diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2016-01-24 16:14:25 -0500 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2016-01-24 16:14:25 -0500 |
| commit | 8ea74e72a10e8c9982702c7e68315a7fc789873e (patch) | |
| tree | 9d5acbfa56eee24ab7d554dc544669cf61af3266 | |
| parent | grsecurity-3.1-4.3.3-201601192226 (diff) | |
| download | hardened-patchset-8ea74e72a10e8c9982702c7e68315a7fc789873e.tar.gz hardened-patchset-8ea74e72a10e8c9982702c7e68315a7fc789873e.tar.bz2 hardened-patchset-8ea74e72a10e8c9982702c7e68315a7fc789873e.zip | |
grsecurity-3.1-4.3.4-201601231215.patch20160123
| -rw-r--r-- | 4.3.4/0000_README (renamed from 4.3.3/0000_README) | 6 | ||||
| -rw-r--r-- | 4.3.4/1003_linux-4.3.4.patch | 1863 | ||||
| -rw-r--r-- | 4.3.4/4420_grsecurity-3.1-4.3.4-201601231215.patch (renamed from 4.3.3/4420_grsecurity-3.1-4.3.3-201601192226.patch) | 815 | ||||
| -rw-r--r-- | 4.3.4/4425_grsec_remove_EI_PAX.patch (renamed from 4.3.3/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
| -rw-r--r-- | 4.3.4/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.3.3/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
| -rw-r--r-- | 4.3.4/4430_grsec-remove-localversion-grsec.patch (renamed from 4.3.3/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 4.3.4/4435_grsec-mute-warnings.patch (renamed from 4.3.3/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 4.3.4/4440_grsec-remove-protected-paths.patch (renamed from 4.3.3/4440_grsec-remove-protected-paths.patch) | 0 | ||||
| -rw-r--r-- | 4.3.4/4450_grsec-kconfig-default-gids.patch (renamed from 4.3.3/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
| -rw-r--r-- | 4.3.4/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.3.3/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
| -rw-r--r-- | 4.3.4/4470_disable-compat_vdso.patch (renamed from 4.3.3/4470_disable-compat_vdso.patch) | 0 | ||||
| -rw-r--r-- | 4.3.4/4475_emutramp_default_on.patch (renamed from 4.3.3/4475_emutramp_default_on.patch) | 0 |
12 files changed, 2295 insertions, 389 deletions
diff --git a/4.3.3/0000_README b/4.3.4/0000_README index a2a51bf..f0bdee5 100644 --- a/4.3.3/0000_README +++ b/4.3.4/0000_README @@ -2,7 +2,11 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.1-4.3.3-201601192226.patch +Patch: 1003_linux-4.3.4.patch +From: http://www.kernel.org +Desc: Linux 4.3.4 + +Patch: 4420_grsecurity-3.1-4.3.4-201601231215.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.3.4/1003_linux-4.3.4.patch b/4.3.4/1003_linux-4.3.4.patch new file mode 100644 index 0000000..0e103a4 --- /dev/null +++ b/4.3.4/1003_linux-4.3.4.patch @@ -0,0 +1,1863 @@ +diff --git a/Makefile b/Makefile +index 2070d16..69430ed 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 3 +-SUBLEVEL = 3 ++SUBLEVEL = 4 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index 739a4a6..2f6e3c6 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -81,6 +81,7 @@ static struct workqueue_struct *kacpid_wq; + static struct workqueue_struct *kacpi_notify_wq; + static struct workqueue_struct *kacpi_hotplug_wq; + static bool acpi_os_initialized; ++unsigned int acpi_sci_irq = INVALID_ACPI_IRQ; + + /* + * This list of permanent mappings is for memory that may be accessed from +@@ -856,17 +857,19 @@ acpi_os_install_interrupt_handler(u32 gsi, acpi_osd_handler handler, + acpi_irq_handler = NULL; + return AE_NOT_ACQUIRED; + } ++ acpi_sci_irq = irq; + + return AE_OK; + } + +-acpi_status acpi_os_remove_interrupt_handler(u32 irq, acpi_osd_handler handler) ++acpi_status acpi_os_remove_interrupt_handler(u32 gsi, acpi_osd_handler handler) + { +- if (irq != acpi_gbl_FADT.sci_interrupt) ++ if (gsi != acpi_gbl_FADT.sci_interrupt || !acpi_sci_irq_valid()) + return AE_BAD_PARAMETER; + +- free_irq(irq, acpi_irq); ++ free_irq(acpi_sci_irq, acpi_irq); + acpi_irq_handler = NULL; ++ acpi_sci_irq = INVALID_ACPI_IRQ; + + return AE_OK; + } +@@ -1180,8 +1183,8 @@ void acpi_os_wait_events_complete(void) + * Make sure the GPE handler or the fixed event handler is not used + * on another CPU after removal. + */ +- if (acpi_irq_handler) +- synchronize_hardirq(acpi_gbl_FADT.sci_interrupt); ++ if (acpi_sci_irq_valid()) ++ synchronize_hardirq(acpi_sci_irq); + flush_workqueue(kacpid_wq); + flush_workqueue(kacpi_notify_wq); + } +diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c +index 2f0d4db..3fe1fbe 100644 +--- a/drivers/acpi/sleep.c ++++ b/drivers/acpi/sleep.c +@@ -632,14 +632,16 @@ static int acpi_freeze_prepare(void) + acpi_enable_wakeup_devices(ACPI_STATE_S0); + acpi_enable_all_wakeup_gpes(); + acpi_os_wait_events_complete(); +- enable_irq_wake(acpi_gbl_FADT.sci_interrupt); ++ if (acpi_sci_irq_valid()) ++ enable_irq_wake(acpi_sci_irq); + return 0; + } + + static void acpi_freeze_restore(void) + { + acpi_disable_wakeup_devices(ACPI_STATE_S0); +- disable_irq_wake(acpi_gbl_FADT.sci_interrupt); ++ if (acpi_sci_irq_valid()) ++ disable_irq_wake(acpi_sci_irq); + acpi_enable_all_runtime_gpes(); + } + +diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h +index f8319a0..39be5ac 100644 +--- a/drivers/char/tpm/tpm.h ++++ b/drivers/char/tpm/tpm.h +@@ -115,6 +115,13 @@ enum tpm2_startup_types { + TPM2_SU_STATE = 0x0001, + }; + ++enum tpm2_start_method { ++ TPM2_START_ACPI = 2, ++ TPM2_START_FIFO = 6, ++ TPM2_START_CRB = 7, ++ TPM2_START_CRB_WITH_ACPI = 8, ++}; ++ + struct tpm_chip; + + struct tpm_vendor_specific { +diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c +index 1267322..2b971b3 100644 +--- a/drivers/char/tpm/tpm_crb.c ++++ b/drivers/char/tpm/tpm_crb.c +@@ -34,12 +34,6 @@ enum crb_defaults { + CRB_ACPI_START_INDEX = 1, + }; + +-enum crb_start_method { +- CRB_SM_ACPI_START = 2, +- CRB_SM_CRB = 7, +- CRB_SM_CRB_WITH_ACPI_START = 8, +-}; +- + struct acpi_tpm2 { + struct acpi_table_header hdr; + u16 platform_class; +@@ -220,12 +214,6 @@ static int crb_acpi_add(struct acpi_device *device) + u64 pa; + int rc; + +- chip = tpmm_chip_alloc(dev, &tpm_crb); +- if (IS_ERR(chip)) +- return PTR_ERR(chip); +- +- chip->flags = TPM_CHIP_FLAG_TPM2; +- + status = acpi_get_table(ACPI_SIG_TPM2, 1, + (struct acpi_table_header **) &buf); + if (ACPI_FAILURE(status)) { +@@ -233,13 +221,15 @@ static int crb_acpi_add(struct acpi_device *device) + return -ENODEV; + } + +- /* At least some versions of AMI BIOS have a bug that TPM2 table has +- * zero address for the control area and therefore we must fail. +- */ +- if (!buf->control_area_pa) { +- dev_err(dev, "TPM2 ACPI table has a zero address for the control area\n"); +- return -EINVAL; +- } ++ /* Should the FIFO driver handle this? */ ++ if (buf->start_method == TPM2_START_FIFO) ++ return -ENODEV; ++ ++ chip = tpmm_chip_alloc(dev, &tpm_crb); ++ if (IS_ERR(chip)) ++ return PTR_ERR(chip); ++ ++ chip->flags = TPM_CHIP_FLAG_TPM2; + + if (buf->hdr.length < sizeof(struct acpi_tpm2)) { + dev_err(dev, "TPM2 ACPI table has wrong size"); +@@ -259,11 +249,11 @@ static int crb_acpi_add(struct acpi_device *device) + * report only ACPI start but in practice seems to require both + * ACPI start and CRB start. + */ +- if (sm == CRB_SM_CRB || sm == CRB_SM_CRB_WITH_ACPI_START || ++ if (sm == TPM2_START_CRB || sm == TPM2_START_FIFO || + !strcmp(acpi_device_hid(device), "MSFT0101")) + priv->flags |= CRB_FL_CRB_START; + +- if (sm == CRB_SM_ACPI_START || sm == CRB_SM_CRB_WITH_ACPI_START) ++ if (sm == TPM2_START_ACPI || sm == TPM2_START_CRB_WITH_ACPI) + priv->flags |= CRB_FL_ACPI_START; + + priv->cca = (struct crb_control_area __iomem *) +diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c +index f2dffa7..696ef1d 100644 +--- a/drivers/char/tpm/tpm_tis.c ++++ b/drivers/char/tpm/tpm_tis.c +@@ -1,6 +1,6 @@ + /* + * Copyright (C) 2005, 2006 IBM Corporation +- * Copyright (C) 2014 Intel Corporation ++ * Copyright (C) 2014, 2015 Intel Corporation + * + * Authors: + * Leendert van Doorn <leendert@watson.ibm.com> +@@ -28,6 +28,7 @@ + #include <linux/wait.h> + #include <linux/acpi.h> + #include <linux/freezer.h> ++#include <acpi/actbl2.h> + #include "tpm.h" + + enum tis_access { +@@ -65,6 +66,17 @@ enum tis_defaults { + TIS_LONG_TIMEOUT = 2000, /* 2 sec */ + }; + ++struct tpm_info { ++ unsigned long start; ++ unsigned long len; ++ unsigned int irq; ++}; ++ ++static struct tpm_info tis_default_info = { ++ .start = TIS_MEM_BASE, ++ .len = TIS_MEM_LEN, ++ .irq = 0, ++}; + + /* Some timeout values are needed before it is known whether the chip is + * TPM 1.0 or TPM 2.0. +@@ -91,26 +103,54 @@ struct priv_data { + }; + + #if defined(CONFIG_PNP) && defined(CONFIG_ACPI) +-static int is_itpm(struct pnp_dev *dev) ++static int has_hid(struct acpi_device *dev, const char *hid) + { +- struct acpi_device *acpi = pnp_acpi_device(dev); + struct acpi_hardware_id *id; + +- if (!acpi) +- return 0; +- +- list_for_each_entry(id, &acpi->pnp.ids, list) { +- if (!strcmp("INTC0102", id->id)) ++ list_for_each_entry(id, &dev->pnp.ids, list) ++ if (!strcmp(hid, id->id)) + return 1; +- } + + return 0; + } ++ ++static inline int is_itpm(struct acpi_device *dev) ++{ ++ return has_hid(dev, "INTC0102"); ++} ++ ++static inline int is_fifo(struct acpi_device *dev) ++{ ++ struct acpi_table_tpm2 *tbl; ++ acpi_status st; ++ ++ /* TPM 1.2 FIFO */ ++ if (!has_hid(dev, "MSFT0101")) ++ return 1; ++ ++ st = acpi_get_table(ACPI_SIG_TPM2, 1, ++ (struct acpi_table_header **) &tbl); ++ if (ACPI_FAILURE(st)) { ++ dev_err(&dev->dev, "failed to get TPM2 ACPI table\n"); ++ return 0; ++ } ++ ++ if (le32_to_cpu(tbl->start_method) != TPM2_START_FIFO) ++ return 0; ++ ++ /* TPM 2.0 FIFO */ ++ return 1; ++} + #else +-static inline int is_itpm(struct pnp_dev *dev) ++static inline int is_itpm(struct acpi_device *dev) + { + return 0; + } ++ ++static inline int is_fifo(struct acpi_device *dev) ++{ ++ return 1; ++} + #endif + + /* Before we attempt to access the TPM we must see that the valid bit is set. +@@ -600,9 +640,8 @@ static void tpm_tis_remove(struct tpm_chip *chip) + release_locality(chip, chip->vendor.locality, 1); + } + +-static int tpm_tis_init(struct device *dev, acpi_handle acpi_dev_handle, +- resource_size_t start, resource_size_t len, +- unsigned int irq) ++static int tpm_tis_init(struct device *dev, struct tpm_info *tpm_info, ++ acpi_handle acpi_dev_handle) + { + u32 vendor, intfcaps, intmask; + int rc, i, irq_s, irq_e, probe; +@@ -622,7 +661,7 @@ static int tpm_tis_init(struct device *dev, acpi_handle acpi_dev_handle, + chip->acpi_dev_handle = acpi_dev_handle; + #endif + +- chip->vendor.iobase = devm_ioremap(dev, start, len); ++ chip->vendor.iobase = devm_ioremap(dev, tpm_info->start, tpm_info->len); + if (!chip->vendor.iobase) + return -EIO; + +@@ -707,7 +746,7 @@ static int tpm_tis_init(struct device *dev, acpi_handle acpi_dev_handle, + chip->vendor.iobase + + TPM_INT_ENABLE(chip->vendor.locality)); + if (interrupts) +- chip->vendor.irq = irq; ++ chip->vendor.irq = tpm_info->irq; + if (interrupts && !chip->vendor.irq) { + irq_s = + ioread8(chip->vendor.iobase + +@@ -890,27 +929,27 @@ static SIMPLE_DEV_PM_OPS(tpm_tis_pm, tpm_pm_suspend, tpm_tis_resume); + static int tpm_tis_pnp_init(struct pnp_dev *pnp_dev, + const struct pnp_device_id *pnp_id) + { +- resource_size_t start, len; +- unsigned int irq = 0; ++ struct tpm_info tpm_info = tis_default_info; + acpi_handle acpi_dev_handle = NULL; + +- start = pnp_mem_start(pnp_dev, 0); +- len = pnp_mem_len(pnp_dev, 0); ++ tpm_info.start = pnp_mem_start(pnp_dev, 0); ++ tpm_info.len = pnp_mem_len(pnp_dev, 0); + + if (pnp_irq_valid(pnp_dev, 0)) +- irq = pnp_irq(pnp_dev, 0); ++ tpm_info.irq = pnp_irq(pnp_dev, 0); + else + interrupts = false; + +- if (is_itpm(pnp_dev)) +- itpm = true; +- + #ifdef CONFIG_ACPI +- if (pnp_acpi_device(pnp_dev)) ++ if (pnp_acpi_device(pnp_dev)) { ++ if (is_itpm(pnp_acpi_device(pnp_dev))) ++ itpm = true; ++ + acpi_dev_handle = pnp_acpi_device(pnp_dev)->handle; ++ } + #endif + +- return tpm_tis_init(&pnp_dev->dev, acpi_dev_handle, start, len, irq); ++ return tpm_tis_init(&pnp_dev->dev, &tpm_info, acpi_dev_handle); + } + + static struct pnp_device_id tpm_pnp_tbl[] = { +@@ -930,6 +969,7 @@ MODULE_DEVICE_TABLE(pnp, tpm_pnp_tbl); + static void tpm_tis_pnp_remove(struct pnp_dev *dev) + { + struct tpm_chip *chip = pnp_get_drvdata(dev); ++ + tpm_chip_unregister(chip); + tpm_tis_remove(chip); + } +@@ -950,6 +990,79 @@ module_param_string(hid, tpm_pnp_tbl[TIS_HID_USR_IDX].id, + MODULE_PARM_DESC(hid, "Set additional specific HID for this driver to probe"); + #endif + ++#ifdef CONFIG_ACPI ++static int tpm_check_resource(struct acpi_resource *ares, void *data) ++{ ++ struct tpm_info *tpm_info = (struct tpm_info *) data; ++ struct resource res; ++ ++ if (acpi_dev_resource_interrupt(ares, 0, &res)) { ++ tpm_info->irq = res.start; ++ } else if (acpi_dev_resource_memory(ares, &res)) { ++ tpm_info->start = res.start; ++ tpm_info->len = resource_size(&res); ++ } ++ ++ return 1; ++} ++ ++static int tpm_tis_acpi_init(struct acpi_device *acpi_dev) ++{ ++ struct list_head resources; ++ struct tpm_info tpm_info = tis_default_info; ++ int ret; ++ ++ if (!is_fifo(acpi_dev)) ++ return -ENODEV; ++ ++ INIT_LIST_HEAD(&resources); ++ ret = acpi_dev_get_resources(acpi_dev, &resources, tpm_check_resource, ++ &tpm_info); ++ if (ret < 0) ++ return ret; ++ ++ acpi_dev_free_resource_list(&resources); ++ ++ if (!tpm_info.irq) ++ interrupts = false; ++ ++ if (is_itpm(acpi_dev)) ++ itpm = true; ++ ++ return tpm_tis_init(&acpi_dev->dev, &tpm_info, acpi_dev->handle); ++} ++ ++static int tpm_tis_acpi_remove(struct acpi_device *dev) ++{ ++ struct tpm_chip *chip = dev_get_drvdata(&dev->dev); ++ ++ tpm_chip_unregister(chip); ++ tpm_tis_remove(chip); ++ ++ return 0; ++} ++ ++static struct acpi_device_id tpm_acpi_tbl[] = { ++ {"MSFT0101", 0}, /* TPM 2.0 */ ++ /* Add new here */ ++ {"", 0}, /* User Specified */ ++ {"", 0} /* Terminator */ ++}; ++MODULE_DEVICE_TABLE(acpi, tpm_acpi_tbl); ++ ++static struct acpi_driver tis_acpi_driver = { ++ .name = "tpm_tis", ++ .ids = tpm_acpi_tbl, ++ .ops = { ++ .add = tpm_tis_acpi_init, ++ .remove = tpm_tis_acpi_remove, ++ }, ++ .drv = { ++ .pm = &tpm_tis_pm, ++ }, ++}; ++#endif ++ + static struct platform_driver tis_drv = { + .driver = { + .name = "tpm_tis", +@@ -966,9 +1079,25 @@ static int __init init_tis(void) + { + int rc; + #ifdef CONFIG_PNP +- if (!force) +- return pnp_register_driver(&tis_pnp_driver); ++ if (!force) { ++ rc = pnp_register_driver(&tis_pnp_driver); ++ if (rc) ++ return rc; ++ } ++#endif ++#ifdef CONFIG_ACPI ++ if (!force) { ++ rc = acpi_bus_register_driver(&tis_acpi_driver); ++ if (rc) { ++#ifdef CONFIG_PNP ++ pnp_unregister_driver(&tis_pnp_driver); + #endif ++ return rc; ++ } ++ } ++#endif ++ if (!force) ++ return 0; + + rc = platform_driver_register(&tis_drv); + if (rc < 0) +@@ -978,7 +1107,7 @@ static int __init init_tis(void) + rc = PTR_ERR(pdev); + goto err_dev; + } +- rc = tpm_tis_init(&pdev->dev, NULL, TIS_MEM_BASE, TIS_MEM_LEN, 0); ++ rc = tpm_tis_init(&pdev->dev, &tis_default_info, NULL); + if (rc) + goto err_init; + return 0; +@@ -992,9 +1121,14 @@ err_dev: + static void __exit cleanup_tis(void) + { + struct tpm_chip *chip; +-#ifdef CONFIG_PNP ++#if defined(CONFIG_PNP) || defined(CONFIG_ACPI) + if (!force) { ++#ifdef CONFIG_ACPI ++ acpi_bus_unregister_driver(&tis_acpi_driver); ++#endif ++#ifdef CONFIG_PNP + pnp_unregister_driver(&tis_pnp_driver); ++#endif + return; + } + #endif +diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c +index 2795d6d..8b5988e 100644 +--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c ++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c +@@ -1016,13 +1016,12 @@ static int atl1c_setup_ring_resources(struct atl1c_adapter *adapter) + sizeof(struct atl1c_recv_ret_status) * rx_desc_count + + 8 * 4; + +- ring_header->desc = pci_alloc_consistent(pdev, ring_header->size, +- &ring_header->dma); ++ ring_header->desc = dma_zalloc_coherent(&pdev->dev, ring_header->size, ++ &ring_header->dma, GFP_KERNEL); + if (unlikely(!ring_header->desc)) { +- dev_err(&pdev->dev, "pci_alloc_consistend failed\n"); ++ dev_err(&pdev->dev, "could not get memory for DMA buffer\n"); + goto err_nomem; + } +- memset(ring_header->desc, 0, ring_header->size); + /* init TPD ring */ + + tpd_ring[0].dma = roundup(ring_header->dma, 8); +diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c +index ce38d26..bcb933e 100644 +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -894,7 +894,8 @@ static int gfar_of_init(struct platform_device *ofdev, struct net_device **pdev) + FSL_GIANFAR_DEV_HAS_VLAN | + FSL_GIANFAR_DEV_HAS_MAGIC_PACKET | + FSL_GIANFAR_DEV_HAS_EXTENDED_HASH | +- FSL_GIANFAR_DEV_HAS_TIMER; ++ FSL_GIANFAR_DEV_HAS_TIMER | ++ FSL_GIANFAR_DEV_HAS_RX_FILER; + + err = of_property_read_string(np, "phy-connection-type", &ctype); + +@@ -1393,8 +1394,9 @@ static int gfar_probe(struct platform_device *ofdev) + priv->rx_queue[i]->rxic = DEFAULT_RXIC; + } + +- /* always enable rx filer */ +- priv->rx_filer_enable = 1; ++ /* Always enable rx filer if available */ ++ priv->rx_filer_enable = ++ (priv->device_flags & FSL_GIANFAR_DEV_HAS_RX_FILER) ? 