len) | 82826 | if (!len) |
82664 | @@ -2572,16 +3010,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) | 82827 | @@ -2572,16 +3012,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
82665 | 82828 | ||
82666 | flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; | 82829 | flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; |
82667 | 82830 | ||
@@ -82693,7 +82856,7 @@ index 0dceed8..671951c 100644 | |||
82693 | locked += mm->locked_vm; | 82856 | locked += mm->locked_vm; |
82694 | lock_limit = rlimit(RLIMIT_MEMLOCK); | 82857 | lock_limit = rlimit(RLIMIT_MEMLOCK); |
82695 | lock_limit >>= PAGE_SHIFT; | 82858 | lock_limit >>= PAGE_SHIFT; |
82696 | @@ -2598,21 +3050,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) | 82859 | @@ -2598,21 +3052,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
82697 | /* | 82860 | /* |
82698 | * Clear old maps. this also does some error checking for us | 82861 | * Clear old maps. this also does some error checking for us |
82699 | */ | 82862 | */ |
@@ -82718,7 +82881,7 @@ index 0dceed8..671951c 100644 | |||
82718 | return -ENOMEM; | 82881 | return -ENOMEM; |
82719 | 82882 | ||
82720 | /* Can we just expand an old private anonymous mapping? */ | 82883 | /* Can we just expand an old private anonymous mapping? */ |
82721 | @@ -2626,7 +3077,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) | 82884 | @@ -2626,7 +3079,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
82722 | */ | 82885 | */ |
82723 | vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); | 82886 | vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); |
82724 | if (!vma) { | 82887 | if (!vma) { |
@@ -82727,7 +82890,7 @@ index 0dceed8..671951c 100644 | |||
82727 | return -ENOMEM; | 82890 | return -ENOMEM; |
82728 | } | 82891 | } |
82729 | 82892 | ||
82730 | @@ -2640,9 +3091,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) | 82893 | @@ -2640,9 +3093,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
82731 | vma_link(mm, vma, prev, rb_link, rb_parent); | 82894 | vma_link(mm, vma, prev, rb_link, rb_parent); |
82732 | out: | 82895 | out: |
82733 | perf_event_mmap(vma); | 82896 | perf_event_mmap(vma); |
@@ -82740,7 +82903,7 @@ index 0dceed8..671951c 100644 | |||
82740 | return addr; | 82903 | return addr; |
82741 | } | 82904 | } |
82742 | 82905 | ||
82743 | @@ -2704,6 +3156,7 @@ void exit_mmap(struct mm_struct *mm) | 82906 | @@ -2704,6 +3158,7 @@ void exit_mmap(struct mm_struct *mm) |
82744 | while (vma) { | 82907 | while (vma) { |
82745 | if (vma->vm_flags & VM_ACCOUNT) | 82908 | if (vma->vm_flags & VM_ACCOUNT) |
82746 | nr_accounted += vma_pages(vma); | 82909 | nr_accounted += vma_pages(vma); |
@@ -82748,7 +82911,7 @@ index 0dceed8..671951c 100644 | |||
82748 | vma = remove_vma(vma); | 82911 | vma = remove_vma(vma); |
82749 | } | 82912 | } |
82750 | vm_unacct_memory(nr_accounted); | 82913 | vm_unacct_memory(nr_accounted); |
82751 | @@ -2720,6 +3173,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) | 82914 | @@ -2720,6 +3175,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) |
82752 | struct vm_area_struct *prev; | 82915 | struct vm_area_struct *prev; |
82753 | struct rb_node **rb_link, *rb_parent; | 82916 | struct rb_node **rb_link, *rb_parent; |
82754 | 82917 | ||
@@ -82762,7 +82925,7 @@ index 0dceed8..671951c 100644 | |||
82762 | /* | 82925 | /* |
82763 | * The vm_pgoff of a purely anonymous vma should be irrelevant | 82926 | * The vm_pgoff of a purely anonymous vma should be irrelevant |
82764 | * until its first write fault, when page's anon_vma and index | 82927 | * until its first write fault, when page's anon_vma and index |
82765 | @@ -2743,7 +3203,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) | 82928 | @@ -2743,7 +3205,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) |
82766 | security_vm_enough_memory_mm(mm, vma_pages(vma))) | 82929 | security_vm_enough_memory_mm(mm, vma_pages(vma))) |
82767 | return -ENOMEM; | 82930 | return -ENOMEM; |
82768 | 82931 | ||
@@ -82784,7 +82947,7 @@ index 0dceed8..671951c 100644 | |||
82784 | return 0; | 82947 | return 0; |
82785 | } | 82948 | } |
82786 | 82949 | ||
82787 | @@ -2763,6 +3237,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, | 82950 | @@ -2763,6 +3239,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, |
82788 | struct mempolicy *pol; | 82951 | struct mempolicy *pol; |
82789 | bool faulted_in_anon_vma = true; | 82952 | bool faulted_in_anon_vma = true; |
82790 | 82953 | ||
@@ -82793,7 +82956,7 @@ index 0dceed8..671951c 100644 | |||
82793 | /* | 82956 | /* |
82794 | * If anonymous vma has not yet been faulted, update new pgoff | 82957 | * If anonymous vma has not yet been faulted, update new pgoff |
82795 | * to match new location, to increase its chance of merging. | 82958 | * to match new location, to increase its chance of merging. |
82796 | @@ -2829,6 +3305,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, | 82959 | @@ -2829,6 +3307,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, |
82797 | return NULL; | 82960 | return NULL; |
82798 | } | 82961 | } |
82799 | 82962 | ||
@@ -82833,7 +82996,7 @@ index 0dceed8..671951c 100644 | |||
82833 | /* | 82996 | /* |
82834 | * Return true if the calling process may expand its vm space by the passed | 82997 | * Return true if the calling process may expand its vm space by the passed |
82835 | * number of pages | 82998 | * number of pages |
82836 | @@ -2840,6 +3349,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) | 82999 | @@ -2840,6 +3351,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) |
82837 | 83000 | ||
