aboutsummaryrefslogtreecommitdiffstats
path: root/main/linux-grsec
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-06-18 06:47:53 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-06-18 12:24:19 +0000
commitb52eb6193eb9c18980886ff25d2e4e41dd887078 (patch)
tree94f4ffbdefe87c8a6263138f8d7ea6da5c59288a /main/linux-grsec
parentedc3a2b2750975af7ab9550726659cc5055265ca (diff)
downloadaports-b52eb6193eb9c18980886ff25d2e4e41dd887078.tar.bz2
aports-b52eb6193eb9c18980886ff25d2e4e41dd887078.tar.xz
main/linux-grsec: upgrade to 3.9.6 and fix CVE-2013-2851
Diffstat (limited to 'main/linux-grsec')
-rw-r--r--main/linux-grsec/APKBUILD23
-rw-r--r--main/linux-grsec/CVE-2013-2851.patch60
-rw-r--r--main/linux-grsec/grsecurity-2.9.1-3.9.6-201306171904.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.9.5-201306111850.patch)845
3 files changed, 836 insertions, 92 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index bbaacff686..cd5bb17371 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,12 +2,12 @@
_flavor=grsec
pkgname=linux-${_flavor}
-pkgver=3.9.5
+pkgver=3.9.6
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
-pkgrel=1
+pkgrel=0
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9.1-3.9.5-201306111850.patch
+ grsecurity-2.9.1-3.9.6-201306171904.patch
0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
@@ -26,6 +26,8 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
+ CVE-2013-2851.patch
+
kernelconfig.x86
kernelconfig.x86_64
"
@@ -149,35 +151,38 @@ dev() {
}
md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz
-aa22187ae5cd482a69097e9e59244491 patch-3.9.5.xz
-cbc169ce43edf201acb158ce7e468516 grsecurity-2.9.1-3.9.5-201306111850.patch
+897cffc5167a561b38c6748e7f0a4215 patch-3.9.6.xz
+8c9e11d9121958fa866b330ed3dbe4bd grsecurity-2.9.1-3.9.6-201306171904.patch
a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
2a12a3717052e878c0cd42aa935bfcf4 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
6ce5fed63aad3f1a1ff1b9ba7b741822 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
1a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
+eca3b4897b2a2191576ba719609cc654 CVE-2013-2851.patch
3e219a1f25136b204d00865939532fe9 kernelconfig.x86
1d057c89927a68e5f44896887ad3e379 kernelconfig.x86_64"
sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz
-f25145ff6ddde7a633839aabfd97b0d8239e14c494fd16210871229a35c1c0de patch-3.9.5.xz
-12ea825b5494c41529d1b3dda89fe592d6b4fc06d027b2e7f2e9a1ae41c3617c grsecurity-2.9.1-3.9.5-201306111850.patch
+13296dad939ef4e05adba87b9d0476aa8e2ccf92866f14835327dae8a1402fc3 patch-3.9.6.xz
+a14302153a717e8cf8346c44ed4ac620b87a38795afa72c3f61797eab221290d grsecurity-2.9.1-3.9.6-201306171904.patch
6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
260fd1807838b68305a96992bf7d3302a2a8ef3a3b08fe079ba9a07e6422f736 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
+461d159751095d3624d74867dc8b3e3865e3a67c4b3cd48188f5ae2f1f1f66cb CVE-2013-2851.patch
cc3bd3d23f6a73ea6488c158de9d195ad5e3d87859ce02d92a04f0e08c9503d3 kernelconfig.x86
b780ef646b3b30a5b0307102367e17d45bb3a0ab7e37cf92a1ce783c3149243a kernelconfig.x86_64"
sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz
-8e9a064adadd062c7ca52c44de19dfd46b029e60f2832988a606e086b669ea699861ec57732d4abfb16e486f767d123fcfd66da7c2ddde380b7c13582bb44983 patch-3.9.5.xz
-e52a55753c0821c08578924abe2d6ccc02743050e71c827fefd21e616a887e45459f3a7eb56b22b6ec0d25555cbb37f0df5cd1fe695b2277dfd7109f4f84ae8a grsecurity-2.9.1-3.9.5-201306111850.patch
+6c79bde85d86c7e7dca160d5bdd5826ae05ed41cb372d0a94e4f9840413351a8bc1fec50159d59dbac462345bd13c31c6c4d8c47187ee6d87b4d71c8560093da patch-3.9.6.xz
+fe8a4fffb18b6ef88951e97cd20e464674e10d2a6a76a0b17d4922b87b24c6653a81d798f0b93dfb7545da011a29d73dfafd73b258f528bbe81984ef24c137ac grsecurity-2.9.1-3.9.6-201306171904.patch
81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d711e3486628ed56ab996484e219d79ac4b0c0ec684ebd380aa 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
28a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
+5e5c9ac96b87efc811bd612774934a5fb8635a34d7fbe13ea80f5a8da19efa2a71f0bcab08a85224612f332d7485cea1d6cbd4d64644d90a3dd576f3458e5a99 CVE-2013-2851.patch
00fd8694455935f96e46b6624388b8c04af27ce4295040362da78c34bf9f08382bc69c1b8b273145573a59e3b4eecfa251119560da19ab390f171a8a6da18298 kernelconfig.x86
6276f503f9dd7ea228b1661f9a36edcf18d2c4cfb6d9c4e3e1496a4f70709cc693fc8498186d86dd3f303c909c50e478cb95e08a05f50bda77c9cf165aca1ba1 kernelconfig.x86_64"
diff --git a/main/linux-grsec/CVE-2013-2851.patch b/main/linux-grsec/CVE-2013-2851.patch
new file mode 100644
index 0000000000..3407731c7d
--- /dev/null
+++ b/main/linux-grsec/CVE-2013-2851.patch
@@ -0,0 +1,60 @@
+Subject: [PATCH 1/8] block: do not pass disk names as format strings
+
+Disk names may contain arbitrary strings, so they must not be interpreted
+as format strings. It seems that only md allows arbitrary strings to be
+used for disk names, but this could allow for a local memory corruption
+from uid 0 into ring 0.