1 : 0; + /* Enable most messages by default */ + priv->msg_enable = (NETIF_MSG_IFUP << 1 ) - 1; + /* use pritority h/w tx queue scheduling for single queue devices */ +diff --git a/drivers/net/ethernet/freescale/gianfar.h b/drivers/net/ethernet/freescale/gianfar.h +index 8c19948..3755372 100644 +--- a/drivers/net/ethernet/freescale/gianfar.h ++++ b/drivers/net/ethernet/freescale/gianfar.h +@@ -917,6 +917,7 @@ struct gfar { + #define FSL_GIANFAR_DEV_HAS_BD_STASHING 0x00000200 + #define FSL_GIANFAR_DEV_HAS_BUF_STASHING 0x00000400 + #define FSL_GIANFAR_DEV_HAS_TIMER 0x00000800 ++#define FSL_GIANFAR_DEV_HAS_RX_FILER 0x00002000 + + #if (MAXGROUPS == 2) + #define DEFAULT_MAPPING 0xAA +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index 2f87909..60ccc29 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -736,9 +736,8 @@ qcaspi_netdev_tx_timeout(struct net_device *dev) + netdev_info(qca->net_dev, "Transmit timeout at %ld, latency %ld\n", + jiffies, jiffies - dev->trans_start); + qca->net_dev->stats.tx_errors++; +- /* wake the queue if there is room */ +- if (qcaspi_tx_ring_has_space(&qca->txr)) +- netif_wake_queue(dev); ++ /* Trigger tx queue flush and QCA7000 reset */ ++ qca->sync = QCASPI_SYNC_UNKNOWN; + } + + static int +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index a484d8b..f3cbf90c 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -1481,6 +1481,7 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota) + if (mdp->cd->shift_rd0) + desc_status >>= 16; + ++ skb = mdp->rx_skbuff[entry]; + if (desc_status & (RD_RFS1 | RD_RFS2 | RD_RFS3 | RD_RFS4 | + RD_RFS5 | RD_RFS6 | RD_RFS10)) { + ndev->stats.rx_errors++; +@@ -1496,12 +1497,11 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota) + ndev->stats.rx_missed_errors++; + if (desc_status & RD_RFS10) + ndev->stats.rx_over_errors++; +- } else { ++ } else if (skb) { + if (!mdp->cd->hw_swap) + sh_eth_soft_swap( + phys_to_virt(ALIGN(rxdesc->addr, 4)), + pkt_len + 2); +- skb = mdp->rx_skbuff[entry]; + mdp->rx_skbuff[entry] = NULL; + if (mdp->cd->rpadir) + skb_reserve(skb, NET_IP_ALIGN); +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index cf6312f..e13ad6c 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -339,9 +339,18 @@ static int ksz9021_config_init(struct phy_device *phydev) + { + const struct device *dev = &phydev->dev; + const struct device_node *of_node = dev->of_node; ++ const struct device *dev_walker; + +- if (!of_node && dev->parent->of_node) +- of_node = dev->parent->of_node; ++ /* The Micrel driver has a deprecated option to place phy OF ++ * properties in the MAC node. Walk up the tree of devices to ++ * find a device with an OF node. ++ */ ++ dev_walker = &phydev->dev; ++ do { ++ of_node = dev_walker->of_node; ++ dev_walker = dev_walker->parent; ++ ++ } while (!of_node && dev_walker); + + if (of_node) { + ksz9021_load_values_from_of(phydev, of_node, +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c +index 5e0b432..0a37f84 100644 +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -568,6 +568,9 @@ static int pppoe_create(struct net *net, struct socket *sock, int kern) + sk->sk_family = PF_PPPOX; + sk->sk_protocol = PX_PROTO_OE; + ++ INIT_WORK(&pppox_sk(sk)->proto.pppoe.padt_work, ++ pppoe_unbind_sock_work); ++ + return 0; + } + +@@ -632,8 +635,6 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr, + + lock_sock(sk); + +- INIT_WORK(&po->proto.pppoe.padt_work, pppoe_unbind_sock_work); +- + error = -EINVAL; + if (sp->sa_protocol != PX_PROTO_OE) + goto end; +@@ -663,8 +664,13 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr, + po->pppoe_dev = NULL; + } + +- memset(sk_pppox(po) + 1, 0, +- sizeof(struct pppox_sock) - sizeof(struct sock)); ++ po->pppoe_ifindex = 0; ++ memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa)); ++ memset(&po->pppoe_relay, 0, sizeof(po->pppoe_relay)); ++ memset(&po->chan, 0, sizeof(po->chan)); ++ po->next = NULL; ++ po->num = 0; ++ + sk->sk_state = PPPOX_NONE; + } + +diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c +index 686f37d..b910cae 100644 +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -418,6 +418,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr, + struct pptp_opt *opt = &po->proto.pptp; + int error = 0; + ++ if (sockaddr_len < sizeof(struct sockaddr_pppox)) ++ return -EINVAL; ++ + lock_sock(sk); + + opt->src_addr = sp->sa_addr.pptp; +@@ -439,6 +442,9 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr, + struct flowi4 fl4; + int error = 0; + ++ if (sockaddr_len < sizeof(struct sockaddr_pppox)) ++ return -EINVAL; ++ + if (sp->sa_protocol != PX_PROTO_PPTP) + return -EINVAL; + +diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c +index efc18e0..b6ea6ff 100644 +--- a/drivers/net/usb/cdc_mbim.c ++++ b/drivers/net/usb/cdc_mbim.c +@@ -158,7 +158,7 @@ static int cdc_mbim_bind(struct usbnet *dev, struct usb_interface *intf) + if (!cdc_ncm_comm_intf_is_mbim(intf->cur_altsetting)) + goto err; + +- ret = cdc_ncm_bind_common(dev, intf, data_altsetting, 0); ++ ret = cdc_ncm_bind_common(dev, intf, data_altsetting, dev->driver_info->data); + if (ret) + goto err; + +@@ -582,6 +582,26 @@ static const struct driver_info cdc_mbim_info_zlp = { + .tx_fixup = cdc_mbim_tx_fixup, + }; + ++/* The spefication explicitly allows NDPs to be placed anywhere in the ++ * frame, but some devices fail unless the NDP is placed after the IP ++ * packets. Using the CDC_NCM_FLAG_NDP_TO_END flags to force this ++ * behaviour. ++ * ++ * Note: The current implementation of this feature restricts each NTB ++ * to a single NDP, implying that multiplexed sessions cannot share an ++ * NTB. This might affect performace for multiplexed sessions. ++ */ ++static const struct driver_info cdc_mbim_info_ndp_to_end = { ++ .description = "CDC MBIM", ++ .flags = FLAG_NO_SETINT | FLAG_MULTI_PACKET | FLAG_WWAN, ++ .bind = cdc_mbim_bind, ++ .unbind = cdc_mbim_unbind, ++ .manage_power = cdc_mbim_manage_power, ++ .rx_fixup = cdc_mbim_rx_fixup, ++ .tx_fixup = cdc_mbim_tx_fixup, ++ .data = CDC_NCM_FLAG_NDP_TO_END, ++}; ++ + static const struct usb_device_id mbim_devs[] = { + /* This duplicate NCM entry is intentional. MBIM devices can + * be disguised as NCM by default, and this is necessary to +@@ -597,6 +617,10 @@ static const struct usb_device_id mbim_devs[] = { + { USB_VENDOR_AND_INTERFACE_INFO(0x0bdb, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), + .driver_info = (unsigned long)&cdc_mbim_info, + }, ++ /* Huawei E3372 fails unless NDP comes after the IP packets */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x12d1, 0x157d, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), ++ .driver_info = (unsigned long)&cdc_mbim_info_ndp_to_end, ++ }, + /* default entry */ + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), + .driver_info = (unsigned long)&cdc_mbim_info_zlp, +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index db40175..fa41a6d 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1006,10 +1006,18 @@ static struct usb_cdc_ncm_ndp16 *cdc_ncm_ndp(struct cdc_ncm_ctx *ctx, struct sk_ + * NTH16 header as we would normally do. NDP isn't written to the SKB yet, and + * the wNdpIndex field in the header is actually not consistent with reality. It will be later. + */ +- if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) ++ if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) { + if (ctx->delayed_ndp16->dwSignature == sign) + return ctx->delayed_ndp16; + ++ /* We can only push a single NDP to the end. Return ++ * NULL to send what we've already got and queue this ++ * skb for later. ++ */ ++ else if (ctx->delayed_ndp16->dwSignature) ++ return NULL; ++ } ++ + /* follow the chain of NDPs, looking for a match */ + while (ndpoffset) { + ndp16 = (struct usb_cdc_ncm_ndp16 *)(skb->data + ndpoffset); +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index d9427ca..2e32c41 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -3067,17 +3067,6 @@ static int rtl8152_open(struct net_device *netdev) + + mutex_lock(&tp->control); + +- /* The WORK_ENABLE may be set when autoresume occurs */ +- if (test_bit(WORK_ENABLE, &tp->flags)) { +- clear_bit(WORK_ENABLE, &tp->flags); +- usb_kill_urb(tp->intr_urb); +- cancel_delayed_work_sync(&tp->schedule); +- +- /* disable the tx/rx, if the workqueue has enabled them. */ +- if (netif_carrier_ok(netdev)) +- tp->rtl_ops.disable(tp); +- } +- + tp->rtl_ops.up(tp); + + rtl8152_set_speed(tp, AUTONEG_ENABLE, +@@ -3124,12 +3113,6 @@ static int rtl8152_close(struct net_device *netdev) + } else { + mutex_lock(&tp->control); + +- /* The autosuspend may have been enabled and wouldn't +- * be disable when autoresume occurs, because the +- * netif_running() would be false. +- */ +- rtl_runtime_suspend_enable(tp, false); +- + tp->rtl_ops.down(tp); + + mutex_unlock(&tp->control); +@@ -3512,7 +3495,7 @@ static int rtl8152_resume(struct usb_interface *intf) + netif_device_attach(tp->netdev); + } + +- if (netif_running(tp->netdev)) { ++ if (netif_running(tp->netdev) && tp->netdev->flags & IFF_UP) { + if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) { + rtl_runtime_suspend_enable(tp, false); + clear_bit(SELECTIVE_SUSPEND, &tp->flags); +@@ -3532,6 +3515,8 @@ static int rtl8152_resume(struct usb_interface *intf) + } + usb_submit_urb(tp->intr_urb, GFP_KERNEL); + } else if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) { ++ if (tp->netdev->flags & IFF_UP) ++ rtl_runtime_suspend_enable(tp, false); + clear_bit(SELECTIVE_SUSPEND, &tp->flags); + } + +diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c +index c9e309c..374feba 100644 +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -581,6 +581,7 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, + { + struct net_vrf *vrf = netdev_priv(dev); + struct net_vrf_dev *vrf_ptr; ++ int err; + + if (!data || !data[IFLA_VRF_TABLE]) + return -EINVAL; +@@ -589,16 +590,25 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, + + dev->priv_flags |= IFF_VRF_MASTER; + ++ err = -ENOMEM; + vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL); + if (!vrf_ptr) +- return -ENOMEM; ++ goto out_fail; + + vrf_ptr->ifindex = dev->ifindex; + vrf_ptr->tb_id = vrf->tb_id; + ++ err = register_netdevice(dev); ++ if (err < 0) ++ goto out_fail; ++ + rcu_assign_pointer(dev->vrf_ptr, vrf_ptr); + +- return register_netdev(dev); ++ return 0; ++ ++out_fail: ++ kfree(vrf_ptr); ++ return err; + } + + static size_t vrf_nl_getsize(const struct net_device *dev) +diff --git a/drivers/platform/x86/toshiba_acpi.c b/drivers/platform/x86/toshiba_acpi.c +index f2372f4..d2de91c 100644 +--- a/drivers/platform/x86/toshiba_acpi.c ++++ b/drivers/platform/x86/toshiba_acpi.c +@@ -2676,6 +2676,7 @@ static int toshiba_acpi_add(struct acpi_device *acpi_dev) + ret = toshiba_function_keys_get(dev, &special_functions); + dev->kbd_function_keys_supported = !ret; + ++ dev->hotkey_event_type = 0; + if (toshiba_acpi_setup_keyboard(dev)) + pr_info("Unable to activate hotkeys\n"); + +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index b30e742..26ca4f9 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1838,6 +1838,11 @@ static const struct usb_device_id acm_ids[] = { + }, + #endif + ++ /* Exclude Infineon Flash Loader utility */ ++ { USB_DEVICE(0x058b, 0x0041), ++ .driver_info = IGNORE_DEVICE, ++ }, ++ + /* control interfaces without any protocol set */ + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM, + USB_CDC_PROTO_NONE) }, +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c +index b9ddf0c..894894f 100644 +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -115,7 +115,8 @@ static void usb_parse_ss_endpoint_companion(struct device *ddev, int cfgno, + USB_SS_MULT(desc->bmAttributes) > 3) { + dev_warn(ddev, "Isoc endpoint has Mult of %d in " + "config %d interface %d altsetting %d ep %d: " +- "setting to 3\n", desc->bmAttributes + 1, ++ "setting to 3\n", ++ USB_SS_MULT(desc->bmAttributes), + cfgno, inum, asnum, ep->desc.bEndpointAddress); + ep->ss_ep_comp.bmAttributes = 2; + } +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 431839b..522f766 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -124,6 +124,10 @@ struct usb_hub *usb_hub_to_struct_hub(struct usb_device *hdev) + + int usb_device_supports_lpm(struct usb_device *udev) + { ++ /* Some devices have trouble with LPM */ ++ if (udev->quirks & USB_QUIRK_NO_LPM) ++ return 0; ++ + /* USB 2.1 (and greater) devices indicate LPM support through + * their USB 2.0 Extended Capabilities BOS descriptor. + */ +@@ -4503,6 +4507,8 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, + goto fail; + } + ++ usb_detect_quirks(udev); ++ + if (udev->wusb == 0 && le16_to_cpu(udev->descriptor.bcdUSB) >= 0x0201) { + retval = usb_get_bos_descriptor(udev); + if (!retval) { +@@ -4701,7 +4707,6 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, + if (status < 0) + goto loop; + +- usb_detect_quirks(udev); + if (udev->quirks & USB_QUIRK_DELAY_INIT) + msleep(1000); + +@@ -5317,9 +5322,6 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + if (udev->usb2_hw_lpm_enabled == 1) + usb_set_usb2_hardware_lpm(udev, 0); + +- bos = udev->bos; +- udev->bos = NULL; +- + /* Disable