Diffstat (limited to 'main/linux-grsec')
-rw-r--r--main/linux-grsec/APKBUILD10
-rw-r--r--main/linux-grsec/grsecurity-2.9.1-3.6.5-201211042157.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.6.4-201210291446.patch)605
2 files changed, 498 insertions, 117 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 31b5fa664c..85f40da36c 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,9 +2,9 @@
_flavor=grsec
pkgname=linux-${_flavor}
-pkgver=3.6.4
+pkgver=3.6.5
_kernver=3.6
-pkgrel=1
+pkgrel=0
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9.1-3.6.4-201210291446.patch
+ grsecurity-2.9.1-3.6.5-201211042157.patch
0004-arp-flush-arp-cache-on-device-change.patch
@@ -139,8 +139,8 @@ dev() {
}
md5sums="1a1760420eac802c541a20ab51a093d1 linux-3.6.tar.xz
-d7efab4da2682c44662b684026b059f7 patch-3.6.4.xz
-4235328c981070bca82bc61b7f7bc7c1 grsecurity-2.9.1-3.6.4-201210291446.patch
+6ad8ceebb9b5c1bf69a0c07ef7cc81f2 patch-3.6.5.xz
+0affb0d4559c04d76251be6755338ae1 grsecurity-2.9.1-3.6.5-201211042157.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
0fe70e3640b55adb6800e6eebe74ea4d kernelconfig.x86
b7707e701f190d97c3552b7ec292b897 kernelconfig.x86_64"
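Review bot: The two replaced entries in `md5sums` (patch-3.6.5.xz and the grsecurity patch) are still verified with MD5 only, while the `source=` list in the previous hunk fetches `patch-$pkgver.xz` over plain `http://`. That leaves a collision-weak hash as the only integrity check on a kernel patch that crosses the network unauthenticated. If the abuild version in use supports it, add a `sha256sums=` or `sha512sums=` array next to `md5sums`. It would also help to check the downloaded kernel.org patch against its published signature before recording the new sum.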
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.6.4-201210291446.patch b/main/linux-grsec/grsecurity-2.9.1-3.6.5-201211042157.patch
index 08c581d833..18206e5084 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.6.4-201210291446.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.6.5-201211042157.patch
@@ -251,7 +251,7 @@ index ad7e2e5..199f49e 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index dcf132a..db194e3 100644
+index 6e4a00d..4c7aa4f 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -19013,7 +19013,7 @@ index 7a6f3b3..bed145d7 100644
1:
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 198e774..e880f29 100644
+index 5cee802..bc22bc3 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -440,7 +440,7 @@ static void __init parse_setup_data(void)
@@ -24577,7 +24577,7 @@ index b91e485..d00e7c9 100644
}
if (mm->get_unmapped_area == arch_get_unmapped_area)
diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
-index ab1f6a9..23030ba 100644
+index d7aea41..f753ad2 100644
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -16,6 +16,8 @@
@@ -24589,16 +24589,16 @@ index ab1f6a9..23030ba 100644
unsigned long __initdata pgt_buf_start;
unsigned long __meminitdata pgt_buf_end;
-@@ -38,7 +40,7 @@ struct map_range {
- static void __init find_early_table_space(struct map_range *mr, unsigned long end,
- int use_pse, int use_gbpages)
+@@ -44,7 +46,7 @@ static void __init find_early_table_space(struct map_range *mr, int nr_range)
{
-- unsigned long puds, pmds, ptes, tables, start = 0, good_end = end;
-+ unsigned long puds, pmds, ptes, tables, start = 0x100000, good_end = end;
+ int i;
+ unsigned long puds = 0, pmds = 0, ptes = 0, tables;
+- unsigned long start = 0, good_end;
++ unsigned long start = 0x100000, good_end;
phys_addr_t base;
- puds = (end + PUD_SIZE - 1) >> PUD_SHIFT;
-@@ -317,10 +319,37 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
+ for (i = 0; i < nr_range; i++) {
+@@ -321,10 +323,37 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
* Access has to be given to non-kernel-ram areas as well, these contain the PCI
* mmio resources as well as potential bios/acpi data regions.
*/
@@ -24637,7 +24637,7 @@ index ab1f6a9..23030ba 100644
if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
return 0;
if (!page_is_ram(pagenr))
-@@ -377,8 +406,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
+@@ -381,8 +410,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
#endif
}
@@ -25034,7 +25034,7 @@ index 575d86f..4987469 100644
printk(KERN_INFO "Write protecting the kernel text: %luk\n",
size >> 10);
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index 2b6b4a3..c17210d 100644
+index 3baff25..8b37564 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -74,7 +74,7 @@ early_param("gbpages", parse_direct_gbpages_on);
@@ -25151,7 +25151,7 @@ index 2b6b4a3..c17210d 100644
adr = (void *)(((unsigned long)adr) | left);
return adr;
-@@ -548,7 +562,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
+@@ -553,7 +567,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
unmap_low_page(pmd);
spin_lock(&init_mm.page_table_lock);
@@ -25160,7 +25160,7 @@ index 2b6b4a3..c17210d 100644
spin_unlock(&init_mm.page_table_lock);
}
__flush_tlb_all();
-@@ -594,7 +608,7 @@ kernel_physical_mapping_init(unsigned long start,
+@@ -599,7 +613,7 @@ kernel_physical_mapping_init(unsigned long start,
unmap_low_page(pud);
spin_lock(&init_mm.page_table_lock);
@@ -25169,7 +25169,7 @@ index 2b6b4a3..c17210d 100644
spin_unlock(&init_mm.page_table_lock);
pgd_changed = true;
}
-@@ -686,6 +700,12 @@ void __init mem_init(void)
+@@ -691,6 +705,12 @@ void __init mem_init(void)
pci_iommu_alloc();
@@ -25182,7 +25182,7 @@ index 2b6b4a3..c17210d 100644
/* clear_bss() already clear the empty_zero_page */
reservedpages = 0;
-@@ -846,8 +866,8 @@ int kern_addr_valid(unsigned long addr)
+@@ -851,8 +871,8 @@ int kern_addr_valid(unsigned long addr)
static struct vm_area_struct gate_vma = {
.vm_start = VSYSCALL_START,
.vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
@@ -25193,7 +25193,7 @@ index 2b6b4a3..c17210d 100644
};
struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
-@@ -881,7 +901,7 @@ int in_gate_area_no_mm(unsigned long addr)
+@@ -886,7 +906,7 @@ int in_gate_area_no_mm(unsigned long addr)
const char *arch_vma_name(struct vm_area_struct *vma)
{
@@ -30813,7 +30813,7 @@ index 73fa3e1..ab2e9b9 100644
iir = I915_READ(IIR);
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index b634f6f..84bb8ba 100644
+index b634f6f..43c62f5 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -2182,7 +2182,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb)
@@ -30825,16 +30825,17 @@ index b634f6f..84bb8ba 100644
/* Big Hammer, we also need to ensure that any pending
* MI_WAIT_FOR_EVENT inside a user batch buffer on the
-@@ -6168,7 +6168,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
+@@ -6168,8 +6168,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
obj = work->old_fb_obj;
- atomic_clear_mask(1 << intel_crtc->plane,
-+ atomic_clear_mask_unchecked(1 << intel_crtc->plane,
- &obj->pending_flip.counter);
+- &obj->pending_flip.counter);
++ atomic_clear_mask_unchecked(1 << intel_crtc->plane, &obj->pending_flip);
wake_up(&dev_priv->pending_flip_queue);
-@@ -6515,7 +6515,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
+ schedule_work(&work->work);
+@@ -6515,7 +6514,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
/* Block clients from rendering to the new back buffer until
* the flip occurs and the object is no longer visible.
*/
@@ -30843,7 +30844,7 @@ index b634f6f..84bb8ba 100644
ret = dev_priv->display.queue_flip(dev, crtc, fb, obj);
if (ret)
-@@ -6530,7 +6530,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
+@@ -6530,7 +6529,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
return 0;
cleanup_pending:
@@ -31504,10 +31505,10 @@ index 14599e2..711c965 100644
for (i = 0; i < hid->maxcollection; i++)
diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
-index 4065374..10ed7dc 100644
+index f4c3d28..82f45a9 100644
--- a/drivers/hv/channel.c
+++ b/drivers/hv/channel.c
-@@ -400,8 +400,8 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
+@@ -402,8 +402,8 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
int ret = 0;
int t;
@@ -34782,6 +34783,28 @@ index 51b9d6a..52af9a7 100644
#include <linux/mtd/mtd.h>
#include <linux/mtd/nand.h>
#include <linux/mtd/nftl.h>
+diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c
+index dc15d24..ef8d2a0 100644
+--- a/drivers/net/bonding/bond_sysfs.c
++++ b/drivers/net/bonding/bond_sysfs.c
+@@ -1060,7 +1060,7 @@ static ssize_t bonding_store_primary(struct device *d,
+ goto out;
+ }
+
+- sscanf(buf, "%16s", ifname); /* IFNAMSIZ */
++ sscanf(buf, "%15s", ifname); /* IFNAMSIZ */
+
+ /* check to see if we are clearing primary */
+ if (!strlen(ifname) || buf[0] == '\n') {
+@@ -1237,7 +1237,7 @@ static ssize_t bonding_store_active_slave(struct device *d,
+ goto out;
+ }
+
+- sscanf(buf, "%16s", ifname); /* IFNAMSIZ */
++ sscanf(buf, "%15s", ifname); /* IFNAMSIZ */
+
+ /* check to see if we are clearing active */
+ if (!strlen(ifname) || buf[0] == '\n') {
diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c
index 57d64b8..623dd86 100644
--- a/drivers/net/ethernet/atheros/atlx/atl2.c
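Review bot: Both added `sscanf(buf, "%15s", ifname)` calls in the bond_sysfs.c section (bonding_store_primary and bonding_store_active_slave) still ignore the return value. When `buf` holds no non-whitespace token, for example just a newline, sscanf stores nothing and the `strlen(ifname)` in the following test reads whatever `ifname` held before. Its declaration is outside the hunk, so whether it is initialised cannot be confirmed here. Checking the result, e.g. `if (sscanf(buf, "%15s", ifname) != 1) ifname[0] = '\0';`, would make the "clearing" test well defined. The trailing comment would also read better as `/* IFNAMSIZ - 1, room for the NUL */` now that the width is 15.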
@@ -34795,6 +34818,22 @@ index 57d64b8..623dd86 100644
MODULE_PARM(X, "1-" __MODULE_STRING(ATL2_MAX_NIC) "i"); \
MODULE_PARM_DESC(X, desc);
#else
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+index 0875ecf..794cdf3 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -3051,9 +3051,8 @@ static void bnx2x_drv_info_ether_stat(struct bnx2x *bp)
+ struct eth_stats_info *ether_stat =
+ &bp->slowpath->drv_info_to_mcp.ether_stat;
+
+- /* leave last char as NULL */
+- memcpy(ether_stat->version, DRV_MODULE_VERSION,
+- ETH_STAT_INFO_VERSION_LEN - 1);
++ strlcpy(ether_stat->version, DRV_MODULE_VERSION,
++ ETH_STAT_INFO_VERSION_LEN);
+
+ bp->sp_objs[0].mac_obj.get_n_elements(bp, &bp->sp_objs[0].mac_obj,
+ DRV_INFO_ETH_STAT_NUM_MACS_REQUIRED,
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
index f83e033..8b4f43a 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
@@ -35258,6 +35297,18 @@ index 4a518a3..936b334 100644
#define VXGE_HW_VIRTUAL_PATH_HANDLE(vpath) \
((struct __vxge_hw_vpath_handle *)(vpath)->vpath_handles.next)
+diff --git a/drivers/net/ethernet/nxp/lpc_eth.c b/drivers/net/ethernet/nxp/lpc_eth.c
+index 53743f7..af8b414 100644
+--- a/drivers/net/ethernet/nxp/lpc_eth.c
++++ b/drivers/net/ethernet/nxp/lpc_eth.c
+@@ -1524,6 +1524,7 @@ static int lpc_eth_drv_remove(struct platform_device *pdev)
+ pldat->dma_buff_base_p);
+ free_irq(ndev->irq, ndev);
+ iounmap(pldat->net_base);
++ mdiobus_unregister(pldat->mii_bus);
+ mdiobus_free(pldat->mii_bus);
+ clk_disable(pldat->clk);
+ clk_put(pldat->clk);
diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
index b47d5b3..273a516 100644
--- a/drivers/net/ethernet/realtek/r8169.c
@@ -35352,6 +35403,18 @@ index 1e88a10..1b01736 100644
/* Ignore return since this msg is optional. */
rndis_filter_send_request(dev, request);
+diff --git a/drivers/net/phy/mdio-bitbang.c b/drivers/net/phy/mdio-bitbang.c
+index daec9b0..6428fcb 100644
+--- a/drivers/net/phy/mdio-bitbang.c
++++ b/drivers/net/phy/mdio-bitbang.c
+@@ -234,6 +234,7 @@ void free_mdio_bitbang(struct mii_bus *bus)
+ struct mdiobb_ctrl *ctrl = bus->priv;
+
+ module_put(ctrl->ops->owner);
++ mdiobus_unregister(bus);
+ mdiobus_free(bus);
+ }
+ EXPORT_SYMBOL(free_mdio_bitbang);
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 5c05572..389610b 100644
--- a/drivers/net/ppp/ppp_generic.c
@@ -35500,6 +35563,27 @@ index 6169fbd..40e8422 100644
struct ath_common;
struct ath_bus_ops;
+diff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c
+index 2aab20e..b761ef8 100644
+--- a/drivers/net/wireless/ath/ath5k/base.c
++++ b/drivers/net/wireless/ath/ath5k/base.c
+@@ -1803,7 +1803,7 @@ ath5k_beacon_update(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
+ {
+ int ret;
+ struct ath5k_hw *ah = hw->priv;
+- struct ath5k_vif *avf = (void *)vif->drv_priv;
++ struct ath5k_vif *avf;
+ struct sk_buff *skb;
+
+ if (WARN_ON(!vif)) {
+@@ -1818,6 +1818,7 @@ ath5k_beacon_update(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
+ goto out;
+ }
+
++ avf = (void *)vif->drv_priv;
+ ath5k_txbuf_free_skb(ah, avf->bbuf);
+ avf->bbuf->skb = skb;
+ ret = ath5k_beacon_setup(ah, avf->bbuf);
diff --git a/drivers/net/wireless/ath/ath9k/ar9002_mac.c b/drivers/net/wireless/ath/ath9k/ar9002_mac.c
index 8d78253..bebbb68 100644
--- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c
@@ -37819,6 +37903,40 @@ index 0d4aa82..f7832d4 100644
extern void tmem_register_hostops(struct tmem_hostops *m);
/* core tmem accessor functions */
+diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
+index 9fc9a60..68d4c10 100644
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -850,20 +850,20 @@ int se_dev_check_shutdown(struct se_device *dev)
+
+ static u32 se_dev_align_max_sectors(u32 max_sectors, u32 block_size)
+ {
+- u32 tmp, aligned_max_sectors;
++ u32 aligned_max_sectors;
++ u32 alignment;
+ /*
+ * Limit max_sectors to a PAGE_SIZE aligned value for modern
+ * transport_allocate_data_tasks() operation.
+ */
+- tmp = rounddown((max_sectors * block_size), PAGE_SIZE);
+- aligned_max_sectors = (tmp / block_size);
+- if (max_sectors != aligned_max_sectors) {
+- printk(KERN_INFO "Rounding down aligned max_sectors from %u"
+- " to %u\n", max_sectors, aligned_max_sectors);
+- return aligned_max_sectors;
+- }
++ alignment = max(1ul, PAGE_SIZE / block_size);
++ aligned_max_sectors = rounddown(max_sectors, alignment);
+
+- return max_sectors;
++ if (max_sectors != aligned_max_sectors)
++ pr_info("Rounding down aligned max_sectors from %u to %u\n",
++ max_sectors, aligned_max_sectors);
++
++ return aligned_max_sectors;
+ }
+
+ void se_dev_set_default_attribs(
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 269f544..32def0d 100644
--- a/drivers/target/target_core_transport.c
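Review bot: In the rewritten se_dev_align_max_sectors, `block_size` is used as a divisor in `max(1ul, PAGE_SIZE / block_size)` with no zero check. `rounddown(max_sectors, alignment)` also yields 0 whenever `max_sectors` is smaller than `alignment`. Whether callers already rule out both cases is not visible in this hunk. If they do not, a guard such as `if (!block_size) return max_sectors;` ahead of the division would cover the first. A comment stating that a zero result is possible and how callers treat it would cover the second.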
@@ -42586,6 +42704,19 @@ index e56c934..fc22f4b 100644
} u;
struct list_head list;
};
+diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
+index 89f7625..ac72702 100644
+--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
+@@ -458,7 +458,7 @@ static ssize_t xenbus_file_write(struct file *filp,
+ goto out;
+
+ /* Can't write a xenbus message larger we can buffer */
+- if ((len + u->len) > sizeof(u->u.buffer)) {
++ if (len > sizeof(u->u.buffer) - u->len) {
+ /* On error, dump existing buffer */
+ u->len = 0;
+ rc = -EINVAL;
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index cbf9dbb..35c3af7 100644
--- a/fs/9p/vfs_inode.c
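Review bot: The new bound `len > sizeof(u->u.buffer) - u->len` in xenbus_file_write removes the wraparound in `len + u->len`, but the subtraction is only safe while `u->len` never exceeds `sizeof(u->u.buffer)`. Nothing in the hunk shows where that invariant is maintained or what type `u->len` has, so it deserves a comment above the test, e.g. `/* u->len <= sizeof(u->u.buffer) always holds here, so the subtraction cannot wrap */`. The existing comment is also missing a word and should read `/* Can't write a xenbus message larger than we can buffer */`. The function body starts and ends outside the hunk.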
@@ -44019,6 +44150,19 @@ index e5b7731..b9c59fb 100644
int err;
u32 ftype;
struct ceph_mds_reply_info_parsed *rinfo;
+diff --git a/fs/ceph/export.c b/fs/ceph/export.c
+index 02ce909..9349bb3 100644
+--- a/fs/ceph/export.c
++++ b/fs/ceph/export.c
+@@ -90,6 +90,8 @@ static int ceph_encode_fh(struct inode *inode, u32 *rawfh, int *max_len,
+ *max_len = handle_length;
+ type = 255;
+ }
++ if (dentry)
++ dput(dentry);
+ return type;
+ }
+
diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
index d9ea6ed..1e6c8ac 100644
--- a/fs/cifs/cifs_debug.c
@@ -44624,19 +44768,10 @@ index 112e45a..b59845b 100644
/*
diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
-index debdfe0..75d31d4 100644
+index 5d2069f..75d31d4 100644
--- a/fs/compat_ioctl.c
+++ b/fs/compat_ioctl.c
-@@ -210,6 +210,8 @@ static int do_video_set_spu_palette(unsigned int fd, unsigned int cmd,
-
- err = get_user(palp, &up->palette);
- err |= get_user(length, &up->length);
-+ if (err)
-+ return -EFAULT;
-
- up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
- err = put_user(compat_ptr(palp), &up_native->palette);
-@@ -621,7 +623,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd,
+@@ -623,7 +623,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd,
return -EFAULT;
if (__get_user(udata, &ss32->iomem_base))
return -EFAULT;
@@ -44645,7 +44780,7 @@ index debdfe0..75d31d4 100644
if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
__get_user(ss.port_high, &ss32->port_high))
return -EFAULT;
-@@ -796,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file,
+@@ -798,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file,
copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
@@ -44654,7 +44789,7 @@ index debdfe0..75d31d4 100644
return -EFAULT;
return ioctl_preallocate(file, p);
-@@ -1610,8 +1612,8 @@ asmlinkage long compat_sys_ioctl(unsigned int fd, unsigned int cmd,
+@@ -1612,8 +1612,8 @@ asmlinkage long compat_sys_ioctl(unsigned int fd, unsigned int cmd,
static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
{
unsigned int a, b;
@@ -44780,7 +44915,7 @@ index b2a34a1..162fa69 100644
return rc;
}
diff --git a/fs/exec.c b/fs/exec.c
-index 574cf4d..dfe774a 100644
+index fab2c6d..4fa20c0 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,6 +55,15 @@
@@ -45050,7 +45185,7 @@ index 574cf4d..dfe774a 100644
set_fs(old_fs);
return result;
}
-@@ -1257,7 +1296,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
+@@ -1258,7 +1297,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
}
rcu_read_unlock();
@@ -45059,7 +45194,7 @@ index 574cf4d..dfe774a 100644
bprm->unsafe |= LSM_UNSAFE_SHARE;
} else {
res = -EAGAIN;
-@@ -1460,6 +1499,28 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
+@@ -1461,6 +1500,28 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
EXPORT_SYMBOL(search_binary_handler);
@@ -45088,7 +45223,7 @@ index 574cf4d..dfe774a 100644
/*
* sys_execve() executes a new program.
*/
-@@ -1468,6 +1529,11 @@ static int do_execve_common(const char *filename,
+@@ -1469,6 +1530,11 @@ static int do_execve_common(const char *filename,
struct user_arg_ptr envp,
struct pt_regs *regs)
{
@@ -45100,7 +45235,7 @@ index 574cf4d..dfe774a 100644
struct linux_binprm *bprm;
struct file *file;
struct files_struct *displaced;
-@@ -1475,6 +1541,8 @@ static int do_execve_common(const char *filename,
+@@ -1476,6 +1542,8 @@ static int do_execve_common(const char *filename,
int retval;
const struct cred *cred = current_cred();
@@ -45109,7 +45244,7 @@ index 574cf4d..dfe774a 100644
/*
* We move the actual failure in case of RLIMIT_NPROC excess from
* set*uid() to execve() because too many poorly written programs
-@@ -1515,12 +1583,27 @@ static int do_execve_common(const char *filename,
+@@ -1516,12 +1584,27 @@ static int do_execve_common(const char *filename,
if (IS_ERR(file))
goto out_unmark;
@@ -45137,7 +45272,7 @@ index 574cf4d..dfe774a 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1537,24 +1620,65 @@ static int do_execve_common(const char *filename,
+@@ -1538,24 +1621,65 @@ static int do_execve_common(const char *filename,
if (retval < 0)
goto out;
@@ -45207,7 +45342,7 @@ index 574cf4d..dfe774a 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
-@@ -1563,6 +1687,14 @@ static int do_execve_common(const char *filename,
+@@ -1564,6 +1688,14 @@ static int do_execve_common(const char *filename,
put_files_struct(displaced);
return retval;
@@ -45222,7 +45357,7 @@ index 574cf4d..dfe774a 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1636,7 +1768,7 @@ static int expand_corename(struct core_name *cn)
+@@ -1637,7 +1769,7 @@ static int expand_corename(struct core_name *cn)
{
char *old_corename = cn->corename;
@@ -45231,7 +45366,7 @@ index 574cf4d..dfe774a 100644
cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
if (!cn->corename) {
-@@ -1733,7 +1865,7 @@ static int format_corename(struct core_name *cn, long signr)
+@@ -1734,7 +1866,7 @@ static int format_corename(struct core_name *cn, long signr)
int pid_in_pattern = 0;
int err = 0;
@@ -45240,7 +45375,7 @@ index 574cf4d..dfe774a 100644
cn->corename = kmalloc(cn->size, GFP_KERNEL);
cn->used = 0;
-@@ -1830,6 +1962,250 @@ out:
+@@ -1831,6 +1963,250 @@ out:
return ispipe;
}
@@ -45491,7 +45626,7 @@ index 574cf4d..dfe774a 100644
static int zap_process(struct task_struct *start, int exit_code)
{
struct task_struct *t;
-@@ -2040,17 +2416,17 @@ static void wait_for_dump_helpers(struct file *file)
+@@ -2041,17 +2417,17 @@ static void wait_for_dump_helpers(struct file *file)
pipe = file->f_path.dentry->d_inode->i_pipe;
pipe_lock(pipe);
@@ -45514,7 +45649,7 @@ index 574cf4d..dfe774a 100644
pipe_unlock(pipe);
}
-@@ -2105,7 +2481,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2106,7 +2482,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
int flag = 0;
int ispipe;
bool need_nonrelative = false;
@@ -45523,7 +45658,7 @@ index 574cf4d..dfe774a 100644
struct coredump_params cprm = {
.signr = signr,
.regs = regs,
-@@ -2120,6 +2496,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2121,6 +2497,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
audit_core_dumps(signr);
@@ -45533,7 +45668,7 @@ index 574cf4d..dfe774a 100644
binfmt = mm->binfmt;
if (!binfmt || !binfmt->core_dump)
goto fail;
-@@ -2190,7 +2569,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2191,7 +2570,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
}
cprm.limit = RLIM_INFINITY;
@@ -45542,7 +45677,7 @@ index 574cf4d..dfe774a 100644
if (core_pipe_limit && (core_pipe_limit < dump_count)) {
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
task_tgid_vnr(current), current->comm);
-@@ -2217,6 +2596,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2218,6 +2597,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
} else {
struct inode *inode;
@@ -45551,7 +45686,7 @@ index 574cf4d..dfe774a 100644
if (cprm.limit < binfmt->min_coredump)
goto fail_unlock;
-@@ -2268,7 +2649,7 @@ close_fail:
+@@ -2269,7 +2650,7 @@ close_fail:
filp_close(cprm.file, NULL);
fail_dropcount:
if (ispipe)
@@ -45560,7 +45695,7 @@ index 574cf4d..dfe774a 100644
fail_unlock:
kfree(cn.corename);
fail_corename:
-@@ -2287,7 +2668,7 @@ fail:
+@@ -2288,7 +2669,7 @@ fail:
*/
int dump_write(struct file *file, const void *addr, int nr)
{
@@ -45652,6 +45787,57 @@ index 5c69f2b..05dec7f 100644
atomic_t s_lock_busy;
/* locality groups */
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index 8ce0076..cc2d77c 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -716,6 +716,10 @@ repeat_in_this_group:
+ "inode=%lu", ino + 1);
+ continue;
+ }
++ BUFFER_TRACE(inode_bitmap_bh, "get_write_access");
++ err = ext4_journal_get_write_access(handle, inode_bitmap_bh);
++ if (err)
++ goto fail;
+ ext4_lock_group(sb, group);
+ ret2 = ext4_test_and_set_bit(ino, inode_bitmap_bh->b_data);
+ ext4_unlock_group(sb, group);
+@@ -729,6 +733,11 @@ repeat_in_this_group:
+ goto out;
+
+ got:
++ BUFFER_TRACE(inode_bitmap_bh, "call ext4_handle_dirty_metadata");
++ err = ext4_handle_dirty_metadata(handle, NULL, inode_bitmap_bh);
++ if (err)
++ goto fail;
++
+ /* We may have to initialize the block bitmap if it isn't already */
+ if (ext4_has_group_desc_csum(sb) &&
+ gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
+@@ -762,11 +771,6 @@ got:
+ goto fail;
+ }
+
+- BUFFER_TRACE(inode_bitmap_bh, "get_write_access");
+- err = ext4_journal_get_write_access(handle, inode_bitmap_bh);
+- if (err)
+- goto fail;
+-
+ BUFFER_TRACE(group_desc_bh, "get_write_access");
+ err = ext4_journal_get_write_access(handle, group_desc_bh);
+ if (err)
+@@ -814,11 +818,6 @@ got:
+ }
+ ext4_unlock_group(sb, group);
+
+- BUFFER_TRACE(inode_bitmap_bh, "call ext4_handle_dirty_metadata");
+- err = ext4_handle_dirty_metadata(handle, NULL, inode_bitmap_bh);
+- if (err)
+- goto fail;
+-
+ BUFFER_TRACE(group_desc_bh, "call ext4_handle_dirty_metadata");
+ err = ext4_handle_dirty_metadata(handle, NULL, group_desc_bh);
+ if (err)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index b26410c..7383d90 100644
--- a/fs/ext4/mballoc.c
@@ -47551,7 +47737,7 @@ index 7e81bfc..c3649aa 100644
lock_flocks();
diff --git a/fs/namei.c b/fs/namei.c
-index 81bd546..80149d9 100644
+index 091c4b7..c6d7e26 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -265,16 +265,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -50292,7 +50478,7 @@ index 41514dd..6564a93 100644
pipe_unlock(ipipe);
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
-index 6b0bb00..75db2fe 100644
+index 2fbdff6..5530a61 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -685,6 +685,18 @@ static int create_dir(struct kobject *kobj, struct sysfs_dirent *parent_sd,
@@ -61439,10 +61625,10 @@ index 9c02a45..89fdd73 100644
unsigned int offset, size_t len);
diff --git a/include/linux/efi.h b/include/linux/efi.h
-index ec45ccd..9923c32 100644
+index 5782114..e9b1ba1 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -635,7 +635,7 @@ struct efivar_operations {
+@@ -640,7 +640,7 @@ struct efivar_operations {
efi_get_variable_t *get_variable;
efi_get_next_variable_t *get_next_variable;
efi_set_variable_t *set_variable;
@@ -65051,6 +65237,26 @@ index 9e5425b..8136ffc 100644
struct list_head list;
/* Protects from simultaneous access to first_req list */
spinlock_t info_list_lock;
+diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
+index f10553c..fb5204b 100644
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -2633,6 +2633,15 @@ unsigned int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb);
+ unsigned int __attribute_const__ ieee80211_hdrlen(__le16 fc);
+
+ /**
++ * ieee80211_get_mesh_hdrlen - get mesh extension header length
++ * @meshhdr: the mesh extension header, only the flags field
++ * (first byte) will be accessed
++ * Returns the length of the extension header, which is always at
++ * least 6 bytes and at most 18 if address 5 and 6 are present.
++ */
++unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr);
++
++/**
+ * DOC: Data path helpers
+ *
+ * In addition to generic utilities, cfg80211 also offers
diff --git a/include/net/flow.h b/include/net/flow.h
index 628e11b..4c475df 100644
--- a/include/net/flow.h
@@ -66039,7 +66245,7 @@ index 84c6bf1..8899338 100644
next_state = Reset;
return 0;
diff --git a/init/main.c b/init/main.c
-index b286730..9ff6135 100644
+index d61ec54..bd3144f 100644
--- a/init/main.c
+++ b/init/main.c
@@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { }
@@ -66113,7 +66319,7 @@ index b286730..9ff6135 100644
static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
static const char *panic_later, *panic_param;
-@@ -675,6 +732,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -678,6 +735,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
{
int count = preempt_count();
int ret;
@@ -66121,7 +66327,7 @@ index b286730..9ff6135 100644
if (initcall_debug)
ret = do_one_initcall_debug(fn);
-@@ -687,15 +745,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -690,15 +748,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
sprintf(msgbuf, "error code %d ", ret);
if (preempt_count() != count) {
@@ -66141,7 +66347,7 @@ index b286730..9ff6135 100644
}
return ret;
-@@ -749,8 +807,14 @@ static void __init do_initcall_level(int level)
+@@ -752,8 +810,14 @@ static void __init do_initcall_level(int level)
level, level,
&repair_env_string);
@@ -66157,7 +66363,7 @@ index b286730..9ff6135 100644
}
static void __init do_initcalls(void)
-@@ -784,8 +848,14 @@ static void __init do_pre_smp_initcalls(void)
+@@ -787,8 +851,14 @@ static void __init do_pre_smp_initcalls(void)
{
initcall_t *fn;
@@ -66173,7 +66379,7 @@ index b286730..9ff6135 100644
}
static void run_init_process(const char *init_filename)
-@@ -867,7 +937,7 @@ static int __init kernel_init(void * unused)
+@@ -870,7 +940,7 @@ static int __init kernel_init(void * unused)
do_basic_setup();
/* Open the /dev/console on the rootfs, this should never fail */
@@ -66182,7 +66388,7 @@ index b286730..9ff6135 100644
printk(KERN_WARNING "Warning: unable to open an initial console.\n");
(void) sys_dup(0);
-@@ -880,11 +950,13 @@ static int __init kernel_init(void * unused)
+@@ -883,11 +953,13 @@ static int __init kernel_init(void * unused)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -72430,7 +72636,7 @@ index 5736170..8e04800 100644
return 0;
}
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index 3d64b36..dbab433 100644
+index 3d64b36..c6ab69c 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -655,6 +655,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
@@ -72444,7 +72650,7 @@ index 3d64b36..dbab433 100644
vma = find_vma(mm, start);
if (!vma || vma->vm_start > start)
return -EFAULT;
-@@ -691,9 +695,18 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
+@@ -691,9 +695,20 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
if (err)
goto out;
}
@@ -72455,15 +72661,17 @@ index 3d64b36..dbab433 100644
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ vma_m = pax_find_mirror_vma(vma);
-+ err = vma_replace_policy(vma_m, new_pol);
-+ if (err)
-+ goto out;
++ if (vma_m) {
++ err = vma_replace_policy(vma_m, new_pol);
++ if (err)
++ goto out;
++ }
+#endif
+
}
out:
-@@ -1147,6 +1160,17 @@ static long do_mbind(unsigned long start, unsigned long len,
+@@ -1147,6 +1162,17 @@ static long do_mbind(unsigned long start, unsigned long len,
if (end < start)
return -EINVAL;
@@ -72481,7 +72689,7 @@ index 3d64b36..dbab433 100644
if (end == start)
return 0;
-@@ -1370,8 +1394,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
+@@ -1370,8 +1396,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
*/
tcred = __task_cred(task);
if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) &&
@@ -72491,7 +72699,7 @@ index 3d64b36..dbab433 100644
rcu_read_unlock();
err = -EPERM;
goto out_put;
-@@ -1402,6 +1425,15 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
+@@ -1402,6 +1427,15 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
goto out;
}
@@ -74365,10 +74573,10 @@ index 926b466..b23df53 100644
if (!mm || IS_ERR(mm)) {
rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
diff --git a/mm/rmap.c b/mm/rmap.c
-index 0f3b7cd..c5652b6 100644
+index aa95e59..b681a63 100644
--- a/mm/rmap.c
+++ b/mm/rmap.c
-@@ -167,6 +167,10 @@ int anon_vma_prepare(struct vm_area_struct *vma)
+@@ -168,6 +168,10 @@ int anon_vma_prepare(struct vm_area_struct *vma)
struct anon_vma *anon_vma = vma->anon_vma;
struct anon_vma_chain *avc;
@@ -74379,7 +74587,7 @@ index 0f3b7cd..c5652b6 100644
might_sleep();
if (unlikely(!anon_vma)) {
struct mm_struct *mm = vma->vm_mm;
-@@ -176,6 +180,12 @@ int anon_vma_prepare(struct vm_area_struct *vma)
+@@ -177,6 +181,12 @@ int anon_vma_prepare(struct vm_area_struct *vma)
if (!avc)
goto out_enomem;
@@ -74392,7 +74600,7 @@ index 0f3b7cd..c5652b6 100644
anon_vma = find_mergeable_anon_vma(vma);
allocated = NULL;
if (!anon_vma) {
-@@ -189,6 +199,18 @@ int anon_vma_prepare(struct vm_area_struct *vma)
+@@ -190,6 +200,18 @@ int anon_vma_prepare(struct vm_area_struct *vma)
/* page_table_lock to protect against threads */
spin_lock(&mm->page_table_lock);
if (likely(!vma->anon_vma)) {
@@ -74411,7 +74619,7 @@ index 0f3b7cd..c5652b6 100644
vma->anon_vma = anon_vma;
anon_vma_chain_link(vma, avc, anon_vma);
allocated = NULL;
-@@ -199,12 +221,24 @@ int anon_vma_prepare(struct vm_area_struct *vma)
+@@ -200,12 +222,24 @@ int anon_vma_prepare(struct vm_area_struct *vma)
if (unlikely(allocated))
put_anon_vma(allocated);
@@ -74436,7 +74644,7 @@ index 0f3b7cd..c5652b6 100644
anon_vma_chain_free(avc);
out_enomem:
return -ENOMEM;
-@@ -240,7 +274,7 @@ static inline void unlock_anon_vma_root(struct anon_vma *root)
+@@ -241,7 +275,7 @@ static inline void unlock_anon_vma_root(struct anon_vma *root)
* Attach the anon_vmas from src to dst.
* Returns 0 on success, -ENOMEM on failure.
*/
@@ -74445,7 +74653,7 @@ index 0f3b7cd..c5652b6 100644
{
struct anon_vma_chain *avc, *pavc;
struct anon_vma *root = NULL;
-@@ -318,7 +352,7 @@ void anon_vma_moveto_tail(struct vm_area_struct *dst)
+@@ -319,7 +353,7 @@ void anon_vma_moveto_tail(struct vm_area_struct *dst)
* the corresponding VMA in the parent process is attached to.
* Returns 0 on success, non-zero on failure.
*/
@@ -77077,11 +77285,42 @@ index 2a1383c..ff99572 100644
get_random_bytes(&net->ipv4.dev_addr_genid,
sizeof(net->ipv4.dev_addr_genid));
return 0;
+diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
+index 813b43a..834857f 100644
+--- a/net/ipv4/tcp_illinois.c
++++ b/net/ipv4/tcp_illinois.c
+@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
+ .tcpv_rttcnt = ca->cnt_rtt,
+ .tcpv_minrtt = ca->base_rtt,
+ };
+- u64 t = ca->sum_rtt;
+
+- do_div(t, ca->cnt_rtt);
+- info.tcpv_rtt = t;
++ if (info.tcpv_rttcnt > 0) {
++ u64 t = ca->sum_rtt;
+
++ do_div(t, info.tcpv_rttcnt);
++ info.tcpv_rtt = t;
++ }
+ nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
+ }
+ }
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index d377f48..c2211ed 100644
+index d377f48..f19e3ec 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
-@@ -4728,7 +4728,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
+@@ -4556,6 +4556,9 @@ int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size)
+ struct tcphdr *th;
+ bool fragstolen;
+
++ if (size == 0)
++ return 0;
++
+ skb = alloc_skb(size + sizeof(*th), sk->sk_allocation);
+ if (!skb)
+ goto err;
+@@ -4728,7 +4731,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
* simplifies code)
*/
static void
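Review bot: The new `if (info.tcpv_rttcnt > 0)` guard in tcp_illinois_info carries no comment saying that it exists to avoid dividing by a zero sample count, or that `tcpv_rtt` is then left at the zero supplied by the designated initializer. I would add `/* no RTT samples yet: skip the division, tcpv_rtt stays 0 */` above the guard. The `if (size == 0) return 0;` added to tcp_send_rcvq further down is equally uncommented, and a one-line reason there would help the next reader decide whether returning success for an empty payload is intended. Both function bodies start and end outside the visible lines.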
@@ -77879,6 +78118,31 @@ index 34e4185..8823368 100644
} while (!res);
return res;
}
+diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
+index 3bfb34a..69bf48d 100644
+--- a/net/l2tp/l2tp_eth.c
++++ b/net/l2tp/l2tp_eth.c
+@@ -290,6 +290,7 @@ static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 p
+
+ out_del_dev:
+ free_netdev(dev);
++ spriv->dev = NULL;
+ out_del_session:
+ l2tp_session_delete(session);
+ out:
+diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
+index 5746d62..327aa07 100644
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -1074,7 +1074,7 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
+ sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
+ sdata->u.ibss.ibss_join_req = jiffies;
+
+- memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN);
++ memcpy(sdata->u.ibss.ssid, params->ssid, params->ssid_len);
+ sdata->u.ibss.ssid_len = params->ssid_len;
+
+ mutex_unlock(&sdata->u.ibss.mtx);
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index bb61f77..3788d63 100644
--- a/net/mac80211/ieee80211_i.h
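Review bot: The memcpy in ieee80211_ibss_join now takes its length from `params->ssid_len`, and nothing in the visible lines bounds that value by the size of `sdata->u.ibss.ssid`. The old call copied a fixed IEEE80211_MAX_SSID_LEN bytes, so the destination is presumably that large; with the new length, an unvalidated ssid_len would write past it. If the caller does not already enforce the limit, a check before the mutex that the visible `mutex_unlock` releases is taken would close this: `if (WARN_ON(params->ssid_len > IEEE80211_MAX_SSID_LEN)) return -EINVAL;`. The function starts outside the hunk, so the validation may already exist there or in the configuration layer and should be confirmed.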
@@ -77901,7 +78165,7 @@ index bb61f77..3788d63 100644
/* number of interfaces with corresponding FIF_ flags */
int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
-index bfb57dc..77c4b81 100644
+index c93d395..a305570 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -454,7 +454,7 @@ static int ieee80211_do_open(struct net_device *dev, bool coming_up)
@@ -78037,8 +78301,108 @@ index c97a065..ff61928 100644
return -EFAULT;
return p;
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 0cb4ede..884155d 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -491,6 +491,11 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
+
+ if (ieee80211_is_action(hdr->frame_control)) {
+ u8 category;
++
++ /* make sure category field is present */
++ if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
++ return RX_DROP_MONITOR;
++
+ mgmt = (struct ieee80211_mgmt *)hdr;
+ category = mgmt->u.action.category;
+ if (category != WLAN_CATEGORY_MESH_ACTION &&
+@@ -1426,7 +1431,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+ frag = sc & IEEE80211_SCTL_FRAG;
+
+ if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
+- (rx->skb)->len < 24 ||
+ is_multicast_ether_addr(hdr->addr1))) {
+ /* not fragmented */
+ goto out;
+@@ -1849,6 +1853,20 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
+
+ hdr = (struct ieee80211_hdr *) skb->data;
+ hdrlen = ieee80211_hdrlen(hdr->frame_control);
++
++ /* make sure fixed part of mesh header is there, also checks skb len */
++ if (!pskb_may_pull(rx->skb, hdrlen + 6))
++ return RX_DROP_MONITOR;
++
++ mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
++
++ /* make sure full mesh header is there, also checks skb len */
++ if (!pskb_may_pull(rx->skb,
++ hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
++ return RX_DROP_MONITOR;
++
++ /* reload pointers */
++ hdr = (struct ieee80211_hdr *) skb->data;
+ mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
+
+ /* frame is in RMC, don't forward */
+@@ -1871,9 +1889,12 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
+ if (is_multicast_ether_addr(hdr->addr1)) {
+ mpp_addr = hdr->addr3;
+ proxied_addr = mesh_hdr->eaddr1;
+- } else {
++ } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
++ /* has_a4 already checked in ieee80211_rx_mesh_check */
+ mpp_addr = hdr->addr4;
+ proxied_addr = mesh_hdr->eaddr2;
++ } else {
++ return RX_DROP_MONITOR;
+ }
+
+ rcu_read_lock();
+@@ -2313,6 +2334,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
+ }
+ break;
+ case WLAN_CATEGORY_SELF_PROTECTED:
++ if (len < (IEEE80211_MIN_ACTION_SIZE +
++ sizeof(mgmt->u.action.u.self_prot.action_code)))
++ break;
++
+ switch (mgmt->u.action.u.self_prot.action_code) {
+ case WLAN_SP_MESH_PEERING_OPEN:
+ case WLAN_SP_MESH_PEERING_CLOSE:
+@@ -2331,6 +2356,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
+ }
+ break;
+ case WLAN_CATEGORY_MESH_ACTION:
++ if (len < (IEEE80211_MIN_ACTION_SIZE +
++ sizeof(mgmt->u.action.u.mesh_action.action_code)))
++ break;
++
+ if (!ieee80211_vif_is_mesh(&sdata->vif))
+ break;
+ if (mesh_action_is_path_sel(mgmt) &&
+@@ -2865,10 +2894,15 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
+ if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
+ local->dot11ReceivedFragmentCount++;
+
+- if (ieee80211_is_mgmt(fc))
+- err = skb_linearize(skb);
+- else
++ if (ieee80211_is_mgmt(fc)) {
++ /* drop frame if too short for header */
++ if (skb->len < ieee80211_hdrlen(fc))
++ err = -ENOBUFS;
++ else
++ err = skb_linearize(skb);
++ } else {
+ err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
++ }
+
+ if (err) {
+ dev_kfree_skb(skb);
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
-index 39b82fe..5469ef4 100644
+index c9b52f7..4da1014 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1251,7 +1251,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
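Review bot: The first `pskb_may_pull(rx->skb, hdrlen + 6)` added to ieee80211_rx_h_mesh_fwding hard-codes the size of the fixed mesh header as a bare `6`. The same number appears as a return value in ieee80211_get_mesh_hdrlen, so the two can drift apart silently. A named constant shared by both, or at least `/* 6 = mesh header without address extension */` on this line, would keep the bounds check tied to the layout it protects. The added lines also alternate between `rx->skb` and `skb` for what appears to be the same buffer; using one spelling would make the pointer reload after the second pull easier to verify. The function continues outside the hunk.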
@@ -78420,6 +78784,28 @@ index 7261eb8..44e8ac6 100644
sax->fsa_ax25.sax25_call = nr->source_addr;
*uaddr_len = sizeof(struct sockaddr_ax25);
}
+diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
+index ddeb9aa..e18fffd 100644
+--- a/net/nfc/llcp/sock.c
++++ b/net/nfc/llcp/sock.c
+@@ -443,15 +443,11 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
+ pr_debug("sock %p sk %p flags 0x%x\n", sock, sk, flags);
+
+ if (!addr || len < sizeof(struct sockaddr_nfc) ||
+- addr->sa_family != AF_NFC) {
+- pr_err("Invalid socket\n");
++ addr->sa_family != AF_NFC)
+ return -EINVAL;
+- }
+
+- if (addr->service_name_len == 0 && addr->dsap == 0) {
+- pr_err("Missing service name or dsap\n");
++ if (addr->service_name_len == 0 && addr->dsap == 0)
+ return -EINVAL;
+- }
+
+ pr_debug("addr dev_idx=%u target_idx=%u protocol=%u\n", addr->dev_idx,
+ addr->target_idx, addr->nfc_protocol);
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index c5c9e2a..4814ab1 100644
--- a/net/packet/af_packet.c
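Review bot: The length test kept in llcp_sock_connect compares `len` with `sizeof(struct sockaddr_nfc)`, yet the very next condition reads `addr->service_name_len` and `addr->dsap`. If `addr` is declared as the larger LLCP address structure (its declaration is outside the hunk), those fields lie beyond what the length check guarantees the caller supplied, so they may be read from bytes the caller never filled in. Comparing against the structure actually dereferenced, `len < sizeof(*addr)`, would make the check match the accesses. Confirm first that existing callers pass the full structure.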
@@ -79607,6 +79993,27 @@ index bc7430b..35349de 100644
struct rfkill *rfkill;
struct work_struct rfkill_sync;
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index 994e2f0..f67aeb1 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -309,7 +309,7 @@ unsigned int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb)
+ }
+ EXPORT_SYMBOL(ieee80211_get_hdrlen_from_skb);
+
+-static int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
++unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
+ {
+ int ae = meshhdr->flags & MESH_FLAGS_AE;
+ /* 7.1.3.5a.2 */
+@@ -326,6 +326,7 @@ static int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
+ return 6;
+ }
+ }
++EXPORT_SYMBOL(ieee80211_get_mesh_hdrlen);
+
+ int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
+ enum nl80211_iftype iftype)
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
index b0eb7aa..7d73e82 100644
--- a/net/wireless/wext-core.c
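Review bot: ieee80211_get_mesh_hdrlen becomes a non-static, exported symbol here but gets no kernel-doc comment stating what callers must guarantee. It dereferences `meshhdr->flags`, so a caller has to make sure the start of the mesh header is present in linear data before calling. A short comment saying that, and that the return value is the header length in bytes selected by the flags, belongs above the definition. Since the visible body only reads through the pointer, the parameter could also be `const struct ieee80211s_hdr *meshhdr`, with the prototype updated to match.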
@@ -89442,32 +89849,6 @@ index 6789d78..4afd019e 100644
+ .endm
+
#endif
-diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c
-index af0f22f..9a7d479 100644
---- a/usr/gen_init_cpio.c
-+++ b/usr/gen_init_cpio.c
-@@ -303,7 +303,7 @@ static int cpio_mkfile(const char *name, const char *location,
- int retval;
- int rc = -1;
- int namesize;
-- int i;
-+ unsigned int i;
-
- mode |= S_IFREG;
-
-@@ -392,9 +392,10 @@ static char *cpio_replace_env(char *new_location)
- *env_var = *expanded = '\0';
- strncat(env_var, start + 2, end - start - 2);
- strncat(expanded, new_location, start - new_location);
-- strncat(expanded, getenv(env_var), PATH_MAX);
-- strncat(expanded, end + 1, PATH_MAX);
-+ strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
-+ strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
- strncpy(new_location, expanded, PATH_MAX);
-+ new_location[PATH_MAX] = 0;
- } else
- break;
- }
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index d617f69..6b445d2 100644
--- a/virt/kvm/kvm_main.c