+
+CVE-2013-2851
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Cc: Jens Axboe <axboe@kernel.dk>
+---
+ block/genhd.c | 2 +-
+ drivers/block/nbd.c | 3 ++-
+ drivers/scsi/osd/osd_uld.c | 2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 20625ee..cdeb527 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
+
+ ddev->parent = disk->driverfs_dev;
+
+- dev_set_name(ddev, disk->disk_name);
++ dev_set_name(ddev, "%s", disk->disk_name);
+
+ /* delay uevents, until we scanned partition table */
+ dev_set_uevent_suppress(ddev, 1);
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 037288e..46b35f7 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
+ else
+ blk_queue_flush(nbd->disk->queue, 0);
+
+- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
++ thread = kthread_create(nbd_thread, nbd, "%s",
++ nbd->disk->disk_name);
+ if (IS_ERR(thread)) {
+ mutex_lock(&nbd->tx_lock);
+ return PTR_ERR(thread);
+diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
+index 0fab6b5..9d86947 100644
+--- a/drivers/scsi/osd/osd_uld.c
++++ b/drivers/scsi/osd/osd_uld.c
+@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
+ oud->class_dev.class = &osd_uld_class;
+ oud->class_dev.parent = dev;
+ oud->class_dev.release = __remove;
+- error = dev_set_name(&oud->class_dev, disk->disk_name);
++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
+ if (error) {
+ OSD_ERR("dev_set_name failed => %d\n", error);
+ goto err_put_cdev;
+--
+1.7.9.5
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.5-201306111850.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.6-201306171904.patch
index 183d9f7a54..430bb2aca9 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.9.5-201306111850.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.9.6-201306171904.patch
@@ -259,7 +259,7 @@ index 8ccbf27..afffeb4 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 8818c95..ced0bb1 100644
+index 4a40307..9ac699b 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -6682,10 +6682,10 @@ index 2e3200c..72095ce 100644
/* Find this entry, or if that fails, the next avail. entry */
while (entry->jump[0]) {
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
-index 16e77a8..4501b41 100644
+index 9600c36..0c156d7 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
-@@ -870,8 +870,8 @@ void show_regs(struct pt_regs * regs)
+@@ -871,8 +871,8 @@ void show_regs(struct pt_regs * regs)
* Lookup NIP late so we have the best change of getting the
* above info out without failing
*/
@@ -6696,7 +6696,7 @@ index 16e77a8..4501b41 100644
#endif
#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
printk("PACATMSCRATCH [%llx]\n", get_paca()->tm_scratch);
-@@ -1330,10 +1330,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
+@@ -1331,10 +1331,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
newsp = stack[0];
ip = stack[STACK_FRAME_LR_SAVE];
if (!firstframe || ip != lr) {
@@ -6709,7 +6709,7 @@ index 16e77a8..4501b41 100644
(void *)current->ret_stack[curr_frame].ret);
curr_frame--;
}
-@@ -1353,7 +1353,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
+@@ -1354,7 +1354,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
struct pt_regs *regs = (struct pt_regs *)
(sp + STACK_FRAME_OVERHEAD);
lr = regs->link;
@@ -6718,7 +6718,7 @@ index 16e77a8..4501b41 100644
regs->trap, (void *)regs->nip, (void *)lr);
firstframe = 1;
}
-@@ -1395,58 +1395,3 @@ void __ppc64_runlatch_off(void)
+@@ -1396,58 +1396,3 @@ void __ppc64_runlatch_off(void)
mtspr(SPRN_CTRLT, ctrl);
}
#endif /* CONFIG_PPC64 */
@@ -6856,7 +6856,7 @@ index 3ce1f86..c30e629 100644
};
diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
-index 1c22b2d..3b56e67 100644
+index 29857c6..bd31e27 100644
--- a/arch/powerpc/kernel/traps.c
+++ b/arch/powerpc/kernel/traps.c
@@ -142,6 +142,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs)
@@ -31363,10 +31363,10 @@ index e006c18..b9a7d6c 100644
.alloc_pud = xen_alloc_pmd_init,
.release_pud = xen_release_pmd_init,
diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
-index 22c800a..8915f1e 100644
+index 96c4e85..284fded 100644
--- a/arch/x86/xen/smp.c
+++ b/arch/x86/xen/smp.c
-@@ -229,11 +229,6 @@ static void __init xen_smp_prepare_boot_cpu(void)
+@@ -230,11 +230,6 @@ static void __init xen_smp_prepare_boot_cpu(void)
{
BUG_ON(smp_processor_id() != 0);
native_smp_prepare_boot_cpu();
@@ -31378,7 +31378,7 @@ index 22c800a..8915f1e 100644
xen_filter_cpu_maps();
xen_setup_vcpu_info_placement();
}
-@@ -303,7 +298,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
+@@ -304,7 +299,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
ctxt->user_regs.ss = __KERNEL_DS;
#ifdef CONFIG_X86_32
ctxt->user_regs.fs = __KERNEL_PERCPU;
@@ -31387,7 +31387,7 @@ index 22c800a..8915f1e 100644
#else
ctxt->gs_base_kernel = per_cpu_offset(cpu);
#endif
-@@ -313,8 +308,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
+@@ -314,8 +309,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
{
ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */
@@ -31398,7 +31398,7 @@ index 22c800a..8915f1e 100644
xen_copy_trap_info(ctxt->trap_ctxt);
-@@ -359,13 +354,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle)
+@@ -360,13 +355,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle)
int rc;
per_cpu(current_task, cpu) = idle;
@@ -31414,7 +31414,7 @@ index 22c800a..8915f1e 100644
#endif
xen_setup_runstate_info(cpu);
xen_setup_timer(cpu);
-@@ -634,7 +628,7 @@ static const struct smp_ops xen_smp_ops __initconst = {
+@@ -642,7 +636,7 @@ static const struct smp_ops xen_smp_ops __initconst = {
void __init xen_smp_init(void)
{
@@ -33945,7 +33945,7 @@ index 2c644af..d4d7f17 100644
static int memory_open(struct inode *inode, struct file *filp)
diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c