LPM and LTM while we reset the device and reinstall the alt + * settings. Device-initiated LPM settings, and system exit latency + * settings are cleared when the device is reset, so we have to set +@@ -5328,15 +5330,18 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + ret = usb_unlocked_disable_lpm(udev); + if (ret) { + dev_err(&udev->dev, "%s Failed to disable LPM\n.", __func__); +- goto re_enumerate; ++ goto re_enumerate_no_bos; + } + ret = usb_disable_ltm(udev); + if (ret) { + dev_err(&udev->dev, "%s Failed to disable LTM\n.", + __func__); +- goto re_enumerate; ++ goto re_enumerate_no_bos; + } + ++ bos = udev->bos; ++ udev->bos = NULL; ++ + for (i = 0; i < SET_CONFIG_TRIES; ++i) { + + /* ep0 maxpacket size may change; let the HCD know about it. +@@ -5433,10 +5438,11 @@ done: + return 0; + + re_enumerate: +- /* LPM state doesn't matter when we're about to destroy the device. */ +- hub_port_logical_disconnect(parent_hub, port1); + usb_release_bos_descriptor(udev); + udev->bos = bos; ++re_enumerate_no_bos: ++ /* LPM state doesn't matter when we're about to destroy the device. */ ++ hub_port_logical_disconnect(parent_hub, port1); + return -ENODEV; + } + +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index f5a3819..017c1de 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -199,6 +199,12 @@ static const struct usb_device_id usb_quirk_list[] = { + { USB_DEVICE(0x1a0a, 0x0200), .driver_info = + USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL }, + ++ /* Blackmagic Design Intensity Shuttle */ ++ { USB_DEVICE(0x1edb, 0xbd3b), .driver_info = USB_QUIRK_NO_LPM }, ++ ++ /* Blackmagic Design UltraStudio SDI */ ++ { USB_DEVICE(0x1edb, 0xbd4f), .driver_info = USB_QUIRK_NO_LPM }, ++ + { } /* terminating entry must be last */ + }; + +diff --git a/drivers/usb/gadget/udc/pxa27x_udc.c b/drivers/usb/gadget/udc/pxa27x_udc.c +index 670ac0b..001a3b7 100644 +--- a/drivers/usb/gadget/udc/pxa27x_udc.c ++++ b/drivers/usb/gadget/udc/pxa27x_udc.c +@@ -2536,6 +2536,9 @@ static int pxa_udc_suspend(struct platform_device *_dev, pm_message_t state) + udc->pullup_resume = udc->pullup_on; + dplus_pullup(udc, 0); + ++ if (udc->driver) ++ udc->driver->disconnect(&udc->gadget); ++ + return 0; + } + +diff --git a/drivers/usb/host/ohci-at91.c b/drivers/usb/host/ohci-at91.c +index 342ffd1..8c6e15b 100644 +--- a/drivers/usb/host/ohci-at91.c ++++ b/drivers/usb/host/ohci-at91.c +@@ -473,6 +473,8 @@ static int ohci_hcd_at91_drv_probe(struct platform_device *pdev) + if (!pdata) + return -ENOMEM; + ++ pdev->dev.platform_data = pdata; ++ + if (!of_property_read_u32(np, "num-ports", &ports)) + pdata->ports = ports; + +@@ -483,6 +485,7 @@ static int ohci_hcd_at91_drv_probe(struct platform_device *pdev) + */ + if (i >= pdata->ports) { + pdata->vbus_pin[i] = -EINVAL; ++ pdata->overcurrent_pin[i] = -EINVAL; + continue; + } + +@@ -513,10 +516,8 @@ static int ohci_hcd_at91_drv_probe(struct platform_device *pdev) + } + + at91_for_each_port(i) { +- if (i >= pdata->ports) { +- pdata->overcurrent_pin[i] = -EINVAL; +- continue; +- } ++ if (i >= pdata->ports) ++ break; + + pdata->overcurrent_pin[i] = + of_get_named_gpio_flags(np, "atmel,oc-gpio", i, &flags); +@@ -552,8 +553,6 @@ static int ohci_hcd_at91_drv_probe(struct platform_device *pdev) + } + } + +- pdev->dev.platform_data = pdata; +- + device_init_wakeup(&pdev->dev, 1); + return usb_hcd_at91_probe(&ohci_at91_hc_driver, pdev); + } +diff --git a/drivers/usb/host/whci/qset.c b/drivers/usb/host/whci/qset.c +index dc31c42..9f1c053 100644 +--- a/drivers/usb/host/whci/qset.c ++++ b/drivers/usb/host/whci/qset.c +@@ -377,6 +377,10 @@ static int qset_fill_page_list(struct whc *whc, struct whc_std *std, gfp_t mem_f + if (std->pl_virt == NULL) + return -ENOMEM; + std->dma_addr = dma_map_single(whc->wusbhc.dev, std->pl_virt, pl_len, DMA_TO_DEVICE); ++ if (dma_mapping_error(whc->wusbhc.dev, std->dma_addr)) { ++ kfree(std->pl_virt); ++ return -EFAULT; ++ } + + for (p = 0; p < std->num_pointers; p++) { + std->pl_virt[p].buf_ptr = cpu_to_le64(dma_addr); +diff --git a/drivers/usb/musb/Kconfig b/drivers/usb/musb/Kconfig +index 1f2037b..45c83ba 100644 +--- a/drivers/usb/musb/Kconfig ++++ b/drivers/usb/musb/Kconfig +@@ -159,7 +159,7 @@ config USB_TI_CPPI_DMA + + config USB_TI_CPPI41_DMA + bool 'TI CPPI 4.1 (AM335x)' +- depends on ARCH_OMAP ++ depends on ARCH_OMAP && DMADEVICES + select TI_CPPI41 + + config USB_TUSB_OMAP_DMA +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index eac7cca..7d4f51a 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -132,7 +132,6 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */ +- { USB_DEVICE(0x10C4, 0xEA80) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */ + { USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */ + { USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */ +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c +index 3658662..a204782 100644 +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -53,6 +53,7 @@ DEVICE(funsoft, FUNSOFT_IDS); + + /* Infineon Flashloader driver */ + #define FLASHLOADER_IDS() \ ++ { USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \ + { USB_DEVICE(0x8087, 0x0716) } + DEVICE(flashloader, FLASHLOADER_IDS); + +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index f689219..43b1caf 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -796,6 +796,10 @@ static int uas_slave_configure(struct scsi_device *sdev) + if (devinfo->flags & US_FL_NO_REPORT_OPCODES) + sdev->no_report_opcodes = 1; + ++ /* A few buggy USB-ATA bridges don't understand FUA */ ++ if (devinfo->flags & US_FL_BROKEN_FUA) ++ sdev->broken_fua = 1; ++ + scsi_change_queue_depth(sdev, devinfo->qdepth - 2); + return 0; + } +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h +index 6b24791..7ffe420 100644 +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -1987,7 +1987,7 @@ UNUSUAL_DEV( 0x14cd, 0x6600, 0x0201, 0x0201, + US_FL_IGNORE_RESIDUE ), + + /* Reported by Michael Büsch <m@bues.ch> */ +-UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0114, ++UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0116, + "JMicron", + "USB to ATA/ATAPI Bridge", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, +diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h +index c85ea53..ccc113e 100644 +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -132,7 +132,7 @@ UNUSUAL_DEV(0x152d, 0x0567, 0x0000, 0x9999, + "JMicron", + "JMS567", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, +- US_FL_NO_REPORT_OPCODES), ++ US_FL_BROKEN_FUA | US_FL_NO_REPORT_OPCODES), + + /* Reported-by: Hans de Goede <hdegoede@redhat.com> */ + UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999, +diff --git a/include/linux/acpi.h b/include/linux/acpi.h +index 43856d1..1ae6ba0 100644 +--- a/include/linux/acpi.h ++++ b/include/linux/acpi.h +@@ -193,6 +193,12 @@ int acpi_ioapic_registered(acpi_handle handle, u32 gsi_base); + void acpi_irq_stats_init(void); + extern u32 acpi_irq_handled; + extern u32 acpi_irq_not_handled; ++extern unsigned int acpi_sci_irq; ++#define INVALID_ACPI_IRQ ((unsigned)-1) ++static inline bool acpi_sci_irq_valid(void) ++{ ++ return acpi_sci_irq != INVALID_ACPI_IRQ; ++} + + extern int sbf_port; + extern unsigned long acpi_realmode_flags; +diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h +index 9948c87..1d0043d 100644 +--- a/include/linux/usb/quirks.h ++++ b/include/linux/usb/quirks.h +@@ -47,4 +47,7 @@ + /* device generates spurious wakeup, ignore remote wakeup capability */ + #define USB_QUIRK_IGNORE_REMOTE_WAKEUP BIT(9) + ++/* device can't handle Link Power Management */ ++#define USB_QUIRK_NO_LPM BIT(10) ++ + #endif /* __LINUX_USB_QUIRKS_H */ +diff --git a/include/net/dst.h b/include/net/dst.h +index 9261d92..e7fa2e2 100644 +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -322,6 +322,39 @@ static inline void skb_dst_force(struct sk_buff *skb) + } + } + ++/** ++ * dst_hold_safe - Take a reference on a dst if possible ++ * @dst: pointer to dst entry ++ * ++ * This helper returns false if it could not safely ++ * take a reference on a dst. ++ */ ++static inline bool dst_hold_safe(struct dst_entry *dst) ++{ ++ if (dst->flags & DST_NOCACHE) ++ return atomic_inc_not_zero(&dst->__refcnt); ++ dst_hold(dst); ++ return true; ++} ++ ++/** ++ * skb_dst_force_safe - makes sure skb dst is refcounted ++ * @skb: buffer ++ * ++ * If dst is not yet refcounted and not destroyed, grab a ref on it. ++ */ ++static inline void skb_dst_force_safe(struct sk_buff *skb) ++{ ++ if (skb_dst_is_noref(skb)) { ++ struct dst_entry *dst = skb_dst(skb); ++ ++ if (!dst_hold_safe(dst)) ++ dst = NULL; ++ ++ skb->_skb_refdst = (unsigned long)dst; ++ } ++} ++ + + /** + * __skb_tunnel_rx - prepare skb for rx reinsert +diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h +index 4a6009d..235c781 100644 +--- a/include/net/inetpeer.h ++++ b/include/net/inetpeer.h +@@ -78,6 +78,7 @@ void inet_initpeers(void) __init; + static inline void inetpeer_set_addr_v4(struct inetpeer_addr *iaddr, __be32 ip) + { + iaddr->a4.addr = ip; ++ iaddr->a4.vif = 0; + iaddr->family = AF_INET; + } + +diff --git a/include/net/sock.h b/include/net/sock.h +index e237170..bca709a 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -387,6 +387,7 @@ struct sock { + sk_no_check_rx : 1, + sk_userlocks : 4, + sk_protocol : 8, ++#define SK_PROTOCOL_MAX U8_MAX + sk_type : 16; + kmemcheck_bitfield_end(flags); + int sk_wmem_queued; +@@ -724,6 +725,8 @@ enum sock_flags { + SOCK_SELECT_ERR_QUEUE, /* Wake select on error queue */ + }; + ++#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)) ++ + static inline void sock_copy_flags(struct sock *nsk, struct sock *osk) + { + nsk->sk_flags = osk->sk_flags; +@@ -798,7 +801,7 @@ void sk_stream_write_space(struct sock *sk); + static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb) + { + /* dont let skb dst not refcounted, we are going to leave rcu lock */ +- skb_dst_force(skb); ++ skb_dst_force_safe(skb); + + if (!sk->sk_backlog.tail) + sk->sk_backlog.head = skb; +diff --git a/include/net/vxlan.h b/include/net/vxlan.h +index 480a319..f4a4972 100644 +--- a/include/net/vxlan.h ++++ b/include/net/vxlan.h +@@ -79,7 +79,7 @@ struct vxlanhdr { + }; + + /* VXLAN header flags. */ +-#define VXLAN_HF_RCO BIT(24) ++#define VXLAN_HF_RCO BIT(21) + #define VXLAN_HF_VNI BIT(27) + #define VXLAN_HF_GBP BIT(31) + +diff --git a/include/uapi/linux/Kbuild b/include/uapi/linux/Kbuild +index f7b2db4..7fc5733 100644 +--- a/include/uapi/linux/Kbuild ++++ b/include/uapi/linux/Kbuild +@@ -186,6 +186,7 @@ header-y += if_tunnel.h + header-y += if_vlan.h + header-y += if_x25.h + header-y += igmp.h ++header-y += ila.h + header-y += in6.h + header-y += inet_diag.h + header-y += in.h +diff --git a/lib/rhashtable.c b/lib/rhashtable.c +index a54ff89..aa388a7 100644 +--- a/lib/rhashtable.c ++++ b/lib/rhashtable.c +@@ -503,10 +503,11 @@ int rhashtable_walk_init(struct rhashtable *ht, struct rhashtable_iter *iter) + if (!iter->walker) + return -ENOMEM; + +- mutex_lock(&ht->mutex); +- iter->walker->tbl = rht_dereference(ht->tbl, ht); ++ spin_lock(&ht->lock); ++ iter->walker->tbl = ++ rcu_dereference_protected(ht->tbl, lockdep_is_held(&ht->lock)); + list_add(&iter->walker->list, &iter->walker->tbl->walkers); +- mutex_unlock(&ht->mutex); ++ spin_unlock(&ht->lock); + + return 0; + } +@@ -520,10 +521,10 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_init); + */ + void rhashtable_walk_exit(struct rhashtable_iter *iter) + { +- mutex_lock(&iter->ht->mutex); ++ spin_lock(&iter->ht->lock); + if (iter->walker->tbl) + list_del(&iter->walker->list); +- mutex_unlock(&iter->ht->mutex); ++ spin_unlock(&iter->ht->lock); + kfree(iter->walker); + } + EXPORT_SYMBOL_GPL(rhashtable_walk_exit); +@@ -547,14 +548,12 @@ int rhashtable_walk_start(struct rhashtable_iter *iter) + { + struct rhashtable *ht = iter->ht; + +- mutex_lock(&ht->mutex); ++ rcu_read_lock(); + ++ spin_lock(&ht->lock); + if (iter->walker->tbl) + list_del(&iter->walker->list); +- +- rcu_read_lock(); +- +- mutex_unlock(&ht->mutex); ++ spin_unlock(&ht->lock); + + if (!iter->walker->tbl) { + iter->walker->tbl = rht_dereference_rcu(ht->tbl, ht); +@@ -723,9 +722,6 @@ int rhashtable_init(struct rhashtable *ht, + if (params->nulls_base && params->nulls_base < (1U << RHT_BASE_SHIFT)) + return -EINVAL; + +- if (params->nelem_hint) +- size = rounded_hashtable_size(params); +- + memset(ht, 0, sizeof(*ht)); + mutex_init(&ht->mutex); + spin_lock_init(&ht->lock); +@@ -745,6 +741,9 @@ int rhashtable_init(struct rhashtable *ht, + + ht->p.min_size = max(ht->p.min_size, HASH_MIN_SIZE); + ++ if (params->nelem_hint) ++ size = rounded_hashtable_size(&ht->p); ++ + /* The maximum (not average) chain length grows with the + * size of the hash table, at a rate of (log N)/(log log N). + * The value of 16 is selected so that even if the hash +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index ae3a47f..fbd0acf 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol, + struct sock *sk; + ax25_cb *ax25; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (!net_eq(net, &init_net)) + return -EAFNOSUPPORT; + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index f315c8d..15cb6c5 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le + if (!addr || addr->sa_family != AF_BLUETOOTH) + return -EINVAL; + ++ if (addr_len < sizeof(struct sockaddr_sco)) ++ return -EINVAL; ++ + lock_sock(sk); + + if (sk->sk_state != BT_OPEN) { +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index fab4599..1c1f87c 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3643,7 +3643,8 @@ static void __skb_complete_tx_timestamp(struct sk_buff *skb, + serr->ee.ee_info = tstype; + if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) { + serr->ee.ee_data = skb_shinfo(skb)->tskey; +- if (sk->sk_protocol == IPPROTO_TCP) ++ if (sk->sk_protocol == IPPROTO_TCP && ++ sk->sk_type == SOCK_STREAM) + serr->ee.ee_data -= sk->sk_tskey; + } + +@@ -4268,7 +4269,8 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) + return NULL; + } + +- memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN); ++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN, ++ 2 * ETH_ALEN); + skb->mac_header += VLAN_HLEN; + return skb; + } +diff --git a/net/core/sock.c b/net/core/sock.c +index 3307c02..dbbda99 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -422,8 +422,6 @@ static void sock_warn_obsolete_bsdism(const char *name) + } + } + +-#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)) +- + static void sock_disable_timestamp(struct sock *sk, unsigned long flags) + { + if (sk->sk_flags & flags) { +@@ -862,7 +860,8 @@ set_rcvbuf: + + if (val & SOF_TIMESTAMPING_OPT_ID && + !