82838 | lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; | 83001 | lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; |
82839 | 83002 | ||
@@ -82841,7 +83004,7 @@ index 0dceed8..671951c 100644 | |||
82841 | if (cur + npages > lim) | 83004 | if (cur + npages > lim) |
82842 | return 0; | 83005 | return 0; |
82843 | return 1; | 83006 | return 1; |
82844 | @@ -2910,6 +3420,22 @@ int install_special_mapping(struct mm_struct *mm, | 83007 | @@ -2910,6 +3422,22 @@ int install_special_mapping(struct mm_struct *mm, |
82845 | vma->vm_start = addr; | 83008 | vma->vm_start = addr; |
82846 | vma->vm_end = addr + len; | 83009 | vma->vm_end = addr + len; |
82847 | 83010 | ||
@@ -85239,7 +85402,7 @@ index 6a93614..1415549 100644 | |||
85239 | err = -EFAULT; | 85402 | err = -EFAULT; |
85240 | break; | 85403 | break; |
85241 | diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c | 85404 | diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c |
85242 | index 7c7e932..7a7815d 100644 | 85405 | index 7c7e932..8d23158 100644 |
85243 | --- a/net/bluetooth/l2cap_core.c | 85406 | --- a/net/bluetooth/l2cap_core.c |
85244 | +++ b/net/bluetooth/l2cap_core.c | 85407 | +++ b/net/bluetooth/l2cap_core.c |
85245 | @@ -3395,8 +3395,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, | 85408 | @@ -3395,8 +3395,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, |
@@ -85255,6 +85418,223 @@ index 7c7e932..7a7815d 100644 | |||
85255 | 85418 | ||
85256 | if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && | 85419 | if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && |
85257 | rfc.mode != chan->mode) | 85420 | rfc.mode != chan->mode) |
85421 | @@ -3568,10 +3570,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) | ||
85422 | } | ||
85423 | |||
85424 | static inline int l2cap_command_rej(struct l2cap_conn *conn, | ||
85425 | - struct l2cap_cmd_hdr *cmd, u8 *data) | ||
85426 | + struct l2cap_cmd_hdr *cmd, u16 cmd_len, | ||
85427 | + u8 *data) | ||
85428 | { | ||
85429 | struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; | ||
85430 | |||
85431 | + if (cmd_len < sizeof(*rej)) | ||
85432 | + return -EPROTO; | ||
85433 | + | ||
85434 | if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD) | ||
85435 | return 0; | ||
85436 | |||
85437 | @@ -3720,11 +3726,14 @@ sendresp: | ||
85438 | } | ||
85439 | |||
85440 | static int l2cap_connect_req(struct l2cap_conn *conn, | ||
85441 | - struct l2cap_cmd_hdr *cmd, u8 *data) | ||
85442 | + struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) | ||
85443 | { | ||
85444 | struct hci_dev *hdev = conn->hcon->hdev; | ||
85445 | struct hci_conn *hcon = conn->hcon; | ||
85446 | |||
85447 | + if (cmd_len < sizeof(struct l2cap_conn_req)) | ||
85448 | + return -EPROTO; | ||
85449 | + | ||
85450 | hci_dev_lock(hdev); | ||
85451 | if (test_bit(HCI_MGMT, &hdev->dev_flags) && | ||
85452 | !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags)) | ||
85453 | @@ -3738,7 +3747,8 @@ static int l2cap_connect_req(struct l2cap_conn *conn, | ||
85454 | } | ||
85455 | |||
85456 | static int l2cap_connect_create_rsp(struct l2cap_conn *conn, | ||
85457 | - struct l2cap_cmd_hdr *cmd, u8 *data) | ||
85458 | + struct l2cap_cmd_hdr *cmd, u16 cmd_len, | ||
85459 | + u8 *data) | ||
85460 | { | ||
85461 | struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data; | ||
85462 | u16 scid, dcid, result, status; | ||
85463 | @@ -3746,6 +3756,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, | ||
85464 | u8 req[128]; | ||
85465 | int err; | ||
85466 | |||
85467 | + if (cmd_len < sizeof(*rsp)) | ||
85468 | + return -EPROTO; | ||
85469 | + | ||
85470 | scid = __le16_to_cpu(rsp->scid); | ||
85471 | dcid = __le16_to_cpu(rsp->dcid); | ||
85472 | result = __le16_to_cpu(rsp->result); | ||
85473 | @@ -3843,6 +3856,9 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, | ||
85474 | struct l2cap_chan *chan; | ||
85475 | int len, err = 0; | ||
85476 | |||
85477 | + if (cmd_len < sizeof(*req)) | ||
85478 | + return -EPROTO; | ||
85479 | + | ||
85480 | dcid = __le16_to_cpu(req->dcid); | ||
85481 | flags = __le16_to_cpu(req->flags); | ||
85482 | |||
85483 | @@ -3866,7 +3882,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, | ||
85484 | |||
85485 | /* Reject if config buffer is too small. */ | ||
85486 | len = cmd_len - sizeof(*req); | ||
85487 | - if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) { | ||
85488 | + if (chan->conf_len + len > sizeof(chan->conf_req)) { | ||
85489 | l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, | ||
85490 | l2cap_build_conf_rsp(chan, rsp, | ||
85491 | L2CAP_CONF_REJECT, flags), rsp); | ||
85492 | @@ -3944,14 +3960,18 @@ unlock: | ||
85493 | } | ||
85494 | |||
85495 | static inline int l2cap_config_rsp(struct l2cap_conn *conn, | ||
85496 | - struct l2cap_cmd_hdr *cmd, u8 *data) | ||
85497 | + struct l2cap_cmd_hdr *cmd, u16 cmd_len, | ||
85498 | + u8 *data) | ||
85499 | { | ||
85500 | struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; | ||
85501 | u16 scid, flags, result; | ||
85502 | struct l2cap_chan *chan; | ||
85503 | - int len = le16_to_cpu(cmd->len) - sizeof(*rsp); | ||
85504 | + int len = cmd_len - sizeof(*rsp); | ||
85505 | int err = 0; | ||
85506 | |||
85507 | + if (cmd_len < sizeof(*rsp)) | ||
85508 | + return -EPROTO; | ||
85509 | + | ||
85510 | scid = __le16_to_cpu(rsp->scid); | ||
85511 | flags = __le16_to_cpu(rsp->flags); | ||
85512 | result = __le16_to_cpu(rsp->result); | ||
85513 | @@ -4052,7 +4072,8 @@ done: | ||
85514 | } | ||
85515 | |||
85516 | static inline int l2cap_disconnect_req(struct l2cap_conn *conn, | ||
85517 | - struct l2cap_cmd_hdr *cmd, u8 *data) | ||
