diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2017-02-19 18:06:52 -0500 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2017-02-19 18:06:52 -0500 |
| commit | 6e301f34686a1ec00db06b41657207a49403ea2e (patch) | |
| tree | 6ad8b2d676e144c13ec0020f3212f1fc749d1bd9 | |
| parent | grsecurity-3.1-4.9.10-201702162016 (diff) | |
| download | hardened-patchset-20170218.tar.gz hardened-patchset-20170218.tar.bz2 hardened-patchset-20170218.zip | |
grsecurity-3.1-4.9.11-20170218144420170218
| -rw-r--r-- | 4.9.11/0000_README (renamed from 4.9.10/0000_README) | 6 | ||||
| -rw-r--r-- | 4.9.11/1009_linux-4.9.10.patch (renamed from 4.9.10/1009_linux-4.9.10.patch) | 0 | ||||
| -rw-r--r-- | 4.9.11/1010_linux-4.9.11.patch | 1893 | ||||
| -rw-r--r-- | 4.9.11/4420_grsecurity-3.1-4.9.11-201702181444.patch (renamed from 4.9.10/4420_grsecurity-3.1-4.9.10-201702162016.patch) | 143 | ||||
| -rw-r--r-- | 4.9.11/4425_grsec_remove_EI_PAX.patch (renamed from 4.9.10/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
| -rw-r--r-- | 4.9.11/4426_default_XATTR_PAX_FLAGS.patch (renamed from 4.9.10/4426_default_XATTR_PAX_FLAGS.patch) | 0 | ||||
| -rw-r--r-- | 4.9.11/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.9.10/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
| -rw-r--r-- | 4.9.11/4430_grsec-remove-localversion-grsec.patch (renamed from 4.9.10/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 4.9.11/4435_grsec-mute-warnings.patch (renamed from 4.9.10/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 4.9.11/4440_grsec-remove-protected-paths.patch (renamed from 4.9.10/4440_grsec-remove-protected-paths.patch) | 0 | ||||
| -rw-r--r-- | 4.9.11/4450_grsec-kconfig-default-gids.patch (renamed from 4.9.10/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
| -rw-r--r-- | 4.9.11/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.9.10/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
| -rw-r--r-- | 4.9.11/4470_disable-compat_vdso.patch (renamed from 4.9.10/4470_disable-compat_vdso.patch) | 0 | ||||
| -rw-r--r-- | 4.9.11/4475_emutramp_default_on.patch (renamed from 4.9.10/4475_emutramp_default_on.patch) | 0 |
14 files changed, 1970 insertions, 72 deletions
diff --git a/4.9.10/0000_README b/4.9.11/0000_README index 3bc6d08..27a4c3e 100644 --- a/4.9.10/0000_README +++ b/4.9.11/0000_README @@ -6,7 +6,11 @@ Patch: 1009_linux-4.9.10.patch From: http://www.kernel.org Desc: Linux 4.9.10 -Patch: 4420_grsecurity-3.1-4.9.10-201702162016.patch +Patch: 1010_linux-4.9.11.patch +From: http://www.kernel.org +Desc: Linux 4.9.11 + +Patch: 4420_grsecurity-3.1-4.9.11-201702181444.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.9.10/1009_linux-4.9.10.patch b/4.9.11/1009_linux-4.9.10.patch index 1767b59..1767b59 100644 --- a/4.9.10/1009_linux-4.9.10.patch +++ b/4.9.11/1009_linux-4.9.10.patch diff --git a/4.9.11/1010_linux-4.9.11.patch b/4.9.11/1010_linux-4.9.11.patch new file mode 100644 index 0000000..59eb5c7 --- /dev/null +++ b/4.9.11/1010_linux-4.9.11.patch @@ -0,0 +1,1893 @@ +diff --git a/Makefile b/Makefile +index d2fe757..18b0c5a 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 9 +-SUBLEVEL = 10 ++SUBLEVEL = 11 + EXTRAVERSION = + NAME = Roaring Lionus + +diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c +index ebb4e95..96d80df 100644 +--- a/arch/x86/kernel/fpu/core.c ++++ b/arch/x86/kernel/fpu/core.c +@@ -236,7 +236,8 @@ void fpstate_init(union fpregs_state *state) + * it will #GP. Make sure it is replaced after the memset(). + */ + if (static_cpu_has(X86_FEATURE_XSAVES)) +- state->xsave.header.xcomp_bv = XCOMP_BV_COMPACTED_FORMAT; ++ state->xsave.header.xcomp_bv = XCOMP_BV_COMPACTED_FORMAT | ++ xfeatures_mask; + + if (static_cpu_has(X86_FEATURE_FXSR)) + fpstate_init_fxstate(&state->fxsave); +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c b/drivers/net/ethernet/mellanox/mlx4/en_rx.c +index f2e8bed..4d3ddc2 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c +@@ -507,8 +507,11 @@ void mlx4_en_recover_from_oom(struct mlx4_en_priv *priv) + return; + + for (ring = 0; ring < priv->rx_ring_num; ring++) { +- if (mlx4_en_is_ring_empty(priv->rx_ring[ring])) ++ if (mlx4_en_is_ring_empty(priv->rx_ring[ring])) { ++ local_bh_disable(); + napi_reschedule(&priv->rx_cq[ring]->napi); ++ local_bh_enable(); ++ } + } + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index 71382df..81d8e3b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -765,7 +765,8 @@ void mlx5e_disable_vlan_filter(struct mlx5e_priv *priv); + int mlx5e_modify_rqs_vsd(struct mlx5e_priv *priv, bool vsd); + + int mlx5e_redirect_rqt(struct mlx5e_priv *priv, u32 rqtn, int sz, int ix); +-void mlx5e_build_tir_ctx_hash(void *tirc, struct mlx5e_priv *priv); ++void mlx5e_build_indir_tir_ctx_hash(struct mlx5e_priv *priv, void *tirc, ++ enum mlx5e_traffic_types tt); + + int mlx5e_open_locked(struct net_device *netdev); + int mlx5e_close_locked(struct net_device *netdev); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index 51c6a57..126cfeb 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -975,15 +975,18 @@ static int mlx5e_get_rxfh(struct net_device *netdev, u32 *indir, u8 *key, + + static void mlx5e_modify_tirs_hash(struct mlx5e_priv *priv, void *in, int inlen) + { +- struct mlx5_core_dev *mdev = priv->mdev; + void *tirc = MLX5_ADDR_OF(modify_tir_in, in, ctx); +- int i; ++ struct mlx5_core_dev *mdev = priv->mdev; ++ int ctxlen = MLX5_ST_SZ_BYTES(tirc); ++ int tt; + + MLX5_SET(modify_tir_in, in, bitmask.hash, 1); +- mlx5e_build_tir_ctx_hash(tirc, priv); + +- for (i = 0; i < MLX5E_NUM_INDIR_TIRS; i++) +- mlx5_core_modify_tir(mdev, priv->indir_tir[i].tirn, in, inlen); ++ for (tt = 0; tt < MLX5E_NUM_INDIR_TIRS; tt++) { ++ memset(tirc, 0, ctxlen); ++ mlx5e_build_indir_tir_ctx_hash(priv, tirc, tt); ++ mlx5_core_modify_tir(mdev, priv->indir_tir[tt].tirn, in, inlen); ++ } + } + + static int mlx5e_set_rxfh(struct net_device *dev, const u32 *indir, +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 5dc3e24..b3067137 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -1978,8 +1978,23 @@ static void mlx5e_build_tir_ctx_lro(void *tirc, struct mlx5e_priv *priv) + MLX5_SET(tirc, tirc, lro_timeout_period_usecs, priv->params.lro_timeout); + } + +-void mlx5e_build_tir_ctx_hash(void *tirc, struct mlx5e_priv *priv) ++void mlx5e_build_indir_tir_ctx_hash(struct mlx5e_priv *priv, void *tirc, ++ enum mlx5e_traffic_types tt) + { ++ void *hfso = MLX5_ADDR_OF(tirc, tirc, rx_hash_field_selector_outer); ++ ++#define MLX5_HASH_IP (MLX5_HASH_FIELD_SEL_SRC_IP |\ ++ MLX5_HASH_FIELD_SEL_DST_IP) ++ ++#define MLX5_HASH_IP_L4PORTS (MLX5_HASH_FIELD_SEL_SRC_IP |\ ++ MLX5_HASH_FIELD_SEL_DST_IP |\ ++ MLX5_HASH_FIELD_SEL_L4_SPORT |\ ++ MLX5_HASH_FIELD_SEL_L4_DPORT) ++ ++#define MLX5_HASH_IP_IPSEC_SPI (MLX5_HASH_FIELD_SEL_SRC_IP |\ ++ MLX5_HASH_FIELD_SEL_DST_IP |\ ++ MLX5_HASH_FIELD_SEL_IPSEC_SPI) ++ + MLX5_SET(tirc, tirc, rx_hash_fn, + mlx5e_rx_hash_fn(priv->params.rss_hfunc)); + if (priv->params.rss_hfunc == ETH_RSS_HASH_TOP) { +@@ -1991,6 +2006,88 @@ void mlx5e_build_tir_ctx_hash(void *tirc, struct mlx5e_priv *priv) + MLX5_SET(tirc, tirc, rx_hash_symmetric, 1); + memcpy(rss_key, priv->params.toeplitz_hash_key, len); + } ++ ++ switch (tt) { ++ case MLX5E_TT_IPV4_TCP: ++ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, ++ MLX5_L3_PROT_TYPE_IPV4); ++ MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, ++ MLX5_L4_PROT_TYPE_TCP); ++ MLX5_SET(rx_hash_field_select, hfso, selected_fields, ++ MLX5_HASH_IP_L4PORTS); ++ break; ++ ++ case MLX5E_TT_IPV6_TCP: ++ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, ++ MLX5_L3_PROT_TYPE_IPV6); ++ MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, ++ MLX5_L4_PROT_TYPE_TCP); ++ MLX5_SET(rx_hash_field_select, hfso, selected_fields, ++ MLX5_HASH_IP_L4PORTS); ++ break; ++ ++ case MLX5E_TT_IPV4_UDP: ++ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, ++ MLX5_L3_PROT_TYPE_IPV4); ++ MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, ++ MLX5_L4_PROT_TYPE_UDP); ++ MLX5_SET(rx_hash_field_select, hfso, selected_fields, ++ MLX5_HASH_IP_L4PORTS); ++ break; ++ ++ case MLX5E_TT_IPV6_UDP: ++ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, ++ MLX5_L3_PROT_TYPE_IPV6); ++ MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, ++ MLX5_L4_PROT_TYPE_UDP); ++ MLX5_SET(rx_hash_field_select, hfso, selected_fields, ++ MLX5_HASH_IP_L4PORTS); ++ break; ++ ++ case MLX5E_TT_IPV4_IPSEC_AH: ++ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, ++ MLX5_L3_PROT_TYPE_IPV4); ++ MLX5_SET(rx_hash_field_select, hfso, selected_fields, ++ MLX5_HASH_IP_IPSEC_SPI); ++ break; ++ ++ case MLX5E_TT_IPV6_IPSEC_AH: ++ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, ++ MLX5_L3_PROT_TYPE_IPV6); ++ MLX5_SET(rx_hash_field_select, hfso, selected_fields, ++ MLX5_HASH_IP_IPSEC_SPI); ++ break; ++ ++ case MLX5E_TT_IPV4_IPSEC_ESP: ++ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, ++ MLX5_L3_PROT_TYPE_IPV4); ++ MLX5_SET(rx_hash_field_select, hfso, selected_fields, ++ MLX5_HASH_IP_IPSEC_SPI); ++ break; ++ ++ case MLX5E_TT_IPV6_IPSEC_ESP: ++ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, ++ MLX5_L3_PROT_TYPE_IPV6); ++ MLX5_SET(rx_hash_field_select, hfso, selected_fields, ++ MLX5_HASH_IP_IPSEC_SPI); ++ break; ++ ++ case MLX5E_TT_IPV4: ++ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, ++ MLX5_L3_PROT_TYPE_IPV4); ++ MLX5_SET(rx_hash_field_select, hfso, selected_fields, ++ MLX5_HASH_IP); ++ break; ++ ++ case MLX5E_TT_IPV6: ++ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, ++ MLX5_L3_PROT_TYPE_IPV6); ++ MLX5_SET(rx_hash_field_select, hfso, selected_fields, ++ MLX5_HASH_IP); ++ break; ++ default: ++ WARN_ONCE(true, "%s: bad traffic type!