-index c689697..04e6d6a 100644
+index c689697..04e6d6a2 100644
--- a/drivers/char/mwave/tp3780i.c
+++ b/drivers/char/mwave/tp3780i.c
@@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities
@@ -34259,7 +34259,7 @@ index ade7513..069445f 100644
};
diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
-index 57a8774..545e993 100644
+index bb5939b..d9accb7 100644
--- a/drivers/cpufreq/acpi-cpufreq.c
+++ b/drivers/cpufreq/acpi-cpufreq.c
@@ -172,7 +172,7 @@ static ssize_t show_global_boost(struct kobject *kobj,
@@ -35394,10 +35394,10 @@ index 3c7bb04..182e049 100644
iir = I915_READ(IIR);
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index c2d173a..f4357cc 100644
+index 2ab65b4..acbd821 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -8722,13 +8722,13 @@ struct intel_quirk {
+@@ -8742,13 +8742,13 @@ struct intel_quirk {
int subsystem_vendor;
int subsystem_device;
void (*hook)(struct drm_device *dev);
@@ -35413,7 +35413,7 @@ index c2d173a..f4357cc 100644
static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
{
-@@ -8736,18 +8736,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
+@@ -8756,18 +8756,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
return 1;
}
@@ -35927,7 +35927,7 @@ index 6c0ce89..66f6d65 100644
#endif
return radeon_debugfs_add_files(rdev, radeon_mem_types_list, i);
diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c
-index 5706d2a..17aedaa 100644
+index fad6633..4ff94de 100644
--- a/drivers/gpu/drm/radeon/rs690.c
+++ b/drivers/gpu/drm/radeon/rs690.c
@@ -304,9 +304,11 @@ static void rs690_crtc_bandwidth_compute(struct radeon_device *rdev,
@@ -39635,6 +39635,19 @@ index 25309bf..fcfd54c 100644
#define CHIPREV_ID_5750_C2 0x4202
#define CHIPREV_ID_5752_A0_HW 0x5000
#define CHIPREV_ID_5752_A0 0x6000
+diff --git a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
+index 6e8bc9d..94d957d 100644
+--- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
++++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
+@@ -244,7 +244,7 @@ bnad_debugfs_lseek(struct file *file, loff_t offset, int orig)
+ file->f_pos += offset;
+ break;
+ case 2:
+- file->f_pos = debug->buffer_len - offset;
++ file->f_pos = debug->buffer_len + offset;
+ break;
+ default:
+ return -EINVAL;
diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
index 8cffcdf..aadf043 100644
--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
@@ -40374,6 +40387,19 @@ index 784e81c..349e01e 100644
struct ath_nf_limits {
s16 max;
+diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
+index 64b637a..911c4c0 100644
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -2451,7 +2451,7 @@ static void b43_request_firmware(struct work_struct *work)
+ for (i = 0; i < B43_NR_FWTYPES; i++) {
+ errmsg = ctx->errors[i];
+ if (strlen(errmsg))
+- b43err(dev->wl, errmsg);
++ b43err(dev->wl, "%s", errmsg);
+ }
+ b43_print_fw_helptext(dev->wl, 1);
+ goto out;
diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c
index c353b5f..62aaca2 100644
--- a/drivers/net/wireless/iwlegacy/3945-mac.c
@@ -40575,6 +40601,46 @@ index 2b49f48..14fc244 100644
}
spin_lock_init(&hwsim_radio_lock);
+diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c
+index 753b568..a5f9875 100644
+--- a/drivers/net/wireless/mwifiex/debugfs.c
++++ b/drivers/net/wireless/mwifiex/debugfs.c
+@@ -26,10 +26,17 @@
+ static struct dentry *mwifiex_dfs_dir;
+
+ static char *bss_modes[] = {
+- "Unknown",
+- "Ad-hoc",
+- "Managed",
+- "Auto"
++ "UNSPECIFIED",
++ "ADHOC",
++ "STATION",
++ "AP",
++ "AP_VLAN",
++ "WDS",
++ "MONITOR",
++ "MESH_POINT",
++ "P2P_CLIENT",
++ "P2P_GO",
++ "P2P_DEVICE",
+ };
+
+ /* size/addr for mwifiex_debug_info */
+@@ -200,7 +207,12 @@ mwifiex_info_read(struct file *file, char __user *ubuf,
+ p += sprintf(p, "driver_version = %s", fmt);
+ p += sprintf(p, "\nverext = %s", priv->version_str);
+ p += sprintf(p, "\ninterface_name=\"%s\"\n", netdev->name);
+- p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]);
++
++ if (info.bss_mode >= ARRAY_SIZE(bss_modes))
++ p += sprintf(p, "bss_mode=\"%d\"\n", info.bss_mode);
++ else
++ p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]);
++
+ p += sprintf(p, "media_state=\"%s\"\n",
+ (!priv->media_connected ? "Disconnected" : "Connected"));
+ p += sprintf(p, "mac_address=\"%pM\"\n", netdev->dev_addr);
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index 525fd75..6c9f791 100644
--- a/drivers/net/wireless/rndis_wlan.c
@@ -41068,7 +41134,7 @@ index d320df6..ca9a8f6 100644
#define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
-index 5427787..8df273b 100644
+index 563771f..4e3c368 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -173,7 +173,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
@@ -41613,6 +41679,32 @@ index 23a90e7..9cf04ee 100644
/*
* Queue element to wait for room in request queue. FIFO order is
+diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c
+index 439c012..b63d534 100644
+--- a/drivers/scsi/bfa/bfad_debugfs.c
++++ b/drivers/scsi/bfa/bfad_debugfs.c
+@@ -186,7 +186,7 @@ bfad_debugfs_lseek(struct file *file, loff_t offset, int orig)
+ file->f_pos += offset;
+ break;
+ case 2:
+- file->f_pos = debug->buffer_len - offset;
++ file->f_pos = debug->buffer_len + offset;
+ break;
+ default:
+ return -EINVAL;
+diff --git a/drivers/scsi/fnic/fnic_debugfs.c b/drivers/scsi/fnic/fnic_debugfs.c
+index adc1f7f..85e1ffd 100644
+--- a/drivers/scsi/fnic/fnic_debugfs.c
++++ b/drivers/scsi/fnic/fnic_debugfs.c
+@@ -174,7 +174,7 @@ static loff_t fnic_trace_debugfs_lseek(struct file *file,
+ pos = file->f_pos + offset;
+ break;
+ case 2:
+- pos = fnic_dbg_prt->buffer_len - offset;
++ pos = fnic_dbg_prt->buffer_len + offset;
+ }
+ return (pos < 0 || pos > fnic_dbg_prt->buffer_len) ?