85518 | + struct l2cap_cmd_hdr *cmd, u16 cmd_len, | ||
85519 | + u8 *data) | ||
85520 | { | ||
85521 | struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data; | ||
85522 | struct l2cap_disconn_rsp rsp; | ||
85523 | @@ -4060,6 +4081,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, | ||
85524 | struct l2cap_chan *chan; | ||
85525 | struct sock *sk; | ||
85526 | |||
85527 | + if (cmd_len != sizeof(*req)) | ||
85528 | + return -EPROTO; | ||
85529 | + | ||
85530 | scid = __le16_to_cpu(req->scid); | ||
85531 | dcid = __le16_to_cpu(req->dcid); | ||
85532 | |||
85533 | @@ -4099,12 +4123,16 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, | ||
85534 | } | ||
85535 | |||
85536 | static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, | ||
85537 | - struct l2cap_cmd_hdr *cmd, u8 *data) | ||
85538 | + struct l2cap_cmd_hdr *cmd, u16 cmd_len, | ||
85539 | + u8 *data) | ||
85540 | { | ||
85541 | struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data; | ||
85542 | u16 dcid, scid; | ||
85543 | struct l2cap_chan *chan; | ||
85544 | |||
85545 | + if (cmd_len != sizeof(*rsp)) | ||
85546 | + return -EPROTO; | ||
85547 | + | ||
85548 | scid = __le16_to_cpu(rsp->scid); | ||
85549 | dcid = __le16_to_cpu(rsp->dcid); | ||
85550 | |||
85551 | @@ -4134,11 +4162,15 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, | ||
85552 | } | ||
85553 | |||
85554 | static inline int l2cap_information_req(struct l2cap_conn *conn, | ||
85555 | - struct l2cap_cmd_hdr *cmd, u8 *data) | ||
85556 | + struct l2cap_cmd_hdr *cmd, u16 cmd_len, | ||
85557 | + u8 *data) | ||
85558 | { | ||
85559 | struct l2cap_info_req *req = (struct l2cap_info_req *) data; | ||
85560 | u16 type; | ||
85561 | |||
85562 | + if (cmd_len != sizeof(*req)) | ||
85563 | + return -EPROTO; | ||
85564 | + | ||
85565 | type = __le16_to_cpu(req->type); | ||
85566 | |||
85567 | BT_DBG("type 0x%4.4x", type); | ||
85568 | @@ -4185,11 +4217,15 @@ static inline int l2cap_information_req(struct l2cap_conn *conn, | ||
85569 | } | ||
85570 | |||
85571 | static inline int l2cap_information_rsp(struct l2cap_conn *conn, | ||
85572 | - struct l2cap_cmd_hdr *cmd, u8 *data) | ||
85573 | + struct l2cap_cmd_hdr *cmd, u16 cmd_len, | ||
85574 | + u8 *data) | ||
85575 | { | ||
85576 | struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; | ||
85577 | u16 type, result; | ||
85578 | |||
85579 | + if (cmd_len != sizeof(*rsp)) | ||
85580 | + return -EPROTO; | ||
85581 | + | ||
85582 | type = __le16_to_cpu(rsp->type); | ||
85583 | result = __le16_to_cpu(rsp->result); | ||
85584 | |||
85585 | @@ -5055,16 +5091,16 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, | ||
85586 | |||
85587 | switch (cmd->code) { | ||
85588 | case L2CAP_COMMAND_REJ: | ||
85589 | - l2cap_command_rej(conn, cmd, data); | ||
85590 | + l2cap_command_rej(conn, cmd, cmd_len, data); | ||
85591 | break; | ||
85592 | |||
85593 | case L2CAP_CONN_REQ: | ||
85594 | - err = l2cap_connect_req(conn, cmd, data); | ||
85595 | + err = l2cap_connect_req(conn, cmd, cmd_len, data); | ||
85596 | break; | ||
85597 | |||
85598 | case L2CAP_CONN_RSP: | ||
85599 | case L2CAP_CREATE_CHAN_RSP: | ||
85600 | - err = l2cap_connect_create_rsp(conn, cmd, data); | ||
85601 | + err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data); | ||
85602 | break; | ||
85603 | |||
85604 | case L2CAP_CONF_REQ: | ||
85605 | @@ -5072,15 +5108,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, | ||
85606 | break; | ||
85607 | |||
85608 | case L2CAP_CONF_RSP: | ||
85609 | - err = l2cap_config_rsp(conn, cmd, data); | ||
85610 | + err = l2cap_config_rsp(conn, cmd, cmd_len, data); | ||
85611 | break; | ||
85612 | |||
85613 | case L2CAP_DISCONN_REQ: | ||
85614 | - err = l2cap_disconnect_req(conn, cmd, data); | ||
85615 | + err = l2cap_disconnect_req(conn, cmd, cmd_len, data); | ||
85616 | break; | ||
85617 | |||
85618 | case L2CAP_DISCONN_RSP: | ||
85619 | - err = l2cap_disconnect_rsp(conn, cmd, data); | ||
85620 | + err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data); | ||
85621 | break; | ||
85622 | |||
85623 | case L2CAP_ECHO_REQ: | ||
85624 | @@ -5091,11 +5127,11 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, | ||
85625 | break; | ||
85626 | |||
85627 | case L2CAP_INFO_REQ: | ||
85628 | - err = l2cap_information_req(conn, cmd, data); | ||
85629 | + err = l2cap_information_req(conn, cmd, cmd_len, data); | ||
85630 | break; | ||
85631 | |||
85632 | case L2CAP_INFO_RSP: | ||
85633 | - err = l2cap_information_rsp(conn, cmd, data); | ||
85634 | + err = l2cap_information_rsp(conn, cmd, cmd_len, data); | ||
85635 | break; | ||
85636 | |||
85637 | case L2CAP_CREATE_CHAN_REQ: | ||
85258 | diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c | 85638 | diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c |
85259 | index 1bcfb84..dad9f98 100644 | 85639 | index 1bcfb84..dad9f98 100644 |
85260 | --- a/net/bluetooth/l2cap_sock.c | 85640 | --- a/net/bluetooth/l2cap_sock.c |
@@ -85486,7 +85866,7 @@ index 117814a..ad4fb73 100644 | |||
85486 | 85866 | ||
85487 | if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) { | 85867 | if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) { |
85488 | diff --git a/net/compat.c b/net/compat.c | 85868 | diff --git a/net/compat.c b/net/compat.c |
85489 | index 79ae884..17c5c09 100644 | 85869 | index 79ae884..0541331 100644 |
85490 | --- a/net/compat.c | 85870 | --- a/net/compat.c |
85491 | +++ b/net/compat.c | 85871 | +++ b/net/compat.c |
85492 | @@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) | 85872 | @@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) |