\n", __func__); ++ } + } + + static int mlx5e_modify_tirs_lro(struct mlx5e_priv *priv) +@@ -2360,110 +2457,13 @@ void mlx5e_cleanup_nic_tx(struct mlx5e_priv *priv) + static void mlx5e_build_indir_tir_ctx(struct mlx5e_priv *priv, u32 *tirc, + enum mlx5e_traffic_types tt) + { +- void *hfso = MLX5_ADDR_OF(tirc, tirc, rx_hash_field_selector_outer); +- + MLX5_SET(tirc, tirc, transport_domain, priv->mdev->mlx5e_res.td.tdn); + +-#define MLX5_HASH_IP (MLX5_HASH_FIELD_SEL_SRC_IP |\ +- MLX5_HASH_FIELD_SEL_DST_IP) +- +-#define MLX5_HASH_IP_L4PORTS (MLX5_HASH_FIELD_SEL_SRC_IP |\ +- MLX5_HASH_FIELD_SEL_DST_IP |\ +- MLX5_HASH_FIELD_SEL_L4_SPORT |\ +- MLX5_HASH_FIELD_SEL_L4_DPORT) +- +-#define MLX5_HASH_IP_IPSEC_SPI (MLX5_HASH_FIELD_SEL_SRC_IP |\ +- MLX5_HASH_FIELD_SEL_DST_IP |\ +- MLX5_HASH_FIELD_SEL_IPSEC_SPI) +- + mlx5e_build_tir_ctx_lro(tirc, priv); + + MLX5_SET(tirc, tirc, disp_type, MLX5_TIRC_DISP_TYPE_INDIRECT); + MLX5_SET(tirc, tirc, indirect_table, priv->indir_rqt.rqtn); +- mlx5e_build_tir_ctx_hash(tirc, priv); +- +- switch (tt) { +- case MLX5E_TT_IPV4_TCP: +- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, +- MLX5_L3_PROT_TYPE_IPV4); +- MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, +- MLX5_L4_PROT_TYPE_TCP); +- MLX5_SET(rx_hash_field_select, hfso, selected_fields, +- MLX5_HASH_IP_L4PORTS); +- break; +- +- case MLX5E_TT_IPV6_TCP: +- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, +- MLX5_L3_PROT_TYPE_IPV6); +- MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, +- MLX5_L4_PROT_TYPE_TCP); +- MLX5_SET(rx_hash_field_select, hfso, selected_fields, +- MLX5_HASH_IP_L4PORTS); +- break; +- +- case MLX5E_TT_IPV4_UDP: +- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, +- MLX5_L3_PROT_TYPE_IPV4); +- MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, +- MLX5_L4_PROT_TYPE_UDP); +- MLX5_SET(rx_hash_field_select, hfso, selected_fields, +- MLX5_HASH_IP_L4PORTS); +- break; +- +- case MLX5E_TT_IPV6_UDP: +- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, +- MLX5_L3_PROT_TYPE_IPV6); +- MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, +- MLX5_L4_PROT_TYPE_UDP); +- MLX5_SET(rx_hash_field_select, hfso, selected_fields, +- MLX5_HASH_IP_L4PORTS); +- break; +- +- case MLX5E_TT_IPV4_IPSEC_AH: +- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, +- MLX5_L3_PROT_TYPE_IPV4); +- MLX5_SET(rx_hash_field_select, hfso, selected_fields, +- MLX5_HASH_IP_IPSEC_SPI); +- break; +- +- case MLX5E_TT_IPV6_IPSEC_AH: +- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, +- MLX5_L3_PROT_TYPE_IPV6); +- MLX5_SET(rx_hash_field_select, hfso, selected_fields, +- MLX5_HASH_IP_IPSEC_SPI); +- break; +- +- case MLX5E_TT_IPV4_IPSEC_ESP: +- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, +- MLX5_L3_PROT_TYPE_IPV4); +- MLX5_SET(rx_hash_field_select, hfso, selected_fields, +- MLX5_HASH_IP_IPSEC_SPI); +- break; +- +- case MLX5E_TT_IPV6_IPSEC_ESP: +- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, +- MLX5_L3_PROT_TYPE_IPV6); +- MLX5_SET(rx_hash_field_select, hfso, selected_fields, +- MLX5_HASH_IP_IPSEC_SPI); +- break; +- +- case MLX5E_TT_IPV4: +- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, +- MLX5_L3_PROT_TYPE_IPV4); +- MLX5_SET(rx_hash_field_select, hfso, selected_fields, +- MLX5_HASH_IP); +- break; +- +- case MLX5E_TT_IPV6: +- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, +- MLX5_L3_PROT_TYPE_IPV6); +- MLX5_SET(rx_hash_field_select, hfso, selected_fields, +- MLX5_HASH_IP); +- break; +- default: +- WARN_ONCE(true, +- "mlx5e_build_indir_tir_ctx: bad traffic type!\n"); +- } ++ mlx5e_build_indir_tir_ctx_hash(priv, tirc, tt); + } + + static void mlx5e_build_direct_tir_ctx(struct mlx5e_priv *priv, u32 *tirc, +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 914e546..7e20e4b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -1110,9 +1110,8 @@ static struct mlx5_flow_rule *add_rule_fg(struct mlx5_flow_group *fg, + return rule; + } + rule = add_rule_fte(fte, fg, dest); +- unlock_ref_node(&fte->node); + if (IS_ERR(rule)) +- goto unlock_fg; ++ goto unlock_fte; + else + goto add_rule; + } +@@ -1130,6 +1129,7 @@ static struct mlx5_flow_rule *add_rule_fg(struct mlx5_flow_group *fg, + goto unlock_fg; + } + tree_init_node(&fte->node, 0, del_fte); ++ nested_lock_ref_node(&fte->node, FS_MUTEX_CHILD); + rule = add_rule_fte(fte, fg, dest); + if (IS_ERR(rule)) { + kfree(fte); +@@ -1142,6 +1142,8 @@ static struct mlx5_flow_rule *add_rule_fg(struct mlx5_flow_group *fg, + list_add(&fte->node.list, prev); + add_rule: + tree_add_node(&rule->node, &fte->node); ++unlock_fte: ++ unlock_ref_node(&fte->node); + unlock_fg: + unlock_ref_node(&fg->node); + return rule; +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +index 7df4ff1..7d19029 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +@@ -305,8 +305,12 @@ static int dwmac1000_irq_status(struct mac_device_info *hw, + { + void __iomem *ioaddr = hw->pcsr; + u32 intr_status = readl(ioaddr + GMAC_INT_STATUS); ++ u32 intr_mask = readl(ioaddr + GMAC_INT_MASK); + int ret = 0; + ++ /* Discard masked bits */ ++ intr_status &= ~intr_mask; ++ + /* Not used events (e.g. MMC interrupts) are not handled. */ + if ((intr_status & GMAC_INT_STATUS_MMCTIS)) + x->mmc_tx_irq_n++; +diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c +index 6255973..1b65f0f 100644 +--- a/drivers/net/loopback.c ++++ b/drivers/net/loopback.c +@@ -164,6 +164,7 @@ static void loopback_setup(struct net_device *dev) + { + dev->mtu = 64 * 1024; + dev->hard_header_len = ETH_HLEN; /* 14 */ ++ dev->min_header_len = ETH_HLEN; /* 14 */ + dev->addr_len = ETH_ALEN; /* 6 */ + dev->type = ARPHRD_LOOPBACK; /* 0x0001*/ + dev->flags = IFF_LOOPBACK; +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c +index 6f38daf..adea6f5 100644 +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -682,7 +682,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, + ssize_t n; + + if (q->flags & IFF_VNET_HDR) { +- vnet_hdr_len = q->vnet_hdr_sz; ++ vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz); + + err = -EINVAL; + if (len < vnet_hdr_len) +@@ -822,7 +822,7 @@ static ssize_t macvtap_put_user(struct macvtap_queue *q, + + if (q->flags & IFF_VNET_HDR) { + struct virtio_net_hdr vnet_hdr; +- vnet_hdr_len = q->vnet_hdr_sz; ++ vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz); + if (iov_iter_count(iter) < vnet_hdr_len) + return -EINVAL; + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 18402d7..b31aca8 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1187,9 +1187,11 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + } + + if (tun->flags & IFF_VNET_HDR) { +- if (len < tun->vnet_hdr_sz) ++ int vnet_hdr_sz = READ_ONCE(tun->vnet_hdr_sz); ++ ++ if (len < vnet_hdr_sz) + return -EINVAL; +- len -= tun->vnet_hdr_sz; ++ len -= vnet_hdr_sz; + + n = copy_from_iter(&gso, sizeof(gso), from); + if (n != sizeof(gso)) +@@ -1201,7 +1203,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + + if (tun16_to_cpu(tun, gso.hdr_len) > len) + return -EINVAL; +- iov_iter_advance(from, tun->vnet_hdr_sz - sizeof(gso)); ++ iov_iter_advance(from, vnet_hdr_sz - sizeof(gso)); + } + + if ((tun->flags & TUN_TYPE_MASK) == IFF_TAP) { +@@ -1348,7 +1350,7 @@ static ssize_t tun_put_user(struct tun_struct *tun, + vlan_hlen = VLAN_HLEN; + + if (tun->flags & IFF_VNET_HDR) +- vnet_hdr_sz = tun->vnet_hdr_sz; ++ vnet_hdr_sz = READ_ONCE(tun->vnet_hdr_sz); + + total = skb->len + vlan_hlen + vnet_hdr_sz; + +diff --git a/drivers/net/usb/catc.c b/drivers/net/usb/catc.c +index d9ca05d..4086415 100644 +--- a/drivers/net/usb/catc.c ++++ b/drivers/net/usb/catc.c +@@ -777,7 +777,7 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id + struct net_device *netdev; + struct catc *catc; + u8 broadcast[ETH_ALEN]; +- int i, pktsz; ++ int pktsz, ret; + + if (usb_set_interface(usbdev, + intf->altsetting->desc.bInterfaceNumber, 1)) { +@@ -812,12 +812,8 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id + if ((!catc->ctrl_urb) || (!catc->tx_urb) || + (!catc->rx_urb) || (!catc->irq_urb)) { + dev_err(&intf->dev, "No free urbs available.\n"); +- usb_free_urb(catc->ctrl_urb); +- usb_free_urb(catc->tx_urb); +- usb_free_urb(catc->rx_urb); +- usb_free_urb(catc->irq_urb); +- free_netdev(netdev); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto fail_free; + } + + /* The F5U011 has the same vendor/product as the netmate but a device version of 0x130 */ +@@ -845,15 +841,24 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id + catc->irq_buf, 2, catc_irq_done, catc, 1); + + if (!catc->is_f5u011) { ++ u32 *buf; ++ int i; ++ + dev_dbg(dev, "Checking memory size\n"); + +- i = 0x12345678; +- catc_write_mem(catc, 0x7a80, &i, 4); +- i = 0x87654321; +- catc_write_mem(catc, 0xfa80, &i, 4); +- catc_read_mem(catc, 0x7a80, &i, 4); ++ buf = kmalloc(4, GFP_KERNEL); ++ if (!buf) { ++ ret = -ENOMEM; ++ goto fail_free; ++ } ++ ++ *buf = 0x12345678; ++ catc_write_mem(catc, 0x7a80, buf, 4); ++ *buf = 0x87654321; ++ catc_write_mem(catc, 0xfa80, buf, 4); ++ catc_read_mem(catc, 0x7a80, buf, 4); + +- switch (i) { ++ switch (*buf) { + case 0x12345678: + catc_set_reg(catc, TxBufCount, 8); + catc_set_reg(catc, RxBufCount, 32); +@@ -868,6 +873,8 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id + dev_dbg(dev, "32k Memory\n"); + break; + } ++ ++ kfree(buf); + + dev_dbg(dev, "Getting MAC from SEEROM.\n"); + +@@ -914,16 +921,21 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id + usb_set_intfdata(intf, catc); + + SET_NETDEV_DEV(netdev, &intf->dev); +- if (register_netdev(netdev) != 0) { +- usb_set_intfdata(intf, NULL); +- usb_free_urb(catc->ctrl_urb); +- usb_free_urb(catc->tx_urb); +- usb_free_urb(catc->rx_urb); +- usb_free_urb(catc->irq_urb); +- free_netdev(netdev); +- return -EIO; +- } ++ ret = register_netdev(netdev); ++ if (ret) ++ goto fail_clear_intfdata; ++ + return 0; ++ ++fail_clear_intfdata: ++ usb_set_intfdata(intf, NULL); ++fail_free: ++ usb_free_urb(catc->ctrl_urb); ++ usb_free_urb(catc->tx_urb); ++ usb_free_urb(catc->rx_urb); ++ usb_free_urb(catc->irq_urb); ++ free_netdev(netdev); ++ return ret; + } + + static void catc_disconnect(struct usb_interface *intf) +diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c +index 1434e5d..ee40ac2 100644 +--- a/drivers/net/usb/pegasus.c ++++ b/drivers/net/usb/pegasus.c +@@ -126,40 +126,61 @@ static void async_ctrl_callback(struct urb *urb) + + static int get_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data) + { ++ u8 *buf; + int ret; + ++ buf = kmalloc(size, GFP_NOIO); ++ if (!buf) ++ return -ENOMEM; ++ + ret = usb_control_msg(pegasus->usb, usb_rcvctrlpipe(pegasus->usb, 0), + PEGASUS_REQ_GET_REGS, PEGASUS_REQT_READ, 0, +- indx, data, size, 1000); ++ indx, buf, size, 1000); + if (ret < 0) + netif_dbg(pegasus, drv, pegasus->net, + "%s returned %d\n", __func__, ret); ++ else if (ret <= size) ++ memcpy(data, buf, ret); ++ kfree(buf); + return ret; + } + +-static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data) ++static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size, ++ const void *data) + { ++ u8 *buf; + int ret; + ++ buf = kmemdup(data, size, GFP_NOIO); ++ if (!buf) ++ return -ENOMEM; ++ + ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0), + PEGASUS_REQ_SET_REGS, PEGASUS_REQT_WRITE, 0, +- indx, data, size, 100); ++ indx, buf, size, 100); + if (ret < 0) + netif_dbg(pegasus, drv, pegasus->net, + "%s returned %d\n", __func__, ret); ++ kfree(buf); + return ret; + } + + static int set_register(pegasus_t *pegasus, __u16 indx, __u8 data) + { ++ u8 *buf; + int ret; + ++ buf = kmemdup(&data, 1, GFP_NOIO); ++ if (!buf) ++ return -ENOMEM; ++ + ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0), + PEGASUS_REQ_SET_REG, PEGASUS_REQT_WRITE, data, +- indx, &data, 1, 1000); ++ indx, buf, 1, 1000); + if (ret < 0) + netif_dbg(pegasus, drv, pegasus->net, + "%s returned %d\n", __func__, ret); ++ kfree(buf); + return ret; + } + +diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c +index 7c72bfa..dc4f7ea 100644 +--- a/drivers/net/usb/rtl8150.c ++++ b/drivers/net/usb/rtl8150.c +@@ -155,16 +155,36 @@ static const char driver_name [] = "rtl8150"; + */ + static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data) + { +- return usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0), +- RTL8150_REQ_GET_REGS, RTL8150_REQT_READ, +- indx, 0, data, size, 500); ++ void *buf; ++ int ret; ++ ++ buf = kmalloc(size, GFP_NOIO); ++ if (!buf) ++ return -ENOMEM; ++ ++ ret = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0), ++ RTL8150_REQ_GET_REGS, RTL8150_REQT_READ, ++ indx, 0, buf, size, 500); ++ if (ret > 0 && ret <= size) ++ memcpy(data, buf, ret); ++ kfree(buf); ++ return ret; + } + +-static int set_registers(rtl8150_t * dev, u16 indx, u16 size, void *data) ++static int set_registers(rtl8150_t * dev, u16 indx, u16 size, const void *data) + { +- return usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0), +- RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE, +- indx, 0, data, size, 500); ++ void *buf; ++ int ret; ++ ++ buf = kmemdup(data, size, GFP_NOIO); ++ if (!buf) ++ return -ENOMEM; ++ ++ ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0), ++ RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE, ++ indx, 0, buf, size, 500); ++ kfree(buf); ++ return ret; + } + + static void async_set_reg_cb(struct urb *urb) +diff --git a/include/linux/can/core.h b/include/linux/can/core.h +index a087500..df08a41 100644 +--- a/include/linux/can/core.h ++++ b/include/linux/can/core.h +@@ -45,10 +45,9 @@ struct can_proto { + extern int can_proto_register(const struct can_proto *cp); + extern void can_proto_unregister(const struct can_proto *cp); + +-extern int can_rx_register(struct net_device *dev, canid_t can_id, +- canid_t mask, +- void (*func)(struct sk_buff *, void *), +- void *data, char *ident); ++int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask, ++ void (*func)(struct sk_buff *, void *), ++ void *data, char *ident, struct sock *sk); + + extern void can_rx_unregister(struct net_device *dev, canid_t can_id, + canid_t mask, +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index d83590e..bb9b102 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -1508,6 +1508,7 @@ enum netdev_priv_flags { + * @mtu: Interface MTU value + * @type: Interface hardware type + * @hard_header_len: Maximum hardware header length. ++ * @min_header_len: Minimum hardware header length + * + * @needed_headroom: Extra headroom the hardware may need, but not in all + * cases can this be guaranteed +@@ -1728,6 +1729,7 @@ struct net_device { + unsigned int mtu; + unsigned short type; + unsigned short hard_header_len; ++ unsigned short min_header_len; + + unsigned short needed_headroom; + unsigned short needed_tailroom; +@@ -2783,6 +2785,8 @@ static inline bool dev_validate_header(const struct net_device *dev, + { + if (likely(len >= dev->hard_header_len)) + return true; ++ if (len < dev->min_header_len) ++ return false; + + if (capable(CAP_SYS_RAWIO)) { + memset(ll_header + len, 0, dev->hard_header_len - len); +diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h +index 3ebb168..a34b141 100644 +--- a/include/net/cipso_ipv4.h ++++ b/include/net/cipso_ipv4.h +@@ -309,6 +309,10 @@ static inline int cipso_v4_validate(const struct sk_buff *skb, + } + + for (opt_iter = 6; opt_iter < opt_len;) { ++ if (opt_iter + 1 == opt_len) { ++ err_offset = opt_iter; ++ goto out; ++ } + tag_len = opt[opt_iter + 1]; + if ((tag_len == 0) || (tag_len > (opt_len - opt_iter))) { + err_offset = opt_iter + 1; +diff --git a/include/net/ipv6.h b/include/net/ipv6.h +index f11ca83..7f15f95 100644 +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -871,7 +871,7 @@ int ip6_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb); + * upper-layer output functions + */ + int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, +- struct ipv6_txoptions *opt, int tclass); ++ __u32 mark, struct ipv6_txoptions *opt, int tclass); + + int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr); + +diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h +index fc7c0db..3f40132 100644 +--- a/include/net/lwtunnel.h ++++ b/include/net/lwtunnel.h +@@ -176,7 +176,10 @@ static inline int lwtunnel_valid_encap_type(u16 encap_type) + } + static inline int lwtunnel_valid_encap_type_attr(struct nlattr *attr, int len) + { +- return -EOPNOTSUPP; ++ /* return 0 since we are not walking attr looking for ++ * RTA_ENCAP_TYPE attribute on nexthops. ++ */ ++ return 0; + } + + static inline int lwtunnel_build_state(struct net_device *dev, u16 encap_type, +diff --git a/net/can/af_can.c b/net/can/af_can.c +index 1108079..5488e4a 100644 +--- a/net/can/af_can.c ++++ b/net/can/af_can.c +@@ -445,6 +445,7 @@ static struct hlist_head *find_rcv_list(canid_t *can_id, canid_t *mask, + * @func: callback function on filter match + * @data: returned parameter for callback function + * @ident: string for calling module identification ++ * @sk: socket pointer (might be NULL) + * + * Description: + * Invokes the callback function with the received sk_buff and the given +@@ -468,7 +469,7 @@ static struct hlist_head *find_rcv_list(canid_t *can_id, canid_t *mask, + */ + int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask, + void (*func)(struct sk_buff *, void *), void *data, +- char *ident) ++ char *ident, struct sock *sk) + { + struct receiver *r; + struct hlist_head *rl; +@@ -496,6 +497,7 @@ int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask, + r->func = func; + r->data = data; + r->ident = ident; ++ r->sk = sk; + + hlist_add_head_rcu(&r->list, rl); + d->entries++; +@@ -520,8 +522,11 @@ EXPORT_SYMBOL(can_rx_register); + static void can_rx_delete_receiver(struct rcu_head *rp) + { + struct receiver *r = container_of(rp, struct receiver, rcu); ++ struct sock *sk = r->sk; + + kmem_cache_free(rcv_cache, r); ++ if (sk) ++ sock_put(sk); + } + + /** +@@ -596,8 +601,11 @@ void can_rx_unregister(struct net_device *dev, canid_t can_id, canid_t mask, + spin_unlock(&can_rcvlists_lock); + + /* schedule the receiver item for deletion */ +- if (r) ++ if (r) { ++ if (r->sk) ++ sock_hold(r->sk); + call_rcu(&r->rcu, can_rx_delete_receiver); ++ } + } + EXPORT_SYMBOL(can_rx_unregister); + +diff --git a/net/can/af_can.h b/net/can/af_can.h +index fca0fe9..b86f512 100644 +--- a/net/can/af_can.h ++++ b/net/can/af_can.h +@@ -50,13 +50,14 @@ + + struct receiver { + struct hlist_node list; +- struct rcu_head rcu; + canid_t can_id; + canid_t mask; + unsigned long matches; + void (*func)(struct sk_buff *, void *); + void *data; + char *ident; ++ struct sock *sk; ++ struct rcu_head rcu; + }; + + #define CAN_SFF_RCV_ARRAY_SZ (1 << CAN_SFF_ID_BITS) +diff --git a/net/can/bcm.c b/net/can/bcm.c +index 5e9ed5e..e4f694d 100644 +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -1225,7 +1225,7 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, + err = can_rx_register(dev, op->can_id, + REGMASK(op->can_id), + bcm_rx_handler, op, +- "bcm"); ++ "bcm", sk); + + op->rx_reg_dev = dev; + dev_put(dev); +@@ -1234,7 +1234,7 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, + } else + err = can_rx_register(NULL, op->can_id, + REGMASK(op->can_id), +- bcm_rx_handler, op, "bcm"); ++ bcm_rx_handler, op, "bcm", sk); + if (err) { + /* this bcm rx op is broken -> remove it */ + list_del(&op->list); +diff --git a/net/can/gw.c b/net/can/gw.c +index 4551687..77c8af4 100644 +--- a/net/can/gw.c ++++ b/net/can/gw.c +@@ -442,7 +442,7 @@ static inline int cgw_register_filter(struct cgw_job *gwj) + { + return can_rx_register(gwj->src.dev, gwj->ccgw.filter.can_id, + gwj->ccgw.filter.can_mask, can_can_gw_rcv, +- gwj, "gw"); ++ gwj, "gw", NULL); + } + + static inline void cgw_unregister_filter(struct cgw_job *gwj) +diff --git a/net/can/raw.c b/net/can/raw.c +index b075f02..6dc546a 100644 +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -190,7 +190,7 @@ static int raw_enable_filters(struct net_device *dev, struct sock *sk, + for (i = 0; i < count; i++) { + err = can_rx_register(dev, filter[i].can_id, + filter[i].can_mask, +- raw_rcv, sk, "raw"); ++ raw_rcv, sk, "raw", sk); + if (err) { + /* clean up successfully registered filters */ + while (--i >= 0) +@@ -211,7 +211,7 @@ static int raw_enable_errfilter(struct net_device *dev, struct sock *sk, + + if (err_mask) + err = can_rx_register(dev, 0, err_mask | CAN_ERR_FLAG, +- raw_rcv, sk, "raw"); ++ raw_rcv, sk, "raw", sk); + + return err; + } +diff --git a/net/core/dev.c b/net/core/dev.c +index df51c50..60b0a604 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1696,24 +1696,19 @@ EXPORT_SYMBOL_GPL(net_dec_egress_queue); + + static struct static_key netstamp_needed __read_mostly; + #ifdef HAVE_JUMP_LABEL +-/* We are not allowed to call static_key_slow_dec() from irq context +- * If net_disable_timestamp() is called from irq context, defer the +- * static_key_slow_dec() calls. +- */ + static atomic_t netstamp_needed_deferred; +-#endif +- +-void net_enable_timestamp(void) ++static void netstamp_clear(struct work_struct *work) + { +-#ifdef HAVE_JUMP_LABEL + int deferred = atomic_xchg(&netstamp_needed_deferred, 0); + +- if (deferred) { +- while (--deferred) +- static_key_slow_dec(&netstamp_needed); +- return; +- } ++ while (deferred--) ++ static_key_slow_dec(&netstamp_needed); ++} ++static DECLARE_WORK(netstamp_work, netstamp_clear); + #endif ++ ++void net_enable_timestamp(void) ++{ + static_key_slow_inc(&netstamp_needed); + } + EXPORT_SYMBOL(net_enable_timestamp); +@@ -1721,12 +1716,12 @@ EXPORT_SYMBOL(net_enable_timestamp); + void net_disable_timestamp(void) + { + #ifdef HAVE_JUMP_LABEL +- if (in_interrupt()) { +- atomic_inc(&netstamp_needed_deferred); +- return; +- } +-#endif ++ /* net_disable_timestamp() can be called from non process context */ ++ atomic_inc(&netstamp_needed_deferred); ++ schedule_work(&netstamp_work); ++#else + static_key_slow_dec(&netstamp_needed); ++#endif + } + EXPORT_SYMBOL(net_disable_timestamp); + +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index 715e5d1..7506c03 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -227,7 +227,7 @@ static int dccp_v6_send_response(const struct sock *sk, struct request_sock *req + opt = ireq->ipv6_opt; + if (!opt) + opt = rcu_dereference(np->opt); +- err = ip6_xmit(sk, skb, &fl6, opt, np->tclass); ++ err = ip6_xmit(sk, skb, &fl6, sk->sk_mark, opt, np->tclass); + rcu_read_unlock(); + err = net_xmit_eval(err); + } +@@ -281,7 +281,7 @@ static void dccp_v6_ctl_send_reset(const struct sock *sk, struct sk_buff *rxskb) + dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL); + if (!IS_ERR(dst)) { + skb_dst_set(skb, dst); +- ip6_xmit(ctl_sk, skb, &fl6, NULL, 0); ++ ip6_xmit(ctl_sk, skb, &fl6, 0, NULL, 0); + DCCP_INC_STATS(DCCP_MIB_OUTSEGS); + DCCP_INC_STATS(DCCP_MIB_OUTRSTS); + return; +diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c +index da38621..0f99297 100644 +--- a/net/dsa/dsa2.c ++++ b/net/dsa/dsa2.c +@@ -273,6 +273,7 @@ static int dsa_user_port_apply(struct device_node *port, u32 index, + if (err) { + dev_warn(ds->dev, "Failed to create slave %d: %d\n", + index, err); ++ ds->ports[index].netdev = NULL; + return err; + } + +diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c +index 02acfff..24d7aff 100644 +--- a/net/ethernet/eth.c ++++ b/net/ethernet/eth.c +@@ -356,6 +356,7 @@ void ether_setup(struct net_device *dev) + dev->header_ops = ð_header_ops; + dev->type = ARPHRD_ETHER; + dev->hard_header_len = ETH_HLEN; ++ dev->min_header_len = ETH_HLEN; + dev->mtu = ETH_DATA_LEN; + dev->addr_len = ETH_ALEN; + dev->tx_queue_len = 1000; /* Ethernet wants good queues */ +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c +index 72d6f05..ae20616 100644 +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -1587,6 +1587,10 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option) + goto validate_return_locked; + } + ++ if (opt_iter + 1 == opt_len) { ++ err_offset = opt_iter; ++ goto validate_return_locked; ++ } + tag_len = tag[1]; + if (tag_len > (opt_len - opt_iter)) { + err_offset = opt_iter + 1; +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index 32a08bc..1bc623d 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -1172,6 +1172,7 @@ static void igmpv3_del_delrec(struct in_device *in_dev, struct ip_mc_list *im) + psf->sf_crcount = im->crcount; + } + in_dev_put(pmc->interface); ++ kfree(pmc); + } + spin_unlock_bh(&im->lock); + } +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 877bdb0..e5c1dbe 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1606,6 +1606,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, + sk->sk_protocol = ip_hdr(skb)->protocol; + sk->sk_bound_dev_if = arg->bound_dev_if; + sk->sk_sndbuf = sysctl_wmem_default; ++ sk->sk_mark = fl4.flowi4_mark; + err = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base, + len, 0, &ipc, &rt, MSG_DONTWAIT); + if (unlikely(err)) { +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index f226f408..65336f3 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -1215,7 +1215,14 @@ void ipv4_pktinfo_prepare(const struct sock *sk, struct sk_buff *skb) + pktinfo->ipi_ifindex = 0; + pktinfo->ipi_spec_dst.s_addr = 0; + } +- skb_dst_drop(skb); ++ /* We need to keep the dst for __ip_options_echo() ++ * We could restrict the test to opt.ts_needtime || opt.srr, ++ * but the following is good enough as IP options are not often used. ++ */ ++ if (unlikely(IPCB(skb)->opt.optlen)) ++ skb_dst_force(skb); ++ else ++ skb_dst_drop(skb); + } + + int ip_setsockopt(struct sock *sk, int level, +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index 96b8e2b..105c074 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -642,6 +642,8 @@ static int ping_v4_push_pending_frames(struct sock *sk, struct pingfakehdr *pfh, + { + struct sk_buff *skb = skb_peek(&sk->sk_write_queue); + ++ if (!skb) ++ return 0; + pfh->wcheck = csum_partial((char *)&pfh->icmph, + sizeof(struct icmphdr), pfh->wcheck); + pfh->icmph.checksum = csum_fold(pfh->wcheck); +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 814af89..6a90a0e 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -772,6 +772,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos, + ret = -EAGAIN; + break; + } ++ /* if __tcp_splice_read() got nothing while we have ++ * an skb in receive queue, we do not want to loop. ++ * This might happen with URG data. ++ */ ++ if (!skb_queue_empty(&sk->sk_receive_queue)) ++ break; + sk_wait_data(sk, &timeo, NULL); + if (signal_pending(current)) { + ret = sock_intr_errno(timeo); +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 896e9df..65d6189 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2436,9 +2436,11 @@ u32 __tcp_select_window(struct sock *sk) + int full_space = min_t(int, tp->window_clamp, allowed_space); + int window; + +- if (mss > full_space) ++ if (unlikely(mss > full_space)) { + mss = full_space; +- ++ if (mss <= 0) ++ return 0; ++ } + if (free_space < (full_space >> 1)) { + icsk->icsk_ack.quick = 0; + +diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c +index 532c3ef..798a095 100644 +--- a/net/ipv6/inet6_connection_sock.c ++++ b/net/ipv6/inet6_connection_sock.c +@@ -173,7 +173,7 @@ int inet6_csk_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl_unused + /* Restore final destination back after routing done */ + fl6.daddr = sk->sk_v6_daddr; + +- res = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), ++ res = ip6_xmit(sk, skb, &fl6, sk->sk_mark, rcu_dereference(np->opt), + np->tclass); + rcu_read_unlock(); + return res; +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index d7d6d3a..0a59220 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -367,35 +367,37 @@ static void ip6gre_tunnel_uninit(struct net_device *dev) + + + static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt, +- u8 type, u8 code, int offset, __be32 info) ++ u8 type, u8 code, int offset, __be32 info) + { +- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data; +- __be16 *p = (__be16 *)(skb->data + offset); +- int grehlen = offset + 4; ++ const struct gre_base_hdr *greh; ++ const struct ipv6hdr *ipv6h; ++ int grehlen = sizeof(*greh); + struct ip6_tnl *t; ++ int key_off = 0; + __be16 flags; ++ __be32 key; + +- flags = p[0]; +- if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) { +- if (flags&(GRE_VERSION|GRE_ROUTING)) +- return; +- if (flags&GRE_KEY) { +- grehlen += 4; +- if (flags&GRE_CSUM) +- grehlen += 4; +- } ++ if (!pskb_may_pull(skb, offset + grehlen)) ++ return; ++ greh = (const struct gre_base_hdr *)(skb->data + offset); ++ flags = greh->flags; ++ if (flags & (GRE_VERSION | GRE_ROUTING)) ++ return; ++ if (flags & GRE_CSUM) ++ grehlen += 4; ++ if (flags & GRE_KEY) { ++ key_off = grehlen + offset; ++ grehlen += 4; + } + +- /* If only 8 bytes returned, keyed message will be dropped here */ +- if (!pskb_may_pull(skb, grehlen)) ++ if (!pskb_may_pull(skb, offset + grehlen)) + return; + ipv6h = (const struct ipv6hdr *)skb->data; +- p = (__be16 *)(skb->data + offset); ++ greh = (const struct gre_base_hdr *)(skb->data + offset); ++ key = key_off ? *(__be32 *)(skb->data + key_off) : 0; + + t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr, +- flags & GRE_KEY ? +- *(((__be32 *)p) + (grehlen / 4) - 1) : 0, +- p[1]); ++ key, greh->protocol); + if (!t) + return; + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 59eb4ed..9a87bfb 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -163,7 +163,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb) + * which are using proper atomic operations or spinlocks. + */ + int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, +- struct ipv6_txoptions *opt, int tclass) ++ __u32 mark, struct ipv6_txoptions *opt, int tclass) + { + struct net *net = sock_net(sk); + const struct ipv6_pinfo *np = inet6_sk(sk); +@@ -230,7 +230,7 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, + + skb->protocol = htons(ETH_P_IPV6); + skb->priority = sk->sk_priority; +- skb->mark = sk->sk_mark; ++ skb->mark = mark; + + mtu = dst_mtu(dst); + if ((skb->len <= mtu) || skb->ignore_df || skb_is_gso(skb)) { +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index f95437f..f6ba452 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -400,18 +400,19 @@ ip6_tnl_dev_uninit(struct net_device *dev) + + __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw) + { +- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *) raw; +- __u8 nexthdr = ipv6h->nexthdr; +- __u16 off = sizeof(*ipv6h); ++ const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)raw; ++ unsigned int nhoff = raw - skb->data; ++ unsigned int off = nhoff + sizeof(*ipv6h); ++ u8 next, nexthdr = ipv6h->nexthdr; + + while (ipv6_ext_hdr(nexthdr) && nexthdr != NEXTHDR_NONE) { +- __u16 optlen = 0; + struct ipv6_opt_hdr *hdr; +- if (raw + off + sizeof(*hdr) > skb->data && +- !pskb_may_pull(skb, raw - skb->data + off + sizeof (*hdr))) ++ u16 optlen; ++ ++ if (!pskb_may_pull(skb, off + sizeof(*hdr))) + break; + +- hdr = (struct ipv6_opt_hdr *) (raw + off); ++ hdr = (struct ipv6_opt_hdr *)(skb->data + off); + if (nexthdr == NEXTHDR_FRAGMENT) { + struct frag_hdr *frag_hdr = (struct frag_hdr *) hdr; + if (frag_hdr->frag_off) +@@ -422,20 +423,29 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw) + } else { + optlen = ipv6_optlen(hdr); + } ++ /* cache hdr->nexthdr, since pskb_may_pull() might ++ * invalidate hdr ++ */ ++ next = hdr->nexthdr; + if (nexthdr == NEXTHDR_DEST) { +- __u16 i = off + 2; ++ u16 i = 2; ++ ++ /* Remember : hdr is no longer valid at this point. */ ++ if (!pskb_may_pull(skb, off + optlen)) ++ break; ++ + while (1) { + struct ipv6_tlv_tnl_enc_lim *tel; + + /* No more room for encapsulation limit */ +- if (i + sizeof (*tel) > off + optlen) ++ if (i + sizeof(*tel) > optlen) + break; + +- tel = (struct ipv6_tlv_tnl_enc_lim *) &raw[i]; ++ tel = (struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i); + /* return index of option if found and valid */ + if (tel->type == IPV6_TLV_TNL_ENCAP_LIMIT && + tel->length == 1) +- return i; ++ return i + off - nhoff; + /* else jump to next option */ + if (tel->type) + i += tel->length + 2; +@@ -443,7 +453,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw) + i++; + } + } +- nexthdr = hdr->nexthdr; ++ nexthdr = next; + off += optlen; + } + return 0; +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index 14a3903..1bdc703 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -81,7 +81,7 @@ static void mld_gq_timer_expire(unsigned long data); + static void mld_ifc_timer_expire(unsigned long data); + static void mld_ifc_event(struct inet6_dev *idev); + static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc); +-static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *addr); ++static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc); + static void mld_clear_delrec(struct inet6_dev *idev); + static bool mld_in_v1_mode(const struct inet6_dev *idev); + static int sf_setstate(struct ifmcaddr6 *pmc); +@@ -692,9 +692,9 @@ static void igmp6_group_dropped(struct