* [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.5.4/, 3.2.30/, 3.2.29/
@ 2012-09-21 10:03 Anthony G. Basile
From: Anthony G. Basile @ 2012-09-21 10:03 UTC (permalink / raw
To: gentoo-commits
commit: cbb75ae1e8759f0da781d7b1843ed5b47f077622
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Fri Sep 21 10:02:44 2012 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri Sep 21 10:02:44 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=cbb75ae1
Grsec/PaX: 2.9.1-{2.6.32.59,3.2.30,3.5.4}-201209192118
---
2.6.32/0000_README | 2 +-
..._grsecurity-2.9.1-2.6.32.59-201209192117.patch} | 290 ++++-
{3.2.29 => 3.2.30}/0000_README | 2 +-
{3.2.29 => 3.2.30}/1021_linux-3.2.22.patch | 0
{3.2.29 => 3.2.30}/1022_linux-3.2.23.patch | 0
{3.2.29 => 3.2.30}/1023_linux-3.2.24.patch | 0
{3.2.29 => 3.2.30}/1024_linux-3.2.25.patch | 0
{3.2.29 => 3.2.30}/1025_linux-3.2.26.patch | 0
{3.2.29 => 3.2.30}/1026_linux-3.2.27.patch | 0
{3.2.29 => 3.2.30}/1027_linux-3.2.28.patch | 0
{3.2.29 => 3.2.30}/1028_linux-3.2.29.patch | 0
...4420_grsecurity-2.9.1-3.2.30-201209192117.patch | 1358 ++++++++++++--------
.../4430_grsec-remove-localversion-grsec.patch | 0
{3.2.29 => 3.2.30}/4435_grsec-mute-warnings.patch | 0
.../4440_grsec-remove-protected-paths.patch | 0
.../4450_grsec-kconfig-default-gids.patch | 0
.../4465_selinux-avc_audit-log-curr_ip.patch | 0
{3.2.29 => 3.2.30}/4470_disable-compat_vdso.patch | 0
3.5.4/0000_README | 2 +-
...4420_grsecurity-2.9.1-3.5.4-201209192118.patch} | 800 +++++++++++-
20 files changed, 1823 insertions(+), 631 deletions(-)
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 0955009..ac17e52 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -30,7 +30,7 @@ Patch: 1058_linux-2.6.32.59.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.59-201209171823.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.59-201209192117.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201209171823.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201209192117.patch
similarity index 99%
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201209171823.patch
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201209192117.patch
index 1bc2c59..b4d700f 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201209171823.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201209192117.patch
@@ -22341,7 +22341,7 @@ index be25734..87fe232 100644
return pc;
}
diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
-index 6bb7b85..8f88b4a 100644
+index 6bb7b85..aeb81c2 100644
--- a/arch/x86/kernel/tls.c
+++ b/arch/x86/kernel/tls.c
@@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
@@ -22365,7 +22365,7 @@ index 6bb7b85..8f88b4a 100644
(pos % sizeof(struct user_desc)) != 0 ||
(count % sizeof(struct user_desc)) != 0)
return -EINVAL;
-@@ -198,7 +203,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
+@@ -198,14 +203,14 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
const struct user_desc *info;
@@ -22374,6 +22374,14 @@ index 6bb7b85..8f88b4a 100644
(pos % sizeof(struct user_desc)) != 0 ||
(count % sizeof(struct user_desc)) != 0)
return -EINVAL;
+
+ if (kbuf)
+ info = kbuf;
+- else if (__copy_from_user(infobuf, ubuf, count))
++ else if (count > sizeof infobuf || __copy_from_user(infobuf, ubuf, count))
+ return -EFAULT;
+ else
+ info = infobuf;
diff --git a/arch/x86/kernel/trampoline_32.S b/arch/x86/kernel/trampoline_32.S
index 8508237..229b664 100644
--- a/arch/x86/kernel/trampoline_32.S
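Review bot: In regset_tls_set the new `count > sizeof infobuf` test is folded into the `__copy_from_user` condition, so an over-long request is reported as -EFAULT, while the malformed `pos`/`count` checks directly above it return -EINVAL. A caller then cannot tell a bad length from a bad user pointer; a separate `if (count > sizeof infobuf) return -EINVAL;` ahead of the `if (kbuf)` chain would keep the two cases apart. The same folding appears in the capset hunk (`tocopy > _KERNEL_CAPABILITY_U32S`), the compat_sys_socketcall hunk (`nas[call] > sizeof a`) and the 3.2.30 copy of this tls.c change. The function body starts and ends outside the hunk.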
@@ -29518,7 +29526,7 @@ index 21e1aeb..2c0b3c4 100644
-}
-__setup("vdso=", vdso_setup);
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 0087b00..ec5c76f 100644
+index 0087b00..ba03036 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -71,8 +71,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -29539,6 +29547,25 @@ index 0087b00..ec5c76f 100644
end = start + __get_cpu_var(idt_desc).size + 1;
xen_mc_flush();
+@@ -718,12 +716,12 @@ static u32 xen_safe_apic_wait_icr_idle(void)
+
+ static void set_xen_basic_apic_ops(void)
+ {
+- apic->read = xen_apic_read;
+- apic->write = xen_apic_write;
+- apic->icr_read = xen_apic_icr_read;
+- apic->icr_write = xen_apic_icr_write;
+- apic->wait_icr_idle = xen_apic_wait_icr_idle;
+- apic->safe_wait_icr_idle = xen_safe_apic_wait_icr_idle;
++ *(void **)&apic->read = xen_apic_read;
++ *(void **)&apic->write = xen_apic_write;
++ *(void **)&apic->icr_read = xen_apic_icr_read;
++ *(void **)&apic->icr_write = xen_apic_icr_write;
++ *(void **)&apic->wait_icr_idle = xen_apic_wait_icr_idle;
++ *(void **)&apic->safe_wait_icr_idle = xen_safe_apic_wait_icr_idle;
+ }
+
+ #endif
@@ -945,7 +943,10 @@ static const struct pv_cpu_ops xen_cpu_ops __initdata = {
.wbinvd = native_wbinvd,
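Review bot: Storing through `*(void **)&apic->read` and its five siblings in set_xen_basic_apic_ops discards each member's function-pointer type, so a handler with the wrong signature would now be accepted without a diagnostic. The cast presumably exists because these members are const-qualified elsewhere in this patch set, which the hunk does not show; once confirmed, a comment above the first store such as `/* cast needed: apic's members are const-qualified in this tree */` would record the reason. It is also worth confirming that the object is still writable at the point this function runs, since the hunk adds nothing around the stores. The 3.2.30 copy of this hunk is identical.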
@@ -55721,9 +55748,27 @@ index cbc6290..eb323d7 100644
void *p, u32 len)
{}
diff --git a/drivers/net/wireless/iwlwifi/iwl-debugfs.c b/drivers/net/wireless/iwlwifi/iwl-debugfs.c
-index a198bcf..8e68233 100644
+index a198bcf..aaa4128 100644
--- a/drivers/net/wireless/iwlwifi/iwl-debugfs.c
+++ b/drivers/net/wireless/iwlwifi/iwl-debugfs.c
+@@ -166,7 +166,7 @@ static ssize_t iwl_dbgfs_tx_statistics_write(struct file *file,
+ struct iwl_priv *priv = file->private_data;
+ u32 clear_flag;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+
+ memset(buf, 0, sizeof(buf));
+ buf_size = min(count, sizeof(buf) - 1);
+@@ -285,7 +285,7 @@ static ssize_t iwl_dbgfs_sram_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[64];
+- int buf_size;
++ size_t buf_size;
+ u32 offset, len;
+
+ memset(buf, 0, sizeof(buf));
@@ -524,6 +524,8 @@ static ssize_t iwl_dbgfs_status_read(struct file *file,
int pos = 0;
const size_t bufsz = sizeof(buf);
@@ -55742,6 +55787,33 @@ index a198bcf..8e68233 100644
for (i = 0; i < AC_NUM; i++) {
pos += scnprintf(buf + pos, bufsz - pos,
"\tcw_min\tcw_max\taifsn\ttxop\n");
+@@ -739,7 +743,7 @@ static ssize_t iwl_dbgfs_disable_ht40_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int ht40;
+
+ memset(buf, 0, sizeof(buf));
+@@ -782,7 +786,7 @@ static ssize_t iwl_dbgfs_sleep_level_override_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int value;
+
+ memset(buf, 0, sizeof(buf));
+@@ -950,7 +954,7 @@ static ssize_t iwl_dbgfs_traffic_log_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int traffic_log;
+
+ memset(buf, 0, sizeof(buf));
diff --git a/drivers/net/wireless/iwlwifi/iwl-dev.h b/drivers/net/wireless/iwlwifi/iwl-dev.h
index 3539ea4..b174bfa 100644
--- a/drivers/net/wireless/iwlwifi/iwl-dev.h
@@ -90052,7 +90124,7 @@ index 6c31a2a..4b0e930 100644
/*
* prev_priority holds the scanning priority for this zone. It is
diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h
-index f58e9d8..3503935 100644
+index f58e9d83..3503935 100644
--- a/include/linux/mod_devicetable.h
+++ b/include/linux/mod_devicetable.h
@@ -12,7 +12,7 @@
@@ -93551,9 +93623,18 @@ index 267e484..ac41bc3 100644
if (context && context->in_syscall) {
diff --git a/kernel/capability.c b/kernel/capability.c
-index 8a944f5..db5001e 100644
+index 8a944f5..eed9491 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
+@@ -254,7 +254,7 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
+ if (pid != 0 && pid != task_pid_vnr(current))
+ return -EPERM;
+
+- if (copy_from_user(&kdata, data,
++ if (tocopy > _KERNEL_CAPABILITY_U32S || copy_from_user(&kdata, data,
+ tocopy * sizeof(struct __user_cap_data_struct)))
+ return -EFAULT;
+
@@ -305,10 +305,26 @@ int capable(int cap)
BUG();
}
@@ -103045,7 +103126,7 @@ index e48b493..24a601d 100644
mm->unmap_area = arch_unmap_area;
}
diff --git a/mm/vmalloc.c b/mm/vmalloc.c
-index f34ffd0..95dd843 100644
+index f34ffd0..4b76d56 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
@@ -103274,6 +103355,15 @@ index f34ffd0..95dd843 100644
if (!vas || !vms)
goto err_free;
+@@ -2433,7 +2499,7 @@ static int s_show(struct seq_file *m, void *p)
+ {
+ struct vm_struct *v = p;
+
+- seq_printf(m, "0x%p-0x%p %7ld",
++ seq_printf(m, "0x%pP-0x%pP %7ld",
+ v->addr, v->addr + v->size, v->size);
+
+ if (v->caller) {
diff --git a/mm/vmstat.c b/mm/vmstat.c
index 42d76c6..5643dc4 100644
--- a/mm/vmstat.c
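Review bot: `%pP` in s_show is not a specifier defined anywhere in these lines, and the change gives no hint of how it differs from `%p`. The two arguments are raw vmalloc range addresses written to a seq_file, so whether this line discloses kernel layout depends on what `%pP` does and on who may read the file. Once that is confirmed, a one-line comment above the call, e.g. `/* %pP: address printed deliberately; access to this file is restricted elsewhere */`, would make the intent reviewable. s_show continues past the hunk.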
@@ -103527,9 +103617,18 @@ index 56b7322..c48b84e 100644
#undef __HANDLE_ITEM
}
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
-index 75302a9..45caaaa 100644
+index 75302a9..09e36d3 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
+@@ -511,7 +511,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char
+ uf.event_mask[1] = *((u32 *) f->event_mask + 1);
+ }
+
+- len = min_t(unsigned int, len, sizeof(uf));
++ len = min((size_t)len, sizeof(uf));
+ if (copy_from_user(&uf, optval, len)) {
+ err = -EFAULT;
+ break;
@@ -576,6 +576,7 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname, char
{
struct hci_filter *f = &hci_pi(sk)->filter;
@@ -103539,7 +103638,7 @@ index 75302a9..45caaaa 100644
uf.opcode = f->opcode;
uf.event_mask[0] = *((u32 *) f->event_mask + 0);
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
-index 1ae3f80..c47b7c4 100644
+index 1ae3f80..c5d763b 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -543,6 +543,7 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *
@@ -103550,6 +103649,15 @@ index 1ae3f80..c47b7c4 100644
sa->rc_family = AF_BLUETOOTH;
sa->rc_channel = rfcomm_pi(sk)->channel;
if (peer)
+@@ -792,7 +793,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
+
+ sec.level = BT_SECURITY_LOW;
+
+- len = min_t(unsigned int, sizeof(sec), optlen);
++ len = min(sizeof(sec), len);
+ if (copy_from_user((char *) &sec, optval, len)) {
+ err = -EFAULT;
+ break;
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 5f6a305..00b8f21 100644
--- a/net/bluetooth/rfcomm/tty.c
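Review bot: The new clamp `len = min(sizeof(sec), len);` reads `len` on its right-hand side where the old line read `optlen`, and nothing in the hunk assigns `len` from `optlen` first. Unless that assignment exists earlier in rfcomm_sock_setsockopt, outside the hunk, the size handed to `copy_from_user` is derived from an uninitialised local instead of the caller's length. The result stays bounded by `sizeof(sec)`, but the number of bytes copied would be arbitrary. `len = min(sizeof(sec), (size_t)optlen);` keeps the original source of the value and gives both operands the same type, as the hci_sock.c hunk above does with its `(size_t)` cast.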
@@ -103637,7 +103745,7 @@ index 2ffd2e0..72a7486 100644
seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
seq_printf(m, " <<<\n");
diff --git a/net/compat.c b/net/compat.c
-index 9559afc..ccd74e1 100644
+index 9559afc..6c62f69 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -69,9 +69,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
@@ -103740,6 +103848,15 @@ index 9559afc..ccd74e1 100644
struct group_filter __user *kgf;
u32 interface, fmode, numsrc;
+@@ -765,7 +765,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
+
+ if (call < SYS_SOCKET || call > SYS_ACCEPT4)
+ return -EINVAL;
+- if (copy_from_user(a, args, nas[call]))
++ if (nas[call] > sizeof a || copy_from_user(a, args, nas[call]))
+ return -EFAULT;
+ a0 = a[0];
+ a1 = a[1];
diff --git a/net/core/dev.c b/net/core/dev.c
index 84a0705..fb849b8 100644
--- a/net/core/dev.c
@@ -104341,7 +104458,7 @@ index f8d04c2..c1188f2 100644
return res;
}
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
-index c8b0cc3..4da5ae2 100644
+index c8b0cc3..ca974ff 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -934,6 +934,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
@@ -104352,6 +104469,33 @@ index c8b0cc3..4da5ae2 100644
info.valid_hooks = t->valid_hooks;
memcpy(info.hook_entry, private->hook_entry,
sizeof(info.hook_entry));
+@@ -943,7 +944,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
+ info.size = private->size;
+ strcpy(info.name, name);
+
+- if (copy_to_user(user, &info, *len) != 0)
++ if (copy_to_user(user, &info, len) != 0)
+ ret = -EFAULT;
+ else
+ ret = 0;
+@@ -1702,7 +1703,7 @@ static int compat_do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user,
+
+ switch (cmd) {
+ case ARPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 1);
++ ret = get_info(sock_net(sk), user, *len, 1);
+ break;
+ case ARPT_SO_GET_ENTRIES:
+ ret = compat_get_entries(sock_net(sk), user, len);
+@@ -1747,7 +1748,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
+
+ switch (cmd) {
+ case ARPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 0);
++ ret = get_info(sock_net(sk), user, *len, 0);
+ break;
+
+ case ARPT_SO_GET_ENTRIES:
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index c156db2..e772975 100644
--- a/net/ipv4/netfilter/ip_queue.c
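Review bot: get_info now passes `len` straight to `copy_to_user` and both callers pass `*len`, yet the hunk header for this function still shows the parameter as `int *len`, and none of the visible hunks for this file changes the signature or any earlier `*len` read in the body. If the parameter is still a pointer, the copy size becomes a pointer value and the callers hand an integer to a pointer parameter. For the three edits to be consistent the signature has to become `int len`, with any remaining `*len` uses inside get_info adjusted to match. The ip_tables.c and ip6_tables.c hunks below make the same three edits and need the same check. The signature line itself lies outside the hunk.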
@@ -104377,7 +104521,7 @@ index c156db2..e772975 100644
skblen = skb->len;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
-index 0606db1..02e7e4c 100644
+index 0606db1..023c85c 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1141,6 +1141,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
@@ -104388,6 +104532,33 @@ index 0606db1..02e7e4c 100644
info.valid_hooks = t->valid_hooks;
memcpy(info.hook_entry, private->hook_entry,
sizeof(info.hook_entry));
+@@ -1150,7 +1151,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
+ info.size = private->size;
+ strcpy(info.name, name);
+
+- if (copy_to_user(user, &info, *len) != 0)
++ if (copy_to_user(user, &info, len) != 0)
+ ret = -EFAULT;
+ else
+ ret = 0;
+@@ -1979,7 +1980,7 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 1);
++ ret = get_info(sock_net(sk), user, *len, 1);
+ break;
+ case IPT_SO_GET_ENTRIES:
+ ret = compat_get_entries(sock_net(sk), user, len);
+@@ -2026,7 +2027,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 0);
++ ret = get_info(sock_net(sk), user, *len, 0);
+ break;
+
+ case IPT_SO_GET_ENTRIES:
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index ab996f9..3da5f96 100644
--- a/net/ipv4/raw.c
@@ -104953,7 +105124,7 @@ index 1cf3f0c..1d4376f 100644
skblen = skb->len;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
-index 78b5a36..7f37433 100644
+index 78b5a36..d2f7291 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1173,6 +1173,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
@@ -104964,6 +105135,33 @@ index 78b5a36..7f37433 100644
info.valid_hooks = t->valid_hooks;
memcpy(info.hook_entry, private->hook_entry,
sizeof(info.hook_entry));
+@@ -1182,7 +1183,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
+ info.size = private->size;
+ strcpy(info.name, name);
+
+- if (copy_to_user(user, &info, *len) != 0)
++ if (copy_to_user(user, &info, len) != 0)
+ ret = -EFAULT;
+ else
+ ret = 0;
+@@ -2014,7 +2015,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IP6T_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 1);
++ ret = get_info(sock_net(sk), user, *len, 1);
+ break;
+ case IP6T_SO_GET_ENTRIES:
+ ret = compat_get_entries(sock_net(sk), user, len);
+@@ -2061,7 +2062,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IP6T_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 0);
++ ret = get_info(sock_net(sk), user, *len, 0);
+ break;
+
+ case IP6T_SO_GET_ENTRIES:
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 4f24570..b813b34 100644
--- a/net/ipv6/raw.c
@@ -106177,9 +106375,27 @@ index 7a83495..ab0062f 100644
*uaddr_len = sizeof(struct sockaddr_ax25);
}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 35cfa79..4e78ff7 100644
+index 35cfa79..8ad1123 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
+@@ -1724,7 +1724,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ case PACKET_DROP_MEMBERSHIP:
+ {
+ struct packet_mreq_max mreq;
+- int len = optlen;
++ unsigned int len = optlen;
+ memset(&mreq, 0, sizeof(mreq));
+ if (len < sizeof(struct packet_mreq))
+ return -EINVAL;
+@@ -1895,7 +1895,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+ case PACKET_HDRLEN:
+ if (len > sizeof(int))
+ len = sizeof(int);
+- if (copy_from_user(&val, optval, len))
++ if (len > sizeof(val) || copy_from_user(&val, optval, len))
+ return -EFAULT;
+ switch (val) {
+ case TPACKET_V1:
@@ -2429,7 +2429,11 @@ static int packet_seq_show(struct seq_file *seq, void *v)
seq_printf(seq,
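Review bot: In the PACKET_HDRLEN case the added `len > sizeof(val)` test comes directly after `if (len > sizeof(int)) len = sizeof(int);`, so if `val` is an `int` (its declaration is outside the hunk) the new test can never be true. If it is kept as an explicit bound for tooling or future edits, a comment such as `/* redundant with the clamp above; kept as an explicit bound on the copy */` would say so; otherwise it can be dropped. As written it would also report a length problem as -EFAULT. packet_getsockopt continues on both sides of the hunk.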
@@ -107489,10 +107705,27 @@ index f2f7c63..bc36b3d 100644
x->km.state = XFRM_STATE_VALID;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
-index b95a2d6..b6081b4 100644
+index b95a2d6..f6a9e08 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
-@@ -646,6 +646,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
+@@ -224,7 +224,7 @@ static int attach_one_algo(struct xfrm_algo **algpp, u8 *props,
+ if (!p)
+ return -ENOMEM;
+
+- strcpy(p->alg_name, algo->name);
++ strncpy(p->alg_name, algo->name, sizeof(p->alg_name));
+ *algpp = p;
+ return 0;
+ }
+@@ -506,6 +506,7 @@ out:
+
+ static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p)
+ {
++ memset(p, 0, sizeof(*p));
+ memcpy(&p->id, &x->id, sizeof(p->id));
+ memcpy(&p->sel, &x->sel, sizeof(p->sel));
+ memcpy(&p->lft, &x->lft, sizeof(p->lft));
+@@ -646,6 +647,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
{
struct xfrm_dump_info info;
struct sk_buff *skb;
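Review bot: `strncpy(p->alg_name, algo->name, sizeof(p->alg_name))` in attach_one_algo leaves `alg_name` without a terminating NUL whenever `algo->name` is at least as long as the field. Keeping strncpy for its zero padding fits the `memset(p, 0, sizeof(*p))` additions in the same hunk, but it should be followed by `p->alg_name[sizeof(p->alg_name) - 1] = '\0';`. The hunk does not show how long `algo->name` can be, so this may be unreachable today; the explicit terminator makes that independent of the algorithm table. attach_one_algo starts before the hunk.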
@@ -107500,7 +107733,7 @@ index b95a2d6..b6081b4 100644
skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
if (!skb)
-@@ -656,9 +657,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
+@@ -656,9 +658,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
info.nlmsg_seq = seq;
info.nlmsg_flags = 0;
@@ -107513,7 +107746,15 @@ index b95a2d6..b6081b4 100644
}
return skb;
-@@ -1169,6 +1171,8 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
+@@ -1075,6 +1078,7 @@ static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy
+
+ static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir)
+ {
++ memset(p, 0, sizeof(*p));
+ memcpy(&p->sel, &xp->selector, sizeof(p->sel));
+ memcpy(&p->lft, &xp->lft, sizeof(p->lft));
+ memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft));
+@@ -1169,6 +1173,8 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
int i;
@@ -107522,7 +107763,7 @@ index b95a2d6..b6081b4 100644
if (xp->xfrm_nr == 0)
return 0;
-@@ -1176,6 +1180,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
+@@ -1176,6 +1182,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
struct xfrm_user_tmpl *up = &vec[i];
struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
@@ -107530,7 +107771,7 @@ index b95a2d6..b6081b4 100644
memcpy(&up->id, &kp->id, sizeof(up->id));
up->family = kp->encap_family;
memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
-@@ -1784,6 +1789,8 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
+@@ -1784,6 +1791,8 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
int err;
int n = 0;
@@ -107979,10 +108220,10 @@ index d52f7a0..b66cdd9 100755
rm -f tags
xtags ctags
diff --git a/security/Kconfig b/security/Kconfig
-index fb363cd..a34a964 100644
+index fb363cd..19e2105 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,882 @@
+@@ -4,6 +4,879 @@
menu "Security options"
@@ -108555,9 +108796,6 @@ index fb363cd..a34a964 100644
+ that is, enabling this option will make it harder to inject
+ and execute 'foreign' code in kernel memory itself.
+
-+ Note that on x86_64 kernels there is a known regression when
-+ this feature and KVM/VMX are both enabled in the host kernel.
-+
+choice
+ prompt "Return Address Instrumentation Method"
+ default PAX_KERNEXEC_PLUGIN_METHOD_BTS
@@ -108865,7 +109103,7 @@ index fb363cd..a34a964 100644
config KEYS
bool "Enable access key retention support"
help
-@@ -146,7 +1022,7 @@ config INTEL_TXT
+@@ -146,7 +1019,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
diff --git a/3.2.29/0000_README b/3.2.30/0000_README
similarity index 97%
rename from 3.2.29/0000_README
rename to 3.2.30/0000_README
index 77f70fa..94b2983 100644
--- a/3.2.29/0000_README
+++ b/3.2.30/0000_README
@@ -34,7 +34,7 @@ Patch: 1028_linux-3.2.29.patch
From: http://www.kernel.org
Desc: Linux 3.2.29
-Patch: 4420_grsecurity-2.9.1-3.2.29-201209171824.patch
+Patch: 4420_grsecurity-2.9.1-3.2.30-201209192117.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.29/1021_linux-3.2.22.patch b/3.2.30/1021_linux-3.2.22.patch
similarity index 100%
rename from 3.2.29/1021_linux-3.2.22.patch
rename to 3.2.30/1021_linux-3.2.22.patch
diff --git a/3.2.29/1022_linux-3.2.23.patch b/3.2.30/1022_linux-3.2.23.patch
similarity index 100%
rename from 3.2.29/1022_linux-3.2.23.patch
rename to 3.2.30/1022_linux-3.2.23.patch
diff --git a/3.2.29/1023_linux-3.2.24.patch b/3.2.30/1023_linux-3.2.24.patch
similarity index 100%
rename from 3.2.29/1023_linux-3.2.24.patch
rename to 3.2.30/1023_linux-3.2.24.patch
diff --git a/3.2.29/1024_linux-3.2.25.patch b/3.2.30/1024_linux-3.2.25.patch
similarity index 100%
rename from 3.2.29/1024_linux-3.2.25.patch
rename to 3.2.30/1024_linux-3.2.25.patch
diff --git a/3.2.29/1025_linux-3.2.26.patch b/3.2.30/1025_linux-3.2.26.patch
similarity index 100%
rename from 3.2.29/1025_linux-3.2.26.patch
rename to 3.2.30/1025_linux-3.2.26.patch
diff --git a/3.2.29/1026_linux-3.2.27.patch b/3.2.30/1026_linux-3.2.27.patch
similarity index 100%
rename from 3.2.29/1026_linux-3.2.27.patch
rename to 3.2.30/1026_linux-3.2.27.patch
diff --git a/3.2.29/1027_linux-3.2.28.patch b/3.2.30/1027_linux-3.2.28.patch
similarity index 100%
rename from 3.2.29/1027_linux-3.2.28.patch
rename to 3.2.30/1027_linux-3.2.28.patch
diff --git a/3.2.29/1028_linux-3.2.29.patch b/3.2.30/1028_linux-3.2.29.patch
similarity index 100%
rename from 3.2.29/1028_linux-3.2.29.patch
rename to 3.2.30/1028_linux-3.2.29.patch
diff --git a/3.2.29/4420_grsecurity-2.9.1-3.2.29-201209171824.patch b/3.2.30/4420_grsecurity-2.9.1-3.2.30-201209192117.patch
similarity index 99%
rename from 3.2.29/4420_grsecurity-2.9.1-3.2.29-201209171824.patch
rename to 3.2.30/4420_grsecurity-2.9.1-3.2.30-201209192117.patch
index 4eebb32..4976f3f 100644
--- a/3.2.29/4420_grsecurity-2.9.1-3.2.29-201209171824.patch
+++ b/3.2.30/4420_grsecurity-2.9.1-3.2.30-201209192117.patch
@@ -245,7 +245,7 @@ index 88fd7f5..b318a78 100644
==============================================================
diff --git a/Makefile b/Makefile
-index d96fc2a..f2f719f 100644
+index 9fd7e60..9b1943b 100644
--- a/Makefile
+++ b/Makefile
@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -1753,7 +1753,7 @@ index 8fc2c8f..064c150 100644
#endif
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
-index 8380bd1..3829a27 100644
+index 7ac5dfd..cbbbd34 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -259,6 +259,8 @@ static int __die(const char *str, int err, struct thread_info *thread, struct pt
@@ -3273,7 +3273,7 @@ index 4ce7a01..449202a 100644
#endif /* __ASM_OPENRISC_CACHE_H */
diff --git a/arch/parisc/include/asm/atomic.h b/arch/parisc/include/asm/atomic.h
-index 4054b31..a10c105 100644
+index c4b779b..775b66b 100644
--- a/arch/parisc/include/asm/atomic.h
+++ b/arch/parisc/include/asm/atomic.h
@@ -335,6 +335,16 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
@@ -4275,7 +4275,7 @@ index 2e3200c..72095ce 100644
/* Find this entry, or if that fails, the next avail. entry */
while (entry->jump[0]) {
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
-index 6457574..08b28d3 100644
+index d687e3f..074a8cd 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -660,8 +660,8 @@ void show_regs(struct pt_regs * regs)
@@ -4289,7 +4289,7 @@ index 6457574..08b28d3 100644
#endif
show_stack(current, (unsigned long *) regs->gpr[1]);
if (!user_mode(regs))
-@@ -1165,10 +1165,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
+@@ -1157,10 +1157,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
newsp = stack[0];
ip = stack[STACK_FRAME_LR_SAVE];
if (!firstframe || ip != lr) {
@@ -4302,7 +4302,7 @@ index 6457574..08b28d3 100644
(void *)current->ret_stack[curr_frame].ret);
curr_frame--;
}
-@@ -1188,7 +1188,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
+@@ -1180,7 +1180,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
struct pt_regs *regs = (struct pt_regs *)
(sp + STACK_FRAME_OVERHEAD);
lr = regs->link;
@@ -4311,7 +4311,7 @@ index 6457574..08b28d3 100644
regs->trap, (void *)regs->nip, (void *)lr);
firstframe = 1;
}
-@@ -1263,58 +1263,3 @@ void thread_info_cache_init(void)
+@@ -1255,58 +1255,3 @@ void thread_info_cache_init(void)
}
#endif /* THREAD_SHIFT < PAGE_SHIFT */
@@ -4456,7 +4456,7 @@ index f2496f2..4e3cc47 100644
}
#endif
diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
-index 5459d14..10f8070 100644
+index 82dcd4d..a80088a 100644
--- a/arch/powerpc/kernel/traps.c
+++ b/arch/powerpc/kernel/traps.c
@@ -98,6 +98,8 @@ static void pmac_backlight_unblank(void)
@@ -19878,7 +19878,7 @@ index dd5fbf4..b7f2232 100644
return pc;
}
diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
-index bcfec2d..8f88b4a 100644
+index bcfec2d..aeb81c2 100644
--- a/arch/x86/kernel/tls.c
+++ b/arch/x86/kernel/tls.c
@@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
@@ -19893,6 +19893,15 @@ index bcfec2d..8f88b4a 100644
set_tls_desc(p, idx, &info, 1);
return 0;
+@@ -205,7 +210,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
+
+ if (kbuf)
+ info = kbuf;
+- else if (__copy_from_user(infobuf, ubuf, count))
++ else if (count > sizeof infobuf || __copy_from_user(infobuf, ubuf, count))
+ return -EFAULT;
+ else
+ info = infobuf;
diff --git a/arch/x86/kernel/trampoline_32.S b/arch/x86/kernel/trampoline_32.S
index 451c0a7..e57f551 100644
--- a/arch/x86/kernel/trampoline_32.S
@@ -27395,7 +27404,7 @@ index 153407c..611cba9 100644
-}
-__setup("vdso=", vdso_setup);
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 44d4393..21c4541 100644
+index 44d4393..f1e62e4 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -86,8 +86,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -27407,6 +27416,25 @@ index 44d4393..21c4541 100644
RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
__read_mostly int xen_have_vector_callback;
EXPORT_SYMBOL_GPL(xen_have_vector_callback);
+@@ -761,12 +759,12 @@ static u32 xen_safe_apic_wait_icr_idle(void)
+
+ static void set_xen_basic_apic_ops(void)
+ {
+- apic->read = xen_apic_read;
+- apic->write = xen_apic_write;
+- apic->icr_read = xen_apic_icr_read;
+- apic->icr_write = xen_apic_icr_write;
+- apic->wait_icr_idle = xen_apic_wait_icr_idle;
+- apic->safe_wait_icr_idle = xen_safe_apic_wait_icr_idle;
++ *(void **)&apic->read = xen_apic_read;
++ *(void **)&apic->write = xen_apic_write;
++ *(void **)&apic->icr_read = xen_apic_icr_read;
++ *(void **)&apic->icr_write = xen_apic_icr_write;
++ *(void **)&apic->wait_icr_idle = xen_apic_wait_icr_idle;
++ *(void **)&apic->safe_wait_icr_idle = xen_safe_apic_wait_icr_idle;
+ }
+
+ #endif
@@ -1041,7 +1039,7 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
#endif
};
@@ -30613,7 +30641,7 @@ index 98723cb..10ca85b 100644
return -EINVAL;
}
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
-index 8323fc3..5c1d755 100644
+index 3f1799b..3a853eb 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -1379,7 +1379,7 @@ int drm_mode_getconnector(struct drm_device *dev, void *data,
@@ -30654,7 +30682,7 @@ index 8323fc3..5c1d755 100644
if (get_user(out_id, &set_connectors_ptr[i])) {
ret = -EFAULT;
goto out;
-@@ -1857,7 +1857,7 @@ int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
+@@ -1846,7 +1846,7 @@ int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
fb = obj_to_fb(obj);
num_clips = r->num_clips;
@@ -30663,7 +30691,7 @@ index 8323fc3..5c1d755 100644
if (!num_clips != !clips_ptr) {
ret = -EINVAL;
-@@ -2283,7 +2283,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
+@@ -2272,7 +2272,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
out_resp->flags = property->flags;
if ((out_resp->count_values >= value_count) && value_count) {
@@ -30672,7 +30700,7 @@ index 8323fc3..5c1d755 100644
for (i = 0; i < value_count; i++) {
if (copy_to_user(values_ptr + i, &property->values[i], sizeof(uint64_t))) {
ret = -EFAULT;
-@@ -2296,7 +2296,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
+@@ -2285,7 +2285,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
if (property->flags & DRM_MODE_PROP_ENUM) {
if ((out_resp->count_enum_blobs >= enum_count) && enum_count) {
copied = 0;
@@ -30681,7 +30709,7 @@ index 8323fc3..5c1d755 100644
list_for_each_entry(prop_enum, &property->enum_blob_list, head) {
if (copy_to_user(&enum_ptr[copied].value, &prop_enum->value, sizeof(uint64_t))) {
-@@ -2319,7 +2319,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
+@@ -2308,7 +2308,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
if ((out_resp->count_enum_blobs >= blob_count) && blob_count) {
copied = 0;
blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr;
@@ -30690,7 +30718,7 @@ index 8323fc3..5c1d755 100644
list_for_each_entry(prop_blob, &property->enum_blob_list, head) {
if (put_user(prop_blob->base.id, blob_id_ptr + copied)) {
-@@ -2380,7 +2380,7 @@ int drm_mode_getblob_ioctl(struct drm_device *dev,
+@@ -2369,7 +2369,7 @@ int drm_mode_getblob_ioctl(struct drm_device *dev,
struct drm_mode_get_blob *out_resp = data;
struct drm_property_blob *blob;
int ret = 0;
@@ -30699,7 +30727,7 @@ index 8323fc3..5c1d755 100644
if (!drm_core_check_feature(dev, DRIVER_MODESET))
return -EINVAL;
-@@ -2394,7 +2394,7 @@ int drm_mode_getblob_ioctl(struct drm_device *dev,
+@@ -2383,7 +2383,7 @@ int drm_mode_getblob_ioctl(struct drm_device *dev,
blob = obj_to_blob(obj);
if (out_resp->length == blob->length) {
@@ -31100,7 +31128,7 @@ index a6c2f7a..0eea25d 100644
for (i = 0; i < count; i++) {
char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
-index 578ddfc..86ac0d0 100644
+index c8b5bc1..fee4e34 100644
--- a/drivers/gpu/drm/i915/i915_irq.c
+++ b/drivers/gpu/drm/i915/i915_irq.c
@@ -496,7 +496,7 @@ static irqreturn_t ivybridge_irq_handler(DRM_IRQ_ARGS)
@@ -31149,7 +31177,7 @@ index 578ddfc..86ac0d0 100644
INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
INIT_WORK(&dev_priv->error_work, i915_error_work_func);
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index 3eed270..5c6f250 100644
+index 6c3fb44..d49f3ac 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -2196,7 +2196,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb)
@@ -31161,16 +31189,7 @@ index 3eed270..5c6f250 100644
/* Big Hammer, we also need to ensure that any pending
* MI_WAIT_FOR_EVENT inside a user batch buffer on the
-@@ -2861,7 +2861,7 @@ static void intel_crtc_wait_for_pending_flips(struct drm_crtc *crtc)
- obj = to_intel_framebuffer(crtc->fb)->obj;
- dev_priv = crtc->dev->dev_private;
- wait_event(dev_priv->pending_flip_queue,
-- atomic_read(&obj->pending_flip) == 0);
-+ atomic_read_unchecked(&obj->pending_flip) == 0);
- }
-
- static bool intel_crtc_driving_pch(struct drm_crtc *crtc)
-@@ -6969,9 +6969,8 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
+@@ -6950,9 +6950,8 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
obj = work->old_fb_obj;
@@ -31182,7 +31201,7 @@ index 3eed270..5c6f250 100644
wake_up(&dev_priv->pending_flip_queue);
schedule_work(&work->work);
-@@ -7166,7 +7165,13 @@ static int intel_gen6_queue_flip(struct drm_device *dev,
+@@ -7147,7 +7146,13 @@ static int intel_gen6_queue_flip(struct drm_device *dev,
OUT_RING(fb->pitch | obj->tiling_mode);
OUT_RING(obj->gtt_offset);
@@ -31197,7 +31216,7 @@ index 3eed270..5c6f250 100644
pipesrc = I915_READ(PIPESRC(intel_crtc->pipe)) & 0x0fff0fff;
OUT_RING(pf | pipesrc);
ADVANCE_LP_RING();
-@@ -7298,7 +7303,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
+@@ -7279,7 +7284,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
/* Block clients from rendering to the new back buffer until
* the flip occurs and the object is no longer visible.
*/
@@ -31206,7 +31225,7 @@ index 3eed270..5c6f250 100644
ret = dev_priv->display.queue_flip(dev, crtc, fb, obj);
if (ret)
-@@ -7312,7 +7317,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
+@@ -7293,7 +7298,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
return 0;
cleanup_pending:
@@ -31548,7 +31567,7 @@ index 28e69e9..d5836543 100644
/*
* Asic structures
diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
-index 9231564..78b00fd 100644
+index c5762e3..987ff1d 100644
--- a/drivers/gpu/drm/radeon/radeon_device.c
+++ b/drivers/gpu/drm/radeon/radeon_device.c
@@ -687,7 +687,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
@@ -31801,7 +31820,7 @@ index d391f48..10c8ca3 100644
case VIA_IRQ_ABSOLUTE:
break;
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
-index dc27970..f18b008 100644
+index 0e3fa7d..35f9ed6 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
@@ -260,7 +260,7 @@ struct vmw_private {
@@ -31889,10 +31908,10 @@ index 8a8725c..afed796 100644
marker = list_first_entry(&queue->head,
struct vmw_marker, head);
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 5cc029f..5311bb9 100644
+index 0c8bea9..fe4b1e8 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
-@@ -2022,7 +2022,7 @@ static bool hid_ignore(struct hid_device *hdev)
+@@ -2025,7 +2025,7 @@ static bool hid_ignore(struct hid_device *hdev)
int hid_add_device(struct hid_device *hdev)
{
@@ -31901,7 +31920,7 @@ index 5cc029f..5311bb9 100644
int ret;
if (WARN_ON(hdev->status & HID_STAT_ADDED))
-@@ -2037,7 +2037,7 @@ int hid_add_device(struct hid_device *hdev)
+@@ -2040,7 +2040,7 @@ int hid_add_device(struct hid_device *hdev)
/* XXX hack, any other cleaner solution after the driver core
* is converted to allow more than 20 bytes as the device name? */
dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
@@ -35523,7 +35542,7 @@ index 4f4d52a..2317bbc 100644
u32 swsm2 = 0;
bool force_clear_smbi = false;
diff --git a/drivers/net/ethernet/intel/e1000e/e1000.h b/drivers/net/ethernet/intel/e1000e/e1000.h
-index f478a22..e854e9b 100644
+index 8e362bb..679d9da 100644
--- a/drivers/net/ethernet/intel/e1000e/e1000.h
+++ b/drivers/net/ethernet/intel/e1000e/e1000.h
@@ -175,7 +175,7 @@ struct e1000_info;
@@ -36038,7 +36057,7 @@ index 46db5c5..37c1536 100644
err = platform_driver_register(&sk_isa_driver);
if (err)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index a12c9bf..3b1862d 100644
+index a12c9bf..46dcc39 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -359,7 +359,7 @@ static void tun_free_netdev(struct net_device *dev)
@@ -36091,6 +36110,25 @@ index a12c9bf..3b1862d 100644
err_free_dev:
free_netdev(dev);
failed:
+@@ -1232,7 +1241,7 @@ static int set_offload(struct tun_struct *tun, unsigned long arg)
+ }
+
+ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+- unsigned long arg, int ifreq_len)
++ unsigned long arg, size_t ifreq_len)
+ {
+ struct tun_file *tfile = file->private_data;
+ struct tun_struct *tun;
+@@ -1243,6 +1252,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+ int vnet_hdr_sz;
+ int ret;
+
++ if (ifreq_len > sizeof ifr)
++ return -EFAULT;
++
+ if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) {
+ if (copy_from_user(&ifr, argp, ifreq_len))
+ return -EFAULT;
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 304fe78..db112fa 100644
--- a/drivers/net/usb/hso.c
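Review bot: The new `if (ifreq_len > sizeof ifr) return -EFAULT;` guard in `__tun_chr_ioctl` reports an oversized length with the same errno as a bad user pointer, so a caller passing the wrong size is hard to tell apart from a faulting copy. `ifreq_len` is a parameter whose callers are outside this hunk; if only in-kernel ioctl wrappers supply it, `if (WARN_ON_ONCE(ifreq_len > sizeof ifr)) return -EINVAL;` would make the misuse visible. The guard also bounds only the upper end: for a length smaller than `sizeof ifr`, whether the rest of the on-stack `ifr` is zeroed before use is not visible here and is worth confirming. The function body continues past the hunk.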
@@ -36496,6 +36534,167 @@ index 69a77e24..552b42c 100644
#define iwl_print_hex_dump(m, level, p, len)
#endif /* CONFIG_IWLWIFI_DEBUG */
+diff --git a/drivers/net/wireless/iwlwifi/iwl-debugfs.c b/drivers/net/wireless/iwlwifi/iwl-debugfs.c
+index 93e6179..534bbd8 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-debugfs.c
++++ b/drivers/net/wireless/iwlwifi/iwl-debugfs.c
+@@ -163,7 +163,7 @@ static ssize_t iwl_dbgfs_clear_traffic_statistics_write(struct file *file,
+ struct iwl_priv *priv = file->private_data;
+ u32 clear_flag;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+
+ memset(buf, 0, sizeof(buf));
+ buf_size = min(count, sizeof(buf) - 1);
+@@ -311,7 +311,7 @@ static ssize_t iwl_dbgfs_sram_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[64];
+- int buf_size;
++ size_t buf_size;
+ u32 offset, len;
+
+ memset(buf, 0, sizeof(buf));
+@@ -601,7 +601,7 @@ static ssize_t iwl_dbgfs_rx_handlers_write(struct file *file,
+ struct iwl_priv *priv = file->private_data;
+
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ u32 reset_flag;
+
+ memset(buf, 0, sizeof(buf));
+@@ -682,7 +682,7 @@ static ssize_t iwl_dbgfs_disable_ht40_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int ht40;
+
+ memset(buf, 0, sizeof(buf));
+@@ -737,7 +737,7 @@ static ssize_t iwl_dbgfs_sleep_level_override_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int value;
+
+ memset(buf, 0, sizeof(buf));
+@@ -897,7 +897,7 @@ static ssize_t iwl_dbgfs_traffic_log_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int traffic_log;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2078,7 +2078,7 @@ static ssize_t iwl_dbgfs_clear_ucode_statistics_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int clear;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2123,7 +2123,7 @@ static ssize_t iwl_dbgfs_ucode_tracing_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int trace;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2193,7 +2193,7 @@ static ssize_t iwl_dbgfs_missed_beacon_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int missed;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2234,7 +2234,7 @@ static ssize_t iwl_dbgfs_plcp_delta_write(struct file *file,
+
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int plcp;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2288,7 +2288,7 @@ static ssize_t iwl_dbgfs_force_reset_write(struct file *file,
+
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int reset, ret;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2314,7 +2314,7 @@ static ssize_t iwl_dbgfs_txfifo_flush_write(struct file *file,
+
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int flush;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2338,7 +2338,7 @@ static ssize_t iwl_dbgfs_wd_timeout_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int timeout;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2427,7 +2427,7 @@ static ssize_t iwl_dbgfs_protection_mode_write(struct file *file,
+
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int rts;
+
+ if (!priv->cfg->ht_params)
+@@ -2452,7 +2452,7 @@ static ssize_t iwl_dbgfs_echo_test_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+
+ memset(buf, 0, sizeof(buf));
+ buf_size = min(count, sizeof(buf) - 1);
+diff --git a/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c b/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
+index 75da4bc..7737dff 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
++++ b/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
+@@ -1890,7 +1890,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
+ struct isr_statistics *isr_stats = &trans_pcie->isr_stats;
+
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ u32 reset_flag;
+
+ memset(buf, 0, sizeof(buf));
+@@ -1911,7 +1911,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file,
+ {
+ struct iwl_trans *trans = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int csr;
+
+ memset(buf, 0, sizeof(buf));
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 523ad55..f8c5dc5 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
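Review bot: The `int buf_size` to `size_t buf_size` change is repeated by hand in seventeen debugfs write handlers across iwl-debugfs.c and iwl-trans-pcie.c, each next to the same `memset(buf, 0, sizeof(buf)); buf_size = min(count, sizeof(buf) - 1);` clamp. That clamp is what keeps a user-supplied `count` from overrunning the small stack buffer, so it is safer kept in one place than re-typed per handler. A single static helper, sketched below under a placeholder name, would carry the `size_t` typing and the bound once. The copy that follows the clamp is outside each hunk, so the sketch assumes it is a plain `copy_from_user()` of `buf_size` bytes, which needs confirming.

```c
/* Proposed helper (name is a placeholder): copy a short debugfs argument
 * into a zeroed stack buffer, always leaving room for the terminating NUL.
 * Callers pass sizeof(buf), which must be non-zero. */
static ssize_t iwl_dbgfs_get_arg(char *buf, size_t buf_len,
				 const char __user *user_buf, size_t count)
{
	size_t n = min(count, buf_len - 1);

	memset(buf, 0, buf_len);
	if (copy_from_user(buf, user_buf, n))
		return -EFAULT;
	return n;
}
```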
@@ -44586,7 +44785,7 @@ index 9a37a9b..35792b6 100644
/*
* We'll have a dentry and an inode for
diff --git a/fs/dcache.c b/fs/dcache.c
-index eb723d3..d59753b 100644
+index eb723d3..bed8460 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -103,11 +103,11 @@ static unsigned int d_hash_shift __read_mostly;
@@ -44605,6 +44804,24 @@ index eb723d3..d59753b 100644
return dentry_hashtable + (hash & D_HASHMASK);
}
+@@ -311,7 +311,7 @@ static struct dentry *d_kill(struct dentry *dentry, struct dentry *parent)
+ * Inform try_to_ascend() that we are no longer attached to the
+ * dentry tree
+ */
+- dentry->d_flags |= DCACHE_DISCONNECTED;
++ dentry->d_flags |= DCACHE_DENTRY_KILLED;
+ if (parent)
+ spin_unlock(&parent->d_lock);
+ dentry_iput(dentry);
+@@ -968,7 +968,7 @@ static struct dentry *try_to_ascend(struct dentry *old, int locked, unsigned seq
+ * or deletion
+ */
+ if (new != old->d_parent ||
+- (old->d_flags & DCACHE_DISCONNECTED) ||
++ (old->d_flags & DCACHE_DENTRY_KILLED) ||
+ (!locked && read_seqretry(&rename_lock, seq))) {
+ spin_unlock(&new->d_lock);
+ new = NULL;
@@ -3043,7 +3043,7 @@ void __init vfs_caches_init(unsigned long mempages)
mempages -= reserve;
@@ -44631,36 +44848,10 @@ index f3a257d..715ac0f 100644
}
EXPORT_SYMBOL_GPL(debugfs_create_dir);
diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
-index af11098..4e6f039 100644
+index 7c7556b..4e6f039 100644
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
-@@ -640,6 +640,7 @@ ecryptfs_rename(struct inode *old_dir, struct dentry *old_dentry,
- struct dentry *lower_old_dir_dentry;
- struct dentry *lower_new_dir_dentry;
- struct dentry *trap = NULL;
-+ struct inode *target_inode;
-
- lower_old_dentry = ecryptfs_dentry_to_lower(old_dentry);
- lower_new_dentry = ecryptfs_dentry_to_lower(new_dentry);
-@@ -647,6 +648,7 @@ ecryptfs_rename(struct inode *old_dir, struct dentry *old_dentry,
- dget(lower_new_dentry);
- lower_old_dir_dentry = dget_parent(lower_old_dentry);
- lower_new_dir_dentry = dget_parent(lower_new_dentry);
-+ target_inode = new_dentry->d_inode;
- trap = lock_rename(lower_old_dir_dentry, lower_new_dir_dentry);
- /* source should not be ancestor of target */
- if (trap == lower_old_dentry) {
-@@ -662,6 +664,9 @@ ecryptfs_rename(struct inode *old_dir, struct dentry *old_dentry,
- lower_new_dir_dentry->d_inode, lower_new_dentry);
- if (rc)
- goto out_lock;
-+ if (target_inode)
-+ fsstack_copy_attr_all(target_inode,
-+ ecryptfs_inode_to_lower(target_inode));
- fsstack_copy_attr_all(new_dir, lower_new_dir_dentry->d_inode);
- if (new_dir != old_dir)
- fsstack_copy_attr_all(old_dir, lower_old_dir_dentry->d_inode);
-@@ -691,7 +696,7 @@ static int ecryptfs_readlink_lower(struct dentry *dentry, char **buf,
+@@ -696,7 +696,7 @@ static int ecryptfs_readlink_lower(struct dentry *dentry, char **buf,
old_fs = get_fs();
set_fs(get_ds());
rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
@@ -44669,7 +44860,7 @@ index af11098..4e6f039 100644
lower_bufsiz);
set_fs(old_fs);
if (rc < 0)
-@@ -737,7 +742,7 @@ static void *ecryptfs_follow_link(struct dentry *dentry, struct nameidata *nd)
+@@ -742,7 +742,7 @@ static void *ecryptfs_follow_link(struct dentry *dentry, struct nameidata *nd)
}
old_fs = get_fs();
set_fs(get_ds());
@@ -44678,7 +44869,7 @@ index af11098..4e6f039 100644
set_fs(old_fs);
if (rc < 0) {
kfree(buf);
-@@ -752,7 +757,7 @@ out:
+@@ -757,7 +757,7 @@ out:
static void
ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
{
@@ -47425,7 +47616,7 @@ index 3426521..3b75162 100644
cuse_class = class_create(THIS_MODULE, "cuse");
if (IS_ERR(cuse_class))
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
-index 2aaf3ea..8e50863 100644
+index 5c029fb..96e676c 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1242,7 +1242,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
@@ -48316,18 +48507,9 @@ index d774309..198ec0a 100644
void *data;
};
diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
-index 50a15fa..ca113f9 100644
+index b78b5b6..c64d84f 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
-@@ -150,7 +150,7 @@ static void nfs_zap_caches_locked(struct inode *inode)
- nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
- nfsi->attrtimeo_timestamp = jiffies;
-
-- memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_COOKIEVERF(inode)));
-+ memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_I(inode)->cookieverf));
- if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
- nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
- else
@@ -1002,16 +1002,16 @@ static int nfs_size_need_update(const struct inode *inode, const struct nfs_fatt
return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
}
@@ -61879,6 +62061,19 @@ index 8a94217..15d49e3 100644
#define crt_ablkcipher crt_u.ablkcipher
#define crt_aead crt_u.aead
+diff --git a/include/linux/dcache.h b/include/linux/dcache.h
+index 4eb8c80..1dfe974 100644
+--- a/include/linux/dcache.h
++++ b/include/linux/dcache.h
+@@ -219,6 +219,8 @@ struct dentry_operations {
+ #define DCACHE_MANAGED_DENTRY \
+ (DCACHE_MOUNTED|DCACHE_NEED_AUTOMOUNT|DCACHE_MANAGE_TRANSIT)
+
++#define DCACHE_DENTRY_KILLED 0x100000
++
+ extern seqlock_t rename_lock;
+
+ static inline int dname_external(struct dentry *dentry)
diff --git a/include/linux/decompress/mm.h b/include/linux/decompress/mm.h
index 7925bf0..d5143d2 100644
--- a/include/linux/decompress/mm.h
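Review bot: `#define DCACHE_DENTRY_KILLED 0x100000` is added without a comment, and the other flag definitions are outside this hunk, so its uniqueness among the `DCACHE_*` bits cannot be checked from here. A one-line comment such as `/* set by d_kill(); tells try_to_ascend() the dentry left the tree */` would record why it exists separately from `DCACHE_DISCONNECTED`, matching the two substitutions in the fs/dcache.c hunk of this patch. It is also worth confirming that no other reader depended on `d_kill()` setting `DCACHE_DISCONNECTED`.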
@@ -63539,19 +63734,6 @@ index b16f653..eb908f4 100644
#define request_module(mod...) __request_module(true, mod)
#define request_module_nowait(mod...) __request_module(false, mod)
#define try_then_request_module(x, mod...) \
-diff --git a/include/linux/kobject.h b/include/linux/kobject.h
-index ad81e1c..445f978 100644
---- a/include/linux/kobject.h
-+++ b/include/linux/kobject.h
-@@ -226,7 +226,7 @@ static inline int kobject_uevent_env(struct kobject *kobj,
-
- static inline __printf(2, 3)
- int add_uevent_var(struct kobj_uevent_env *env, const char *format, ...)
--{ return 0; }
-+{ return -ENOMEM; }
-
- static inline int kobject_action_type(const char *buf, size_t count,
- enum kobject_action *type)
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index 6136821..b3ba6ba 100644
--- a/include/linux/kvm_host.h
@@ -64123,7 +64305,7 @@ index ffc0213..2c1f2cb 100644
return nd->saved_names[nd->depth];
}
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
-index cb52340..0761265 100644
+index 00ca32b..1f8accc 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -949,6 +949,7 @@ struct net_device_ops {
@@ -64210,7 +64392,7 @@ index 4633b2f..988bc08 100644
atomic_t refcnt;
unsigned int max_seq_nr;
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
-index b1f8912..8335421 100644
+index b669be6..8335421 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -748,8 +748,8 @@ struct perf_event {
@@ -64224,14 +64406,7 @@ index b1f8912..8335421 100644
/*
* These are the total time in nanoseconds that the event
-@@ -794,14 +794,14 @@ struct perf_event {
- struct hw_perf_event hw;
-
- struct perf_event_context *ctx;
-- struct file *filp;
-+ atomic_long_t refcount;
-
- /*
+@@ -800,8 +800,8 @@ struct perf_event {
* These accumulate total time (in nanoseconds) that children
* events have been enabled and running, respectively.
*/
@@ -65941,23 +66116,6 @@ index d786b4f..4c3dd41 100644
#ifdef CONFIG_IP_MROUTE
#ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES
-diff --git a/include/net/scm.h b/include/net/scm.h
-index d456f4c..0c0017c 100644
---- a/include/net/scm.h
-+++ b/include/net/scm.h
-@@ -71,9 +71,11 @@ static __inline__ void scm_destroy(struct scm_cookie *scm)
- }
-
- static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
-- struct scm_cookie *scm)
-+ struct scm_cookie *scm, bool forcecreds)
- {
- memset(scm, 0, sizeof(*scm));
-+ if (forcecreds)
-+ scm_set_cred(scm, task_tgid(current), current_cred());
- unix_get_peersec_dgram(sock, scm);
- if (msg->msg_controllen <= 0)
- return 0;
diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
index ad03988..0c5a964 100644
--- a/include/net/sctp/sctp.h
@@ -65976,10 +66134,10 @@ index ad03988..0c5a964 100644
#define SCTP_DISABLE_DEBUG
#define SCTP_ASSERT(expr, str, func)
diff --git a/include/net/sock.h b/include/net/sock.h
-index 32e3937..b65e396 100644
+index ddf523c..1f06685 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
-@@ -277,7 +277,7 @@ struct sock {
+@@ -278,7 +278,7 @@ struct sock {
#ifdef CONFIG_RPS
__u32 sk_rxhash;
#endif
@@ -65988,7 +66146,7 @@ index 32e3937..b65e396 100644
int sk_rcvbuf;
struct sk_filter __rcu *sk_filter;
-@@ -1402,7 +1402,7 @@ static inline void sk_nocaps_add(struct sock *sk, int flags)
+@@ -1404,7 +1404,7 @@ static inline void sk_nocaps_add(struct sock *sk, int flags)
}
static inline int skb_do_copy_data_nocache(struct sock *sk, struct sk_buff *skb,
@@ -65997,7 +66155,7 @@ index 32e3937..b65e396 100644
int copy, int offset)
{
if (skb->ip_summed == CHECKSUM_NONE) {
-@@ -1664,7 +1664,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock *sk)
+@@ -1666,7 +1666,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock *sk)
}
}
@@ -67588,7 +67746,7 @@ index 63786e7..0780cac 100644
#ifdef CONFIG_MODULE_UNLOAD
{
diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 58690af..66d5a8e 100644
+index 7d1f05e..66d5a8e 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -173,7 +173,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write,
@@ -67609,38 +67767,7 @@ index 58690af..66d5a8e 100644
}
static u64 perf_event_read(struct perf_event *event)
-@@ -3011,12 +3011,12 @@ EXPORT_SYMBOL_GPL(perf_event_release_kernel);
- /*
- * Called when the last reference to the file is gone.
- */
--static int perf_release(struct inode *inode, struct file *file)
-+static void put_event(struct perf_event *event)
- {
-- struct perf_event *event = file->private_data;
- struct task_struct *owner;
-
-- file->private_data = NULL;
-+ if (!atomic_long_dec_and_test(&event->refcount))
-+ return;
-
- rcu_read_lock();
- owner = ACCESS_ONCE(event->owner);
-@@ -3051,7 +3051,13 @@ static int perf_release(struct inode *inode, struct file *file)
- put_task_struct(owner);
- }
-
-- return perf_event_release_kernel(event);
-+ perf_event_release_kernel(event);
-+}
-+
-+static int perf_release(struct inode *inode, struct file *file)
-+{
-+ put_event(file->private_data);
-+ return 0;
- }
-
- u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
-@@ -3065,9 +3071,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
+@@ -3071,9 +3071,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
mutex_lock(&event->child_mutex);
total += perf_event_read(event);
*enabled += event->total_time_enabled +
@@ -67652,51 +67779,7 @@ index 58690af..66d5a8e 100644
list_for_each_entry(child, &event->child_list, child_list) {
total += perf_event_read(child);
-@@ -3304,7 +3310,7 @@ unlock:
-
- static const struct file_operations perf_fops;
-
--static struct perf_event *perf_fget_light(int fd, int *fput_needed)
-+static struct file *perf_fget_light(int fd, int *fput_needed)
- {
- struct file *file;
-
-@@ -3318,7 +3324,7 @@ static struct perf_event *perf_fget_light(int fd, int *fput_needed)
- return ERR_PTR(-EBADF);
- }
-
-- return file->private_data;
-+ return file;
- }
-
- static int perf_event_set_output(struct perf_event *event,
-@@ -3350,19 +3356,21 @@ static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-
- case PERF_EVENT_IOC_SET_OUTPUT:
- {
-+ struct file *output_file = NULL;
- struct perf_event *output_event = NULL;
- int fput_needed = 0;
- int ret;
-
- if (arg != -1) {
-- output_event = perf_fget_light(arg, &fput_needed);
-- if (IS_ERR(output_event))
-- return PTR_ERR(output_event);
-+ output_file = perf_fget_light(arg, &fput_needed);
-+ if (IS_ERR(output_file))
-+ return PTR_ERR(output_file);
-+ output_event = output_file->private_data;
- }
-
- ret = perf_event_set_output(event, output_event);
- if (output_event)
-- fput_light(output_event->filp, fput_needed);
-+ fput_light(output_file, fput_needed);
-
- return ret;
- }
-@@ -3474,10 +3482,10 @@ void perf_event_update_userpage(struct perf_event *event)
+@@ -3482,10 +3482,10 @@ void perf_event_update_userpage(struct perf_event *event)
userpg->offset -= local64_read(&event->hw.prev_count);
userpg->time_enabled = enabled +
@@ -67709,7 +67792,7 @@ index 58690af..66d5a8e 100644
barrier();
++userpg->lock;
-@@ -3906,11 +3914,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
+@@ -3914,11 +3914,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
values[n++] = perf_event_count(event);
if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
values[n++] = enabled +
@@ -67723,7 +67806,7 @@ index 58690af..66d5a8e 100644
}
if (read_format & PERF_FORMAT_ID)
values[n++] = primary_event_id(event);
-@@ -4561,12 +4569,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
+@@ -4569,12 +4569,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
* need to add enough zero bytes after the string to handle
* the 64bit alignment we do later.
*/
@@ -67738,15 +67821,7 @@ index 58690af..66d5a8e 100644
if (IS_ERR(name)) {
name = strncpy(tmp, "//toolong", sizeof(tmp));
goto got_name;
-@@ -5912,6 +5920,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
-
- mutex_init(&event->mmap_mutex);
-
-+ atomic_long_set(&event->refcount, 1);
- event->cpu = cpu;
- event->attr = *attr;
- event->group_leader = group_leader;
-@@ -5921,7 +5930,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
+@@ -5930,7 +5930,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
event->parent = parent_event;
event->ns = get_pid_ns(current->nsproxy->pid_ns);
@@ -67755,40 +67830,7 @@ index 58690af..66d5a8e 100644
event->state = PERF_EVENT_STATE_INACTIVE;
-@@ -6182,12 +6191,12 @@ SYSCALL_DEFINE5(perf_event_open,
- return event_fd;
-
- if (group_fd != -1) {
-- group_leader = perf_fget_light(group_fd, &fput_needed);
-- if (IS_ERR(group_leader)) {
-- err = PTR_ERR(group_leader);
-+ group_file = perf_fget_light(group_fd, &fput_needed);
-+ if (IS_ERR(group_file)) {
-+ err = PTR_ERR(group_file);
- goto err_fd;
- }
-- group_file = group_leader->filp;
-+ group_leader = group_file->private_data;
- if (flags & PERF_FLAG_FD_OUTPUT)
- output_event = group_leader;
- if (flags & PERF_FLAG_FD_NO_GROUP)
-@@ -6322,7 +6331,6 @@ SYSCALL_DEFINE5(perf_event_open,
- put_ctx(gctx);
- }
-
-- event->filp = event_file;
- WARN_ON_ONCE(ctx->parent_ctx);
- mutex_lock(&ctx->mutex);
-
-@@ -6412,7 +6420,6 @@ perf_event_create_kernel_counter(struct perf_event_attr *attr, int cpu,
- goto err_free;
- }
-
-- event->filp = NULL;
- WARN_ON_ONCE(ctx->parent_ctx);
- mutex_lock(&ctx->mutex);
- perf_install_in_context(ctx, event, cpu);
-@@ -6443,10 +6450,10 @@ static void sync_child_event(struct perf_event *child_event,
+@@ -6450,10 +6450,10 @@ static void sync_child_event(struct perf_event *child_event,
/*
* Add back the child's count to the parent's count:
*/
@@ -67802,64 +67844,6 @@ index 58690af..66d5a8e 100644
&parent_event->child_total_time_running);
/*
-@@ -6461,7 +6468,7 @@ static void sync_child_event(struct perf_event *child_event,
- * Release the parent event, if this was the last
- * reference to it.
- */
-- fput(parent_event->filp);
-+ put_event(parent_event);
- }
-
- static void
-@@ -6537,9 +6544,8 @@ static void perf_event_exit_task_context(struct task_struct *child, int ctxn)
- *
- * __perf_event_exit_task()
- * sync_child_event()
-- * fput(parent_event->filp)
-- * perf_release()
-- * mutex_lock(&ctx->mutex)
-+ * put_event()
-+ * mutex_lock(&ctx->mutex)
- *
- * But since its the parent context it won't be the same instance.
- */
-@@ -6607,7 +6613,7 @@ static void perf_free_event(struct perf_event *event,
- list_del_init(&event->child_list);
- mutex_unlock(&parent->child_mutex);
-
-- fput(parent->filp);
-+ put_event(parent);
-
- perf_group_detach(event);
- list_del_event(event, ctx);
-@@ -6687,6 +6693,12 @@ inherit_event(struct perf_event *parent_event,
- NULL, NULL);
- if (IS_ERR(child_event))
- return child_event;
-+
-+ if (!atomic_long_inc_not_zero(&parent_event->refcount)) {
-+ free_event(child_event);
-+ return NULL;
-+ }
-+
- get_ctx(child_ctx);
-
- /*
-@@ -6728,14 +6740,6 @@ inherit_event(struct perf_event *parent_event,
- raw_spin_unlock_irqrestore(&child_ctx->lock, flags);
-
- /*
-- * Get a reference to the parent filp - we will fput it
-- * when the child event exits. This is safe to do because
-- * we are in the parent and we know that the filp still
-- * exists and has a nonzero count:
-- */
-- atomic_long_inc(&parent_event->filp->f_count);
--
-- /*
- * Link this into the parent event's child list
- */
- WARN_ON_ONCE(parent_event->ctx->parent_ctx);
diff --git a/kernel/exit.c b/kernel/exit.c
index 5a8a66e..ded4680 100644
--- a/kernel/exit.c
@@ -68644,7 +68628,7 @@ index a4bea97..7a1ae9a 100644
/*
* If ret is 0, either ____call_usermodehelper failed and the
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
-index bc90b87..43c7d8c 100644
+index bc90b87..cb67968 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_insn_slot(struct kprobe_insn_cache *c)
@@ -68683,6 +68667,15 @@ index bc90b87..43c7d8c 100644
head = &kprobe_table[i];
preempt_disable();
+@@ -2204,7 +2204,7 @@ static ssize_t write_enabled_file_bool(struct file *file,
+ const char __user *user_buf, size_t count, loff_t *ppos)
+ {
+ char buf[32];
+- int buf_size;
++ size_t buf_size;
+
+ buf_size = min(count, (sizeof(buf)-1));
+ if (copy_from_user(buf, user_buf, buf_size))
diff --git a/kernel/ksysfs.c b/kernel/ksysfs.c
index 4e316e1..5501eef 100644
--- a/kernel/ksysfs.c
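Review bot: In `write_enabled_file_bool` the visible lines copy at most `sizeof(buf)-1` bytes into `buf[32]` but never initialise or terminate it, so with `count == 0` nothing is copied and any later read of `buf` sees stale stack contents. The rest of the body is outside the hunk, so this may already be handled there. If it is not, `char buf[32] = { 0 };` at the declaration, or `buf[buf_size] = '\0';` after the copy, closes it. The `int` to `size_t` change itself keeps `min()` and `copy_from_user()` on one unsigned type.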
@@ -70914,7 +70907,7 @@ index 2c71d91..1021f81 100644
struct tasklet_struct *list;
diff --git a/kernel/sys.c b/kernel/sys.c
-index 481611f..0754d86 100644
+index 481611f..71bdeea 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -158,6 +158,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
@@ -71038,18 +71031,34 @@ index 481611f..0754d86 100644
abort_creds(new);
return old_fsgid;
-@@ -1189,7 +1225,10 @@ static int override_release(char __user *release, int len)
+@@ -1170,13 +1206,13 @@ DECLARE_RWSEM(uts_sem);
+ * Work around broken programs that cannot handle "Linux 3.0".
+ * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
+ */
+-static int override_release(char __user *release, int len)
++static int override_release(char __user *release, size_t len)
+ {
+ int ret = 0;
+- char buf[65];
++ char buf[65] = { 0 };
++ const char *rest = UTS_RELEASE;
+
+ if (current->personality & UNAME26) {
+- char *rest = UTS_RELEASE;
+ int ndots = 0;
+ unsigned v;
+
+@@ -1188,7 +1224,10 @@ static int override_release(char __user *release, int len)
+ rest++;
}
v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
++ if (sizeof buf < len)
++ len = sizeof buf;
snprintf(buf, len, "2.6.%u%s", v, rest);
-- ret = copy_to_user(release, buf, len);
-+ if (len > sizeof(buf))
-+ ret = -EFAULT;
-+ else
-+ ret = copy_to_user(release, buf, len);
++ buf[len - 1] = 0;
+ ret = copy_to_user(release, buf, len);
}
return ret;
- }
@@ -1243,19 +1282,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
return -EFAULT;
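Review bot: `buf[len - 1] = 0;` in `override_release` indexes with a `len` that this same change made `size_t`, so a `len` of 0 wraps to the maximum value and the store lands far outside `buf[65]`. The clamp `if (sizeof buf < len) len = sizeof buf;` bounds only the upper end, and the callers that supply `len` are outside this hunk. `snprintf()` already terminates within `len` bytes whenever `len` is non-zero, so the line can be dropped, or guarded as `if (len) buf[len - 1] = 0;`.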
@@ -71511,7 +71520,7 @@ index fd4a7b1..fae5c2a 100644
cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
tick_broadcast_clear_oneshot(cpu);
diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
-index 03e67d4..21ae77b 100644
+index 5ee1ac0..335188f 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -14,6 +14,7 @@
@@ -71523,7 +71532,7 @@ index 03e67d4..21ae77b 100644
#include <linux/clocksource.h>
#include <linux/jiffies.h>
@@ -385,6 +386,8 @@ int do_settimeofday(const struct timespec *tv)
- if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
+ if (!timespec_valid_strict(tv))
return -EINVAL;
+ gr_log_timechange();
@@ -71940,6 +71949,19 @@ index 209b379..7f76423 100644
tsk->comm);
put_task_struct(tsk);
}
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 979d4de..bfde28d 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -3447,7 +3447,7 @@ static int __cpuinit trustee_thread(void *__gcwq)
+ */
+ worker_flags |= WORKER_REBIND;
+ worker_flags &= ~WORKER_ROGUE;
+- ACCESS_ONCE(worker->flags) = worker_flags;
++ ACCESS_ONCE_RW(worker->flags) = worker_flags;
+
+ /* queue rebind_work, wq doesn't matter, use the default one */
+ if (test_and_set_bit(WORK_STRUCT_PENDING_BIT,
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 82928f5..92da771 100644
--- a/lib/Kconfig.debug
@@ -73354,7 +73376,7 @@ index 70f5daf..0964853 100644
* Make sure the vDSO gets into every core dump.
* Dumping its contents makes post-mortem fully interpretable later
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index c0007f9..3792cfe 100644
+index 11b8d47..3792cfe 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -640,6 +640,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
@@ -73428,15 +73450,6 @@ index c0007f9..3792cfe 100644
rcu_read_unlock();
err = -EPERM;
goto out;
-@@ -2533,7 +2565,7 @@ int mpol_to_str(char *buffer, int maxlen, struct mempolicy *pol, int no_context)
- break;
-
- default:
-- BUG();
-+ return -EINVAL;
- }
-
- l = strlen(policy_modes[mode]);
diff --git a/mm/migrate.c b/mm/migrate.c
index 180d97f..c75ef28 100644
--- a/mm/migrate.c
@@ -76539,7 +76552,7 @@ index 136ac4f..f917fa9 100644
mm->unmap_area = arch_unmap_area;
}
diff --git a/mm/vmalloc.c b/mm/vmalloc.c
-index eeba3bb..b4410cf 100644
+index eeba3bb..1828c9e 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
@@ -76747,6 +76760,15 @@ index eeba3bb..b4410cf 100644
if (!vas || !vms)
goto err_free;
+@@ -2536,7 +2599,7 @@ static int s_show(struct seq_file *m, void *p)
+ {
+ struct vm_struct *v = p;
+
+- seq_printf(m, "0x%p-0x%p %7ld",
++ seq_printf(m, "0x%pP-0x%pP %7ld",
+ v->addr, v->addr + v->size, v->size);
+
+ if (v->caller)
diff --git a/mm/vmstat.c b/mm/vmstat.c
index 8fd603b..cf0d930 100644
--- a/mm/vmstat.c
@@ -76870,18 +76892,6 @@ index f41f026..fe76ea8 100644
__SONET_ITEMS
#undef __HANDLE_ITEM
}
-diff --git a/net/atm/common.c b/net/atm/common.c
-index 14ff9fe..0ca06e8 100644
---- a/net/atm/common.c
-+++ b/net/atm/common.c
-@@ -784,6 +784,7 @@ int vcc_getsockopt(struct socket *sock, int level, int optname,
-
- if (!vcc->dev || !test_bit(ATM_VF_ADDR, &vcc->flags))
- return -ENOTCONN;
-+ memset(&pvc, 0, sizeof(pvc));
- pvc.sap_family = AF_ATMPVC;
- pvc.sap_addr.itf = vcc->dev->number;
- pvc.sap_addr.vpi = vcc->vpi;
diff --git a/net/atm/lec.h b/net/atm/lec.h
index dfc0719..47c5322 100644
--- a/net/atm/lec.h
@@ -76925,18 +76935,6 @@ index 0d020de..011c7bb 100644
}
static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
-diff --git a/net/atm/pvc.c b/net/atm/pvc.c
-index 3a73491..ae03240 100644
---- a/net/atm/pvc.c
-+++ b/net/atm/pvc.c
-@@ -95,6 +95,7 @@ static int pvc_getname(struct socket *sock, struct sockaddr *sockaddr,
- return -ENOTCONN;
- *sockaddr_len = sizeof(struct sockaddr_atmpvc);
- addr = (struct sockaddr_atmpvc *)sockaddr;
-+ memset(addr, 0, sizeof(*addr));
- addr->sap_family = AF_ATMPVC;
- addr->sap_addr.itf = vcc->dev->number;
- addr->sap_addr.vpi = vcc->vpi;
diff --git a/net/atm/resources.c b/net/atm/resources.c
index 23f45ce..c748f1a 100644
--- a/net/atm/resources.c
@@ -77078,25 +77076,18 @@ index 98bfbd5..47ccdd6 100644
hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
}
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
-index f6afe3d..8361ee4 100644
+index 8361ee4..a4f0f18 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
-@@ -388,6 +388,7 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, int *add
- *addr_len = sizeof(*haddr);
- haddr->hci_family = AF_BLUETOOTH;
- haddr->hci_dev = hdev->id;
-+ haddr->hci_channel= 0;
-
- release_sock(sk);
- return 0;
-@@ -671,6 +672,7 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname, char
- {
- struct hci_filter *f = &hci_pi(sk)->filter;
+@@ -607,7 +607,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char
+ uf.event_mask[1] = *((u32 *) f->event_mask + 1);
+ }
-+ memset(&uf, 0, sizeof(uf));
- uf.type_mask = f->type_mask;
- uf.opcode = f->opcode;
- uf.event_mask[0] = *((u32 *) f->event_mask + 0);
+- len = min_t(unsigned int, len, sizeof(uf));
++ len = min((size_t)len, sizeof(uf));
+ if (copy_from_user(&uf, optval, len)) {
+ err = -EFAULT;
+ break;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index dd76177..5755273 100644
--- a/net/bluetooth/l2cap_core.c
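Review bot: The clamp on the new side of hci_sock_setsockopt is written `len = min((size_t)len, sizeof(uf));`, a hand-written cast feeding the type-checked `min()`. `min_t(size_t, len, sizeof(uf))` states the same widening in the form the removed line already used, and the l2cap_sock.c and rfcomm/sock.c hunks that follow solve the same problem a third way, with a `size_t len = optlen;` local. Picking one spelling across the three files would make the set of copy_from_user length clamps easier to audit. The type of the `len` parameter is not visible in this hunk, so the cast may also be covering a signed-to-unsigned conversion that deserves a comment.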
@@ -77115,50 +77106,78 @@ index dd76177..5755273 100644
if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
rfc.mode != chan->mode)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
-index 5c406d3..6dedd6f 100644
+index 6dedd6f..6be4c8e 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
-@@ -293,6 +293,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
+@@ -484,7 +484,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
+ struct sock *sk = sock->sk;
+ struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+ struct l2cap_options opts;
+- int len, err = 0;
++ int err = 0;
++ size_t len = optlen;
+ u32 opt;
- BT_DBG("sock %p, sk %p", sock, sk);
+ BT_DBG("sk %p", sk);
+@@ -506,7 +507,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
+ opts.max_tx = chan->max_tx;
+ opts.txwin_size = (__u16)chan->tx_win;
-+ memset(la, 0, sizeof(struct sockaddr_l2));
- addr->sa_family = AF_BLUETOOTH;
- *len = sizeof(struct sockaddr_l2);
+- len = min_t(unsigned int, sizeof(opts), optlen);
++ len = min(sizeof(opts), len);
+ if (copy_from_user((char *) &opts, optval, len)) {
+ err = -EFAULT;
+ break;
+@@ -572,7 +573,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
+ struct bt_security sec;
+ struct bt_power pwr;
+ struct l2cap_conn *conn;
+- int len, err = 0;
++ int err = 0;
++ size_t len = optlen;
+ u32 opt;
-diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
-index 5417f61..7ee4ead 100644
---- a/net/bluetooth/rfcomm/sock.c
-+++ b/net/bluetooth/rfcomm/sock.c
-@@ -547,6 +547,7 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *
+ BT_DBG("sk %p", sk);
+@@ -595,7 +597,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
- BT_DBG("sock %p, sk %p", sock, sk);
+ sec.level = BT_SECURITY_LOW;
-+ memset(sa, 0, sizeof(*sa));
- sa->rc_family = AF_BLUETOOTH;
- sa->rc_channel = rfcomm_pi(sk)->channel;
- if (peer)
-@@ -835,6 +836,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c
- }
+- len = min_t(unsigned int, sizeof(sec), optlen);
++ len = min(sizeof(sec), len);
+ if (copy_from_user((char *) &sec, optval, len)) {
+ err = -EFAULT;
+ break;
+@@ -671,7 +673,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
- sec.level = rfcomm_pi(sk)->sec_level;
-+ sec.key_size = 0;
+ pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
- len = min_t(unsigned int, len, sizeof(sec));
- if (copy_to_user(optval, (char *) &sec, len))
-diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
-index c258796..bc1eb56 100644
---- a/net/bluetooth/rfcomm/tty.c
-+++ b/net/bluetooth/rfcomm/tty.c
-@@ -471,7 +471,7 @@ static int rfcomm_get_dev_list(void __user *arg)
+- len = min_t(unsigned int, sizeof(pwr), optlen);
++ len = min(sizeof(pwr), len);
+ if (copy_from_user((char *) &pwr, optval, len)) {
+ err = -EFAULT;
+ break;
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index 7ee4ead..fc81180 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -684,7 +684,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
+ struct sock *sk = sock->sk;
+ struct bt_security sec;
+ int err = 0;
+- size_t len;
++ size_t len = optlen;
+ u32 opt;
- size = sizeof(*dl) + dev_num * sizeof(*di);
+ BT_DBG("sk %p", sk);
+@@ -706,7 +706,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
-- dl = kmalloc(size, GFP_KERNEL);
-+ dl = kzalloc(size, GFP_KERNEL);
- if (!dl)
- return -ENOMEM;
+ sec.level = BT_SECURITY_LOW;
+- len = min_t(unsigned int, sizeof(sec), optlen);
++ len = min(sizeof(sec), len);
+ if (copy_from_user((char *) &sec, optval, len)) {
+ err = -EFAULT;
+ break;
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 5ac1811..7eb2320 100644
--- a/net/bridge/br_multicast.c
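Review bot: The hunk for net/bluetooth/rfcomm/tty.c that turned `kmalloc` into `kzalloc` in rfcomm_get_dev_list is dropped here with no replacement, and the page gives no evidence that the base tree now zeroes that buffer. For l2cap_sock.c and rfcomm/sock.c the index lines do give that evidence, since the new pre-image blobs (`6dedd6f`, `7ee4ead`) are the post-image blobs of the previous patch, so the removed `memset` and `sec.key_size = 0` lines are already in the base. The tty.c buffer is sized from `dev_num` and, judging by the `__user` argument, is presumably copied back to the caller, so the 3.2.30 source should be checked for `dl = kzalloc(size, GFP_KERNEL);` and the hunk kept if it is missing. The hunks removed whole for net/atm/common.c, net/atm/pvc.c and net/dccp/ccids/ccid3.c raise the same question.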
@@ -77173,7 +77192,7 @@ index 5ac1811..7eb2320 100644
/* Okay, we found ICMPv6 header */
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
-index 5864cc4..121f3a30 100644
+index 5864cc4..6ddb362 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1513,7 +1513,7 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
@@ -77185,6 +77204,24 @@ index 5864cc4..121f3a30 100644
BUGPRINT("c2u Didn't work\n");
ret = -EFAULT;
break;
+@@ -2323,7 +2323,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
+ goto out;
+ tmp.valid_hooks = t->valid_hooks;
+
+- if (copy_to_user(user, &tmp, *len) != 0) {
++ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
+ ret = -EFAULT;
+ break;
+ }
+@@ -2334,7 +2334,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
+ tmp.entries_size = t->table->entries_size;
+ tmp.valid_hooks = t->table->valid_hooks;
+
+- if (copy_to_user(user, &tmp, *len) != 0) {
++ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
+ ret = -EFAULT;
+ break;
+ }
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index a986280..13444a1 100644
--- a/net/caif/caif_socket.c
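Review bot: Both guards added to compat_do_ebt_get_ctl, `*len > sizeof(tmp)`, fall into the existing `ret = -EFAULT` branch, so an oversized length is reported the same way as a faulting user pointer. `-EINVAL` would let callers and logs tell the two apart, e.g. `if (*len > sizeof(tmp)) { ret = -EINVAL; break; }` placed before the unchanged `copy_to_user` test. The guard also depends on `*len` being converted to `size_t` for the comparison, which is what makes a negative length fail it; assuming `len` is an `int *` as in do_ebt_get_ctl, a short comment saying so would keep a later cleanup from weakening it. The function starts and ends outside the hunk.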
@@ -77449,7 +77486,7 @@ index 3d79b12..8de85fa 100644
diff --git a/net/compat.c b/net/compat.c
-index 6def90e..c6992fa 100644
+index 6def90e..ffd9b82 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
@@ -77579,6 +77616,15 @@ index 6def90e..c6992fa 100644
struct group_filter __user *kgf;
int __user *koptlen;
u32 interface, fmode, numsrc;
+@@ -790,7 +790,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
+
+ if (call < SYS_SOCKET || call > SYS_SENDMMSG)
+ return -EINVAL;
+- if (copy_from_user(a, args, nas[call]))
++ if (nas[call] > sizeof a || copy_from_user(a, args, nas[call]))
+ return -EFAULT;
+ a0 = a[0];
+ a1 = a[1];
diff --git a/net/core/datagram.c b/net/core/datagram.c
index 68bbf9f..5ef0d12 100644
--- a/net/core/datagram.c
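Review bot: The guard added to compat_sys_socketcall, `nas[call] > sizeof a`, has no comment saying that it is an internal invariant rather than input validation. Once `call` has passed the range check two lines above, both sides of the comparison appear to be independent of the caller, although the definitions of `nas` and `a` are outside the hunk. A one-line comment would say so, for example `/* invariant: every nas[] entry fits in a[]; keeps the copy length provably bounded */`. Returning `-EFAULT` for that case reports a kernel-side table error as a bad user pointer, which is worth a second look, and kernel style would spell the operand `sizeof(a)`.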
@@ -77593,10 +77639,10 @@ index 68bbf9f..5ef0d12 100644
return err;
diff --git a/net/core/dev.c b/net/core/dev.c
-index 4b18703..076f9cb 100644
+index 832ba6d..0b240ec 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
-@@ -1139,10 +1139,14 @@ void dev_load(struct net *net, const char *name)
+@@ -1142,10 +1142,14 @@ void dev_load(struct net *net, const char *name)
if (no_module && capable(CAP_NET_ADMIN))
no_module = request_module("netdev-%s", name);
if (no_module && capable(CAP_SYS_MODULE)) {
@@ -77611,7 +77657,7 @@ index 4b18703..076f9cb 100644
}
}
EXPORT_SYMBOL(dev_load);
-@@ -1594,7 +1598,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
+@@ -1597,7 +1601,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
{
if (skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) {
if (skb_copy_ubufs(skb, GFP_ATOMIC)) {
@@ -77620,7 +77666,7 @@ index 4b18703..076f9cb 100644
kfree_skb(skb);
return NET_RX_DROP;
}
-@@ -1604,7 +1608,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
+@@ -1607,7 +1611,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
nf_reset(skb);
if (unlikely(!is_skb_forwardable(dev, skb))) {
@@ -77629,7 +77675,7 @@ index 4b18703..076f9cb 100644
kfree_skb(skb);
return NET_RX_DROP;
}
-@@ -2031,7 +2035,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
+@@ -2046,7 +2050,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
struct dev_gso_cb {
void (*destructor)(struct sk_buff *skb);
@@ -77638,7 +77684,7 @@ index 4b18703..076f9cb 100644
#define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
-@@ -2944,7 +2948,7 @@ enqueue:
+@@ -2962,7 +2966,7 @@ enqueue:
local_irq_restore(flags);
@@ -77647,7 +77693,7 @@ index 4b18703..076f9cb 100644
kfree_skb(skb);
return NET_RX_DROP;
}
-@@ -3018,7 +3022,7 @@ int netif_rx_ni(struct sk_buff *skb)
+@@ -3036,7 +3040,7 @@ int netif_rx_ni(struct sk_buff *skb)
}
EXPORT_SYMBOL(netif_rx_ni);
@@ -77656,7 +77702,7 @@ index 4b18703..076f9cb 100644
{
struct softnet_data *sd = &__get_cpu_var(softnet_data);
-@@ -3307,7 +3311,7 @@ ncls:
+@@ -3325,7 +3329,7 @@ ncls:
if (pt_prev) {
ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
} else {
@@ -77665,7 +77711,7 @@ index 4b18703..076f9cb 100644
kfree_skb(skb);
/* Jamal, now you will not able to escape explaining
* me how you were going to use this. :-)
-@@ -3872,7 +3876,7 @@ void netif_napi_del(struct napi_struct *napi)
+@@ -3890,7 +3894,7 @@ void netif_napi_del(struct napi_struct *napi)
}
EXPORT_SYMBOL(netif_napi_del);
@@ -77674,7 +77720,7 @@ index 4b18703..076f9cb 100644
{
struct softnet_data *sd = &__get_cpu_var(softnet_data);
unsigned long time_limit = jiffies + 2;
-@@ -5900,7 +5904,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
+@@ -5918,7 +5922,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
} else {
netdev_stats_to_stats64(storage, &dev->stats);
}
@@ -77799,7 +77845,7 @@ index ff52ad0..aff1c0f 100644
{
int new_fd;
diff --git a/net/core/sock.c b/net/core/sock.c
-index 8d095b9..315c541 100644
+index 018fd41..6a03100 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -289,7 +289,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
@@ -77847,7 +77893,23 @@ index 8d095b9..315c541 100644
goto discard_and_relse;
}
-@@ -917,7 +917,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+@@ -771,12 +771,12 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+ struct timeval tm;
+ } v;
+
+- int lv = sizeof(int);
+- int len;
++ unsigned int lv = sizeof(int);
++ unsigned int len;
+
+ if (get_user(len, optlen))
+ return -EFAULT;
+- if (len < 0)
++ if (len > INT_MAX)
+ return -EINVAL;
+
+ memset(&v, 0, sizeof(v));
+@@ -917,18 +917,18 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
if (len > sizeof(peercred))
len = sizeof(peercred);
cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred);
@@ -77856,15 +77918,19 @@ index 8d095b9..315c541 100644
return -EFAULT;
goto lenout;
}
-@@ -930,7 +930,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+
+ case SO_PEERNAME:
+ {
+- char address[128];
++ char address[_K_SS_MAXSIZE];
+
+ if (sock->ops->getname(sock, (struct sockaddr *)address, &lv, 2))
return -ENOTCONN;
- if (lv < len)
+- if (lv < len)
++ if (lv < len || sizeof address < len)
return -EINVAL;
-- if (copy_to_user(optval, address, len))
-+ if (len > sizeof(address) || copy_to_user(optval, address, len))
+ if (copy_to_user(optval, address, len))
return -EFAULT;
- goto lenout;
- }
@@ -963,7 +963,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
if (len > lv)
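Review bot: In the SO_PEERNAME case `lv`, which the preceding hunk changes to `unsigned int`, is still passed as `&lv` to `sock->ops->getname()`, while the getname implementations whose signatures appear on this page (hci_sock_getname, l2cap_sock_getname, rfcomm_sock_getname) take an `int *` for the length. The call therefore relies on the build accepting the pointer-sign mismatch, and a negative value written by a handler would read back as a very large `lv`, leaving only the new `sizeof address < len` test as the bound. A separate signed local keeps the types honest: declare `int alen;`, pass `&alen`, then test `if (alen < 0 || (unsigned int)alen < len || sizeof(address) < len)`. sock_getsockopt's body continues outside the hunk.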
@@ -77874,7 +77940,7 @@ index 8d095b9..315c541 100644
return -EFAULT;
lenout:
if (put_user(len, optlen))
-@@ -2023,7 +2023,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
+@@ -2024,7 +2024,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
*/
smp_wmb();
atomic_set(&sk->sk_refcnt, 1);
@@ -77883,18 +77949,6 @@ index 8d095b9..315c541 100644
}
EXPORT_SYMBOL(sock_init_data);
-diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
-index 3d604e1..4caf63f 100644
---- a/net/dccp/ccids/ccid3.c
-+++ b/net/dccp/ccids/ccid3.c
-@@ -532,6 +532,7 @@ static int ccid3_hc_tx_getsockopt(struct sock *sk, const int optname, int len,
- case DCCP_SOCKOPT_CCID_TX_INFO:
- if (len < sizeof(tfrc))
- return -EINVAL;
-+ memset(&tfrc, 0, sizeof(tfrc));
- tfrc.tfrctx_x = hc->tx_x;
- tfrc.tfrctx_x_recv = hc->tx_x_recv;
- tfrc.tfrctx_x_calc = hc->tx_x_calc;
diff --git a/net/decnet/sysctl_net_decnet.c b/net/decnet/sysctl_net_decnet.c
index 02e75d1..9a57a7c 100644
--- a/net/decnet/sysctl_net_decnet.c
@@ -78147,6 +78201,104 @@ index 99ec116..c5628fe 100644
set_fs(oldfs);
return res;
}
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index fd7a3f6..21e76da 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -880,14 +880,14 @@ static int compat_table_info(const struct xt_table_info *info,
+ #endif
+
+ static int get_info(struct net *net, void __user *user,
+- const int *len, int compat)
++ int len, int compat)
+ {
+ char name[XT_TABLE_MAXNAMELEN];
+ struct xt_table *t;
+ int ret;
+
+- if (*len != sizeof(struct arpt_getinfo)) {
+- duprintf("length %u != %Zu\n", *len,
++ if (len != sizeof(struct arpt_getinfo)) {
++ duprintf("length %u != %Zu\n", len,
+ sizeof(struct arpt_getinfo));
+ return -EINVAL;
+ }
+@@ -924,7 +924,7 @@ static int get_info(struct net *net, void __user *user,
+ info.size = private->size;
+ strcpy(info.name, name);
+
+- if (copy_to_user(user, &info, *len) != 0)
++ if (copy_to_user(user, &info, len) != 0)
+ ret = -EFAULT;
+ else
+ ret = 0;
+@@ -1683,7 +1683,7 @@ static int compat_do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user,
+
+ switch (cmd) {
+ case ARPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 1);
++ ret = get_info(sock_net(sk), user, *len, 1);
+ break;
+ case ARPT_SO_GET_ENTRIES:
+ ret = compat_get_entries(sock_net(sk), user, len);
+@@ -1728,7 +1728,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
+
+ switch (cmd) {
+ case ARPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 0);
++ ret = get_info(sock_net(sk), user, *len, 0);
+ break;
+
+ case ARPT_SO_GET_ENTRIES:
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index 24e556e..f6918b4 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1069,14 +1069,14 @@ static int compat_table_info(const struct xt_table_info *info,
+ #endif
+
+ static int get_info(struct net *net, void __user *user,
+- const int *len, int compat)
++ int len, int compat)
+ {
+ char name[XT_TABLE_MAXNAMELEN];
+ struct xt_table *t;
+ int ret;
+
+- if (*len != sizeof(struct ipt_getinfo)) {
+- duprintf("length %u != %zu\n", *len,
++ if (len != sizeof(struct ipt_getinfo)) {
++ duprintf("length %u != %zu\n", len,
+ sizeof(struct ipt_getinfo));
+ return -EINVAL;
+ }
+@@ -1113,7 +1113,7 @@ static int get_info(struct net *net, void __user *user,
+ info.size = private->size;
+ strcpy(info.name, name);
+
+- if (copy_to_user(user, &info, *len) != 0)
++ if (copy_to_user(user, &info, len) != 0)
+ ret = -EFAULT;
+ else
+ ret = 0;
+@@ -1967,7 +1967,7 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 1);
++ ret = get_info(sock_net(sk), user, *len, 1);
+ break;
+ case IPT_SO_GET_ENTRIES:
+ ret = compat_get_entries(sock_net(sk), user, len);
+@@ -2014,7 +2014,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 0);
++ ret = get_info(sock_net(sk), user, *len, 0);
+ break;
+
+ case IPT_SO_GET_ENTRIES:
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 43d4c3b..1914409 100644
--- a/net/ipv4/ping.c
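Review bot: After get_info has rejected every `len` that differs from `sizeof(struct arpt_getinfo)`, the copy still uses the caller-derived value, `copy_to_user(user, &info, len)`. Assuming `info` is the `struct arpt_getinfo` declared in the part of the function outside the hunk, `copy_to_user(user, &info, sizeof(info))` copies the same bytes with a length that is a compile-time constant tied to the object, which is easier to audit and does not depend on the earlier check staying in place. The same applies to get_info in ip_tables.c in this hunk and in the ip6_tables.c hunk further down. The `duprintf` calls also print the now-plain `int len` with `%u`; `%d` would match the type.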
@@ -78558,10 +78710,10 @@ index 5a65eea..bd913a1 100644
int udp4_seq_show(struct seq_file *seq, void *v)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index a5521c5..984a2f4 100644
+index aef80d7..1624eee 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
-@@ -2153,7 +2153,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
+@@ -2151,7 +2151,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
p.iph.ihl = 5;
p.iph.protocol = IPPROTO_IPV6;
p.iph.ttl = 64;
@@ -78630,6 +78782,55 @@ index 26cb08c..8af9877 100644
msg.msg_controllen = len;
msg.msg_flags = flags;
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 94874b0..a47969c 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1091,14 +1091,14 @@ static int compat_table_info(const struct xt_table_info *info,
+ #endif
+
+ static int get_info(struct net *net, void __user *user,
+- const int *len, int compat)
++ int len, int compat)
+ {
+ char name[XT_TABLE_MAXNAMELEN];
+ struct xt_table *t;
+ int ret;
+
+- if (*len != sizeof(struct ip6t_getinfo)) {
+- duprintf("length %u != %zu\n", *len,
++ if (len != sizeof(struct ip6t_getinfo)) {
++ duprintf("length %u != %zu\n", len,
+ sizeof(struct ip6t_getinfo));
+ return -EINVAL;
+ }
+@@ -1135,7 +1135,7 @@ static int get_info(struct net *net, void __user *user,
+ info.size = private->size;
+ strcpy(info.name, name);
+
+- if (copy_to_user(user, &info, *len) != 0)
++ if (copy_to_user(user, &info, len) != 0)
+ ret = -EFAULT;
+ else
+ ret = 0;
+@@ -1989,7 +1989,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IP6T_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 1);
++ ret = get_info(sock_net(sk), user, *len, 1);
+ break;
+ case IP6T_SO_GET_ENTRIES:
+ ret = compat_get_entries(sock_net(sk), user, len);
+@@ -2036,7 +2036,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IP6T_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 0);
++ ret = get_info(sock_net(sk), user, *len, 0);
+ break;
+
+ case IP6T_SO_GET_ENTRIES:
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 361ebf3..d5628fb 100644
--- a/net/ipv6/raw.c
@@ -79051,26 +79252,6 @@ index 1e733e9..3d73c9f 100644
} while (!res);
return res;
}
-diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
-index a18e6c3..99a60d5 100644
---- a/net/llc/af_llc.c
-+++ b/net/llc/af_llc.c
-@@ -966,14 +966,13 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr,
- struct sockaddr_llc sllc;
- struct sock *sk = sock->sk;
- struct llc_sock *llc = llc_sk(sk);
-- int rc = 0;
-+ int rc = -EBADF;
-
- memset(&sllc, 0, sizeof(sllc));
- lock_sock(sk);
- if (sock_flag(sk, SOCK_ZAPPED))
- goto out;
- *uaddrlen = sizeof(sllc);
-- memset(uaddr, 0, *uaddrlen);
- if (peer) {
- rc = -ENOTCONN;
- if (sk->sk_state != TCP_ESTABLISHED)
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 73495f1..ad51356 100644
--- a/net/mac80211/ieee80211_i.h
@@ -79320,7 +79501,7 @@ index 6dc7d7d..e45913a 100644
if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
cp->protocol == IPPROTO_SCTP) {
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
-index e1a66cf..2772ca6 100644
+index 72f4253..2772ca6 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -788,7 +788,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
@@ -79359,15 +79540,7 @@ index e1a66cf..2772ca6 100644
entry.weight = atomic_read(&dest->weight);
entry.u_threshold = dest->u_threshold;
entry.l_threshold = dest->l_threshold;
-@@ -2713,6 +2713,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
- {
- struct ip_vs_timeout_user t;
-
-+ memset(&t, 0, sizeof(t));
- __ip_vs_get_timeouts(net, &t);
- if (copy_to_user(user, &t, sizeof(t)) != 0)
- ret = -EFAULT;
-@@ -3042,7 +3043,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
+@@ -3043,7 +3043,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
@@ -79561,7 +79734,7 @@ index 4fe4fb4..87a89e5 100644
return 0;
}
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index a99fb41..7a58852 100644
+index 38b78b9..7a58852 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -742,7 +742,7 @@ static void netlink_overrun(struct sock *sk)
@@ -79573,26 +79746,7 @@ index a99fb41..7a58852 100644
}
static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
-@@ -1333,7 +1333,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
- if (NULL == siocb->scm)
- siocb->scm = &scm;
-
-- err = scm_send(sock, msg, siocb->scm);
-+ err = scm_send(sock, msg, siocb->scm, true);
- if (err < 0)
- return err;
-
-@@ -1344,7 +1344,8 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
- dst_pid = addr->nl_pid;
- dst_group = ffs(addr->nl_groups);
- err = -EPERM;
-- if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
-+ if ((dst_group || dst_pid) &&
-+ !netlink_capable(sock, NL_NONROOT_SEND))
- goto out;
- } else {
- dst_pid = nlk->dst_pid;
-@@ -2001,7 +2002,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
+@@ -2002,7 +2002,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
sk_wmem_alloc_get(s),
nlk->cb,
atomic_read(&s->sk_refcnt),
@@ -79601,14 +79755,6 @@ index a99fb41..7a58852 100644
sock_i_ino(s)
);
-@@ -2103,6 +2104,7 @@ static void __init netlink_add_usersock_entry(void)
- rcu_assign_pointer(nl_table[NETLINK_USERSOCK].listeners, listeners);
- nl_table[NETLINK_USERSOCK].module = THIS_MODULE;
- nl_table[NETLINK_USERSOCK].registered = 1;
-+ nl_table[NETLINK_USERSOCK].nl_nonroot = NL_NONROOT_SEND;
-
- netlink_table_ungrab();
- }
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 732152f..60bb09e 100644
--- a/net/netrom/af_netrom.c
@@ -79630,10 +79776,10 @@ index 732152f..60bb09e 100644
*uaddr_len = sizeof(struct sockaddr_ax25);
}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index d9d4970..906059b 100644
+index 85afc13..f8c880b 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
-@@ -1675,7 +1675,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1684,7 +1684,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
spin_lock(&sk->sk_receive_queue.lock);
po->stats.tp_packets++;
@@ -79642,7 +79788,7 @@ index d9d4970..906059b 100644
__skb_queue_tail(&sk->sk_receive_queue, skb);
spin_unlock(&sk->sk_receive_queue.lock);
sk->sk_data_ready(sk, skb->len);
-@@ -1684,7 +1684,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1693,7 +1693,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
drop_n_acct:
spin_lock(&sk->sk_receive_queue.lock);
po->stats.tp_drops++;
@@ -79651,7 +79797,7 @@ index d9d4970..906059b 100644
spin_unlock(&sk->sk_receive_queue.lock);
drop_n_restore:
-@@ -2613,6 +2613,7 @@ out:
+@@ -2621,6 +2621,7 @@ out:
static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len)
{
@@ -79659,7 +79805,7 @@ index d9d4970..906059b 100644
struct sock_exterr_skb *serr;
struct sk_buff *skb, *skb2;
int copied, err;
-@@ -2634,8 +2635,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len)
+@@ -2642,8 +2643,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len)
sock_recv_timestamp(msg, sk, skb);
serr = SKB_EXT_ERR(skb);
@@ -79670,7 +79816,7 @@ index d9d4970..906059b 100644
msg->msg_flags |= MSG_ERRQUEUE;
err = copied;
-@@ -3266,7 +3268,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3274,7 +3276,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
case PACKET_HDRLEN:
if (len > sizeof(int))
len = sizeof(int);
@@ -79679,7 +79825,7 @@ index d9d4970..906059b 100644
return -EFAULT;
switch (val) {
case TPACKET_V1:
-@@ -3316,7 +3318,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3324,7 +3326,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
if (put_user(len, optlen))
return -EFAULT;
@@ -80214,20 +80360,20 @@ index 1e2eee8..ce3967e 100644
assoc->assoc_id,
assoc->sndbuf_used,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 8e49d76..ba19fd7 100644
+index 8e49d76..52773ad 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
-@@ -4583,7 +4583,7 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4583,6 +4583,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
if (space_left < addrlen)
return -ENOMEM;
-- if (copy_to_user(to, &temp, addrlen))
-+ if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
++ if (addrlen > sizeof(temp) || addrlen < 0)
++ return -EFAULT;
+ if (copy_to_user(to, &temp, addrlen))
return -EFAULT;
to += addrlen;
- cnt++;
diff --git a/net/socket.c b/net/socket.c
-index 273cbce..ed22cd4 100644
+index 68879db..ed22cd4 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -88,6 +88,7 @@
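Review bot: In the check added to sctp_getsockopt_peer_addrs, `addrlen > sizeof(temp) || addrlen < 0`, the second test can never be the one that fires. If `addrlen` is a signed `int` (its declaration is outside the hunk), it is converted to `size_t` for the first comparison, so a negative value already compares greater than `sizeof(temp)`; if it is unsigned, it is never negative. Writing the sign test first, `if (addrlen < 0 || addrlen > sizeof(temp))`, makes the intent readable without relying on the conversion. Returning `-EFAULT` here also reports a length error as a bad user pointer; `-EINVAL` would be more precise.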
@@ -80398,15 +80544,7 @@ index 273cbce..ed22cd4 100644
uaddr_len = COMPAT_NAMELEN(msg);
if (MSG_CMSG_COMPAT & flags) {
err = verify_compat_iovec(msg_sys, iov,
-@@ -2645,6 +2705,7 @@ static int dev_ifconf(struct net *net, struct compat_ifconf __user *uifc32)
- if (copy_from_user(&ifc32, uifc32, sizeof(struct compat_ifconf)))
- return -EFAULT;
-
-+ memset(&ifc, 0, sizeof(ifc));
- if (ifc32.ifcbuf == 0) {
- ifc32.ifc_len = 0;
- ifc.ifc_len = 0;
-@@ -2748,7 +2809,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2749,7 +2809,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
}
ifr = compat_alloc_user_space(buf_size);
@@ -80415,7 +80553,7 @@ index 273cbce..ed22cd4 100644
if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ))
return -EFAULT;
-@@ -2772,12 +2833,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2773,12 +2833,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
offsetof(struct ethtool_rxnfc, fs.ring_cookie));
if (copy_in_user(rxnfc, compat_rxnfc,
@@ -80432,7 +80570,7 @@ index 273cbce..ed22cd4 100644
copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
sizeof(rxnfc->rule_cnt)))
return -EFAULT;
-@@ -2789,12 +2850,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2790,12 +2850,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
if (convert_out) {
if (copy_in_user(compat_rxnfc, rxnfc,
@@ -80449,7 +80587,7 @@ index 273cbce..ed22cd4 100644
copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt,
sizeof(rxnfc->rule_cnt)))
return -EFAULT;
-@@ -2864,7 +2925,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
+@@ -2865,7 +2925,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
err = dev_ioctl(net, cmd,
@@ -80458,7 +80596,7 @@ index 273cbce..ed22cd4 100644
set_fs(old_fs);
return err;
-@@ -2973,7 +3034,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
+@@ -2974,7 +3034,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -80467,7 +80605,7 @@ index 273cbce..ed22cd4 100644
set_fs(old_fs);
if (cmd == SIOCGIFMAP && !err) {
-@@ -3078,7 +3139,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
+@@ -3079,7 +3139,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
ret |= __get_user(rtdev, &(ur4->rt_dev));
if (rtdev) {
ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
@@ -80476,7 +80614,7 @@ index 273cbce..ed22cd4 100644
devname[15] = 0;
} else
r4.rt_dev = NULL;
-@@ -3318,8 +3379,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
+@@ -3319,8 +3379,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
int __user *uoptlen;
int err;
@@ -80487,7 +80625,7 @@ index 273cbce..ed22cd4 100644
set_fs(KERNEL_DS);
if (level == SOL_SOCKET)
-@@ -3339,7 +3400,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
+@@ -3340,7 +3400,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
char __user *uoptval;
int err;
@@ -80800,7 +80938,7 @@ index 1983717..4d6102c 100644
sub->evt.event = htohl(event, sub->swap);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index d99678a..6786706 100644
+index 317bfe3..6786706 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -767,6 +767,12 @@ static struct sock *unix_find_other(struct net *net,
@@ -80849,24 +80987,6 @@ index d99678a..6786706 100644
mutex_unlock(&path.dentry->d_inode->i_mutex);
dput(path.dentry);
path.dentry = dentry;
-@@ -1435,7 +1455,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
- if (NULL == siocb->scm)
- siocb->scm = &tmp_scm;
- wait_for_unix_gc();
-- err = scm_send(sock, msg, siocb->scm);
-+ err = scm_send(sock, msg, siocb->scm, false);
- if (err < 0)
- return err;
-
-@@ -1596,7 +1616,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
- if (NULL == siocb->scm)
- siocb->scm = &tmp_scm;
- wait_for_unix_gc();
-- err = scm_send(sock, msg, siocb->scm);
-+ err = scm_send(sock, msg, siocb->scm, false);
- if (err < 0)
- return err;
-
diff --git a/net/wireless/core.h b/net/wireless/core.h
index 02c3be3..e022efa 100644
--- a/net/wireless/core.h
@@ -81010,10 +81130,119 @@ index 9414b9c..d14ecb6 100644
if (init_replay) {
err = xfrm_init_replay(x);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
-index 7cae73e..ca5c26f 100644
+index 7cae73e..3034d8f 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
-@@ -862,6 +862,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
+@@ -123,9 +123,17 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
+ struct nlattr **attrs)
+ {
+ struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
++ struct xfrm_replay_state_esn *rs;
+
+- if ((p->flags & XFRM_STATE_ESN) && !rt)
+- return -EINVAL;
++ if (p->flags & XFRM_STATE_ESN) {
++ if (!rt)
++ return -EINVAL;
++
++ rs = nla_data(rt);
++ if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
++ nla_len(rt) != sizeof(*rs))
++ return -EINVAL;
++ }
+
+ if (!rt)
+ return 0;
+@@ -370,14 +378,15 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
+ struct nlattr *rp)
+ {
+ struct xfrm_replay_state_esn *up;
++ size_t ulen;
+
+ if (!replay_esn || !rp)
+ return 0;
+
+ up = nla_data(rp);
++ ulen = xfrm_replay_state_esn_len(up);
+
+- if (xfrm_replay_state_esn_len(replay_esn) !=
+- xfrm_replay_state_esn_len(up))
++ if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+ return -EINVAL;
+
+ return 0;
+@@ -388,22 +397,28 @@ static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn
+ struct nlattr *rta)
+ {
+ struct xfrm_replay_state_esn *p, *pp, *up;
++ size_t klen, ulen;
+
+ if (!rta)
+ return 0;
+
+ up = nla_data(rta);
++ klen = xfrm_replay_state_esn_len(up);
++ ulen = nla_len(rta) > sizeof(*up) ? klen : sizeof(*up);
+
+- p = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL);
++ p = kzalloc(klen, GFP_KERNEL);
+ if (!p)
+ return -ENOMEM;
+
+- pp = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL);
++ pp = kzalloc(klen, GFP_KERNEL);
+ if (!pp) {
+ kfree(p);
+ return -ENOMEM;
+ }
+
++ memcpy(p, up, ulen);
++ memcpy(pp, up, ulen);
++
+ *replay_esn = p;
+ *preplay_esn = pp;
+
+@@ -442,10 +457,11 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
+ * somehow made shareable and move it to xfrm_state.c - JHS
+ *
+ */
+-static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs)
++static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
++ int update_esn)
+ {
+ struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
+- struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL];
++ struct nlattr *re = update_esn ? attrs[XFRMA_REPLAY_ESN_VAL] : NULL;
+ struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
+ struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
+ struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
+@@ -555,7 +571,7 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
+ goto error;
+
+ /* override default values from above */
+- xfrm_update_ae_params(x, attrs);
++ xfrm_update_ae_params(x, attrs, 0);
+
+ return x;
+
+@@ -689,6 +705,7 @@ out:
+
+ static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p)
+ {
++ memset(p, 0, sizeof(*p));
+ memcpy(&p->id, &x->id, sizeof(p->id));
+ memcpy(&p->sel, &x->sel, sizeof(p->sel));
+ memcpy(&p->lft, &x->lft, sizeof(p->lft));
+@@ -742,7 +759,7 @@ static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb)
+ return -EMSGSIZE;
+
+ algo = nla_data(nla);
+- strcpy(algo->alg_name, auth->alg_name);
++ strncpy(algo->alg_name, auth->alg_name, sizeof(algo->alg_name));
+ memcpy(algo->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8);
+ algo->alg_key_len = auth->alg_key_len;
+
+@@ -862,6 +879,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
{
struct xfrm_dump_info info;
struct sk_buff *skb;
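Review bot: In the header-only case that `verify_replay` lets through (`nla_len(rt) == sizeof(*rs)`), the size `klen` passed to `kzalloc()` in `xfrm_alloc_replay_state_esn` comes from the user-supplied length field alone, and nothing in these hunks puts an upper bound on it. `xfrm_replay_state_esn_len()` is not shown; if it returns a narrower type than the multiplication it performs, a large value could wrap before the allocation. I would add an explicit cap next to the length comparison in `verify_replay`, for example `if (rs->bmp_len > ESN_BMP_WORDS_MAX) return -EINVAL;`, where `ESN_BMP_WORDS_MAX` is a placeholder for a limit the project would choose. If the replay window is later used to index the bitmap, it should also be checked against the bitmap size. Both functions continue outside the quoted context.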
@@ -81021,7 +81250,7 @@ index 7cae73e..ca5c26f 100644
skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
if (!skb)
-@@ -872,9 +873,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
+@@ -872,9 +890,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
info.nlmsg_seq = seq;
info.nlmsg_flags = 0;
@@ -81034,7 +81263,15 @@ index 7cae73e..ca5c26f 100644
}
return skb;
-@@ -1401,6 +1403,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
+@@ -1297,6 +1316,7 @@ static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy
+
+ static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir)
+ {
++ memset(p, 0, sizeof(*p));
+ memcpy(&p->sel, &xp->selector, sizeof(p->sel));
+ memcpy(&p->lft, &xp->lft, sizeof(p->lft));
+ memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft));
+@@ -1401,6 +1421,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
struct xfrm_user_tmpl *up = &vec[i];
struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
@@ -81042,6 +81279,15 @@ index 7cae73e..ca5c26f 100644
memcpy(&up->id, &kp->id, sizeof(up->id));
up->family = kp->encap_family;
memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
+@@ -1794,7 +1815,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
+ goto out;
+
+ spin_lock_bh(&x->lock);
+- xfrm_update_ae_params(x, attrs);
++ xfrm_update_ae_params(x, attrs, 1);
+ spin_unlock_bh(&x->lock);
+
+ c.event = nlh->nlmsg_type;
diff --git a/scripts/Makefile.build b/scripts/Makefile.build
index d2b366c..2d5a6f8 100644
--- a/scripts/Makefile.build
@@ -81479,10 +81725,10 @@ index 38f6617..e70b72b 100755
exuberant()
diff --git a/security/Kconfig b/security/Kconfig
-index 51bd5a0..047aa78 100644
+index 51bd5a0..560318a 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,888 @@
+@@ -4,6 +4,885 @@
menu "Security options"
@@ -82057,9 +82303,6 @@ index 51bd5a0..047aa78 100644
+ that is, enabling this option will make it harder to inject
+ and execute 'foreign' code in kernel memory itself.
+
-+ Note that on x86_64 kernels there is a known regression when
-+ this feature and KVM/VMX are both enabled in the host kernel.
-+
+choice
+ prompt "Return Address Instrumentation Method"
+ default PAX_KERNEXEC_PLUGIN_METHOD_BTS
@@ -82371,7 +82614,7 @@ index 51bd5a0..047aa78 100644
config KEYS
bool "Enable access key retention support"
help
-@@ -169,7 +1051,7 @@ config INTEL_TXT
+@@ -169,7 +1048,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
@@ -90139,7 +90382,7 @@ index af0f22f..9a7d479 100644
break;
}
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index ec747dc..da361c4 100644
+index ec747dc..d3e1f29 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -75,7 +75,7 @@ LIST_HEAD(vm_list);
@@ -90151,6 +90394,15 @@ index ec747dc..da361c4 100644
struct kmem_cache *kvm_vcpu_cache;
EXPORT_SYMBOL_GPL(kvm_vcpu_cache);
+@@ -659,7 +659,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
+ /* We can read the guest memory with __xxx_user() later on. */
+ if (user_alloc &&
+ ((mem->userspace_addr & (PAGE_SIZE - 1)) ||
+- !access_ok(VERIFY_WRITE,
++ !__access_ok(VERIFY_WRITE,
+ (void __user *)(unsigned long)mem->userspace_addr,
+ mem->memory_size)))
+ goto out;
@@ -2274,7 +2274,7 @@ static void hardware_enable_nolock(void *junk)
if (r) {
diff --git a/3.2.29/4430_grsec-remove-localversion-grsec.patch b/3.2.30/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 3.2.29/4430_grsec-remove-localversion-grsec.patch
rename to 3.2.30/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.2.29/4435_grsec-mute-warnings.patch b/3.2.30/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 3.2.29/4435_grsec-mute-warnings.patch
rename to 3.2.30/4435_grsec-mute-warnings.patch
diff --git a/3.2.29/4440_grsec-remove-protected-paths.patch b/3.2.30/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 3.2.29/4440_grsec-remove-protected-paths.patch
rename to 3.2.30/4440_grsec-remove-protected-paths.patch
diff --git a/3.2.29/4450_grsec-kconfig-default-gids.patch b/3.2.30/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 3.2.29/4450_grsec-kconfig-default-gids.patch
rename to 3.2.30/4450_grsec-kconfig-default-gids.patch
diff --git a/3.2.29/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.30/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 3.2.29/4465_selinux-avc_audit-log-curr_ip.patch
rename to 3.2.30/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.2.29/4470_disable-compat_vdso.patch b/3.2.30/4470_disable-compat_vdso.patch
similarity index 100%
rename from 3.2.29/4470_disable-compat_vdso.patch
rename to 3.2.30/4470_disable-compat_vdso.patch
diff --git a/3.5.4/0000_README b/3.5.4/0000_README
index 2253a6b..430fd0c 100644
--- a/3.5.4/0000_README
+++ b/3.5.4/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.5.4-201209171824.patch
+Patch: 4420_grsecurity-2.9.1-3.5.4-201209192118.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.5.4/4420_grsecurity-2.9.1-3.5.4-201209171824.patch b/3.5.4/4420_grsecurity-2.9.1-3.5.4-201209192118.patch
similarity index 99%
rename from 3.5.4/4420_grsecurity-2.9.1-3.5.4-201209171824.patch
rename to 3.5.4/4420_grsecurity-2.9.1-3.5.4-201209192118.patch
index ca159d7..b72425c 100644
--- a/3.5.4/4420_grsecurity-2.9.1-3.5.4-201209171824.patch
+++ b/3.5.4/4420_grsecurity-2.9.1-3.5.4-201209192118.patch
@@ -19712,7 +19712,7 @@ index 24d3c91..d06b473 100644
return pc;
}
diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
-index 9d9d2f9..ed344e4 100644
+index 9d9d2f9..cad418a 100644
--- a/arch/x86/kernel/tls.c
+++ b/arch/x86/kernel/tls.c
@@ -84,6 +84,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
@@ -19727,6 +19727,15 @@ index 9d9d2f9..ed344e4 100644
set_tls_desc(p, idx, &info, 1);
return 0;
+@@ -204,7 +209,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
+
+ if (kbuf)
+ info = kbuf;
+- else if (__copy_from_user(infobuf, ubuf, count))
++ else if (count > sizeof infobuf || __copy_from_user(infobuf, ubuf, count))
+ return -EFAULT;
+ else
+ info = infobuf;
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 05b31d9..501d3ba 100644
--- a/arch/x86/kernel/traps.c
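Review bot: The new length guard in `regset_tls_set` reports an oversized `count` as `-EFAULT`, the same code used for a faulting user pointer, so a caller cannot tell a bad length from a bad address. A separate `if (count > sizeof infobuf) return -EINVAL;` ahead of the copy would keep the two apart. The same folding of a size check into the `-EFAULT` path appears in the `__tun_chr_ioctl`, `compat_do_ebt_get_ctl` and `compat_sys_socketcall` hunks later in this patch. The `info = kbuf` branch is not covered by this check, and whether an earlier test outside the hunk already limits `count` is not visible.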
@@ -27188,7 +27197,7 @@ index 00aaf04..4a26505 100644
-}
-__setup("vdso=", vdso_setup);
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index ff962d4..2bb5e83 100644
+index ff962d4..d34a191 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -97,8 +97,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -27200,6 +27209,41 @@ index ff962d4..2bb5e83 100644
RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
__read_mostly int xen_have_vector_callback;
EXPORT_SYMBOL_GPL(xen_have_vector_callback);
+@@ -885,21 +883,21 @@ static u32 xen_safe_apic_wait_icr_idle(void)
+
+ static void set_xen_basic_apic_ops(void)
+ {
+- apic->read = xen_apic_read;
+- apic->write = xen_apic_write;
+- apic->icr_read = xen_apic_icr_read;
+- apic->icr_write = xen_apic_icr_write;
+- apic->wait_icr_idle = xen_apic_wait_icr_idle;
+- apic->safe_wait_icr_idle = xen_safe_apic_wait_icr_idle;
+- apic->set_apic_id = xen_set_apic_id;
+- apic->get_apic_id = xen_get_apic_id;
++ *(void **)&apic->read = xen_apic_read;
++ *(void **)&apic->write = xen_apic_write;
++ *(void **)&apic->icr_read = xen_apic_icr_read;
++ *(void **)&apic->icr_write = xen_apic_icr_write;
++ *(void **)&apic->wait_icr_idle = xen_apic_wait_icr_idle;
++ *(void **)&apic->safe_wait_icr_idle = xen_safe_apic_wait_icr_idle;
++ *(void **)&apic->set_apic_id = xen_set_apic_id;
++ *(void **)&apic->get_apic_id = xen_get_apic_id;
+
+ #ifdef CONFIG_SMP
+- apic->send_IPI_allbutself = xen_send_IPI_allbutself;
+- apic->send_IPI_mask_allbutself = xen_send_IPI_mask_allbutself;
+- apic->send_IPI_mask = xen_send_IPI_mask;
+- apic->send_IPI_all = xen_send_IPI_all;
+- apic->send_IPI_self = xen_send_IPI_self;
++ *(void **)&apic->send_IPI_allbutself = xen_send_IPI_allbutself;
++ *(void **)&apic->send_IPI_mask_allbutself = xen_send_IPI_mask_allbutself;
++ *(void **)&apic->send_IPI_mask = xen_send_IPI_mask;
++ *(void **)&apic->send_IPI_all = xen_send_IPI_all;
++ *(void **)&apic->send_IPI_self = xen_send_IPI_self;
+ #endif
+ }
+
@@ -1175,30 +1173,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
#endif
};
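Review bot: Every assignment in `set_xen_basic_apic_ops` now goes through `*(void **)&apic->...`, which removes the compiler's check that each Xen handler matches the prototype of the member it is stored in, so a later signature change would compile silently. The hunk carries no comment saying why the cast is needed. If it is there because the members are const-qualified in this tree (not visible here), a line such as `/* apic ops are const in this tree; cast is deliberate, signatures checked by hand */` above the block would record that. Whether the structure is actually writable at this point cannot be told from the hunk.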
@@ -35296,6 +35340,29 @@ index 5c05572..389610b 100644
break;
err = 0;
break;
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 5fb59ae..989715a 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1243,7 +1243,7 @@ static int set_offload(struct tun_struct *tun, unsigned long arg)
+ }
+
+ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+- unsigned long arg, int ifreq_len)
++ unsigned long arg, size_t ifreq_len)
+ {
+ struct tun_file *tfile = file->private_data;
+ struct tun_struct *tun;
+@@ -1254,6 +1254,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+ int vnet_hdr_sz;
+ int ret;
+
++ if (ifreq_len > sizeof ifr)
++ return -EFAULT;
++
+ if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) {
+ if (copy_from_user(&ifr, argp, ifreq_len))
+ return -EFAULT;
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 62f30b4..ff99dfd 100644
--- a/drivers/net/usb/hso.c
@@ -35663,6 +35730,149 @@ index faec404..a5277f1 100644
}
D_INFO("*** LOAD DRIVER ***\n");
+diff --git a/drivers/net/wireless/iwlwifi/iwl-debugfs.c b/drivers/net/wireless/iwlwifi/iwl-debugfs.c
+index 7f97dec..a41d2cf 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-debugfs.c
++++ b/drivers/net/wireless/iwlwifi/iwl-debugfs.c
+@@ -204,7 +204,7 @@ static ssize_t iwl_dbgfs_sram_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[64];
+- int buf_size;
++ size_t buf_size;
+ u32 offset, len;
+
+ memset(buf, 0, sizeof(buf));
+@@ -481,7 +481,7 @@ static ssize_t iwl_dbgfs_rx_handlers_write(struct file *file,
+ struct iwl_priv *priv = file->private_data;
+
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ u32 reset_flag;
+
+ memset(buf, 0, sizeof(buf));
+@@ -562,7 +562,7 @@ static ssize_t iwl_dbgfs_disable_ht40_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int ht40;
+
+ memset(buf, 0, sizeof(buf));
+@@ -614,7 +614,7 @@ static ssize_t iwl_dbgfs_sleep_level_override_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int value;
+
+ memset(buf, 0, sizeof(buf));
+@@ -1879,7 +1879,7 @@ static ssize_t iwl_dbgfs_clear_ucode_statistics_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int clear;
+
+ memset(buf, 0, sizeof(buf));
+@@ -1924,7 +1924,7 @@ static ssize_t iwl_dbgfs_ucode_tracing_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int trace;
+
+ memset(buf, 0, sizeof(buf));
+@@ -1995,7 +1995,7 @@ static ssize_t iwl_dbgfs_missed_beacon_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int missed;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2036,7 +2036,7 @@ static ssize_t iwl_dbgfs_plcp_delta_write(struct file *file,
+
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int plcp;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2096,7 +2096,7 @@ static ssize_t iwl_dbgfs_txfifo_flush_write(struct file *file,
+
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int flush;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2186,7 +2186,7 @@ static ssize_t iwl_dbgfs_protection_mode_write(struct file *file,
+
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int rts;
+
+ if (!priv->cfg->ht_params)
+@@ -2228,7 +2228,7 @@ static ssize_t iwl_dbgfs_echo_test_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+
+ memset(buf, 0, sizeof(buf));
+ buf_size = min(count, sizeof(buf) - 1);
+@@ -2264,7 +2264,7 @@ static ssize_t iwl_dbgfs_log_event_write(struct file *file,
+ struct iwl_priv *priv = file->private_data;
+ u32 event_log_flag;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+
+ memset(buf, 0, sizeof(buf));
+ buf_size = min(count, sizeof(buf) - 1);
+@@ -2314,7 +2314,7 @@ static ssize_t iwl_dbgfs_calib_disabled_write(struct file *file,
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+ u32 calib_disabled;
+- int buf_size;
++ size_t buf_size;
+
+ memset(buf, 0, sizeof(buf));
+ buf_size = min(count, sizeof(buf) - 1);
+diff --git a/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c b/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
+index 79c6b91..c75e8a3 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
++++ b/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
+@@ -1948,7 +1948,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
+ struct isr_statistics *isr_stats = &trans_pcie->isr_stats;
+
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ u32 reset_flag;
+
+ memset(buf, 0, sizeof(buf));
+@@ -1969,7 +1969,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file,
+ {
+ struct iwl_trans *trans = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int csr;
+
+ memset(buf, 0, sizeof(buf));
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index a0b7cfd..20b49f7 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
@@ -44284,9 +44494,27 @@ index 7e6c52d..94bc756 100644
/*
* We'll have a dentry and an inode for
diff --git a/fs/dcache.c b/fs/dcache.c
-index 4046904..5e31505 100644
+index 4046904..a58db1d 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
+@@ -389,7 +389,7 @@ static struct dentry *d_kill(struct dentry *dentry, struct dentry *parent)
+ * Inform try_to_ascend() that we are no longer attached to the
+ * dentry tree
+ */
+- dentry->d_flags |= DCACHE_DISCONNECTED;
++ dentry->d_flags |= DCACHE_DENTRY_KILLED;
+ if (parent)
+ spin_unlock(&parent->d_lock);
+ dentry_iput(dentry);
+@@ -1046,7 +1046,7 @@ static struct dentry *try_to_ascend(struct dentry *old, int locked, unsigned seq
+ * or deletion
+ */
+ if (new != old->d_parent ||
+- (old->d_flags & DCACHE_DISCONNECTED) ||
++ (old->d_flags & DCACHE_DENTRY_KILLED) ||
+ (!locked && read_seqretry(&rename_lock, seq))) {
+ spin_unlock(&new->d_lock);
+ new = NULL;
@@ -3154,7 +3154,7 @@ void __init vfs_caches_init(unsigned long mempages)
mempages -= reserve;
@@ -49266,7 +49494,7 @@ index 06e1cc1..177cd98 100644
rcu_read_lock();
task = pid_task(proc_pid(dir), PIDTYPE_PID);
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
-index 3476bca..cb6d86a 100644
+index 3476bca..75e1775 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -12,11 +12,15 @@
@@ -49287,7 +49515,15 @@ index 3476bca..cb6d86a 100644
void proc_sys_poll_notify(struct ctl_table_poll *poll)
{
-@@ -470,8 +474,14 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
+@@ -462,17 +466,22 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
+
+ err = ERR_PTR(-ENOMEM);
+ inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
+- if (h)
+- sysctl_head_finish(h);
+-
+ if (!inode)
+ goto out;
err = NULL;
d_set_d_op(dentry, &proc_sys_dentry_operations);
@@ -49300,9 +49536,12 @@ index 3476bca..cb6d86a 100644
+ err = ERR_PTR(-ENOENT);
+
out:
++ if (h)
++ sysctl_head_finish(h);
sysctl_head_finish(head);
return err;
-@@ -483,18 +493,20 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
+ }
+@@ -483,18 +492,20 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
struct inode *inode = filp->f_path.dentry->d_inode;
struct ctl_table_header *head = grab_header(inode);
struct ctl_table *table = PROC_I(inode)->sysctl_entry;
@@ -49324,7 +49563,7 @@ index 3476bca..cb6d86a 100644
goto out;
/* if that can happen at all, it should be -EINVAL, not -EISDIR */
-@@ -502,6 +514,22 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
+@@ -502,6 +513,22 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
if (!table->proc_handler)
goto out;
@@ -49347,7 +49586,7 @@ index 3476bca..cb6d86a 100644
/* careful: calling conventions are nasty here */
res = count;
error = table->proc_handler(table, write, buf, &res, ppos);
-@@ -599,6 +627,9 @@ static int proc_sys_fill_cache(struct file *filp, void *dirent,
+@@ -599,6 +626,9 @@ static int proc_sys_fill_cache(struct file *filp, void *dirent,
return -ENOMEM;
} else {
d_set_d_op(child, &proc_sys_dentry_operations);
@@ -49357,7 +49596,7 @@ index 3476bca..cb6d86a 100644
d_add(child, inode);
}
} else {
-@@ -642,6 +673,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table,
+@@ -642,6 +672,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table,
if ((*pos)++ < file->f_pos)
return 0;
@@ -49367,7 +49606,7 @@ index 3476bca..cb6d86a 100644
if (unlikely(S_ISLNK(table->mode)))
res = proc_sys_link_fill_cache(file, dirent, filldir, head, table);
else
-@@ -759,6 +793,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct
+@@ -759,6 +792,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct
if (IS_ERR(head))
return PTR_ERR(head);
@@ -49377,7 +49616,7 @@ index 3476bca..cb6d86a 100644
generic_fillattr(inode, stat);
if (table)
stat->mode = (stat->mode & S_IFMT) | table->mode;
-@@ -781,13 +818,13 @@ static const struct file_operations proc_sys_dir_file_operations = {
+@@ -781,13 +817,13 @@ static const struct file_operations proc_sys_dir_file_operations = {
.llseek = generic_file_llseek,
};
@@ -61169,6 +61408,19 @@ index b92eadf..b4ecdc1 100644
#define crt_ablkcipher crt_u.ablkcipher
#define crt_aead crt_u.aead
+diff --git a/include/linux/dcache.h b/include/linux/dcache.h
+index 094789f..525ab12 100644
+--- a/include/linux/dcache.h
++++ b/include/linux/dcache.h
+@@ -206,6 +206,8 @@ struct dentry_operations {
+ #define DCACHE_MANAGED_DENTRY \
+ (DCACHE_MOUNTED|DCACHE_NEED_AUTOMOUNT|DCACHE_MANAGE_TRANSIT)
+
++#define DCACHE_DENTRY_KILLED 0x100000
++
+ extern seqlock_t rename_lock;
+
+ static inline int dname_external(struct dentry *dentry)
diff --git a/include/linux/decompress/mm.h b/include/linux/decompress/mm.h
index 7925bf0..d5143d2 100644
--- a/include/linux/decompress/mm.h
@@ -68838,6 +69090,31 @@ index e86b291a..e8b0fb5 100644
struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
{
struct pid *pid;
+diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
+index b3c7fd5..6144bab 100644
+--- a/kernel/pid_namespace.c
++++ b/kernel/pid_namespace.c
+@@ -232,15 +232,19 @@ static int pid_ns_ctl_handler(struct ctl_table *table, int write,
+ */
+
+ tmp.data = ¤t->nsproxy->pid_ns->last_pid;
+- return proc_dointvec(&tmp, write, buffer, lenp, ppos);
++ return proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
+ }
+
++extern int pid_max;
++static int zero = 0;
+ static struct ctl_table pid_ns_ctl_table[] = {
+ {
+ .procname = "ns_last_pid",
+ .maxlen = sizeof(int),
+ .mode = 0666, /* permissions are checked in the handler */
+ .proc_handler = pid_ns_ctl_handler,
++ .extra1 = &zero,
++ .extra2 = &pid_max,
+ },
+ { }
+ };
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
index 125cb67..a4d1c30 100644
--- a/kernel/posix-cpu-timers.c
@@ -70038,7 +70315,7 @@ index 2095be3..9a5b89d 100644
}
EXPORT_SYMBOL_GPL(__srcu_read_unlock);
diff --git a/kernel/sys.c b/kernel/sys.c
-index 2d39a84..f778b49 100644
+index 2d39a84..51030e1 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -157,6 +157,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
@@ -70162,18 +70439,34 @@ index 2d39a84..f778b49 100644
abort_creds(new);
return old_fsgid;
-@@ -1283,7 +1319,10 @@ static int override_release(char __user *release, int len)
+@@ -1264,13 +1300,13 @@ DECLARE_RWSEM(uts_sem);
+ * Work around broken programs that cannot handle "Linux 3.0".
+ * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
+ */
+-static int override_release(char __user *release, int len)
++static int override_release(char __user *release, size_t len)
+ {
+ int ret = 0;
+- char buf[65];
++ char buf[65] = { 0 };
++ const char *rest = UTS_RELEASE;
+
+ if (current->personality & UNAME26) {
+- char *rest = UTS_RELEASE;
+ int ndots = 0;
+ unsigned v;
+
+@@ -1282,7 +1318,10 @@ static int override_release(char __user *release, int len)
+ rest++;
}
v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
++ if (sizeof buf < len)
++ len = sizeof buf;
snprintf(buf, len, "2.6.%u%s", v, rest);
-- ret = copy_to_user(release, buf, len);
-+ if (len > sizeof(buf))
-+ ret = -EFAULT;
-+ else
-+ ret = copy_to_user(release, buf, len);
++ buf[len - 1] = 0;
+ ret = copy_to_user(release, buf, len);
}
return ret;
- }
@@ -1337,19 +1376,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
return -EFAULT;
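Review bot: `buf[len - 1] = 0;` indexes with an unsigned `len` that is only clamped from above, so a caller passing 0 would write far outside `buf`. The callers are outside this hunk and may always pass a fixed size, but `override_release` no longer enforces that itself. The store is also redundant, since `snprintf(buf, len, ...)` already terminates for any non-zero `len` and `buf` is now zero-initialised. I would drop that line and add `if (!len) return 0;` ahead of the clamp. The middle of the function lies between the two quoted inner hunks and is not shown.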
@@ -75368,7 +75661,7 @@ index 8c7265a..c96d884 100644
mm->unmap_area = arch_unmap_area;
}
diff --git a/mm/vmalloc.c b/mm/vmalloc.c
-index 2aad499..4006a74 100644
+index 2aad499..8aad8b1 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
@@ -75565,6 +75858,15 @@ index 2aad499..4006a74 100644
if ((PAGE_SIZE-1) & (unsigned long)addr)
return -EINVAL;
+@@ -2560,7 +2623,7 @@ static int s_show(struct seq_file *m, void *p)
+ {
+ struct vm_struct *v = p;
+
+- seq_printf(m, "0x%p-0x%p %7ld",
++ seq_printf(m, "0x%pK-0x%pK %7ld",
+ v->addr, v->addr + v->size, v->size);
+
+ if (v->caller)
diff --git a/mm/vmstat.c b/mm/vmstat.c
index 1bbbbd9..ff35669 100644
--- a/mm/vmstat.c
@@ -75899,7 +76201,7 @@ index 74175c2..32f8901 100644
frag2->seqno = htons(seqno);
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
-index 5914623..bedc768 100644
+index 5914623..a4a2b19 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -706,6 +706,7 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, int *add
@@ -75910,6 +76212,15 @@ index 5914623..bedc768 100644
release_sock(sk);
return 0;
+@@ -941,7 +942,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char
+ uf.event_mask[1] = *((u32 *) f->event_mask + 1);
+ }
+
+- len = min_t(unsigned int, len, sizeof(uf));
++ len = min((size_t)len, sizeof(uf));
+ if (copy_from_user(&uf, optval, len)) {
+ err = -EFAULT;
+ break;
@@ -1016,6 +1017,7 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname, char
{
struct hci_filter *f = &hci_pi(sk)->filter;
@@ -75936,7 +76247,7 @@ index 7568a6f..ea3097b 100644
if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
rfc.mode != chan->mode)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
-index 3bb1611..fcf656b 100644
+index 3bb1611..d2f89c1 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -246,6 +246,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
@@ -75947,8 +76258,55 @@ index 3bb1611..fcf656b 100644
addr->sa_family = AF_BLUETOOTH;
*len = sizeof(struct sockaddr_l2);
+@@ -451,7 +452,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
+ struct sock *sk = sock->sk;
+ struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+ struct l2cap_options opts;
+- int len, err = 0;
++ int err = 0;
++ size_t len = optlen;
+ u32 opt;
+
+ BT_DBG("sk %p", sk);
+@@ -473,7 +475,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
+ opts.max_tx = chan->max_tx;
+ opts.txwin_size = chan->tx_win;
+
+- len = min_t(unsigned int, sizeof(opts), optlen);
++ len = min(sizeof(opts), len);
+ if (copy_from_user((char *) &opts, optval, len)) {
+ err = -EFAULT;
+ break;
+@@ -546,7 +548,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
+ struct bt_security sec;
+ struct bt_power pwr;
+ struct l2cap_conn *conn;
+- int len, err = 0;
++ int err = 0;
++ size_t len = optlen;
+ u32 opt;
+
+ BT_DBG("sk %p", sk);
+@@ -569,7 +572,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
+
+ sec.level = BT_SECURITY_LOW;
+
+- len = min_t(unsigned int, sizeof(sec), optlen);
++ len = min(sizeof(sec), len);
+ if (copy_from_user((char *) &sec, optval, len)) {
+ err = -EFAULT;
+ break;
+@@ -666,7 +669,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
+
+ pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
+
+- len = min_t(unsigned int, sizeof(pwr), optlen);
++ len = min(sizeof(pwr), len);
+ if (copy_from_user((char *) &pwr, optval, len)) {
+ err = -EFAULT;
+ break;
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
-index e8707de..2df6956 100644
+index e8707de..4b24eef 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -547,6 +547,7 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *
@@ -75959,6 +76317,24 @@ index e8707de..2df6956 100644
sa->rc_family = AF_BLUETOOTH;
sa->rc_channel = rfcomm_pi(sk)->channel;
if (peer)
+@@ -685,7 +686,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
+ struct sock *sk = sock->sk;
+ struct bt_security sec;
+ int err = 0;
+- size_t len;
++ size_t len = optlen;
+ u32 opt;
+
+ BT_DBG("sk %p", sk);
+@@ -707,7 +708,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
+
+ sec.level = BT_SECURITY_LOW;
+
+- len = min_t(unsigned int, sizeof(sec), optlen);
++ len = min(sizeof(sec), len);
+ if (copy_from_user((char *) &sec, optval, len)) {
+ err = -EFAULT;
+ break;
@@ -841,6 +842,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c
}
@@ -76016,7 +76392,7 @@ index d1820ff..4f8c8f6 100644
if (dev->tty_dev->parent)
device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
-index 5fe2ff3..10968b5 100644
+index 5fe2ff3..121d696 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1523,7 +1523,7 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
@@ -76028,6 +76404,24 @@ index 5fe2ff3..10968b5 100644
BUGPRINT("c2u Didn't work\n");
ret = -EFAULT;
break;
+@@ -2327,7 +2327,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
+ goto out;
+ tmp.valid_hooks = t->valid_hooks;
+
+- if (copy_to_user(user, &tmp, *len) != 0) {
++ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
+ ret = -EFAULT;
+ break;
+ }
+@@ -2338,7 +2338,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
+ tmp.entries_size = t->table->entries_size;
+ tmp.valid_hooks = t->table->valid_hooks;
+
+- if (copy_to_user(user, &tmp, *len) != 0) {
++ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
+ ret = -EFAULT;
+ break;
+ }
diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
index 047cd0e..461fd28 100644
--- a/net/caif/cfctrl.c
@@ -76100,7 +76494,7 @@ index b41acf2..3affb3a 100644
diff --git a/net/compat.c b/net/compat.c
-index 74ed1d7..62f7ea6 100644
+index 74ed1d7..3695bd9 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
@@ -76230,6 +76624,15 @@ index 74ed1d7..62f7ea6 100644
struct group_filter __user *kgf;
int __user *koptlen;
u32 interface, fmode, numsrc;
+@@ -797,7 +797,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
+
+ if (call < SYS_SOCKET || call > SYS_SENDMMSG)
+ return -EINVAL;
+- if (copy_from_user(a, args, nas[call]))
++ if (nas[call] > sizeof a || copy_from_user(a, args, nas[call]))
+ return -EFAULT;
+ a0 = a[0];
+ a1 = a[1];
diff --git a/net/core/datagram.c b/net/core/datagram.c
index ae6acf6..d5c8f66 100644
--- a/net/core/datagram.c
@@ -76463,7 +76866,7 @@ index 611c5ef..88f6d6d 100644
{
int new_fd;
diff --git a/net/core/sock.c b/net/core/sock.c
-index 9e5b71f..66dec30 100644
+index 9e5b71f..ee7aab4 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -344,7 +344,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
@@ -76511,7 +76914,23 @@ index 9e5b71f..66dec30 100644
goto discard_and_relse;
}
-@@ -976,7 +976,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+@@ -830,12 +830,12 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+ struct timeval tm;
+ } v;
+
+- int lv = sizeof(int);
+- int len;
++ unsigned int lv = sizeof(int);
++ unsigned int len;
+
+ if (get_user(len, optlen))
+ return -EFAULT;
+- if (len < 0)
++ if (len > INT_MAX)
+ return -EINVAL;
+
+ memset(&v, 0, sizeof(v));
+@@ -976,18 +976,18 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
if (len > sizeof(peercred))
len = sizeof(peercred);
cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred);
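Review bot: Changing `lv` to `unsigned int` at the top of sock_getsockopt leaves `&lv` being passed to `sock->ops->getname(sock, (struct sockaddr *)address, &lv, 2)` in the SO_PEERNAME case shown in the next hunk; if that callback still takes an `int *` length, this is a pointer-signedness mismatch. A separate `int` local for the getname call, assigned to `lv` afterwards, would keep the types honest. The `len > INT_MAX` test is the right replacement for `len < 0` once `len` is unsigned, but it reads oddly without a comment such as `/* optlen is a signed int in the ABI: reject what used to be negative */`. The function continues well past this hunk.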
@@ -76520,15 +76939,19 @@ index 9e5b71f..66dec30 100644
return -EFAULT;
goto lenout;
}
-@@ -989,7 +989,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+
+ case SO_PEERNAME:
+ {
+- char address[128];
++ char address[_K_SS_MAXSIZE];
+
+ if (sock->ops->getname(sock, (struct sockaddr *)address, &lv, 2))
return -ENOTCONN;
- if (lv < len)
+- if (lv < len)
++ if (lv < len || sizeof address < len)
return -EINVAL;
-- if (copy_to_user(optval, address, len))
-+ if (len > sizeof(address) || copy_to_user(optval, address, len))
+ if (copy_to_user(optval, address, len))
return -EFAULT;
- goto lenout;
- }
@@ -1035,7 +1035,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
if (len > lv)
@@ -76765,6 +77188,104 @@ index 67e8a6b..386764d 100644
set_fs(oldfs);
return res;
}
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index 97e61ea..cac1bbb 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -879,14 +879,14 @@ static int compat_table_info(const struct xt_table_info *info,
+ #endif
+
+ static int get_info(struct net *net, void __user *user,
+- const int *len, int compat)
++ int len, int compat)
+ {
+ char name[XT_TABLE_MAXNAMELEN];
+ struct xt_table *t;
+ int ret;
+
+- if (*len != sizeof(struct arpt_getinfo)) {
+- duprintf("length %u != %Zu\n", *len,
++ if (len != sizeof(struct arpt_getinfo)) {
++ duprintf("length %u != %Zu\n", len,
+ sizeof(struct arpt_getinfo));
+ return -EINVAL;
+ }
+@@ -923,7 +923,7 @@ static int get_info(struct net *net, void __user *user,
+ info.size = private->size;
+ strcpy(info.name, name);
+
+- if (copy_to_user(user, &info, *len) != 0)
++ if (copy_to_user(user, &info, len) != 0)
+ ret = -EFAULT;
+ else
+ ret = 0;
+@@ -1682,7 +1682,7 @@ static int compat_do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user,
+
+ switch (cmd) {
+ case ARPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 1);
++ ret = get_info(sock_net(sk), user, *len, 1);
+ break;
+ case ARPT_SO_GET_ENTRIES:
+ ret = compat_get_entries(sock_net(sk), user, len);
+@@ -1727,7 +1727,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
+
+ switch (cmd) {
+ case ARPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 0);
++ ret = get_info(sock_net(sk), user, *len, 0);
+ break;
+
+ case ARPT_SO_GET_ENTRIES:
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index 170b1fd..6105b91 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1068,14 +1068,14 @@ static int compat_table_info(const struct xt_table_info *info,
+ #endif
+
+ static int get_info(struct net *net, void __user *user,
+- const int *len, int compat)
++ int len, int compat)
+ {
+ char name[XT_TABLE_MAXNAMELEN];
+ struct xt_table *t;
+ int ret;
+
+- if (*len != sizeof(struct ipt_getinfo)) {
+- duprintf("length %u != %zu\n", *len,
++ if (len != sizeof(struct ipt_getinfo)) {
++ duprintf("length %u != %zu\n", len,
+ sizeof(struct ipt_getinfo));
+ return -EINVAL;
+ }
+@@ -1112,7 +1112,7 @@ static int get_info(struct net *net, void __user *user,
+ info.size = private->size;
+ strcpy(info.name, name);
+
+- if (copy_to_user(user, &info, *len) != 0)
++ if (copy_to_user(user, &info, len) != 0)
+ ret = -EFAULT;
+ else
+ ret = 0;
+@@ -1966,7 +1966,7 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 1);
++ ret = get_info(sock_net(sk), user, *len, 1);
+ break;
+ case IPT_SO_GET_ENTRIES:
+ ret = compat_get_entries(sock_net(sk), user, len);
+@@ -2013,7 +2013,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 0);
++ ret = get_info(sock_net(sk), user, *len, 0);
+ break;
+
+ case IPT_SO_GET_ENTRIES:
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 2c00e8b..45b3bdd 100644
--- a/net/ipv4/ping.c
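Review bot: In the get_info variants changed here (arp_tables.c and ip_tables.c, and ip6_tables.c in a later hunk) the debug line still formats the now by-value `int len` with `%u`; `%d` matches the parameter, e.g. `duprintf("length %d != %zu\n", len, sizeof(struct ipt_getinfo));`. Once the equality test against the getinfo struct size has passed, `copy_to_user(user, &info, len)` could be written with `sizeof(info)` so the copy bound is visibly constant, assuming `info` is that struct (its declaration is outside the hunk). The hunk does not say why the length is taken by value instead of through the pointer, so a one-line comment on the signature giving the reason would help.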
@@ -77240,6 +77761,55 @@ index ba6d13d..6899122 100644
msg.msg_controllen = len;
msg.msg_flags = flags;
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index d7cb045..8c0ded6 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1078,14 +1078,14 @@ static int compat_table_info(const struct xt_table_info *info,
+ #endif
+
+ static int get_info(struct net *net, void __user *user,
+- const int *len, int compat)
++ int len, int compat)
+ {
+ char name[XT_TABLE_MAXNAMELEN];
+ struct xt_table *t;
+ int ret;
+
+- if (*len != sizeof(struct ip6t_getinfo)) {
+- duprintf("length %u != %zu\n", *len,
++ if (len != sizeof(struct ip6t_getinfo)) {
++ duprintf("length %u != %zu\n", len,
+ sizeof(struct ip6t_getinfo));
+ return -EINVAL;
+ }
+@@ -1122,7 +1122,7 @@ static int get_info(struct net *net, void __user *user,
+ info.size = private->size;
+ strcpy(info.name, name);
+
+- if (copy_to_user(user, &info, *len) != 0)
++ if (copy_to_user(user, &info, len) != 0)
+ ret = -EFAULT;
+ else
+ ret = 0;
+@@ -1976,7 +1976,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IP6T_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 1);
++ ret = get_info(sock_net(sk), user, *len, 1);
+ break;
+ case IP6T_SO_GET_ENTRIES:
+ ret = compat_get_entries(sock_net(sk), user, len);
+@@ -2023,7 +2023,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IP6T_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 0);
++ ret = get_info(sock_net(sk), user, *len, 0);
+ break;
+
+ case IP6T_SO_GET_ENTRIES:
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 93d6983..8e54c4d 100644
--- a/net/ipv6/raw.c
@@ -78841,18 +79411,18 @@ index 1e2eee8..ce3967e 100644
assoc->assoc_id,
assoc->sndbuf_used,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 31c7bfc..bc380ae 100644
+index 31c7bfc..af7bfdc 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
-@@ -4577,7 +4577,7 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4577,6 +4577,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
if (space_left < addrlen)
return -ENOMEM;
-- if (copy_to_user(to, &temp, addrlen))
-+ if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
++ if (addrlen > sizeof(temp) || addrlen < 0)
++ return -EFAULT;
+ if (copy_to_user(to, &temp, addrlen))
return -EFAULT;
to += addrlen;
- cnt++;
diff --git a/net/socket.c b/net/socket.c
index a990aa9..5af9802 100644
--- a/net/socket.c
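Review bot: In the check added to sctp_getsockopt_peer_addrs, `addrlen < 0` is evaluated after `addrlen > sizeof(temp)`; if `addrlen` is a signed int (its declaration is outside the hunk), the first comparison already converts it to `size_t` and rejects negative values, so the second test never decides anything. Testing the sign first reads as intended: `if (addrlen < 0 || addrlen > sizeof(temp))`. The branch also returns -EFAULT although no user access failed; -EINVAL would describe it better if callers do not depend on the code.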
@@ -79624,10 +80194,119 @@ index 5b228f9..6aca4e3 100644
if (init_replay) {
err = xfrm_init_replay(x);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
-index 44293b3..2c00fd0 100644
+index 44293b3..78de610 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
-@@ -872,6 +872,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
+@@ -123,9 +123,17 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
+ struct nlattr **attrs)
+ {
+ struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
++ struct xfrm_replay_state_esn *rs;
+
+- if ((p->flags & XFRM_STATE_ESN) && !rt)
+- return -EINVAL;
++ if (p->flags & XFRM_STATE_ESN) {
++ if (!rt)
++ return -EINVAL;
++
++ rs = nla_data(rt);
++ if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
++ nla_len(rt) != sizeof(*rs))
++ return -EINVAL;
++ }
+
+ if (!rt)
+ return 0;
+@@ -370,14 +378,15 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
+ struct nlattr *rp)
+ {
+ struct xfrm_replay_state_esn *up;
++ size_t ulen;
+
+ if (!replay_esn || !rp)
+ return 0;
+
+ up = nla_data(rp);
++ ulen = xfrm_replay_state_esn_len(up);
+
+- if (xfrm_replay_state_esn_len(replay_esn) !=
+- xfrm_replay_state_esn_len(up))
++ if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+ return -EINVAL;
+
+ return 0;
+@@ -388,22 +397,28 @@ static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn
+ struct nlattr *rta)
+ {
+ struct xfrm_replay_state_esn *p, *pp, *up;
++ size_t klen, ulen;
+
+ if (!rta)
+ return 0;
+
+ up = nla_data(rta);
++ klen = xfrm_replay_state_esn_len(up);
++ ulen = nla_len(rta) > sizeof(*up) ? klen : sizeof(*up);
+
+- p = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL);
++ p = kzalloc(klen, GFP_KERNEL);
+ if (!p)
+ return -ENOMEM;
+
+- pp = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL);
++ pp = kzalloc(klen, GFP_KERNEL);
+ if (!pp) {
+ kfree(p);
+ return -ENOMEM;
+ }
+
++ memcpy(p, up, ulen);
++ memcpy(pp, up, ulen);
++
+ *replay_esn = p;
+ *preplay_esn = pp;
+
+@@ -442,10 +457,11 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
+ * somehow made shareable and move it to xfrm_state.c - JHS
+ *
+ */
+-static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs)
++static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
++ int update_esn)
+ {
+ struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
+- struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL];
++ struct nlattr *re = update_esn ? attrs[XFRMA_REPLAY_ESN_VAL] : NULL;
+ struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
+ struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
+ struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
+@@ -555,7 +571,7 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
+ goto error;
+
+ /* override default values from above */
+- xfrm_update_ae_params(x, attrs);
++ xfrm_update_ae_params(x, attrs, 0);
+
+ return x;
+
+@@ -689,6 +705,7 @@ out:
+
+ static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p)
+ {
++ memset(p, 0, sizeof(*p));
+ memcpy(&p->id, &x->id, sizeof(p->id));
+ memcpy(&p->sel, &x->sel, sizeof(p->sel));
+ memcpy(&p->lft, &x->lft, sizeof(p->lft));
+@@ -742,7 +759,7 @@ static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb)
+ return -EMSGSIZE;
+
+ algo = nla_data(nla);
+- strcpy(algo->alg_name, auth->alg_name);
++ strncpy(algo->alg_name, auth->alg_name, sizeof(algo->alg_name));
+ memcpy(algo->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8);
+ algo->alg_key_len = auth->alg_key_len;
+
+@@ -872,6 +889,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
{
struct xfrm_dump_info info;
struct sk_buff *skb;
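Review bot: The new length test in verify_replay runs only inside `if (p->flags & XFRM_STATE_ESN)`, while xfrm_alloc_replay_state_esn derives `ulen` from `nla_len(rta)` and then does `memcpy(p, up, ulen)` with no check of its own. If the allocator can be reached with the attribute present but the flag clear (the call sites are outside this hunk), an attribute longer than `sizeof(*up)` but shorter than `klen` would be read past its end. Moving the `nla_len(rt)` comparison below `if (!rt) return 0;` so it applies whenever the attribute exists, or adding `if (nla_len(rta) < ulen) return -EINVAL;` before the allocations, would make the allocator safe on its own. Separately, `strncpy(algo->alg_name, auth->alg_name, sizeof(algo->alg_name))` zero-pads but does not guarantee a terminator, which merits a comment.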
@@ -79635,7 +80314,7 @@ index 44293b3..2c00fd0 100644
skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
if (!skb)
-@@ -882,9 +883,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
+@@ -882,9 +900,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
info.nlmsg_seq = seq;
info.nlmsg_flags = 0;
@@ -79648,7 +80327,15 @@ index 44293b3..2c00fd0 100644
}
return skb;
-@@ -1413,6 +1415,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
+@@ -1309,6 +1328,7 @@ static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy
+
+ static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir)
+ {
++ memset(p, 0, sizeof(*p));
+ memcpy(&p->sel, &xp->selector, sizeof(p->sel));
+ memcpy(&p->lft, &xp->lft, sizeof(p->lft));
+ memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft));
+@@ -1413,6 +1433,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
struct xfrm_user_tmpl *up = &vec[i];
struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
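Review bot: The added `memset(p, 0, sizeof(*p));` in copy_to_user_policy, like the identical line in copy_to_user_state earlier in this file, has no comment saying what it protects. The structure is presumably placed in a netlink message for userspace, so padding and any field the function does not assign would otherwise carry stale kernel memory. A one-line comment such as `/* zero padding and unset fields before this is sent to userspace */` keeps a later cleanup from dropping the call as redundant.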
@@ -79656,6 +80343,15 @@ index 44293b3..2c00fd0 100644
memcpy(&up->id, &kp->id, sizeof(up->id));
up->family = kp->encap_family;
memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
+@@ -1812,7 +1833,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
+ goto out;
+
+ spin_lock_bh(&x->lock);
+- xfrm_update_ae_params(x, attrs);
++ xfrm_update_ae_params(x, attrs, 1);
+ spin_unlock_bh(&x->lock);
+
+ c.event = nlh->nlmsg_type;
diff --git a/scripts/Makefile.build b/scripts/Makefile.build
index ff1720d..ed8475e 100644
--- a/scripts/Makefile.build
@@ -80051,10 +80747,10 @@ index 5c11312..72742b5 100644
write_hex_cnt = 0;
for (i = 0; i < logo_clutsize; i++) {
diff --git a/security/Kconfig b/security/Kconfig
-index e9c6ac7..58348f4 100644
+index e9c6ac7..5ff1ad1 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,888 @@
+@@ -4,6 +4,885 @@
menu "Security options"
@@ -80629,9 +81325,6 @@ index e9c6ac7..58348f4 100644
+ that is, enabling this option will make it harder to inject
+ and execute 'foreign' code in kernel memory itself.
+
-+ Note that on x86_64 kernels there is a known regression when
-+ this feature and KVM/VMX are both enabled in the host kernel.
-+
+choice
+ prompt "Return Address Instrumentation Method"
+ default PAX_KERNEXEC_PLUGIN_METHOD_BTS
@@ -80943,7 +81636,7 @@ index e9c6ac7..58348f4 100644
source security/keys/Kconfig
config SECURITY_DMESG_RESTRICT
-@@ -103,7 +985,7 @@ config INTEL_TXT
+@@ -103,7 +982,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
@@ -88819,7 +89512,7 @@ index af0f22f..9a7d479 100644
break;
}
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 44ee712..7da730b 100644
+index 44ee712..a01c4b8 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -75,7 +75,7 @@ LIST_HEAD(vm_list);
@@ -88831,6 +89524,15 @@ index 44ee712..7da730b 100644
struct kmem_cache *kvm_vcpu_cache;
EXPORT_SYMBOL_GPL(kvm_vcpu_cache);
+@@ -703,7 +703,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
+ /* We can read the guest memory with __xxx_user() later on. */
+ if (user_alloc &&
+ ((mem->userspace_addr & (PAGE_SIZE - 1)) ||
+- !access_ok(VERIFY_WRITE,
++ !__access_ok(VERIFY_WRITE,
+ (void __user *)(unsigned long)mem->userspace_addr,
+ mem->memory_size)))
+ goto out;
@@ -2291,7 +2291,7 @@ static void hardware_enable_nolock(void *junk)
if (r) {
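Review bot: The swap from `access_ok` to `__access_ok` in __kvm_set_memory_region is unexplained in the hunk, and the difference between the two is defined elsewhere in the patch. The same commit drops the Kconfig help text about a KERNEXEC and KVM/VMX regression, so this may be the related fix, but that is an inference from the page. A comment above the call stating which part of `access_ok` has to be skipped for a memslot range, and why the plain range check still covers `userspace_addr` and `memory_size`, would let a reviewer confirm the validation was not weakened.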