@@ -85616,7 +85996,45 @@ index 79ae884..17c5c09 100644 | |||
85616 | struct group_filter __user *kgf; | 85996 | struct group_filter __user *kgf; |
85617 | int __user *koptlen; | 85997 | int __user *koptlen; |
85618 | u32 interface, fmode, numsrc; | 85998 | u32 interface, fmode, numsrc; |
85619 | @@ -796,7 +796,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) | 85999 | @@ -734,19 +734,25 @@ static unsigned char nas[21] = { |
86000 | |||
86001 | asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags) | ||
86002 | { | ||
86003 | - return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); | ||
86004 | + if (flags & MSG_CMSG_COMPAT) | ||
86005 | + return -EINVAL; | ||
86006 | + return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); | ||
86007 | } | ||
86008 | |||
86009 | asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg, | ||
86010 | unsigned int vlen, unsigned int flags) | ||
86011 | { | ||
86012 | + if (flags & MSG_CMSG_COMPAT) | ||
86013 | + return -EINVAL; | ||
86014 | return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, | ||
86015 | flags | MSG_CMSG_COMPAT); | ||
86016 | } | ||
86017 | |||
86018 | asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags) | ||
86019 | { | ||
86020 | - return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); | ||
86021 | + if (flags & MSG_CMSG_COMPAT) | ||
86022 | + return -EINVAL; | ||
86023 | + return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); | ||
86024 | } | ||
86025 | |||
86026 | asmlinkage long compat_sys_recv(int fd, void __user *buf, size_t len, unsigned int flags) | ||
86027 | @@ -768,6 +774,9 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, | ||
86028 | int datagrams; | ||
86029 | struct timespec ktspec; | ||
86030 | |||
86031 | + if (flags & MSG_CMSG_COMPAT) | ||
86032 | + return -EINVAL; | ||
86033 | + | ||
86034 | if (COMPAT_USE_64BIT_TIME) | ||
86035 | return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, | ||
86036 | flags | MSG_CMSG_COMPAT, | ||
86037 | @@ -796,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) | ||
85620 | 86038 | ||
85621 | if (call < SYS_SOCKET || call > SYS_SENDMMSG) | 86039 | if (call < SYS_SOCKET || call > SYS_SENDMMSG) |
85622 | return -EINVAL; | 86040 | return -EINVAL; |
@@ -86559,7 +86977,7 @@ index d9c4f11..02b82dbc 100644 | |||
86559 | msg.msg_flags = flags; | 86977 | msg.msg_flags = flags; |
86560 | 86978 | ||
86561 | diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c | 86979 | diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c |
86562 | index c3a4233..1412161 100644 | 86980 | index c3a4233..7df5626 100644 |
86563 | --- a/net/ipv4/ip_vti.c | 86981 | --- a/net/ipv4/ip_vti.c |
86564 | +++ b/net/ipv4/ip_vti.c | 86982 | +++ b/net/ipv4/ip_vti.c |
86565 | @@ -47,7 +47,7 @@ | 86983 | @@ -47,7 +47,7 @@ |
@@ -86571,7 +86989,17 @@ index c3a4233..1412161 100644 | |||
86571 | 86989 | ||
86572 | static int vti_net_id __read_mostly; | 86990 | static int vti_net_id __read_mostly; |
86573 | struct vti_net { | 86991 | struct vti_net { |
86574 | @@ -886,7 +886,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = { | 86992 | @@ -399,8 +399,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev) |
86993 | tunnel->err_count = 0; | ||
86994 | } | ||
86995 | |||
86996 | - IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | | ||
86997 | - IPSKB_REROUTED); | ||
86998 | + memset(IPCB(skb), 0, sizeof(*IPCB(skb))); | ||
86999 | skb_dst_drop(skb); | ||
87000 | skb_dst_set(skb, &rt->dst); | ||
87001 | nf_reset(skb); | ||
87002 | @@ -886,7 +885,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = { | ||
86575 | [IFLA_VTI_REMOTE] = { .len = FIELD_SIZEOF(struct iphdr, daddr) }, | 87003 | [IFLA_VTI_REMOTE] = { .len = FIELD_SIZEOF(struct iphdr, daddr) }, |
86576 | }; | 87004 | }; |
86577 | 87005 | ||
@@ -88040,6 +88468,33 @@ index 5b1e5af..2358147 100644 | |||
88040 | } while (!res); | 88468 | } while (!res); |
88041 | return res; | 88469 | return res; |
88042 | } | 88470 | } |
88471 | diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c | ||
88472 | index 637a341..8dec687 100644 | ||
88473 | --- a/net/l2tp/l2tp_ppp.c | ||
88474 | +++ b/net/l2tp/l2tp_ppp.c | ||
88475 | @@ -346,19 +346,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh | ||
88476 | skb_put(skb, 2); | ||
88477 | |||
88478 | /* Copy user data into skb */ | ||
88479 | - error = memcpy_fromiovec(skb->data, m->msg_iov, total_len); | ||
88480 | + error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov, | ||
88481 | + total_len); | ||
88482 | if (error < 0) { | ||
88483 | kfree_skb(skb); | ||
88484 | goto error_put_sess_tun; | ||
88485 | } | ||
88486 | - skb_put(skb, total_len); | ||
88487 | |||
88488 | l2tp_xmit_skb(session, skb, session->hdr_len); | ||
88489 | |||
88490 | sock_put(ps->tunnel_sock); | ||
88491 | sock_put(sk); | ||
88492 | |||
88493 | - return error; | ||
88494 | + return total_len; | ||
88495 | |||
88496 | error_put_sess_tun: | ||
88497 | sock_put(ps->tunnel_sock); | ||
88043 | diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c | 88498 | diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c |
88044 | index 843d8c4..cb04fa1 100644 | 88499 | index 843d8c4..cb04fa1 100644 |
88045 | --- a/net/mac80211/cfg.c | 88500 | --- a/net/mac80211/cfg.c |
@@ -88344,7 +88799,7 @@ index 61f49d2..6c8c5bc 100644 | |||
88344 | if (ipvs->sync_state & IP_VS_STATE_MASTER) | 88799 | if (ipvs->sync_state & IP_VS_STATE_MASTER) |
88345 | ip_vs_sync_conn(net, cp, pkts); | 88800 | ip_vs_sync_conn(net, cp, pkts); |
88346 | diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c | 88801 | diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c |
