Diffstat (limited to 'main/linux-grsec')
-rw-r--r-- | main/linux-grsec/APKBUILD | 10 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9.1-3.6.5-201211042157.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.6.4-201210291446.patch) | 605 |
2 files changed, 498 insertions, 117 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index 31b5fa664c..85f40da36c 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -2,9 +2,9 @@ _flavor=grsec pkgname=linux-${_flavor} -pkgver=3.6.4 +pkgver=3.6.5 _kernver=3.6 -pkgrel=1 +pkgrel=0 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-2.9.1-3.6.4-201210291446.patch + grsecurity-2.9.1-3.6.5-201211042157.patch 0004-arp-flush-arp-cache-on-device-change.patch @@ -139,8 +139,8 @@ dev() { } md5sums="1a1760420eac802c541a20ab51a093d1 linux-3.6.tar.xz -d7efab4da2682c44662b684026b059f7 patch-3.6.4.xz -4235328c981070bca82bc61b7f7bc7c1 grsecurity-2.9.1-3.6.4-201210291446.patch +6ad8ceebb9b5c1bf69a0c07ef7cc81f2 patch-3.6.5.xz +0affb0d4559c04d76251be6755338ae1 grsecurity-2.9.1-3.6.5-201211042157.patch 776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch 0fe70e3640b55adb6800e6eebe74ea4d kernelconfig.x86 b7707e701f190d97c3552b7ec292b897 kernelconfig.x86_64" diff --git a/main/linux-grsec/grsecurity-2.9.1-3.6.4-201210291446.patch b/main/linux-grsec/grsecurity-2.9.1-3.6.5-201211042157.patch index 08c581d833..18206e5084 100644 --- a/main/linux-grsec/grsecurity-2.9.1-3.6.4-201210291446.patch +++ b/main/linux-grsec/grsecurity-2.9.1-3.6.5-201211042157.patch @@ -251,7 +251,7 @@ index ad7e2e5..199f49e 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index dcf132a..db194e3 100644 +index 6e4a00d..4c7aa4f 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -19013,7 +19013,7 @@ index 7a6f3b3..bed145d7 100644 1: 
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 198e774..e880f29 100644 +index 5cee802..bc22bc3 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -440,7 +440,7 @@ static void __init parse_setup_data(void) @@ -24577,7 +24577,7 @@ index b91e485..d00e7c9 100644 } if (mm->get_unmapped_area == arch_get_unmapped_area) diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c -index ab1f6a9..23030ba 100644 +index d7aea41..f753ad2 100644 --- a/arch/x86/mm/init.c +++ b/arch/x86/mm/init.c @@ -16,6 +16,8 @@ @@ -24589,16 +24589,16 @@ index ab1f6a9..23030ba 100644 unsigned long __initdata pgt_buf_start; unsigned long __meminitdata pgt_buf_end; -@@ -38,7 +40,7 @@ struct map_range { - static void __init find_early_table_space(struct map_range *mr, unsigned long end, - int use_pse, int use_gbpages) +@@ -44,7 +46,7 @@ static void __init find_early_table_space(struct map_range *mr, int nr_range) { -- unsigned long puds, pmds, ptes, tables, start = 0, good_end = end; -+ unsigned long puds, pmds, ptes, tables, start = 0x100000, good_end = end; + int i; + unsigned long puds = 0, pmds = 0, ptes = 0, tables; +- unsigned long start = 0, good_end; ++ unsigned long start = 0x100000, good_end; phys_addr_t base; - puds = (end + PUD_SIZE - 1) >> PUD_SHIFT; -@@ -317,10 +319,37 @@ unsigned long __init_refok init_memory_mapping(unsigned long start, + for (i = 0; i < nr_range; i++) { +@@ -321,10 +323,37 @@ unsigned long __init_refok init_memory_mapping(unsigned long start, * Access has to be given to non-kernel-ram areas as well, these contain the PCI * mmio resources as well as potential bios/acpi data regions. */ @@ -24637,7 +24637,7 @@ index ab1f6a9..23030ba 100644 if (iomem_is_exclusive(pagenr << PAGE_SHIFT)) return 0; if (!page_is_ram(pagenr)) -@@ -377,8 +406,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) +@@ -381,8 +410,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) #endif } 
@@ -25034,7 +25034,7 @@ index 575d86f..4987469 100644 printk(KERN_INFO "Write protecting the kernel text: %luk\n", size >> 10); diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c -index 2b6b4a3..c17210d 100644 +index 3baff25..8b37564 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -74,7 +74,7 @@ early_param("gbpages", parse_direct_gbpages_on); @@ -25151,7 +25151,7 @@ index 2b6b4a3..c17210d 100644 adr = (void *)(((unsigned long)adr) | left); return adr; -@@ -548,7 +562,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end, +@@ -553,7 +567,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end, unmap_low_page(pmd); spin_lock(&init_mm.page_table_lock); @@ -25160,7 +25160,7 @@ index 2b6b4a3..c17210d 100644 spin_unlock(&init_mm.page_table_lock); } __flush_tlb_all(); -@@ -594,7 +608,7 @@ kernel_physical_mapping_init(unsigned long start, +@@ -599,7 +613,7 @@ kernel_physical_mapping_init(unsigned long start, unmap_low_page(pud); spin_lock(&init_mm.page_table_lock); @@ -25169,7 +25169,7 @@ index 2b6b4a3..c17210d 100644 spin_unlock(&init_mm.page_table_lock); pgd_changed = true; } -@@ -686,6 +700,12 @@ void __init mem_init(void) +@@ -691,6 +705,12 @@ void __init mem_init(void) pci_iommu_alloc(); @@ -25182,7 +25182,7 @@ index 2b6b4a3..c17210d 100644 /* clear_bss() already clear the empty_zero_page */ reservedpages = 0; -@@ -846,8 +866,8 @@ int kern_addr_valid(unsigned long addr) +@@ -851,8 +871,8 @@ int kern_addr_valid(unsigned long addr) static struct vm_area_struct gate_vma = { .vm_start = VSYSCALL_START, .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE), @@ -25193,7 +25193,7 @@ index 2b6b4a3..c17210d 100644 }; struct vm_area_struct *get_gate_vma(struct mm_struct *mm) -@@ -881,7 +901,7 @@ int in_gate_area_no_mm(unsigned long addr) +@@ -886,7 +906,7 @@ int in_gate_area_no_mm(unsigned long addr) const char *arch_vma_name(struct vm_area_struct *vma) { 
@@ -30813,7 +30813,7 @@ index 73fa3e1..ab2e9b9 100644 iir = I915_READ(IIR); diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index b634f6f..84bb8ba 100644 +index b634f6f..43c62f5 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c @@ -2182,7 +2182,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb) @@ -30825,16 +30825,17 @@ index b634f6f..84bb8ba 100644 /* Big Hammer, we also need to ensure that any pending * MI_WAIT_FOR_EVENT inside a user batch buffer on the -@@ -6168,7 +6168,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev, +@@ -6168,8 +6168,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev, obj = work->old_fb_obj; - atomic_clear_mask(1 << intel_crtc->plane, -+ atomic_clear_mask_unchecked(1 << intel_crtc->plane, - &obj->pending_flip.counter); +- &obj->pending_flip.counter); ++ atomic_clear_mask_unchecked(1 << intel_crtc->plane, &obj->pending_flip); wake_up(&dev_priv->pending_flip_queue); -@@ -6515,7 +6515,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, + schedule_work(&work->work); +@@ -6515,7 +6514,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, /* Block clients from rendering to the new back buffer until * the flip occurs and the object is no longer visible. */ @@ -30843,7 +30844,7 @@ index b634f6f..84bb8ba 100644 ret = dev_priv->display.queue_flip(dev, crtc, fb, obj); if (ret) -@@ -6530,7 +6530,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, +@@ -6530,7 +6529,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, return 0; cleanup_pending: @@ -31504,10 +31505,10 @@ index 14599e2..711c965 100644 for (i = 0; i < hid->maxcollection; i++) diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c -index 4065374..10ed7dc 100644 +index f4c3d28..82f45a9 100644 --- a/drivers/hv/channel.c 
+++ b/drivers/hv/channel.c -@@ -400,8 +400,8 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer, +@@ -402,8 +402,8 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer, int ret = 0; int t; @@ -34782,6 +34783,28 @@ index 51b9d6a..52af9a7 100644 #include <linux/mtd/mtd.h> #include <linux/mtd/nand.h> #include <linux/mtd/nftl.h> +diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c +index dc15d24..ef8d2a0 100644 +--- a/drivers/net/bonding/bond_sysfs.c ++++ b/drivers/net/bonding/bond_sysfs.c +@@ -1060,7 +1060,7 @@ static ssize_t bonding_store_primary(struct device *d, + goto out; + } + +- sscanf(buf, "%16s", ifname); /* IFNAMSIZ */ ++ sscanf(buf, "%15s", ifname); /* IFNAMSIZ */ + + /* check to see if we are clearing primary */ + if (!strlen(ifname) || buf[0] == '\n') { +@@ -1237,7 +1237,7 @@ static ssize_t bonding_store_active_slave(struct device *d, + goto out; + } + +- sscanf(buf, "%16s", ifname); /* IFNAMSIZ */ ++ sscanf(buf, "%15s", ifname); /* IFNAMSIZ */ + + /* check to see if we are clearing active */ + if (!strlen(ifname) || buf[0] == '\n') { diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c index 57d64b8..623dd86 100644 --- a/drivers/net/ethernet/atheros/atlx/atl2.c 
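Review bot: The trailing `/* IFNAMSIZ */` comment on both rewritten sscanf lines in bond_sysfs.c now disagrees with the width it annotates, since `%15s` is IFNAMSIZ - 1 and `%Ns` stores N characters plus a NUL; I would change it to `/* IFNAMSIZ - 1: %Ns stores N chars plus the NUL */` so the next reader does not "fix" it back to 16. The narrower width also means an overlong name is silently cut to 15 characters and then looked up among the slaves rather than rejected; whether that is acceptable depends on the lookup code further down, which is outside the hunk. Both bonding_store_primary and bonding_store_active_slave start and end outside the hunk.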
@@ -34795,6 +34818,22 @@ index 57d64b8..623dd86 100644 MODULE_PARM(X, "1-" __MODULE_STRING(ATL2_MAX_NIC) "i"); \ MODULE_PARM_DESC(X, desc); #else +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +index 0875ecf..794cdf3 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -3051,9 +3051,8 @@ static void bnx2x_drv_info_ether_stat(struct bnx2x *bp) + struct eth_stats_info *ether_stat = + &bp->slowpath->drv_info_to_mcp.ether_stat; + +- /* leave last char as NULL */ +- memcpy(ether_stat->version, DRV_MODULE_VERSION, +- ETH_STAT_INFO_VERSION_LEN - 1); ++ strlcpy(ether_stat->version, DRV_MODULE_VERSION, ++ ETH_STAT_INFO_VERSION_LEN); + + bp->sp_objs[0].mac_obj.get_n_elements(bp, &bp->sp_objs[0].mac_obj, + DRV_INFO_ETH_STAT_NUM_MACS_REQUIRED, diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h index f83e033..8b4f43a 100644 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h @@ -35258,6 +35297,18 @@ index 4a518a3..936b334 100644 #define VXGE_HW_VIRTUAL_PATH_HANDLE(vpath) \ ((struct __vxge_hw_vpath_handle *)(vpath)->vpath_handles.next) +diff --git a/drivers/net/ethernet/nxp/lpc_eth.c b/drivers/net/ethernet/nxp/lpc_eth.c +index 53743f7..af8b414 100644 +--- a/drivers/net/ethernet/nxp/lpc_eth.c ++++ b/drivers/net/ethernet/nxp/lpc_eth.c +@@ -1524,6 +1524,7 @@ static int lpc_eth_drv_remove(struct platform_device *pdev) + pldat->dma_buff_base_p); + free_irq(ndev->irq, ndev); + iounmap(pldat->net_base); ++ mdiobus_unregister(pldat->mii_bus); + mdiobus_free(pldat->mii_bus); + clk_disable(pldat->clk); + clk_put(pldat->clk); diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c index b47d5b3..273a516 100644 --- a/drivers/net/ethernet/realtek/r8169.c 
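Review bot: Bytes of `ether_stat->version` past the terminator are no longer written in bnx2x_drv_info_ether_stat, because the new strlcpy stops at the NUL of DRV_MODULE_VERSION whereas the old memcpy filled ETH_STAT_INFO_VERSION_LEN - 1 bytes (over-reading the short literal in the process). That is only safe if the slowpath drv_info_to_mcp area is zeroed before this call, since the field is handed to the management firmware; the hunk cannot show that, so I would either confirm it or add `memset(ether_stat->version, 0, ETH_STAT_INFO_VERSION_LEN);` ahead of the copy. The function's start and end lie outside the hunk.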
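Review bot: The added `mdiobus_unregister(pldat->mii_bus);` in lpc_eth_drv_remove runs after `iounmap(pldat->net_base)`, so if tearing down the bus or its PHY devices issues any MDIO access through the driver's read/write callbacks, it would hit an already-unmapped register window. I cannot see those callbacks from here, but the safer ordering is to unregister the bus before free_irq and iounmap, mirroring the reverse of probe. The function's start and end lie outside the hunk.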
@@ -35352,6 +35403,18 @@ index 1e88a10..1b01736 100644 /* Ignore return since this msg is optional. */ rndis_filter_send_request(dev, request); +diff --git a/drivers/net/phy/mdio-bitbang.c b/drivers/net/phy/mdio-bitbang.c +index daec9b0..6428fcb 100644 +--- a/drivers/net/phy/mdio-bitbang.c ++++ b/drivers/net/phy/mdio-bitbang.c +@@ -234,6 +234,7 @@ void free_mdio_bitbang(struct mii_bus *bus) + struct mdiobb_ctrl *ctrl = bus->priv; + + module_put(ctrl->ops->owner); ++ mdiobus_unregister(bus); + mdiobus_free(bus); + } + EXPORT_SYMBOL(free_mdio_bitbang); diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index 5c05572..389610b 100644 --- a/drivers/net/ppp/ppp_generic.c @@ -35500,6 +35563,27 @@ index 6169fbd..40e8422 100644 struct ath_common; struct ath_bus_ops; +diff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c +index 2aab20e..b761ef8 100644 +--- a/drivers/net/wireless/ath/ath5k/base.c ++++ b/drivers/net/wireless/ath/ath5k/base.c +@@ -1803,7 +1803,7 @@ ath5k_beacon_update(struct ieee80211_hw *hw, struct ieee80211_vif *vif) + { + int ret; + struct ath5k_hw *ah = hw->priv; +- struct ath5k_vif *avf = (void *)vif->drv_priv; ++ struct ath5k_vif *avf; + struct sk_buff *skb; + + if (WARN_ON(!vif)) { +@@ -1818,6 +1818,7 @@ ath5k_beacon_update(struct ieee80211_hw *hw, struct ieee80211_vif *vif) + goto out; + } + ++ avf = (void *)vif->drv_priv; + ath5k_txbuf_free_skb(ah, avf->bbuf); + avf->bbuf->skb = skb; + ret = ath5k_beacon_setup(ah, avf->bbuf); diff --git a/drivers/net/wireless/ath/ath9k/ar9002_mac.c b/drivers/net/wireless/ath/ath9k/ar9002_mac.c index 8d78253..bebbb68 100644 --- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c 
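Review bot: Any driver that already unregisters the bus before calling free_mdio_bitbang will now unregister it twice, because the added `mdiobus_unregister(bus);` makes free_mdio_bitbang do it as well; this change is only safe together with an audit of those callers, none of which are in this hunk. I would also drop the module reference last rather than first, i.e. `mdiobus_unregister(bus); module_put(ctrl->ops->owner); mdiobus_free(bus);`, so the ops owner stays pinned until the bus is fully torn down. The new ownership rule deserves a line above the function: `/* Unregisters and frees the bus; callers must not call mdiobus_unregister() themselves. */`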
@@ -37819,6 +37903,40 @@ index 0d4aa82..f7832d4 100644 extern void tmem_register_hostops(struct tmem_hostops *m); /* core tmem accessor functions */ +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index 9fc9a60..68d4c10 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -850,20 +850,20 @@ int se_dev_check_shutdown(struct se_device *dev) + + static u32 se_dev_align_max_sectors(u32 max_sectors, u32 block_size) + { +- u32 tmp, aligned_max_sectors; ++ u32 aligned_max_sectors; ++ u32 alignment; + /* + * Limit max_sectors to a PAGE_SIZE aligned value for modern + * transport_allocate_data_tasks() operation. + */ +- tmp = rounddown((max_sectors * block_size), PAGE_SIZE); +- aligned_max_sectors = (tmp / block_size); +- if (max_sectors != aligned_max_sectors) { +- printk(KERN_INFO "Rounding down aligned max_sectors from %u" +- " to %u\n", max_sectors, aligned_max_sectors); +- return aligned_max_sectors; +- } ++ alignment = max(1ul, PAGE_SIZE / block_size); ++ aligned_max_sectors = rounddown(max_sectors, alignment); + +- return max_sectors; ++ if (max_sectors != aligned_max_sectors) ++ pr_info("Rounding down aligned max_sectors from %u to %u\n", ++ max_sectors, aligned_max_sectors); ++ ++ return aligned_max_sectors; + } + + void se_dev_set_default_attribs( diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c index 269f544..32def0d 100644 --- a/drivers/target/target_core_transport.c 
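Review bot: `alignment = max(1ul, PAGE_SIZE / block_size);` in se_dev_align_max_sectors still divides by block_size, and `rounddown(max_sectors, alignment)` yields 0 whenever max_sectors is below one page's worth of blocks (e.g. 4 sectors of 512 bytes on a 4 KiB page), which the function then returns after only a pr_info. Neither is new relative to the removed code, but now that the function reads cleanly I would make the assumptions explicit: `if (WARN_ON_ONCE(!block_size)) return max_sectors;` before the division, and on the return `/* may be 0 when max_sectors < alignment; callers must treat that as unusable */`, unless the attribute setters already bound both values, which the hunk does not show.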
@@ -42586,6 +42704,19 @@ index e56c934..fc22f4b 100644 } u; struct list_head list; }; +diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c +index 89f7625..ac72702 100644 +--- a/drivers/xen/xenbus/xenbus_dev_frontend.c ++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c +@@ -458,7 +458,7 @@ static ssize_t xenbus_file_write(struct file *filp, + goto out; + + /* Can't write a xenbus message larger we can buffer */ +- if ((len + u->len) > sizeof(u->u.buffer)) { ++ if (len > sizeof(u->u.buffer) - u->len) { + /* On error, dump existing buffer */ + u->len = 0; + rc = -EINVAL; diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c index cbf9dbb..35c3af7 100644 --- a/fs/9p/vfs_inode.c @@ -44019,6 +44150,19 @@ index e5b7731..b9c59fb 100644 int err; u32 ftype; struct ceph_mds_reply_info_parsed *rinfo; +diff --git a/fs/ceph/export.c b/fs/ceph/export.c +index 02ce909..9349bb3 100644 +--- a/fs/ceph/export.c ++++ b/fs/ceph/export.c +@@ -90,6 +90,8 @@ static int ceph_encode_fh(struct inode *inode, u32 *rawfh, int *max_len, + *max_len = handle_length; + type = 255; + } ++ if (dentry) ++ dput(dentry); + return type; + } + diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index d9ea6ed..1e6c8ac 100644 --- a/fs/cifs/cifs_debug.c @@ -44624,19 +44768,10 @@ index 112e45a..b59845b 100644 /* diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c -index debdfe0..75d31d4 100644 +index 5d2069f..75d31d4 100644 --- a/fs/compat_ioctl.c 
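Review bot: The rewritten check `len > sizeof(u->u.buffer) - u->len` in xenbus_file_write is only correct while `u->len <= sizeof(u->u.buffer)` holds; otherwise the subtraction underflows and admits any user-supplied len, which is exactly the wrap the old `len + u->len` form suffered from. That invariant is maintained by this check itself plus the `u->len = 0` reset on error, so I would record it next to the test: `/* u->len never exceeds the buffer, so this subtraction cannot underflow */`. The function starts and ends outside the hunk.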
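Review bot: The new `if (dentry) dput(dentry);` in ceph_encode_fh guards a call that already tolerates NULL — dput() returns immediately for a NULL dentry in fs/dcache.c, which is not shown here, so please confirm against the tree — and the idiomatic form is the bare `dput(dentry);`. The leak fix itself looks right, given that the dentry is obtained earlier in the function, outside this hunk.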
+++ b/fs/compat_ioctl.c -@@ -210,6 +210,8 @@ static int do_video_set_spu_palette(unsigned int fd, unsigned int cmd, - - err = get_user(palp, &up->palette); - err |= get_user(length, &up->length); -+ if (err) -+ return -EFAULT; - - up_native = compat_alloc_user_space(sizeof(struct video_spu_palette)); - err = put_user(compat_ptr(palp), &up_native->palette); -@@ -621,7 +623,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd, +@@ -623,7 +623,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd, return -EFAULT; if (__get_user(udata, &ss32->iomem_base)) return -EFAULT; @@ -44645,7 +44780,7 @@ index debdfe0..75d31d4 100644 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) || __get_user(ss.port_high, &ss32->port_high)) return -EFAULT; -@@ -796,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file, +@@ -798,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file, copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) || copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) || copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) || @@ -44654,7 +44789,7 @@ index debdfe0..75d31d4 100644 return -EFAULT; return ioctl_preallocate(file, p); -@@ -1610,8 +1612,8 @@ asmlinkage long compat_sys_ioctl(unsigned int fd, unsigned int cmd, +@@ -1612,8 +1612,8 @@ asmlinkage long compat_sys_ioctl(unsigned int fd, unsigned int cmd, static int __init init_sys32_ioctl_cmp(const void *p, const void *q) { unsigned int a, b; @@ -44780,7 +44915,7 @@ index b2a34a1..162fa69 100644 return rc; } diff --git a/fs/exec.c b/fs/exec.c -index 574cf4d..dfe774a 100644 +index fab2c6d..4fa20c0 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,6 +55,15 @@ @@ -45050,7 +45185,7 @@ index 574cf4d..dfe774a 100644 set_fs(old_fs); return result; } -@@ -1257,7 +1296,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm) +@@ -1258,7 +1297,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm) } rcu_read_unlock(); 
@@ -45059,7 +45194,7 @@ index 574cf4d..dfe774a 100644 bprm->unsafe |= LSM_UNSAFE_SHARE; } else { res = -EAGAIN; -@@ -1460,6 +1499,28 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) +@@ -1461,6 +1500,28 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) EXPORT_SYMBOL(search_binary_handler); @@ -45088,7 +45223,7 @@ index 574cf4d..dfe774a 100644 /* * sys_execve() executes a new program. */ -@@ -1468,6 +1529,11 @@ static int do_execve_common(const char *filename, +@@ -1469,6 +1530,11 @@ static int do_execve_common(const char *filename, struct user_arg_ptr envp, struct pt_regs *regs) { @@ -45100,7 +45235,7 @@ index 574cf4d..dfe774a 100644 struct linux_binprm *bprm; struct file *file; struct files_struct *displaced; -@@ -1475,6 +1541,8 @@ static int do_execve_common(const char *filename, +@@ -1476,6 +1542,8 @@ static int do_execve_common(const char *filename, int retval; const struct cred *cred = current_cred(); @@ -45109,7 +45244,7 @@ index 574cf4d..dfe774a 100644 /* * We move the actual failure in case of RLIMIT_NPROC excess from * set*uid() to execve() because too many poorly written programs -@@ -1515,12 +1583,27 @@ static int do_execve_common(const char *filename, +@@ -1516,12 +1584,27 @@ static int do_execve_common(const char *filename, if (IS_ERR(file)) goto out_unmark; @@ -45137,7 +45272,7 @@ index 574cf4d..dfe774a 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1537,24 +1620,65 @@ static int do_execve_common(const char *filename, +@@ -1538,24 +1621,65 @@ static int do_execve_common(const char *filename, if (retval < 0) goto out; @@ -45207,7 +45342,7 @@ index 574cf4d..dfe774a 100644 current->fs->in_exec = 0; current->in_execve = 0; acct_update_integrals(current); -@@ -1563,6 +1687,14 @@ static int do_execve_common(const char *filename, +@@ -1564,6 +1688,14 @@ static int do_execve_common(const char *filename, put_files_struct(displaced); return retval; 
@@ -45222,7 +45357,7 @@ index 574cf4d..dfe774a 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1636,7 +1768,7 @@ static int expand_corename(struct core_name *cn) +@@ -1637,7 +1769,7 @@ static int expand_corename(struct core_name *cn) { char *old_corename = cn->corename; @@ -45231,7 +45366,7 @@ index 574cf4d..dfe774a 100644 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL); if (!cn->corename) { -@@ -1733,7 +1865,7 @@ static int format_corename(struct core_name *cn, long signr) +@@ -1734,7 +1866,7 @@ static int format_corename(struct core_name *cn, long signr) int pid_in_pattern = 0; int err = 0; @@ -45240,7 +45375,7 @@ index 574cf4d..dfe774a 100644 cn->corename = kmalloc(cn->size, GFP_KERNEL); cn->used = 0; -@@ -1830,6 +1962,250 @@ out: +@@ -1831,6 +1963,250 @@ out: return ispipe; } @@ -45491,7 +45626,7 @@ index 574cf4d..dfe774a 100644 static int zap_process(struct task_struct *start, int exit_code) { struct task_struct *t; -@@ -2040,17 +2416,17 @@ static void wait_for_dump_helpers(struct file *file) +@@ -2041,17 +2417,17 @@ static void wait_for_dump_helpers(struct file *file) pipe = file->f_path.dentry->d_inode->i_pipe; pipe_lock(pipe); @@ -45514,7 +45649,7 @@ index 574cf4d..dfe774a 100644 pipe_unlock(pipe); } -@@ -2105,7 +2481,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2106,7 +2482,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) int flag = 0; int ispipe; bool need_nonrelative = false; @@ -45523,7 +45658,7 @@ index 574cf4d..dfe774a 100644 struct coredump_params cprm = { .signr = signr, .regs = regs, -@@ -2120,6 +2496,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2121,6 +2497,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) audit_core_dumps(signr); 
@@ -45533,7 +45668,7 @@ index 574cf4d..dfe774a 100644 binfmt = mm->binfmt; if (!binfmt || !binfmt->core_dump) goto fail; -@@ -2190,7 +2569,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2191,7 +2570,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } cprm.limit = RLIM_INFINITY; @@ -45542,7 +45677,7 @@ index 574cf4d..dfe774a 100644 if (core_pipe_limit && (core_pipe_limit < dump_count)) { printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", task_tgid_vnr(current), current->comm); -@@ -2217,6 +2596,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2218,6 +2597,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } else { struct inode *inode; @@ -45551,7 +45686,7 @@ index 574cf4d..dfe774a 100644 if (cprm.limit < binfmt->min_coredump) goto fail_unlock; -@@ -2268,7 +2649,7 @@ close_fail: +@@ -2269,7 +2650,7 @@ close_fail: filp_close(cprm.file, NULL); fail_dropcount: if (ispipe) @@ -45560,7 +45695,7 @@ index 574cf4d..dfe774a 100644 fail_unlock: kfree(cn.corename); fail_corename: -@@ -2287,7 +2668,7 @@ fail: +@@ -2288,7 +2669,7 @@ fail: */ int dump_write(struct file *file, const void *addr, int nr) { 
@@ -45652,6 +45787,57 @@ index 5c69f2b..05dec7f 100644 atomic_t s_lock_busy; /* locality groups */ +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index 8ce0076..cc2d77c 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -716,6 +716,10 @@ repeat_in_this_group: + "inode=%lu", ino + 1); + continue; + } ++ BUFFER_TRACE(inode_bitmap_bh, "get_write_access"); ++ err = ext4_journal_get_write_access(handle, inode_bitmap_bh); ++ if (err) ++ goto fail; + ext4_lock_group(sb, group); + ret2 = ext4_test_and_set_bit(ino, inode_bitmap_bh->b_data); + ext4_unlock_group(sb, group); +@@ -729,6 +733,11 @@ repeat_in_this_group: + goto out; + + got: ++ BUFFER_TRACE(inode_bitmap_bh, "call ext4_handle_dirty_metadata"); ++ err = ext4_handle_dirty_metadata(handle, NULL, inode_bitmap_bh); ++ if (err) ++ goto fail; ++ + /* We may have to initialize the block bitmap if it isn't already */ + if (ext4_has_group_desc_csum(sb) && + gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { +@@ -762,11 +771,6 @@ got: + goto fail; + } + +- BUFFER_TRACE(inode_bitmap_bh, "get_write_access"); +- err = ext4_journal_get_write_access(handle, inode_bitmap_bh); +- if (err) +- goto fail; +- + BUFFER_TRACE(group_desc_bh, "get_write_access"); + err = ext4_journal_get_write_access(handle, group_desc_bh); + if (err) +@@ -814,11 +818,6 @@ got: + } + ext4_unlock_group(sb, group); + +- BUFFER_TRACE(inode_bitmap_bh, "call ext4_handle_dirty_metadata"); +- err = ext4_handle_dirty_metadata(handle, NULL, inode_bitmap_bh); +- if (err) +- goto fail; +- + BUFFER_TRACE(group_desc_bh, "call ext4_handle_dirty_metadata"); + err = ext4_handle_dirty_metadata(handle, NULL, group_desc_bh); + if (err) diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index b26410c..7383d90 100644 --- a/fs/ext4/mballoc.c @@ -47551,7 +47737,7 @@ index 7e81bfc..c3649aa 100644 lock_flocks(); diff --git a/fs/namei.c b/fs/namei.c -index 81bd546..80149d9 100644 +index 091c4b7..c6d7e26 100644 --- a/fs/namei.c +++ b/fs/namei.c 
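Review bot: The `ext4_journal_get_write_access` moved into the `repeat_in_this_group` loop jumps to `fail` on error from inside the group scan, whereas before the first `goto fail` could only be taken after `got:`; the `fail:` cleanup and the loop head are outside the hunk, so confirm that label releases whatever the scan holds at that point. On a retry after `ext4_test_and_set_bit` finds the bit already taken, write access is requested again for the same buffer head, which jbd2 handles but which a one-line comment would make obvious: `/* harmless if repeated: jbd2 tracks access per buffer per handle */`. Dirtying the bitmap immediately at `got:`, before the group descriptor is touched, is the right order, so no objection there.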
@@ -265,16 +265,32 @@ int generic_permission(struct inode *inode, int mask) @@ -50292,7 +50478,7 @@ index 41514dd..6564a93 100644 pipe_unlock(ipipe); diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c -index 6b0bb00..75db2fe 100644 +index 2fbdff6..5530a61 100644 --- a/fs/sysfs/dir.c +++ b/fs/sysfs/dir.c @@ -685,6 +685,18 @@ static int create_dir(struct kobject *kobj, struct sysfs_dirent *parent_sd, @@ -61439,10 +61625,10 @@ index 9c02a45..89fdd73 100644 unsigned int offset, size_t len); diff --git a/include/linux/efi.h b/include/linux/efi.h -index ec45ccd..9923c32 100644 +index 5782114..e9b1ba1 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -635,7 +635,7 @@ struct efivar_operations { +@@ -640,7 +640,7 @@ struct efivar_operations { efi_get_variable_t *get_variable; efi_get_next_variable_t *get_next_variable; efi_set_variable_t *set_variable; @@ -65051,6 +65237,26 @@ index 9e5425b..8136ffc 100644 struct list_head list; /* Protects from simultaneous access to first_req list */ spinlock_t info_list_lock; +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index f10553c..fb5204b 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -2633,6 +2633,15 @@ unsigned int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb); + unsigned int __attribute_const__ ieee80211_hdrlen(__le16 fc); + + /** ++ * ieee80211_get_mesh_hdrlen - get mesh extension header length ++ * @meshhdr: the mesh extension header, only the flags field ++ * (first byte) will be accessed ++ * Returns the length of the extension header, which is always at ++ * least 6 bytes and at most 18 if address 5 and 6 are present. ++ */ ++unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr); ++ ++/** + * DOC: Data path helpers + * + * In addition to generic utilities, cfg80211 also offers diff --git a/include/net/flow.h b/include/net/flow.h index 628e11b..4c475df 100644 --- a/include/net/flow.h 
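Review bot: The new prototype `unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr);` in cfg80211.h takes a mutable pointer although the kernel-doc right above says only the flags byte is read, so callers holding a `const` header would need a cast; I would declare it `unsigned int ieee80211_get_mesh_hdrlen(const struct ieee80211s_hdr *meshhdr);`, which also requires the definition, not shown here, to match. Presumably the receive path hands this a header inside an skb payload, and the const form also documents that the helper has no side effects.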
@@ -66039,7 +66245,7 @@ index 84c6bf1..8899338 100644 next_state = Reset; return 0; diff --git a/init/main.c b/init/main.c -index b286730..9ff6135 100644 +index d61ec54..bd3144f 100644 --- a/init/main.c +++ b/init/main.c @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { } @@ -66113,7 +66319,7 @@ index b286730..9ff6135 100644 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, }; const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, }; static const char *panic_later, *panic_param; -@@ -675,6 +732,7 @@ int __init_or_module do_one_initcall(initcall_t fn) +@@ -678,6 +735,7 @@ int __init_or_module do_one_initcall(initcall_t fn) { int count = preempt_count(); int ret; @@ -66121,7 +66327,7 @@ index b286730..9ff6135 100644 if (initcall_debug) ret = do_one_initcall_debug(fn); -@@ -687,15 +745,15 @@ int __init_or_module do_one_initcall(initcall_t fn) +@@ -690,15 +748,15 @@ int __init_or_module do_one_initcall(initcall_t fn) sprintf(msgbuf, "error code %d ", ret); if (preempt_count() != count) { @@ -66141,7 +66347,7 @@ index b286730..9ff6135 100644 } return ret; -@@ -749,8 +807,14 @@ static void __init do_initcall_level(int level) +@@ -752,8 +810,14 @@ static void __init do_initcall_level(int level) level, level, &repair_env_string); @@ -66157,7 +66363,7 @@ index b286730..9ff6135 100644 } static void __init do_initcalls(void) -@@ -784,8 +848,14 @@ static void __init do_pre_smp_initcalls(void) +@@ -787,8 +851,14 @@ static void __init do_pre_smp_initcalls(void) { initcall_t *fn; @@ -66173,7 +66379,7 @@ index b286730..9ff6135 100644 } static void run_init_process(const char *init_filename) -@@ -867,7 +937,7 @@ static int __init kernel_init(void * unused) +@@ -870,7 +940,7 @@ static int __init kernel_init(void * unused) do_basic_setup(); /* Open the /dev/console on the rootfs, this should never fail */ 
@@ -66182,7 +66388,7 @@ index b286730..9ff6135 100644 printk(KERN_WARNING "Warning: unable to open an initial console.\n"); (void) sys_dup(0); -@@ -880,11 +950,13 @@ static int __init kernel_init(void * unused) +@@ -883,11 +953,13 @@ static int __init kernel_init(void * unused) if (!ramdisk_execute_command) ramdisk_execute_command = "/init"; @@ -72430,7 +72636,7 @@ index 5736170..8e04800 100644 return 0; } diff --git a/mm/mempolicy.c b/mm/mempolicy.c -index 3d64b36..dbab433 100644 +index 3d64b36..c6ab69c 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -655,6 +655,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start, @@ -72444,7 +72650,7 @@ index 3d64b36..dbab433 100644 vma = find_vma(mm, start); if (!vma || vma->vm_start > start) return -EFAULT; -@@ -691,9 +695,18 @@ static int mbind_range(struct mm_struct *mm, unsigned long start, +@@ -691,9 +695,20 @@ static int mbind_range(struct mm_struct *mm, unsigned long start, if (err) goto out; } @@ -72455,15 +72661,17 @@ index 3d64b36..dbab433 100644 + +#ifdef CONFIG_PAX_SEGMEXEC + vma_m = pax_find_mirror_vma(vma); -+ err = vma_replace_policy(vma_m, new_pol); -+ if (err) -+ goto out; ++ if (vma_m) { ++ err = vma_replace_policy(vma_m, new_pol); ++ if (err) ++ goto out; ++ } +#endif + } out: -@@ -1147,6 +1160,17 @@ static long do_mbind(unsigned long start, unsigned long len, +@@ -1147,6 +1162,17 @@ static long do_mbind(unsigned long start, unsigned long len, if (end < start) return -EINVAL; @@ -72481,7 +72689,7 @@ index 3d64b36..dbab433 100644 if (end == start) return 0; -@@ -1370,8 +1394,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode, +@@ -1370,8 +1396,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode, */ tcred = __task_cred(task); if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) && 
@@ -72491,7 +72699,7 @@ index 3d64b36..dbab433 100644 rcu_read_unlock(); err = -EPERM; goto out_put; -@@ -1402,6 +1425,15 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode, +@@ -1402,6 +1427,15 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode, goto out; } @@ -74365,10 +74573,10 @@ index 926b466..b23df53 100644 if (!mm || IS_ERR(mm)) { rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH; diff --git a/mm/rmap.c b/mm/rmap.c -index 0f3b7cd..c5652b6 100644 +index aa95e59..b681a63 100644 --- a/mm/rmap.c +++ b/mm/rmap.c -@@ -167,6 +167,10 @@ int anon_vma_prepare(struct vm_area_struct *vma) +@@ -168,6 +168,10 @@ int anon_vma_prepare(struct vm_area_struct *vma) struct anon_vma *anon_vma = vma->anon_vma; struct anon_vma_chain *avc; @@ -74379,7 +74587,7 @@ index 0f3b7cd..c5652b6 100644 might_sleep(); if (unlikely(!anon_vma)) { struct mm_struct *mm = vma->vm_mm; -@@ -176,6 +180,12 @@ int anon_vma_prepare(struct vm_area_struct *vma) +@@ -177,6 +181,12 @@ int anon_vma_prepare(struct vm_area_struct *vma) if (!avc) goto out_enomem; @@ -74392,7 +74600,7 @@ index 0f3b7cd..c5652b6 100644 anon_vma = find_mergeable_anon_vma(vma); allocated = NULL; if (!anon_vma) { -@@ -189,6 +199,18 @@ int anon_vma_prepare(struct vm_area_struct *vma) +@@ -190,6 +200,18 @@ int anon_vma_prepare(struct vm_area_struct *vma) /* page_table_lock to protect against threads */ spin_lock(&mm->page_table_lock); if (likely(!vma->anon_vma)) { @@ -74411,7 +74619,7 @@ index 0f3b7cd..c5652b6 100644 vma->anon_vma = anon_vma; anon_vma_chain_link(vma, avc, anon_vma); allocated = NULL; -@@ -199,12 +221,24 @@ int anon_vma_prepare(struct vm_area_struct *vma) +@@ -200,12 +222,24 @@ int anon_vma_prepare(struct vm_area_struct *vma) if (unlikely(allocated)) put_anon_vma(allocated); 
@@ -74436,7 +74644,7 @@ index 0f3b7cd..c5652b6 100644
 anon_vma_chain_free(avc);
 out_enomem:
 return -ENOMEM;
-@@ -240,7 +274,7 @@ static inline void unlock_anon_vma_root(struct anon_vma *root)
+@@ -241,7 +275,7 @@ static inline void unlock_anon_vma_root(struct anon_vma *root)
 * Attach the anon_vmas from src to dst.
 * Returns 0 on success, -ENOMEM on failure.
 */
@@ -74445,7 +74653,7 @@ index 0f3b7cd..c5652b6 100644
 {
 struct anon_vma_chain *avc, *pavc;
 struct anon_vma *root = NULL;
-@@ -318,7 +352,7 @@ void anon_vma_moveto_tail(struct vm_area_struct *dst)
+@@ -319,7 +353,7 @@ void anon_vma_moveto_tail(struct vm_area_struct *dst)
 * the corresponding VMA in the parent process is attached to.
 * Returns 0 on success, non-zero on failure.
 */
@@ -77077,11 +77285,42 @@ index 2a1383c..ff99572 100644
 get_random_bytes(&net->ipv4.dev_addr_genid, sizeof(net->ipv4.dev_addr_genid));
 return 0;
+diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
+index 813b43a..834857f 100644
+--- a/net/ipv4/tcp_illinois.c
++++ b/net/ipv4/tcp_illinois.c
+@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
+ .tcpv_rttcnt = ca->cnt_rtt,
+ .tcpv_minrtt = ca->base_rtt,
+ };
+- u64 t = ca->sum_rtt;
+
+- do_div(t, ca->cnt_rtt);
+- info.tcpv_rtt = t;
++ if (info.tcpv_rttcnt > 0) {
++ u64 t = ca->sum_rtt;
+
++ do_div(t, info.tcpv_rttcnt);
++ info.tcpv_rtt = t;
++ }
+ nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
+ }
+ }
 diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index d377f48..c2211ed 100644
+index d377f48..f19e3ec 100644
 --- a/net/ipv4/tcp_input.c
 +++ b/net/ipv4/tcp_input.c
-@@ -4728,7 +4728,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
+@@ -4556,6 +4556,9 @@ int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size)
+ struct tcphdr *th;
+ bool fragstolen;
+
++ if (size == 0)
++ return 0;
++
+ skb = alloc_skb(size + sizeof(*th), sk->sk_allocation);
+ if (!skb)
+ goto err;
+@@ -4728,7 +4731,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
 * simplifies code)
 */
 static void
@@ -77879,6 +78118,31 @@ index 34e4185..8823368 100644
 } while (!res);
 return res;
 }
+diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
+index 3bfb34a..69bf48d 100644
+--- a/net/l2tp/l2tp_eth.c
++++ b/net/l2tp/l2tp_eth.c
+@@ -290,6 +290,7 @@ static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 p
+
+ out_del_dev:
+ free_netdev(dev);
++ spriv->dev = NULL;
+ out_del_session:
+ l2tp_session_delete(session);
+ out:
+diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
+index 5746d62..327aa07 100644
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -1074,7 +1074,7 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
+ sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
+ sdata->u.ibss.ibss_join_req = jiffies;
+
+- memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN);
++ memcpy(sdata->u.ibss.ssid, params->ssid, params->ssid_len);
+ sdata->u.ibss.ssid_len = params->ssid_len;
+
+ mutex_unlock(&sdata->u.ibss.mtx);
 diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
 index bb61f77..3788d63 100644
 --- a/net/mac80211/ieee80211_i.h
@@ -77901,7 +78165,7 @@ index bb61f77..3788d63 100644
 /* number of interfaces with corresponding FIF_ flags */
 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
 diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
-index bfb57dc..77c4b81 100644
+index c93d395..a305570 100644
 --- a/net/mac80211/iface.c
 +++ b/net/mac80211/iface.c
@@ -454,7 +454,7 @@ static int ieee80211_do_open(struct net_device *dev, bool coming_up) 
@@ -78037,8 +78301,108 @@ index c97a065..ff61928 100644
 return -EFAULT;
 return p;
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 0cb4ede..884155d 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -491,6 +491,11 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
+
+ if (ieee80211_is_action(hdr->frame_control)) {
+ u8 category;
++
++ /* make sure category field is present */
++ if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
++ return RX_DROP_MONITOR;
++
+ mgmt = (struct ieee80211_mgmt *)hdr;
+ category = mgmt->u.action.category;
+ if (category != WLAN_CATEGORY_MESH_ACTION &&
+@@ -1426,7 +1431,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+ frag = sc & IEEE80211_SCTL_FRAG;
+
+ if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
+- (rx->skb)->len < 24 ||
+ is_multicast_ether_addr(hdr->addr1))) {
+ /* not fragmented */
+ goto out;
+@@ -1849,6 +1853,20 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
+
+ hdr = (struct ieee80211_hdr *) skb->data;
+ hdrlen = ieee80211_hdrlen(hdr->frame_control);
++
++ /* make sure fixed part of mesh header is there, also checks skb len */
++ if (!pskb_may_pull(rx->skb, hdrlen + 6))
++ return RX_DROP_MONITOR;
++
++ mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
++
++ /* make sure full mesh header is there, also checks skb len */
++ if (!pskb_may_pull(rx->skb,
++ hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
++ return RX_DROP_MONITOR;
++
++ /* reload pointers */
++ hdr = (struct ieee80211_hdr *) skb->data;
+ mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
+
+ /* frame is in RMC, don't forward */
+@@ -1871,9 +1889,12 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
+ if (is_multicast_ether_addr(hdr->addr1)) {
+ mpp_addr = hdr->addr3;
+ proxied_addr = mesh_hdr->eaddr1;
+- } else {
++ } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
++ /* has_a4 already checked in ieee80211_rx_mesh_check */
+ mpp_addr = hdr->addr4;
+ proxied_addr = mesh_hdr->eaddr2;
++ } else {
++ return RX_DROP_MONITOR;
+ }
+
+ rcu_read_lock();
+@@ -2313,6 +2334,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
+ }
+ break;
+ case WLAN_CATEGORY_SELF_PROTECTED:
++ if (len < (IEEE80211_MIN_ACTION_SIZE +
++ sizeof(mgmt->u.action.u.self_prot.action_code)))
++ break;
++
+ switch (mgmt->u.action.u.self_prot.action_code) {
+ case WLAN_SP_MESH_PEERING_OPEN:
+ case WLAN_SP_MESH_PEERING_CLOSE:
+@@ -2331,6 +2356,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
+ }
+ break;
+ case WLAN_CATEGORY_MESH_ACTION:
++ if (len < (IEEE80211_MIN_ACTION_SIZE +
++ sizeof(mgmt->u.action.u.mesh_action.action_code)))
++ break;
++
+ if (!ieee80211_vif_is_mesh(&sdata->vif))
+ break;
+ if (mesh_action_is_path_sel(mgmt) &&
+@@ -2865,10 +2894,15 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
+ if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
+ local->dot11ReceivedFragmentCount++;
+
+- if (ieee80211_is_mgmt(fc))
+- err = skb_linearize(skb);
+- else
++ if (ieee80211_is_mgmt(fc)) {
++ /* drop frame if too short for header */
++ if (skb->len < ieee80211_hdrlen(fc))
++ err = -ENOBUFS;
++ else
++ err = skb_linearize(skb);
++ } else {
+ err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
++ }
+
+ if (err) {
+ dev_kfree_skb(skb);
 diff --git a/net/mac80211/util.c b/net/mac80211/util.c
-index 39b82fe..5469ef4 100644
+index c9b52f7..4da1014 100644
 --- a/net/mac80211/util.c
 +++ b/net/mac80211/util.c
 @@ -1251,7 +1251,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
@@ -78420,6 +78784,28 @@ index 7261eb8..44e8ac6 100644
 sax->fsa_ax25.sax25_call = nr->source_addr;
 *uaddr_len = sizeof(struct sockaddr_ax25);
 }
+diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
+index ddeb9aa..e18fffd 100644
+--- a/net/nfc/llcp/sock.c
++++ b/net/nfc/llcp/sock.c
+@@ -443,15 +443,11 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
+ pr_debug("sock %p sk %p flags 0x%x\n", sock, sk, flags);
+
+ if (!addr || len < sizeof(struct sockaddr_nfc) ||
+- addr->sa_family != AF_NFC) {
+- pr_err("Invalid socket\n");
++ addr->sa_family != AF_NFC)
+ return -EINVAL;
+- }
+
+- if (addr->service_name_len == 0 && addr->dsap == 0) {
+- pr_err("Missing service name or dsap\n");
++ if (addr->service_name_len == 0 && addr->dsap == 0)
+ return -EINVAL;
+- }
+
+ pr_debug("addr dev_idx=%u target_idx=%u protocol=%u\n", addr->dev_idx,
+ addr->target_idx, addr->nfc_protocol);
 diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
 index c5c9e2a..4814ab1 100644
 --- a/net/packet/af_packet.c
@@ -79607,6 +79993,27 @@ index bc7430b..35349de 100644
 struct rfkill *rfkill;
 struct work_struct rfkill_sync;
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index 994e2f0..f67aeb1 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -309,7 +309,7 @@ unsigned int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb)
+ }
+ EXPORT_SYMBOL(ieee80211_get_hdrlen_from_skb);
+
+-static int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
++unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
+ {
+ int ae = meshhdr->flags & MESH_FLAGS_AE;
+ /* 7.1.3.5a.2 */
+@@ -326,6 +326,7 @@ static int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
+ return 6;
+ }
+ }
++EXPORT_SYMBOL(ieee80211_get_mesh_hdrlen);
+
+ int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
+ enum nl80211_iftype iftype)
 diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
 index b0eb7aa..7d73e82 100644
 --- a/net/wireless/wext-core.c
@@ -89442,32 +89849,6 @@ index 6789d78..4afd019e 100644
+ .endm + #endif
-diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c
-index af0f22f..9a7d479 100644
---- a/usr/gen_init_cpio.c
-+++ b/usr/gen_init_cpio.c
-@@ -303,7 +303,7 @@ static int cpio_mkfile(const char *name, const char *location,
- int retval;
- int rc = -1;
- int namesize;
-- int i;
-+ unsigned int i;
-
- mode |= S_IFREG;
-
-@@ -392,9 +392,10 @@ static char *cpio_replace_env(char *new_location)
- *env_var = *expanded = '\0';
- strncat(env_var, start + 2, end - start - 2);
- strncat(expanded, new_location, start - new_location);
-- strncat(expanded, getenv(env_var), PATH_MAX);
-- strncat(expanded, end + 1, PATH_MAX);
-+ strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
-+ strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
- strncpy(new_location, expanded, PATH_MAX);
-+ new_location[PATH_MAX] = 0;
- } else
- break;
- }
 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
 index d617f69..6b445d2 100644
 --- a/virt/kvm/kvm_main.c |