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) { +- if (sk->sk_protocol == IPPROTO_TCP) { ++ if (sk->sk_protocol == IPPROTO_TCP && ++ sk->sk_type == SOCK_STREAM) { + if (sk->sk_state != TCP_ESTABLISHED) { + ret = -EINVAL; + break; +diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c +index 675cf94..6feddca 100644 +--- a/net/decnet/af_decnet.c ++++ b/net/decnet/af_decnet.c +@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol, + { + struct sock *sk; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (!net_eq(net, &init_net)) + return -EAFNOSUPPORT; + +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 1d0c3ad..4b16cf3 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -261,6 +261,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, + int try_loading_module = 0; + int err; + ++ if (protocol < 0 || protocol >= IPPROTO_MAX) ++ return -EINVAL; ++ + sock->state = SS_UNCONNECTED; + + /* Look for the requested type/protocol pair. */ +diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c +index e0fcbbb..bd903fe 100644 +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -24,6 +24,7 @@ struct fou { + u16 type; + struct udp_offload udp_offloads; + struct list_head list; ++ struct rcu_head rcu; + }; + + #define FOU_F_REMCSUM_NOPARTIAL BIT(0) +@@ -417,7 +418,7 @@ static void fou_release(struct fou *fou) + list_del(&fou->list); + udp_tunnel_sock_release(sock); + +- kfree(fou); ++ kfree_rcu(fou, rcu); + } + + static int fou_encap_init(struct sock *sk, struct fou *fou, struct fou_cfg *cfg) +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index a7739c8..d77be28 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1509,7 +1509,7 @@ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb) + if (likely(sk->sk_rx_dst)) + skb_dst_drop(skb); + else +- skb_dst_force(skb); ++ skb_dst_force_safe(skb); + + __skb_queue_tail(&tp->ucopy.prequeue, skb); + tp->ucopy.memory += skb->truesize; +@@ -1710,8 +1710,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) + { + struct dst_entry *dst = skb_dst(skb); + +- if (dst) { +- dst_hold(dst); ++ if (dst && dst_hold_safe(dst)) { + sk->sk_rx_dst = dst; + inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; + } +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 3dbee0d..c958596 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3147,7 +3147,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn) + { + struct tcp_sock *tp = tcp_sk(sk); + struct tcp_fastopen_request *fo = tp->fastopen_req; +- int syn_loss = 0, space, err = 0, copied; ++ int syn_loss = 0, space, err = 0; + unsigned long last_syn_loss = 0; + struct sk_buff *syn_data; + +@@ -3185,17 +3185,18 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn) + goto fallback; + syn_data->ip_summed = CHECKSUM_PARTIAL; + memcpy(syn_data->cb, syn->cb, sizeof(syn->cb)); +- copied = copy_from_iter(skb_put(syn_data, space), space, +- &fo->data->msg_iter); +- if (unlikely(!copied)) { +- kfree_skb(syn_data); +- goto fallback; +- } +- if (copied != space) { +- skb_trim(syn_data, copied); +- space = copied; ++ if (space) { ++ int copied = copy_from_iter(skb_put(syn_data, space), space, ++ &fo->data->msg_iter); ++ if (unlikely(!copied)) { ++ kfree_skb(syn_data); ++ goto fallback; ++ } ++ if (copied != space) { ++ skb_trim(syn_data, copied); ++ space = copied; ++ } + } +- + /* No more data pending in inet_wait_for_connect() */ + if (space == fo->size) + fo->data = NULL; +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 3939dd2..ddd3511 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -349,6 +349,12 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev) + setup_timer(&ndev->rs_timer, addrconf_rs_timer, + (unsigned long)ndev); + memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf)); ++ ++ if (ndev->cnf.stable_secret.initialized) ++ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY; ++ else ++ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_EUI64; ++ + ndev->cnf.mtu6 = dev->mtu; + ndev->cnf.sysctl = NULL; + ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl); +@@ -2453,7 +2459,7 @@ ok: + #ifdef CONFIG_IPV6_OPTIMISTIC_DAD + if (in6_dev->cnf.optimistic_dad && + !net->ipv6.devconf_all->forwarding && sllao) +- addr_flags = IFA_F_OPTIMISTIC; ++ addr_flags |= IFA_F_OPTIMISTIC; + #endif + + /* Do not allow to create too much of autoconfigured +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c +index 38d66dd..df095ee 100644 +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, + int try_loading_module = 0; + int err; + ++ if (protocol < 0 || protocol >= IPPROTO_MAX) ++ return -EINVAL; ++ + /* Look for the requested type/protocol pair. */ + lookup_protocol: + err = -ESOCKTNOSUPPORT; +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 3c7b931..e5ea177 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1571,13 +1571,11 @@ static int ip6gre_changelink(struct net_device *dev, struct nlattr *tb[], + return -EEXIST; + } else { + t = nt; +- +- ip6gre_tunnel_unlink(ign, t); +- ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]); +- ip6gre_tunnel_link(ign, t); +- netdev_state_change(dev); + } + ++ ip6gre_tunnel_unlink(ign, t); ++ ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]); ++ ip6gre_tunnel_link(ign, t); + return 0; + } + +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 9e9b77b..8935dc1 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -93,10 +93,9 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) + { + struct dst_entry *dst = skb_dst(skb); + +- if (dst) { ++ if (dst && dst_hold_safe(dst)) { + const struct rt6_info *rt = (const struct rt6_info *)dst; + +- dst_hold(dst); + sk->sk_rx_dst = dst; + inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; + inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt); +diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c +index fae6822..25f63a8 100644 +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol, + struct sock *sk; + struct irda_sock *self; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (net != &init_net) + return -EAFNOSUPPORT; + +diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c +index 5009582..cad8c4b 100644 +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -53,6 +53,8 @@ struct ovs_conntrack_info { + struct md_labels labels; + }; + ++static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info); ++ + static u16 key_to_nfproto(const struct sw_flow_key *key) + { + switch (ntohs(key->eth.type)) { +@@ -141,6 +143,7 @@ static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state, + * previously sent the packet to conntrack via the ct action. + */ + static void ovs_ct_update_key(const struct sk_buff *skb, ++ const struct ovs_conntrack_info *info, + struct sw_flow_key *key, bool post_ct) + { + const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt; +@@ -158,13 +161,15 @@ static void ovs_ct_update_key(const struct sk_buff *skb, + zone = nf_ct_zone(ct); + } else if (post_ct) { + state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID; ++ if (info) ++ zone = &info->zone; + } + __ovs_ct_update_key(key, state, zone, ct); + } + + void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key) + { +- ovs_ct_update_key(skb, key, false); ++ ovs_ct_update_key(skb, NULL, key, false); + } + + int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb) +@@ -418,7 +423,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, + } + } + +- ovs_ct_update_key(skb, key, true); ++ ovs_ct_update_key(skb, info, key, true); + + return 0; + } +@@ -708,7 +713,7 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr, + nf_conntrack_get(&ct_info.ct->ct_general); + return 0; + err_free_ct: +- nf_conntrack_free(ct_info.ct); ++ __ovs_ct_free_action(&ct_info); + return err; + } + +@@ -750,6 +755,11 @@ void ovs_ct_free_action(const struct nlattr *a) + { + struct ovs_conntrack_info *ct_info = nla_data(a); + ++ __ovs_ct_free_action(ct_info); ++} ++ ++static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) ++{ + if (ct_info->helper) + module_put(ct_info->helper->me); + if (ct_info->ct) +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index 7ec667d..b5c2cf2 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -950,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue, + } + lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock); + if (!netif_is_multiqueue(dev)) +- sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; ++ sch->flags |= TCQ_F_ONETXQUEUE; + } + + sch->handle = handle; +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index e917d27..40677cf 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -635,6 +635,7 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk, + struct sock *newsk; + struct ipv6_pinfo *newnp, *np = inet6_sk(sk); + struct sctp6_sock *newsctp6sk; ++ struct ipv6_txoptions *opt; + + newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot, 0); + if (!newsk) +@@ -654,6 +655,13 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk, + + memcpy(newnp, np, sizeof(struct ipv6_pinfo)); + ++ rcu_read_lock(); ++ opt = rcu_dereference(np->opt); ++ if (opt) ++ opt = ipv6_dup_options(newsk, opt); ++ RCU_INIT_POINTER(newnp->opt, opt); ++ rcu_read_unlock(); ++ + /* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname() + * and getpeername(). + */ +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c +index 7954c52..8d67d72 100644 +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -1652,7 +1652,7 @@ static sctp_cookie_param_t *sctp_pack_cookie(const struct sctp_endpoint *ep, + + /* Set an expiration time for the cookie. */ + cookie->c.expiration = ktime_add(asoc->cookie_life, +- ktime_get()); ++ ktime_get_real()); + + /* Copy the peer's init packet. */ + memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr, +@@ -1780,7 +1780,7 @@ no_hmac: + if (sock_flag(ep->base.sk, SOCK_TIMESTAMP)) + kt = skb_get_ktime(skb); + else +- kt = ktime_get(); ++ kt = ktime_get_real(); + + if (!asoc && ktime_before(bear_cookie->expiration, kt)) { + /* +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 3ec88be..84b1b50 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7163,6 +7163,7 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, + newsk->sk_type = sk->sk_type; + newsk->sk_bound_dev_if = sk->sk_bound_dev_if; + newsk->sk_flags = sk->sk_flags; ++ newsk->sk_tsflags = sk->sk_tsflags; + newsk->sk_no_check_tx = sk->sk_no_check_tx; + newsk->sk_no_check_rx = sk->sk_no_check_rx; + newsk->sk_reuse = sk->sk_reuse; +@@ -7195,6 +7196,9 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, + newinet->mc_ttl = 1; + newinet->mc_index = 0; + newinet->mc_list = NULL; ++ ++ if (newsk->sk_flags & SK_FLAGS_TIMESTAMP) ++ net_enable_timestamp(); + } + + static inline void sctp_copy_descendant(struct sock *sk_to, +diff --git a/net/socket.c b/net/socket.c +index 9963a0b..f3fbe17 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -1702,6 +1702,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, + msg.msg_name = addr ? (struct sockaddr *)&address : NULL; + /* We assume all kernel code knows the size of sockaddr_storage */ + msg.msg_namelen = 0; ++ msg.msg_iocb = NULL; + if (sock->file->f_flags & O_NONBLOCK) + flags |= MSG_DONTWAIT; + err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags); +diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c +index 86f2e7c..73bdf1b 100644 +--- a/net/tipc/udp_media.c ++++ b/net/tipc/udp_media.c +@@ -162,7 +162,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, + if (skb_headroom(skb) < UDP_MIN_HEADROOM) { + err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC); + if (err) +- goto tx_error; ++ return err; + } + + clone = skb_clone(skb, GFP_ATOMIC); +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 128b098..0fc6dba 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2255,14 +2255,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state) + /* Lock the socket to prevent queue disordering + * while sleeps in memcpy_tomsg + */ +- err = mutex_lock_interruptible(&u->readlock); +- if (unlikely(err)) { +- /* recvmsg() in non blocking mode is supposed to return -EAGAIN +- * sk_rcvtimeo is not honored by mutex_lock_interruptible() +- */ +- err = noblock ? -EAGAIN : -ERESTARTSYS; +- goto out; +- } ++ mutex_lock(&u->readlock); + + if (flags & MSG_PEEK) + skip = sk_peek_offset(sk, flags); +@@ -2306,12 +2299,12 @@ again: + timeo = unix_stream_data_wait(sk, timeo, last, + last_len); + +- if (signal_pending(current) || +- mutex_lock_interruptible(&u->readlock)) { ++ if (signal_pending(current)) { + err = sock_intr_errno(timeo); + goto out; + } + ++ mutex_lock(&u->readlock); + continue; + unlock: + unix_state_unlock(sk); +diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c +index 0b9ec78..26f0e0a 100644 +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) + + /* the key is probably readable - now try to read it */ + can_read_key: +- ret = key_validate(key); +- if (ret == 0) { +- ret = -EOPNOTSUPP; +- if (key->type->read) { +- /* read the data with the semaphore held (since we +- * might sleep) */ +- down_read(&key->sem); ++ ret = -EOPNOTSUPP; ++ if (key->type->read) { ++ /* Read the data with the semaphore held (since we might sleep) ++ * to protect against the key being updated or revoked. ++ */ ++ down_read(&key->sem); ++ ret = key_validate(key); ++ if (ret == 0) + ret = key->type->read(key, buffer, buflen); +- up_read(&key->sem); +- } ++ up_read(&key->sem); + } + + error2: +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index 43b4cdd..7877e5c 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) + ret = PTR_ERR(keyring); + goto error2; + } else if (keyring == new->session_keyring) { ++ key_put(keyring); + ret = 0; + goto error2; + } diff --git a/4.3.3/4420_grsecurity-3.1-4.3.3-201601192226.patch b/4.3.4/4420_grsecurity-3.1-4.3.4-201601231215.patch index e9f29bb..db01d7f 100644 --- a/4.3.3/4420_grsecurity-3.1-4.3.3-201601192226.patch +++ b/4.3.4/4420_grsecurity-3.1-4.3.4-201601231215.patch @@ -377,6 +377,47 @@ index 22a4b68..0ec4c2a 100644 pcbit= [HW,ISDN] pcd. [PARIDE] +diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt +index 88152f2..302b5ed 100644 +--- a/Documentation/sysctl/fs.txt ++++ b/Documentation/sysctl/fs.txt +@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/fs: + - nr_open + - overflowuid + - overflowgid ++- pipe-user-pages-hard ++- pipe-user-pages-soft + - protected_hardlinks + - protected_symlinks + - suid_dumpable +@@ -159,6 +161,27 @@ The default is 65534. + + ============================================================== + ++pipe-user-pages-hard: ++ ++Maximum total number of pages a non-privileged user may allocate for pipes. ++Once this limit is reached, no new pipes may be allocated until usage goes ++below the limit again. When set to 0, no limit is applied, which is the default ++setting. ++ ++============================================================== ++ ++pipe-user-pages-soft: ++ ++Maximum total number of pages a non-privileged user may allocate for pipes ++before the pipe size gets limited to a single page. Once this limit is reached, ++new pipes will be limited to a single page in size for this user in order to ++limit total memory usage, and trying to increase them using fcntl() will be ++denied until usage goes below the limit again. The default value allows to ++allocate up to 1024 pipes at their default size. When set to 0, no limit is ++applied. ++ ++============================================================== ++ + protected_hardlinks: + + A