author | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-18 06:47:53 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-18 12:24:19 +0000 |
commit | b52eb6193eb9c18980886ff25d2e4e41dd887078 (patch) | |
tree | 94f4ffbdefe87c8a6263138f8d7ea6da5c59288a /main/linux-grsec | |
parent | edc3a2b2750975af7ab9550726659cc5055265ca (diff) | |
main/linux-grsec: upgrade to 3.9.6 and fix CVE-2013-2851
Diffstat (limited to 'main/linux-grsec')
-rw-r--r-- | main/linux-grsec/APKBUILD | 23 | ||||
-rw-r--r-- | main/linux-grsec/CVE-2013-2851.patch | 60 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9.1-3.9.6-201306171904.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.9.5-201306111850.patch) | 845 |
3 files changed, 836 insertions, 92 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index bbaacff686..cd5bb17371 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -2,12 +2,12 @@ _flavor=grsec pkgname=linux-${_flavor} -pkgver=3.9.5 +pkgver=3.9.6 case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=${pkgver};; esac -pkgrel=1 +pkgrel=0 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-2.9.1-3.9.5-201306111850.patch + grsecurity-2.9.1-3.9.6-201306171904.patch 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch @@ -26,6 +26,8 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch + CVE-2013-2851.patch + kernelconfig.x86 kernelconfig.x86_64 " 
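Review bot: `CVE-2013-2851.patch` is listed in `source` after the grsecurity patch, yet none of the APKBUILD hunks shown touches `prepare()`, so whether and in what order it is applied depends on code outside this diff. If `prepare()` applies the entries in list order, the fix has to apply cleanly to a tree that already carries grsecurity-2.9.1-3.9.6-201306171904; a test build should confirm this, because a skipped patch would leave the format-string bug in a package whose commit title claims the fix. A comment above `source=` would record the intent, for example `# CVE-2013-2851.patch: applied on top of grsecurity; drop once patch-$pkgver.xz includes the fix`.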
@@ -149,35 +151,38 @@ dev() { } md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -aa22187ae5cd482a69097e9e59244491 patch-3.9.5.xz -cbc169ce43edf201acb158ce7e468516 grsecurity-2.9.1-3.9.5-201306111850.patch +897cffc5167a561b38c6748e7f0a4215 patch-3.9.6.xz +8c9e11d9121958fa866b330ed3dbe4bd grsecurity-2.9.1-3.9.6-201306171904.patch a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 2a12a3717052e878c0cd42aa935bfcf4 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch 6ce5fed63aad3f1a1ff1b9ba7b741822 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch 1a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch +eca3b4897b2a2191576ba719609cc654 CVE-2013-2851.patch 3e219a1f25136b204d00865939532fe9 kernelconfig.x86 1d057c89927a68e5f44896887ad3e379 kernelconfig.x86_64" sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz -f25145ff6ddde7a633839aabfd97b0d8239e14c494fd16210871229a35c1c0de patch-3.9.5.xz -12ea825b5494c41529d1b3dda89fe592d6b4fc06d027b2e7f2e9a1ae41c3617c grsecurity-2.9.1-3.9.5-201306111850.patch +13296dad939ef4e05adba87b9d0476aa8e2ccf92866f14835327dae8a1402fc3 patch-3.9.6.xz +a14302153a717e8cf8346c44ed4ac620b87a38795afa72c3f61797eab221290d grsecurity-2.9.1-3.9.6-201306171904.patch 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 260fd1807838b68305a96992bf7d3302a2a8ef3a3b08fe079ba9a07e6422f736 
0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch +461d159751095d3624d74867dc8b3e3865e3a67c4b3cd48188f5ae2f1f1f66cb CVE-2013-2851.patch cc3bd3d23f6a73ea6488c158de9d195ad5e3d87859ce02d92a04f0e08c9503d3 kernelconfig.x86 b780ef646b3b30a5b0307102367e17d45bb3a0ab7e37cf92a1ce783c3149243a kernelconfig.x86_64" sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz -8e9a064adadd062c7ca52c44de19dfd46b029e60f2832988a606e086b669ea699861ec57732d4abfb16e486f767d123fcfd66da7c2ddde380b7c13582bb44983 patch-3.9.5.xz -e52a55753c0821c08578924abe2d6ccc02743050e71c827fefd21e616a887e45459f3a7eb56b22b6ec0d25555cbb37f0df5cd1fe695b2277dfd7109f4f84ae8a grsecurity-2.9.1-3.9.5-201306111850.patch +6c79bde85d86c7e7dca160d5bdd5826ae05ed41cb372d0a94e4f9840413351a8bc1fec50159d59dbac462345bd13c31c6c4d8c47187ee6d87b4d71c8560093da patch-3.9.6.xz +fe8a4fffb18b6ef88951e97cd20e464674e10d2a6a76a0b17d4922b87b24c6653a81d798f0b93dfb7545da011a29d73dfafd73b258f528bbe81984ef24c137ac grsecurity-2.9.1-3.9.6-201306171904.patch 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 
d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d711e3486628ed56ab996484e219d79ac4b0c0ec684ebd380aa 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch 28a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch 249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch +5e5c9ac96b87efc811bd612774934a5fb8635a34d7fbe13ea80f5a8da19efa2a71f0bcab08a85224612f332d7485cea1d6cbd4d64644d90a3dd576f3458e5a99 CVE-2013-2851.patch 00fd8694455935f96e46b6624388b8c04af27ce4295040362da78c34bf9f08382bc69c1b8b273145573a59e3b4eecfa251119560da19ab390f171a8a6da18298 kernelconfig.x86 6276f503f9dd7ea228b1661f9a36edcf18d2c4cfb6d9c4e3e1496a4f70709cc693fc8498186d86dd3f303c909c50e478cb95e08a05f50bda77c9cf165aca1ba1 kernelconfig.x86_64" diff --git a/main/linux-grsec/CVE-2013-2851.patch b/main/linux-grsec/CVE-2013-2851.patch new file mode 100644 index 0000000000..3407731c7d --- /dev/null +++ b/main/linux-grsec/CVE-2013-2851.patch 
@@ -0,0 +1,60 @@ +Subject: [PATCH 1/8] block: do not pass disk names as format strings + +Disk names may contain arbitrary strings, so they must not be interpreted +as format strings. It seems that only md allows arbitrary strings to be +used for disk names, but this could allow for a local memory corruption +from uid 0 into ring 0. + +CVE-2013-2851 + +Signed-off-by: Kees Cook <keescook@chromium.org> +Cc: stable@vger.kernel.org +Cc: Jens Axboe <axboe@kernel.dk> +--- + block/genhd.c | 2 +- + drivers/block/nbd.c | 3 ++- + drivers/scsi/osd/osd_uld.c | 2 +- + 3 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/block/genhd.c b/block/genhd.c +index 20625ee..cdeb527 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk) + + ddev->parent = disk->driverfs_dev; + +- dev_set_name(ddev, disk->disk_name); ++ dev_set_name(ddev, "%s", disk->disk_name); + + /* delay uevents, until we scanned partition table */ + dev_set_uevent_suppress(ddev, 1); +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 037288e..46b35f7 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, + else + blk_queue_flush(nbd->disk->queue, 0); + +- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name); ++ thread = kthread_create(nbd_thread, nbd, "%s", ++ nbd->disk->disk_name); + if (IS_ERR(thread)) { + mutex_lock(&nbd->tx_lock); + return PTR_ERR(thread); +diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c +index 0fab6b5..9d86947 100644 +--- a/drivers/scsi/osd/osd_uld.c ++++ b/drivers/scsi/osd/osd_uld.c +@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev) + oud->class_dev.class = &osd_uld_class; + oud->class_dev.parent = dev; + oud->class_dev.release = __remove; +- error = dev_set_name(&oud->class_dev, disk->disk_name); ++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name); + if 
(error) { + OSD_ERR("dev_set_name failed => %d\n", error); + goto err_put_cdev; +-- +1.7.9.5 diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.5-201306111850.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.6-201306171904.patch index 183d9f7a54..430bb2aca9 100644 --- a/main/linux-grsec/grsecurity-2.9.1-3.9.5-201306111850.patch +++ b/main/linux-grsec/grsecurity-2.9.1-3.9.6-201306171904.patch @@ -259,7 +259,7 @@ index 8ccbf27..afffeb4 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 8818c95..ced0bb1 100644 +index 4a40307..9ac699b 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -6682,10 +6682,10 @@ index 2e3200c..72095ce 100644 /* Find this entry, or if that fails, the next avail. entry */ while (entry->jump[0]) { diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c -index 16e77a8..4501b41 100644 +index 9600c36..0c156d7 100644 --- a/arch/powerpc/kernel/process.c +++ b/arch/powerpc/kernel/process.c -@@ -870,8 +870,8 @@ void show_regs(struct pt_regs * regs) +@@ -871,8 +871,8 @@ void show_regs(struct pt_regs * regs) * Lookup NIP late so we have the best change of getting the * above info out without failing */ @@ -6696,7 +6696,7 @@ index 16e77a8..4501b41 100644 #endif #ifdef CONFIG_PPC_TRANSACTIONAL_MEM printk("PACATMSCRATCH [%llx]\n", get_paca()->tm_scratch); -@@ -1330,10 +1330,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) +@@ -1331,10 +1331,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) newsp = stack[0]; ip = stack[STACK_FRAME_LR_SAVE]; if (!firstframe || ip != lr) { 
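Review bot: The new CVE-2013-2851.patch records no upstream origin. Its header begins at `Subject: [PATCH 1/8]` with no From or Date line and no upstream commit or list reference, so a later maintainer cannot tell which upstream change it mirrors or when a kernel version bump makes it redundant. A provenance line in the patch header, such as `Origin: <upstream commit id or mailing-list URL>`, would make that checkable. The `1/8` numbering suggests it came from a larger series, of which only the disk-name change to `block/genhd.c`, `drivers/block/nbd.c` and `drivers/scsi/osd/osd_uld.c` is carried here. The header should state whether the remaining patches were left out on purpose.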
@@ -6709,7 +6709,7 @@ index 16e77a8..4501b41 100644 (void *)current->ret_stack[curr_frame].ret); curr_frame--; } -@@ -1353,7 +1353,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) +@@ -1354,7 +1354,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) struct pt_regs *regs = (struct pt_regs *) (sp + STACK_FRAME_OVERHEAD); lr = regs->link; @@ -6718,7 +6718,7 @@ index 16e77a8..4501b41 100644 regs->trap, (void *)regs->nip, (void *)lr); firstframe = 1; } -@@ -1395,58 +1395,3 @@ void __ppc64_runlatch_off(void) +@@ -1396,58 +1396,3 @@ void __ppc64_runlatch_off(void) mtspr(SPRN_CTRLT, ctrl); } #endif /* CONFIG_PPC64 */ @@ -6856,7 +6856,7 @@ index 3ce1f86..c30e629 100644 }; diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c -index 1c22b2d..3b56e67 100644 +index 29857c6..bd31e27 100644 --- a/arch/powerpc/kernel/traps.c +++ b/arch/powerpc/kernel/traps.c @@ -142,6 +142,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs) @@ -31363,10 +31363,10 @@ index e006c18..b9a7d6c 100644 .alloc_pud = xen_alloc_pmd_init, .release_pud = xen_release_pmd_init, diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c -index 22c800a..8915f1e 100644 +index 96c4e85..284fded 100644 --- a/arch/x86/xen/smp.c +++ b/arch/x86/xen/smp.c -@@ -229,11 +229,6 @@ static void __init xen_smp_prepare_boot_cpu(void) +@@ -230,11 +230,6 @@ static void __init xen_smp_prepare_boot_cpu(void) { BUG_ON(smp_processor_id() != 0); native_smp_prepare_boot_cpu(); @@ -31378,7 +31378,7 @@ index 22c800a..8915f1e 100644 xen_filter_cpu_maps(); xen_setup_vcpu_info_placement(); } -@@ -303,7 +298,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) +@@ -304,7 +299,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) ctxt->user_regs.ss = __KERNEL_DS; #ifdef CONFIG_X86_32 ctxt->user_regs.fs = __KERNEL_PERCPU; 
@@ -31387,7 +31387,7 @@ index 22c800a..8915f1e 100644 #else ctxt->gs_base_kernel = per_cpu_offset(cpu); #endif -@@ -313,8 +308,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) +@@ -314,8 +309,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) { ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */ @@ -31398,7 +31398,7 @@ index 22c800a..8915f1e 100644 xen_copy_trap_info(ctxt->trap_ctxt); -@@ -359,13 +354,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle) +@@ -360,13 +355,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle) int rc; per_cpu(current_task, cpu) = idle; @@ -31414,7 +31414,7 @@ index 22c800a..8915f1e 100644 #endif xen_setup_runstate_info(cpu); xen_setup_timer(cpu); -@@ -634,7 +628,7 @@ static const struct smp_ops xen_smp_ops __initconst = { +@@ -642,7 +636,7 @@ static const struct smp_ops xen_smp_ops __initconst = { void __init xen_smp_init(void) { @@ -33945,7 +33945,7 @@ index 2c644af..d4d7f17 100644 static int memory_open(struct inode *inode, struct file *filp) diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c -index c689697..04e6d6a 100644 +index c689697..04e6d6a2 100644 --- a/drivers/char/mwave/tp3780i.c +++ b/drivers/char/mwave/tp3780i.c @@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities @@ -34259,7 +34259,7 @@ index ade7513..069445f 100644 }; diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c -index 57a8774..545e993 100644 +index bb5939b..d9accb7 100644 --- a/drivers/cpufreq/acpi-cpufreq.c +++ b/drivers/cpufreq/acpi-cpufreq.c @@ -172,7 +172,7 @@ static ssize_t show_global_boost(struct kobject *kobj, @@ -35394,10 +35394,10 @@ index 3c7bb04..182e049 100644 iir = I915_READ(IIR); diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index c2d173a..f4357cc 100644 +index 2ab65b4..acbd821 100644 
--- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c -@@ -8722,13 +8722,13 @@ struct intel_quirk { +@@ -8742,13 +8742,13 @@ struct intel_quirk { int subsystem_vendor; int subsystem_device; void (*hook)(struct drm_device *dev); @@ -35413,7 +35413,7 @@ index c2d173a..f4357cc 100644 static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) { -@@ -8736,18 +8736,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) +@@ -8756,18 +8756,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) return 1; } @@ -35927,7 +35927,7 @@ index 6c0ce89..66f6d65 100644 #endif return radeon_debugfs_add_files(rdev, radeon_mem_types_list, i); diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c -index 5706d2a..17aedaa 100644 +index fad6633..4ff94de 100644 --- a/drivers/gpu/drm/radeon/rs690.c +++ b/drivers/gpu/drm/radeon/rs690.c @@ -304,9 +304,11 @@ static void rs690_crtc_bandwidth_compute(struct radeon_device *rdev, @@ -39635,6 +39635,19 @@ index 25309bf..fcfd54c 100644 #define CHIPREV_ID_5750_C2 0x4202 #define CHIPREV_ID_5752_A0_HW 0x5000 #define CHIPREV_ID_5752_A0 0x6000 +diff --git a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c +index 6e8bc9d..94d957d 100644 +--- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c ++++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c +@@ -244,7 +244,7 @@ bnad_debugfs_lseek(struct file *file, loff_t offset, int orig) + file->f_pos += offset; + break; + case 2: +- file->f_pos = debug->buffer_len - offset; ++ file->f_pos = debug->buffer_len + offset; + break; + default: + return -EINVAL; diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h index 8cffcdf..aadf043 100644 --- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h 
@@ -40374,6 +40387,19 @@ index 784e81c..349e01e 100644 struct ath_nf_limits { s16 max; +diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c +index 64b637a..911c4c0 100644 +--- a/drivers/net/wireless/b43/main.c ++++ b/drivers/net/wireless/b43/main.c +@@ -2451,7 +2451,7 @@ static void b43_request_firmware(struct work_struct *work) + for (i = 0; i < B43_NR_FWTYPES; i++) { + errmsg = ctx->errors[i]; + if (strlen(errmsg)) +- b43err(dev->wl, errmsg); ++ b43err(dev->wl, "%s", errmsg); + } + b43_print_fw_helptext(dev->wl, 1); + goto out; diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c index c353b5f..62aaca2 100644 --- a/drivers/net/wireless/iwlegacy/3945-mac.c 
@@ -40575,6 +40601,46 @@ index 2b49f48..14fc244 100644 } spin_lock_init(&hwsim_radio_lock); +diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c +index 753b568..a5f9875 100644 +--- a/drivers/net/wireless/mwifiex/debugfs.c ++++ b/drivers/net/wireless/mwifiex/debugfs.c +@@ -26,10 +26,17 @@ + static struct dentry *mwifiex_dfs_dir; + + static char *bss_modes[] = { +- "Unknown", +- "Ad-hoc", +- "Managed", +- "Auto" ++ "UNSPECIFIED", ++ "ADHOC", ++ "STATION", ++ "AP", ++ "AP_VLAN", ++ "WDS", ++ "MONITOR", ++ "MESH_POINT", ++ "P2P_CLIENT", ++ "P2P_GO", ++ "P2P_DEVICE", + }; + + /* size/addr for mwifiex_debug_info */ +@@ -200,7 +207,12 @@ mwifiex_info_read(struct file *file, char __user *ubuf, + p += sprintf(p, "driver_version = %s", fmt); + p += sprintf(p, "\nverext = %s", priv->version_str); + p += sprintf(p, "\ninterface_name=\"%s\"\n", netdev->name); +- p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]); ++ ++ if (info.bss_mode >= ARRAY_SIZE(bss_modes)) ++ p += sprintf(p, "bss_mode=\"%d\"\n", info.bss_mode); ++ else ++ p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]); ++ + p += sprintf(p, "media_state=\"%s\"\n", + (!priv->media_connected ? "Disconnected" : "Connected")); + p += sprintf(p, "mac_address=\"%pM\"\n", netdev->dev_addr); diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c index 525fd75..6c9f791 100644 --- a/drivers/net/wireless/rndis_wlan.c @@ -41068,7 +41134,7 @@ index d320df6..ca9a8f6 100644 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c -index 5427787..8df273b 100644 +index 563771f..4e3c368 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -173,7 +173,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, 
@@ -41613,6 +41679,32 @@ index 23a90e7..9cf04ee 100644 /* * Queue element to wait for room in request queue. FIFO order is +diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c +index 439c012..b63d534 100644 +--- a/drivers/scsi/bfa/bfad_debugfs.c ++++ b/drivers/scsi/bfa/bfad_debugfs.c +@@ -186,7 +186,7 @@ bfad_debugfs_lseek(struct file *file, loff_t offset, int orig) + file->f_pos += offset; + break; + case 2: +- file->f_pos = debug->buffer_len - offset; ++ file->f_pos = debug->buffer_len + offset; + break; + default: + return -EINVAL; +diff --git a/drivers/scsi/fnic/fnic_debugfs.c b/drivers/scsi/fnic/fnic_debugfs.c +index adc1f7f..85e1ffd 100644 +--- a/drivers/scsi/fnic/fnic_debugfs.c ++++ b/drivers/scsi/fnic/fnic_debugfs.c +@@ -174,7 +174,7 @@ static loff_t fnic_trace_debugfs_lseek(struct file *file, + pos = file->f_pos + offset; + break; + case 2: +- pos = fnic_dbg_prt->buffer_len - offset; ++ pos = fnic_dbg_prt->buffer_len + offset; + } + return (pos < 0 || pos > fnic_dbg_prt->buffer_len) ? + -EINVAL : (file->f_pos = pos); diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c index df0c3c7..b00e1d0 100644 --- a/drivers/scsi/hosts.c @@ -41967,7 +42059,7 @@ index 7706c99..3b4fc0c 100644 struct dentry *idiag_root; struct dentry *idiag_pci_cfg; diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c -index f63f5ff..de29189 100644 +index f63f5ff..32549a4 100644 --- a/drivers/scsi/lpfc/lpfc_debugfs.c +++ b/drivers/scsi/lpfc/lpfc_debugfs.c @@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc, @@ -42031,6 +42123,15 @@ index f63f5ff..de29189 100644 dtp->jif = jiffies; #endif return; +@@ -1178,7 +1178,7 @@ lpfc_debugfs_lseek(struct file *file, loff_t off, int whence) + pos = file->f_pos + off; + break; + case 2: +- pos = debug->len - off; ++ pos = debug->len + off; + } + return (pos < 0 || pos > debug->len) ? -EINVAL : (file->f_pos = pos); + } 
@@ -4182,7 +4182,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) "slow_ring buffer\n"); goto debug_failed; @@ -51123,6 +51224,45 @@ index f3190ab..84ffb21 100644 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len); return 0; +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 3beae6a..8cc5637 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -79,12 +79,20 @@ static int verify_group_input(struct super_block *sb, + ext4_fsblk_t end = start + input->blocks_count; + ext4_group_t group = input->group; + ext4_fsblk_t itend = input->inode_table + sbi->s_itb_per_group; +- unsigned overhead = ext4_group_overhead_blocks(sb, group); +- ext4_fsblk_t metaend = start + overhead; ++ unsigned overhead; ++ ext4_fsblk_t metaend; + struct buffer_head *bh = NULL; + ext4_grpblk_t free_blocks_count, offset; + int err = -EINVAL; + ++ if (group != sbi->s_groups_count) { ++ ext4_warning(sb, "Cannot add at group %u (only %u groups)", ++ input->group, sbi->s_groups_count); ++ return -EINVAL; ++ } ++ ++ overhead = ext4_group_overhead_blocks(sb, group); ++ metaend = start + overhead; + input->free_blocks_count = free_blocks_count = + input->blocks_count - 2 - overhead - sbi->s_itb_per_group; + +@@ -96,10 +104,7 @@ static int verify_group_input(struct super_block *sb, + free_blocks_count, input->reserved_blocks); + + ext4_get_group_no_and_offset(sb, start, NULL, &offset); +- if (group != sbi->s_groups_count) +- ext4_warning(sb, "Cannot add at group %u (only %u groups)", +- input->group, sbi->s_groups_count); +- else if (offset != 0) ++ if (offset != 0) + ext4_warning(sb, "Last group not full"); + else if (input->reserved_blocks > input->blocks_count / 5) + ext4_warning(sb, "Reserved blocks too high (%u)", diff --git a/fs/ext4/super.c b/fs/ext4/super.c index febbe0e..782c4fd 100644 --- a/fs/ext4/super.c 
@@ -71468,6 +71608,20 @@ index e8d702e..0a56eb4 100644 int sock_diag_register(const struct sock_diag_handler *h); void sock_diag_unregister(const struct sock_diag_handler *h); +diff --git a/include/linux/socket.h b/include/linux/socket.h +index 2b9f74b..e897bdc 100644 +--- a/include/linux/socket.h ++++ b/include/linux/socket.h +@@ -321,6 +321,9 @@ extern int put_cmsg(struct msghdr*, int level, int type, int len, void *data); + + struct timespec; + ++/* The __sys_...msg variants allow MSG_CMSG_COMPAT */ ++extern long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags); ++extern long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags); + extern int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, + unsigned int flags, struct timespec *timeout); + extern int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, diff --git a/include/linux/sonet.h b/include/linux/sonet.h index 680f9a3..f13aeb0 100644 --- a/include/linux/sonet.h @@ -74611,7 +74765,7 @@ index 00eb8f7..d7e3244 100644 #ifdef CONFIG_MODULE_UNLOAD { diff --git a/kernel/events/core.c b/kernel/events/core.c -index 9fcb094..8370228 100644 +index 9fcb094..353baaaf 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -154,8 +154,15 @@ static struct srcu_struct pmus_srcu; @@ -74623,7 +74777,7 @@ index 9fcb094..8370228 100644 -int sysctl_perf_event_paranoid __read_mostly = 1; +#ifdef CONFIG_GRKERNSEC_PERF_HARDEN +int sysctl_perf_event_legitimately_concerned __read_mostly = 3; -+#elif CONFIG_GRKERNSEC_HIDESYM ++#elif defined(CONFIG_GRKERNSEC_HIDESYM) +int sysctl_perf_event_legitimately_concerned __read_mostly = 2; +#else +int sysctl_perf_event_legitimately_concerned __read_mostly = 1; @@ -78324,7 +78478,7 @@ index 02fc5c9..e54c335 100644 mutex_unlock(&smpboot_threads_lock); put_online_cpus(); diff --git a/kernel/softirq.c b/kernel/softirq.c -index 14d7758..012121f 100644 +index d93dcb1..1cd8a71 100644 --- a/kernel/softirq.c +++ b/kernel/softirq.c 
@@ -53,11 +53,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned; @@ -78341,7 +78495,7 @@ index 14d7758..012121f 100644 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL", "TASKLET", "SCHED", "HRTIMER", "RCU" }; -@@ -244,7 +244,7 @@ restart: +@@ -250,7 +250,7 @@ restart: kstat_incr_softirqs_this_cpu(vec_nr); trace_softirq_entry(vec_nr); @@ -78350,7 +78504,7 @@ index 14d7758..012121f 100644 trace_softirq_exit(vec_nr); if (unlikely(prev_count != preempt_count())) { printk(KERN_ERR "huh, entered softirq %u %s %p" -@@ -389,7 +389,7 @@ void __raise_softirq_irqoff(unsigned int nr) +@@ -396,7 +396,7 @@ void __raise_softirq_irqoff(unsigned int nr) or_softirq_pending(1UL << nr); } @@ -78359,7 +78513,7 @@ index 14d7758..012121f 100644 { softirq_vec[nr].action = action; } -@@ -445,7 +445,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t) +@@ -452,7 +452,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t) EXPORT_SYMBOL(__tasklet_hi_schedule_first); @@ -78368,7 +78522,7 @@ index 14d7758..012121f 100644 { struct tasklet_struct *list; -@@ -480,7 +480,7 @@ static void tasklet_action(struct softirq_action *a) +@@ -487,7 +487,7 @@ static void tasklet_action(struct softirq_action *a) } } @@ -78377,7 +78531,7 @@ index 14d7758..012121f 100644 { struct tasklet_struct *list; -@@ -716,7 +716,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self, +@@ -723,7 +723,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self, return NOTIFY_OK; } @@ -78386,7 +78540,7 @@ index 14d7758..012121f 100644 .notifier_call = remote_softirq_cpu_notify, }; -@@ -833,11 +833,11 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb, +@@ -840,11 +840,11 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb, return NOTIFY_OK; } @@ -78912,7 +79066,7 @@ index 90ad470..1814e9a 100644 tick_broadcast_clear_oneshot(cpu); } else { 
diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c -index 9a0bc98..fceb7d0 100644 +index 183df62..59b1442 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -15,6 +15,7 @@ @@ -81653,7 +81807,7 @@ index 79b7cf7..9944291 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index 0dceed8..671951c 100644 +index 0dceed8..e7cfc40 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -33,6 +33,7 @@ @@ -82402,11 +82556,10 @@ index 0dceed8..671951c 100644 size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -2184,6 +2492,18 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2184,13 +2492,27 @@ int expand_downwards(struct vm_area_struct *vma, vma->vm_pgoff -= grow; anon_vma_interval_tree_post_update_vma(vma); vma_gap_update(vma); -+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags); + +#ifdef CONFIG_PAX_SEGMEXEC + if (vma_m) { @@ -82420,8 +82573,18 @@ index 0dceed8..671951c 100644 + spin_unlock(&vma->vm_mm->page_table_lock); ++ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags); perf_event_mmap(vma); -@@ -2288,6 +2608,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) + } + } + } + vma_unlock_anon_vma(vma); ++ if (lockprev) ++ vma_unlock_anon_vma(prev); + khugepaged_enter_vma_merge(vma); + validate_mm(vma->vm_mm); + return error; +@@ -2288,6 +2610,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) do { long nrpages = vma_pages(vma); 
@@ -82435,7 +82598,7 @@ index 0dceed8..671951c 100644 if (vma->vm_flags & VM_ACCOUNT) nr_accounted += nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); -@@ -2333,6 +2660,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2333,6 +2662,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { @@ -82452,7 +82615,7 @@ index 0dceed8..671951c 100644 vma_rb_erase(vma, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -2364,14 +2701,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2364,14 +2703,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, struct vm_area_struct *new; int err = -ENOMEM; @@ -82486,7 +82649,7 @@ index 0dceed8..671951c 100644 /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -2384,6 +2740,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2384,6 +2742,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -82509,7 +82672,7 @@ index 0dceed8..671951c 100644 pol = mpol_dup(vma_policy(vma)); if (IS_ERR(pol)) { err = PTR_ERR(pol); -@@ -2406,6 +2778,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2406,6 +2780,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, else err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -82546,7 +82709,7 @@ index 0dceed8..671951c 100644 /* Success. */ if (!err) return 0; -@@ -2415,10 +2817,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2415,10 +2819,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_ops->close(new); if (new->vm_file) fput(new->vm_file); 
@@ -82566,7 +82729,7 @@ index 0dceed8..671951c 100644 kmem_cache_free(vm_area_cachep, new); out_err: return err; -@@ -2431,6 +2841,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2431,6 +2843,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, int new_below) { @@ -82582,7 +82745,7 @@ index 0dceed8..671951c 100644 if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -2442,11 +2861,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2442,11 +2863,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ @@ -82613,7 +82776,7 @@ index 0dceed8..671951c 100644 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -2521,6 +2959,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +@@ -2521,6 +2961,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -82622,7 +82785,7 @@ index 0dceed8..671951c 100644 return 0; } -@@ -2529,6 +2969,13 @@ int vm_munmap(unsigned long start, size_t len) +@@ -2529,6 +2971,13 @@ int vm_munmap(unsigned long start, size_t len) int ret; struct mm_struct *mm = current->mm; @@ -82636,7 +82799,7 @@ index 0dceed8..671951c 100644 down_write(&mm->mmap_sem); ret = do_munmap(mm, start, len); up_write(&mm->mmap_sem); -@@ -2542,16 +2989,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) +@@ -2542,16 +2991,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) return vm_munmap(addr, len); } 
@@ -82653,7 +82816,7 @@ index 0dceed8..671951c 100644 /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2565,6 +3002,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2565,6 +3004,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -82661,7 +82824,7 @@ index 0dceed8..671951c 100644 len = PAGE_ALIGN(len); if (!len) -@@ -2572,16 +3010,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2572,16 +3012,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -82693,7 +82856,7 @@ index 0dceed8..671951c 100644 locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; -@@ -2598,21 +3050,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2598,21 +3052,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) /* * Clear old maps. this also does some error checking for us */ @@ -82718,7 +82881,7 @@ index 0dceed8..671951c 100644 return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2626,7 +3077,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2626,7 +3079,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -82727,7 +82890,7 @@ index 0dceed8..671951c 100644 return -ENOMEM; } -@@ -2640,9 +3091,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2640,9 +3093,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) vma_link(mm, vma, prev, rb_link, rb_parent); out: perf_event_mmap(vma); 
@@ -82740,7 +82903,7 @@ index 0dceed8..671951c 100644 return addr; } -@@ -2704,6 +3156,7 @@ void exit_mmap(struct mm_struct *mm) +@@ -2704,6 +3158,7 @@ void exit_mmap(struct mm_struct *mm) while (vma) { if (vma->vm_flags & VM_ACCOUNT) nr_accounted += vma_pages(vma); @@ -82748,7 +82911,7 @@ index 0dceed8..671951c 100644 vma = remove_vma(vma); } vm_unacct_memory(nr_accounted); -@@ -2720,6 +3173,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2720,6 +3175,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) struct vm_area_struct *prev; struct rb_node **rb_link, *rb_parent; @@ -82762,7 +82925,7 @@ index 0dceed8..671951c 100644 /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2743,7 +3203,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2743,7 +3205,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -82784,7 +82947,7 @@ index 0dceed8..671951c 100644 return 0; } -@@ -2763,6 +3237,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2763,6 +3239,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, struct mempolicy *pol; bool faulted_in_anon_vma = true; @@ -82793,7 +82956,7 @@ index 0dceed8..671951c 100644 /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2829,6 +3305,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2829,6 +3307,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return NULL; } 
@@ -82833,7 +82996,7 @@ index 0dceed8..671951c 100644 /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2840,6 +3349,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) +@@ -2840,6 +3351,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; @@ -82841,7 +83004,7 @@ index 0dceed8..671951c 100644 if (cur + npages > lim) return 0; return 1; -@@ -2910,6 +3420,22 @@ int install_special_mapping(struct mm_struct *mm, +@@ -2910,6 +3422,22 @@ int install_special_mapping(struct mm_struct *mm, vma->vm_start = addr; vma->vm_end = addr + len; @@ -85239,7 +85402,7 @@ index 6a93614..1415549 100644 err = -EFAULT; break; diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c -index 7c7e932..7a7815d 100644 +index 7c7e932..8d23158 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -3395,8 +3395,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, 
@@ -85255,6 +85418,223 @@ index 7c7e932..7a7815d 100644 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && rfc.mode != chan->mode) +@@ -3568,10 +3570,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) + } + + static inline int l2cap_command_rej(struct l2cap_conn *conn, +- struct l2cap_cmd_hdr *cmd, u8 *data) ++ struct l2cap_cmd_hdr *cmd, u16 cmd_len, ++ u8 *data) + { + struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; + ++ if (cmd_len < sizeof(*rej)) ++ return -EPROTO; ++ + if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD) + return 0; + +@@ -3720,11 +3726,14 @@ sendresp: + } + + static int l2cap_connect_req(struct l2cap_conn *conn, +- struct l2cap_cmd_hdr *cmd, u8 *data) ++ struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) + { + struct hci_dev *hdev = conn->hcon->hdev; + struct hci_conn *hcon = conn->hcon; + ++ if (cmd_len < sizeof(struct l2cap_conn_req)) ++ return -EPROTO; ++ + hci_dev_lock(hdev); + if (test_bit(HCI_MGMT, &hdev->dev_flags) && + !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags)) +@@ -3738,7 +3747,8 @@ static int l2cap_connect_req(struct l2cap_conn *conn, + } + + static int l2cap_connect_create_rsp(struct l2cap_conn *conn, +- struct l2cap_cmd_hdr *cmd, u8 *data) ++ struct l2cap_cmd_hdr *cmd, u16 cmd_len, ++ u8 *data) + { + struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data; + u16 scid, dcid, result, status; +@@ -3746,6 +3756,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, + u8 req[128]; + int err; + ++ if (cmd_len < sizeof(*rsp)) ++ return -EPROTO; ++ + scid = __le16_to_cpu(rsp->scid); + dcid = __le16_to_cpu(rsp->dcid); + result = __le16_to_cpu(rsp->result); +@@ -3843,6 +3856,9 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, + struct l2cap_chan *chan; + int len, err = 0; + ++ if (cmd_len < sizeof(*req)) ++ return -EPROTO; ++ + dcid = __le16_to_cpu(req->dcid); + flags = __le16_to_cpu(req->flags); + +@@ -3866,7 +3882,7 @@ static inline int 
l2cap_config_req(struct l2cap_conn *conn, + + /* Reject if config buffer is too small. */ + len = cmd_len - sizeof(*req); +- if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) { ++ if (chan->conf_len + len > sizeof(chan->conf_req)) { + l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, + l2cap_build_conf_rsp(chan, rsp, + L2CAP_CONF_REJECT, flags), rsp); +@@ -3944,14 +3960,18 @@ unlock: + } + + static inline int l2cap_config_rsp(struct l2cap_conn *conn, +- struct l2cap_cmd_hdr *cmd, u8 *data) ++ struct l2cap_cmd_hdr *cmd, u16 cmd_len, ++ u8 *data) + { + struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; + u16 scid, flags, result; + struct l2cap_chan *chan; +- int len = le16_to_cpu(cmd->len) - sizeof(*rsp); ++ int len = cmd_len - sizeof(*rsp); + int err = 0; + ++ if (cmd_len < sizeof(*rsp)) ++ return -EPROTO; ++ + scid = __le16_to_cpu(rsp->scid); + flags = __le16_to_cpu(rsp->flags); + result = __le16_to_cpu(rsp->result); +@@ -4052,7 +4072,8 @@ done: + } + + static inline int l2cap_disconnect_req(struct l2cap_conn *conn, +- struct l2cap_cmd_hdr *cmd, u8 *data) ++ struct l2cap_cmd_hdr *cmd, u16 cmd_len, ++ u8 *data) + { + struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data; + struct l2cap_disconn_rsp rsp; +@@ -4060,6 +4081,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, + struct l2cap_chan *chan; + struct sock *sk; + ++ if (cmd_len != sizeof(*req)) ++ return -EPROTO; ++ + scid = __le16_to_cpu(req->scid); + dcid = __le16_to_cpu(req->dcid); + +@@ -4099,12 +4123,16 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, + } + + static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, +- struct l2cap_cmd_hdr *cmd, u8 *data) ++ struct l2cap_cmd_hdr *cmd, u16 cmd_len, ++ u8 *data) + { + struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data; + u16 dcid, scid; + struct l2cap_chan *chan; + ++ if (cmd_len != sizeof(*rsp)) ++ return -EPROTO; ++ + scid = __le16_to_cpu(rsp->scid); + dcid = 
__le16_to_cpu(rsp->dcid); + +@@ -4134,11 +4162,15 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, + } + + static inline int l2cap_information_req(struct l2cap_conn *conn, +- struct l2cap_cmd_hdr *cmd, u8 *data) ++ struct l2cap_cmd_hdr *cmd, u16 cmd_len, ++ u8 *data) + { + struct l2cap_info_req *req = (struct l2cap_info_req *) data; + u16 type; + ++ if (cmd_len != sizeof(*req)) ++ return -EPROTO; ++ + type = __le16_to_cpu(req->type); + + BT_DBG("type 0x%4.4x", type); +@@ -4185,11 +4217,15 @@ static inline int l2cap_information_req(struct l2cap_conn *conn, + } + + static inline int l2cap_information_rsp(struct l2cap_conn *conn, +- struct l2cap_cmd_hdr *cmd, u8 *data) ++ struct l2cap_cmd_hdr *cmd, u16 cmd_len, ++ u8 *data) + { + struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; + u16 type, result; + ++ if (cmd_len != sizeof(*rsp)) ++ return -EPROTO; ++ + type = __le16_to_cpu(rsp->type); + result = __le16_to_cpu(rsp->result); + +@@ -5055,16 +5091,16 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, + + switch (cmd->code) { + case L2CAP_COMMAND_REJ: +- l2cap_command_rej(conn, cmd, data); ++ l2cap_command_rej(conn, cmd, cmd_len, data); + break; + + case L2CAP_CONN_REQ: +- err = l2cap_connect_req(conn, cmd, data); ++ err = l2cap_connect_req(conn, cmd, cmd_len, data); + break; + + case L2CAP_CONN_RSP: + case L2CAP_CREATE_CHAN_RSP: +- err = l2cap_connect_create_rsp(conn, cmd, data); ++ err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data); + break; + + case L2CAP_CONF_REQ: +@@ -5072,15 +5108,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, + break; + + case L2CAP_CONF_RSP: +- err = l2cap_config_rsp(conn, cmd, data); ++ err = l2cap_config_rsp(conn, cmd, cmd_len, data); + break; + + case L2CAP_DISCONN_REQ: +- err = l2cap_disconnect_req(conn, cmd, data); ++ err = l2cap_disconnect_req(conn, cmd, cmd_len, data); + break; + + case L2CAP_DISCONN_RSP: +- err = l2cap_disconnect_rsp(conn, cmd, data); ++ err = 
l2cap_disconnect_rsp(conn, cmd, cmd_len, data); + break; + + case L2CAP_ECHO_REQ: +@@ -5091,11 +5127,11 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, + break; + + case L2CAP_INFO_REQ: +- err = l2cap_information_req(conn, cmd, data); ++ err = l2cap_information_req(conn, cmd, cmd_len, data); + break; + + case L2CAP_INFO_RSP: +- err = l2cap_information_rsp(conn, cmd, data); ++ err = l2cap_information_rsp(conn, cmd, cmd_len, data); + break; + + case L2CAP_CREATE_CHAN_REQ: diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 1bcfb84..dad9f98 100644 --- a/net/bluetooth/l2cap_sock.c @@ -85486,7 +85866,7 @@ index 117814a..ad4fb73 100644 if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) { diff --git a/net/compat.c b/net/compat.c -index 79ae884..17c5c09 100644 +index 79ae884..0541331 100644 --- a/net/compat.c +++ b/net/compat.c @@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) 
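Review bot: In `l2cap_bredr_sig_cmd` the `L2CAP_COMMAND_REJ` case still calls `l2cap_command_rej(conn, cmd, cmd_len, data);` without assigning the result, so the `-EPROTO` returned by the new length check for a short PDU is discarded, unlike the other handlers touched here, which all feed `err`. The early return still keeps `rej->reason` from being read, so this is about visibility of malformed input, not an over-read. If dropping the error is deliberate, a comment such as `/* result ignored on purpose: a malformed Command Reject is dropped silently */` would record that. In `l2cap_config_rsp`, `int len = cmd_len - sizeof(*rsp);` is evaluated before the `cmd_len < sizeof(*rsp)` guard; it is not used before the guard in the lines shown, but assigning it after the check would avoid carrying a wrapped value. The switch and several handler bodies continue outside the added hunks.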
@@ -85616,7 +85996,45 @@ index 79ae884..17c5c09 100644 struct group_filter __user *kgf; int __user *koptlen; u32 interface, fmode, numsrc; -@@ -796,7 +796,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) +@@ -734,19 +734,25 @@ static unsigned char nas[21] = { + + asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags) + { +- return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); ++ if (flags & MSG_CMSG_COMPAT) ++ return -EINVAL; ++ return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); + } + + asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg, + unsigned int vlen, unsigned int flags) + { ++ if (flags & MSG_CMSG_COMPAT) ++ return -EINVAL; + return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT); + } + + asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags) + { +- return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); ++ if (flags & MSG_CMSG_COMPAT) ++ return -EINVAL; ++ return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); + } + + asmlinkage long compat_sys_recv(int fd, void __user *buf, size_t len, unsigned int flags) +@@ -768,6 +774,9 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, + int datagrams; + struct timespec ktspec; + ++ if (flags & MSG_CMSG_COMPAT) ++ return -EINVAL; ++ + if (COMPAT_USE_64BIT_TIME) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, +@@ -796,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) if (call < SYS_SOCKET || call > SYS_SENDMMSG) return -EINVAL; @@ -86559,7 +86977,7 @@ index d9c4f11..02b82dbc 100644 msg.msg_flags = flags; diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c -index c3a4233..1412161 100644 +index c3a4233..7df5626 100644 --- a/net/ipv4/ip_vti.c 
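Review bot: The guard `if (flags & MSG_CMSG_COMPAT) return -EINVAL;` is added to `compat_sys_sendmsg`, `compat_sys_sendmmsg`, `compat_sys_recvmsg` and `compat_sys_recvmmsg` without a comment explaining why a flag that the very next statement ORs in must be rejected when the caller supplies it. A one-line comment at the first site, e.g. `/* MSG_CMSG_COMPAT is kernel-internal: set here for compat callers, never accepted from userspace */`, would keep a later cleanup from removing the checks as redundant. The same applies to the native `sendmsg`, `sendmmsg`, `recvmsg` and `recvmmsg` entry points patched in net/socket.c further down. Because the check is now repeated at eight entry points, a small shared helper would also make it harder for a future entry point to miss it.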
+++ b/net/ipv4/ip_vti.c @@ -47,7 +47,7 @@ @@ -86571,7 +86989,17 @@ index c3a4233..1412161 100644 static int vti_net_id __read_mostly; struct vti_net { -@@ -886,7 +886,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = { +@@ -399,8 +399,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev) + tunnel->err_count = 0; + } + +- IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | +- IPSKB_REROUTED); ++ memset(IPCB(skb), 0, sizeof(*IPCB(skb))); + skb_dst_drop(skb); + skb_dst_set(skb, &rt->dst); + nf_reset(skb); +@@ -886,7 +885,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = { [IFLA_VTI_REMOTE] = { .len = FIELD_SIZEOF(struct iphdr, daddr) }, }; @@ -88040,6 +88468,33 @@ index 5b1e5af..2358147 100644 } while (!res); return res; } +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index 637a341..8dec687 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -346,19 +346,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh + skb_put(skb, 2); + + /* Copy user data into skb */ +- error = memcpy_fromiovec(skb->data, m->msg_iov, total_len); ++ error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov, ++ total_len); + if (error < 0) { + kfree_skb(skb); + goto error_put_sess_tun; + } +- skb_put(skb, total_len); + + l2tp_xmit_skb(session, skb, session->hdr_len); + + sock_put(ps->tunnel_sock); + sock_put(sk); + +- return error; ++ return total_len; + + error_put_sess_tun: + sock_put(ps->tunnel_sock); diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 843d8c4..cb04fa1 100644 --- a/net/mac80211/cfg.c @@ -88344,7 +88799,7 @@ index 61f49d2..6c8c5bc 100644 if (ipvs->sync_state & IP_VS_STATE_MASTER) ip_vs_sync_conn(net, cp, pkts); diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c -index 9e2d1cc..7f8f569 100644 +index 9e2d1cc..6ed0748 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c 
@@ -787,7 +787,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest, @@ -88383,7 +88838,14 @@ index 9e2d1cc..7f8f569 100644 atomic_read(&dest->weight), atomic_read(&dest->activeconns), atomic_read(&dest->inactconns)); -@@ -2568,7 +2568,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get, +@@ -2562,13 +2562,14 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get, + struct ip_vs_dest *dest; + struct ip_vs_dest_entry entry; + ++ memset(&entry, 0, sizeof(entry)); + list_for_each_entry(dest, &svc->destinations, n_list) { + if (count >= get->num_dests) + break; entry.addr = dest->addr.ip; entry.port = dest->port; @@ -88392,7 +88854,7 @@ index 9e2d1cc..7f8f569 100644 entry.weight = atomic_read(&dest->weight); entry.u_threshold = dest->u_threshold; entry.l_threshold = dest->l_threshold; -@@ -3104,7 +3104,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest) +@@ -3104,7 +3105,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest) if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) || nla_put_u16(skb, IPVS_DEST_ATTR_PORT, dest->port) || nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD, @@ -88401,7 +88863,7 @@ index 9e2d1cc..7f8f569 100644 IP_VS_CONN_F_FWD_MASK)) || nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight)) || -@@ -3694,7 +3694,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net) +@@ -3694,7 +3695,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net) { int idx; struct netns_ipvs *ipvs = net_ipvs(net); @@ -88847,7 +89309,7 @@ index 103bd70..f21aad3 100644 *uaddr_len = sizeof(struct sockaddr_ax25); } diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index f83e172..b57140d 100644 +index f83e172..223ffe1 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -1571,7 +1571,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, 
@@ -88887,7 +89349,22 @@ index f83e172..b57140d 100644 msg->msg_flags |= MSG_ERRQUEUE; err = copied; -@@ -3205,7 +3207,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -2769,12 +2771,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, + return -EOPNOTSUPP; + + uaddr->sa_family = AF_PACKET; ++ memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data)); + rcu_read_lock(); + dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex); + if (dev) +- strncpy(uaddr->sa_data, dev->name, 14); +- else +- memset(uaddr->sa_data, 0, 14); ++ strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); + rcu_read_unlock(); + *uaddr_len = sizeof(*uaddr); + +@@ -3205,7 +3206,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); @@ -88896,7 +89373,7 @@ index f83e172..b57140d 100644 return -EFAULT; switch (val) { case TPACKET_V1: -@@ -3247,7 +3249,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3247,7 +3248,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, len = lv; if (put_user(len, optlen)) return -EFAULT; 
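Review bot: `strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));` in `packet_getname_spkt` now always NUL-terminates, so a device name that does not fit in `sa_data` loses one more character than it did with the old `strncpy(..., 14)`, and nothing at the call site says this truncation is expected. A comment such as `/* sa_data is shorter than dev->name: the name may be truncated; the memset above keeps the tail zeroed */` would document both the truncation and why the unconditional `memset` now precedes the device lookup. The function body starts and ends outside the hunk.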
@@ -89432,6 +89909,33 @@ index 391a245..296b3d7 100644 } /* Initialize IPv6 support and register with socket layer. */ +diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c +index 01dca75..e9426bb 100644 +--- a/net/sctp/outqueue.c ++++ b/net/sctp/outqueue.c +@@ -206,6 +206,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary, + */ + void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q) + { ++ memset(q, 0, sizeof(struct sctp_outq)); ++ + q->asoc = asoc; + INIT_LIST_HEAD(&q->out_chunk_list); + INIT_LIST_HEAD(&q->control_chunk_list); +@@ -213,13 +215,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q) + INIT_LIST_HEAD(&q->sacked); + INIT_LIST_HEAD(&q->abandoned); + +- q->fast_rtx = 0; +- q->outstanding_bytes = 0; + q->empty = 1; +- q->cork = 0; +- +- q->malloced = 0; +- q->out_qlen = 0; + } + + /* Free the outqueue structure and any related pending chunks. diff --git a/net/sctp/probe.c b/net/sctp/probe.c index ad0dba8..e62c225 100644 --- a/net/sctp/probe.c @@ -89516,7 +90020,7 @@ index 8aab894..f6b7e7d 100644 sctp_generate_t1_cookie_event, sctp_generate_t1_init_event, diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index b907073..57fef6c 100644 +index b907073..7bea2ca 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -2166,11 +2166,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, 
@@ -89534,7 +90038,20 @@ index b907073..57fef6c 100644 /* * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT, -@@ -4215,13 +4217,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, +@@ -4002,6 +4004,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk) + + /* Release our hold on the endpoint. */ + sp = sctp_sk(sk); ++ /* This could happen during socket init, thus we bail out ++ * early, since the rest of the below is not setup either. ++ */ ++ if (sp->ep == NULL) ++ return; ++ + if (sp->do_auto_asconf) { + sp->do_auto_asconf = 0; + list_del(&sp->auto_asconf_list); +@@ -4215,13 +4223,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -89552,7 +90069,7 @@ index b907073..57fef6c 100644 return -EFAULT; return 0; } -@@ -4239,6 +4244,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, +@@ -4239,6 +4250,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, */ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -89561,7 +90078,7 @@ index b907073..57fef6c 100644 /* Applicable to UDP-style socket only */ if (sctp_style(sk, TCP)) return -EOPNOTSUPP; -@@ -4247,7 +4254,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv +@@ -4247,7 +4260,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv len = sizeof(int); if (put_user(len, optlen)) return -EFAULT; @@ -89571,7 +90088,7 @@ index b907073..57fef6c 100644 return -EFAULT; return 0; } -@@ -4619,12 +4627,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, +@@ -4619,12 +4633,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, */ static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen) { 
@@ -89588,7 +90105,7 @@ index b907073..57fef6c 100644 return -EFAULT; return 0; } -@@ -4665,6 +4676,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, +@@ -4665,6 +4682,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; if (space_left < addrlen) return -ENOMEM; @@ -89620,7 +90137,7 @@ index bf3c6e8..376d8d0 100644 table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL); diff --git a/net/socket.c b/net/socket.c -index 88f759a..c6933de 100644 +index 88f759a..74be616 100644 --- a/net/socket.c +++ b/net/socket.c @@ -88,6 +88,7 @@ @@ -89791,6 +90308,15 @@ index 88f759a..c6933de 100644 int err, err2; int fput_needed; +@@ -1978,7 +2040,7 @@ struct used_address { + unsigned int name_len; + }; + +-static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg, ++static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, + struct msghdr *msg_sys, unsigned int flags, + struct used_address *used_address) + { @@ -2045,7 +2107,7 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg, * checking falls down on this. */ 
@@ -89800,7 +90326,83 @@ index 88f759a..c6933de 100644 ctl_len)) goto out_freectl; msg_sys->msg_control = ctl_buf; -@@ -2185,7 +2247,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2093,20 +2155,28 @@ out: + * BSD sendmsg interface + */ + ++long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags) ++{ ++ int fput_needed, err; ++ struct msghdr msg_sys; ++ struct socket *sock; ++ ++ sock = sockfd_lookup_light(fd, &err, &fput_needed); ++ if (!sock) ++ goto out; ++ ++ err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL); ++ ++ fput_light(sock->file, fput_needed); ++out: ++ return err; ++} ++ + SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags) + { +- int fput_needed, err; +- struct msghdr msg_sys; +- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed); +- +- if (!sock) +- goto out; +- +- err = __sys_sendmsg(sock, msg, &msg_sys, flags, NULL); +- +- fput_light(sock->file, fput_needed); +-out: +- return err; ++ if (flags & MSG_CMSG_COMPAT) ++ return -EINVAL; ++ return __sys_sendmsg(fd, msg, flags); + } + + /* +@@ -2139,15 +2209,16 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, + + while (datagrams < vlen) { + if (MSG_CMSG_COMPAT & flags) { +- err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry, +- &msg_sys, flags, &used_address); ++ err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry, ++ &msg_sys, flags, &used_address); + if (err < 0) + break; + err = __put_user(err, &compat_entry->msg_len); + ++compat_entry; + } else { +- err = __sys_sendmsg(sock, (struct msghdr __user *)entry, +- &msg_sys, flags, &used_address); ++ err = ___sys_sendmsg(sock, ++ (struct msghdr __user *)entry, ++ &msg_sys, flags, &used_address); + if (err < 0) + break; + err = put_user(err, &entry->msg_len); +@@ -2171,10 +2242,12 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, + SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr 
__user *, mmsg, + unsigned int, vlen, unsigned int, flags) + { ++ if (flags & MSG_CMSG_COMPAT) ++ return -EINVAL; + return __sys_sendmmsg(fd, mmsg, vlen, flags); + } + +-static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, ++static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, + struct msghdr *msg_sys, unsigned int flags, int nosec) + { + struct compat_msghdr __user *msg_compat = +@@ -2185,7 +2258,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, int err, total_len, len; /* kernel mode address */ @@ -89809,7 +90411,7 @@ index 88f759a..c6933de 100644 /* user mode address pointers */ struct sockaddr __user *uaddr; -@@ -2213,7 +2275,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2213,7 +2286,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, * kernel msghdr to use the kernel address space) */ 
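Review bot: The rename leaves two functions whose names differ by a single underscore, the static worker `___sys_sendmsg(struct socket *sock, ...)` and the new non-static wrapper `__sys_sendmsg(int fd, ...)`, and the next hunk creates the same pair for recvmsg. The differing parameter lists let the compiler catch a mix-up, but the names are easy to misread in review. A short comment above each wrapper, e.g. `/* fd-based entry shared by the native and compat syscalls; callers must filter MSG_CMSG_COMPAT themselves */`, would state the contract that the guards in the syscall bodies rely on. The wrapper takes `unsigned flags` while the syscall definitions and `__sys_sendmmsg` use `unsigned int flags`; `unsigned int` would match the rest of the file. The prototype that net/compat.c needs for the non-static wrapper is not in this hunk, so it is presumably added in a header elsewhere in the patch.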
@@ -89818,7 +90420,84 @@ index 88f759a..c6933de 100644 uaddr_len = COMPAT_NAMELEN(msg); if (MSG_CMSG_COMPAT & flags) { err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE); -@@ -2952,7 +3014,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, +@@ -2266,21 +2339,29 @@ out: + * BSD recvmsg interface + */ + ++long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags) ++{ ++ int fput_needed, err; ++ struct msghdr msg_sys; ++ struct socket *sock; ++ ++ sock = sockfd_lookup_light(fd, &err, &fput_needed); ++ if (!sock) ++ goto out; ++ ++ err = ___sys_recvmsg(sock, msg, &msg_sys, flags, 0); ++ ++ fput_light(sock->file, fput_needed); ++out: ++ return err; ++} ++ + SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg, + unsigned int, flags) + { +- int fput_needed, err; +- struct msghdr msg_sys; +- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed); +- +- if (!sock) +- goto out; +- +- err = __sys_recvmsg(sock, msg, &msg_sys, flags, 0); +- +- fput_light(sock->file, fput_needed); +-out: +- return err; ++ if (flags & MSG_CMSG_COMPAT) ++ return -EINVAL; ++ return __sys_recvmsg(fd, msg, flags); + } + + /* +@@ -2320,17 +2401,18 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, + * No need to ask LSM for more than the first datagram. 
+ */ + if (MSG_CMSG_COMPAT & flags) { +- err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry, +- &msg_sys, flags & ~MSG_WAITFORONE, +- datagrams); ++ err = ___sys_recvmsg(sock, (struct msghdr __user *)compat_entry, ++ &msg_sys, flags & ~MSG_WAITFORONE, ++ datagrams); + if (err < 0) + break; + err = __put_user(err, &compat_entry->msg_len); + ++compat_entry; + } else { +- err = __sys_recvmsg(sock, (struct msghdr __user *)entry, +- &msg_sys, flags & ~MSG_WAITFORONE, +- datagrams); ++ err = ___sys_recvmsg(sock, ++ (struct msghdr __user *)entry, ++ &msg_sys, flags & ~MSG_WAITFORONE, ++ datagrams); + if (err < 0) + break; + err = put_user(err, &entry->msg_len); +@@ -2397,6 +2479,9 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, + int datagrams; + struct timespec timeout_sys; + ++ if (flags & MSG_CMSG_COMPAT) ++ return -EINVAL; ++ + if (!timeout) + return __sys_recvmmsg(fd, mmsg, vlen, flags, NULL); + +@@ -2952,7 +3037,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); err = dev_ioctl(net, cmd, @@ -89827,7 +90506,7 @@ index 88f759a..c6933de 100644 set_fs(old_fs); return err; -@@ -3061,7 +3123,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, +@@ -3061,7 +3146,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); @@ -89836,7 +90515,7 @@ index 88f759a..c6933de 100644 set_fs(old_fs); if (cmd == SIOCGIFMAP && !err) { -@@ -3166,7 +3228,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, +@@ -3166,7 +3251,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, ret |= __get_user(rtdev, &(ur4->rt_dev)); if (rtdev) { ret |= copy_from_user(devname, compat_ptr(rtdev), 15); 
@@ -89845,7 +90524,7 @@ index 88f759a..c6933de 100644 devname[15] = 0; } else r4.rt_dev = NULL; -@@ -3392,8 +3454,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, +@@ -3392,8 +3477,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, int __user *uoptlen; int err; @@ -89856,7 +90535,7 @@ index 88f759a..c6933de 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) -@@ -3413,7 +3475,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, +@@ -3413,7 +3498,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, char __user *uoptval; int err; |