88347 | index 9e2d1cc..7f8f569 100644 | 88802 | index 9e2d1cc..6ed0748 100644 |
88348 | --- a/net/netfilter/ipvs/ip_vs_ctl.c | 88803 | --- a/net/netfilter/ipvs/ip_vs_ctl.c |
88349 | +++ b/net/netfilter/ipvs/ip_vs_ctl.c | 88804 | +++ b/net/netfilter/ipvs/ip_vs_ctl.c |
88350 | @@ -787,7 +787,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest, | 88805 | @@ -787,7 +787,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest, |
@@ -88383,7 +88838,14 @@ index 9e2d1cc..7f8f569 100644 | |||
88383 | atomic_read(&dest->weight), | 88838 | atomic_read(&dest->weight), |
88384 | atomic_read(&dest->activeconns), | 88839 | atomic_read(&dest->activeconns), |
88385 | atomic_read(&dest->inactconns)); | 88840 | atomic_read(&dest->inactconns)); |
88386 | @@ -2568,7 +2568,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get, | 88841 | @@ -2562,13 +2562,14 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get, |
88842 | struct ip_vs_dest *dest; | ||
88843 | struct ip_vs_dest_entry entry; | ||
88844 | |||
88845 | + memset(&entry, 0, sizeof(entry)); | ||
88846 | list_for_each_entry(dest, &svc->destinations, n_list) { | ||
88847 | if (count >= get->num_dests) | ||
88848 | break; | ||
88387 | 88849 | ||
88388 | entry.addr = dest->addr.ip; | 88850 | entry.addr = dest->addr.ip; |
88389 | entry.port = dest->port; | 88851 | entry.port = dest->port; |
@@ -88392,7 +88854,7 @@ index 9e2d1cc..7f8f569 100644 | |||
88392 | entry.weight = atomic_read(&dest->weight); | 88854 | entry.weight = atomic_read(&dest->weight); |
88393 | entry.u_threshold = dest->u_threshold; | 88855 | entry.u_threshold = dest->u_threshold; |
88394 | entry.l_threshold = dest->l_threshold; | 88856 | entry.l_threshold = dest->l_threshold; |
88395 | @@ -3104,7 +3104,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest) | 88857 | @@ -3104,7 +3105,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest) |
88396 | if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) || | 88858 | if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) || |
88397 | nla_put_u16(skb, IPVS_DEST_ATTR_PORT, dest->port) || | 88859 | nla_put_u16(skb, IPVS_DEST_ATTR_PORT, dest->port) || |
88398 | nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD, | 88860 | nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD, |
@@ -88401,7 +88863,7 @@ index 9e2d1cc..7f8f569 100644 | |||
88401 | IP_VS_CONN_F_FWD_MASK)) || | 88863 | IP_VS_CONN_F_FWD_MASK)) || |
88402 | nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT, | 88864 | nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT, |
88403 | atomic_read(&dest->weight)) || | 88865 | atomic_read(&dest->weight)) || |
88404 | @@ -3694,7 +3694,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net) | 88866 | @@ -3694,7 +3695,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net) |
88405 | { | 88867 | { |
88406 | int idx; | 88868 | int idx; |
88407 | struct netns_ipvs *ipvs = net_ipvs(net); | 88869 | struct netns_ipvs *ipvs = net_ipvs(net); |
@@ -88847,7 +89309,7 @@ index 103bd70..f21aad3 100644 | |||
88847 | *uaddr_len = sizeof(struct sockaddr_ax25); | 89309 | *uaddr_len = sizeof(struct sockaddr_ax25); |
88848 | } | 89310 | } |
88849 | diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c | 89311 | diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c |
88850 | index f83e172..b57140d 100644 | 89312 | index f83e172..223ffe1 100644 |
88851 | --- a/net/packet/af_packet.c | 89313 | --- a/net/packet/af_packet.c |
88852 | +++ b/net/packet/af_packet.c | 89314 | +++ b/net/packet/af_packet.c |
88853 | @@ -1571,7 +1571,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, | 89315 | @@ -1571,7 +1571,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, |
@@ -88887,7 +89349,22 @@ index f83e172..b57140d 100644 | |||
88887 | 89349 | ||
88888 | msg->msg_flags |= MSG_ERRQUEUE; | 89350 | msg->msg_flags |= MSG_ERRQUEUE; |
88889 | err = copied; | 89351 | err = copied; |
88890 | @@ -3205,7 +3207,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, | 89352 | @@ -2769,12 +2771,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, |
89353 | return -EOPNOTSUPP; | ||
89354 | |||
89355 | uaddr->sa_family = AF_PACKET; | ||
89356 | + memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data)); | ||
89357 | rcu_read_lock(); | ||
89358 | dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex); | ||
89359 | if (dev) | ||
89360 | - strncpy(uaddr->sa_data, dev->name, 14); | ||
89361 | - else | ||
89362 | - memset(uaddr->sa_data, 0, 14); | ||
89363 | + strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); | ||
89364 | rcu_read_unlock(); | ||
89365 | *uaddr_len = sizeof(*uaddr); | ||
89366 | |||
89367 | @@ -3205,7 +3206,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, | ||
88891 | case PACKET_HDRLEN: | 89368 | case PACKET_HDRLEN: |
88892 | if (len > sizeof(int)) | 89369 | if (len > sizeof(int)) |
88893 | len = sizeof(int); | 89370 | len = sizeof(int); |
@@ -88896,7 +89373,7 @@ index f83e172..b57140d 100644 | |||
88896 | return -EFAULT; | 89373 | return -EFAULT; |
88897 | switch (val) { | 89374 | switch (val) { |
88898 | case TPACKET_V1: | 89375 | case TPACKET_V1: |
88899 | @@ -3247,7 +3249,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, | 89376 | @@ -3247,7 +3248,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, |
88900 | len = lv; | 89377 | len = lv; |
88901 | if (put_user(len, optlen)) | 89378 | if (put_user(len, optlen)) |
88902 | return -EFAULT; | 89379 | return -EFAULT; |
@@ -89432,6 +89909,33 @@ index 391a245..296b3d7 100644 | |||
89432 | } | 89909 | } |
89433 | 89910 | ||