ifmcaddr6 *mc) + dev_mc_del(dev, buf); + } + +- if (mc->mca_flags & MAF_NOREPORT) +- goto done; + spin_unlock_bh(&mc->mca_lock); ++ if (mc->mca_flags & MAF_NOREPORT) ++ return; + + if (!mc->idev->dead) + igmp6_leave_group(mc); +@@ -702,8 +702,6 @@ static void igmp6_group_dropped(struct ifmcaddr6 *mc) + spin_lock_bh(&mc->mca_lock); + if (del_timer(&mc->mca_timer)) + atomic_dec(&mc->mca_refcnt); +-done: +- ip6_mc_clear_src(mc); + spin_unlock_bh(&mc->mca_lock); + } + +@@ -748,10 +746,11 @@ static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im) + spin_unlock_bh(&idev->mc_lock); + } + +-static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *pmca) ++static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im) + { + struct ifmcaddr6 *pmc, *pmc_prev; +- struct ip6_sf_list *psf, *psf_next; ++ struct ip6_sf_list *psf; ++ struct in6_addr *pmca = &im->mca_addr; + + spin_lock_bh(&idev->mc_lock); + pmc_prev = NULL; +@@ -768,14 +767,21 @@ static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *pmca) + } + spin_unlock_bh(&idev->mc_lock); + ++ spin_lock_bh(&im->mca_lock); + if (pmc) { +- for (psf = pmc->mca_tomb; psf; psf = psf_next) { +- psf_next = psf->sf_next; +- kfree(psf); ++ im->idev = pmc->idev; ++ im->mca_crcount = idev->mc_qrv; ++ im->mca_sfmode = pmc->mca_sfmode; ++ if (pmc->mca_sfmode == MCAST_INCLUDE) { ++ im->mca_tomb = pmc->mca_tomb; ++ im->mca_sources = pmc->mca_sources; ++ for (psf = im->mca_sources; psf; psf = psf->sf_next) ++ psf->sf_crcount = im->mca_crcount; + } + in6_dev_put(pmc->idev); + kfree(pmc); + } ++ spin_unlock_bh(&im->mca_lock); + } + + static void mld_clear_delrec(struct inet6_dev *idev) +@@ -904,7 +910,7 @@ int ipv6_dev_mc_inc(struct net_device *dev, const struct in6_addr *addr) + mca_get(mc); + write_unlock_bh(&idev->lock); + +- mld_del_delrec(idev, &mc->mca_addr); ++ mld_del_delrec(idev, mc); + igmp6_group_added(mc); + ma_put(mc); + return 0; +@@ -927,6 +933,7 @@ int __ipv6_dev_mc_dec(struct inet6_dev *idev, const struct in6_addr *addr) + write_unlock_bh(&idev->lock); + + igmp6_group_dropped(ma); ++ ip6_mc_clear_src(ma); + + ma_put(ma); + return 0; +@@ -2501,15 +2508,17 @@ void ipv6_mc_down(struct inet6_dev *idev) + /* Withdraw multicast list */ + + read_lock_bh(&idev->lock); +- mld_ifc_stop_timer(idev); +- mld_gq_stop_timer(idev); +- mld_dad_stop_timer(idev); + + for (i = idev->mc_list; i; i = i->next) + igmp6_group_dropped(i); +- read_unlock_bh(&idev->lock); + +- mld_clear_delrec(idev); ++ /* Should stop timer after group drop. or we will ++ * start timer again in mld_ifc_event() ++ */ ++ mld_ifc_stop_timer(idev); ++ mld_gq_stop_timer(idev); ++ mld_dad_stop_timer(idev); ++ read_unlock_bh(&idev->lock); + } + + static void ipv6_mc_reset(struct inet6_dev *idev) +@@ -2531,8 +2540,10 @@ void ipv6_mc_up(struct inet6_dev *idev) + + read_lock_bh(&idev->lock); + ipv6_mc_reset(idev); +- for (i = idev->mc_list; i; i = i->next) ++ for (i = idev->mc_list; i; i = i->next) { ++ mld_del_delrec(idev, i); + igmp6_group_added(i); ++ } + read_unlock_bh(&idev->lock); + } + +@@ -2565,6 +2576,7 @@ void ipv6_mc_destroy_dev(struct inet6_dev *idev) + + /* Deactivate timers */ + ipv6_mc_down(idev); ++ mld_clear_delrec(idev); + + /* Delete all-nodes address. */ + /* We cannot call ipv6_dev_mc_dec() directly, our caller in +@@ -2579,11 +2591,9 @@ void ipv6_mc_destroy_dev(struct inet6_dev *idev) + write_lock_bh(&idev->lock); + while ((i = idev->mc_list) != NULL) { + idev->mc_list = i->next; +- write_unlock_bh(&idev->lock); + +- igmp6_group_dropped(i); ++ write_unlock_bh(&idev->lock); + ma_put(i); +- + write_lock_bh(&idev->lock); + } + write_unlock_bh(&idev->lock); +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index b1cdf80..40d7405 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1390,6 +1390,7 @@ static int ipip6_tunnel_init(struct net_device *dev) + err = dst_cache_init(&tunnel->dst_cache, GFP_KERNEL); + if (err) { + free_percpu(dev->tstats); ++ dev->tstats = NULL; + return err; + } + +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index b9f1fee..6673965 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -467,7 +467,7 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst, + opt = ireq->ipv6_opt; + if (!opt) + opt = rcu_dereference(np->opt); +- err = ip6_xmit(sk, skb, fl6, opt, np->tclass); ++ err = ip6_xmit(sk, skb, fl6, sk->sk_mark, opt, np->tclass); + rcu_read_unlock(); + err = net_xmit_eval(err); + } +@@ -837,7 +837,7 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32 + dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL); + if (!IS_ERR(dst)) { + skb_dst_set(buff, dst); +- ip6_xmit(ctl_sk, buff, &fl6, NULL, tclass); ++ ip6_xmit(ctl_sk, buff, &fl6, fl6.flowi6_mark, NULL, tclass); + TCP_INC_STATS(net, TCP_MIB_OUTSEGS); + if (rst) + TCP_INC_STATS(net, TCP_MIB_OUTRSTS); +@@ -987,6 +987,16 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb) + return 0; /* don't send reset */ + } + ++static void tcp_v6_restore_cb(struct sk_buff *skb) ++{ ++ /* We need to move header back to the beginning if xfrm6_policy_check() ++ * and tcp_v6_fill_cb() are going to be called again. ++ * ip6_datagram_recv_specific_ctl() also expects IP6CB to be there. ++ */ ++ memmove(IP6CB(skb), &TCP_SKB_CB(skb)->header.h6, ++ sizeof(struct inet6_skb_parm)); ++} ++ + static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *skb, + struct request_sock *req, + struct dst_entry *dst, +@@ -1178,8 +1188,10 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * + sk_gfp_mask(sk, GFP_ATOMIC)); + consume_skb(ireq->pktopts); + ireq->pktopts = NULL; +- if (newnp->pktoptions) ++ if (newnp->pktoptions) { ++ tcp_v6_restore_cb(newnp->pktoptions); + skb_set_owner_r(newnp->pktoptions, newsk); ++ } + } + } + +@@ -1194,16 +1206,6 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * + return NULL; + } + +-static void tcp_v6_restore_cb(struct sk_buff *skb) +-{ +- /* We need to move header back to the beginning if xfrm6_policy_check() +- * and tcp_v6_fill_cb() are going to be called again. +- * ip6_datagram_recv_specific_ctl() also expects IP6CB to be there. +- */ +- memmove(IP6CB(skb), &TCP_SKB_CB(skb)->header.h6, +- sizeof(struct inet6_skb_parm)); +-} +- + /* The socket must have it's spinlock held when we get + * here, unless it is a TCP_LISTEN socket. + * +diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h +index 2599af6..181e755c 100644 +--- a/net/l2tp/l2tp_core.h ++++ b/net/l2tp/l2tp_core.h +@@ -273,6 +273,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, + int l2tp_nl_register_ops(enum l2tp_pwtype pw_type, + const struct l2tp_nl_cmd_ops *ops); + void l2tp_nl_unregister_ops(enum l2tp_pwtype pw_type); ++int l2tp_ioctl(struct sock *sk, int cmd, unsigned long arg); + + /* Session reference counts. Incremented when code obtains a reference + * to a session. +diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c +index 8938b6b..c0f0750 100644 +--- a/net/l2tp/l2tp_ip.c ++++ b/net/l2tp/l2tp_ip.c +@@ -11,6 +11,7 @@ + + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + ++#include <asm/ioctls.h> + #include <linux/icmp.h> + #include <linux/module.h> + #include <linux/skbuff.h> +@@ -560,6 +561,30 @@ static int l2tp_ip_recvmsg(struct sock *sk, struct msghdr *msg, + return err ? err : copied; + } + ++int l2tp_ioctl(struct sock *sk, int cmd, unsigned long arg) ++{ ++ struct sk_buff *skb; ++ int amount; ++ ++ switch (cmd) { ++ case SIOCOUTQ: ++ amount = sk_wmem_alloc_get(sk); ++ break; ++ case SIOCINQ: ++ spin_lock_bh(&sk->sk_receive_queue.lock); ++ skb = skb_peek(&sk->sk_receive_queue); ++ amount = skb ? skb->len : 0; ++ spin_unlock_bh(&sk->sk_receive_queue.lock); ++ break; ++ ++ default: ++ return -ENOIOCTLCMD; ++ } ++ ++ return put_user(amount, (int __user *)arg); ++} ++EXPORT_SYMBOL(l2tp_ioctl); ++ + static struct proto l2tp_ip_prot = { + .name = "L2TP/IP", + .owner = THIS_MODULE, +@@ -568,7 +593,7 @@ static struct proto l2tp_ip_prot = { + .bind = l2tp_ip_bind, + .connect = l2tp_ip_connect, + .disconnect = l2tp_ip_disconnect, +- .ioctl = udp_ioctl, ++ .ioctl = l2tp_ioctl, + .destroy = l2tp_ip_destroy_sock, + .setsockopt = ip_setsockopt, + .getsockopt = ip_getsockopt, +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c +index aa821cb..1a65c9a 100644 +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -729,7 +729,7 @@ static struct proto l2tp_ip6_prot = { + .bind = l2tp_ip6_bind, + .connect = l2tp_ip6_connect, + .disconnect = l2tp_ip6_disconnect, +- .ioctl = udp_ioctl, ++ .ioctl = l2tp_ioctl, + .destroy = l2tp_ip6_destroy_sock, + .setsockopt = ipv6_setsockopt, + .getsockopt = ipv6_getsockopt, +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 94e4a59..458722b 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2813,7 +2813,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + struct virtio_net_hdr vnet_hdr = { 0 }; + int offset = 0; + struct packet_sock *po = pkt_sk(sk); +- int hlen, tlen; ++ int hlen, tlen, linear; + int extra_len = 0; + + /* +@@ -2874,8 +2874,9 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + err = -ENOBUFS; + hlen = LL_RESERVED_SPACE(dev); + tlen = dev->needed_tailroom; +- skb = packet_alloc_skb(sk, hlen + tlen, hlen, len, +- __virtio16_to_cpu(vio_le(), vnet_hdr.hdr_len), ++ linear = __virtio16_to_cpu(vio_le(), vnet_hdr.hdr_len); ++ linear = max(linear, min_t(int, len, dev->hard_header_len)); ++ skb = packet_alloc_skb(sk, hlen + tlen, hlen, len, linear, + msg->msg_flags & MSG_DONTWAIT, &err); + if (skb == NULL) + goto out_unlock; +diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c +index f935429..b12bc2a 100644 +--- a/net/sched/cls_matchall.c ++++ b/net/sched/cls_matchall.c +@@ -16,16 +16,11 @@ + #include <net/sch_generic.h> + #include <net/pkt_cls.h> + +-struct cls_mall_filter { ++struct cls_mall_head { + struct tcf_exts exts; + struct tcf_result res; + u32 handle; +- struct rcu_head rcu; + u32 flags; +-}; +- +-struct cls_mall_head { +- struct cls_mall_filter *filter; + struct rcu_head rcu; + }; + +@@ -33,38 +28,29 @@ static int mall_classify(struct sk_buff *skb, const struct tcf_proto *tp, + struct tcf_result *res) + { + struct cls_mall_head *head = rcu_dereference_bh(tp->root); +- struct cls_mall_filter *f = head->filter; + +- if (tc_skip_sw(f->flags)) ++ if (tc_skip_sw(head->flags)) + return -1; + +- return tcf_exts_exec(skb, &f->exts, res); ++ return tcf_exts_exec(skb, &head->exts, res); + } + + static int mall_init(struct tcf_proto *tp) + { +- struct cls_mall_head *head; +- +- head = kzalloc(sizeof(*head), GFP_KERNEL); +- if (!head) +- return -ENOBUFS; +- +- rcu_assign_pointer(tp->root, head); +- + return 0; + } + +-static void mall_destroy_filter(struct rcu_head *head) ++static void