+ -EINVAL : (file->f_pos = pos);
diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index df0c3c7..b00e1d0 100644
--- a/drivers/scsi/hosts.c
@@ -41967,7 +42059,7 @@ index 7706c99..3b4fc0c 100644
struct dentry *idiag_root;
struct dentry *idiag_pci_cfg;
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
-index f63f5ff..de29189 100644
+index f63f5ff..32549a4 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc,
@@ -42031,6 +42123,15 @@ index f63f5ff..de29189 100644
dtp->jif = jiffies;
#endif
return;
+@@ -1178,7 +1178,7 @@ lpfc_debugfs_lseek(struct file *file, loff_t off, int whence)
+ pos = file->f_pos + off;
+ break;
+ case 2:
+- pos = debug->len - off;
++ pos = debug->len + off;
+ }
+ return (pos < 0 || pos > debug->len) ? -EINVAL : (file->f_pos = pos);
+ }
@@ -4182,7 +4182,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
"slow_ring buffer\n");
goto debug_failed;
@@ -51123,6 +51224,45 @@ index f3190ab..84ffb21 100644
trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
return 0;
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 3beae6a..8cc5637 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -79,12 +79,20 @@ static int verify_group_input(struct super_block *sb,
+ ext4_fsblk_t end = start + input->blocks_count;
+ ext4_group_t group = input->group;
+ ext4_fsblk_t itend = input->inode_table + sbi->s_itb_per_group;
+- unsigned overhead = ext4_group_overhead_blocks(sb, group);
+- ext4_fsblk_t metaend = start + overhead;
++ unsigned overhead;
++ ext4_fsblk_t metaend;
+ struct buffer_head *bh = NULL;
+ ext4_grpblk_t free_blocks_count, offset;
+ int err = -EINVAL;
+
++ if (group != sbi->s_groups_count) {
++ ext4_warning(sb, "Cannot add at group %u (only %u groups)",
++ input->group, sbi->s_groups_count);
++ return -EINVAL;
++ }
++
++ overhead = ext4_group_overhead_blocks(sb, group);
++ metaend = start + overhead;
+ input->free_blocks_count = free_blocks_count =
+ input->blocks_count - 2 - overhead - sbi->s_itb_per_group;
+
+@@ -96,10 +104,7 @@ static int verify_group_input(struct super_block *sb,
+ free_blocks_count, input->reserved_blocks);
+
+ ext4_get_group_no_and_offset(sb, start, NULL, &offset);
+- if (group != sbi->s_groups_count)
+- ext4_warning(sb, "Cannot add at group %u (only %u groups)",
+- input->group, sbi->s_groups_count);
+- else if (offset != 0)
++ if (offset != 0)
+ ext4_warning(sb, "Last group not full");
+ else if (input->reserved_blocks > input->blocks_count / 5)
+ ext4_warning(sb, "Reserved blocks too high (%u)",
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index febbe0e..782c4fd 100644
--- a/fs/ext4/super.c
@@ -71468,6 +71608,20 @@ index e8d702e..0a56eb4 100644
int sock_diag_register(const struct sock_diag_handler *h);
void sock_diag_unregister(const struct sock_diag_handler *h);
+diff --git a/include/linux/socket.h b/include/linux/socket.h
+index 2b9f74b..e897bdc 100644
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -321,6 +321,9 @@ extern int put_cmsg(struct msghdr*, int level, int type, int len, void *data);
+
+ struct timespec;
+
++/* The __sys_...msg variants allow MSG_CMSG_COMPAT */
++extern long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags);
++extern long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags);
+ extern int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+ unsigned int flags, struct timespec *timeout);
+ extern int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg,
diff --git a/include/linux/sonet.h b/include/linux/sonet.h
index 680f9a3..f13aeb0 100644
--- a/include/linux/sonet.h
@@ -74611,7 +74765,7 @@ index 00eb8f7..d7e3244 100644
#ifdef CONFIG_MODULE_UNLOAD
{
diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 9fcb094..8370228 100644
+index 9fcb094..353baaaf 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -154,8 +154,15 @@ static struct srcu_struct pmus_srcu;
@@ -74623,7 +74777,7 @@ index 9fcb094..8370228 100644
-int sysctl_perf_event_paranoid __read_mostly = 1;
+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
+int sysctl_perf_event_legitimately_concerned __read_mostly = 3;
-+#elif CONFIG_GRKERNSEC_HIDESYM
++#elif defined(CONFIG_GRKERNSEC_HIDESYM)
+int sysctl_perf_event_legitimately_concerned __read_mostly = 2;
+#else
+int sysctl_perf_event_legitimately_concerned __read_mostly = 1;
@@ -78324,7 +78478,7 @@ index 02fc5c9..e54c335 100644
mutex_unlock(&smpboot_threads_lock);
put_online_cpus();
diff --git a/kernel/softirq.c b/kernel/softirq.c
-index 14d7758..012121f 100644
+index d93dcb1..1cd8a71 100644
--- a/kernel/softirq.c
+++ b/kernel/softirq.c
@@ -53,11 +53,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned;
@@ -78341,7 +78495,7 @@ index 14d7758..012121f 100644
"HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
"TASKLET", "SCHED", "HRTIMER", "RCU"
};
-@@ -244,7 +244,7 @@ restart:
+@@ -250,7 +250,7 @@ restart:
kstat_incr_softirqs_this_cpu(vec_nr);
trace_softirq_entry(vec_nr);
@@ -78350,7 +78504,7 @@ index 14d7758..012121f 100644
trace_softirq_exit(vec_nr);
if (unlikely(prev_count != preempt_count())) {
printk(KERN_ERR "huh, entered softirq %u %s %p"
-@@ -389,7 +389,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+@@ -396,7 +396,7 @@ void __raise_softirq_irqoff(unsigned int nr)
or_softirq_pending(1UL << nr);
}
@@ -78359,7 +78513,7 @@ index 14d7758..012121f 100644
{
softirq_vec[nr].action = action;
}
-@@ -445,7 +445,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t)
+@@ -452,7 +452,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t)
EXPORT_SYMBOL(__tasklet_hi_schedule_first);
@@ -78368,7 +78522,7 @@ index 14d7758..012121f 100644
{
struct tasklet_struct *list;
-@@ -480,7 +480,7 @@ static void tasklet_action(struct softirq_action *a)
+@@ -487,7 +487,7 @@ static void tasklet_action(struct softirq_action *a)
}
}
@@ -78377,7 +78531,7 @@ index 14d7758..012121f 100644
{
struct tasklet_struct *list;
-@@ -716,7 +716,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self,
+@@ -723,7 +723,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self,
return NOTIFY_OK;
}
@@ -78386,7 +78540,7 @@ index 14d7758..012121f 100644
.notifier_call = remote_softirq_cpu_notify,
};
-@@ -833,11 +833,11 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb,
+@@ -840,11 +840,11 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb,
return NOTIFY_OK;
}
@@ -78912,7 +79066,7 @@ index 90ad470..1814e9a 100644
tick_broadcast_clear_oneshot(cpu);
} else {
diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
-index 9a0bc98..fceb7d0 100644
+index 183df62..59b1442 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -15,6 +15,7 @@
@@ -81653,7 +81807,7 @@ index 79b7cf7..9944291 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
-index 0dceed8..671951c 100644
+index 0dceed8..e7cfc40 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -33,6 +33,7 @@
@@ -82402,11 +82556,10 @@ index 0dceed8..671951c 100644
size = vma->vm_end - address;
grow = (vma->vm_start - address) >> PAGE_SHIFT;
-@@ -2184,6 +2492,18 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2184,13 +2492,27 @@ int expand_downwards(struct vm_area_struct *vma,
vma->vm_pgoff -= grow;
anon_vma_interval_tree_post_update_vma(vma);
vma_gap_update(vma);
-+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ if (vma_m) {
@@ -82420,8 +82573,18 @@ index 0dceed8..671951c 100644
+
spin_unlock(&vma->vm_mm->page_table_lock);
++ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
perf_event_mmap(vma);
-@@ -2288,6 +2608,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
+ }
+ }
+ }
+ vma_unlock_anon_vma(vma);
++ if (lockprev)
++ vma_unlock_anon_vma(prev);
+ khugepaged_enter_vma_merge(vma);
+ validate_mm(vma->vm_mm);
+ return error;
+@@ -2288,6 +2610,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
do {
long nrpages = vma_pages(vma);
@@ -82435,7 +82598,7 @@ index 0dceed8..671951c 100644
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += nrpages;
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
-@@ -2333,6 +2660,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2333,6 +2662,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
vma->vm_prev = NULL;
do {
@@ -82452,7 +82615,7 @@ index 0dceed8..671951c 100644
vma_rb_erase(vma, &mm->mm_rb);
mm->map_count--;
tail_vma = vma;
-@@ -2364,14 +2701,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2364,14 +2703,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
struct vm_area_struct *new;
int err = -ENOMEM;
@@ -82486,7 +82649,7 @@ index 0dceed8..671951c 100644
/* most fields are the same, copy all, and then fixup */
*new = *vma;
-@@ -2384,6 +2740,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2384,6 +2742,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
}
@@ -82509,7 +82672,7 @@ index 0dceed8..671951c 100644
pol = mpol_dup(vma_policy(vma));
if (IS_ERR(pol)) {
err = PTR_ERR(pol);
-@@ -2406,6 +2778,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2406,6 +2780,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
else
err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
@@ -82546,7 +82709,7 @@ index 0dceed8..671951c 100644
/* Success. */
if (!err)
return 0;
-@@ -2415,10 +2817,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2415,10 +2819,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_ops->close(new);
if (new->vm_file)
fput(new->vm_file);
@@ -82566,7 +82729,7 @@ index 0dceed8..671951c 100644
kmem_cache_free(vm_area_cachep, new);
out_err:
return err;
-@@ -2431,6 +2841,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2431,6 +2843,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, int new_below)
{
@@ -82582,7 +82745,7 @@ index 0dceed8..671951c 100644
if (mm->map_count >= sysctl_max_map_count)
return -ENOMEM;
-@@ -2442,11 +2861,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2442,11 +2863,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
* work. This now handles partial unmappings.