89434 | /* Initialize IPv6 support and register with socket layer. */ | 89911 | /* Initialize IPv6 support and register with socket layer. */ |
89912 | diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c | ||
89913 | index 01dca75..e9426bb 100644 | ||
89914 | --- a/net/sctp/outqueue.c | ||
89915 | +++ b/net/sctp/outqueue.c | ||
89916 | @@ -206,6 +206,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary, | ||
89917 | */ | ||
89918 | void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q) | ||
89919 | { | ||
89920 | + memset(q, 0, sizeof(struct sctp_outq)); | ||
89921 | + | ||
89922 | q->asoc = asoc; | ||
89923 | INIT_LIST_HEAD(&q->out_chunk_list); | ||
89924 | INIT_LIST_HEAD(&q->control_chunk_list); | ||
89925 | @@ -213,13 +215,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q) | ||
89926 | INIT_LIST_HEAD(&q->sacked); | ||
89927 | INIT_LIST_HEAD(&q->abandoned); | ||
89928 | |||
89929 | - q->fast_rtx = 0; | ||
89930 | - q->outstanding_bytes = 0; | ||
89931 | q->empty = 1; | ||
89932 | - q->cork = 0; | ||
89933 | - | ||
89934 | - q->malloced = 0; | ||
89935 | - q->out_qlen = 0; | ||
89936 | } | ||
89937 | |||
89938 | /* Free the outqueue structure and any related pending chunks. | ||
89435 | diff --git a/net/sctp/probe.c b/net/sctp/probe.c | 89939 | diff --git a/net/sctp/probe.c b/net/sctp/probe.c |
89436 | index ad0dba8..e62c225 100644 | 89940 | index ad0dba8..e62c225 100644 |
89437 | --- a/net/sctp/probe.c | 89941 | --- a/net/sctp/probe.c |
@@ -89516,7 +90020,7 @@ index 8aab894..f6b7e7d 100644 | |||
89516 | sctp_generate_t1_cookie_event, | 90020 | sctp_generate_t1_cookie_event, |
89517 | sctp_generate_t1_init_event, | 90021 | sctp_generate_t1_init_event, |
89518 | diff --git a/net/sctp/socket.c b/net/sctp/socket.c | 90022 | diff --git a/net/sctp/socket.c b/net/sctp/socket.c |
89519 | index b907073..57fef6c 100644 | 90023 | index b907073..7bea2ca 100644 |
89520 | --- a/net/sctp/socket.c | 90024 | --- a/net/sctp/socket.c |
89521 | +++ b/net/sctp/socket.c | 90025 | +++ b/net/sctp/socket.c |
89522 | @@ -2166,11 +2166,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, | 90026 | @@ -2166,11 +2166,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, |
@@ -89534,7 +90038,20 @@ index b907073..57fef6c 100644 | |||
89534 | 90038 | ||
89535 | /* | 90039 | /* |
89536 | * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT, | 90040 | * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT, |
89537 | @@ -4215,13 +4217,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, | 90041 | @@ -4002,6 +4004,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk) |
90042 | |||
90043 | /* Release our hold on the endpoint. */ | ||
90044 | sp = sctp_sk(sk); | ||
90045 | + /* This could happen during socket init, thus we bail out | ||
90046 | + * early, since the rest of the below is not setup either. | ||
90047 | + */ | ||
90048 | + if (sp->ep == NULL) | ||
90049 | + return; | ||
90050 | + | ||
90051 | if (sp->do_auto_asconf) { | ||
90052 | sp->do_auto_asconf = 0; | ||
90053 | list_del(&sp->auto_asconf_list); | ||
90054 | @@ -4215,13 +4223,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, | ||
89538 | static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, | 90055 | static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, |
89539 | int __user *optlen) | 90056 | int __user *optlen) |
89540 | { | 90057 | { |
@@ -89552,7 +90069,7 @@ index b907073..57fef6c 100644 | |||
89552 | return -EFAULT; | 90069 | return -EFAULT; |
89553 | return 0; | 90070 | return 0; |
89554 | } | 90071 | } |
89555 | @@ -4239,6 +4244,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, | 90072 | @@ -4239,6 +4250,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, |
89556 | */ | 90073 | */ |
89557 | static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen) | 90074 | static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen) |
89558 | { | 90075 | { |
@@ -89561,7 +90078,7 @@ index b907073..57fef6c 100644 | |||
89561 | /* Applicable to UDP-style socket only */ | 90078 | /* Applicable to UDP-style socket only */ |
89562 | if (sctp_style(sk, TCP)) | 90079 | if (sctp_style(sk, TCP)) |
89563 | return -EOPNOTSUPP; | 90080 | return -EOPNOTSUPP; |
89564 | @@ -4247,7 +4254,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv | 90081 | @@ -4247,7 +4260,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv |
89565 | len = sizeof(int); | 90082 | len = sizeof(int); |
89566 | if (put_user(len, optlen)) | 90083 | if (put_user(len, optlen)) |
89567 | return -EFAULT; | 90084 | return -EFAULT; |
@@ -89571,7 +90088,7 @@ index b907073..57fef6c 100644 | |||
89571 | return -EFAULT; | 90088 | return -EFAULT; |
89572 | return 0; | 90089 | return 0; |
89573 | } | 90090 | } |
89574 | @@ -4619,12 +4627,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, | 90091 | @@ -4619,12 +4633,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, |
89575 | */ | 90092 | */ |
89576 | static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen) | 90093 | static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen) |
89577 | { | 90094 | { |
@@ -89588,7 +90105,7 @@ index b907073..57fef6c 100644 | |||
89588 | return -EFAULT; | 90105 | return -EFAULT; |
89589 | return 0; | 90106 | return 0; |
89590 | } | 90107 | } |
89591 | @@ -4665,6 +4676,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, | 90108 | @@ -4665,6 +4682,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, |
89592 | addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; | 90109 | addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; |
89593 | if (space_left < addrlen) | 90110 | if (space_left < addrlen) |