mall_destroy_rcu(struct rcu_head *rcu) + { +- struct cls_mall_filter *f = container_of(head, struct cls_mall_filter, rcu); ++ struct cls_mall_head *head = container_of(rcu, struct cls_mall_head, ++ rcu); + +- tcf_exts_destroy(&f->exts); +- +- kfree(f); ++ tcf_exts_destroy(&head->exts); ++ kfree(head); + } + + static int mall_replace_hw_filter(struct tcf_proto *tp, +- struct cls_mall_filter *f, ++ struct cls_mall_head *head, + unsigned long cookie) + { + struct net_device *dev = tp->q->dev_queue->dev; +@@ -74,7 +60,7 @@ static int mall_replace_hw_filter(struct tcf_proto *tp, + offload.type = TC_SETUP_MATCHALL; + offload.cls_mall = &mall_offload; + offload.cls_mall->command = TC_CLSMATCHALL_REPLACE; +- offload.cls_mall->exts = &f->exts; ++ offload.cls_mall->exts = &head->exts; + offload.cls_mall->cookie = cookie; + + return dev->netdev_ops->ndo_setup_tc(dev, tp->q->handle, tp->protocol, +@@ -82,7 +68,7 @@ static int mall_replace_hw_filter(struct tcf_proto *tp, + } + + static void mall_destroy_hw_filter(struct tcf_proto *tp, +- struct cls_mall_filter *f, ++ struct cls_mall_head *head, + unsigned long cookie) + { + struct net_device *dev = tp->q->dev_queue->dev; +@@ -103,29 +89,20 @@ static bool mall_destroy(struct tcf_proto *tp, bool force) + { + struct cls_mall_head *head = rtnl_dereference(tp->root); + struct net_device *dev = tp->q->dev_queue->dev; +- struct cls_mall_filter *f = head->filter; + +- if (!force && f) +- return false; ++ if (!head) ++ return true; + +- if (f) { +- if (tc_should_offload(dev, tp, f->flags)) +- mall_destroy_hw_filter(tp, f, (unsigned long) f); ++ if (tc_should_offload(dev, tp, head->flags)) ++ mall_destroy_hw_filter(tp, head, (unsigned long) head); + +- call_rcu(&f->rcu, mall_destroy_filter); +- } +- kfree_rcu(head, rcu); ++ call_rcu(&head->rcu, mall_destroy_rcu); + return true; + } + + static unsigned long mall_get(struct tcf_proto *tp, u32 handle) + { +- struct cls_mall_head *head = rtnl_dereference(tp->root); +- struct cls_mall_filter *f = head->filter; +- +- if (f && f->handle == handle) +- return (unsigned long) f; +- return 0; ++ return 0UL; + } + + static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = { +@@ -134,7 +111,7 @@ static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = { + }; + + static int mall_set_parms(struct net *net, struct tcf_proto *tp, +- struct cls_mall_filter *f, ++ struct cls_mall_head *head, + unsigned long base, struct nlattr **tb, + struct nlattr *est, bool ovr) + { +@@ -147,11 +124,11 @@ static int mall_set_parms(struct net *net, struct tcf_proto *tp, + return err; + + if (tb[TCA_MATCHALL_CLASSID]) { +- f->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]); +- tcf_bind_filter(tp, &f->res, base); ++ head->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]); ++ tcf_bind_filter(tp, &head->res, base); + } + +- tcf_exts_change(tp, &f->exts, &e); ++ tcf_exts_change(tp, &head->exts, &e); + + return 0; + } +@@ -162,21 +139,17 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, + unsigned long *arg, bool ovr) + { + struct cls_mall_head *head = rtnl_dereference(tp->root); +- struct cls_mall_filter *fold = (struct cls_mall_filter *) *arg; + struct net_device *dev = tp->q->dev_queue->dev; +- struct cls_mall_filter *f; + struct nlattr *tb[TCA_MATCHALL_MAX + 1]; ++ struct cls_mall_head *new; + u32 flags = 0; + int err; + + if (!tca[TCA_OPTIONS]) + return -EINVAL; + +- if (head->filter) +- return -EBUSY; +- +- if (fold) +- return -EINVAL; ++ if (head) ++ return -EEXIST; + + err = nla_parse_nested(tb, TCA_MATCHALL_MAX, + tca[TCA_OPTIONS], mall_policy); +@@ -189,23 +162,23 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, + return -EINVAL; + } + +- f = kzalloc(sizeof(*f), GFP_KERNEL); +- if (!f) ++ new = kzalloc(sizeof(*new), GFP_KERNEL); ++ if (!new) + return -ENOBUFS; + +- tcf_exts_init(&f->exts, TCA_MATCHALL_ACT, 0); ++ tcf_exts_init(&new->exts, TCA_MATCHALL_ACT, 0); + + if (!handle) + handle = 1; +- f->handle = handle; +- f->flags = flags; ++ new->handle = handle; ++ new->flags = flags; + +- err = mall_set_parms(net, tp, f, base, tb, tca[TCA_RATE], ovr); ++ err = mall_set_parms(net, tp, new, base, tb, tca[TCA_RATE], ovr); + if (err) + goto errout; + + if (tc_should_offload(dev, tp, flags)) { +- err = mall_replace_hw_filter(tp, f, (unsigned long) f); ++ err = mall_replace_hw_filter(tp, new, (unsigned long) new); + if (err) { + if (tc_skip_sw(flags)) + goto errout; +@@ -214,39 +187,29 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, + } + } + +- *arg = (unsigned long) f; +- rcu_assign_pointer(head->filter, f); +- ++ *arg = (unsigned long) head; ++ rcu_assign_pointer(tp->root, new); ++ if (head) ++ call_rcu(&head->rcu, mall_destroy_rcu); + return 0; + + errout: +- kfree(f); ++ kfree(new); + return err; + } + + static int mall_delete(struct tcf_proto *tp, unsigned long arg) + { +- struct cls_mall_head *head = rtnl_dereference(tp->root); +- struct cls_mall_filter *f = (struct cls_mall_filter *) arg; +- struct net_device *dev = tp->q->dev_queue->dev; +- +- if (tc_should_offload(dev, tp, f->flags)) +- mall_destroy_hw_filter(tp, f, (unsigned long) f); +- +- RCU_INIT_POINTER(head->filter, NULL); +- tcf_unbind_filter(tp, &f->res); +- call_rcu(&f->rcu, mall_destroy_filter); +- return 0; ++ return -EOPNOTSUPP; + } + + static void mall_walk(struct tcf_proto *tp, struct tcf_walker *arg) + { + struct cls_mall_head *head = rtnl_dereference(tp->root); +- struct cls_mall_filter *f = head->filter; + + if (arg->count < arg->skip) + goto skip; +- if (arg->fn(tp, (unsigned long) f, arg) < 0) ++ if (arg->fn(tp, (unsigned long) head, arg) < 0) + arg->stop = 1; + skip: + arg->count++; +@@ -255,28 +218,28 @@ static void mall_walk(struct tcf_proto *tp, struct tcf_walker *arg) + static int mall_dump(struct net *net, struct tcf_proto *tp, unsigned long fh, + struct sk_buff *skb, struct tcmsg *t) + { +- struct cls_mall_filter *f = (struct cls_mall_filter *) fh; ++ struct cls_mall_head *head = (struct cls_mall_head *) fh; + struct nlattr *nest; + +- if (!f) ++ if (!head) + return skb->len; + +- t->tcm_handle = f->handle; ++ t->tcm_handle = head->handle; + + nest = nla_nest_start(skb, TCA_OPTIONS); + if (!nest) + goto nla_put_failure; + +- if (f->res.classid && +- nla_put_u32(skb, TCA_MATCHALL_CLASSID, f->res.classid)) ++ if (head->res.classid && ++ nla_put_u32(skb, TCA_MATCHALL_CLASSID, head->res.classid)) + goto nla_put_failure; + +- if (tcf_exts_dump(skb, &f->exts)) ++ if (tcf_exts_dump(skb, &head->exts)) + goto nla_put_failure; + + nla_nest_end(skb, nest); + +- if (tcf_exts_dump_stats(skb, &f->exts) < 0) ++ if (tcf_exts_dump_stats(skb, &head->exts) < 0) + goto nla_put_failure; + + return skb->len; +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index 176af30..6a2532d 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -222,7 +222,8 @@ static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport) + SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS); + + rcu_read_lock(); +- res = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt), np->tclass); ++ res = ip6_xmit(sk, skb, fl6, sk->sk_mark, rcu_dereference(np->opt), ++ np->tclass); + rcu_read_unlock(); + return res; + } +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index ca12aa3..6cbe5bd 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7427,7 +7427,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, + */ + release_sock(sk); + current_timeo = schedule_timeout(current_timeo); +- BUG_ON(sk != asoc->base.sk); ++ if (sk != asoc->base.sk) ++ goto do_error; + lock_sock(sk); + + *timeo_p = current_timeo; diff --git a/4.9.10/4420_grsecurity-3.1-4.9.10-201702162016.patch b/4.9.11/4420_grsecurity-3.1-4.9.11-201702181444.patch index ef4d7f3..91575ee 100644 --- a/4.9.10/4420_grsecurity-3.1-4.9.10-201702162016.patch +++ b/4.9.11/4420_grsecurity-3.1-4.9.11-201702181444.patch @@ -419,7 +419,7 @@ index 3d0ae15..84e5412 100644 cmd_syscalls = $(CONFIG_SHELL) $< $(CC) $(c_flags) $(missing_syscalls_flags) diff --git a/Makefile b/Makefile -index d2fe757..92fd198 100644 +index 18b0c5a..54a9fea 100644 --- a/Makefile +++ b/Makefile @@ -302,7 +302,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -30440,7 +30440,7 @@ index 04f89ca..43ad7de 100644 unlock_done: mutex_unlock(&espfix_init_mutex); diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c -index ebb4e95..37e51387 100644 +index 96d80df..1932b44 100644 --- a/arch/x86/kernel/fpu/core.c +++ b/arch/x86/kernel/fpu/core.c @@ -136,7 +136,7 @@ void __kernel_fpu_end(void) @@ -30461,7 +30461,7 @@ index ebb4e95..37e51387 100644 else fpregs_deactivate(fpu); } -@@ -261,7 +261,7 @@ int fpu__copy(struct fpu *dst_fpu, struct fpu *src_fpu) +@@ -262,7 +262,7 @@ int fpu__copy(struct fpu *dst_fpu, struct fpu *src_fpu) * leak into the child task: */ if (use_eager_fpu()) @@ -30470,7 +30470,7 @@ index ebb4e95..37e51387 100644 /* * Save current FPU registers directly into the child -@@ -280,11 +280,10 @@ int fpu__copy(struct fpu *dst_fpu, struct fpu *src_fpu) +@@ -281,11 +281,10 @@ int fpu__copy(struct fpu *dst_fpu, struct fpu *src_fpu) */ preempt_disable(); if (!copy_fpregs_to_fpstate(dst_fpu)) { @@ -30484,7 +30484,7 @@ index ebb4e95..37e51387 100644 else fpregs_deactivate(src_fpu); } -@@ -305,7 +304,7 @@ void fpu__activate_curr(struct fpu *fpu) +@@ -306,7 +305,7 @@ void fpu__activate_curr(struct fpu *fpu) WARN_ON_FPU(fpu != ¤t->thread.fpu); if (!fpu->fpstate_active) { @@ -30493,7 +30493,7 @@ index ebb4e95..37e51387 100644 trace_x86_fpu_init_state(fpu); trace_x86_fpu_activate_state(fpu); -@@ -333,7 +332,7 @@ void fpu__activate_fpstate_read(struct fpu *fpu) +@@ -334,7 +333,7 @@ void fpu__activate_fpstate_read(struct fpu *fpu) fpu__save(fpu); } else { if (!fpu->fpstate_active) { @@ -30502,7 +30502,7 @@ index ebb4e95..37e51387 100644 trace_x86_fpu_init_state(fpu); trace_x86_fpu_activate_state(fpu); -@@ -368,7 +367,7 @@ void fpu__activate_fpstate_write(struct fpu *fpu) +@@ -369,7 +368,7 @@ void fpu__activate_fpstate_write(struct fpu *fpu) /* Invalidate any lazy state: */ fpu->last_cpu = -1; } else { @@ -30511,7 +30511,7 @@ index ebb4e95..37e51387 100644 trace_x86_fpu_init_state(fpu); trace_x86_fpu_activate_state(fpu); -@@ -431,7 +430,7 @@ void fpu__current_fpstate_write_end(void) +@@ -432,7 +431,7 @@ void fpu__current_fpstate_write_end(void) * an XRSTOR if they are active. */ if (fpregs_active()) @@ -30520,7 +30520,7 @@ index ebb4e95..37e51387 100644 /* * Our update is done and the fpregs/fpstate are in sync -@@ -458,7 +457,7 @@ void fpu__restore(struct fpu *fpu) +@@ -459,7 +458,7 @@ void fpu__restore(struct fpu *fpu) kernel_fpu_disable(); trace_x86_fpu_before_restore(fpu); fpregs_activate(fpu); @@ -30529,7 +30529,7 @@ index ebb4e95..37e51387 100644 fpu->counter++; trace_x86_fpu_after_restore(fpu); kernel_fpu_enable(); -@@ -554,11 +553,11 @@ int fpu__exception_code(struct fpu *fpu, int trap_nr) +@@ -555,11 +554,11 @@ int fpu__exception_code(struct fpu *fpu, int trap_nr) * fully reproduce the context of the exception. */ if (boot_cpu_has(X86_FEATURE_FXSR)) { @@ -30545,7 +30545,7 @@ index ebb4e95..37e51387 100644 } err = swd & ~cwd; -@@ -572,7 +571,7 @@ int fpu__exception_code(struct fpu *fpu, int trap_nr) +@@ -573,7 +572,7 @@ int fpu__exception_code(struct fpu *fpu, int trap_nr) unsigned short mxcsr = MXCSR_DEFAULT; if (boot_cpu_has(X86_FEATURE_XMM)) @@ -69593,10 +69593,10 @@ index f9db2ce..6cd460c 100644 } diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c -index 6255973..7ae59f5 100644 +index 1b65f0f..55b35dc 100644 --- a/drivers/net/loopback.c +++ b/drivers/net/loopback.c -@@ -216,6 +216,6 @@ static __net_init int loopback_net_init(struct net *net) +@@ -217,6 +217,6 @@ static __net_init int loopback_net_init(struct net *net) } /* Registered in net/core/dev.c */ @@ -69663,7 +69663,7 @@ index 26d6f0b..af4d2ad 100644 }; diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c -index 6f38daf..5a5bedd 100644 +index adea6f5..5991765 100644 --- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c @@ -514,7 +514,7 @@ static void macvtap_setup(struct net_device *dev) @@ -69854,7 +69854,7 @@ index a380649..fd8fe79c 100644 }; diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 18402d7..61603d0 100644 +index b31aca8..3853488 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -966,7 +966,7 @@ static void tun_set_headroom(struct net_device *dev, int new_hr) @@ -69866,7 +69866,7 @@ index 18402d7..61603d0 100644 new_hr = NET_SKB_PAD; tun->align = new_hr; -@@ -1548,7 +1548,7 @@ static int tun_validate(struct nlattr *tb[], struct nlattr *data[]) +@@ -1550,7 +1550,7 @@ static int tun_validate(struct nlattr *tb[], struct nlattr *data[]) return -EINVAL; } @@ -69875,7 +69875,7 @@ index 18402d7..61603d0 100644 .kind = DRV_NAME, .priv_size = sizeof(struct tun_struct), .setup = tun_setup, -@@ -1977,7 +1977,7 @@ static int tun_set_queue(struct file *file, struct ifreq *ifr) +@@ -1979,7 +1979,7 @@ static int tun_set_queue(struct file *file, struct ifreq *ifr) } static long __tun_chr_ioctl(struct file *file, unsigned int cmd, @@ -69884,7 +69884,7 @@ index 18402d7..61603d0 100644 { struct tun_file *tfile = file->private_data; struct tun_struct *tun; -@@ -1991,6 +1991,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, +@@ -1993,6 +1993,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, int le; int ret; @@ -69894,7 +69894,7 @@ index 18402d7..61603d0 100644 if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || _IOC_TYPE(cmd) == 0x89) { if (copy_from_user(&ifr, argp, ifreq_len)) return -EFAULT; -@@ -2506,7 +2509,7 @@ static int tun_device_event(struct notifier_block *unused, +@@ -2508,7 +2511,7 @@ static int tun_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -141755,7 +141755,7 @@ index cd0c8bd..8c20e41 100644 struct iovec; struct kvec; diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h -index d83590e..7bd7c11 100644 +index bb9b102..1969a64 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -1324,6 +1324,7 @@ struct net_device_ops { @@ -141766,7 +141766,7 @@ index d83590e..7bd7c11 100644 /** * enum net_device_priv_flags - &struct net_device priv_flags -@@ -1651,7 +1652,7 @@ struct net_device { +@@ -1652,7 +1653,7 @@ struct net_device { unsigned long base_addr; int irq; @@ -141775,7 +141775,7 @@ index d83590e..7bd7c11 100644 /* * Some hardware also needs these fields (state,dev_list, -@@ -1691,9 +1692,9 @@ struct net_device { +@@ -1692,9 +1693,9 @@ struct net_device { struct net_device_stats stats; @@ -141788,7 +141788,7 @@ index d83590e..7bd7c11 100644 #ifdef CONFIG_WIRELESS_EXT const struct iw_handler_def *wireless_handlers; -@@ -3364,7 +3365,7 @@ static __always_inline int ____dev_forward_skb(struct net_device *dev, +@@ -3368,7 +3369,7 @@ static __always_inline int ____dev_forward_skb(struct net_device *dev, { if (skb_orphan_frags(skb, GFP_ATOMIC) || unlikely(!is_skb_forwardable(dev, skb))) { @@ -141797,7 +141797,7 @@ index d83590e..7bd7c11 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -4290,7 +4291,7 @@ static inline bool netif_reduces_vlan_mtu(struct net_device *dev) +@@ -4294,7 +4295,7 @@ static inline bool netif_reduces_vlan_mtu(struct net_device *dev) return dev->priv_flags & IFF_MACSEC; } @@ -145591,7 +145591,7 @@ index cd6018a..996671f 100644 struct list_head est_list; /* estimator list */ spinlock_t est_lock; diff --git a/include/net/ipv6.h b/include/net/ipv6.h -index f11ca83..bec016e 100644 +index 7f15f95..d381999 100644 --- a/include/net/ipv6.h +++ b/include/net/ipv6.h @@ -788,7 +788,7 @@ static inline __be32 ip6_make_flowlabel(struct net *net, struct sk_buff *skb, @@ -163663,10 +163663,10 @@ index 3408ed5..885aab5 100644 .priv_size = sizeof(struct chnl_net), .setup = ipcaif_net_setup, diff --git a/net/can/af_can.c b/net/can/af_can.c -index 1108079..1871d16 100644 +index 5488e4a..823ad05 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c -@@ -890,7 +890,7 @@ static const struct net_proto_family can_family_ops = { +@@ -898,7 +898,7 @@ static const struct net_proto_family can_family_ops = { }; /* notifier block for netdevice event */ @@ -163676,7 +163676,7 @@ index 1108079..1871d16 100644 }; diff --git a/net/can/bcm.c b/net/can/bcm.c -index 5e9ed5e..916d38c 100644 +index e4f694d..62ad313 100644 --- a/net/can/bcm.c +++ b/net/can/bcm.c @@ -1699,7 +1699,7 @@ static int __init bcm_module_init(void) @@ -163689,7 +163689,7 @@ index 5e9ed5e..916d38c 100644 } diff --git a/net/can/gw.c b/net/can/gw.c -index 4551687..4e82e9b 100644 +index 77c8af4..7d32a8b 100644 --- a/net/can/gw.c +++ b/net/can/gw.c @@ -80,7 +80,6 @@ MODULE_PARM_DESC(max_hops, @@ -163899,10 +163899,10 @@ index b7de71f..808387d 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index df51c50..26e1440 100644 +index 60b0a604..920cbea 100644 --- a/net/core/dev.c +++ b/net/core/dev.c -@@ -3000,7 +3000,7 @@ static struct sk_buff *validate_xmit_skb(struct sk_buff *skb, struct net_device +@@ -2995,7 +2995,7 @@ static struct sk_buff *validate_xmit_skb(struct sk_buff *skb, struct net_device out_kfree_skb: kfree_skb(skb); out_null: @@ -163911,7 +163911,7 @@ index df51c50..26e1440 100644 return NULL; } -@@ -3411,7 +3411,7 @@ static int __dev_queue_xmit(struct sk_buff *skb, void *accel_priv) +@@ -3406,7 +3406,7 @@ static int __dev_queue_xmit(struct sk_buff *skb, void *accel_priv) rc = -ENETDOWN; rcu_read_unlock_bh(); @@ -163920,7 +163920,7 @@ index df51c50..26e1440 100644 kfree_skb_list(skb); return rc; out: -@@ -3764,7 +3764,7 @@ static int enqueue_to_backlog(struct sk_buff *skb, int cpu, +@@ -3759,7 +3759,7 @@ static int enqueue_to_backlog(struct sk_buff *skb, int cpu, local_irq_restore(flags); @@ -163929,7 +163929,7 @@ index df51c50..26e1440 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -3841,7 +3841,7 @@ int netif_rx_ni(struct sk_buff *skb) +@@ -3836,7 +3836,7 @@ int netif_rx_ni(struct sk_buff *skb) } EXPORT_SYMBOL(netif_rx_ni); @@ -163938,7 +163938,7 @@ index df51c50..26e1440 100644 { struct softnet_data *sd = this_cpu_ptr(&softnet_data); -@@ -4208,9 +4208,9 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) +@@ -4203,9 +4203,9 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) } else { drop: if (!deliver_exact) @@ -163950,7 +163950,7 @@ index df51c50..26e1440 100644 kfree_skb(skb); /* Jamal, now you will not able to escape explaining * me how you were going to use this. :-) -@@ -5197,7 +5197,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll) +@@ -5192,7 +5192,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll) return work; } @@ -163959,7 +163959,7 @@ index df51c50..26e1440 100644 { struct softnet_data *sd = this_cpu_ptr(&softnet_data); unsigned long time_limit = jiffies + 2; -@@ -7540,9 +7540,9 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, +@@ -7535,9 +7535,9 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, } else { netdev_stats_to_stats64(storage, &dev->stats); } @@ -163972,7 +163972,7 @@ index df51c50..26e1440 100644 return storage; } EXPORT_SYMBOL(dev_get_stats); -@@ -8167,7 +8167,7 @@ static void __net_exit netdev_exit(struct net *net) +@@ -8162,7 +8162,7 @@ static void __net_exit netdev_exit(struct net *net) kfree(net->dev_index_head); } @@ -163981,7 +163981,7 @@ index df51c50..26e1440 100644 .init = netdev_init, .exit = netdev_exit, }; -@@ -8267,7 +8267,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list) +@@ -8262,7 +8262,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list) rtnl_unlock(); } @@ -165507,10 +165507,10 @@ index d6feabb..9cb3988 100644 ICMP_PROT_UNREACH, 0); } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index f226f408..87ab217 100644 +index 65336f3..3c7e4b7 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c -@@ -1335,7 +1335,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1342,7 +1342,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, len = min_t(unsigned int, len, opt->optlen); if (put_user(len, optlen)) return -EFAULT; @@ -165520,7 +165520,7 @@ index f226f408..87ab217 100644 return -EFAULT; return 0; } -@@ -1471,7 +1472,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1478,7 +1479,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, if (sk->sk_type != SOCK_STREAM) return -ENOPROTOOPT; @@ -165721,7 +165721,7 @@ index 4a9e6db..06174e1 100644 pr_err("Unable to proc dir entry\n"); return -ENOMEM; diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 96b8e2b..fb38f77 100644 +index 105c074..6c5033d 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -59,7 +59,7 @@ struct ping_table { @@ -165760,7 +165760,7 @@ index 96b8e2b..fb38f77 100644 info, (u8 *)icmph); #endif } -@@ -923,10 +923,10 @@ int ping_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock, +@@ -925,10 +925,10 @@ int ping_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock, } if (inet6_sk(sk)->rxopt.all) @@ -165773,7 +165773,7 @@ index 96b8e2b..fb38f77 100644 else if (skb->protocol == htons(ETH_P_IP) && isk->cmsg_flags) ip_cmsg_recv(msg, skb); #endif -@@ -1123,7 +1123,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, +@@ -1125,7 +1125,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -166770,7 +166770,7 @@ index ef54852..56699bb 100644 return new; } diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c -index d7d6d3a..eaae042 100644 +index 0a59220..645d4d6 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -71,8 +71,8 @@ struct ip6gre_net { @@ -166784,7 +166784,7 @@ index d7d6d3a..eaae042 