long-standing class of security issues is the hardlink-based diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index 6fccb69..60c7c7a 100644 --- a/Documentation/sysctl/kernel.txt @@ -411,7 +452,7 @@ index 6fccb69..60c7c7a 100644 A toggle value indicating if modules are allowed to be loaded diff --git a/Makefile b/Makefile -index 2070d16..0bc2be1 100644 +index 69430ed..8fa626c 100644 --- a/Makefile +++ b/Makefile @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -38027,7 +38068,7 @@ index 7cfbda4..74f738c 100644 set_no_mwait, "Extensa 5220", { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"), diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c -index 2f0d4db..b9e9b15 100644 +index 3fe1fbe..198eb5f 100644 --- a/drivers/acpi/sleep.c +++ b/drivers/acpi/sleep.c @@ -148,7 +148,7 @@ static int __init init_nvs_nosave(const struct dmi_system_id *d) @@ -52578,69 +52619,6 @@ index ed00446..943fe2c 100644 break; err = 0; break; -diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c -index 5e0b432..0a37f84 100644 ---- a/drivers/net/ppp/pppoe.c -+++ b/drivers/net/ppp/pppoe.c -@@ -568,6 +568,9 @@ static int pppoe_create(struct net *net, struct socket *sock, int kern) - sk->sk_family = PF_PPPOX; - sk->sk_protocol = PX_PROTO_OE; - -+ INIT_WORK(&pppox_sk(sk)->proto.pppoe.padt_work, -+ pppoe_unbind_sock_work); -+ - return 0; - } - -@@ -632,8 +635,6 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr, - - lock_sock(sk); - -- INIT_WORK(&po->proto.pppoe.padt_work, pppoe_unbind_sock_work); -- - error = -EINVAL; - if (sp->sa_protocol != PX_PROTO_OE) - goto end; -@@ -663,8 +664,13 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr, - po->pppoe_dev = NULL; - } - -- memset(sk_pppox(po) + 1, 0, -- sizeof(struct pppox_sock) - sizeof(struct sock)); -+ po->pppoe_ifindex = 0; -+ memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa)); -+ memset(&po->pppoe_relay, 0, sizeof(po->pppoe_relay)); -+ memset(&po->chan, 0, sizeof(po->chan)); -+ po->next = NULL; -+ po->num = 0; -+ - sk->sk_state = PPPOX_NONE; - } - -diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c -index 686f37d..b910cae 100644 ---- a/drivers/net/ppp/pptp.c -+++ b/drivers/net/ppp/pptp.c -@@ -418,6 +418,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr, - struct pptp_opt *opt = &po->proto.pptp; - int error = 0; - -+ if (sockaddr_len < sizeof(struct sockaddr_pppox)) -+ return -EINVAL; -+ - lock_sock(sk); - - opt->src_addr = sp->sa_addr.pptp; -@@ -439,6 +442,9 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr, - struct flowi4 fl4; - int error = 0; - -+ if (sockaddr_len < sizeof(struct sockaddr_pppox)) -+ return -EINVAL; -+ - if (sp->sa_protocol != PX_PROTO_PPTP) - return -EINVAL; - diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c index 079f7ad..7e59810 100644 --- a/drivers/net/slip/slhc.c @@ -52824,7 +52802,7 @@ index 111d907..1ee643e 100644 hso_start_serial_device(serial_table[i], GFP_NOIO); hso_kick_transmit(dev2ser(serial_table[i])); diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c -index d9427ca..37520a8 100644 +index 2e32c41..4899cb7 100644 --- a/drivers/net/usb/r8152.c +++ b/drivers/net/usb/r8152.c @@ -615,7 +615,7 @@ struct r8152 { @@ -52872,10 +52850,10 @@ index d8838ded..6c93f77 100644 #define VIRTNET_DRIVER_VERSION "1.0.0" diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c -index c9e309c..745a638 100644 +index 374feba..01ba30e 100644 --- a/drivers/net/vrf.c +++ b/drivers/net/vrf.c -@@ -618,7 +618,7 @@ static const struct nla_policy vrf_nl_policy[IFLA_VRF_MAX + 1] = { +@@ -628,7 +628,7 @@ static const struct nla_policy vrf_nl_policy[IFLA_VRF_MAX + 1] = { [IFLA_VRF_TABLE] = { .type = NLA_U32 }, }; @@ -59122,7 +59100,7 @@ index 4d64e5c4..e21932a 100644 wake_up(&usb_kill_urb_queue); usb_put_urb(urb); diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 431839b..8d241f6 100644 +index 522f766..6ddc50b 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -26,6 +26,7 @@ @@ -59133,7 +59111,7 @@ index 431839b..8d241f6 100644 #include <asm/uaccess.h> #include <asm/byteorder.h> -@@ -4659,6 +4660,10 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, +@@ -4665,6 +4666,10 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, goto done; return; } @@ -83772,19 +83750,25 @@ index e38ee0f..6fc10e4 100644 struct ovl_entry *oe; struct ovl_fs *ufs; diff --git a/fs/pipe.c b/fs/pipe.c -index 8865f79..bd2c79b 100644 +index 8865f79..15e6391 100644 --- a/fs/pipe.c +++ b/fs/pipe.c -@@ -36,7 +36,7 @@ unsigned int pipe_max_size = 1048576; +@@ -36,7 +36,13 @@ unsigned int pipe_max_size = 1048576; /* * Minimum pipe size, as required by POSIX */ -unsigned int pipe_min_size = PAGE_SIZE; +unsigned int pipe_min_size __read_only = PAGE_SIZE; ++ ++/* Maximum allocatable pages per user. Hard limit is unset by default, soft ++ * matches default values. ++ */ ++unsigned long pipe_user_pages_hard; ++unsigned long pipe_user_pages_soft = PIPE_DEF_BUFFERS * INR_OPEN_CUR; /* * We use a start+len construction, which provides full use of the -@@ -55,7 +55,7 @@ unsigned int pipe_min_size = PAGE_SIZE; +@@ -55,7 +61,7 @@ unsigned int pipe_min_size = PAGE_SIZE; static void pipe_lock_nested(struct pipe_inode_info *pipe, int subclass) { @@ -83793,7 +83777,7 @@ index 8865f79..bd2c79b 100644 mutex_lock_nested(&pipe->mutex, subclass); } -@@ -70,7 +70,7 @@ EXPORT_SYMBOL(pipe_lock); +@@ -70,7 +76,7 @@ EXPORT_SYMBOL(pipe_lock); void pipe_unlock(struct pipe_inode_info *pipe) { @@ -83802,7 +83786,7 @@ index 8865f79..bd2c79b 100644 mutex_unlock(&pipe->mutex); } EXPORT_SYMBOL(pipe_unlock); -@@ -291,9 +291,9 @@ pipe_read(struct kiocb *iocb, struct iov_iter *to) +@@ -291,9 +297,9 @@ pipe_read(struct kiocb *iocb, struct iov_iter *to) } if (bufs) /* More to do? */ continue; @@ -83814,7 +83798,7 @@ index 8865f79..bd2c79b 100644 /* syscall merging: Usually we must not sleep * if O_NONBLOCK is set, or if we got some data. * But if a writer sleeps in kernel space, then -@@ -350,7 +350,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from) +@@ -350,7 +356,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from) __pipe_lock(pipe); @@ -83823,7 +83807,7 @@ index 8865f79..bd2c79b 100644 send_sig(SIGPIPE, current, 0); ret = -EPIPE; goto out; -@@ -386,7 +386,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from) +@@ -386,7 +392,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from) for (;;) { int bufs; @@ -83832,7 +83816,7 @@ index 8865f79..bd2c79b 100644 send_sig(SIGPIPE, current, 0); if (!ret) ret = -EPIPE; -@@ -454,9 +454,9 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from) +@@ -454,9 +460,9 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from) kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN); do_wakeup = 0; } @@ -83844,7 +83828,7 @@ index 8865f79..bd2c79b 100644 } out: __pipe_unlock(pipe); -@@ -511,7 +511,7 @@ pipe_poll(struct file *filp, poll_table *wait) +@@ -511,7 +517,7 @@ pipe_poll(struct file *filp, poll_table *wait) mask = 0; if (filp->f_mode & FMODE_READ) { mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0; @@ -83853,7 +83837,7 @@ index 8865f79..bd2c79b 100644 mask |= POLLHUP; } -@@ -521,7 +521,7 @@ pipe_poll(struct file *filp, poll_table *wait) +@@ -521,7 +527,7 @@ pipe_poll(struct file *filp, poll_table *wait) * Most Unices do not set POLLERR for FIFOs but on Linux they * behave exactly like pipes for poll(). */ @@ -83862,7 +83846,7 @@ index 8865f79..bd2c79b 100644 mask |= POLLERR; } -@@ -533,7 +533,7 @@ static void put_pipe_info(struct inode *inode, struct pipe_inode_info *pipe) +@@ -533,7 +539,7 @@ static void put_pipe_info(struct inode *inode, struct pipe_inode_info *pipe) int kill = 0; spin_lock(&inode->i_lock); @@ -83871,7 +83855,7 @@ index 8865f79..bd2c79b 100644 inode->i_pipe = NULL; kill = 1; } -@@ -550,11 +550,11 @@ pipe_release(struct inode *inode, struct file *file) +@@ -550,11 +556,11 @@ pipe_release(struct inode *inode, struct file *file) __pipe_lock(pipe); if (file->f_mode & FMODE_READ) @@ -83886,7 +83870,68 @@ index 8865f79..bd2c79b 100644 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP); kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN); kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT); -@@ -619,7 +619,7 @@ void free_pipe_info(struct pipe_inode_info *pipe) +@@ -584,20 +590,49 @@ pipe_fasync(int fd, struct file *filp, int on) + return retval; + } + ++static void account_pipe_buffers(struct pipe_inode_info *pipe, ++ unsigned long old, unsigned long new) ++{ ++ atomic_long_add(new - old, &pipe->user->pipe_bufs); ++} ++ ++static bool too_many_pipe_buffers_soft(struct user_struct *user) ++{ ++ return pipe_user_pages_soft && ++ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_soft; ++} ++ ++static bool too_many_pipe_buffers_hard(struct user_struct *user) ++{ ++ return pipe_user_pages_hard && ++ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_hard; ++} ++ + struct pipe_inode_info *alloc_pipe_info(void) + { + struct pipe_inode_info *pipe; + + pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL); + if (pipe) { +- pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * PIPE_DEF_BUFFERS, GFP_KERNEL); ++ unsigned long pipe_bufs = PIPE_DEF_BUFFERS; ++ struct user_struct *user = get_current_user(); ++ ++ if (!too_many_pipe_buffers_hard(user)) { ++ if (too_many_pipe_buffers_soft(user)) ++ pipe_bufs = 1; ++ pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * pipe_bufs, GFP_KERNEL); ++ } ++ + if (pipe->bufs) { + init_waitqueue_head(&pipe->wait); + pipe->r_counter = pipe->w_counter = 1; +- pipe->buffers = PIPE_DEF_BUFFERS; ++ pipe->buffers = pipe_bufs; ++ pipe->user = user; ++ account_pipe_buffers(pipe, 0, pipe_bufs); + mutex_init(&pipe->mutex); + return pipe; + } ++ free_uid(user); + kfree(pipe); + } + +@@ -608,6 +643,8 @@ void free_pipe_info(struct pipe_inode_info *pipe) + { + int i; + ++ account_pipe_buffers(pipe, pipe->buffers, 0); ++ free_uid(pipe->user); + for (i = 0; i < pipe->buffers; i++) { + struct pipe_buffer *buf = pipe->bufs + i; + if (buf->ops) +@@ -619,7 +656,7 @@ void free_pipe_info(struct pipe_inode_info *pipe) kfree(pipe); } @@ -83895,7 +83940,7 @@ index 8865f79..bd2c79b 100644 /* * pipefs_dname() is called from d_path(). -@@ -649,8 +649,9 @@ static struct inode * get_pipe_inode(void) +@@ -649,8 +686,9 @@ static struct inode * get_pipe_inode(void) goto fail_iput; inode->i_pipe = pipe; @@ -83907,7 +83952,7 @@ index 8865f79..bd2c79b 100644 inode->i_fop = &pipefifo_fops; /* -@@ -829,17 +830,17 @@ static int fifo_open(struct inode *inode, struct file *filp) +@@ -829,17 +867,17 @@ static int fifo_open(struct inode *inode, struct file *filp) spin_lock(&inode->i_lock); if (inode->i_pipe) { pipe = inode->i_pipe; @@ -83928,7 +83973,7 @@ index 8865f79..bd2c79b 100644 spin_unlock(&inode->i_lock); free_pipe_info(pipe); pipe = inode->i_pipe; -@@ -864,10 +865,10 @@ static int fifo_open(struct inode *inode, struct file *filp) +@@ -864,10 +902,10 @@ static int fifo_open(struct inode *inode, struct file *filp) * opened, even when there is no process writing the FIFO. */ pipe->r_counter++; @@ -83941,7 +83986,7 @@ index 8865f79..bd2c79b 100644 if ((filp->f_flags & O_NONBLOCK)) { /* suppress POLLHUP until we have * seen a writer */ -@@ -886,14 +887,14 @@ static int fifo_open(struct inode *inode, struct file *filp) +@@ -886,14 +924,14 @@ static int fifo_open(struct inode *inode, struct file *filp) * errno=ENXIO when there is no process reading the FIFO. */ ret = -ENXIO; @@ -83959,7 +84004,7 @@ index 8865f79..bd2c79b 100644 if (wait_for_partner(pipe, &pipe->r_counter)) goto err_wr; } -@@ -907,11 +908,11 @@ static int fifo_open(struct inode *inode, struct file *filp) +@@ -907,11 +945,11 @@ static int fifo_open(struct inode *inode, struct file *filp) * the process can at least talk to itself. */ @@ -83974,7 +84019,7 @@ index 8865f79..bd2c79b 100644 wake_up_partner(pipe); break; -@@ -925,13 +926,13 @@ static int fifo_open(struct inode *inode, struct file *filp) +@@ -925,13 +963,13 @@ static int fifo_open(struct inode *inode, struct file *filp) return 0; err_rd: @@ -83990,7 +84035,15 @@ index 8865f79..bd2c79b 100644 wake_up_interruptible(&pipe->wait); ret = -ERESTARTSYS; goto err; -@@ -1007,7 +1008,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages) +@@ -996,6 +1034,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages) + memcpy(bufs + head, pipe->bufs, tail * sizeof(struct pipe_buffer)); + } + ++ account_pipe_buffers(pipe, pipe->buffers, nr_pages); + pipe->curbuf = 0; + kfree(pipe->bufs); + pipe->bufs = bufs; +@@ -1007,7 +1046,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages) * Currently we rely on the pipe array holding a power-of-2 number * of pages. */ @@ -83999,7 +84052,7 @@ index 8865f79..bd2c79b 100644 { unsigned long nr_pages; -@@ -1055,13 +1056,16 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg) +@@ -1055,18 +1094,26 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg) switch (cmd) { case F_SETPIPE_SZ: { @@ -84019,6 +84072,16 @@ index 8865f79..bd2c79b 100644 goto out; if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) { + ret = -EPERM; + goto out; ++ } else if ((too_many_pipe_buffers_hard(pipe->user) || ++ too_many_pipe_buffers_soft(pipe->user)) && ++ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) { ++ ret = -EPERM; ++ goto out; + } + ret = pipe_set_size(pipe, nr_pages); + break; diff --git a/fs/posix_acl.c b/fs/posix_acl.c index 4fb17de..13d8c0f 100644 --- a/fs/posix_acl.c @@ -103305,10 +103368,16 @@ index 918b117..7af374b7 100644 extern struct pid_namespace init_pid_ns; diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h -index eb8b8ac..62649e1 100644 +index eb8b8ac..deb6089 100644 --- a/include/linux/pipe_fs_i.h +++ b/include/linux/pipe_fs_i.h -@@ -47,10 +47,10 @@ struct pipe_inode_info { +@@ -42,21 +42,23 @@ struct pipe_buffer { + * @fasync_readers: reader side fasync + * @fasync_writers: writer side fasync + * @bufs: the circular array of pipe buffers ++ * @user: the user who created this pipe + **/ + struct pipe_inode_info { struct mutex mutex; wait_queue_head_t wait; unsigned int nrbufs, curbuf, buffers; @@ -103323,6 +103392,22 @@ index eb8b8ac..62649e1 100644 unsigned int r_counter; unsigned int w_counter; struct page *tmp_page; + struct fasync_struct *fasync_readers; + struct fasync_struct *fasync_writers; + struct pipe_buffer *bufs; ++ struct user_struct *user; + }; + + /* +@@ -123,6 +125,8 @@ void pipe_unlock(struct pipe_inode_info *); + void pipe_double_lock(struct pipe_inode_info *, struct pipe_inode_info *); + + extern unsigned int pipe_max_size, pipe_min_size; ++extern unsigned long pipe_user_pages_hard; ++extern unsigned long pipe_user_pages_soft; + int pipe_proc_fn(struct ctl_table *, int, void __user *, size_t *, loff_t *); + + diff --git a/include/linux/pm.h b/include/linux/pm.h index 35d599e..c604209 100644 --- a/include/linux/pm.h @@ -103957,7 +104042,7 @@ index 556ec1e..38c19c9 100644 /* diff --git a/include/linux/sched.h b/include/linux/sched.h -index b7b9501..ab1a134 100644 +index b7b9501..f1e65cf 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -7,7 +7,7 @@ @@ -104024,11 +104109,12 @@ index b7b9501..ab1a134 100644 /* * Bits in flags field of signal_struct. -@@ -830,12 +855,21 @@ struct user_struct { +@@ -830,12 +855,22 @@ struct user_struct { unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */ #endif unsigned long locked_shm; /* How many pages of mlocked shm ? */ + unsigned long unix_inflight; /* How many files in flight in unix sockets */ ++ atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */ #ifdef CONFIG_KEYS struct key *uid_keyring; /* UID specific keyring */ @@ -104046,7 +104132,7 @@ index b7b9501..ab1a134 100644 /* Hash table maintenance information */ struct hlist_node uidhash_node; kuid_t uid; -@@ -843,7 +877,7 @@ struct user_struct { +@@ -843,7 +878,7 @@ struct user_struct { #ifdef CONFIG_PERF_EVENTS atomic_long_t locked_vm; #endif @@ -104055,7 +104141,7 @@ index b7b9501..ab1a134 100644 extern int uids_sysfs_init(void); -@@ -1378,6 +1412,9 @@ struct tlbflush_unmap_batch { +@@ -1378,6 +1413,9 @@ struct tlbflush_unmap_batch { struct task_struct { volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */ void *stack; @@ -104065,7 +104151,7 @@ index b7b9501..ab1a134 100644 atomic_t usage; unsigned int flags; /* per process flags, defined below */ unsigned int ptrace; -@@ -1510,8 +1547,8 @@ struct task_struct { +@@ -1510,8 +1548,8 @@ struct task_struct { struct list_head thread_node; struct completion *vfork_done; /* for vfork() */ @@ -104076,7 +104162,7 @@ index b7b9501..ab1a134 100644 cputime_t utime, stime, utimescaled, stimescaled; cputime_t gtime; -@@ -1534,11 +1571,6 @@ struct task_struct { +@@ -1534,11 +1572,6 @@ struct task_struct { struct task_cputime cputime_expires; struct list_head cpu_timers[3]; @@ -104088,7 +104174,7 @@ index b7b9501..ab1a134 100644 char comm[TASK_COMM_LEN]; /* executable name excluding path - access with [gs]et_task_comm (which lock it with task_lock()) -@@ -1554,6 +1586,8 @@ struct task_struct { +@@ -1554,6 +1587,8 @@ struct task_struct { /* hung task detection */ unsigned long last_switch_count; #endif @@ -104097,7 +104183,7 @@ index b7b9501..ab1a134 100644 /* filesystem information */ struct fs_struct *fs; /* open file information */ -@@ -1630,6 +1664,10 @@ struct task_struct { +@@ -1630,6 +1665,10 @@ struct task_struct { gfp_t lockdep_reclaim_gfp; #endif @@ -104108,7 +104194,7 @@ index b7b9501..ab1a134 100644 /* journalling filesystem info */ void *journal_info; -@@ -1668,6 +1706,10 @@ struct task_struct { +@@ -1668,6 +1707,10 @@ struct task_struct { /* cg_list protected by css_set_lock and tsk->alloc_lock */ struct list_head cg_list; #endif @@ -104119,7 +104205,7 @@ index b7b9501..ab1a134 100644 #ifdef CONFIG_FUTEX struct robust_list_head __user *robust_list; #ifdef CONFIG_COMPAT -@@ -1783,7 +1825,7 @@ struct task_struct { +@@ -1783,7 +1826,7 @@ struct task_struct { * Number of functions that haven't been traced * because of depth overrun. */ @@ -104128,7 +104214,7 @@ index b7b9501..ab1a134 100644 /* Pause for the tracing */ atomic_t tracing_graph_pause; #endif -@@ -1812,22 +1854,89 @@ struct task_struct { +@@ -1812,22 +1855,89 @@ struct task_struct { unsigned long task_state_change; #endif int pagefault_disabled; @@ -104228,7 +104314,7 @@ index b7b9501..ab1a134 100644 /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) -@@ -1909,7 +2018,7 @@ struct pid_namespace; +@@ -1909,7 +2019,7 @@ struct pid_namespace; pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type, struct pid_namespace *ns); @@ -104237,7 +104323,7 @@ index b7b9501..ab1a134 100644 { return tsk->pid; } -@@ -2270,6 +2379,25 @@ extern u64 sched_clock_cpu(int cpu); +@@ -2270,6 +2380,25 @@ extern u64 sched_clock_cpu(int cpu); extern void sched_clock_init(void); @@ -104263,7 +104349,7 @@ index b7b9501..ab1a134 100644 #ifndef CONFIG_HAVE_UNSTABLE_SCHED_CLOCK static inline void sched_clock_tick(void) { -@@ -2398,7 +2526,9 @@ extern void set_curr_task(int cpu, struct task_struct *p); +@@ -2398,7 +2527,9 @@ extern void set_curr_task(int cpu, struct task_struct *p); void yield(void); union thread_union { @@ -104273,7 +104359,7 @@ index b7b9501..ab1a134 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -2431,6 +2561,7 @@ extern struct pid_namespace init_pid_ns; +@@ -2431,6 +2562,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); @@ -104281,7 +104367,7 @@ index b7b9501..ab1a134 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2462,7 +2593,7 @@ extern void proc_caches_init(void); +@@ -2462,7 +2594,7 @@ extern void proc_caches_init(void); extern void flush_signals(struct task_struct *); extern void ignore_signals(struct task_struct *); extern void flush_signal_handlers(struct task_struct *, int force_default); @@ -104290,7 +104376,7 @@ index b7b9501..ab1a134 100644 static inline int dequeue_signal_lock(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) { -@@ -2608,7 +2739,7 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2608,7 +2740,7 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -104299,7 +104385,7 @@ index b7b9501..ab1a134 100644 extern int do_execve(struct filename *, const char __user * const __user *, -@@ -2723,11 +2854,13 @@ static inline int thread_group_empty(struct task_struct *p) +@@ -2723,11 +2855,13 @@ static inline int thread_group_empty(struct task_struct *p) * It must not be nested with write_lock_irq(&tasklist_lock), * neither inside nor outside. */ @@ -104313,7 +104399,7 @@ index b7b9501..ab1a134 100644 static inline void task_unlock(struct task_struct *p) { spin_unlock(&p->alloc_lock); -@@ -2813,9 +2946,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2813,9 +2947,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #define task_stack_end_corrupted(task) \ (*(end_of_stack(task)) != STACK_END_MAGIC) @@ -105919,50 +106005,6 @@ index f2ae33d..c457cf0 100644 struct list_head list; /* Protects from simultaneous access to first_req list */ spinlock_t info_list_lock; -diff --git a/include/net/dst.h b/include/net/dst.h -index 9261d92..e7fa2e2 100644 ---- a/include/net/dst.h -+++ b/include/net/dst.h -@@ -322,6 +322,39 @@ static inline void skb_dst_force(struct sk_buff *skb) - } - } - -+/** -+ * dst_hold_safe - Take a reference on a dst if possible -+ * @dst: pointer to dst entry -+ * -+ * This helper returns false if it could not safely -+ * take a reference on a dst. -+ */ -+static inline bool dst_hold_safe(struct dst_entry *dst) -+{ -+ if (dst->flags & DST_NOCACHE) -+ return atomic_inc_not_zero(&dst->__refcnt); -+ dst_hold(dst); -+ return true; -+} -+ -+/** -+ * skb_dst_force_safe - makes sure skb dst is refcounted -+ * @skb: buffer -+ * -+ * If dst is not yet refcounted and not destroyed, grab a ref on it. -+ */ -+static inline void skb_dst_force_safe(struct sk_buff *skb) -+{ -+ if (skb_dst_is_noref(skb)) { -+ struct dst_entry *dst = skb_dst(skb); -+ -+ if (!dst_hold_safe(dst)) -+ dst = NULL; -+ -+ skb->_skb_refdst = (unsigned long)dst; -+ } -+} -+ - - /** - * __skb_tunnel_rx - prepare skb for rx reinsert diff --git a/include/net/flow.h b/include/net/flow.h index 9b85db8..e76e5c7 100644 --- a/include/net/flow.h @@ -106029,7 +106071,7 @@ index 47eb67b..0e733b2 100644 unsigned char rr; unsigned char ts; diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h -index 4a6009d..f7d9c53 100644 +index 235c781..160d4a3 100644 --- a/include/net/inetpeer.h +++ b/include/net/inetpeer.h @@ -52,7 +52,7 @@ struct inet_peer { @@ -106327,6 +106369,26 @@ index 2dcea63..31d53ba 100644 } #endif /* __NET_NET_NAMESPACE_H */ +diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h +index c03f9c4..068b836 100644 +--- a/include/net/netfilter/nf_conntrack_core.h ++++ b/include/net/netfilter/nf_conntrack_core.h +@@ -78,12 +78,10 @@ print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, + const struct nf_conntrack_l3proto *l3proto, + const struct nf_conntrack_l4proto *proto); + +-#ifdef CONFIG_LOCKDEP +-# define CONNTRACK_LOCKS 8 +-#else +-# define CONNTRACK_LOCKS 1024 +-#endif ++#define CONNTRACK_LOCKS 1024 ++ + extern spinlock_t nf_conntrack_locks[CONNTRACK_LOCKS]; ++void nf_conntrack_lock(spinlock_t *lock); + + extern spinlock_t nf_conntrack_expect_lock; + diff --git a/include/net/netlink.h b/include/net/netlink.h index 2a5dbcc..8243656 100644 --- a/include/net/netlink.h @@ -106514,7 +106576,7 @@ index 495c87e..5b327ff 100644 /* Structure to track chunk fragments that have been acked, but peer diff --git a/include/net/sock.h b/include/net/sock.h -index e237170..6cfe0bf 100644 +index bca709a..75776c9 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -198,7 +198,7 @@ struct sock_common { @@ -106535,16 +106597,7 @@ index e237170..6cfe0bf 100644 int sk_rcvbuf; struct sk_filter __rcu *sk_filter; -@@ -798,7 +798,7 @@ void sk_stream_write_space(struct sock *sk); - static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb) - { - /* dont let skb dst not refcounted, we are going to leave rcu lock */ -- skb_dst_force(skb); -+ skb_dst_force_safe(skb); - - if (!sk->sk_backlog.tail) - sk->sk_backlog.head = skb; -@@ -1048,7 +1048,7 @@ struct proto { +@@ -1051,7 +1051,7 @@ struct proto { void (*destroy_cgroup)(struct mem_cgroup *memcg); struct cg_proto *(*proto_cgroup)(struct mem_cgroup *memcg); #endif @@ -106553,7 +106606,7 @@ index e237170..6cfe0bf 100644 int proto_register(struct proto *prot, int alloc_slab); void proto_unregister(struct proto *prot); -@@ -1188,7 +1188,7 @@ static inline void memcg_memory_allocated_sub(struct cg_proto *prot, +@@ -1191,7 +1191,7 @@ static inline void memcg_memory_allocated_sub(struct cg_proto *prot, page_counter_uncharge(&prot->memory_allocated, amt); } @@ -106562,7 +106615,7 @@ index e237170..6cfe0bf 100644 sk_memory_allocated(const struct sock *sk) { struct proto *prot = sk->sk_prot; -@@ -1769,7 +1769,7 @@ static inline void sk_nocaps_add(struct sock *sk, netdev_features_t flags) +@@ -1772,7 +1772,7 @@ static inline void sk_nocaps_add(struct sock *sk, netdev_features_t flags) } static inline int skb_do_copy_data_nocache(struct sock *sk, struct sk_buff *skb, @@ -106571,7 +106624,7 @@ index e237170..6cfe0bf 100644 int copy, int offset) { if (skb->ip_summed == CHECKSUM_NONE) { -@@ -2016,7 +2016,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock *sk) +@@ -2019,7 +2019,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock *sk) } } @@ -106580,7 +106633,7 @@ index e237170..6cfe0bf 100644 bool force_schedule); /** -@@ -2092,7 +2092,7 @@ struct sock_skb_cb { +@@ -2095,7 +2095,7 @@ struct sock_skb_cb { static inline void sock_skb_set_dropcount(const struct sock *sk, struct sk_buff *skb) { @@ -113142,7 +113195,7 @@ index fa2f2f6..3682023 100644 if (!retval) { if (old_rlim) diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index e69201d..61cda5e 100644 +index e69201d..57f7b12 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -94,7 +94,6 @@ @@ -113360,7 +113413,28 @@ index e69201d..61cda5e 100644 #else { .procname = "nr_trim_pages", -@@ -1852,6 +1912,16 @@ int proc_dostring(struct ctl_table *table, int write, +@@ -1702,6 +1762,20 @@ static struct ctl_table fs_table[] = { + .proc_handler = &pipe_proc_fn, + .extra1 = &pipe_min_size, + }, ++ { ++ .procname = "pipe-user-pages-hard", ++ .data = &pipe_user_pages_hard, ++ .maxlen = sizeof(pipe_user_pages_hard), ++ .mode = 0644, ++ .proc_handler = proc_doulongvec_minmax, ++ }, ++ { ++ .procname = "pipe-user-pages-soft", ++ .data = &pipe_user_pages_soft, ++ .maxlen = sizeof(pipe_user_pages_soft), ++ .mode = 0644, ++ .proc_handler = proc_doulongvec_minmax, ++ }, + { } + }; + +@@ -1852,6 +1926,16 @@ int proc_dostring(struct ctl_table *table, int write, (char __user *)buffer, lenp, ppos); } @@ -113377,7 +113451,7 @@ index e69201d..61cda5e 100644 static size_t proc_skip_spaces(char **buf) { size_t ret; -@@ -1957,6 +2027,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, +@@ -1957,6 +2041,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, len = strlen(tmp); if (len > *size) len = *size; @@ -113386,7 +113460,7 @@ index e69201d..61cda5e 100644 if (copy_to_user(*buf, tmp, len)) return -EFAULT; *size -= len; -@@ -2135,6 +2207,44 @@ int proc_dointvec(struct ctl_table *table, int write, +@@ -2135,6 +2221,44 @@ int proc_dointvec(struct ctl_table *table, int write, NULL,NULL); } @@ -113431,7 +113505,7 @@ index e69201d..61cda5e 100644 /* * Taint values can only be increased * This means we can safely use a temporary. -@@ -2142,7 +2252,7 @@ int proc_dointvec(struct ctl_table *table, int write, +@@ -2142,7 +2266,7 @@ int proc_dointvec(struct ctl_table *table, int write, static int proc_taint(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -113440,7 +113514,7 @@ index e69201d..61cda5e 100644 unsigned long tmptaint = get_taint(); int err; -@@ -2170,16 +2280,14 @@ static int proc_taint(struct ctl_table *table, int write, +@@ -2170,16 +2294,14 @@ static int proc_taint(struct ctl_table *table, int write, return err; } @@ -113459,7 +113533,7 @@ index e69201d..61cda5e 100644 struct do_proc_dointvec_minmax_conv_param { int *min; -@@ -2210,6 +2318,32 @@ static int do_proc_dointvec_minmax_conv(bool *negp, unsigned long *lvalp, +@@ -2210,6 +2332,32 @@ static int do_proc_dointvec_minmax_conv(bool *negp, unsigned long *lvalp, return 0; } @@ -113492,7 +113566,7 @@ index e69201d..61cda5e 100644 /** * proc_dointvec_minmax - read a vector of integers with min/max values * @table: the sysctl table -@@ -2237,6 +2371,17 @@ int proc_dointvec_minmax(struct ctl_table *table, int write, +@@ -2237,6 +2385,17 @@ int proc_dointvec_minmax(struct ctl_table *table, int write, do_proc_dointvec_minmax_conv, ¶m); } @@ -113510,7 +113584,7 @@ index e69201d..61cda5e 100644 static void validate_coredump_safety(void) { #ifdef CONFIG_COREDUMP -@@ -2739,6 +2884,12 @@ int proc_dostring(struct ctl_table *table, int write, +@@ -2739,6 +2898,12 @@ int proc_dostring(struct ctl_table *table, int write, return -ENOSYS; } @@ -113523,7 +113597,7 @@ index e69201d..61cda5e 100644 int proc_dointvec(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { -@@ -2795,5 +2946,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax); +@@ -2795,5 +2960,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax); EXPORT_SYMBOL(proc_dointvec_userhz_jiffies); EXPORT_SYMBOL(proc_dointvec_ms_jiffies); EXPORT_SYMBOL(proc_dostring); @@ -114989,7 +115063,7 @@ index bd2bea9..6b3c95e 100644 return false; diff --git a/lib/kobject.c b/lib/kobject.c -index 3e3a5c3..4a12109 100644 +index 3e3a5c3..4a121091 100644 --- a/lib/kobject.c +++ b/lib/kobject.c @@ -935,9 +935,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add); @@ -115425,10 +115499,10 @@ index 1356454..70ce6c6 100644 void rb_insert_color(struct rb_node *node, struct rb_root *root) diff --git a/lib/rhashtable.c b/lib/rhashtable.c -index a54ff89..b4d4da9 100644 +index aa388a7..3172ae42 100644 --- a/lib/rhashtable.c +++ b/lib/rhashtable.c -@@ -542,8 +542,8 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_exit); +@@ -543,8 +543,8 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_exit); * will rewind back to the beginning and you may use it immediately * by calling rhashtable_walk_next. */ @@ -115438,7 +115512,7 @@ index a54ff89..b4d4da9 