89594 | return -ENOMEM; | 90111 | return -ENOMEM; |
@@ -89620,7 +90137,7 @@ index bf3c6e8..376d8d0 100644 | |||
89620 | 90137 | ||
89621 | table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL); | 90138 | table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL); |
89622 | diff --git a/net/socket.c b/net/socket.c | 90139 | diff --git a/net/socket.c b/net/socket.c |
89623 | index 88f759a..c6933de 100644 | 90140 | index 88f759a..74be616 100644 |
89624 | --- a/net/socket.c | 90141 | --- a/net/socket.c |
89625 | +++ b/net/socket.c | 90142 | +++ b/net/socket.c |
89626 | @@ -88,6 +88,7 @@ | 90143 | @@ -88,6 +88,7 @@ |
@@ -89791,6 +90308,15 @@ index 88f759a..c6933de 100644 | |||
89791 | int err, err2; | 90308 | int err, err2; |
89792 | int fput_needed; | 90309 | int fput_needed; |
89793 | 90310 | ||
90311 | @@ -1978,7 +2040,7 @@ struct used_address { | ||
90312 | unsigned int name_len; | ||
90313 | }; | ||
90314 | |||
90315 | -static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg, | ||
90316 | +static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, | ||
90317 | struct msghdr *msg_sys, unsigned int flags, | ||
90318 | struct used_address *used_address) | ||
90319 | { | ||
89794 | @@ -2045,7 +2107,7 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg, | 90320 | @@ -2045,7 +2107,7 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg, |
89795 | * checking falls down on this. | 90321 | * checking falls down on this. |
89796 | */ | 90322 | */ |
@@ -89800,7 +90326,83 @@ index 88f759a..c6933de 100644 | |||
89800 | ctl_len)) | 90326 | ctl_len)) |
89801 | goto out_freectl; | 90327 | goto out_freectl; |
89802 | msg_sys->msg_control = ctl_buf; | 90328 | msg_sys->msg_control = ctl_buf; |
89803 | @@ -2185,7 +2247,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, | 90329 | @@ -2093,20 +2155,28 @@ out: |
90330 | * BSD sendmsg interface | ||
90331 | */ | ||
90332 | |||
90333 | +long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags) | ||
90334 | +{ | ||
90335 | + int fput_needed, err; | ||
90336 | + struct msghdr msg_sys; | ||
90337 | + struct socket *sock; | ||
90338 | + | ||
90339 | + sock = sockfd_lookup_light(fd, &err, &fput_needed); | ||
90340 | + if (!sock) | ||
90341 | + goto out; | ||
90342 | + | ||
90343 | + err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL); | ||
90344 | + | ||
90345 | + fput_light(sock->file, fput_needed); | ||
90346 | +out: | ||
90347 | + return err; | ||
90348 | +} | ||
90349 | + | ||
90350 | SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags) | ||
90351 | { | ||
90352 | - int fput_needed, err; | ||
90353 | - struct msghdr msg_sys; | ||
90354 | - struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed); | ||
90355 | - | ||
90356 | - if (!sock) | ||
90357 | - goto out; | ||
90358 | - | ||
90359 | - err = __sys_sendmsg(sock, msg, &msg_sys, flags, NULL); | ||
90360 | - | ||
90361 | - fput_light(sock->file, fput_needed); | ||
90362 | -out: | ||
90363 | - return err; | ||
90364 | + if (flags & MSG_CMSG_COMPAT) | ||
90365 | + return -EINVAL; | ||
90366 | + return __sys_sendmsg(fd, msg, flags); | ||
90367 | } | ||
90368 | |||
90369 | /* | ||
90370 | @@ -2139,15 +2209,16 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, | ||
90371 | |||
90372 | while (datagrams < vlen) { | ||
90373 | if (MSG_CMSG_COMPAT & flags) { | ||
90374 | - err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry, | ||
90375 | - &msg_sys, flags, &used_address); | ||
90376 | + err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry, | ||
90377 | + &msg_sys, flags, &used_address); | ||
90378 | if (err < 0) | ||
90379 | break; | ||
90380 | err = __put_user(err, &compat_entry->msg_len); | ||
90381 | ++compat_entry; | ||
90382 | } else { | ||
90383 | - err = __sys_sendmsg(sock, (struct msghdr __user *)entry, | ||
90384 | - &msg_sys, flags, &used_address); | ||
90385 | + err = ___sys_sendmsg(sock, | ||
90386 | + (struct msghdr __user *)entry, | ||
90387 | + &msg_sys, flags, &used_address); | ||
90388 | if (err < 0) | ||
90389 | break; | ||
90390 | err = put_user(err, &entry->msg_len); | ||
90391 | @@ -2171,10 +2242,12 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, | ||
90392 | SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg, | ||
90393 | unsigned int, vlen, unsigned int, flags) | ||
90394 | { | ||
90395 | + if (flags & MSG_CMSG_COMPAT) | ||
90396 | + return -EINVAL; | ||
90397 | return __sys_sendmmsg(fd, mmsg, vlen, flags); | ||
90398 | } | ||
90399 | |||
90400 | -static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, | ||
90401 | +static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, | ||
90402 | struct msghdr *msg_sys, unsigned int flags, int nosec) | ||
90403 | { | ||
90404 | struct compat_msghdr __user *msg_compat = | ||
90405 | @@ -2185,7 +2258,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, | ||
89804 | int err, total_len, len; | 90406 | int err, total_len, len; |
89805 | 90407 | ||
89806 | /* kernel mode address */ | 90408 | /* kernel mode address */ |
@@ -89809,7 +90411,7 @@ index 88f759a..c6933de 100644 | |||
89809 | 90411 | ||
89810 | /* user mode address pointers */ | 90412 | /* user mode address pointers */ |
89811 | struct sockaddr __user *uaddr; | 90413 | struct sockaddr __user *uaddr; |
89812 | @@ -2213,7 +2275,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, | 90414 | @@ -2213,7 +2286,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, |
89813 | * kernel msghdr to use the kernel address space) | 90415 | * kernel msghdr to use the kernel address space) |
89814 | */ | 90416 | */ |
89815 | 90417 | ||
@@ -89818,7 +90420,84 @@ index 88f759a..c6933de 100644 | |||