100644 static int ip6gre_tunnel_init(struct net_device *dev); static void ip6gre_tunnel_setup(struct net_device *dev); static void ip6gre_tunnel_link(struct ip6gre_net *ign, struct ip6_tnl *t); -@@ -1067,7 +1067,7 @@ static void ip6gre_fb_tunnel_init(struct net_device *dev) +@@ -1069,7 +1069,7 @@ static void ip6gre_fb_tunnel_init(struct net_device *dev) } @@ -166793,7 +166793,7 @@ index d7d6d3a..eaae042 100644 .handler = gre_rcv, .err_handler = ip6gre_err, .flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL, -@@ -1520,7 +1520,7 @@ static const struct nla_policy ip6gre_policy[IFLA_GRE_MAX + 1] = { +@@ -1522,7 +1522,7 @@ static const struct nla_policy ip6gre_policy[IFLA_GRE_MAX + 1] = { [IFLA_GRE_ENCAP_DPORT] = { .type = NLA_U16 }, }; @@ -166802,7 +166802,7 @@ index d7d6d3a..eaae042 100644 .kind = "ip6gre", .maxtype = IFLA_GRE_MAX, .policy = ip6gre_policy, -@@ -1535,7 +1535,7 @@ static struct rtnl_link_ops ip6gre_link_ops __read_mostly = { +@@ -1537,7 +1537,7 @@ static struct rtnl_link_ops ip6gre_link_ops __read_mostly = { .get_link_net = ip6_tnl_get_link_net, }; @@ -166812,7 +166812,7 @@ index d7d6d3a..eaae042 100644 .maxtype = IFLA_GRE_MAX, .policy = ip6gre_policy, diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c -index f95437f..9bca401 100644 +index f6ba452..b04707b 100644 --- a/net/ipv6/ip6_tunnel.c +++ b/net/ipv6/ip6_tunnel.c @@ -81,7 +81,7 @@ static u32 HASH(const struct in6_addr *addr1, const struct in6_addr *addr2) @@ -166824,7 +166824,7 @@ index f95437f..9bca401 100644 static int ip6_tnl_net_id __read_mostly; struct ip6_tnl_net { -@@ -2093,7 +2093,7 @@ static const struct nla_policy ip6_tnl_policy[IFLA_IPTUN_MAX + 1] = { +@@ -2103,7 +2103,7 @@ static const struct nla_policy ip6_tnl_policy[IFLA_IPTUN_MAX + 1] = { [IFLA_IPTUN_COLLECT_METADATA] = { .type = NLA_FLAG }, }; @@ -167201,7 +167201,7 @@ index bff4460..4551e9a 100644 table = kmemdup(ipv6_route_table_template, sizeof(ipv6_route_table_template), diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c -index b1cdf80..18a97a9 100644 +index 40d7405..dc61f2b 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -74,7 +74,7 @@ static void ipip6_tunnel_setup(struct net_device *dev); @@ -167213,7 +167213,7 @@ index b1cdf80..18a97a9 100644 static int sit_net_id __read_mostly; struct sit_net { -@@ -1735,7 +1735,7 @@ static void ipip6_dellink(struct net_device *dev, struct list_head *head) +@@ -1736,7 +1736,7 @@ static void ipip6_dellink(struct net_device *dev, struct list_head *head) unregister_netdevice_queue(dev, head); } @@ -167236,7 +167236,7 @@ index 69c50e7..ec875fa 100644 struct ctl_table *ipv6_icmp_table; int err; diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index b9f1fee..3e0f50f 100644 +index 6673965..16ec3de 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -101,6 +101,10 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) @@ -167250,7 +167250,7 @@ index b9f1fee..3e0f50f 100644 static __u32 tcp_v6_init_sequence(const struct sk_buff *skb) { return secure_tcpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32, -@@ -1300,6 +1304,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) +@@ -1302,6 +1306,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) return 0; reset: @@ -167260,7 +167260,7 @@ index b9f1fee..3e0f50f 100644 tcp_v6_send_reset(sk, skb); discard: if (opt_skb) -@@ -1404,12 +1411,20 @@ static int tcp_v6_rcv(struct sk_buff *skb) +@@ -1406,12 +1413,20 @@ static int tcp_v6_rcv(struct sk_buff *skb) sk = __inet6_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th), th->source, th->dest, inet6_iif(skb), &refcounted); @@ -167283,7 +167283,7 @@ index b9f1fee..3e0f50f 100644 if (sk->sk_state == TCP_NEW_SYN_RECV) { struct request_sock *req = inet_reqsk(sk); -@@ -1499,6 +1514,10 @@ static int tcp_v6_rcv(struct sk_buff *skb) +@@ -1501,6 +1516,10 @@ static int tcp_v6_rcv(struct sk_buff *skb) bad_packet: __TCP_INC_STATS(net, TCP_MIB_INERRS); } else { @@ -168246,10 +168246,10 @@ index 965f7e3..daa74100 100644 } diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c -index 8938b6b..bd9ca60 100644 +index c0f0750..7f2e432 100644 --- a/net/l2tp/l2tp_ip.c +++ b/net/l2tp/l2tp_ip.c -@@ -616,7 +616,7 @@ static struct inet_protosw l2tp_ip_protosw = { +@@ -641,7 +641,7 @@ static struct inet_protosw l2tp_ip_protosw = { .ops = &l2tp_ip_ops, }; @@ -168259,7 +168259,7 @@ index 8938b6b..bd9ca60 100644 .netns_ok = 1, }; diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c -index aa821cb..045ff78 100644 +index 1a65c9a..46ac95e 100644 --- a/net/l2tp/l2tp_ip6.c +++ b/net/l2tp/l2tp_ip6.c @@ -777,7 +777,7 @@ static struct inet_protosw l2tp_ip6_protosw = { @@ -169936,7 +169936,7 @@ index 7eb955e..479c9a6 100644 static int __init ovs_vxlan_tnl_init(void) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 94e4a59..0339089 100644 +index 458722b..5852eae 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -278,7 +278,7 @@ static int packet_direct_xmit(struct sk_buff *skb) @@ -169991,7 +169991,7 @@ index 94e4a59..0339089 100644 spin_unlock(&sk->sk_receive_queue.lock); drop_n_restore: -@@ -3847,7 +3847,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3848,7 +3848,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); @@ -170000,7 +170000,7 @@ index 94e4a59..0339089 100644 return -EFAULT; switch (val) { case TPACKET_V1: -@@ -3882,9 +3882,9 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3883,9 +3883,9 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_ROLLOVER_STATS: if (!po->rollover) return -EINVAL; @@ -170013,7 +170013,7 @@ index 94e4a59..0339089 100644 data = &rstats; lv = sizeof(rstats); break; -@@ -3902,7 +3902,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3903,7 +3903,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, len = lv; if (put_user(len, optlen)) return -EFAULT; @@ -170469,10 +170469,10 @@ index 6cfb6e9..eaa7ef4 100644 } } diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c -index 176af30..585194b 100644 +index 6a2532d..09ce23f 100644 --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c -@@ -990,7 +990,7 @@ static const struct inet6_protocol sctpv6_protocol = { +@@ -991,7 +991,7 @@ static const struct inet6_protocol sctpv6_protocol = { .flags = INET6_PROTO_NOPOLICY | INET6_PROTO_FINAL, }; @@ -170481,7 +170481,7 @@ index 176af30..585194b 100644 .sa_family = AF_INET6, .sctp_xmit = sctp_v6_xmit, .setsockopt = ipv6_setsockopt, -@@ -1047,7 +1047,7 @@ void sctp_v6_pf_init(void) +@@ -1048,7 +1048,7 @@ void sctp_v6_pf_init(void) void sctp_v6_pf_exit(void) { @@ -170560,7 +170560,7 @@ index c345bf1..41a50e5 100644 NULL, sctp_cname, sctp_tname, sctp_oname, sctp_pname, }; diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index ca12aa3..7a691ba 100644 +index 6cbe5bd..04c4e00 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -4719,7 +4719,7 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv @@ -170581,7 +170581,7 @@ index ca12aa3..7a691ba 100644 if (copy_to_user(to, &temp, addrlen)) return -EFAULT; to += addrlen; -@@ -7854,6 +7856,10 @@ struct proto sctp_prot = { +@@ -7855,6 +7857,10 @@ struct proto sctp_prot = { .unhash = sctp_unhash, .get_port = sctp_get_port, .obj_size = sizeof(struct sctp_sock), @@ -209399,10 +209399,10 @@ index 0000000..1181e93 +size_mei_msg_data_65529_fields size mei_msg_data 0 65529 NULL diff --git a/scripts/gcc-plugins/size_overflow_plugin/e_fns.data b/scripts/gcc-plugins/size_overflow_plugin/e_fns.data new file mode 100644 -index 0000000..0d6ca5e +index 0000000..75e575c --- /dev/null +++ b/scripts/gcc-plugins/size_overflow_plugin/e_fns.data -@@ -0,0 +1,5031 @@ +@@ -0,0 +1,5032 @@ +logi_dj_recv_query_paired_devices_fndecl_13_fns logi_dj_recv_query_paired_devices fndecl 0 13 NULL +response_length_ib_uverbs_ex_destroy_wq_resp_15_fns response_length ib_uverbs_ex_destroy_wq_resp 0 15 NULL +kfd_wait_on_events_fndecl_19_fns kfd_wait_on_events fndecl 2 19 NULL @@ -210555,6 +210555,7 @@ index 0000000..0d6ca5e +elem_size_snd_array_15155_fns elem_size snd_array 0 15155 NULL nohasharray +chaoskey_read_fndecl_15155_fns chaoskey_read fndecl 3 15155 &elem_size_snd_array_15155_fns +walk_hugetlb_range_fndecl_15190_fns walk_hugetlb_range fndecl 0 15190 NULL ++get_registers_fndecl_15192_fns get_registers fndecl 3 15192 NULL +max_clk_sdhci_host_15206_fns max_clk sdhci_host 0 15206 NULL +nlm_end_grace_read_fndecl_15209_fns nlm_end_grace_read fndecl 3 15209 NULL +genwqe_ffdc_buff_size_fndecl_15236_fns genwqe_ffdc_buff_size fndecl 0 15236 NULL diff --git a/4.9.10/4425_grsec_remove_EI_PAX.patch b/4.9.11/4425_grsec_remove_EI_PAX.patch index 594598a..594598a 100644 --- a/4.9.10/4425_grsec_remove_EI_PAX.patch +++ b/4.9.11/4425_grsec_remove_EI_PAX.patch diff --git a/4.9.10/4426_default_XATTR_PAX_FLAGS.patch b/4.9.11/4426_default_XATTR_PAX_FLAGS.patch index f7e97b5..f7e97b5 100644 --- a/4.9.10/4426_default_XATTR_PAX_FLAGS.patch +++ b/4.9.11/4426_default_XATTR_PAX_FLAGS.patch diff --git a/4.9.10/4427_force_XATTR_PAX_tmpfs.patch b/4.9.11/4427_force_XATTR_PAX_tmpfs.patch index 3871139..3871139 100644 --- a/4.9.10/4427_force_XATTR_PAX_tmpfs.patch +++ b/4.9.11/4427_force_XATTR_PAX_tmpfs.patch diff --git a/4.9.10/4430_grsec-remove-localversion-grsec.patch b/4.9.11/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/4.9.10/4430_grsec-remove-localversion-grsec.patch +++ b/4.9.11/4430_grsec-remove-localversion-grsec.patch diff --git a/4.9.10/4435_grsec-mute-warnings.patch b/4.9.11/4435_grsec-mute-warnings.patch index 8929222..8929222 100644 --- a/4.9.10/4435_grsec-mute-warnings.patch +++ b/4.9.11/4435_grsec-mute-warnings.patch diff --git a/4.9.10/4440_grsec-remove-protected-paths.patch b/4.9.11/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/4.9.10/4440_grsec-remove-protected-paths.patch +++ b/4.9.11/4440_grsec-remove-protected-paths.patch diff --git a/4.9.10/4450_grsec-kconfig-default-gids.patch b/4.9.11/4450_grsec-kconfig-default-gids.patch index cee6e27..cee6e27 100644 --- a/4.9.10/4450_grsec-kconfig-default-gids.patch +++ b/4.9.11/4450_grsec-kconfig-default-gids.patch diff --git a/4.9.10/4465_selinux-avc_audit-log-curr_ip.patch b/4.9.11/4465_selinux-avc_audit-log-curr_ip.patch index 06a5294..06a5294 100644 --- a/4.9.10/4465_selinux-avc_audit-log-curr_ip.patch +++ b/4.9.11/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/4.9.10/4470_disable-compat_vdso.patch b/4.9.11/4470_disable-compat_vdso.patch index a1401d8..a1401d8 100644 --- a/4.9.10/4470_disable-compat_vdso.patch +++ b/4.9.11/4470_disable-compat_vdso.patch diff --git a/4.9.10/4475_emutramp_default_on.patch b/4.9.11/4475_emutramp_default_on.patch index feb8c7b..feb8c7b 100644 --- a/4.9.10/4475_emutramp_default_on.patch +++ b/4.9.11/4475_emutramp_default_on.patch |