100644 { struct rhashtable *ht = iter->ht; -@@ -629,8 +629,8 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_next); +@@ -628,8 +628,8 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_next); * * Finish a hash table walk. */ @@ -121524,20 +121598,6 @@ index 8e385a0..a5bdd8e 100644 tty_port_close(&dev->port, tty, filp); } -diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c -index f315c8d..15cb6c55 100644 ---- a/net/bluetooth/sco.c -+++ b/net/bluetooth/sco.c -@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le - if (!addr || addr->sa_family != AF_BLUETOOTH) - return -EINVAL; - -+ if (addr_len < sizeof(struct sockaddr_sco)) -+ return -EINVAL; -+ - lock_sock(sk); - - if (sk->sk_state != BT_OPEN) { diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c index ea748c9..79056c3 100644 --- a/net/bridge/br_netlink.c @@ -122324,7 +122384,7 @@ index 8a1741b..20d20e7 100644 if (!err) err = put_user(SCM_RIGHTS, &cm->cmsg_type); diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index fab4599..daf360d 100644 +index 1c1f87c..aa15378 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -969,7 +969,8 @@ static void skb_headers_offset_update(struct sk_buff *skb, int off) @@ -122363,21 +122423,11 @@ index fab4599..daf360d 100644 NULL); } -@@ -3643,7 +3646,8 @@ static void __skb_complete_tx_timestamp(struct sk_buff *skb, - serr->ee.ee_info = tstype; - if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) { - serr->ee.ee_data = skb_shinfo(skb)->tskey; -- if (sk->sk_protocol == IPPROTO_TCP) -+ if (sk->sk_protocol == IPPROTO_TCP && -+ sk->sk_type == SOCK_STREAM) - serr->ee.ee_data -= sk->sk_tskey; - } - diff --git a/net/core/sock.c b/net/core/sock.c -index 3307c02..3a9bfdc 100644 +index dbbda99..41406c3 100644 --- a/net/core/sock.c +++ b/net/core/sock.c -@@ -441,7 +441,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) +@@ -439,7 +439,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) struct sk_buff_head *list = &sk->sk_receive_queue; if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) { @@ -122386,7 +122436,7 @@ index 3307c02..3a9bfdc 100644 trace_sock_rcvqueue_full(sk, skb); return -ENOMEM; } -@@ -451,7 +451,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) +@@ -449,7 +449,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) return err; if (!sk_rmem_schedule(sk, skb, skb->truesize)) { @@ -122395,7 +122445,7 @@ index 3307c02..3a9bfdc 100644 return -ENOBUFS; } -@@ -484,7 +484,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested) +@@ -482,7 +482,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested) skb->dev = NULL; if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) { @@ -122404,7 +122454,7 @@ index 3307c02..3a9bfdc 100644 goto discard_and_relse; } if (nested) -@@ -502,7 +502,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested) +@@ -500,7 +500,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested) mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_); } else if (sk_add_backlog(sk, skb, sk->sk_rcvbuf)) { bh_unlock_sock(sk); @@ -122413,17 +122463,7 @@ index 3307c02..3a9bfdc 100644 goto discard_and_relse; } -@@ -862,7 +862,8 @@ set_rcvbuf: - - if (val & SOF_TIMESTAMPING_OPT_ID && - !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) { -- if (sk->sk_protocol == IPPROTO_TCP) { -+ if (sk->sk_protocol == IPPROTO_TCP && -+ sk->sk_type == SOCK_STREAM) { - if (sk->sk_state != TCP_ESTABLISHED) { - ret = -EINVAL; - break; -@@ -908,6 +909,7 @@ set_rcvbuf: +@@ -907,6 +907,7 @@ set_rcvbuf: } break; @@ -122431,7 +122471,7 @@ index 3307c02..3a9bfdc 100644 case SO_ATTACH_BPF: ret = -EINVAL; if (optlen == sizeof(u32)) { -@@ -920,7 +922,7 @@ set_rcvbuf: +@@ -919,7 +920,7 @@ set_rcvbuf: ret = sk_attach_bpf(ufd, sk); } break; @@ -122440,7 +122480,7 @@ index 3307c02..3a9bfdc 100644 case SO_DETACH_FILTER: ret = sk_detach_filter(sk); break; -@@ -1022,12 +1024,12 @@ int sock_getsockopt(struct socket *sock, int level, int optname, +@@ -1021,12 +1022,12 @@ int sock_getsockopt(struct socket *sock, int level, int optname, struct timeval tm; } v; @@ -122456,7 +122496,7 @@ index 3307c02..3a9bfdc 100644 return -EINVAL; memset(&v, 0, sizeof(v)); -@@ -1165,11 +1167,11 @@ int sock_getsockopt(struct socket *sock, int level, int optname, +@@ -1164,11 +1165,11 @@ int sock_getsockopt(struct socket *sock, int level, int optname, case SO_PEERNAME: { @@ -122470,7 +122510,7 @@ index 3307c02..3a9bfdc 100644 return -EINVAL; if (copy_to_user(optval, address, len)) return -EFAULT; -@@ -1257,7 +1259,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname, +@@ -1256,7 +1257,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname, if (len > lv) len = lv; @@ -122479,7 +122519,7 @@ index 3307c02..3a9bfdc 100644 return -EFAULT; lenout: if (put_user(len, optlen)) -@@ -1550,7 +1552,7 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority) +@@ -1549,7 +1550,7 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority) newsk->sk_err = 0; newsk->sk_priority = 0; newsk->sk_incoming_cpu = raw_smp_processor_id(); @@ -122488,7 +122528,7 @@ index 3307c02..3a9bfdc 100644 /* * Before updating sk_refcnt, we must commit prior changes to memory * (Documentation/RCU/rculist_nulls.txt for details) -@@ -2359,7 +2361,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) +@@ -2358,7 +2359,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) */ smp_wmb(); atomic_set(&sk->sk_refcnt, 1); @@ -122497,7 +122537,7 @@ index 3307c02..3a9bfdc 100644 } EXPORT_SYMBOL(sock_init_data); -@@ -2487,6 +2489,7 @@ void sock_enable_timestamp(struct sock *sk, int flag) +@@ -2486,6 +2487,7 @@ void sock_enable_timestamp(struct sock *sk, int flag) int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, int level, int type) { @@ -122505,7 +122545,7 @@ index 3307c02..3a9bfdc 100644 struct sock_exterr_skb *serr; struct sk_buff *skb; int copied, err; -@@ -2508,7 +2511,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, +@@ -2507,7 +2509,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, sock_recv_timestamp(msg, sk, skb); serr = SKB_EXT_ERR(skb); @@ -122655,7 +122695,7 @@ index 95b6139..3048623 100644 .exit = sysctl_core_net_exit, }; diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c -index 675cf94..9279a75 100644 +index 6feddca..92b3468 100644 --- a/net/decnet/af_decnet.c +++ b/net/decnet/af_decnet.c @@ -466,6 +466,7 @@ static struct proto dn_proto = { @@ -122785,10 +122825,10 @@ index 214d44a..dcb7f86 100644 return -ENOMEM; } diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c -index 1d0c3ad..408f17b 100644 +index 4b16cf3..443b1d4 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c -@@ -1396,7 +1396,7 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) +@@ -1399,7 +1399,7 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) return ip_recv_error(sk, msg, len, addr_len); #if IS_ENABLED(CONFIG_IPV6) if (sk->sk_family == AF_INET6) @@ -123713,7 +123753,7 @@ index 0a2b61d..563a1d2 100644 write_pnet(&ireq->ireq_net, sock_net(sk_listener)); ireq->ireq_family = sk_listener->sk_family; diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index a7739c8..5bbbf64 100644 +index d77be28..5bbbf64 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -89,6 +89,10 @@ int sysctl_tcp_tw_reuse __read_mostly; @@ -123737,15 +123777,6 @@ index a7739c8..5bbbf64 100644 tcp_v4_send_reset(rsk, skb); discard: kfree_skb(skb); -@@ -1509,7 +1516,7 @@ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb) - if (likely(sk->sk_rx_dst)) - skb_dst_drop(skb); - else -- skb_dst_force(skb); -+ skb_dst_force_safe(skb); - - __skb_queue_tail(&tp->ucopy.prequeue, skb); - tp->ucopy.memory += skb->truesize; @@ -1592,12 +1599,19 @@ int tcp_v4_rcv(struct sk_buff *skb) TCP_SKB_CB(skb)->sacked = 0; @@ -123780,16 +123811,6 @@ index a7739c8..5bbbf64 100644 tcp_v4_send_reset(NULL, skb); } -@@ -1710,8 +1728,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) - { - struct dst_entry *dst = skb_dst(skb); - -- if (dst) { -- dst_hold(dst); -+ if (dst && dst_hold_safe(dst)) { - sk->sk_rx_dst = dst; - inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; - } diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c index def7659..b710969 100644 --- a/net/ipv4/tcp_minisocks.c @@ -124044,7 +124065,7 @@ index c10a9ee..c621a01 100644 return -ENOMEM; } diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index 3939dd2..7372e9a 100644 +index ddd3511..9cad64b 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -178,7 +178,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = { @@ -124065,20 +124086,7 @@ index 3939dd2..7372e9a 100644 .autoconf = 1, .force_mld_version = 0, .mldv1_unsolicited_report_interval = 10 * HZ, -@@ -349,6 +349,12 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev) - setup_timer(&ndev->rs_timer, addrconf_rs_timer, - (unsigned long)ndev); - memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf)); -+ -+ if (ndev->cnf.stable_secret.initialized) -+ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY; -+ else -+ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_EUI64; -+ - ndev->cnf.mtu6 = dev->mtu; - ndev->cnf.sysctl = NULL; - ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl); -@@ -636,7 +642,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb, +@@ -642,7 +642,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb, idx = 0; head = &net->dev_index_head[h]; rcu_read_lock(); @@ -124087,7 +124095,7 @@ index 3939dd2..7372e9a 100644 net->dev_base_seq; hlist_for_each_entry_rcu(dev, head, index_hlist) { if (idx < s_idx) -@@ -2576,7 +2582,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg) +@@ -2582,7 +2582,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg) p.iph.ihl = 5; p.iph.protocol = IPPROTO_IPV6; p.iph.ttl = 64; @@ -124096,7 +124104,7 @@ index 3939dd2..7372e9a 100644 if (ops->ndo_do_ioctl) { mm_segment_t oldfs = get_fs(); -@@ -3844,16 +3850,23 @@ static const struct file_operations if6_fops = { +@@ -3850,16 +3850,23 @@ static const struct file_operations if6_fops = { .release = seq_release_net, }; @@ -124121,7 +124129,7 @@ index 3939dd2..7372e9a 100644 } static struct pernet_operations if6_proc_net_ops = { -@@ -4472,7 +4485,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, +@@ -4478,7 +4485,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, s_ip_idx = ip_idx = cb->args[2]; rcu_read_lock(); @@ -124130,7 +124138,7 @@ index 3939dd2..7372e9a 100644 for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { idx = 0; head = &net->dev_index_head[h]; -@@ -5140,7 +5153,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) +@@ -5146,7 +5153,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) rt_genid_bump_ipv6(net); break; } @@ -124139,7 +124147,7 @@ index 3939dd2..7372e9a 100644 } static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) -@@ -5160,7 +5173,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write, +@@ -5166,7 +5173,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -124148,7 +124156,7 @@ index 3939dd2..7372e9a 100644 int ret; /* -@@ -5185,7 +5198,7 @@ int addrconf_sysctl_mtu(struct ctl_table *ctl, int write, +@@ -5191,7 +5198,7 @@ int addrconf_sysctl_mtu(struct ctl_table *ctl, int write, { struct inet6_dev *idev = ctl->extra1; int min_mtu = IPV6_MIN_MTU; @@ -124157,7 +124165,7 @@ index 3939dd2..7372e9a 100644 lctl = *ctl; lctl.extra1 = &min_mtu; -@@ -5260,7 +5273,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write, +@@ -5266,7 +5273,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -124166,7 +124174,7 @@ index 3939dd2..7372e9a 100644 int ret; /* -@@ -5325,7 +5338,7 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write, +@@ -5331,7 +5338,7 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write, int err; struct in6_addr addr; char str[IPV6_MAX_STRLEN]; @@ -124175,7 +124183,7 @@ index 3939dd2..7372e9a 100644 struct net *net = ctl->extra2; struct ipv6_stable_secret *secret = ctl->data; -@@ -5343,13 +5356,10 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write, +@@ -5349,13 +5356,10 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write, goto out; } @@ -124193,7 +124201,7 @@ index 3939dd2..7372e9a 100644 } err = proc_dostring(&lctl, write, buffer, lenp, ppos); -@@ -5397,7 +5407,7 @@ int addrconf_sysctl_ignore_routes_with_linkdown(struct ctl_table *ctl, +@@ -5403,7 +5407,7 @@ int addrconf_sysctl_ignore_routes_with_linkdown(struct ctl_table *ctl, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -124203,10 +124211,10 @@ index 3939dd2..7372e9a 100644 /* ctl->data points to idev->cnf.ignore_routes_when_linkdown diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c -index 38d66dd..dc7991d 100644 +index df095ee..537199c 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c -@@ -777,7 +777,7 @@ static int __net_init inet6_net_init(struct net *net) +@@ -780,7 +780,7 @@ static int __net_init inet6_net_init(struct net *net) net->ipv6.sysctl.idgen_retries = 3; net->ipv6.sysctl.idgen_delay = 1 * HZ; net->ipv6.sysctl.flowlabel_state_ranges = 0; @@ -124256,7 +124264,7 @@ index 6cedc62..998bd5b 100644 return new; } diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c -index 3c7b931..bcdd2bf 100644 +index e5ea177..54bf9fb 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -71,8 +71,8 @@ struct ip6gre_net { @@ -124279,7 +124287,7 @@ index 3c7b931..bcdd2bf 100644 .handler = ip6gre_rcv, .err_handler = ip6gre_err, .flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL, -@@ -1658,7 +1658,7 @@ static const struct nla_policy ip6gre_policy[IFLA_GRE_MAX + 1] = { +@@ -1656,7 +1656,7 @@ static const struct nla_policy ip6gre_policy[IFLA_GRE_MAX + 1] = { [IFLA_GRE_FLAGS] = { .type = NLA_U32 }, }; @@ -124288,7 +124296,7 @@ index 3c7b931..bcdd2bf 100644 .kind = "ip6gre", .maxtype = IFLA_GRE_MAX, .policy = ip6gre_policy, -@@ -1673,7 +1673,7 @@ static struct rtnl_link_ops ip6gre_link_ops __read_mostly = { +@@ -1671,7 +1671,7 @@ static struct rtnl_link_ops ip6gre_link_ops __read_mostly = { .get_link_net = ip6_tnl_get_link_net, }; @@ -124684,21 +124692,10 @@ index 45243bb..cdb398e 100644 struct ctl_table *ipv6_icmp_table; int err; diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index 9e9b77b..bdfd1ee 100644 +index 8935dc1..bdfd1ee 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c -@@ -93,16 +93,19 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) - { - struct dst_entry *dst = skb_dst(skb); - -- if (dst) { -+ if (dst && dst_hold_safe(dst)) { - const struct rt6_info *rt = (const struct rt6_info *)dst; - -- dst_hold(dst); - sk->sk_rx_dst = dst; - inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; - inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt); +@@ -102,6 +102,10 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) } } @@ -124709,7 +124706,7 @@ index 9e9b77b..bdfd1ee 100644 static __u32 tcp_v6_init_sequence(const struct sk_buff *skb) { return secure_tcpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32, -@@ -1286,6 +1289,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) +@@ -1285,6 +1289,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) return 0; reset: @@ -124719,7 +124716,7 @@ index 9e9b77b..bdfd1ee 