89818 | uaddr_len = COMPAT_NAMELEN(msg); | 90420 | uaddr_len = COMPAT_NAMELEN(msg); |
89819 | if (MSG_CMSG_COMPAT & flags) { | 90421 | if (MSG_CMSG_COMPAT & flags) { |
89820 | err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE); | 90422 | err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE); |
89821 | @@ -2952,7 +3014,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, | 90423 | @@ -2266,21 +2339,29 @@ out: |
90424 | * BSD recvmsg interface | ||
90425 | */ | ||
90426 | |||
90427 | +long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags) | ||
90428 | +{ | ||
90429 | + int fput_needed, err; | ||
90430 | + struct msghdr msg_sys; | ||
90431 | + struct socket *sock; | ||
90432 | + | ||
90433 | + sock = sockfd_lookup_light(fd, &err, &fput_needed); | ||
90434 | + if (!sock) | ||
90435 | + goto out; | ||
90436 | + | ||
90437 | + err = ___sys_recvmsg(sock, msg, &msg_sys, flags, 0); | ||
90438 | + | ||
90439 | + fput_light(sock->file, fput_needed); | ||
90440 | +out: | ||
90441 | + return err; | ||
90442 | +} | ||
90443 | + | ||
90444 | SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg, | ||
90445 | unsigned int, flags) | ||
90446 | { | ||
90447 | - int fput_needed, err; | ||
90448 | - struct msghdr msg_sys; | ||
90449 | - struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed); | ||
90450 | - | ||
90451 | - if (!sock) | ||
90452 | - goto out; | ||
90453 | - | ||
90454 | - err = __sys_recvmsg(sock, msg, &msg_sys, flags, 0); | ||
90455 | - | ||
90456 | - fput_light(sock->file, fput_needed); | ||
90457 | -out: | ||
90458 | - return err; | ||
90459 | + if (flags & MSG_CMSG_COMPAT) | ||
90460 | + return -EINVAL; | ||
90461 | + return __sys_recvmsg(fd, msg, flags); | ||
90462 | } | ||
90463 | |||
90464 | /* | ||
90465 | @@ -2320,17 +2401,18 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, | ||
90466 | * No need to ask LSM for more than the first datagram. | ||
90467 | */ | ||
90468 | if (MSG_CMSG_COMPAT & flags) { | ||
90469 | - err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry, | ||
90470 | - &msg_sys, flags & ~MSG_WAITFORONE, | ||
90471 | - datagrams); | ||
90472 | + err = ___sys_recvmsg(sock, (struct msghdr __user *)compat_entry, | ||
90473 | + &msg_sys, flags & ~MSG_WAITFORONE, | ||
90474 | + datagrams); | ||
90475 | if (err < 0) | ||
90476 | break; | ||
90477 | err = __put_user(err, &compat_entry->msg_len); | ||
90478 | ++compat_entry; | ||
90479 | } else { | ||
90480 | - err = __sys_recvmsg(sock, (struct msghdr __user *)entry, | ||
90481 | - &msg_sys, flags & ~MSG_WAITFORONE, | ||
90482 | - datagrams); | ||
90483 | + err = ___sys_recvmsg(sock, | ||
90484 | + (struct msghdr __user *)entry, | ||
90485 | + &msg_sys, flags & ~MSG_WAITFORONE, | ||
90486 | + datagrams); | ||
90487 | if (err < 0) | ||
90488 | break; | ||
90489 | err = put_user(err, &entry->msg_len); | ||
90490 | @@ -2397,6 +2479,9 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, | ||
90491 | int datagrams; | ||
90492 | struct timespec timeout_sys; | ||
90493 | |||
90494 | + if (flags & MSG_CMSG_COMPAT) | ||
90495 | + return -EINVAL; | ||
90496 | + | ||
90497 | if (!timeout) | ||
90498 | return __sys_recvmmsg(fd, mmsg, vlen, flags, NULL); | ||
90499 | |||
90500 | @@ -2952,7 +3037,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, | ||
89822 | old_fs = get_fs(); | 90501 | old_fs = get_fs(); |
89823 | set_fs(KERNEL_DS); | 90502 | set_fs(KERNEL_DS); |
89824 | err = dev_ioctl(net, cmd, | 90503 | err = dev_ioctl(net, cmd, |
@@ -89827,7 +90506,7 @@ index 88f759a..c6933de 100644 | |||
89827 | set_fs(old_fs); | 90506 | set_fs(old_fs); |
89828 | 90507 | ||
89829 | return err; | 90508 | return err; |
89830 | @@ -3061,7 +3123,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, | 90509 | @@ -3061,7 +3146,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, |
89831 | 90510 | ||
89832 | old_fs = get_fs(); | 90511 | old_fs = get_fs(); |
89833 | set_fs(KERNEL_DS); | 90512 | set_fs(KERNEL_DS); |
@@ -89836,7 +90515,7 @@ index 88f759a..c6933de 100644 | |||
89836 | set_fs(old_fs); | 90515 | set_fs(old_fs); |
89837 | 90516 | ||
89838 | if (cmd == SIOCGIFMAP && !err) { | 90517 | if (cmd == SIOCGIFMAP && !err) { |
89839 | @@ -3166,7 +3228,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, | 90518 | @@ -3166,7 +3251,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, |
89840 | ret |= __get_user(rtdev, &(ur4->rt_dev)); | 90519 | ret |= __get_user(rtdev, &(ur4->rt_dev)); |
89841 | if (rtdev) { | 90520 | if (rtdev) { |
89842 | ret |= copy_from_user(devname, compat_ptr(rtdev), 15); | 90521 | ret |= copy_from_user(devname, compat_ptr(rtdev), 15); |
@@ -89845,7 +90524,7 @@ index 88f759a..c6933de 100644 | |||
89845 | devname[15] = 0; | 90524 | devname[15] = 0; |
89846 | } else | 90525 | } else |
89847 | r4.rt_dev = NULL; | 90526 | r4.rt_dev = NULL; |
89848 | @@ -3392,8 +3454,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, | 90527 | @@ -3392,8 +3477,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, |
89849 | int __user *uoptlen; | 90528 | int __user *uoptlen; |
89850 | int err; | 90529 | int err; |
89851 | 90530 | ||
@@ -89856,7 +90535,7 @@ index 88f759a..c6933de 100644 | |||
89856 | 90535 | ||
89857 | set_fs(KERNEL_DS); | 90536 | set_fs(KERNEL_DS); |
89858 | if (level == SOL_SOCKET) | 90537 | if (level == SOL_SOCKET) |
89859 | @@ -3413,7 +3475,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, | 90538 | @@ -3413,7 +3498,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, |
89860 | char __user *uoptval; | 90539 | char __user *uoptval; |
89861 | int err; | 90540 | int err; |
89862 | 90541 | ||