* Jeremy Fitzhardinge <jeremy@goop.org>
*/
@@ -82613,7 +82776,7 @@ index 0dceed8..671951c 100644
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
return -EINVAL;
-@@ -2521,6 +2959,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
+@@ -2521,6 +2961,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
/* Fix up all other VM information */
remove_vma_list(mm, vma);
@@ -82622,7 +82785,7 @@ index 0dceed8..671951c 100644
return 0;
}
-@@ -2529,6 +2969,13 @@ int vm_munmap(unsigned long start, size_t len)
+@@ -2529,6 +2971,13 @@ int vm_munmap(unsigned long start, size_t len)
int ret;
struct mm_struct *mm = current->mm;
@@ -82636,7 +82799,7 @@ index 0dceed8..671951c 100644
down_write(&mm->mmap_sem);
ret = do_munmap(mm, start, len);
up_write(&mm->mmap_sem);
-@@ -2542,16 +2989,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
+@@ -2542,16 +2991,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
return vm_munmap(addr, len);
}
@@ -82653,7 +82816,7 @@ index 0dceed8..671951c 100644
/*
* this is really a simplified "do_mmap". it only handles
* anonymous maps. eventually we may be able to do some
-@@ -2565,6 +3002,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2565,6 +3004,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
struct rb_node ** rb_link, * rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
@@ -82661,7 +82824,7 @@ index 0dceed8..671951c 100644
len = PAGE_ALIGN(len);
if (!len)
-@@ -2572,16 +3010,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2572,16 +3012,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
@@ -82693,7 +82856,7 @@ index 0dceed8..671951c 100644
locked += mm->locked_vm;
lock_limit = rlimit(RLIMIT_MEMLOCK);
lock_limit >>= PAGE_SHIFT;
-@@ -2598,21 +3050,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2598,21 +3052,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
/*
* Clear old maps. this also does some error checking for us
*/
@@ -82718,7 +82881,7 @@ index 0dceed8..671951c 100644
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
-@@ -2626,7 +3077,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2626,7 +3079,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
*/
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
if (!vma) {
@@ -82727,7 +82890,7 @@ index 0dceed8..671951c 100644
return -ENOMEM;
}
-@@ -2640,9 +3091,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2640,9 +3093,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
perf_event_mmap(vma);
@@ -82740,7 +82903,7 @@ index 0dceed8..671951c 100644
return addr;
}
-@@ -2704,6 +3156,7 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2704,6 +3158,7 @@ void exit_mmap(struct mm_struct *mm)
while (vma) {
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += vma_pages(vma);
@@ -82748,7 +82911,7 @@ index 0dceed8..671951c 100644
vma = remove_vma(vma);
}
vm_unacct_memory(nr_accounted);
-@@ -2720,6 +3173,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2720,6 +3175,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
struct vm_area_struct *prev;
struct rb_node **rb_link, *rb_parent;
@@ -82762,7 +82925,7 @@ index 0dceed8..671951c 100644
/*
* The vm_pgoff of a purely anonymous vma should be irrelevant
* until its first write fault, when page's anon_vma and index
-@@ -2743,7 +3203,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2743,7 +3205,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
security_vm_enough_memory_mm(mm, vma_pages(vma)))
return -ENOMEM;
@@ -82784,7 +82947,7 @@ index 0dceed8..671951c 100644
return 0;
}
-@@ -2763,6 +3237,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2763,6 +3239,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
struct mempolicy *pol;
bool faulted_in_anon_vma = true;
@@ -82793,7 +82956,7 @@ index 0dceed8..671951c 100644
/*
* If anonymous vma has not yet been faulted, update new pgoff
* to match new location, to increase its chance of merging.
