authorNatanael Copa <ncopa@alpinelinux.org>2013-06-18 06:47:53 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-06-19 06:38:20 +0000
commitbcbc45908a6264b88bb5f2f62f182f27d167bcf8 (patch)
tree117fbdfcf749f9eb6c7bb166a3552e601805ab31
parent308a108d91e3b3310ca9175bf5663ff2c5f0e6ff (diff)
main/linux-grsec: upgrade to 3.9.6 and fix CVE-2013-2851
fixes #2078 fixes #2089 fixes #2094 (cherry picked from commit b52eb6193eb9c18980886ff25d2e4e41dd887078)
-rw-r--r--main/linux-grsec/APKBUILD23
-rw-r--r--main/linux-grsec/CVE-2013-2851.patch60
-rw-r--r--main/linux-grsec/grsecurity-2.9.1-3.9.6-201306171904.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.9.5-201306111850.patch)845
3 files changed, 836 insertions, 92 deletions
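diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index bbaacff686..cd5bb17371 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,12 +2,12 @@
 
 _flavor=grsec
 pkgname=linux-${_flavor}
-pkgver=3.9.5
+pkgver=3.9.6
 case $pkgver in
 *.*.*) _kernver=${pkgver%.*};;
 *.*) _kernver=${pkgver};;
 esac
-pkgrel=1
+pkgrel=0
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
 install=
 source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
  http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9.1-3.9.5-201306111850.patch
+ grsecurity-2.9.1-3.9.6-201306171904.patch
 
  0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
  0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
@@ -26,6 +26,8 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
  0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
  0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
 
+ CVE-2013-2851.patch
+
  kernelconfig.x86
  kernelconfig.x86_64
  "
@@ -149,35 +151,38 @@ dev() {
 }
 
 md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz
-aa22187ae5cd482a69097e9e59244491 patch-3.9.5.xz
-cbc169ce43edf201acb158ce7e468516 grsecurity-2.9.1-3.9.5-201306111850.patch
+897cffc5167a561b38c6748e7f0a4215 patch-3.9.6.xz
+8c9e11d9121958fa866b330ed3dbe4bd grsecurity-2.9.1-3.9.6-201306171904.patch
 a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
 2a12a3717052e878c0cd42aa935bfcf4 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
 6ce5fed63aad3f1a1ff1b9ba7b741822 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
 1a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
+eca3b4897b2a2191576ba719609cc654 CVE-2013-2851.patch
 3e219a1f25136b204d00865939532fe9 kernelconfig.x86
 1d057c89927a68e5f44896887ad3e379 kernelconfig.x86_64"
 sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz
-f25145ff6ddde7a633839aabfd97b0d8239e14c494fd16210871229a35c1c0de patch-3.9.5.xz
-12ea825b5494c41529d1b3dda89fe592d6b4fc06d027b2e7f2e9a1ae41c3617c grsecurity-2.9.1-3.9.5-201306111850.patch
+13296dad939ef4e05adba87b9d0476aa8e2ccf92866f14835327dae8a1402fc3 patch-3.9.6.xz
+a14302153a717e8cf8346c44ed4ac620b87a38795afa72c3f61797eab221290d grsecurity-2.9.1-3.9.6-201306171904.patch
 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
 260fd1807838b68305a96992bf7d3302a2a8ef3a3b08fe079ba9a07e6422f736 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
 ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
 fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
+461d159751095d3624d74867dc8b3e3865e3a67c4b3cd48188f5ae2f1f1f66cb CVE-2013-2851.patch
 cc3bd3d23f6a73ea6488c158de9d195ad5e3d87859ce02d92a04f0e08c9503d3 kernelconfig.x86
 b780ef646b3b30a5b0307102367e17d45bb3a0ab7e37cf92a1ce783c3149243a kernelconfig.x86_64"
 sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz
-8e9a064adadd062c7ca52c44de19dfd46b029e60f2832988a606e086b669ea699861ec57732d4abfb16e486f767d123fcfd66da7c2ddde380b7c13582bb44983 patch-3.9.5.xz
-e52a55753c0821c08578924abe2d6ccc02743050e71c827fefd21e616a887e45459f3a7eb56b22b6ec0d25555cbb37f0df5cd1fe695b2277dfd7109f4f84ae8a grsecurity-2.9.1-3.9.5-201306111850.patch
+6c79bde85d86c7e7dca160d5bdd5826ae05ed41cb372d0a94e4f9840413351a8bc1fec50159d59dbac462345bd13c31c6c4d8c47187ee6d87b4d71c8560093da patch-3.9.6.xz
+fe8a4fffb18b6ef88951e97cd20e464674e10d2a6a76a0b17d4922b87b24c6653a81d798f0b93dfb7545da011a29d73dfafd73b258f528bbe81984ef24c137ac grsecurity-2.9.1-3.9.6-201306171904.patch
 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
 d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d711e3486628ed56ab996484e219d79ac4b0c0ec684ebd380aa 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
 28a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
 249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
+5e5c9ac96b87efc811bd612774934a5fb8635a34d7fbe13ea80f5a8da19efa2a71f0bcab08a85224612f332d7485cea1d6cbd4d64644d90a3dd576f3458e5a99 CVE-2013-2851.patch
 00fd8694455935f96e46b6624388b8c04af27ce4295040362da78c34bf9f08382bc69c1b8b273145573a59e3b4eecfa251119560da19ab390f171a8a6da18298 kernelconfig.x86
 6276f503f9dd7ea228b1661f9a36edcf18d2c4cfb6d9c4e3e1496a4f70709cc693fc8498186d86dd3f303c909c50e478cb95e08a05f50bda77c9cf165aca1ba1 kernelconfig.x86_64"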
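diff --git a/main/linux-grsec/CVE-2013-2851.patch b/main/linux-grsec/CVE-2013-2851.patch
new file mode 100644
index 0000000000..3407731c7d
--- /dev/null
+++ b/main/linux-grsec/CVE-2013-2851.patch
@@ -0,0 +1,60 @@
+Subject: [PATCH 1/8] block: do not pass disk names as format strings
+
+Disk names may contain arbitrary strings, so they must not be interpreted
+as format strings. It seems that only md allows arbitrary strings to be
+used for disk names, but this could allow for a local memory corruption
+from uid 0 into ring 0.
+
+CVE-2013-2851
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Cc: Jens Axboe <axboe@kernel.dk>
+---
+ block/genhd.c | 2 +-
+ drivers/block/nbd.c | 3 ++-
+ drivers/scsi/osd/osd_uld.c | 2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 20625ee..cdeb527 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
+
+ ddev->parent = disk->driverfs_dev;
+
+- dev_set_name(ddev, disk->disk_name);
++ dev_set_name(ddev, "%s", disk->disk_name);
+
+ /* delay uevents, until we scanned partition table */
+ dev_set_uevent_suppress(ddev, 1);
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 037288e..46b35f7 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
+ else
+ blk_queue_flush(nbd->disk->queue, 0);
+
+- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
++ thread = kthread_create(nbd_thread, nbd, "%s",
++ nbd->disk->disk_name);
+ if (IS_ERR(thread)) {
+ mutex_lock(&nbd->tx_lock);
+ return PTR_ERR(thread);
+diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
+index 0fab6b5..9d86947 100644
+--- a/drivers/scsi/osd/osd_uld.c
++++ b/drivers/scsi/osd/osd_uld.c
+@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
+ oud->class_dev.class = &osd_uld_class;
+ oud->class_dev.parent = dev;
+ oud->class_dev.release = __remove;
+- error = dev_set_name(&oud->class_dev, disk->disk_name);
++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
+ if (error) {
+ OSD_ERR("dev_set_name failed => %d\n", error);
+ goto err_put_cdev;
+--
+1.7.9.5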
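Review bot: The carried file is labelled `[PATCH 1/8]` in its Subject line, yet this commit adds only this one part, and the header keeps no `From:`/`Date:` line or upstream commit reference, so nothing in the tree records whether the other seven parts were checked against this kernel. The three call sites changed here (`dev_set_name` in block/genhd.c and drivers/scsi/osd/osd_uld.c, `kthread_create` in drivers/block/nbd.c) each gain the `"%s"` format, so the fix looks complete for the sites it covers; the enclosing functions continue outside the quoted hunks. I would add a provenance line at the top of the patch, e.g. `Upstream-commit: <UPSTREAM_COMMIT_ID>`, plus a one-line remark on why parts 2-8 are not carried, so the patch can be dropped with confidence once a later pkgver already contains it.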
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.5-201306111850.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.6-201306171904.patch
index 183d9f7a54..430bb2aca9 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.9.5-201306111850.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.9.6-201306171904.patch
@@ -259,7 +259,7 @@ index 8ccbf27..afffeb4 100644
259 259
260 pcd. [PARIDE] 260 pcd. [PARIDE]
261diff --git a/Makefile b/Makefile 261diff --git a/Makefile b/Makefile
262index 8818c95..ced0bb1 100644 262index 4a40307..9ac699b 100644
263--- a/Makefile 263--- a/Makefile
264+++ b/Makefile 264+++ b/Makefile
265@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ 265@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -6682,10 +6682,10 @@ index 2e3200c..72095ce 100644
6682 /* Find this entry, or if that fails, the next avail. entry */ 6682 /* Find this entry, or if that fails, the next avail. entry */
6683 while (entry->jump[0]) { 6683 while (entry->jump[0]) {
6684diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c 6684diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
6685index 16e77a8..4501b41 100644 6685index 9600c36..0c156d7 100644
6686--- a/arch/powerpc/kernel/process.c 6686--- a/arch/powerpc/kernel/process.c
6687+++ b/arch/powerpc/kernel/process.c 6687+++ b/arch/powerpc/kernel/process.c
6688@@ -870,8 +870,8 @@ void show_regs(struct pt_regs * regs) 6688@@ -871,8 +871,8 @@ void show_regs(struct pt_regs * regs)
6689 * Lookup NIP late so we have the best change of getting the 6689 * Lookup NIP late so we have the best change of getting the
6690 * above info out without failing 6690 * above info out without failing
6691 */ 6691 */
@@ -6696,7 +6696,7 @@ index 16e77a8..4501b41 100644
6696 #endif 6696 #endif
6697 #ifdef CONFIG_PPC_TRANSACTIONAL_MEM 6697 #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
6698 printk("PACATMSCRATCH [%llx]\n", get_paca()->tm_scratch); 6698 printk("PACATMSCRATCH [%llx]\n", get_paca()->tm_scratch);
6699@@ -1330,10 +1330,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) 6699@@ -1331,10 +1331,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
6700 newsp = stack[0]; 6700 newsp = stack[0];
6701 ip = stack[STACK_FRAME_LR_SAVE]; 6701 ip = stack[STACK_FRAME_LR_SAVE];
6702 if (!firstframe || ip != lr) { 6702 if (!firstframe || ip != lr) {
@@ -6709,7 +6709,7 @@ index 16e77a8..4501b41 100644
6709 (void *)current->ret_stack[curr_frame].ret); 6709 (void *)current->ret_stack[curr_frame].ret);
6710 curr_frame--; 6710 curr_frame--;
6711 } 6711 }
6712@@ -1353,7 +1353,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) 6712@@ -1354,7 +1354,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
6713 struct pt_regs *regs = (struct pt_regs *) 6713 struct pt_regs *regs = (struct pt_regs *)
6714 (sp + STACK_FRAME_OVERHEAD); 6714 (sp + STACK_FRAME_OVERHEAD);
6715 lr = regs->link; 6715 lr = regs->link;
@@ -6718,7 +6718,7 @@ index 16e77a8..4501b41 100644
6718 regs->trap, (void *)regs->nip, (void *)lr); 6718 regs->trap, (void *)regs->nip, (void *)lr);
6719 firstframe = 1; 6719 firstframe = 1;
6720 } 6720 }
6721@@ -1395,58 +1395,3 @@ void __ppc64_runlatch_off(void) 6721@@ -1396,58 +1396,3 @@ void __ppc64_runlatch_off(void)
6722 mtspr(SPRN_CTRLT, ctrl); 6722 mtspr(SPRN_CTRLT, ctrl);
6723 } 6723 }
6724 #endif /* CONFIG_PPC64 */ 6724 #endif /* CONFIG_PPC64 */
@@ -6856,7 +6856,7 @@ index 3ce1f86..c30e629 100644
6856 }; 6856 };
6857 6857
6858diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c 6858diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
6859index 1c22b2d..3b56e67 100644 6859index 29857c6..bd31e27 100644
6860--- a/arch/powerpc/kernel/traps.c 6860--- a/arch/powerpc/kernel/traps.c
6861+++ b/arch/powerpc/kernel/traps.c 6861+++ b/arch/powerpc/kernel/traps.c
6862@@ -142,6 +142,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs) 6862@@ -142,6 +142,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs)
@@ -31363,10 +31363,10 @@ index e006c18..b9a7d6c 100644
31363 .alloc_pud = xen_alloc_pmd_init, 31363 .alloc_pud = xen_alloc_pmd_init,
31364 .release_pud = xen_release_pmd_init, 31364 .release_pud = xen_release_pmd_init,
31365diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c 31365diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
31366index 22c800a..8915f1e 100644 31366index 96c4e85..284fded 100644
31367--- a/arch/x86/xen/smp.c 31367--- a/arch/x86/xen/smp.c
31368+++ b/arch/x86/xen/smp.c 31368+++ b/arch/x86/xen/smp.c
31369@@ -229,11 +229,6 @@ static void __init xen_smp_prepare_boot_cpu(void) 31369@@ -230,11 +230,6 @@ static void __init xen_smp_prepare_boot_cpu(void)
31370 { 31370 {
31371 BUG_ON(smp_processor_id() != 0); 31371 BUG_ON(smp_processor_id() != 0);
31372 native_smp_prepare_boot_cpu(); 31372 native_smp_prepare_boot_cpu();
@@ -31378,7 +31378,7 @@ index 22c800a..8915f1e 100644
31378 xen_filter_cpu_maps(); 31378 xen_filter_cpu_maps();
31379 xen_setup_vcpu_info_placement(); 31379 xen_setup_vcpu_info_placement();
31380 } 31380 }
31381@@ -303,7 +298,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) 31381@@ -304,7 +299,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
31382 ctxt->user_regs.ss = __KERNEL_DS; 31382 ctxt->user_regs.ss = __KERNEL_DS;
31383 #ifdef CONFIG_X86_32 31383 #ifdef CONFIG_X86_32
31384 ctxt->user_regs.fs = __KERNEL_PERCPU; 31384 ctxt->user_regs.fs = __KERNEL_PERCPU;
@@ -31387,7 +31387,7 @@ index 22c800a..8915f1e 100644
31387 #else 31387 #else
31388 ctxt->gs_base_kernel = per_cpu_offset(cpu); 31388 ctxt->gs_base_kernel = per_cpu_offset(cpu);
31389 #endif 31389 #endif
31390@@ -313,8 +308,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) 31390@@ -314,8 +309,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
31391 31391
31392 { 31392 {
31393 ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */ 31393 ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */
@@ -31398,7 +31398,7 @@ index 22c800a..8915f1e 100644
31398 31398
31399 xen_copy_trap_info(ctxt->trap_ctxt); 31399 xen_copy_trap_info(ctxt->trap_ctxt);
31400 31400
31401@@ -359,13 +354,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle) 31401@@ -360,13 +355,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle)
31402 int rc; 31402 int rc;
31403 31403
31404 per_cpu(current_task, cpu) = idle; 31404 per_cpu(current_task, cpu) = idle;
@@ -31414,7 +31414,7 @@ index 22c800a..8915f1e 100644
31414 #endif 31414 #endif
31415 xen_setup_runstate_info(cpu); 31415 xen_setup_runstate_info(cpu);
31416 xen_setup_timer(cpu); 31416 xen_setup_timer(cpu);
31417@@ -634,7 +628,7 @@ static const struct smp_ops xen_smp_ops __initconst = { 31417@@ -642,7 +636,7 @@ static const struct smp_ops xen_smp_ops __initconst = {
31418 31418
31419 void __init xen_smp_init(void) 31419 void __init xen_smp_init(void)
31420 { 31420 {
@@ -33945,7 +33945,7 @@ index 2c644af..d4d7f17 100644
33945 33945
33946 static int memory_open(struct inode *inode, struct file *filp) 33946 static int memory_open(struct inode *inode, struct file *filp)
33947diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c 33947diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c
33948index c689697..04e6d6a 100644 33948index c689697..04e6d6a2 100644
33949--- a/drivers/char/mwave/tp3780i.c 33949--- a/drivers/char/mwave/tp3780i.c
33950+++ b/drivers/char/mwave/tp3780i.c 33950+++ b/drivers/char/mwave/tp3780i.c
33951@@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities 33951@@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities
@@ -34259,7 +34259,7 @@ index ade7513..069445f 100644
34259 }; 34259 };
34260 34260
34261diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c 34261diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
34262index 57a8774..545e993 100644 34262index bb5939b..d9accb7 100644
34263--- a/drivers/cpufreq/acpi-cpufreq.c 34263--- a/drivers/cpufreq/acpi-cpufreq.c
34264+++ b/drivers/cpufreq/acpi-cpufreq.c 34264+++ b/drivers/cpufreq/acpi-cpufreq.c
34265@@ -172,7 +172,7 @@ static ssize_t show_global_boost(struct kobject *kobj, 34265@@ -172,7 +172,7 @@ static ssize_t show_global_boost(struct kobject *kobj,
@@ -35394,10 +35394,10 @@ index 3c7bb04..182e049 100644
35394 iir = I915_READ(IIR); 35394 iir = I915_READ(IIR);
35395 35395
35396diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c 35396diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
35397index c2d173a..f4357cc 100644 35397index 2ab65b4..acbd821 100644
35398--- a/drivers/gpu/drm/i915/intel_display.c 35398--- a/drivers/gpu/drm/i915/intel_display.c
35399+++ b/drivers/gpu/drm/i915/intel_display.c 35399+++ b/drivers/gpu/drm/i915/intel_display.c
35400@@ -8722,13 +8722,13 @@ struct intel_quirk { 35400@@ -8742,13 +8742,13 @@ struct intel_quirk {
35401 int subsystem_vendor; 35401 int subsystem_vendor;
35402 int subsystem_device; 35402 int subsystem_device;
35403 void (*hook)(struct drm_device *dev); 35403 void (*hook)(struct drm_device *dev);
@@ -35413,7 +35413,7 @@ index c2d173a..f4357cc 100644
35413 35413
35414 static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) 35414 static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
35415 { 35415 {
35416@@ -8736,18 +8736,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) 35416@@ -8756,18 +8756,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
35417 return 1; 35417 return 1;
35418 } 35418 }
35419 35419
@@ -35927,7 +35927,7 @@ index 6c0ce89..66f6d65 100644
35927 #endif 35927 #endif
35928 return radeon_debugfs_add_files(rdev, radeon_mem_types_list, i); 35928 return radeon_debugfs_add_files(rdev, radeon_mem_types_list, i);
35929diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c 35929diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c
35930index 5706d2a..17aedaa 100644 35930index fad6633..4ff94de 100644
35931--- a/drivers/gpu/drm/radeon/rs690.c 35931--- a/drivers/gpu/drm/radeon/rs690.c
35932+++ b/drivers/gpu/drm/radeon/rs690.c 35932+++ b/drivers/gpu/drm/radeon/rs690.c
35933@@ -304,9 +304,11 @@ static void rs690_crtc_bandwidth_compute(struct radeon_device *rdev, 35933@@ -304,9 +304,11 @@ static void rs690_crtc_bandwidth_compute(struct radeon_device *rdev,
@@ -39635,6 +39635,19 @@ index 25309bf..fcfd54c 100644
39635 #define CHIPREV_ID_5750_C2 0x4202 39635 #define CHIPREV_ID_5750_C2 0x4202
39636 #define CHIPREV_ID_5752_A0_HW 0x5000 39636 #define CHIPREV_ID_5752_A0_HW 0x5000
39637 #define CHIPREV_ID_5752_A0 0x6000 39637 #define CHIPREV_ID_5752_A0 0x6000
39638diff --git a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
39639index 6e8bc9d..94d957d 100644
39640--- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
39641+++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
39642@@ -244,7 +244,7 @@ bnad_debugfs_lseek(struct file *file, loff_t offset, int orig)
39643 file->f_pos += offset;
39644 break;
39645 case 2:
39646- file->f_pos = debug->buffer_len - offset;
39647+ file->f_pos = debug->buffer_len + offset;
39648 break;
39649 default:
39650 return -EINVAL;
39638diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h 39651diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
39639index 8cffcdf..aadf043 100644 39652index 8cffcdf..aadf043 100644
39640--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h 39653--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
@@ -40374,6 +40387,19 @@ index 784e81c..349e01e 100644
40374 40387
40375 struct ath_nf_limits { 40388 struct ath_nf_limits {
40376 s16 max; 40389 s16 max;
40390diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
40391index 64b637a..911c4c0 100644
40392--- a/drivers/net/wireless/b43/main.c
40393+++ b/drivers/net/wireless/b43/main.c
40394@@ -2451,7 +2451,7 @@ static void b43_request_firmware(struct work_struct *work)
40395 for (i = 0; i < B43_NR_FWTYPES; i++) {
40396 errmsg = ctx->errors[i];
40397 if (strlen(errmsg))
40398- b43err(dev->wl, errmsg);
40399+ b43err(dev->wl, "%s", errmsg);
40400 }
40401 b43_print_fw_helptext(dev->wl, 1);
40402 goto out;
40377diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c 40403diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c
40378index c353b5f..62aaca2 100644 40404index c353b5f..62aaca2 100644
40379--- a/drivers/net/wireless/iwlegacy/3945-mac.c 40405--- a/drivers/net/wireless/iwlegacy/3945-mac.c
@@ -40575,6 +40601,46 @@ index 2b49f48..14fc244 100644
40575 } 40601 }
40576 40602
40577 spin_lock_init(&hwsim_radio_lock); 40603 spin_lock_init(&hwsim_radio_lock);
40604diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c
40605index 753b568..a5f9875 100644
40606--- a/drivers/net/wireless/mwifiex/debugfs.c
40607+++ b/drivers/net/wireless/mwifiex/debugfs.c
40608@@ -26,10 +26,17 @@
40609 static struct dentry *mwifiex_dfs_dir;
40610
40611 static char *bss_modes[] = {
40612- "Unknown",
40613- "Ad-hoc",
40614- "Managed",
40615- "Auto"
40616+ "UNSPECIFIED",
40617+ "ADHOC",
40618+ "STATION",
40619+ "AP",
40620+ "AP_VLAN",
40621+ "WDS",
40622+ "MONITOR",
40623+ "MESH_POINT",
40624+ "P2P_CLIENT",
40625+ "P2P_GO",
40626+ "P2P_DEVICE",
40627 };
40628
40629 /* size/addr for mwifiex_debug_info */
40630@@ -200,7 +207,12 @@ mwifiex_info_read(struct file *file, char __user *ubuf,
40631 p += sprintf(p, "driver_version = %s", fmt);
40632 p += sprintf(p, "\nverext = %s", priv->version_str);
40633 p += sprintf(p, "\ninterface_name=\"%s\"\n", netdev->name);
40634- p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]);
40635+
40636+ if (info.bss_mode >= ARRAY_SIZE(bss_modes))
40637+ p += sprintf(p, "bss_mode=\"%d\"\n", info.bss_mode);
40638+ else
40639+ p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]);
40640+
40641 p += sprintf(p, "media_state=\"%s\"\n",
40642 (!priv->media_connected ? "Disconnected" : "Connected"));
40643 p += sprintf(p, "mac_address=\"%pM\"\n", netdev->dev_addr);
40578diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c 40644diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
40579index 525fd75..6c9f791 100644 40645index 525fd75..6c9f791 100644
40580--- a/drivers/net/wireless/rndis_wlan.c 40646--- a/drivers/net/wireless/rndis_wlan.c
@@ -41068,7 +41134,7 @@ index d320df6..ca9a8f6 100644
41068 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1) 41134 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
41069 41135
41070diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c 41136diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
41071index 5427787..8df273b 100644 41137index 563771f..4e3c368 100644
41072--- a/drivers/pci/probe.c 41138--- a/drivers/pci/probe.c
41073+++ b/drivers/pci/probe.c 41139+++ b/drivers/pci/probe.c
41074@@ -173,7 +173,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, 41140@@ -173,7 +173,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
@@ -41613,6 +41679,32 @@ index 23a90e7..9cf04ee 100644
41613 41679
41614 /* 41680 /*
41615 * Queue element to wait for room in request queue. FIFO order is 41681 * Queue element to wait for room in request queue. FIFO order is
41682diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c
41683index 439c012..b63d534 100644
41684--- a/drivers/scsi/bfa/bfad_debugfs.c
41685+++ b/drivers/scsi/bfa/bfad_debugfs.c
41686@@ -186,7 +186,7 @@ bfad_debugfs_lseek(struct file *file, loff_t offset, int orig)
41687 file->f_pos += offset;
41688 break;
41689 case 2:
41690- file->f_pos = debug->buffer_len - offset;
41691+ file->f_pos = debug->buffer_len + offset;
41692 break;
41693 default:
41694 return -EINVAL;
41695diff --git a/drivers/scsi/fnic/fnic_debugfs.c b/drivers/scsi/fnic/fnic_debugfs.c
41696index adc1f7f..85e1ffd 100644
41697--- a/drivers/scsi/fnic/fnic_debugfs.c
41698+++ b/drivers/scsi/fnic/fnic_debugfs.c
41699@@ -174,7 +174,7 @@ static loff_t fnic_trace_debugfs_lseek(struct file *file,
41700 pos = file->f_pos + offset;
41701 break;
41702 case 2:
41703- pos = fnic_dbg_prt->buffer_len - offset;
41704+ pos = fnic_dbg_prt->buffer_len + offset;
41705 }
41706 return (pos < 0 || pos > fnic_dbg_prt->buffer_len) ?
41707 -EINVAL : (file->f_pos = pos);
41616diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c 41708diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
41617index df0c3c7..b00e1d0 100644 41709index df0c3c7..b00e1d0 100644
41618--- a/drivers/scsi/hosts.c 41710--- a/drivers/scsi/hosts.c
@@ -41967,7 +42059,7 @@ index 7706c99..3b4fc0c 100644
41967 struct dentry *idiag_root; 42059 struct dentry *idiag_root;
41968 struct dentry *idiag_pci_cfg; 42060 struct dentry *idiag_pci_cfg;
41969diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c 42061diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
41970index f63f5ff..de29189 100644 42062index f63f5ff..32549a4 100644
41971--- a/drivers/scsi/lpfc/lpfc_debugfs.c 42063--- a/drivers/scsi/lpfc/lpfc_debugfs.c
41972+++ b/drivers/scsi/lpfc/lpfc_debugfs.c 42064+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
41973@@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc, 42065@@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc,
@@ -42031,6 +42123,15 @@ index f63f5ff..de29189 100644
42031 dtp->jif = jiffies; 42123 dtp->jif = jiffies;
42032 #endif 42124 #endif
42033 return; 42125 return;
42126@@ -1178,7 +1178,7 @@ lpfc_debugfs_lseek(struct file *file, loff_t off, int whence)
42127 pos = file->f_pos + off;
42128 break;
42129 case 2:
42130- pos = debug->len - off;
42131+ pos = debug->len + off;
42132 }
42133 return (pos < 0 || pos > debug->len) ? -EINVAL : (file->f_pos = pos);
42134 }
42034@@ -4182,7 +4182,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) 42135@@ -4182,7 +4182,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
42035 "slow_ring buffer\n"); 42136 "slow_ring buffer\n");
42036 goto debug_failed; 42137 goto debug_failed;
@@ -51123,6 +51224,45 @@ index f3190ab..84ffb21 100644
51123 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len); 51224 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
51124 51225
51125 return 0; 51226 return 0;
51227diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
51228index 3beae6a..8cc5637 100644
51229--- a/fs/ext4/resize.c
51230+++ b/fs/ext4/resize.c
51231@@ -79,12 +79,20 @@ static int verify_group_input(struct super_block *sb,
51232 ext4_fsblk_t end = start + input->blocks_count;
51233 ext4_group_t group = input->group;
51234 ext4_fsblk_t itend = input->inode_table + sbi->s_itb_per_group;
51235- unsigned overhead = ext4_group_overhead_blocks(sb, group);
51236- ext4_fsblk_t metaend = start + overhead;
51237+ unsigned overhead;
51238+ ext4_fsblk_t metaend;
51239 struct buffer_head *bh = NULL;
51240 ext4_grpblk_t free_blocks_count, offset;
51241 int err = -EINVAL;
51242
51243+ if (group != sbi->s_groups_count) {
51244+ ext4_warning(sb, "Cannot add at group %u (only %u groups)",
51245+ input->group, sbi->s_groups_count);
51246+ return -EINVAL;
51247+ }
51248+
51249+ overhead = ext4_group_overhead_blocks(sb, group);
51250+ metaend = start + overhead;
51251 input->free_blocks_count = free_blocks_count =
51252 input->blocks_count - 2 - overhead - sbi->s_itb_per_group;
51253
51254@@ -96,10 +104,7 @@ static int verify_group_input(struct super_block *sb,
51255 free_blocks_count, input->reserved_blocks);
51256
51257 ext4_get_group_no_and_offset(sb, start, NULL, &offset);
51258- if (group != sbi->s_groups_count)
51259- ext4_warning(sb, "Cannot add at group %u (only %u groups)",
51260- input->group, sbi->s_groups_count);
51261- else if (offset != 0)
51262+ if (offset != 0)
51263 ext4_warning(sb, "Last group not full");
51264 else if (input->reserved_blocks > input->blocks_count / 5)
51265 ext4_warning(sb, "Reserved blocks too high (%u)",
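Review bot: The new early `return -EINVAL` in verify_group_input carries no comment explaining why the group check had to move ahead of `ext4_group_overhead_blocks(sb, group)`, so a later tidy-up could undo the ordering. `group` is taken from `input->group` and is now compared with `sbi->s_groups_count` before the helper sees it; presumably the helper assumes a valid group number. I would add `/* reject a bad group before it reaches ext4_group_overhead_blocks() */` above the `if (group != sbi->s_groups_count)` block. The function starts and ends outside the two hunks shown.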
51126diff --git a/fs/ext4/super.c b/fs/ext4/super.c 51266diff --git a/fs/ext4/super.c b/fs/ext4/super.c
51127index febbe0e..782c4fd 100644 51267index febbe0e..782c4fd 100644
51128--- a/fs/ext4/super.c 51268--- a/fs/ext4/super.c
@@ -71468,6 +71608,20 @@ index e8d702e..0a56eb4 100644
71468 71608
71469 int sock_diag_register(const struct sock_diag_handler *h); 71609 int sock_diag_register(const struct sock_diag_handler *h);
71470 void sock_diag_unregister(const struct sock_diag_handler *h); 71610 void sock_diag_unregister(const struct sock_diag_handler *h);
71611diff --git a/include/linux/socket.h b/include/linux/socket.h
71612index 2b9f74b..e897bdc 100644
71613--- a/include/linux/socket.h
71614+++ b/include/linux/socket.h
71615@@ -321,6 +321,9 @@ extern int put_cmsg(struct msghdr*, int level, int type, int len, void *data);
71616
71617 struct timespec;
71618
71619+/* The __sys_...msg variants allow MSG_CMSG_COMPAT */
71620+extern long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags);
71621+extern long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags);
71622 extern int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
71623 unsigned int flags, struct timespec *timeout);
71624 extern int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg,
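Review bot: The comment above the new `__sys_recvmsg`/`__sys_sendmsg` declarations says the variants allow MSG_CMSG_COMPAT, but not that the caller has to keep a user-supplied MSG_CMSG_COMPAT out. The compat wrappers in net/compat.c in this same patch reject the bit with -EINVAL before OR-ing it in themselves, so the contract exists only by convention. I would spell it out, e.g. `/* The __sys_...msg variants accept MSG_CMSG_COMPAT; callers must reject it when it comes from userspace */`. The two prototypes also write `unsigned flags` where the neighbouring `__sys_recvmmsg` uses `unsigned int flags`; matching that would be more consistent.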
71471diff --git a/include/linux/sonet.h b/include/linux/sonet.h 71625diff --git a/include/linux/sonet.h b/include/linux/sonet.h
71472index 680f9a3..f13aeb0 100644 71626index 680f9a3..f13aeb0 100644
71473--- a/include/linux/sonet.h 71627--- a/include/linux/sonet.h
@@ -74611,7 +74765,7 @@ index 00eb8f7..d7e3244 100644
74611 #ifdef CONFIG_MODULE_UNLOAD 74765 #ifdef CONFIG_MODULE_UNLOAD
74612 { 74766 {
74613diff --git a/kernel/events/core.c b/kernel/events/core.c 74767diff --git a/kernel/events/core.c b/kernel/events/core.c
74614index 9fcb094..8370228 100644 74768index 9fcb094..353baaaf 100644
74615--- a/kernel/events/core.c 74769--- a/kernel/events/core.c
74616+++ b/kernel/events/core.c 74770+++ b/kernel/events/core.c
74617@@ -154,8 +154,15 @@ static struct srcu_struct pmus_srcu; 74771@@ -154,8 +154,15 @@ static struct srcu_struct pmus_srcu;
@@ -74623,7 +74777,7 @@ index 9fcb094..8370228 100644
74623-int sysctl_perf_event_paranoid __read_mostly = 1; 74777-int sysctl_perf_event_paranoid __read_mostly = 1;
74624+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN 74778+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
74625+int sysctl_perf_event_legitimately_concerned __read_mostly = 3; 74779+int sysctl_perf_event_legitimately_concerned __read_mostly = 3;
74626+#elif CONFIG_GRKERNSEC_HIDESYM 74780+#elif defined(CONFIG_GRKERNSEC_HIDESYM)
74627+int sysctl_perf_event_legitimately_concerned __read_mostly = 2; 74781+int sysctl_perf_event_legitimately_concerned __read_mostly = 2;
74628+#else 74782+#else
74629+int sysctl_perf_event_legitimately_concerned __read_mostly = 1; 74783+int sysctl_perf_event_legitimately_concerned __read_mostly = 1;
@@ -78324,7 +78478,7 @@ index 02fc5c9..e54c335 100644
78324 mutex_unlock(&smpboot_threads_lock); 78478 mutex_unlock(&smpboot_threads_lock);
78325 put_online_cpus(); 78479 put_online_cpus();
78326diff --git a/kernel/softirq.c b/kernel/softirq.c 78480diff --git a/kernel/softirq.c b/kernel/softirq.c
78327index 14d7758..012121f 100644 78481index d93dcb1..1cd8a71 100644
78328--- a/kernel/softirq.c 78482--- a/kernel/softirq.c
78329+++ b/kernel/softirq.c 78483+++ b/kernel/softirq.c
78330@@ -53,11 +53,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned; 78484@@ -53,11 +53,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned;
@@ -78341,7 +78495,7 @@ index 14d7758..012121f 100644
78341 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL", 78495 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
78342 "TASKLET", "SCHED", "HRTIMER", "RCU" 78496 "TASKLET", "SCHED", "HRTIMER", "RCU"
78343 }; 78497 };
78344@@ -244,7 +244,7 @@ restart: 78498@@ -250,7 +250,7 @@ restart:
78345 kstat_incr_softirqs_this_cpu(vec_nr); 78499 kstat_incr_softirqs_this_cpu(vec_nr);
78346 78500
78347 trace_softirq_entry(vec_nr); 78501 trace_softirq_entry(vec_nr);
@@ -78350,7 +78504,7 @@ index 14d7758..012121f 100644
78350 trace_softirq_exit(vec_nr); 78504 trace_softirq_exit(vec_nr);
78351 if (unlikely(prev_count != preempt_count())) { 78505 if (unlikely(prev_count != preempt_count())) {
78352 printk(KERN_ERR "huh, entered softirq %u %s %p" 78506 printk(KERN_ERR "huh, entered softirq %u %s %p"
78353@@ -389,7 +389,7 @@ void __raise_softirq_irqoff(unsigned int nr) 78507@@ -396,7 +396,7 @@ void __raise_softirq_irqoff(unsigned int nr)
78354 or_softirq_pending(1UL << nr); 78508 or_softirq_pending(1UL << nr);
78355 } 78509 }
78356 78510
@@ -78359,7 +78513,7 @@ index 14d7758..012121f 100644
78359 { 78513 {
78360 softirq_vec[nr].action = action; 78514 softirq_vec[nr].action = action;
78361 } 78515 }
78362@@ -445,7 +445,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t) 78516@@ -452,7 +452,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t)
78363 78517
78364 EXPORT_SYMBOL(__tasklet_hi_schedule_first); 78518 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
78365 78519
@@ -78368,7 +78522,7 @@ index 14d7758..012121f 100644
78368 { 78522 {
78369 struct tasklet_struct *list; 78523 struct tasklet_struct *list;
78370 78524
78371@@ -480,7 +480,7 @@ static void tasklet_action(struct softirq_action *a) 78525@@ -487,7 +487,7 @@ static void tasklet_action(struct softirq_action *a)
78372 } 78526 }
78373 } 78527 }
78374 78528
@@ -78377,7 +78531,7 @@ index 14d7758..012121f 100644
78377 { 78531 {
78378 struct tasklet_struct *list; 78532 struct tasklet_struct *list;
78379 78533
78380@@ -716,7 +716,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self, 78534@@ -723,7 +723,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self,
78381 return NOTIFY_OK; 78535 return NOTIFY_OK;
78382 } 78536 }
78383 78537
@@ -78386,7 +78540,7 @@ index 14d7758..012121f 100644
78386 .notifier_call = remote_softirq_cpu_notify, 78540 .notifier_call = remote_softirq_cpu_notify,
78387 }; 78541 };
78388 78542
78389@@ -833,11 +833,11 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb, 78543@@ -840,11 +840,11 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb,
78390 return NOTIFY_OK; 78544 return NOTIFY_OK;
78391 } 78545 }
78392 78546
@@ -78912,7 +79066,7 @@ index 90ad470..1814e9a 100644
78912 tick_broadcast_clear_oneshot(cpu); 79066 tick_broadcast_clear_oneshot(cpu);
78913 } else { 79067 } else {
78914diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c 79068diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
78915index 9a0bc98..fceb7d0 100644 79069index 183df62..59b1442 100644
78916--- a/kernel/time/timekeeping.c 79070--- a/kernel/time/timekeeping.c
78917+++ b/kernel/time/timekeeping.c 79071+++ b/kernel/time/timekeeping.c
78918@@ -15,6 +15,7 @@ 79072@@ -15,6 +15,7 @@
@@ -81653,7 +81807,7 @@ index 79b7cf7..9944291 100644
81653 capable(CAP_IPC_LOCK)) 81807 capable(CAP_IPC_LOCK))
81654 ret = do_mlockall(flags); 81808 ret = do_mlockall(flags);
81655diff --git a/mm/mmap.c b/mm/mmap.c 81809diff --git a/mm/mmap.c b/mm/mmap.c
81656index 0dceed8..671951c 100644 81810index 0dceed8..e7cfc40 100644
81657--- a/mm/mmap.c 81811--- a/mm/mmap.c
81658+++ b/mm/mmap.c 81812+++ b/mm/mmap.c
81659@@ -33,6 +33,7 @@ 81813@@ -33,6 +33,7 @@
@@ -82402,11 +82556,10 @@ index 0dceed8..671951c 100644
82402 size = vma->vm_end - address; 82556 size = vma->vm_end - address;
82403 grow = (vma->vm_start - address) >> PAGE_SHIFT; 82557 grow = (vma->vm_start - address) >> PAGE_SHIFT;
82404 82558
82405@@ -2184,6 +2492,18 @@ int expand_downwards(struct vm_area_struct *vma, 82559@@ -2184,13 +2492,27 @@ int expand_downwards(struct vm_area_struct *vma,
82406 vma->vm_pgoff -= grow; 82560 vma->vm_pgoff -= grow;
82407 anon_vma_interval_tree_post_update_vma(vma); 82561 anon_vma_interval_tree_post_update_vma(vma);
82408 vma_gap_update(vma); 82562 vma_gap_update(vma);
82409+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
82410+ 82563+
82411+#ifdef CONFIG_PAX_SEGMEXEC 82564+#ifdef CONFIG_PAX_SEGMEXEC
82412+ if (vma_m) { 82565+ if (vma_m) {
@@ -82420,8 +82573,18 @@ index 0dceed8..671951c 100644
82420+ 82573+
82421 spin_unlock(&vma->vm_mm->page_table_lock); 82574 spin_unlock(&vma->vm_mm->page_table_lock);
82422 82575
82576+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
82423 perf_event_mmap(vma); 82577 perf_event_mmap(vma);
82424@@ -2288,6 +2608,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) 82578 }
82579 }
82580 }
82581 vma_unlock_anon_vma(vma);
82582+ if (lockprev)
82583+ vma_unlock_anon_vma(prev);
82584 khugepaged_enter_vma_merge(vma);
82585 validate_mm(vma->vm_mm);
82586 return error;
82587@@ -2288,6 +2610,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
82425 do { 82588 do {
82426 long nrpages = vma_pages(vma); 82589 long nrpages = vma_pages(vma);
82427 82590
@@ -82435,7 +82598,7 @@ index 0dceed8..671951c 100644
82435 if (vma->vm_flags & VM_ACCOUNT) 82598 if (vma->vm_flags & VM_ACCOUNT)
82436 nr_accounted += nrpages; 82599 nr_accounted += nrpages;
82437 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); 82600 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
82438@@ -2333,6 +2660,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, 82601@@ -2333,6 +2662,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
82439 insertion_point = (prev ? &prev->vm_next : &mm->mmap); 82602 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
82440 vma->vm_prev = NULL; 82603 vma->vm_prev = NULL;
82441 do { 82604 do {
@@ -82452,7 +82615,7 @@ index 0dceed8..671951c 100644
82452 vma_rb_erase(vma, &mm->mm_rb); 82615 vma_rb_erase(vma, &mm->mm_rb);
82453 mm->map_count--; 82616 mm->map_count--;
82454 tail_vma = vma; 82617 tail_vma = vma;
82455@@ -2364,14 +2701,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, 82618@@ -2364,14 +2703,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
82456 struct vm_area_struct *new; 82619 struct vm_area_struct *new;
82457 int err = -ENOMEM; 82620 int err = -ENOMEM;
82458 82621
@@ -82486,7 +82649,7 @@ index 0dceed8..671951c 100644
82486 /* most fields are the same, copy all, and then fixup */ 82649 /* most fields are the same, copy all, and then fixup */
82487 *new = *vma; 82650 *new = *vma;
82488 82651
82489@@ -2384,6 +2740,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, 82652@@ -2384,6 +2742,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
82490 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); 82653 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
82491 } 82654 }
82492 82655
@@ -82509,7 +82672,7 @@ index 0dceed8..671951c 100644
82509 pol = mpol_dup(vma_policy(vma)); 82672 pol = mpol_dup(vma_policy(vma));
82510 if (IS_ERR(pol)) { 82673 if (IS_ERR(pol)) {
82511 err = PTR_ERR(pol); 82674 err = PTR_ERR(pol);
82512@@ -2406,6 +2778,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, 82675@@ -2406,6 +2780,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
82513 else 82676 else
82514 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); 82677 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
82515 82678
@@ -82546,7 +82709,7 @@ index 0dceed8..671951c 100644
82546 /* Success. */ 82709 /* Success. */
82547 if (!err) 82710 if (!err)
82548 return 0; 82711 return 0;
82549@@ -2415,10 +2817,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, 82712@@ -2415,10 +2819,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
82550 new->vm_ops->close(new); 82713 new->vm_ops->close(new);
82551 if (new->vm_file) 82714 if (new->vm_file)
82552 fput(new->vm_file); 82715 fput(new->vm_file);
@@ -82566,7 +82729,7 @@ index 0dceed8..671951c 100644
82566 kmem_cache_free(vm_area_cachep, new); 82729 kmem_cache_free(vm_area_cachep, new);
82567 out_err: 82730 out_err:
82568 return err; 82731 return err;
82569@@ -2431,6 +2841,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, 82732@@ -2431,6 +2843,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
82570 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, 82733 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
82571 unsigned long addr, int new_below) 82734 unsigned long addr, int new_below)
82572 { 82735 {
@@ -82582,7 +82745,7 @@ index 0dceed8..671951c 100644
82582 if (mm->map_count >= sysctl_max_map_count) 82745 if (mm->map_count >= sysctl_max_map_count)
82583 return -ENOMEM; 82746 return -ENOMEM;
82584 82747
82585@@ -2442,11 +2861,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, 82748@@ -2442,11 +2863,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
82586 * work. This now handles partial unmappings. 82749 * work. This now handles partial unmappings.
82587 * Jeremy Fitzhardinge <jeremy@goop.org> 82750 * Jeremy Fitzhardinge <jeremy@goop.org>
82588 */ 82751 */
@@ -82613,7 +82776,7 @@ index 0dceed8..671951c 100644
82613 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) 82776 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
82614 return -EINVAL; 82777 return -EINVAL;
82615 82778
82616@@ -2521,6 +2959,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) 82779@@ -2521,6 +2961,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
82617 /* Fix up all other VM information */ 82780 /* Fix up all other VM information */
82618 remove_vma_list(mm, vma); 82781 remove_vma_list(mm, vma);
82619 82782
@@ -82622,7 +82785,7 @@ index 0dceed8..671951c 100644
82622 return 0; 82785 return 0;
82623 } 82786 }
82624 82787
82625@@ -2529,6 +2969,13 @@ int vm_munmap(unsigned long start, size_t len) 82788@@ -2529,6 +2971,13 @@ int vm_munmap(unsigned long start, size_t len)
82626 int ret; 82789 int ret;
82627 struct mm_struct *mm = current->mm; 82790 struct mm_struct *mm = current->mm;
82628 82791
@@ -82636,7 +82799,7 @@ index 0dceed8..671951c 100644
82636 down_write(&mm->mmap_sem); 82799 down_write(&mm->mmap_sem);
82637 ret = do_munmap(mm, start, len); 82800 ret = do_munmap(mm, start, len);
82638 up_write(&mm->mmap_sem); 82801 up_write(&mm->mmap_sem);
82639@@ -2542,16 +2989,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) 82802@@ -2542,16 +2991,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
82640 return vm_munmap(addr, len); 82803 return vm_munmap(addr, len);
82641 } 82804 }
82642 82805
@@ -82653,7 +82816,7 @@ index 0dceed8..671951c 100644
82653 /* 82816 /*
82654 * this is really a simplified "do_mmap". it only handles 82817 * this is really a simplified "do_mmap". it only handles
82655 * anonymous maps. eventually we may be able to do some 82818 * anonymous maps. eventually we may be able to do some
82656@@ -2565,6 +3002,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) 82819@@ -2565,6 +3004,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
82657 struct rb_node ** rb_link, * rb_parent; 82820 struct rb_node ** rb_link, * rb_parent;
82658 pgoff_t pgoff = addr >> PAGE_SHIFT; 82821 pgoff_t pgoff = addr >> PAGE_SHIFT;
82659 int error; 82822 int error;
@@ -82661,7 +82824,7 @@ index 0dceed8..671951c 100644
82661 82824
82662 len = PAGE_ALIGN(len); 82825 len = PAGE_ALIGN(len);
82663 if (!len) 82826 if (!len)
82664@@ -2572,16 +3010,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) 82827@@ -2572,16 +3012,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
82665 82828
82666 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; 82829 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
82667 82830
@@ -82693,7 +82856,7 @@ index 0dceed8..671951c 100644
82693 locked += mm->locked_vm; 82856 locked += mm->locked_vm;
82694 lock_limit = rlimit(RLIMIT_MEMLOCK); 82857 lock_limit = rlimit(RLIMIT_MEMLOCK);
82695 lock_limit >>= PAGE_SHIFT; 82858 lock_limit >>= PAGE_SHIFT;
82696@@ -2598,21 +3050,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) 82859@@ -2598,21 +3052,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
82697 /* 82860 /*
82698 * Clear old maps. this also does some error checking for us 82861 * Clear old maps. this also does some error checking for us
82699 */ 82862 */
@@ -82718,7 +82881,7 @@ index 0dceed8..671951c 100644
82718 return -ENOMEM; 82881 return -ENOMEM;
82719 82882
82720 /* Can we just expand an old private anonymous mapping? */ 82883 /* Can we just expand an old private anonymous mapping? */
82721@@ -2626,7 +3077,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) 82884@@ -2626,7 +3079,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
82722 */ 82885 */
82723 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); 82886 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
82724 if (!vma) { 82887 if (!vma) {
@@ -82727,7 +82890,7 @@ index 0dceed8..671951c 100644
82727 return -ENOMEM; 82890 return -ENOMEM;
82728 } 82891 }
82729 82892
82730@@ -2640,9 +3091,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) 82893@@ -2640,9 +3093,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
82731 vma_link(mm, vma, prev, rb_link, rb_parent); 82894 vma_link(mm, vma, prev, rb_link, rb_parent);
82732 out: 82895 out:
82733 perf_event_mmap(vma); 82896 perf_event_mmap(vma);
@@ -82740,7 +82903,7 @@ index 0dceed8..671951c 100644
82740 return addr; 82903 return addr;
82741 } 82904 }
82742 82905
82743@@ -2704,6 +3156,7 @@ void exit_mmap(struct mm_struct *mm) 82906@@ -2704,6 +3158,7 @@ void exit_mmap(struct mm_struct *mm)
82744 while (vma) { 82907 while (vma) {
82745 if (vma->vm_flags & VM_ACCOUNT) 82908 if (vma->vm_flags & VM_ACCOUNT)
82746 nr_accounted += vma_pages(vma); 82909 nr_accounted += vma_pages(vma);
@@ -82748,7 +82911,7 @@ index 0dceed8..671951c 100644
82748 vma = remove_vma(vma); 82911 vma = remove_vma(vma);
82749 } 82912 }
82750 vm_unacct_memory(nr_accounted); 82913 vm_unacct_memory(nr_accounted);
82751@@ -2720,6 +3173,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) 82914@@ -2720,6 +3175,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
82752 struct vm_area_struct *prev; 82915 struct vm_area_struct *prev;
82753 struct rb_node **rb_link, *rb_parent; 82916 struct rb_node **rb_link, *rb_parent;
82754 82917
@@ -82762,7 +82925,7 @@ index 0dceed8..671951c 100644
82762 /* 82925 /*
82763 * The vm_pgoff of a purely anonymous vma should be irrelevant 82926 * The vm_pgoff of a purely anonymous vma should be irrelevant
82764 * until its first write fault, when page's anon_vma and index 82927 * until its first write fault, when page's anon_vma and index
82765@@ -2743,7 +3203,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) 82928@@ -2743,7 +3205,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
82766 security_vm_enough_memory_mm(mm, vma_pages(vma))) 82929 security_vm_enough_memory_mm(mm, vma_pages(vma)))
82767 return -ENOMEM; 82930 return -ENOMEM;
82768 82931
@@ -82784,7 +82947,7 @@ index 0dceed8..671951c 100644
82784 return 0; 82947 return 0;
82785 } 82948 }
82786 82949
82787@@ -2763,6 +3237,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, 82950@@ -2763,6 +3239,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
82788 struct mempolicy *pol; 82951 struct mempolicy *pol;
82789 bool faulted_in_anon_vma = true; 82952 bool faulted_in_anon_vma = true;
82790 82953
@@ -82793,7 +82956,7 @@ index 0dceed8..671951c 100644
82793 /* 82956 /*
82794 * If anonymous vma has not yet been faulted, update new pgoff 82957 * If anonymous vma has not yet been faulted, update new pgoff
82795 * to match new location, to increase its chance of merging. 82958 * to match new location, to increase its chance of merging.
82796@@ -2829,6 +3305,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, 82959@@ -2829,6 +3307,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
82797 return NULL; 82960 return NULL;
82798 } 82961 }
82799 82962
@@ -82833,7 +82996,7 @@ index 0dceed8..671951c 100644
82833 /* 82996 /*
82834 * Return true if the calling process may expand its vm space by the passed 82997 * Return true if the calling process may expand its vm space by the passed
82835 * number of pages 82998 * number of pages
82836@@ -2840,6 +3349,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) 82999@@ -2840,6 +3351,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
82837 83000
82838 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; 83001 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
82839 83002
@@ -82841,7 +83004,7 @@ index 0dceed8..671951c 100644
82841 if (cur + npages > lim) 83004 if (cur + npages > lim)
82842 return 0; 83005 return 0;
82843 return 1; 83006 return 1;
82844@@ -2910,6 +3420,22 @@ int install_special_mapping(struct mm_struct *mm, 83007@@ -2910,6 +3422,22 @@ int install_special_mapping(struct mm_struct *mm,
82845 vma->vm_start = addr; 83008 vma->vm_start = addr;
82846 vma->vm_end = addr + len; 83009 vma->vm_end = addr + len;
82847 83010
@@ -85239,7 +85402,7 @@ index 6a93614..1415549 100644
85239 err = -EFAULT; 85402 err = -EFAULT;
85240 break; 85403 break;
85241diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c 85404diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
85242index 7c7e932..7a7815d 100644 85405index 7c7e932..8d23158 100644
85243--- a/net/bluetooth/l2cap_core.c 85406--- a/net/bluetooth/l2cap_core.c
85244+++ b/net/bluetooth/l2cap_core.c 85407+++ b/net/bluetooth/l2cap_core.c
85245@@ -3395,8 +3395,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, 85408@@ -3395,8 +3395,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
@@ -85255,6 +85418,223 @@ index 7c7e932..7a7815d 100644
85255 85418
85256 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && 85419 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
85257 rfc.mode != chan->mode) 85420 rfc.mode != chan->mode)
85421@@ -3568,10 +3570,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
85422 }
85423
85424 static inline int l2cap_command_rej(struct l2cap_conn *conn,
85425- struct l2cap_cmd_hdr *cmd, u8 *data)
85426+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
85427+ u8 *data)
85428 {
85429 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
85430
85431+ if (cmd_len < sizeof(*rej))
85432+ return -EPROTO;
85433+
85434 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
85435 return 0;
85436
85437@@ -3720,11 +3726,14 @@ sendresp:
85438 }
85439
85440 static int l2cap_connect_req(struct l2cap_conn *conn,
85441- struct l2cap_cmd_hdr *cmd, u8 *data)
85442+ struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
85443 {
85444 struct hci_dev *hdev = conn->hcon->hdev;
85445 struct hci_conn *hcon = conn->hcon;
85446
85447+ if (cmd_len < sizeof(struct l2cap_conn_req))
85448+ return -EPROTO;
85449+
85450 hci_dev_lock(hdev);
85451 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
85452 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
85453@@ -3738,7 +3747,8 @@ static int l2cap_connect_req(struct l2cap_conn *conn,
85454 }
85455
85456 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
85457- struct l2cap_cmd_hdr *cmd, u8 *data)
85458+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
85459+ u8 *data)
85460 {
85461 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
85462 u16 scid, dcid, result, status;
85463@@ -3746,6 +3756,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
85464 u8 req[128];
85465 int err;
85466
85467+ if (cmd_len < sizeof(*rsp))
85468+ return -EPROTO;
85469+
85470 scid = __le16_to_cpu(rsp->scid);
85471 dcid = __le16_to_cpu(rsp->dcid);
85472 result = __le16_to_cpu(rsp->result);
85473@@ -3843,6 +3856,9 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
85474 struct l2cap_chan *chan;
85475 int len, err = 0;
85476
85477+ if (cmd_len < sizeof(*req))
85478+ return -EPROTO;
85479+
85480 dcid = __le16_to_cpu(req->dcid);
85481 flags = __le16_to_cpu(req->flags);
85482
85483@@ -3866,7 +3882,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
85484
85485 /* Reject if config buffer is too small. */
85486 len = cmd_len - sizeof(*req);
85487- if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
85488+ if (chan->conf_len + len > sizeof(chan->conf_req)) {
85489 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
85490 l2cap_build_conf_rsp(chan, rsp,
85491 L2CAP_CONF_REJECT, flags), rsp);
85492@@ -3944,14 +3960,18 @@ unlock:
85493 }
85494
85495 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
85496- struct l2cap_cmd_hdr *cmd, u8 *data)
85497+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
85498+ u8 *data)
85499 {
85500 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
85501 u16 scid, flags, result;
85502 struct l2cap_chan *chan;
85503- int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
85504+ int len = cmd_len - sizeof(*rsp);
85505 int err = 0;
85506
85507+ if (cmd_len < sizeof(*rsp))
85508+ return -EPROTO;
85509+
85510 scid = __le16_to_cpu(rsp->scid);
85511 flags = __le16_to_cpu(rsp->flags);
85512 result = __le16_to_cpu(rsp->result);
85513@@ -4052,7 +4072,8 @@ done:
85514 }
85515
85516 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
85517- struct l2cap_cmd_hdr *cmd, u8 *data)
85518+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
85519+ u8 *data)
85520 {
85521 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
85522 struct l2cap_disconn_rsp rsp;
85523@@ -4060,6 +4081,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
85524 struct l2cap_chan *chan;
85525 struct sock *sk;
85526
85527+ if (cmd_len != sizeof(*req))
85528+ return -EPROTO;
85529+
85530 scid = __le16_to_cpu(req->scid);
85531 dcid = __le16_to_cpu(req->dcid);
85532
85533@@ -4099,12 +4123,16 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
85534 }
85535
85536 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
85537- struct l2cap_cmd_hdr *cmd, u8 *data)
85538+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
85539+ u8 *data)
85540 {
85541 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
85542 u16 dcid, scid;
85543 struct l2cap_chan *chan;
85544
85545+ if (cmd_len != sizeof(*rsp))
85546+ return -EPROTO;
85547+
85548 scid = __le16_to_cpu(rsp->scid);
85549 dcid = __le16_to_cpu(rsp->dcid);
85550
85551@@ -4134,11 +4162,15 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
85552 }
85553
85554 static inline int l2cap_information_req(struct l2cap_conn *conn,
85555- struct l2cap_cmd_hdr *cmd, u8 *data)
85556+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
85557+ u8 *data)
85558 {
85559 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
85560 u16 type;
85561
85562+ if (cmd_len != sizeof(*req))
85563+ return -EPROTO;
85564+
85565 type = __le16_to_cpu(req->type);
85566
85567 BT_DBG("type 0x%4.4x", type);
85568@@ -4185,11 +4217,15 @@ static inline int l2cap_information_req(struct l2cap_conn *conn,
85569 }
85570
85571 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
85572- struct l2cap_cmd_hdr *cmd, u8 *data)
85573+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
85574+ u8 *data)
85575 {
85576 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
85577 u16 type, result;
85578
85579+ if (cmd_len != sizeof(*rsp))
85580+ return -EPROTO;
85581+
85582 type = __le16_to_cpu(rsp->type);
85583 result = __le16_to_cpu(rsp->result);
85584
85585@@ -5055,16 +5091,16 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
85586
85587 switch (cmd->code) {
85588 case L2CAP_COMMAND_REJ:
85589- l2cap_command_rej(conn, cmd, data);
85590+ l2cap_command_rej(conn, cmd, cmd_len, data);
85591 break;
85592
85593 case L2CAP_CONN_REQ:
85594- err = l2cap_connect_req(conn, cmd, data);
85595+ err = l2cap_connect_req(conn, cmd, cmd_len, data);
85596 break;
85597
85598 case L2CAP_CONN_RSP:
85599 case L2CAP_CREATE_CHAN_RSP:
85600- err = l2cap_connect_create_rsp(conn, cmd, data);
85601+ err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
85602 break;
85603
85604 case L2CAP_CONF_REQ:
85605@@ -5072,15 +5108,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
85606 break;
85607
85608 case L2CAP_CONF_RSP:
85609- err = l2cap_config_rsp(conn, cmd, data);
85610+ err = l2cap_config_rsp(conn, cmd, cmd_len, data);
85611 break;
85612
85613 case L2CAP_DISCONN_REQ:
85614- err = l2cap_disconnect_req(conn, cmd, data);
85615+ err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
85616 break;
85617
85618 case L2CAP_DISCONN_RSP:
85619- err = l2cap_disconnect_rsp(conn, cmd, data);
85620+ err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
85621 break;
85622
85623 case L2CAP_ECHO_REQ:
85624@@ -5091,11 +5127,11 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
85625 break;
85626
85627 case L2CAP_INFO_REQ:
85628- err = l2cap_information_req(conn, cmd, data);
85629+ err = l2cap_information_req(conn, cmd, cmd_len, data);
85630 break;
85631
85632 case L2CAP_INFO_RSP:
85633- err = l2cap_information_rsp(conn, cmd, data);
85634+ err = l2cap_information_rsp(conn, cmd, cmd_len, data);
85635 break;
85636
85637 case L2CAP_CREATE_CHAN_REQ:
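Review bot: The `-EPROTO` that `l2cap_command_rej` can now return for a short payload is thrown away at the `case L2CAP_COMMAND_REJ:` call site, while the other handlers updated in this switch all assign `err =`. If dropping it is deliberate (presumably so that a malformed reject is not itself answered with a reject), a comment such as `/* result ignored on purpose: never answer a reject */` would make that clear; otherwise the call should read `err = l2cap_command_rej(conn, cmd, cmd_len, data);`. Separately, in l2cap_config_rsp the initialiser `int len = cmd_len - sizeof(*rsp);` runs before the `cmd_len < sizeof(*rsp)` check; the value is not used before the early return, but moving the subtraction below the check would avoid computing a wrapped length at all. l2cap_bredr_sig_cmd and the handlers begin or end outside the hunks shown.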
85258diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c 85638diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
85259index 1bcfb84..dad9f98 100644 85639index 1bcfb84..dad9f98 100644
85260--- a/net/bluetooth/l2cap_sock.c 85640--- a/net/bluetooth/l2cap_sock.c
@@ -85486,7 +85866,7 @@ index 117814a..ad4fb73 100644
85486 85866
85487 if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) { 85867 if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
85488diff --git a/net/compat.c b/net/compat.c 85868diff --git a/net/compat.c b/net/compat.c
85489index 79ae884..17c5c09 100644 85869index 79ae884..0541331 100644
85490--- a/net/compat.c 85870--- a/net/compat.c
85491+++ b/net/compat.c 85871+++ b/net/compat.c
85492@@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) 85872@@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
@@ -85616,7 +85996,45 @@ index 79ae884..17c5c09 100644
85616 struct group_filter __user *kgf; 85996 struct group_filter __user *kgf;
85617 int __user *koptlen; 85997 int __user *koptlen;
85618 u32 interface, fmode, numsrc; 85998 u32 interface, fmode, numsrc;
85619@@ -796,7 +796,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) 85999@@ -734,19 +734,25 @@ static unsigned char nas[21] = {
86000
86001 asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
86002 {
86003- return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
86004+ if (flags & MSG_CMSG_COMPAT)
86005+ return -EINVAL;
86006+ return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
86007 }
86008
86009 asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg,
86010 unsigned int vlen, unsigned int flags)
86011 {
86012+ if (flags & MSG_CMSG_COMPAT)
86013+ return -EINVAL;
86014 return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
86015 flags | MSG_CMSG_COMPAT);
86016 }
86017
86018 asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
86019 {
86020- return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
86021+ if (flags & MSG_CMSG_COMPAT)
86022+ return -EINVAL;
86023+ return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
86024 }
86025
86026 asmlinkage long compat_sys_recv(int fd, void __user *buf, size_t len, unsigned int flags)
86027@@ -768,6 +774,9 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
86028 int datagrams;
86029 struct timespec ktspec;
86030
86031+ if (flags & MSG_CMSG_COMPAT)
86032+ return -EINVAL;
86033+
86034 if (COMPAT_USE_64BIT_TIME)
86035 return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
86036 flags | MSG_CMSG_COMPAT,
86037@@ -796,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
85620 86038
85621 if (call < SYS_SOCKET || call > SYS_SENDMMSG) 86039 if (call < SYS_SOCKET || call > SYS_SENDMMSG)
85622 return -EINVAL; 86040 return -EINVAL;
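Review bot: The `if (flags & MSG_CMSG_COMPAT) return -EINVAL;` guards added to compat_sys_sendmsg, compat_sys_sendmmsg, compat_sys_recvmsg and compat_sys_recvmmsg carry no comment, so a reader cannot tell why a flag that each function ORs in itself on the following line must be refused when the caller supplies it. A one-line comment above the first guard would record the intent, e.g. `/* MSG_CMSG_COMPAT is kernel-internal; never accept it from user space */`. The same guard is repeated in the native sendmsg, sendmmsg, recvmsg and recvmmsg entry points in net/socket.c later in this patch, so a comment or a small shared helper would also keep the copies in step. The body of compat_sys_recvmmsg continues outside the hunk.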
@@ -86559,7 +86977,7 @@ index d9c4f11..02b82dbc 100644
86559 msg.msg_flags = flags; 86977 msg.msg_flags = flags;
86560 86978
86561diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c 86979diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
86562index c3a4233..1412161 100644 86980index c3a4233..7df5626 100644
86563--- a/net/ipv4/ip_vti.c 86981--- a/net/ipv4/ip_vti.c
86564+++ b/net/ipv4/ip_vti.c 86982+++ b/net/ipv4/ip_vti.c
86565@@ -47,7 +47,7 @@ 86983@@ -47,7 +47,7 @@
@@ -86571,7 +86989,17 @@ index c3a4233..1412161 100644
86571 86989
86572 static int vti_net_id __read_mostly; 86990 static int vti_net_id __read_mostly;
86573 struct vti_net { 86991 struct vti_net {
86574@@ -886,7 +886,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = { 86992@@ -399,8 +399,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
86993 tunnel->err_count = 0;
86994 }
86995
86996- IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
86997- IPSKB_REROUTED);
86998+ memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
86999 skb_dst_drop(skb);
87000 skb_dst_set(skb, &rt->dst);
87001 nf_reset(skb);
87002@@ -886,7 +885,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = {
86575 [IFLA_VTI_REMOTE] = { .len = FIELD_SIZEOF(struct iphdr, daddr) }, 87003 [IFLA_VTI_REMOTE] = { .len = FIELD_SIZEOF(struct iphdr, daddr) },
86576 }; 87004 };
86577 87005
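Review bot: `memset(IPCB(skb), 0, sizeof(*IPCB(skb)));` in vti_tunnel_xmit clears the whole IP control block where the removed lines cleared only three flag bits, and nothing on the line says why the wider reset is needed. A short comment would keep a later cleanup from narrowing it again, e.g. `/* reset all per-packet IP state before handing the skb to the outer route */`. The exact reason is not visible here, so the wording should be confirmed against the upstream commit message. vti_tunnel_xmit starts and ends outside the hunk.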
@@ -88040,6 +88468,33 @@ index 5b1e5af..2358147 100644
88040 } while (!res); 88468 } while (!res);
88041 return res; 88469 return res;
88042 } 88470 }
88471diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
88472index 637a341..8dec687 100644
88473--- a/net/l2tp/l2tp_ppp.c
88474+++ b/net/l2tp/l2tp_ppp.c
88475@@ -346,19 +346,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
88476 skb_put(skb, 2);
88477
88478 /* Copy user data into skb */
88479- error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
88480+ error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
88481+ total_len);
88482 if (error < 0) {
88483 kfree_skb(skb);
88484 goto error_put_sess_tun;
88485 }
88486- skb_put(skb, total_len);
88487
88488 l2tp_xmit_skb(session, skb, session->hdr_len);
88489
88490 sock_put(ps->tunnel_sock);
88491 sock_put(sk);
88492
88493- return error;
88494+ return total_len;
88495
88496 error_put_sess_tun:
88497 sock_put(ps->tunnel_sock);
88043diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c 88498diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
88044index 843d8c4..cb04fa1 100644 88499index 843d8c4..cb04fa1 100644
88045--- a/net/mac80211/cfg.c 88500--- a/net/mac80211/cfg.c
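Review bot: The new `return total_len;` in pppol2tp_sendmsg reports full success without looking at the result of `l2tp_xmit_skb(session, skb, session->hdr_len);` a few lines above it, so the caller is told every byte was sent even if the transmit path dropped the skb. If that is intended (datagram semantics, where loss is not an error), a comment on the call would say so, e.g. `/* transmit errors are deliberately not reported to the sender */`. Otherwise the result of l2tp_xmit_skb should be checked before returning; its return type is not visible in this hunk. The function body starts and ends outside the hunk.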
@@ -88344,7 +88799,7 @@ index 61f49d2..6c8c5bc 100644
88344 if (ipvs->sync_state & IP_VS_STATE_MASTER) 88799 if (ipvs->sync_state & IP_VS_STATE_MASTER)
88345 ip_vs_sync_conn(net, cp, pkts); 88800 ip_vs_sync_conn(net, cp, pkts);
88346diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c 88801diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
88347index 9e2d1cc..7f8f569 100644 88802index 9e2d1cc..6ed0748 100644
88348--- a/net/netfilter/ipvs/ip_vs_ctl.c 88803--- a/net/netfilter/ipvs/ip_vs_ctl.c
88349+++ b/net/netfilter/ipvs/ip_vs_ctl.c 88804+++ b/net/netfilter/ipvs/ip_vs_ctl.c
88350@@ -787,7 +787,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest, 88805@@ -787,7 +787,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
@@ -88383,7 +88838,14 @@ index 9e2d1cc..7f8f569 100644
88383 atomic_read(&dest->weight), 88838 atomic_read(&dest->weight),
88384 atomic_read(&dest->activeconns), 88839 atomic_read(&dest->activeconns),
88385 atomic_read(&dest->inactconns)); 88840 atomic_read(&dest->inactconns));
88386@@ -2568,7 +2568,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get, 88841@@ -2562,13 +2562,14 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
88842 struct ip_vs_dest *dest;
88843 struct ip_vs_dest_entry entry;
88844
88845+ memset(&entry, 0, sizeof(entry));
88846 list_for_each_entry(dest, &svc->destinations, n_list) {
88847 if (count >= get->num_dests)
88848 break;
88387 88849
88388 entry.addr = dest->addr.ip; 88850 entry.addr = dest->addr.ip;
88389 entry.port = dest->port; 88851 entry.port = dest->port;
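Review bot: The added `memset(&entry, 0, sizeof(entry));` in __ip_vs_get_dest_entries has no comment saying what it protects, and because the loop assigns the named fields on every iteration it looks removable. Presumably `entry` is copied to user space later in the loop (not visible in this hunk), in which case the memset is what keeps structure padding and any unassigned members from carrying kernel stack contents. A comment such as `/* entry is copied to user space: clear padding and unset fields */` would protect it from a later cleanup. The function continues outside the hunk.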
@@ -88392,7 +88854,7 @@ index 9e2d1cc..7f8f569 100644
88392 entry.weight = atomic_read(&dest->weight); 88854 entry.weight = atomic_read(&dest->weight);
88393 entry.u_threshold = dest->u_threshold; 88855 entry.u_threshold = dest->u_threshold;
88394 entry.l_threshold = dest->l_threshold; 88856 entry.l_threshold = dest->l_threshold;
88395@@ -3104,7 +3104,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest) 88857@@ -3104,7 +3105,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
88396 if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) || 88858 if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) ||
88397 nla_put_u16(skb, IPVS_DEST_ATTR_PORT, dest->port) || 88859 nla_put_u16(skb, IPVS_DEST_ATTR_PORT, dest->port) ||
88398 nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD, 88860 nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD,
@@ -88401,7 +88863,7 @@ index 9e2d1cc..7f8f569 100644
88401 IP_VS_CONN_F_FWD_MASK)) || 88863 IP_VS_CONN_F_FWD_MASK)) ||
88402 nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT, 88864 nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
88403 atomic_read(&dest->weight)) || 88865 atomic_read(&dest->weight)) ||
88404@@ -3694,7 +3694,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net) 88866@@ -3694,7 +3695,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
88405 { 88867 {
88406 int idx; 88868 int idx;
88407 struct netns_ipvs *ipvs = net_ipvs(net); 88869 struct netns_ipvs *ipvs = net_ipvs(net);
@@ -88847,7 +89309,7 @@ index 103bd70..f21aad3 100644
88847 *uaddr_len = sizeof(struct sockaddr_ax25); 89309 *uaddr_len = sizeof(struct sockaddr_ax25);
88848 } 89310 }
88849diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c 89311diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
88850index f83e172..b57140d 100644 89312index f83e172..223ffe1 100644
88851--- a/net/packet/af_packet.c 89313--- a/net/packet/af_packet.c
88852+++ b/net/packet/af_packet.c 89314+++ b/net/packet/af_packet.c
88853@@ -1571,7 +1571,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, 89315@@ -1571,7 +1571,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
@@ -88887,7 +89349,22 @@ index f83e172..b57140d 100644
88887 89349
88888 msg->msg_flags |= MSG_ERRQUEUE; 89350 msg->msg_flags |= MSG_ERRQUEUE;
88889 err = copied; 89351 err = copied;
88890@@ -3205,7 +3207,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, 89352@@ -2769,12 +2771,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
89353 return -EOPNOTSUPP;
89354
89355 uaddr->sa_family = AF_PACKET;
89356+ memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
89357 rcu_read_lock();
89358 dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
89359 if (dev)
89360- strncpy(uaddr->sa_data, dev->name, 14);
89361- else
89362- memset(uaddr->sa_data, 0, 14);
89363+ strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
89364 rcu_read_unlock();
89365 *uaddr_len = sizeof(*uaddr);
89366
89367@@ -3205,7 +3206,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
88891 case PACKET_HDRLEN: 89368 case PACKET_HDRLEN:
88892 if (len > sizeof(int)) 89369 if (len > sizeof(int))
88893 len = sizeof(int); 89370 len = sizeof(int);
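Review bot: Replacing `strncpy(uaddr->sa_data, dev->name, 14)` with `strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data))` in packet_getname_spkt changes what user space receives for long interface names. strlcpy reserves the last byte for the terminator, so at most sizeof(sa_data) - 1 name bytes are returned where the old call could fill all 14. The result is now always NUL-terminated and the unconditional memset removes the stale-bytes case, which is the safer contract, but the truncation is silent. A comment on the strlcpy line would record it, e.g. `/* dev->name may be longer than sa_data; truncated but always NUL-terminated */`.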
@@ -88896,7 +89373,7 @@ index f83e172..b57140d 100644
88896 return -EFAULT; 89373 return -EFAULT;
88897 switch (val) { 89374 switch (val) {
88898 case TPACKET_V1: 89375 case TPACKET_V1:
88899@@ -3247,7 +3249,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, 89376@@ -3247,7 +3248,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
88900 len = lv; 89377 len = lv;
88901 if (put_user(len, optlen)) 89378 if (put_user(len, optlen))
88902 return -EFAULT; 89379 return -EFAULT;
@@ -89432,6 +89909,33 @@ index 391a245..296b3d7 100644
89432 } 89909 }
89433 89910
89434 /* Initialize IPv6 support and register with socket layer. */ 89911 /* Initialize IPv6 support and register with socket layer. */
89912diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
89913index 01dca75..e9426bb 100644
89914--- a/net/sctp/outqueue.c
89915+++ b/net/sctp/outqueue.c
89916@@ -206,6 +206,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary,
89917 */
89918 void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
89919 {
89920+ memset(q, 0, sizeof(struct sctp_outq));
89921+
89922 q->asoc = asoc;
89923 INIT_LIST_HEAD(&q->out_chunk_list);
89924 INIT_LIST_HEAD(&q->control_chunk_list);
89925@@ -213,13 +215,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
89926 INIT_LIST_HEAD(&q->sacked);
89927 INIT_LIST_HEAD(&q->abandoned);
89928
89929- q->fast_rtx = 0;
89930- q->outstanding_bytes = 0;
89931 q->empty = 1;
89932- q->cork = 0;
89933-
89934- q->malloced = 0;
89935- q->out_qlen = 0;
89936 }
89937
89938 /* Free the outqueue structure and any related pending chunks.
89435diff --git a/net/sctp/probe.c b/net/sctp/probe.c 89939diff --git a/net/sctp/probe.c b/net/sctp/probe.c
89436index ad0dba8..e62c225 100644 89940index ad0dba8..e62c225 100644
89437--- a/net/sctp/probe.c 89941--- a/net/sctp/probe.c
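Review bot: `memset(q, 0, sizeof(struct sctp_outq));` in sctp_outq_init names the type explicitly; `memset(q, 0, sizeof(*q));` ties the size to the pointer and stays correct if the parameter's type ever changes. With the individual `q->... = 0` assignments removed, every member now depends on this one call, so a brief comment is worth adding, e.g. `/* zero everything; only non-zero members are set below */`. Whether any caller sets `q->malloced` before calling sctp_outq_init cannot be seen from this hunk and should be checked, since the memset would now overwrite it.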
@@ -89516,7 +90020,7 @@ index 8aab894..f6b7e7d 100644
89516 sctp_generate_t1_cookie_event, 90020 sctp_generate_t1_cookie_event,
89517 sctp_generate_t1_init_event, 90021 sctp_generate_t1_init_event,
89518diff --git a/net/sctp/socket.c b/net/sctp/socket.c 90022diff --git a/net/sctp/socket.c b/net/sctp/socket.c
89519index b907073..57fef6c 100644 90023index b907073..7bea2ca 100644
89520--- a/net/sctp/socket.c 90024--- a/net/sctp/socket.c
89521+++ b/net/sctp/socket.c 90025+++ b/net/sctp/socket.c
89522@@ -2166,11 +2166,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, 90026@@ -2166,11 +2166,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
@@ -89534,7 +90038,20 @@ index b907073..57fef6c 100644
89534 90038
89535 /* 90039 /*
89536 * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT, 90040 * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
89537@@ -4215,13 +4217,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, 90041@@ -4002,6 +4004,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
90042
90043 /* Release our hold on the endpoint. */
90044 sp = sctp_sk(sk);
90045+ /* This could happen during socket init, thus we bail out
90046+ * early, since the rest of the below is not setup either.
90047+ */
90048+ if (sp->ep == NULL)
90049+ return;
90050+
90051 if (sp->do_auto_asconf) {
90052 sp->do_auto_asconf = 0;
90053 list_del(&sp->auto_asconf_list);
90054@@ -4215,13 +4223,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
89538 static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, 90055 static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
89539 int __user *optlen) 90056 int __user *optlen)
89540 { 90057 {
@@ -89552,7 +90069,7 @@ index b907073..57fef6c 100644
89552 return -EFAULT; 90069 return -EFAULT;
89553 return 0; 90070 return 0;
89554 } 90071 }
89555@@ -4239,6 +4244,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, 90072@@ -4239,6 +4250,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
89556 */ 90073 */
89557 static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen) 90074 static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
89558 { 90075 {
@@ -89561,7 +90078,7 @@ index b907073..57fef6c 100644
89561 /* Applicable to UDP-style socket only */ 90078 /* Applicable to UDP-style socket only */
89562 if (sctp_style(sk, TCP)) 90079 if (sctp_style(sk, TCP))
89563 return -EOPNOTSUPP; 90080 return -EOPNOTSUPP;
89564@@ -4247,7 +4254,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv 90081@@ -4247,7 +4260,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
89565 len = sizeof(int); 90082 len = sizeof(int);
89566 if (put_user(len, optlen)) 90083 if (put_user(len, optlen))
89567 return -EFAULT; 90084 return -EFAULT;
@@ -89571,7 +90088,7 @@ index b907073..57fef6c 100644
89571 return -EFAULT; 90088 return -EFAULT;
89572 return 0; 90089 return 0;
89573 } 90090 }
89574@@ -4619,12 +4627,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, 90091@@ -4619,12 +4633,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
89575 */ 90092 */
89576 static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen) 90093 static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
89577 { 90094 {
@@ -89588,7 +90105,7 @@ index b907073..57fef6c 100644
89588 return -EFAULT; 90105 return -EFAULT;
89589 return 0; 90106 return 0;
89590 } 90107 }
89591@@ -4665,6 +4676,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, 90108@@ -4665,6 +4682,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
89592 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; 90109 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
89593 if (space_left < addrlen) 90110 if (space_left < addrlen)
89594 return -ENOMEM; 90111 return -ENOMEM;
@@ -89620,7 +90137,7 @@ index bf3c6e8..376d8d0 100644
89620 90137
89621 table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL); 90138 table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL);
89622diff --git a/net/socket.c b/net/socket.c 90139diff --git a/net/socket.c b/net/socket.c
89623index 88f759a..c6933de 100644 90140index 88f759a..74be616 100644
89624--- a/net/socket.c 90141--- a/net/socket.c
89625+++ b/net/socket.c 90142+++ b/net/socket.c
89626@@ -88,6 +88,7 @@ 90143@@ -88,6 +88,7 @@
@@ -89791,6 +90308,15 @@ index 88f759a..c6933de 100644
89791 int err, err2; 90308 int err, err2;
89792 int fput_needed; 90309 int fput_needed;
89793 90310
90311@@ -1978,7 +2040,7 @@ struct used_address {
90312 unsigned int name_len;
90313 };
90314
90315-static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
90316+static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
90317 struct msghdr *msg_sys, unsigned int flags,
90318 struct used_address *used_address)
90319 {
89794@@ -2045,7 +2107,7 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg, 90320@@ -2045,7 +2107,7 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
89795 * checking falls down on this. 90321 * checking falls down on this.
89796 */ 90322 */
@@ -89800,7 +90326,83 @@ index 88f759a..c6933de 100644
89800 ctl_len)) 90326 ctl_len))
89801 goto out_freectl; 90327 goto out_freectl;
89802 msg_sys->msg_control = ctl_buf; 90328 msg_sys->msg_control = ctl_buf;
89803@@ -2185,7 +2247,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, 90329@@ -2093,20 +2155,28 @@ out:
90330 * BSD sendmsg interface
90331 */
90332
90333+long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
90334+{
90335+ int fput_needed, err;
90336+ struct msghdr msg_sys;
90337+ struct socket *sock;
90338+
90339+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
90340+ if (!sock)
90341+ goto out;
90342+
90343+ err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
90344+
90345+ fput_light(sock->file, fput_needed);
90346+out:
90347+ return err;
90348+}
90349+
90350 SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags)
90351 {
90352- int fput_needed, err;
90353- struct msghdr msg_sys;
90354- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
90355-
90356- if (!sock)
90357- goto out;
90358-
90359- err = __sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
90360-
90361- fput_light(sock->file, fput_needed);
90362-out:
90363- return err;
90364+ if (flags & MSG_CMSG_COMPAT)
90365+ return -EINVAL;
90366+ return __sys_sendmsg(fd, msg, flags);
90367 }
90368
90369 /*
90370@@ -2139,15 +2209,16 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
90371
90372 while (datagrams < vlen) {
90373 if (MSG_CMSG_COMPAT & flags) {
90374- err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
90375- &msg_sys, flags, &used_address);
90376+ err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
90377+ &msg_sys, flags, &used_address);
90378 if (err < 0)
90379 break;
90380 err = __put_user(err, &compat_entry->msg_len);
90381 ++compat_entry;
90382 } else {
90383- err = __sys_sendmsg(sock, (struct msghdr __user *)entry,
90384- &msg_sys, flags, &used_address);
90385+ err = ___sys_sendmsg(sock,
90386+ (struct msghdr __user *)entry,
90387+ &msg_sys, flags, &used_address);
90388 if (err < 0)
90389 break;
90390 err = put_user(err, &entry->msg_len);
90391@@ -2171,10 +2242,12 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
90392 SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,
90393 unsigned int, vlen, unsigned int, flags)
90394 {
90395+ if (flags & MSG_CMSG_COMPAT)
90396+ return -EINVAL;
90397 return __sys_sendmmsg(fd, mmsg, vlen, flags);
90398 }
90399
90400-static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
90401+static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
90402 struct msghdr *msg_sys, unsigned int flags, int nosec)
90403 {
90404 struct compat_msghdr __user *msg_compat =
90405@@ -2185,7 +2258,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
89804 int err, total_len, len; 90406 int err, total_len, len;
89805 90407
89806 /* kernel mode address */ 90408 /* kernel mode address */
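Review bot: The new non-static `__sys_sendmsg(int fd, ...)` passes `flags` straight to `___sys_sendmsg` and relies on every caller to have rejected a user-supplied MSG_CMSG_COMPAT first, yet nothing at the definition states that contract. The function is now called from net/compat.c in this patch and differs from the static `___sys_sendmsg` by a single underscore, so picking the wrong one is easy. A header comment would help, e.g. `/* Callers must reject MSG_CMSG_COMPAT supplied by user space before calling this. */`. The same applies to `__sys_recvmsg` and `___sys_recvmsg` in the recvmsg hunk further down.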
@@ -89809,7 +90411,7 @@ index 88f759a..c6933de 100644
89809 90411
89810 /* user mode address pointers */ 90412 /* user mode address pointers */
89811 struct sockaddr __user *uaddr; 90413 struct sockaddr __user *uaddr;
89812@@ -2213,7 +2275,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, 90414@@ -2213,7 +2286,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
89813 * kernel msghdr to use the kernel address space) 90415 * kernel msghdr to use the kernel address space)
89814 */ 90416 */
89815 90417
@@ -89818,7 +90420,84 @@ index 88f759a..c6933de 100644
89818 uaddr_len = COMPAT_NAMELEN(msg); 90420 uaddr_len = COMPAT_NAMELEN(msg);
89819 if (MSG_CMSG_COMPAT & flags) { 90421 if (MSG_CMSG_COMPAT & flags) {
89820 err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE); 90422 err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
89821@@ -2952,7 +3014,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, 90423@@ -2266,21 +2339,29 @@ out:
90424 * BSD recvmsg interface
90425 */
90426
90427+long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags)
90428+{
90429+ int fput_needed, err;
90430+ struct msghdr msg_sys;
90431+ struct socket *sock;
90432+
90433+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
90434+ if (!sock)
90435+ goto out;
90436+
90437+ err = ___sys_recvmsg(sock, msg, &msg_sys, flags, 0);
90438+
90439+ fput_light(sock->file, fput_needed);
90440+out:
90441+ return err;
90442+}
90443+
90444 SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
90445 unsigned int, flags)
90446 {
90447- int fput_needed, err;
90448- struct msghdr msg_sys;
90449- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
90450-
90451- if (!sock)
90452- goto out;
90453-
90454- err = __sys_recvmsg(sock, msg, &msg_sys, flags, 0);
90455-
90456- fput_light(sock->file, fput_needed);
90457-out:
90458- return err;
90459+ if (flags & MSG_CMSG_COMPAT)
90460+ return -EINVAL;
90461+ return __sys_recvmsg(fd, msg, flags);
90462 }
90463
90464 /*
90465@@ -2320,17 +2401,18 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
90466 * No need to ask LSM for more than the first datagram.
90467 */
90468 if (MSG_CMSG_COMPAT & flags) {
90469- err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
90470- &msg_sys, flags & ~MSG_WAITFORONE,
90471- datagrams);
90472+ err = ___sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
90473+ &msg_sys, flags & ~MSG_WAITFORONE,
90474+ datagrams);
90475 if (err < 0)
90476 break;
90477 err = __put_user(err, &compat_entry->msg_len);
90478 ++compat_entry;
90479 } else {
90480- err = __sys_recvmsg(sock, (struct msghdr __user *)entry,
90481- &msg_sys, flags & ~MSG_WAITFORONE,
90482- datagrams);
90483+ err = ___sys_recvmsg(sock,
90484+ (struct msghdr __user *)entry,
90485+ &msg_sys, flags & ~MSG_WAITFORONE,
90486+ datagrams);
90487 if (err < 0)
90488 break;
90489 err = put_user(err, &entry->msg_len);
90490@@ -2397,6 +2479,9 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
90491 int datagrams;
90492 struct timespec timeout_sys;
90493
90494+ if (flags & MSG_CMSG_COMPAT)
90495+ return -EINVAL;
90496+
90497 if (!timeout)
90498 return __sys_recvmmsg(fd, mmsg, vlen, flags, NULL);
90499
90500@@ -2952,7 +3037,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
89822 old_fs = get_fs(); 90501 old_fs = get_fs();
89823 set_fs(KERNEL_DS); 90502 set_fs(KERNEL_DS);
89824 err = dev_ioctl(net, cmd, 90503 err = dev_ioctl(net, cmd,
@@ -89827,7 +90506,7 @@ index 88f759a..c6933de 100644
89827 set_fs(old_fs); 90506 set_fs(old_fs);
89828 90507
89829 return err; 90508 return err;
89830@@ -3061,7 +3123,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, 90509@@ -3061,7 +3146,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
89831 90510
89832 old_fs = get_fs(); 90511 old_fs = get_fs();
89833 set_fs(KERNEL_DS); 90512 set_fs(KERNEL_DS);
@@ -89836,7 +90515,7 @@ index 88f759a..c6933de 100644
89836 set_fs(old_fs); 90515 set_fs(old_fs);
89837 90516
89838 if (cmd == SIOCGIFMAP && !err) { 90517 if (cmd == SIOCGIFMAP && !err) {
89839@@ -3166,7 +3228,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, 90518@@ -3166,7 +3251,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
89840 ret |= __get_user(rtdev, &(ur4->rt_dev)); 90519 ret |= __get_user(rtdev, &(ur4->rt_dev));
89841 if (rtdev) { 90520 if (rtdev) {
89842 ret |= copy_from_user(devname, compat_ptr(rtdev), 15); 90521 ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
@@ -89845,7 +90524,7 @@ index 88f759a..c6933de 100644
89845 devname[15] = 0; 90524 devname[15] = 0;
89846 } else 90525 } else
89847 r4.rt_dev = NULL; 90526 r4.rt_dev = NULL;
89848@@ -3392,8 +3454,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, 90527@@ -3392,8 +3477,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
89849 int __user *uoptlen; 90528 int __user *uoptlen;
89850 int err; 90529 int err;
89851 90530
@@ -89856,7 +90535,7 @@ index 88f759a..c6933de 100644
89856 90535
89857 set_fs(KERNEL_DS); 90536 set_fs(KERNEL_DS);
89858 if (level == SOL_SOCKET) 90537 if (level == SOL_SOCKET)
89859@@ -3413,7 +3475,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, 90538@@ -3413,7 +3498,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
89860 char __user *uoptval; 90539 char __user *uoptval;
89861 int err; 90540 int err;
89862 90541