100644 tcp_v6_send_reset(sk, skb); discard: if (opt_skb) -@@ -1395,12 +1401,20 @@ static int tcp_v6_rcv(struct sk_buff *skb) +@@ -1394,12 +1401,20 @@ static int tcp_v6_rcv(struct sk_buff *skb) sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest, inet6_iif(skb)); @@ -124742,7 +124739,7 @@ index 9e9b77b..bdfd1ee 100644 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) { NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP); -@@ -1452,6 +1466,10 @@ csum_error: +@@ -1451,6 +1466,10 @@ csum_error: bad_packet: TCP_INC_STATS_BH(net, TCP_MIB_INERRS); } else { @@ -125662,10 +125659,93 @@ index 45da11a..ef3e5dc 100644 table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table), GFP_KERNEL); diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c -index c09d6c7..360b90c 100644 +index c09d6c7..290e086 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c -@@ -1749,6 +1749,10 @@ void nf_conntrack_init_end(void) +@@ -66,6 +66,21 @@ EXPORT_SYMBOL_GPL(nf_conntrack_locks); + __cacheline_aligned_in_smp DEFINE_SPINLOCK(nf_conntrack_expect_lock); + EXPORT_SYMBOL_GPL(nf_conntrack_expect_lock); + ++static __read_mostly spinlock_t nf_conntrack_locks_all_lock; ++static __read_mostly bool nf_conntrack_locks_all; ++ ++void nf_conntrack_lock(spinlock_t *lock) __acquires(lock) ++{ ++ spin_lock(lock); ++ while (unlikely(nf_conntrack_locks_all)) { ++ spin_unlock(lock); ++ spin_lock(&nf_conntrack_locks_all_lock); ++ spin_unlock(&nf_conntrack_locks_all_lock); ++ spin_lock(lock); ++ } ++} ++EXPORT_SYMBOL_GPL(nf_conntrack_lock); ++ + static void nf_conntrack_double_unlock(unsigned int h1, unsigned int h2) + { + h1 %= CONNTRACK_LOCKS; +@@ -82,12 +97,12 @@ static bool nf_conntrack_double_lock(struct net *net, unsigned int h1, + h1 %= CONNTRACK_LOCKS; + h2 %= CONNTRACK_LOCKS; + if (h1 <= h2) { +- spin_lock(&nf_conntrack_locks[h1]); ++ nf_conntrack_lock(&nf_conntrack_locks[h1]); + if (h1 != h2) + spin_lock_nested(&nf_conntrack_locks[h2], + SINGLE_DEPTH_NESTING); + } else { +- spin_lock(&nf_conntrack_locks[h2]); ++ nf_conntrack_lock(&nf_conntrack_locks[h2]); + spin_lock_nested(&nf_conntrack_locks[h1], + SINGLE_DEPTH_NESTING); + } +@@ -102,16 +117,19 @@ static void nf_conntrack_all_lock(void) + { + int i; + +- for (i = 0; i < CONNTRACK_LOCKS; i++) +- spin_lock_nested(&nf_conntrack_locks[i], i); +-} ++ spin_lock(&nf_conntrack_locks_all_lock); ++ nf_conntrack_locks_all = true; + +-static void nf_conntrack_all_unlock(void) +-{ +- int i; +- +- for (i = 0; i < CONNTRACK_LOCKS; i++) ++ for (i = 0; i < CONNTRACK_LOCKS; i++) { ++ spin_lock(&nf_conntrack_locks[i]); + spin_unlock(&nf_conntrack_locks[i]); ++ } ++} ++ ++static void nf_conntrack_all_unlock(void) ++{ ++ nf_conntrack_locks_all = false; ++ spin_unlock(&nf_conntrack_locks_all_lock); + } + + unsigned int nf_conntrack_htable_size __read_mostly; +@@ -755,7 +773,7 @@ restart: + hash = hash_bucket(_hash, net); + for (; i < net->ct.htable_size; i++) { + lockp = &nf_conntrack_locks[hash % CONNTRACK_LOCKS]; +- spin_lock(lockp); ++ nf_conntrack_lock(lockp); + if (read_seqcount_retry(&net->ct.generation, sequence)) { + spin_unlock(lockp); + goto restart; +@@ -1376,7 +1394,7 @@ get_next_corpse(struct net *net, int (*iter)(struct nf_conn *i, void *data), + for (; *bucket < net->ct.htable_size; (*bucket)++) { + lockp = &nf_conntrack_locks[*bucket % CONNTRACK_LOCKS]; + local_bh_disable(); +- spin_lock(lockp); ++ nf_conntrack_lock(lockp); + if (*bucket < net->ct.htable_size) { + hlist_nulls_for_each_entry(h, n, &net->ct.hash[*bucket], hnnode) { + if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL) +@@ -1749,6 +1767,10 @@ void nf_conntrack_init_end(void) #define DYING_NULLS_VAL ((1<<30)+1) #define TEMPLATE_NULLS_VAL ((1<<30)+2) @@ -125676,7 +125756,7 @@ index c09d6c7..360b90c 100644 int nf_conntrack_init_net(struct net *net) { int ret = -ENOMEM; -@@ -1773,7 +1777,11 @@ int nf_conntrack_init_net(struct net *net) +@@ -1773,7 +1795,11 @@ int nf_conntrack_init_net(struct net *net) if (!net->ct.stat) goto err_pcpu_lists; @@ -125702,7 +125782,7 @@ index 4e78c57..ec8fb74 100644 table = kmemdup(event_sysctl_table, sizeof(event_sysctl_table), GFP_KERNEL); diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c -index bd9d315..989947e 100644 +index bd9d315..fbd2fb7 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c @@ -57,7 +57,7 @@ static struct ctl_table helper_sysctl_table[] = { @@ -125714,6 +125794,28 @@ index bd9d315..989947e 100644 table = kmemdup(helper_sysctl_table, sizeof(helper_sysctl_table), GFP_KERNEL); +@@ -425,7 +425,7 @@ static void __nf_conntrack_helper_unregister(struct nf_conntrack_helper *me, + } + local_bh_disable(); + for (i = 0; i < net->ct.htable_size; i++) { +- spin_lock(&nf_conntrack_locks[i % CONNTRACK_LOCKS]); ++ nf_conntrack_lock(&nf_conntrack_locks[i % CONNTRACK_LOCKS]); + if (i < net->ct.htable_size) { + hlist_nulls_for_each_entry(h, nn, &net->ct.hash[i], hnnode) + unhelp(h, me); +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 94a6654..9c275f7 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -840,7 +840,7 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + for (; cb->args[0] < net->ct.htable_size; cb->args[0]++) { + restart: + lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS]; +- spin_lock(lockp); ++ nf_conntrack_lock(lockp); + if (cb->args[0] >= net->ct.htable_size) { + spin_unlock(lockp); + goto out; diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c index b65d586..beec902 100644 --- a/net/netfilter/nf_conntrack_proto.c @@ -126570,19 +126672,6 @@ index f226709..0e735a8 100644 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); -diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c -index 7ec667d..b5c2cf2 100644 ---- a/net/sched/sch_api.c -+++ b/net/sched/sch_api.c -@@ -950,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue, - } - lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock); - if (!netif_is_multiqueue(dev)) -- sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; -+ sch->flags |= TCQ_F_ONETXQUEUE; - } - - sch->handle = handle; diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c index e82a1ad..a7df216b 100644 --- a/net/sched/sch_generic.c @@ -126618,10 +126707,10 @@ index e82a1ad..a7df216b 100644 kfree((char *) qdisc - qdisc->padded); } diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c -index e917d27..13e2a4c 100644 +index 40677cf..9656f92 100644 --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c -@@ -973,7 +973,7 @@ static const struct inet6_protocol sctpv6_protocol = { +@@ -981,7 +981,7 @@ static const struct inet6_protocol sctpv6_protocol = { .flags = INET6_PROTO_NOPOLICY | INET6_PROTO_FINAL, }; @@ -126630,7 +126719,7 @@ index e917d27..13e2a4c 100644 .sa_family = AF_INET6, .sctp_xmit = sctp_v6_xmit, .setsockopt = ipv6_setsockopt, -@@ -1003,7 +1003,7 @@ static struct sctp_af sctp_af_inet6 = { +@@ -1011,7 +1011,7 @@ static struct sctp_af sctp_af_inet6 = { #endif }; @@ -126639,7 +126728,7 @@ index e917d27..13e2a4c 100644 .event_msgname = sctp_inet6_event_msgname, .skb_msgname = sctp_inet6_skb_msgname, .af_supported = sctp_inet6_af_supported, -@@ -1030,7 +1030,7 @@ void sctp_v6_pf_init(void) +@@ -1038,7 +1038,7 @@ void sctp_v6_pf_init(void) void sctp_v6_pf_exit(void) { @@ -126836,7 +126925,7 @@ index d7eaa73..9042a5d 100644 /* diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index 3ec88be..a8d9d222 100644 +index 84b1b50..e2a95d3 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -972,7 +972,7 @@ static int sctp_setsockopt_bindx(struct sock *sk, @@ -127020,7 +127109,7 @@ index 26d50c5..289fe22 100644 table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL); diff --git a/net/socket.c b/net/socket.c -index 9963a0b..b88ff74 100644 +index f3fbe17..b88ff74 100644 --- a/net/socket.c +++ b/net/socket.c @@ -89,6 +89,7 @@ @@ -127221,15 +127310,7 @@ index 9963a0b..b88ff74 100644 int err, err2; int fput_needed; -@@ -1702,6 +1767,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, - msg.msg_name = addr ? (struct sockaddr *)&address : NULL; - /* We assume all kernel code knows the size of sockaddr_storage */ - msg.msg_namelen = 0; -+ msg.msg_iocb = NULL; - if (sock->file->f_flags & O_NONBLOCK) - flags |= MSG_DONTWAIT; - err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags); -@@ -1927,7 +1993,7 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg, +@@ -1928,7 +1993,7 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg, * checking falls down on this. */ if (copy_from_user(ctl_buf, @@ -127238,7 +127319,7 @@ index 9963a0b..b88ff74 100644 ctl_len)) goto out_freectl; msg_sys->msg_control = ctl_buf; -@@ -2077,7 +2143,7 @@ static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg, +@@ -2078,7 +2143,7 @@ static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg, ssize_t err; /* kernel mode address */ @@ -127247,7 +127328,7 @@ index 9963a0b..b88ff74 100644 /* user mode address pointers */ struct sockaddr __user *uaddr; -@@ -2722,7 +2788,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2723,7 +2788,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) ifr = compat_alloc_user_space(buf_size); rxnfc = (void __user *)ifr + ALIGN(sizeof(struct ifreq), 8); @@ -127256,7 +127337,7 @@ index 9963a0b..b88ff74 100644 return -EFAULT; if (put_user(convert_in ? rxnfc : compat_ptr(data), -@@ -2833,7 +2899,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, +@@ -2834,7 +2899,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); err = dev_ioctl(net, cmd, @@ -127265,7 +127346,7 @@ index 9963a0b..b88ff74 100644 set_fs(old_fs); return err; -@@ -2926,7 +2992,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, +@@ -2927,7 +2992,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); @@ -127274,7 +127355,7 @@ index 9963a0b..b88ff74 100644 set_fs(old_fs); if (cmd == SIOCGIFMAP && !err) { -@@ -3010,7 +3076,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, +@@ -3011,7 +3076,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, ret |= get_user(rtdev, &(ur4->rt_dev)); if (rtdev) { ret |= copy_from_user(devname, compat_ptr(rtdev), 15); @@ -127283,7 +127364,7 @@ index 9963a0b..b88ff74 100644 devname[15] = 0; } else r4.rt_dev = NULL; -@@ -3237,8 +3303,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, +@@ -3238,8 +3303,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, int __user *uoptlen; int err; @@ -127294,7 +127375,7 @@ index 9963a0b..b88ff74 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) -@@ -3258,7 +3324,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, +@@ -3259,7 +3324,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, char __user *uoptval; int err; @@ -127725,7 +127806,7 @@ index 350cca3..a108fc5 100644 sub->evt.event = htohl(event, sub->swap); sub->evt.found_lower = htohl(found_lower, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 128b098..b66988b 100644 +index 0fc6dba..adadbef 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -918,6 +918,12 @@ static struct sock *unix_find_other(struct net *net, @@ -127934,7 +128015,7 @@ index 128b098..b66988b 100644 return max_level; } -@@ -2772,9 +2821,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2765,9 +2814,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_puts(seq, "Num RefCount Protocol Flags Type St " "Inode Path\n"); else { @@ -127949,7 +128030,7 @@ index 128b098..b66988b 100644 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu", s, -@@ -2799,10 +2852,29 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2792,10 +2845,29 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_putc(seq, '@'); i++; } @@ -130505,36 +130586,6 @@ index aee2ec5..c276071 100644 /* record the root user tracking */ rb_link_node(&root_key_user.node, -diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c -index 0b9ec78..26f0e0a 100644 ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) - - /* the key is probably readable - now try to read it */ - can_read_key: -- ret = key_validate(key); -- if (ret == 0) { -- ret = -EOPNOTSUPP; -- if (key->type->read) { -- /* read the data with the semaphore held (since we -- * might sleep) */ -- down_read(&key->sem); -+ ret = -EOPNOTSUPP; -+ if (key->type->read) { -+ /* Read the data with the semaphore held (since we might sleep) -+ * to protect against the key being updated or revoked. -+ */ -+ down_read(&key->sem); -+ ret = key_validate(key); -+ if (ret == 0) - ret = key->type->read(key, buffer, buflen); -- up_read(&key->sem); -- } -+ up_read(&key->sem); - } - - error2: diff --git a/security/keys/keyring.c b/security/keys/keyring.c index d334370..b03e5a8 100644 --- a/security/keys/keyring.c @@ -130557,18 +130608,6 @@ index d334370..b03e5a8 100644 { BUG_ON(index_key->type == NULL); kenter("%d,%s,", keyring->serial, index_key->type->name); -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index 43b4cdd..7877e5c 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) - ret = PTR_ERR(keyring); - goto error2; - } else if (keyring == new->session_keyring) { -+ key_put(keyring); - ret = 0; - goto error2; - } diff --git a/security/min_addr.c b/security/min_addr.c index f728728..6457a0c 100644 --- a/security/min_addr.c diff --git a/4.3.3/4425_grsec_remove_EI_PAX.patch b/4.3.4/4425_grsec_remove_EI_PAX.patch index 2a1aa6c..2a1aa6c 100644 --- a/4.3.3/4425_grsec_remove_EI_PAX.patch +++ b/4.3.4/4425_grsec_remove_EI_PAX.patch diff --git a/4.3.3/4427_force_XATTR_PAX_tmpfs.patch b/4.3.4/4427_force_XATTR_PAX_tmpfs.patch index 22c9273..22c9273 100644 --- a/4.3.3/4427_force_XATTR_PAX_tmpfs.patch +++ b/4.3.4/4427_force_XATTR_PAX_tmpfs.patch diff --git a/4.3.3/4430_grsec-remove-localversion-grsec.patch b/4.3.4/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/4.3.3/4430_grsec-remove-localversion-grsec.patch +++ b/4.3.4/4430_grsec-remove-localversion-grsec.patch diff --git a/4.3.3/4435_grsec-mute-warnings.patch b/4.3.4/4435_grsec-mute-warnings.patch index b7564e4..b7564e4 100644 --- a/4.3.3/4435_grsec-mute-warnings.patch +++ b/4.3.4/4435_grsec-mute-warnings.patch diff --git a/4.3.3/4440_grsec-remove-protected-paths.patch b/4.3.4/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/4.3.3/4440_grsec-remove-protected-paths.patch +++ b/4.3.4/4440_grsec-remove-protected-paths.patch diff --git a/4.3.3/4450_grsec-kconfig-default-gids.patch b/4.3.4/4450_grsec-kconfig-default-gids.patch index 9524b1f..9524b1f 100644 --- a/4.3.3/4450_grsec-kconfig-default-gids.patch +++ b/4.3.4/4450_grsec-kconfig-default-gids.patch diff --git a/4.3.3/4465_selinux-avc_audit-log-curr_ip.patch b/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch index 28f2163..28f2163 100644 --- a/4.3.3/4465_selinux-avc_audit-log-curr_ip.patch +++ b/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/4.3.3/4470_disable-compat_vdso.patch b/4.3.4/4470_disable-compat_vdso.patch index 8fd85dc..8fd85dc 100644 --- a/4.3.3/4470_disable-compat_vdso.patch +++ b/4.3.4/4470_disable-compat_vdso.patch diff --git a/4.3.3/4475_emutramp_default_on.patch b/4.3.4/4475_emutramp_default_on.patch index afd6019..afd6019 100644 --- a/4.3.3/4475_emutramp_default_on.patch +++ b/4.3.4/4475_emutramp_default_on.patch |