-@@ -2829,6 +3305,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2829,6 +3307,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
return NULL;
}
@@ -82833,7 +82996,7 @@ index 0dceed8..671951c 100644
/*
* Return true if the calling process may expand its vm space by the passed
* number of pages
-@@ -2840,6 +3349,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
+@@ -2840,6 +3351,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
@@ -82841,7 +83004,7 @@ index 0dceed8..671951c 100644
if (cur + npages > lim)
return 0;
return 1;
-@@ -2910,6 +3420,22 @@ int install_special_mapping(struct mm_struct *mm,
+@@ -2910,6 +3422,22 @@ int install_special_mapping(struct mm_struct *mm,
vma->vm_start = addr;
vma->vm_end = addr + len;
@@ -85239,7 +85402,7 @@ index 6a93614..1415549 100644
err = -EFAULT;
break;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
-index 7c7e932..7a7815d 100644
+index 7c7e932..8d23158 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3395,8 +3395,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
@@ -85255,6 +85418,223 @@ index 7c7e932..7a7815d 100644
if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
rfc.mode != chan->mode)
+@@ -3568,10 +3570,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
+ }
+
+ static inline int l2cap_command_rej(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
+
++ if (cmd_len < sizeof(*rej))
++ return -EPROTO;
++
+ if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
+ return 0;
+
+@@ -3720,11 +3726,14 @@ sendresp:
+ }
+
+ static int l2cap_connect_req(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
+ {
+ struct hci_dev *hdev = conn->hcon->hdev;
+ struct hci_conn *hcon = conn->hcon;
+
++ if (cmd_len < sizeof(struct l2cap_conn_req))
++ return -EPROTO;
++
+ hci_dev_lock(hdev);
+ if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
+ !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
+@@ -3738,7 +3747,8 @@ static int l2cap_connect_req(struct l2cap_conn *conn,
+ }
+
+ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
+ u16 scid, dcid, result, status;
+@@ -3746,6 +3756,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+ u8 req[128];
+ int err;
+
++ if (cmd_len < sizeof(*rsp))
++ return -EPROTO;
++
+ scid = __le16_to_cpu(rsp->scid);
+ dcid = __le16_to_cpu(rsp->dcid);
+ result = __le16_to_cpu(rsp->result);
+@@ -3843,6 +3856,9 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
+ struct l2cap_chan *chan;
+ int len, err = 0;
+
++ if (cmd_len < sizeof(*req))
++ return -EPROTO;
++
+ dcid = __le16_to_cpu(req->dcid);
+ flags = __le16_to_cpu(req->flags);
+
+@@ -3866,7 +3882,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
+
+ /* Reject if config buffer is too small. */
+ len = cmd_len - sizeof(*req);
+- if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
++ if (chan->conf_len + len > sizeof(chan->conf_req)) {
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ l2cap_build_conf_rsp(chan, rsp,
+ L2CAP_CONF_REJECT, flags), rsp);
+@@ -3944,14 +3960,18 @@ unlock:
+ }
+
+ static inline int l2cap_config_rsp(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
+ u16 scid, flags, result;
+ struct l2cap_chan *chan;
+- int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
++ int len = cmd_len - sizeof(*rsp);
+ int err = 0;
+
++ if (cmd_len < sizeof(*rsp))
++ return -EPROTO;
++
+ scid = __le16_to_cpu(rsp->scid);
+ flags = __le16_to_cpu(rsp->flags);
+ result = __le16_to_cpu(rsp->result);
+@@ -4052,7 +4072,8 @@ done:
+ }
+
+ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
+ struct l2cap_disconn_rsp rsp;
+@@ -4060,6 +4081,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
+ struct l2cap_chan *chan;
+ struct sock *sk;
+
++ if (cmd_len != sizeof(*req))
++ return -EPROTO;
++
+ scid = __le16_to_cpu(req->scid);
+ dcid = __le16_to_cpu(req->dcid);
+
+@@ -4099,12 +4123,16 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
+ }
+
+ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
+ u16 dcid, scid;
+ struct l2cap_chan *chan;
+
++ if (cmd_len != sizeof(*rsp))
++ return -EPROTO;
++
+ scid = __le16_to_cpu(rsp->scid);
+ dcid = __le16_to_cpu(rsp->dcid);
+
+@@ -4134,11 +4162,15 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+ }
+
+ static inline int l2cap_information_req(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_info_req *req = (struct l2cap_info_req *) data;
+ u16 type;
+
++ if (cmd_len != sizeof(*req))
++ return -EPROTO;
++
+ type = __le16_to_cpu(req->type);
+
+ BT_DBG("type 0x%4.4x", type);
+@@ -4185,11 +4217,15 @@ static inline int l2cap_information_req(struct l2cap_conn *conn,
+ }
+
+ static inline int l2cap_information_rsp(struct l2cap_conn *conn,
+- struct l2cap_cmd_hdr *cmd, u8 *data)
++ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++ u8 *data)
+ {
+ struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
+ u16 type, result;
+
++ if (cmd_len != sizeof(*rsp))
++ return -EPROTO;
++
+ type = __le16_to_cpu(rsp->type);
+ result = __le16_to_cpu(rsp->result);
+
+@@ -5055,16 +5091,16 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+
+ switch (cmd->code) {
+ case L2CAP_COMMAND_REJ:
+- l2cap_command_rej(conn, cmd, data);
++ l2cap_command_rej(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_CONN_REQ:
+- err = l2cap_connect_req(conn, cmd, data);
++ err = l2cap_connect_req(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_CONN_RSP:
+ case L2CAP_CREATE_CHAN_RSP:
+- err = l2cap_connect_create_rsp(conn, cmd, data);
++ err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_CONF_REQ:
+@@ -5072,15 +5108,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+ break;
+
+ case L2CAP_CONF_RSP:
+- err = l2cap_config_rsp(conn, cmd, data);
++ err = l2cap_config_rsp(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_DISCONN_REQ:
+- err = l2cap_disconnect_req(conn, cmd, data);
++ err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_DISCONN_RSP:
+- err = l2cap_disconnect_rsp(conn, cmd, data);
++ err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_ECHO_REQ:
+@@ -5091,11 +5127,11 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+ break;
+
+ case L2CAP_INFO_REQ:
+- err = l2cap_information_req(conn, cmd, data);
++ err = l2cap_information_req(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_INFO_RSP:
+- err = l2cap_information_rsp(conn, cmd, data);
++ err = l2cap_information_rsp(conn, cmd, cmd_len, data);
+ break;
+
+ case L2CAP_CREATE_CHAN_REQ:
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 1bcfb84..dad9f98 100644
--- a/net/bluetooth/l2cap_sock.c
@@ -85486,7 +85866,7 @@ index 117814a..ad4fb73 100644
if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
diff --git a/net/compat.c b/net/compat.c
-index 79ae884..17c5c09 100644
+index 79ae884..0541331 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
@@ -85616,7 +85996,45 @@ index 79ae884..17c5c09 100644
struct group_filter __user *kgf;
int __user *koptlen;
u32 interface, fmode, numsrc;
-@@ -796,7 +796,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
+@@ -734,19 +734,25 @@ static unsigned char nas[21] = {
+
+ asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
+ {
+- return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
++ return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+ }
+
+ asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+ unsigned int vlen, unsigned int flags)
+ {
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
+ return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ flags | MSG_CMSG_COMPAT);
+ }
+
+ asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
+ {
+- return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
++ return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+ }
+
+ asmlinkage long compat_sys_recv(int fd, void __user *buf, size_t len, unsigned int flags)
+@@ -768,6 +774,9 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+ int datagrams;
+ struct timespec ktspec;
+
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
++
+ if (COMPAT_USE_64BIT_TIME)
+ return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ flags | MSG_CMSG_COMPAT,
+@@ -796,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
if (call < SYS_SOCKET || call > SYS_SENDMMSG)
return -EINVAL;
@@ -86559,7 +86977,7 @@ index d9c4f11..02b82dbc 100644
msg.msg_flags = flags;
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
-index c3a4233..1412161 100644
+index c3a4233..7df5626 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -47,7 +47,7 @@
@@ -86571,7 +86989,17 @@ index c3a4233..1412161 100644
static int vti_net_id __read_mostly;
struct vti_net {
-@@ -886,7 +886,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = {
+@@ -399,8 +399,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
+ tunnel->err_count = 0;
+ }
+
+- IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
+- IPSKB_REROUTED);
++ memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+ skb_dst_drop(skb);
+ skb_dst_set(skb, &rt->dst);
+ nf_reset(skb);
+@@ -886,7 +885,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = {
[IFLA_VTI_REMOTE] = { .len = FIELD_SIZEOF(struct iphdr, daddr) },
};
@@ -88040,6 +88468,33 @@ index 5b1e5af..2358147 100644
} while (!res);
return res;
}
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 637a341..8dec687 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -346,19 +346,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
+ skb_put(skb, 2);
+
+ /* Copy user data into skb */
+- error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
++ error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
++ total_len);
+ if (error < 0) {
+ kfree_skb(skb);
+ goto error_put_sess_tun;
+ }
+- skb_put(skb, total_len);
+
+ l2tp_xmit_skb(session, skb, session->hdr_len);
+
+ sock_put(ps->tunnel_sock);
+ sock_put(sk);
+
+- return error;
++ return total_len;
+
+ error_put_sess_tun:
+ sock_put(ps->tunnel_sock);
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 843d8c4..cb04fa1 100644
--- a/net/mac80211/cfg.c
@@ -88344,7 +88799,7 @@ index 61f49d2..6c8c5bc 100644
if (ipvs->sync_state & IP_VS_STATE_MASTER)
ip_vs_sync_conn(net, cp, pkts);
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
-index 9e2d1cc..7f8f569 100644
+index 9e2d1cc..6ed0748 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -787,7 +787,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
@@ -88383,7 +88838,14 @@ index 9e2d1cc..7f8f569 100644
atomic_read(&dest->weight),
atomic_read(&dest->activeconns),
atomic_read(&dest->inactconns));
-@@ -2568,7 +2568,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
+@@ -2562,13 +2562,14 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
+ struct ip_vs_dest *dest;
+ struct ip_vs_dest_entry entry;
+
++ memset(&entry, 0, sizeof(entry));
+ list_for_each_entry(dest, &svc->destinations, n_list) {
+ if (count >= get->num_dests)
+ break;
entry.addr = dest->addr.ip;
entry.port = dest->port;
@@ -88392,7 +88854,7 @@ index 9e2d1cc..7f8f569 100644
entry.weight = atomic_read(&dest->weight);
entry.u_threshold = dest->u_threshold;
entry.l_threshold = dest->l_threshold;
-@@ -3104,7 +3104,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
+@@ -3104,7 +3105,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) ||
nla_put_u16(skb, IPVS_DEST_ATTR_PORT, dest->port) ||
nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD,
@@ -88401,7 +88863,7 @@ index 9e2d1cc..7f8f569 100644
IP_VS_CONN_F_FWD_MASK)) ||
nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
atomic_read(&dest->weight)) ||
-@@ -3694,7 +3694,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
+@@ -3694,7 +3695,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
{
int idx;
struct netns_ipvs *ipvs = net_ipvs(net);
@@ -88847,7 +89309,7 @@ index 103bd70..f21aad3 100644
*uaddr_len = sizeof(struct sockaddr_ax25);
}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index f83e172..b57140d 100644
+index f83e172..223ffe1 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1571,7 +1571,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
@@ -88887,7 +89349,22 @@ index f83e172..b57140d 100644
msg->msg_flags |= MSG_ERRQUEUE;
err = copied;
-@@ -3205,7 +3207,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -2769,12 +2771,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
+ return -EOPNOTSUPP;
+
+ uaddr->sa_family = AF_PACKET;
++ memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
+ rcu_read_lock();
+ dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
+ if (dev)
+- strncpy(uaddr->sa_data, dev->name, 14);
+- else
+- memset(uaddr->sa_data, 0, 14);
++ strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
+ rcu_read_unlock();
+ *uaddr_len = sizeof(*uaddr);
+
+@@ -3205,7 +3206,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
case PACKET_HDRLEN:
if (len > sizeof(int))
len = sizeof(int);
@@ -88896,7 +89373,7 @@ index f83e172..b57140d 100644
return -EFAULT;
switch (val) {
case TPACKET_V1:
-@@ -3247,7 +3249,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3247,7 +3248,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
len = lv;
if (put_user(len, optlen))
return -EFAULT;
@@ -89432,6 +89909,33 @@ index 391a245..296b3d7 100644
}
/* Initialize IPv6 support and register with socket layer. */
+diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
+index 01dca75..e9426bb 100644
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -206,6 +206,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary,
+ */
+ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ {
++ memset(q, 0, sizeof(struct sctp_outq));
++
+ q->asoc = asoc;
+ INIT_LIST_HEAD(&q->out_chunk_list);
+ INIT_LIST_HEAD(&q->control_chunk_list);
+@@ -213,13 +215,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ INIT_LIST_HEAD(&q->sacked);
+ INIT_LIST_HEAD(&q->abandoned);
+
+- q->fast_rtx = 0;
+- q->outstanding_bytes = 0;
+ q->empty = 1;
+- q->cork = 0;
+-
+- q->malloced = 0;
+- q->out_qlen = 0;
+ }
+
+ /* Free the outqueue structure and any related pending chunks.
diff --git a/net/sctp/probe.c b/net/sctp/probe.c
index ad0dba8..e62c225 100644
--- a/net/sctp/probe.c
@@ -89516,7 +90020,7 @@ index 8aab894..f6b7e7d 100644
sctp_generate_t1_cookie_event,
sctp_generate_t1_init_event,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index b907073..57fef6c 100644
+index b907073..7bea2ca 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2166,11 +2166,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
@@ -89534,7 +90038,20 @@ index b907073..57fef6c 100644
/*
* At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
-@@ -4215,13 +4217,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
+@@ -4002,6 +4004,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
+
+ /* Release our hold on the endpoint. */
+ sp = sctp_sk(sk);
++ /* This could happen during socket init, thus we bail out
++ * early, since the rest of the below is not setup either.
++ */
++ if (sp->ep == NULL)
++ return;
++
+ if (sp->do_auto_asconf) {
+ sp->do_auto_asconf = 0;
+ list_del(&sp->auto_asconf_list);
+@@ -4215,13 +4223,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
int __user *optlen)
{
@@ -89552,7 +90069,7 @@ index b907073..57fef6c 100644
return -EFAULT;
return 0;
}
-@@ -4239,6 +4244,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
+@@ -4239,6 +4250,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
*/
static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -89561,7 +90078,7 @@ index b907073..57fef6c 100644
/* Applicable to UDP-style socket only */
if (sctp_style(sk, TCP))
return -EOPNOTSUPP;
-@@ -4247,7 +4254,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
+@@ -4247,7 +4260,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
len = sizeof(int);
if (put_user(len, optlen))
return -EFAULT;
@@ -89571,7 +90088,7 @@ index b907073..57fef6c 100644
return -EFAULT;
return 0;
}
-@@ -4619,12 +4627,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
+@@ -4619,12 +4633,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
*/
static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -89588,7 +90105,7 @@ index b907073..57fef6c 100644
return -EFAULT;
return 0;
}
-@@ -4665,6 +4676,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4665,6 +4682,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
if (space_left < addrlen)
return -ENOMEM;
@@ -89620,7 +90137,7 @@ index bf3c6e8..376d8d0 100644
table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL);
diff --git a/net/socket.c b/net/socket.c
-index 88f759a..c6933de 100644
+index 88f759a..74be616 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -88,6 +88,7 @@
@@ -89791,6 +90308,15 @@ index 88f759a..c6933de 100644
int err, err2;
int fput_needed;
+@@ -1978,7 +2040,7 @@ struct used_address {
+ unsigned int name_len;
+ };
+
+-static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
++static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+ struct msghdr *msg_sys, unsigned int flags,
+ struct used_address *used_address)
+ {
@@ -2045,7 +2107,7 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
* checking falls down on this.
*/
@@ -89800,7 +90326,83 @@ index 88f759a..c6933de 100644
ctl_len))
goto out_freectl;
msg_sys->msg_control = ctl_buf;
-@@ -2185,7 +2247,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2093,20 +2155,28 @@ out:
+ * BSD sendmsg interface
+ */
+
++long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
++{
++ int fput_needed, err;
++ struct msghdr msg_sys;
++ struct socket *sock;
++
++ sock = sockfd_lookup_light(fd, &err, &fput_needed);
++ if (!sock)
++ goto out;
++
++ err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
++
++ fput_light(sock->file, fput_needed);
++out:
++ return err;
++}
++
+ SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags)
+ {
+- int fput_needed, err;
+- struct msghdr msg_sys;
+- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
+-
+- if (!sock)
+- goto out;
+-
+- err = __sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
+-
+- fput_light(sock->file, fput_needed);
+-out:
+- return err;
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
++ return __sys_sendmsg(fd, msg, flags);
+ }
+
+ /*
+@@ -2139,15 +2209,16 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+
+ while (datagrams < vlen) {
+ if (MSG_CMSG_COMPAT & flags) {
+- err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
+- &msg_sys, flags, &used_address);
++ err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
++ &msg_sys, flags, &used_address);
+ if (err < 0)
+ break;
+ err = __put_user(err, &compat_entry->msg_len);
+ ++compat_entry;
+ } else {
+- err = __sys_sendmsg(sock, (struct msghdr __user *)entry,
+- &msg_sys, flags, &used_address);
++ err = ___sys_sendmsg(sock,
++ (struct msghdr __user *)entry,
++ &msg_sys, flags, &used_address);
+ if (err < 0)
+ break;
+ err = put_user(err, &entry->msg_len);
+@@ -2171,10 +2242,12 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+ SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,
+ unsigned int, vlen, unsigned int, flags)
+ {
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
+ return __sys_sendmmsg(fd, mmsg, vlen, flags);
+ }
+
+-static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
++static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+ struct msghdr *msg_sys, unsigned int flags, int nosec)
+ {
+ struct compat_msghdr __user *msg_compat =
+@@ -2185,7 +2258,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
int err, total_len, len;
/* kernel mode address */
@@ -89809,7 +90411,7 @@ index 88f759a..c6933de 100644
/* user mode address pointers */
struct sockaddr __user *uaddr;
-@@ -2213,7 +2275,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2213,7 +2286,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
* kernel msghdr to use the kernel address space)
*/
@@ -89818,7 +90420,84 @@ index 88f759a..c6933de 100644
uaddr_len = COMPAT_NAMELEN(msg);
if (MSG_CMSG_COMPAT & flags) {
err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
-@@ -2952,7 +3014,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
+@@ -2266,21 +2339,29 @@ out:
+ * BSD recvmsg interface
+ */
+
++long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags)
++{
++ int fput_needed, err;
++ struct msghdr msg_sys;
++ struct socket *sock;
++
++ sock = sockfd_lookup_light(fd, &err, &fput_needed);
++ if (!sock)
++ goto out;
++
++ err = ___sys_recvmsg(sock, msg, &msg_sys, flags, 0);
++
++ fput_light(sock->file, fput_needed);
++out:
++ return err;
++}
++
+ SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
+ unsigned int, flags)
+ {
+- int fput_needed, err;
+- struct msghdr msg_sys;
+- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
+-
+- if (!sock)
+- goto out;
+-
+- err = __sys_recvmsg(sock, msg, &msg_sys, flags, 0);
+-
+- fput_light(sock->file, fput_needed);
+-out:
+- return err;
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
++ return __sys_recvmsg(fd, msg, flags);
+ }
+
+ /*
+@@ -2320,17 +2401,18 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+ * No need to ask LSM for more than the first datagram.
+ */
+ if (MSG_CMSG_COMPAT & flags) {
+- err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
+- &msg_sys, flags & ~MSG_WAITFORONE,
+- datagrams);
++ err = ___sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
++ &msg_sys, flags & ~MSG_WAITFORONE,
++ datagrams);
+ if (err < 0)
+ break;
+ err = __put_user(err, &compat_entry->msg_len);
+ ++compat_entry;
+ } else {
+- err = __sys_recvmsg(sock, (struct msghdr __user *)entry,
+- &msg_sys, flags & ~MSG_WAITFORONE,
+- datagrams);
++ err = ___sys_recvmsg(sock,
++ (struct msghdr __user *)entry,
++ &msg_sys, flags & ~MSG_WAITFORONE,
++ datagrams);
+ if (err < 0)
+ break;
+ err = put_user(err, &entry->msg_len);
+@@ -2397,6 +2479,9 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
+ int datagrams;
+ struct timespec timeout_sys;
+
++ if (flags & MSG_CMSG_COMPAT)
++ return -EINVAL;
++
+ if (!timeout)
+ return __sys_recvmmsg(fd, mmsg, vlen, flags, NULL);
+
+@@ -2952,7 +3037,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
err = dev_ioctl(net, cmd,
@@ -89827,7 +90506,7 @@ index 88f759a..c6933de 100644
set_fs(old_fs);
return err;
-@@ -3061,7 +3123,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
+@@ -3061,7 +3146,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -89836,7 +90515,7 @@ index 88f759a..c6933de 100644
set_fs(old_fs);
if (cmd == SIOCGIFMAP && !err) {
-@@ -3166,7 +3228,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
+@@ -3166,7 +3251,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
ret |= __get_user(rtdev, &(ur4->rt_dev));
if (rtdev) {
ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
@@ -89845,7 +90524,7 @@ index 88f759a..c6933de 100644
devname[15] = 0;
} else
r4.rt_dev = NULL;
-@@ -3392,8 +3454,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
+@@ -3392,8 +3477,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
int __user *uoptlen;
int err;
@@ -89856,7 +90535,7 @@ index 88f759a..c6933de 100644
set_fs(KERNEL_DS);
if (level == SOL_SOCKET)
-@@ -3413,7 +3475,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
+@@ -3413,7 +3498,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
char __user *uoptval;
int err;