[linux] 01/04: Update to 3.16.39
debian-kernel at lists.debian.org
Sat Dec 10 04:39:43 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie
in repository linux.
commit 6a73b7ecd0bd2d460d22829422061f5110956941
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Fri Dec 9 21:04:15 2016 +0000
Update to 3.16.39
Drop/refresh patches as appropriate.
This has some ABI breakers which will need to be fixed.
---
debian/changelog | 462 +++++++++++-
...ort-sprintf-buffer-in-proc-keys-show-func.patch | 70 --
...ilter-ensure-number-of-counters-is-0-in-d.patch | 53 --
...ck-size-values-after-double-fetch-from-us.patch | 65 --
...sa-compress-fix-an-integer-overflow-check.patch | 31 -
...fix-leak-in-events-via-snd_timer_user_cca.patch | 33 -
...fix-leak-in-events-via-snd_timer_user_tin.patch | 33 -
...imer-fix-leak-in-sndrv_timer_ioctl_params.patch | 33 -
...uble-fetch-in-audit_log_single_execve_arg.patch | 414 -----------
.../batman-adv-fix-double-put-of-vlan-object.patch | 29 -
...ix-potential-null-dereference-in-rfcomm-b.patch | 62 --
...validate-num_values-for-hidiocgusages-hid.patch | 41 --
.../keys-potential-uninitialized-variable.patch | 86 ---
...up_flags-FOLL_WRITE-games-from-__get_user.patch | 77 --
...rp_tables-simplify-translate_compat_table.patch | 208 ------
...nsure-number-of-counters-is-0-in-do_repla.patch | 120 ----
...p6_tables-simplify-translate_compat_table.patch | 185 -----
...p_tables-simplify-translate_compat_table-.patch | 184 -----
..._tables-add-and-use-xt_check_entry_offset.patch | 151 ----
..._tables-add-compat-version-of-xt_check_en.patch | 105 ---
...ilter-x_tables-assert-minimum-target-size.patch | 25 -
...er-x_tables-check-for-bogus-target-offset.patch | 164 -----
...r-x_tables-check-standard-target-size-too.patch | 60 --
..._tables-do-compat-validation-via-translat.patch | 781 ---------------------
..._tables-don-t-move-to-non-existent-next-r.patch | 100 ---
..._tables-don-t-reject-valid-target-size-on.patch | 54 --
..._tables-introduce-and-use-xt_copy_counter.patch | 331 ---------
...etfilter-x_tables-kill-check_entry-helper.patch | 149 ----
...-x_tables-speed-up-jump-target-validation.patch | 493 -------------
..._tables-validate-all-offsets-and-sizes-in.patch | 137 ----
...filter-x_tables-validate-targets-of-jumps.patch | 131 ----
..._tables-xt_compat_match_from_user-doesn-t.patch | 234 ------
.../nfsd-check-permissions-when-setting-ACLs.patch | 146 ----
.../bugfix/all/posix_acl-Add-set_posix_acl.patch | 82 ---
.../rds-fix-an-infoleak-in-rds_inc_info_copy.patch | 31 -
...-Buffer-overflow-in-arcmsr_iop_message_xf.patch | 46 --
...e-after-free-in-tcp_xmit_retransmit_queue.patch | 50 --
.../tcp-make-challenge-acks-less-predictable.patch | 71 --
...x-an-infoleak-in-tipc_nl_compat_link_dump.patch | 26 -
...usb-usbfs-fix-potential-infoleak-in-devio.patch | 41 --
...always-reclaim-in-start_thread-for-exec-c.patch | 106 ---
...tl-fix-potential-information-leak-with-de.patch | 52 --
...x-for-double-fetch-security-bug-in-vop-dr.patch | 37 -
debian/patches/debian/kernelvariables.patch | 6 +-
...ioctl-data-read-write-error-for-adapter-t.patch | 47 +-
...019-arcmsr-simplify-ioctl-data-read-write.patch | 59 +-
.../features/all/kdbus/shm-add-sealing-API.patch | 4 +-
...l-accesses-to-kvm-irq_routing-into-irqchi.patch | 4 +-
.../KVM-PPC-Book3S-HV-Fix-ABIv2-on-LE.patch | 57 +-
...-Provide-and-use-accessors-for-irq-routin.patch | 45 +-
...spend-resume-quirks-for-apple-thunderbolt.patch | 8 +-
debian/patches/series | 42 --
52 files changed, 566 insertions(+), 5495 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index d599d3c..6fe2202 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,464 @@
-linux (3.16.36-2) UNRELEASED; urgency=medium
+linux (3.16.39-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.37
+ - [x86] iommu/vt-d: Ratelimit fault handler
+ - xfs: disallow rw remount on fs with unknown ro-compat features
+ - Bluetooth: vhci: fix open_timeout vs. hdev race
+ - [x86] drm/i915: Prevent machine death on Ivybridge context switching
+ - scsi: Add intermediate STARGET_REMOVE state to scsi_target_state
+ - Revert "scsi: fix soft lockup in scsi_remove_target() on module removal"
+ - Bluetooth: vhci: Fix race at creating hci device
+ - EDAC: Increment correct counter in edac_inc_ue_error()
+ - ext4: fix data exposure after a crash
+ - [armhf] crypto: s5p-sss - Fix missed interrupts when working with
+ 8 kB blocks
+ - [armhf] crypto: s5p-sss - fix incorrect usage of scatterlists api
+ - btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in
+ btrfs_ioctl
+ - [arm*] KVM: Enforce Break-Before-Make on Stage-2 page tables
+ - aacraid: Relinquish CPU during timeout wait
+ - aacraid: Fix for aac_command_thread hang
+ - ext4: fix hang when processing corrupted orphaned inode list
+ - ext4: clean up error handling when orphan list is corrupted
+ - Revert "tty: Fix pty master poll() after slave closes v2"
+ - Fix OpenSSH pty regression on close
+ - cpufreq: Fix GOV_LIMITS handling for the userspace governor
+ - ACPI / sysfs: fix error code in get_status()
+ - ext4: fix oops on corrupted filesystem
+ - [arm64] Ensure pmd_present() returns false after pmd_mknotpresent()
+ - [armhf] dts: exynos: Add interrupt line to MAX8997 PMIC on
+ exynos4210-trats
+ - [mips*] Fix siginfo.h to use strict posix types
+ - USB: serial: keyspan,muxport,quatech2: fix use-after-free in probe
+ error path
+ - irqchip/gic: Ensure ordering between read of INTACK and shared data
+ - [powerpc*] mm/hash64: Fix subpage protection with 4K HPTE config
+ - rtlwifi: Fix logic error in enter/exit power-save mode
+ - sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded
+ systems
+ - [mips*] Fix race condition in lazy cache flushing.
+ - ring-buffer: Use long for nr_pages to avoid overflow failures
+ - ring-buffer: Prevent overflow of size in ring_buffer_resize()
+ - RDMA/iw_cxgb4: Always wake up waiter in c4iw_peer_abort_intr()
+ - IB/core: Fix a potential array overrun in CMA and SA agent
+ - i40e: fix an uninitialized variable bug
+ - mmc: mmc: Fix partition switch timeout for some eMMCs
+ - net/mlx4_core: Fix access to uninitialized index
+ - [x86] PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs
+ - PCI: Disable all BAR sizing for devices with non-compliant BARs
+ - netlink: Fix dump skb leak/double free
+ - sched/preempt: Fix preempt_count manipulations
+ - fs/cifs: correctly do anonymous authentication
+ - fs/cifs: remove directory incorrectly tries to set delete on close on
+ non-empty directories
+ - sunrpc: Update RPCBIND_MAXNETIDLEN
+ - cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter()
+ - batman-adv: fix skb deref after free
+ - batman-adv: Fix unexpected free of bcast_own on add_if error
+ - batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq
+ - xfs: xfs_iflush_cluster fails to abort on error
+ - xfs: fix inode validity check in xfs_iflush_cluster
+ - xfs: skip stale inodes in xfs_iflush_cluster
+ - crypto: public_key: select CRYPTO_AKCIPHER
+ - net: ehea: avoid null pointer dereference
+ - cifs: Create dedicated keyring for spnego operations
+ - Input: uinput - handle compat ioctl for UI_SET_PHYS
+ - PM / sleep: Handle failures in device_suspend_late() consistently
+ - tuntap: correctly wake up process during uninit
+ - scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands
+ - [x86] drm/i915: Don't leave old junk in ilk active watermarks on readout
+ - mmc: longer timeout for long read time quirk
+ - sunrpc: fix stripping of padded MIC tokens
+ - wait/ptrace: assume __WALL if the child is traced
+ - xen/events: Don't move disabled irqs
+ - UBI: do propagate positive error codes up
+ - UBI: fix missing brace control flow
+ - UBI: Fix static volume checks when Fastmap is used
+ - RDMA/cxgb3: device driver frees DMA memory with different size
+ - [x86] ALSA: hda - Fix headset mic detection problem for one Dell machine
+ - [x86] crypto: ccp - Fix AES XTS error for request sizes above 4096
+ - sfc: on MC reset, clear PIO buffer linkage in TXQs
+ - Input: xpad - prevent spurious input from wired Xbox 360 controllers
+ - Input: pwm-beeper - remove useless call to pwm_config()
+ - Input: pwm-beeper - fix - scheduling while atomic
+ - [mips*] fix read_msa_* & write_msa_* functions on non-MSA toolchains
+ - hpfs: fix remount failure when there are no options changed
+ - hpfs: implement the show_options method
+ - [powerpc*] pseries/eeh: Handle RTAS delay requests in configure_bridge
+ - [powerpc*] Fix definition of SIAR and SDAR registers
+ - [powerpc*] Use privileged SPR number for MMCR2
+ - mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL
+ - mac80211: mesh: flush mesh paths unconditionally
+ - [arm64] Provide "model name" in /proc/cpuinfo for PER_LINUX32 tasks
+ - scsi: Add QEMU CD-ROM to VPD Inquiry Blacklist
+ - ACPI / processor: Avoid reserving IO regions too early
+ - drm/nouveau/fbcon: fix out-of-bounds memory accesses
+ - [armel,armhf] fix PTRACE_SETVFPREGS on SMP systems
+ - KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi
+ - [x86] KVM: fix OOPS after invalid KVM_SET_DEBUGREGS
+ - ALSA: hda - Fix headset mic detection problem for Dell machine
+ - [powerpc*] pseries: Fix PCI config address for DDW
+ - mnt: fs_fully_visible test the proper mount for MNT_LOCKED
+ - IB/IPoIB: Fix race between ipoib_remove_one to sysfs functions
+ - IB/mlx5: Return PORT_ERR in Active to Initializing tranisition
+ - IB/mlx5: Fix returned values of query QP
+ - IB/IPoIB: Don't update neigh validity for unresolved entries
+ - tcp: record TLP and ER timer stats in v6 stats
+ - of: fix autoloading due to broken modalias with no 'compatible'
+ - [x86] cpufreq: intel_pstate: Fix ->set_policy() interface for no_turbo
+ - fs: fix d_walk()/non-delayed __d_free() race
+ - net/mlx5: Fix the size of modify QP mailbox
+ - net/mlx5: Fix masking of reserved bits in XRCD number
+ - uvc: Forward compat ioctls to their handlers directly
+ - [armhf] mfd: omap-usb-tll: Fix scheduling while atomic BUG
+ - [armhf] usb: dwc3: exynos: Fix deferred probing storm.
+ - usb: f_fs: off by one bug in _ffs_func_bind()
+ - usb: gadget: fix spinlock dead lock in gadgetfs
+ - usb: gadget: avoid exposing kernel stack
+ - HID: elo: kill not flush the work
+ - usb: xhci-plat: properly handle probe deferral for devm_clk_get()
+ - USB: quirks: Fix entries on wrong list in 3.16.y
+ - [armhf] usb: musb: Ensure rx reinit occurs for shared_fifo endpoints
+ - [armhf] usb: musb: Stop bulk endpoint while queue is rotated
+ - iio: Fix error handling in iio_trigger_attach_poll_func
+ - scsi: fix race between simultaneous decrements of ->host_failed
+ - [armel,armhf] 8578/1: mm: ensure pmd_present only checks the valid bit
+ - [armel,armhf] 8579/1: mm: Fix definition of pmd_mknotpresent
+ - drm/radeon: fix asic initialization for virtualized environments
+ - [armhf] spi: sun4i: fix FIFO limit
+ - [armhf] spi: sunxi: fix transfer timeout
+ - [x86] kprobes: Clear TF bit in fault on single-stepping
+ - kernel/sysrq, watchdog, sched/core: Reset watchdog on all CPUs while
+ processing sysrq-w
+ - ipv6: fix endianness error in icmpv6_err
+ - net_sched: introduce qdisc_replace() helper
+ - net_sched: update hierarchical backlog too
+ - netem: fix a use after free
+ - net_sched: fix pfifo_head_drop behavior vs backlog
+ - [x86] drm/i915/ilk: Don't disable SSC source if it's in use
+ - base: make module_create_drivers_dir race-free
+ - kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES
+ - [armhf] memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing
+ - IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs
+ - isa: Call isa_bus_init before dependent ISA bus drivers register
+ - [x86] hwmon: (dell-smm) Restrict fan control and serial number to
+ CAP_SYS_ADMIN by default
+ - tracing: Handle NULL formats in hold_module_trace_bprintk_format()
+ - [arm64] mm: remove page_mapping check in __sync_icache_dcache
+ - pinctrl: single: Fix missing flush of posted write for a wakeirq
+ - net/mlx4_en: Fix the return value of a failure in VLAN VID add/kill
+ - ubi: Make recover_peb power cut aware
+ - mm: Export migrate_page_move_mapping and migrate_page_copy
+ - UBIFS: Implement ->migratepage()
+ - [ppc64el] bpf/jit: Disable classic BPF JIT on ppc64le
+ - can: fix oops caused by wrong rtnl dellink usage
+ - xen/pciback: Fix conf_space read/write overlap check.
+ - IB/mlx5: Fix post send fence logic
+ - IB/mlx4: Fix the SQ size of an RC QP
+ - IB/mlx4: Fix error flow when sending mads under SRIOV
+ - IB/mlx4: Verify port number in flow steering create flow
+ - IB/mlx4: Fix memory leak if QP creation failed
+ - Input: wacom_w8001 - w8001_MAX_LENGTH should be 13
+ - cifs: use CIFS_MAX_DOMAINNAME_LEN when converting the domain name
+ - cifs: dynamic allocation of ntlmssp blob
+ - ALSA: dummy: Fix a use-after-free at closing
+ - cifs: Fix reconnect to not defer smb3 session reconnect long after socket
+ reconnect
+ - tmpfs: don't undo fallocate past its last page
+ - fs/nilfs2: fix potential underflow in call to crc32_le
+ - staging: iio: accel: fix error check
+ - [armhf,arm64] KVM: Stop leaking vcpu pid references
+ - make nfs_atomic_open() call d_drop() on all ->open_context() errors.
+ - USB: don't free bandwidth_mutex too early
+ - ALSA: echoaudio: Fix memory allocation
+ - [s390x] fix test_fp_ctl inline assembly contraints
+ - net: bgmac: Start transmit queue in bgmac_open
+ - net: bgmac: Remove superflous netif_carrier_on()
+ - mac80211: Fix mesh estab_plinks counting in STA removal case
+ - Bridge: Fix ipv6 mc snooping if bridge has no ipv6 address
+ - NFS: Fix another OPEN_DOWNGRADE bug
+ - ipr: Clear interrupt on croc/crocodile when running with LSI
+ - [powerpc*] tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0
+ - net: phy: Manage fixed PHY address space using IDA
+ - batman-adv: Fix memory leak on tt add with invalid vlan
+ - batman-adv: replace WARN with rate limited output on non-existing VLAN
+ - batman-adv: Fix use-after-free/double-free of tt_req_node
+ - batman-adv: Fix ICMP RR ethernet access after skb_linearize
+ - batman-adv: Clean up untagged vlan when destroying via rtnl-link
+ - qlcnic: use the correct ring in qlcnic_83xx_process_rcv_ring_diag()
+ - ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()
+ - [amd64] power: Fix kernel text mapping corruption during image
+ restoration
+ - [x86] amd_nb: Fix boot crash on non-AMD systems
+ - bonding: prevent out of bound accesses
+ - net/mlx5: Fix potential deadlock in command mode change
+ - net/mlx5: Add timeout handle to commands with callback
+ - block: fix use-after-free in sys_ioprio_get()
+ - ALSA: timer: Fix negative queue usage by racy accesses
+ - qeth: delete napi struct when removing a qeth device
+ - xenbus: don't bail early from xenbus_dev_request_and_reply()
+ - ecryptfs: don't allow mmap when the lower fs doesn't support it
+ - tmpfs: fix regression hang in fallocate undo
+ - fs: limit filesystem stacking depth
+ - proc: prevent stacking filesystems on top
+ - [powerpc*] KVM: Book3S HV: Pull out TM state save/restore into separate
+ procedures
+ - [powerpc*] KVM: Book3S HV: Save/restore TM state in H_CEDE
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.38
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.39
+ - HID: uhid: fix timeout when probe races with IO
+ - macvlan: Fix potential use-after free for broadcasts
+ - netlabel: add address family checks to netlbl_{sock,req}_delattr()
+ - em28xx-i2c: rt_mutex_trylock() returns zero on failure
+ - PCI: Mark Atheros AR9485 and QCA9882 to avoid bus reset
+ - [armhf] gpio: pca953x: Fix NBANK calculation for PCA9536
+ - random: print a warning for the first ten uninitialized random users
+ - [x86] random: add interrupt callback to VMBus IRQ handler
+ - sched/cputime: Fix prev steal time accouting during CPU hotplug
+ - [armel/kirkwood,armhf] mvebu: fix HW I/O coherency related deadlocks
+ - [armhf] usb: dwc3: fix for the isoc transfer EP_BUSY flag
+ - crypto: gcm - Filter out async ghash if necessary
+ - IB/mlx5: Fix MODIFY_QP command input structure
+ - drm/nouveau: Don't leak runtime pm ref on driver unload
+ - drm/radeon: Don't leak runtime pm ref on driver unload
+ - drm/radeon: Don't leak runtime pm ref on driver load
+ - tty/serial: atmel: fix RS485 half duplex with DMA
+ - [armhf] serial: samsung: Fix ERR pointer dereference on deferred probe
+ - [armhf] hwrng: omap - Fix assumption that runtime_get_sync will always
+ succeed
+ - hp-wmi: Fix wifi cannot be hard-unblocked
+ - Input: xpad - validate USB endpoint count during probe
+ - ath9k: Fix programming of minCCA power threshold
+ - ext4: check for extents that wrap around
+ - ext4: fix deadlock during page writeback
+ - ext4: don't call ext4_should_journal_data() on the journal inode
+ - batman-adv: Avoid nullptr dereference in bla after vlan_insert_tag
+ - batman-adv: Avoid nullptr dereference in dat after vlan_insert_tag
+ - batman-adv: Fix orig_node_vlan leak on orig_node_release
+ - batman-adv: lock crc access in bridge loop avoidance
+ - batman-adv: Fix non-atomic bla_claim::backbone_gw access
+ - batman-adv: Fix reference leak in batadv_find_router
+ - batman-adv: Free last_bonding_candidate on release of orig_node
+ - ext4: validate s_reserved_gdt_blocks on mount
+ - iwlwifi: pcie: fix access to scratch buffer
+ - [mips*] Fix page table corruption on THP permission changes.
+ - batman-adv: Fix speedy join in gateway client mode
+ - drm/radeon: add a delay after ATPX dGPU power off
+ - drm/radeon: Poll for both connect/disconnect on analog connectors
+ - ALSA: ctl: Stop notification after disconnection
+ - ALSA: pcm: Free chmap at PCM free callback, too
+ - [armhf] net: mvneta: set real interrupt per packet for tx_done
+ - ppp: defer netns reference release for ppp channel
+ - rtc: ds1307: Fix relying on reset value for weekday
+ - ngene: properly handle __user ptr
+ - media: dvb_ringbuffer: Add memory barriers
+ - [x86] quirks: Apply nvidia_bugs quirk only on root bus
+ - [x86] quirks: Reintroduce scanning of secondary buses
+ - [x86] quirks: Add early quirk to reset Apple AirPort card
+ - posix_cpu_timer: Exit early when process has been reaped
+ - ALSA: hda - fix use-after-free after module unload
+ - svc: Avoid garbage replies when pc_func() returns rpc_drop_reply
+ - NFS: Don't drop CB requests with invalid principals
+ - qxl: check for kmap failures
+ - cifs: Check for existing directory when opening file with O_CREAT
+ - net: ethoc: Fix early error paths
+ - [s390x] mm: fix gmap tlb flush issues
+ - [armel,armhf] 8561/3: dma-mapping: Don't use outer_flush_range when the
+ L2C is coherent
+ - [x86] KVM: nVMX: fix lifetime issues for vmcs02
+ - [x86] KVM: nVMX: Fix memory corruption when using VMCS shadowing
+ - ext4: fix reference counting bug on block allocation error
+ - ext4: short-cut orphan cleanup on error
+ - [powerpc*] tm: Fix stack pointer corruption in __tm_recheckpoint()
+ - Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU
+ - xfrm: fix crash in XFRM_MSG_GETSA netlink handler
+ - crypto: scatterwalk - Fix test in scatterwalk_done
+ - mmc: block: fix packed command header endianness
+ - crypto: nx - off by one bug in nx_of_update_msc()
+ - tpm: read burstcount from TPM_STS in one 32-bit transaction
+ - [arm64] debug: unmask PSTATE.D earlier
+ - brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain
+ - brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill
+ - brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get()
+ - mtd: nand: fix bug writing 1 byte less than page size
+ - target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP
+ - target: Fix race between iscsi-target connection shutdown + ABORT_TASK
+ - target: Fix max_unmap_lba_count calc overflow
+ - cifs: fix crash due to race in hmac(md5) handling
+ - hwmon: (adt7411) set bit 3 in CFG1 register
+ - iscsi-target: Fix panic when adding second TCP connection to iSCSI session
+ - tty/vt/keyboard: fix OOB access in do_compute_shiftstate()
+ - [mips*] bpf: fix off-by-one in ctx offset allocation
+ - libceph: set 'exists' flag for newly up osd
+ - libceph: apply new_state before new_up_client on incrementals
+ - [x86] gpio: intel-mid: Remove potentially harmful code
+ - nfs: don't create zero-length requests
+ - radix-tree: fix radix_tree_iter_retry() for tagged iterators.
+ - pps: do not crash when failed to register
+ - [armhf] OMAP3: hwmod data: Add sysc information for DSI
+ - net/irda: fix NULL pointer dereference on memory allocation failure
+ - l2tp: Correctly return -EBADF from pppol2tp_getname.
+ - ceph: Correctly return NXIO errors from ceph_llseek
+ - CIFS: Fix a possible invalid memory access in smb2_query_symlink()
+ - [mips*] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit
+ userspace
+ - drm/radeon: fix firmware info version checks
+ - fuse: fsync() did not return IO errors
+ - fuse: fuse_flush must check mapping->flags for errors
+ - fuse: fix wrong assignment of ->flags in fuse_send_init()
+ - ubi: Fix race condition between ubi device creation and udev
+ - ubi: Make volume resize power cut aware
+ - ubi: Be more paranoid while seaching for the most recent Fastmap
+ - drm/nouveau/fbcon: fix font width not divisible by 8
+ - drm/nouveau/acpi: ensure matching ACPI handle and supported functions
+ - drm/nouveau/acpi: check for function 0x1B before using it
+ - tcp: consider recv buf for the initial window scale
+ - ext4: validate that metadata blocks do not overlap superblock
+ - ALSA: hda - On-board speaker fixup on ACER Veriton
+ - [amd64] syscalls: Add compat_sys_keyctl for 32-bit userspace
+ - balloon: check the number of available pages in leak balloon
+ - dm flakey: error READ bios during the down_interval
+ - mm/hugetlb: avoid soft lockup in set_max_huge_pages()
+ - sysv, ipc: fix security-layer leaking
+ - ALSA: hda: Fix krealloc() with __GFP_ZERO usage
+ - block: fix use-after-free in seq file
+ - block: fix bdi vs gendisk lifetime mismatch
+ - mac80211: fix purging multicast PS buffer queue
+ - SUNRPC: allow for upcalls for same uid but different gss service
+ - USB: serial: fix memleak in driver-registration error path
+ - vfio/pci: Fix NULL pointer oops in error interrupt setup handling
+ - [x86] drm/edid: Add 6 bpc quirk for display AEO model 0.
+ - [x86] drm/i915/dp: Revert "drm/i915/dp: fall back to 18 bpp when sink
+ capability is unknown"
+ - [powerpc*] powernv: Fix MCE handler to avoid trashing CR0/CR1 registers.
+ - netfilter: nf_ct_expect: remove the redundant slash when policy name is
+ empty
+ - netfilter: nfnetlink_queue: reject verdict request from different portid
+ - [powerpc*] book3s: Fix MCE console messages for unrecoverable MCE.
+ - USB: validate wMaxPacketValue entries in endpoint descriptors
+ - cpuset: make sure new tasks conform to the current config of the cpuset
+ - [s390x] dasd: fix hanging device after clear subchannel
+ - [armhf] usb: dwc3: gadget: increment request->actual once
+ - [x86] mm: Disable preemption during CR3 read+write
+ - megaraid_sas: Fix probing cards without io port
+ - PM / hibernate: Restore processor state before using per-CPU variables
+ - ipv6: suppress sparse warnings in IP6_ECN_set_ce()
+ - USB: serial: mos7720: fix non-atomic allocation in write path
+ - USB: serial: mos7840: fix non-atomic allocation in write path
+ - cdc-acm: fix wrong pipe type on rx interrupt xfers
+ - scsi: fix upper bounds check of sense key in scsi_sense_key_string()
+ - xhci: always handle "Command Ring Stopped" events
+ - usb: xhci: Fix panic if disconnect
+ - xhci: don't dereference a xhci member after removing xhci
+ - [x86] KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write
+ - bcache: register_bcache(): call blkdev_put() when cache_alloc() fails
+ - bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power
+ of two.
+ - drm/radeon: fix radeon_move_blit on 32bit systems
+ - net/mlx5: Added missing check of msg length in verifying its signature
+ - [x86] staging: comedi: daqboard2000: bug fix board type matching code
+ - [x86] staging: comedi: ni_mio_common: fix AO inttrig backwards
+ compatibility
+ - [armhf] iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access
+ - [powerpc*] pseries: use pci_host_bridge.release_fn() to kfree(phb)
+ - [powerpc*] prom: Fix sub-processor option passed to ibm,
+ client-architecture-support
+ - drm: Reject page_flip for !DRIVER_MODESET
+ - USB: fix typo in wMaxPacketSize validation
+ - USB: avoid left shift by -1
+ - ubifs: Fix assertion in layout_in_gaps()
+ - tun: fix transmit timestamp support
+ - timekeeping: Cap array access in timekeeping_debug
+ - [x86] apic: Do not init irq remapping if ioapic is disabled
+ - usb: gadget: udc: core: don't starve DMA resources
+ - qdisc: fix a module refcount leak in qdisc_create_dflt()
+ - [armel/kirkwood] ib62x0: fix size of u-boot environment partition
+ - batman-adv: Add missing refcnt for last_candidate
+ - [armhf] clocksource/drivers/sun4i: Clear interrupts after stopping timer
+ in probe function
+ - printk: fix parsing of "brl=" option
+ - fs/seq_file: fix out-of-bounds read
+ - [powerpc*] powernv : Drop reference added by kset_find_obj()
+ - ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE
+ - ALSA: timer: fix NULL pointer dereference on memory allocation failure
+ - NFSv4.x: Fix a refcount leak in nfs_callback_up_net
+ - dm crypt: fix free of bad values after tfm allocation failure
+ - kernfs: don't depend on d_find_any_alias() when generating notifications
+ - ALSA: fireworks: accessing to user space outside spinlock
+ - ipv6: add missing netconf notif when 'all' is updated
+ - tcp: fastopen: fix rcv_wup initialization for TFO server on SYN/data
+ - kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd
+ - ALSA: timer: fix NULL pointer dereference in read()/ioctl() race
+ - [x86] paravirt: Do not trace _paravirt_ident_*() functions
+ - IB/core: Fix use after free in send_leave function
+ - IB/ipoib: Fix memory corruption in ipoib cm mode connect flow
+ - [x86] AMD: Apply erratum 665 on machines without a BIOS fix
+ - l2tp: fix use-after-free during module unload
+ - iio: fix pressure data output unit in hid-sensor-attributes
+ - sched/core: Fix a race between try_to_wake_up() and a woken up task
+ - [x86] efi/libstub: Allocate headspace in efi_get_memory_map()
+ - iio:core: fix IIO_VAL_FRACTIONAL sign handling
+ - Btrfs: add missing blk_finish_plug in btrfs_sync_log()
+ - Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns
+ - ipv6: addrconf: fix dev refcont leak when DAD failed
+ - crypto: cryptd - initialize child shash_desc on import
+ - ALSA: timer: Fix zero-division by continue of uninitialized instance
+ - ALSA: rawmidi: Fix possible deadlock with virmidi registration
+ - xfrm_user: propagate sec ctx allocation errors
+ - [armhf,arm64] kvm-arm: Unmap shadow pagetables properly
+ - [arm64] spinlocks: implement smp_mb__before_spinlock() as smp_mb()
+ - asm-generic: make copy_from_user() zero the destination properly
+ - NFSv4.1: Fix the CREATE_SESSION slot number accounting
+ - crypto: skcipher - Fix blkcipher walk OOM crash
+ - [arm64] crypto: aes-ctr - fix NULL dereference in tail processing
+ - nl80211: validate number of probe response CSA counters
+ - asm-generic: make get_user() clear the destination on errors
+ - [mips*] copy_from_user() must zero the destination on access_ok() failure
+ - [powerpc] ppc32: fix copy_from_user()
+ - [s390x] get_user() should zero on failure
+ - [x86] perf/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2
+ - USB: change bInterval default to 10 ms
+ - IB/ipoib: Don't allow MC joins during light MC flush
+ - IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV
+ - IB/mlx4: Fix code indentation in QP1 MAD flow
+ - IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV
+ - irda: Free skb on irda_accept error path.
+ - xfrm: Fix memory leak of aead algorithm name
+ - ocfs2/dlm: fix race between convert and migration
+ - fsnotify: add a way to stop queueing events on group shutdown
+ - ocfs2: fix start offset to ocfs2_zero_range_for_truncate()
+ - fix fault_in_multipages_...() on architectures with no-op access_ok()
+ - [x86] i2c-eg20t: fix race between i2c init and interrupt enable
+ - btrfs: ensure that file descriptor used with subvol ioctls is a dir
+ - can: dev: fix deadlock reported after bus-off
+ - ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit path.
+ - ip6_gre: fix flowi6_proto value in ip6gre_xmit_other()
+ - tracing: Move mutex to protect against resetting of seq data
+ - ipmr, ip6mr: fix scheduling while atomic and a deadlock with
+ ipmr_get_route
+ - drm/radeon/si/dpm: add workaround for for Jet parts
+ - mm,ksm: fix endless looping in allocating memory when ksm enable
+ - [armel,armhf] 8617/1: dma: fix dma_max_pfn()
+ - [mips*/5kc-malta] Fix IOCU disable switch read for MIPS64
+ - mm: workingset: fix crash in shadow node shrinker caused by
+ replace_page_cache_page()
+ - [armhf] 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7
+ - [arm64] perf: reject groups spanning multiple HW PMUs (CVE-2015-8955)
+ - firewire: net: guard against rx buffer overflows (CVE-2016-8633)
+ - brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
+ - vfio/pci: Fix integer overflows, bitmask check (CVE-2016-9083,
+ CVE-2016-9084)
+ - fs: Give dentry to inode_change_ok() instead of inode
+ - fs: Avoid premature clearing of capabilities (CVE-2015-1350)
+ (Closes: #770492)
+ - posix_acl: Clear SGID bit when setting file permissions (CVE-2016-7097)
+ - staging: comedi: ni_mio_common: fix wrong insn_write handler
+ - xenbus: don't BUG() on user mode induced condition
+ - xenbus: don't look up transaction IDs for ordinary writes
+ - compiler-gcc: disable -ftracer for __noclone functions
+ - PM / devfreq: Fix incorrect type issue.
+ - mm: filemap: don't plant shadow entries without radix tree node
[ Aurelien Jarno ]
* [mips*] Fix ptrace handling of any syscalls returning ENOSYS.
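Review bot: The ChangeLog-3.16.38 URL in the new 3.16.39-1 entry has no items under it and is followed directly by the ChangeLog-3.16.39 URL, so a reader cannot tell whether that update had nothing worth listing for this package or its items were left out. Suggest either listing its changes or adding a short remark under the URL saying why none are listed. The commit message also says this update "has some ABI breakers which will need to be fixed", but the changelog entry does not record that; a placeholder item for the pending ABI work would keep it from being lost while the entry is still UNRELEASED. The security fixes near the end of the 3.16.39 list carry CVE ids, while the many bugfix patches dropped in the diffstat are not mentioned in the changelog at all, which makes it hard to audit which stable update supersedes each one.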
diff --git a/debian/patches/bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch b/debian/patches/bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch
deleted file mode 100644
index 9041055..0000000
--- a/debian/patches/bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Thu, 13 Oct 2016 22:38:46 +0200
-Subject: KEYS: Fix short sprintf buffer in /proc/keys show function
-Origin: https://bugzilla.redhat.com/attachment.cgi?id=1200212
-
-Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector
-is turned on, this can cause a panic due to stack corruption.
-
-The problem is that xbuf[] is not big enough to hold a 64-bit timeout
-rendered as weeks:
-
- (gdb) p 0xffffffffffffffffULL/(60*60*24*7)
- $2 = 30500568904943
-
-That's 14 chars plus NUL, not 11 chars plus NUL.
-
-Expand the buffer to 16 chars.
-
-I think the unpatched code apparently works if the stack-protector is not
-enabled because on a 32-bit machine the buffer won't be overflowed and on a
-64-bit machine there's a 64-bit aligned pointer at one side and an int that
-isn't checked again on the other side.
-
-The panic incurred looks something like:
-
-Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
-CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
-Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
- 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
- ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
- ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
-Call Trace:
- [<ffffffff813d941f>] dump_stack+0x63/0x84
- [<ffffffff811b2cb6>] panic+0xde/0x22a
- [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
- [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
- [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
- [<ffffffff81350410>] ? key_validate+0x50/0x50
- [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
- [<ffffffff8126b31c>] seq_read+0x2cc/0x390
- [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
- [<ffffffff81244fc7>] __vfs_read+0x37/0x150
- [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
- [<ffffffff81246156>] vfs_read+0x96/0x130
- [<ffffffff81247635>] SyS_read+0x55/0xc0
- [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4
-
-Reported-by: Ondrej Kozina <okozina at redhat.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-Tested-by: Ondrej Kozina <okozina at redhat.com>
----
- security/keys/proc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/security/keys/proc.c b/security/keys/proc.c
-index f0611a6..b9f531c 100644
---- a/security/keys/proc.c
-+++ b/security/keys/proc.c
-@@ -181,7 +181,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
- struct timespec now;
- unsigned long timo;
- key_ref_t key_ref, skey_ref;
-- char xbuf[12];
-+ char xbuf[16];
- int rc;
-
- struct keyring_search_context ctx = {
---
-2.9.3
-
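Review bot: the Origin of this dropped patch is a Red Hat Bugzilla attachment (id=1200212), not an upstream commit, so nothing in the patch header can be matched against the 3.16.39 stable changelog. Before relying on the drop, confirm that proc_keys_show() in security/keys/proc.c of 3.16.39 declares char xbuf[16], and name the upstream commit in the changelog entry so the removal can be audited later.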
diff --git a/debian/patches/bugfix/all/Revert-netfilter-ensure-number-of-counters-is-0-in-d.patch b/debian/patches/bugfix/all/Revert-netfilter-ensure-number-of-counters-is-0-in-d.patch
deleted file mode 100644
index 98ce9e7..0000000
--- a/debian/patches/bugfix/all/Revert-netfilter-ensure-number-of-counters-is-0-in-d.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From: Bernhard Thaler <bernhard.thaler at wvnet.at>
-Date: Thu, 28 May 2015 10:26:18 +0200
-Subject: Revert "netfilter: ensure number of counters is >0 in do_replace()"
-Origin: https://git.kernel.org/linus/d26e2c9ffa385dd1b646f43c1397ba12af9ed431
-
-This partially reverts commit 1086bbe97a07 ("netfilter: ensure number of
-counters is >0 in do_replace()") in net/bridge/netfilter/ebtables.c.
-
-Setting rules with ebtables does not work any more with 1086bbe97a07 place.
-
-There is an error message and no rules set in the end.
-
-e.g.
-
-~# ebtables -t nat -A POSTROUTING --src 12:34:56:78:9a:bc -j DROP
-Unable to update the kernel. Two possible causes:
-1. Multiple ebtables programs were executing simultaneously. The ebtables
- userspace tool doesn't by default support multiple ebtables programs
-running
-
-Reverting the ebtables part of 1086bbe97a07 makes this work again.
-
-Signed-off-by: Bernhard Thaler <bernhard.thaler at wvnet.at>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- net/bridge/netfilter/ebtables.c | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
-index 24c7c96..91180a7 100644
---- a/net/bridge/netfilter/ebtables.c
-+++ b/net/bridge/netfilter/ebtables.c
-@@ -1117,8 +1117,6 @@ static int do_replace(struct net *net, const void __user *user,
- return -ENOMEM;
- if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
- return -ENOMEM;
-- if (tmp.num_counters == 0)
-- return -EINVAL;
-
- tmp.name[sizeof(tmp.name) - 1] = 0;
-
-@@ -2161,8 +2159,6 @@ static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl,
- return -ENOMEM;
- if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
- return -ENOMEM;
-- if (tmp.num_counters == 0)
-- return -EINVAL;
-
- memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
-
---
-2.8.1
-
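Review bot: dropping a revert is only safe if 3.16.39 either carries d26e2c9ffa38 itself or never took the ebtables part of 1086bbe97a07. If the "tmp.num_counters == 0" / "return -EINVAL" pair is present in do_replace() or compat_copy_ebt_replace_from_user() after the rebase, rule loading breaks again as the commit message describes. Check both functions in net/bridge/netfilter/ebtables.c and rerun the quoted "ebtables -t nat -A POSTROUTING ..." command on a test build.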
diff --git a/debian/patches/bugfix/all/aacraid-Check-size-values-after-double-fetch-from-us.patch b/debian/patches/bugfix/all/aacraid-Check-size-values-after-double-fetch-from-us.patch
deleted file mode 100644
index 5ad08eb..0000000
--- a/debian/patches/bugfix/all/aacraid-Check-size-values-after-double-fetch-from-us.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From: Dave Carroll <david.carroll at microsemi.com>
-Date: Fri, 5 Aug 2016 13:44:10 -0600
-Subject: aacraid: Check size values after double-fetch from user
-Origin: https://git.kernel.org/linus/fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3
-
-In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
-get the fib header's size and one for the fib itself. Later we use the
-size field from the second fetch to further process the fib. If for some
-reason the size from the second fetch is different than from the first
-fix, we may encounter an out-of- bounds access in aac_fib_send(). We
-also check the sender size to insure it is not out of bounds. This was
-reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
-assigned CVE-2016-6480.
-
-Reported-by: Pengfei Wang <wpengfeinudt at gmail.com>
-Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
-Cc: stable at vger.kernel.org
-Signed-off-by: Dave Carroll <david.carroll at microsemi.com>
-Reviewed-by: Johannes Thumshirn <jthumshirn at suse.de>
-Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
----
- drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
-index b381b37..5648b71 100644
---- a/drivers/scsi/aacraid/commctrl.c
-+++ b/drivers/scsi/aacraid/commctrl.c
-@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
- struct fib *fibptr;
- struct hw_fib * hw_fib = (struct hw_fib *)0;
- dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
-- unsigned size;
-+ unsigned int size, osize;
- int retval;
-
- if (dev->in_reset) {
-@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
- * will not overrun the buffer when we copy the memory. Return
- * an error if we would.
- */
-- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
-+ osize = size = le16_to_cpu(kfib->header.Size) +
-+ sizeof(struct aac_fibhdr);
- if (size < le16_to_cpu(kfib->header.SenderSize))
- size = le16_to_cpu(kfib->header.SenderSize);
- if (size > dev->max_fib_size) {
-@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
- goto cleanup;
- }
-
-+ /* Sanity check the second copy */
-+ if ((osize != le16_to_cpu(kfib->header.Size) +
-+ sizeof(struct aac_fibhdr))
-+ || (size < le16_to_cpu(kfib->header.SenderSize))) {
-+ retval = -EINVAL;
-+ goto cleanup;
-+ }
-+
- if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
- aac_adapter_interrupt(dev);
- /*
---
-2.1.4
-
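Review bot: this patch file is where the tree recorded the fix for CVE-2016-6480, and removing it removes that record. Make sure the 3.16.39 changelog entry names the CVE, and check that ioctl_send_fib() in the new base still has both halves of the "Sanity check the second copy" test (the osize comparison and the SenderSize comparison), since a backport that kept only one would leave the double fetch partly unchecked.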
diff --git a/debian/patches/bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch b/debian/patches/bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch
deleted file mode 100644
index 355f805..0000000
--- a/debian/patches/bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Dan Carpenter <dan.carpenter at oracle.com>
-Date: Wed, 16 Jul 2014 09:37:04 +0300
-Subject: ALSA: compress: fix an integer overflow check
-Origin: https://git.kernel.org/linus/6217e5ede23285ddfee10d2e4ba0cc2d4c046205
-
-I previously added an integer overflow check here but looking at it now,
-it's still buggy.
-
-The bug happens in snd_compr_allocate_buffer(). We multiply
-".fragments" and ".fragment_size" and that doesn't overflow but then we
-save it in an unsigned int so it truncates the high bits away and we
-allocate a smaller than expected size.
-
-Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
-Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
----
- sound/core/compress_offload.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/sound/core/compress_offload.c
-+++ b/sound/core/compress_offload.c
-@@ -500,7 +500,7 @@ static int snd_compress_check_input(stru
- {
- /* first let's check the buffer parameter's */
- if (params->buffer.fragment_size == 0 ||
-- params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
-+ params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
- return -EINVAL;
-
- /* now codec parameters */
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
deleted file mode 100644
index 3dc238a..0000000
--- a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Kangjie Lu <kangjielu at gmail.com>
-Date: Tue, 3 May 2016 16:44:20 -0400
-Subject: ALSA: timer: Fix leak in events via snd_timer_user_ccallback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 306a93d..cc3c08d 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1223,6 +1223,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
- tu->tstamp = *tstamp;
- if ((tu->filter & (1 << event)) == 0 || !tu->tread)
- return;
-+ memset(&r1, 0, sizeof(r1));
- r1.event = event;
- r1.tstamp = *tstamp;
- r1.val = resolution;
---
-2.8.1
-
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
deleted file mode 100644
index e319d5b..0000000
--- a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Kangjie Lu <kangjielu at gmail.com>
-Date: Tue, 3 May 2016 16:44:32 -0400
-Subject: ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/e4ec8cc8039a7063e24204299b462bd1383184a5
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index cc3c08d..e722022 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1266,6 +1266,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
- }
- if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
- tu->last_resolution != resolution) {
-+ memset(&r1, 0, sizeof(r1));
- r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
- r1.tstamp = tstamp;
- r1.val = resolution;
---
-2.8.1
-
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
deleted file mode 100644
index 76407cc..0000000
--- a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Kangjie Lu <kangjielu at gmail.com>
-Date: Tue, 3 May 2016 16:44:07 -0400
-Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/cec8f96e49d9be372fdb0c3836dcf31ec71e457e
-
-The stack object “tread” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 0cfc028..306a93d 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1737,6 +1737,7 @@ static int snd_timer_user_params(struct file *file,
- if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
- if (tu->tread) {
- struct snd_timer_tread tread;
-+ memset(&tread, 0, sizeof(tread));
- tread.event = SNDRV_TIMER_EVENT_EARLY;
- tread.tstamp.tv_sec = 0;
- tread.tstamp.tv_nsec = 0;
---
-2.8.1
-
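Review bot: the three alsa-timer patches dropped here were applied as one series against sound/core/timer.c (index lines 0cfc028..306a93d, 306a93d..cc3c08d, cc3c08d..e722022), so the rebase has to account for all three memset() calls, not just one. Verify that 3.16.39 zeroes tread in snd_timer_user_params() and r1 in both snd_timer_user_ccallback() and snd_timer_user_tinterrupt() before the struct is filled in and passed on.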
diff --git a/debian/patches/bugfix/all/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch b/debian/patches/bugfix/all/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
deleted file mode 100644
index 45567fd..0000000
--- a/debian/patches/bugfix/all/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
+++ /dev/null
@@ -1,414 +0,0 @@
-From: Paul Moore <paul at paul-moore.com>
-Date: Tue, 19 Jul 2016 17:42:57 -0400
-Subject: audit: fix a double fetch in audit_log_single_execve_arg()
-
-commit 43761473c254b45883a64441dd0bc85a42f3645c upstream.
-
-There is a double fetch problem in audit_log_single_execve_arg()
-where we first check the execve(2) argumnets for any "bad" characters
-which would require hex encoding and then re-fetch the arguments for
-logging in the audit record[1]. Of course this leaves a window of
-opportunity for an unsavory application to munge with the data.
-
-This patch reworks things by only fetching the argument data once[2]
-into a buffer where it is scanned and logged into the audit
-records(s). In addition to fixing the double fetch, this patch
-improves on the original code in a few other ways: better handling
-of large arguments which require encoding, stricter record length
-checking, and some performance improvements (completely unverified,
-but we got rid of some strlen() calls, that's got to be a good
-thing).
-
-As part of the development of this patch, I've also created a basic
-regression test for the audit-testsuite, the test can be tracked on
-GitHub at the following link:
-
- * https://github.com/linux-audit/audit-testsuite/issues/25
-
-[1] If you pay careful attention, there is actually a triple fetch
-problem due to a strnlen_user() call at the top of the function.
-
-[2] This is a tiny white lie, we do make a call to strnlen_user()
-prior to fetching the argument data. I don't like it, but due to the
-way the audit record is structured we really have no choice unless we
-copy the entire argument at once (which would require a rather
-wasteful allocation). The good news is that with this patch the
-kernel no longer relies on this strnlen_user() value for anything
-beyond recording it in the log, we also update it with a trustworthy
-value whenever possible.
-
-Reported-by: Pengfei Wang <wpengfeinudt at gmail.com>
-Signed-off-by: Paul Moore <paul at paul-moore.com>
-[bwh: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- kernel/auditsc.c | 332 +++++++++++++++++++++++++++----------------------------
- 1 file changed, 164 insertions(+), 168 deletions(-)
-
---- a/kernel/auditsc.c
-+++ b/kernel/auditsc.c
-@@ -71,6 +71,7 @@
- #include <linux/fs_struct.h>
- #include <linux/compat.h>
- #include <linux/ctype.h>
-+#include <linux/uaccess.h>
-
- #include "audit.h"
-
-@@ -79,7 +80,8 @@
- #define AUDITSC_SUCCESS 1
- #define AUDITSC_FAILURE 2
-
--/* no execve audit message should be longer than this (userspace limits) */
-+/* no execve audit message should be longer than this (userspace limits),
-+ * see the note near the top of audit_log_execve_info() about this value */
- #define MAX_EXECVE_AUDIT_LEN 7500
-
- /* max length to print of cmdline/proctitle value during audit */
-@@ -1015,185 +1017,178 @@ static int audit_log_pid_context(struct
- return rc;
- }
-
--/*
-- * to_send and len_sent accounting are very loose estimates. We aren't
-- * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
-- * within about 500 bytes (next page boundary)
-- *
-- * why snprintf? an int is up to 12 digits long. if we just assumed when
-- * logging that a[%d]= was going to be 16 characters long we would be wasting
-- * space in every audit message. In one 7500 byte message we can log up to
-- * about 1000 min size arguments. That comes down to about 50% waste of space
-- * if we didn't do the snprintf to find out how long arg_num_len was.
-- */
--static int audit_log_single_execve_arg(struct audit_context *context,
-- struct audit_buffer **ab,
-- int arg_num,
-- size_t *len_sent,
-- const char __user *p,
-- char *buf)
--{
-- char arg_num_len_buf[12];
-- const char __user *tmp_p = p;
-- /* how many digits are in arg_num? 5 is the length of ' a=""' */
-- size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
-- size_t len, len_left, to_send;
-- size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
-- unsigned int i, has_cntl = 0, too_long = 0;
-- int ret;
--
-- /* strnlen_user includes the null we don't want to send */
-- len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
-+static void audit_log_execve_info(struct audit_context *context,
-+ struct audit_buffer **ab)
-+{
-+ long len_max;
-+ long len_rem;
-+ long len_full;
-+ long len_buf;
-+ long len_abuf;
-+ long len_tmp;
-+ bool require_data;
-+ bool encode;
-+ unsigned int iter;
-+ unsigned int arg;
-+ char *buf_head;
-+ char *buf;
-+ const char __user *p = (const char __user *)current->mm->arg_start;
-
-- /*
-- * We just created this mm, if we can't find the strings
-- * we just copied into it something is _very_ wrong. Similar
-- * for strings that are too long, we should not have created
-- * any.
-- */
-- if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
-- WARN_ON(1);
-- send_sig(SIGKILL, current, 0);
-- return -1;
-+ /* NOTE: this buffer needs to be large enough to hold all the non-arg
-+ * data we put in the audit record for this argument (see the
-+ * code below) ... at this point in time 96 is plenty */
-+ char abuf[96];
-+
-+ /* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
-+ * current value of 7500 is not as important as the fact that it
-+ * is less than 8k, a setting of 7500 gives us plenty of wiggle
-+ * room if we go over a little bit in the logging below */
-+ WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
-+ len_max = MAX_EXECVE_AUDIT_LEN;
-+
-+ /* scratch buffer to hold the userspace args */
-+ buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
-+ if (!buf_head) {
-+ audit_panic("out of memory for argv string");
-+ return;
- }
-+ buf = buf_head;
-+
-+ audit_log_format(*ab, "argc=%d", context->execve.argc);
-
-- /* walk the whole argument looking for non-ascii chars */
-+ len_rem = len_max;
-+ len_buf = 0;
-+ len_full = 0;
-+ require_data = true;
-+ encode = false;
-+ iter = 0;
-+ arg = 0;
- do {
-- if (len_left > MAX_EXECVE_AUDIT_LEN)
-- to_send = MAX_EXECVE_AUDIT_LEN;
-- else
-- to_send = len_left;
-- ret = copy_from_user(buf, tmp_p, to_send);
-- /*
-- * There is no reason for this copy to be short. We just
-- * copied them here, and the mm hasn't been exposed to user-
-- * space yet.
-- */
-- if (ret) {
-- WARN_ON(1);
-- send_sig(SIGKILL, current, 0);
-- return -1;
-- }
-- buf[to_send] = '\0';
-- has_cntl = audit_string_contains_control(buf, to_send);
-- if (has_cntl) {
-- /*
-- * hex messages get logged as 2 bytes, so we can only
-- * send half as much in each message
-- */
-- max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
-- break;
-- }
-- len_left -= to_send;
-- tmp_p += to_send;
-- } while (len_left > 0);
--
-- len_left = len;
--
-- if (len > max_execve_audit_len)
-- too_long = 1;
--
-- /* rewalk the argument actually logging the message */
-- for (i = 0; len_left > 0; i++) {
-- int room_left;
--
-- if (len_left > max_execve_audit_len)
-- to_send = max_execve_audit_len;
-- else
-- to_send = len_left;
--
-- /* do we have space left to send this argument in this ab? */
-- room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
-- if (has_cntl)
-- room_left -= (to_send * 2);
-- else
-- room_left -= to_send;
-- if (room_left < 0) {
-- *len_sent = 0;
-- audit_log_end(*ab);
-- *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
-- if (!*ab)
-- return 0;
-- }
-+ /* NOTE: we don't ever want to trust this value for anything
-+ * serious, but the audit record format insists we
-+ * provide an argument length for really long arguments,
-+ * e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
-+ * to use strncpy_from_user() to obtain this value for
-+ * recording in the log, although we don't use it
-+ * anywhere here to avoid a double-fetch problem */
-+ if (len_full == 0)
-+ len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
-+
-+ /* read more data from userspace */
-+ if (require_data) {
-+ /* can we make more room in the buffer? */
-+ if (buf != buf_head) {
-+ memmove(buf_head, buf, len_buf);
-+ buf = buf_head;
-+ }
-
-- /*
-- * first record needs to say how long the original string was
-- * so we can be sure nothing was lost.
-- */
-- if ((i == 0) && (too_long))
-- audit_log_format(*ab, " a%d_len=%zu", arg_num,
-- has_cntl ? 2*len : len);
--
-- /*
-- * normally arguments are small enough to fit and we already
-- * filled buf above when we checked for control characters
-- * so don't bother with another copy_from_user
-- */
-- if (len >= max_execve_audit_len)
-- ret = copy_from_user(buf, p, to_send);
-- else
-- ret = 0;
-- if (ret) {
-- WARN_ON(1);
-- send_sig(SIGKILL, current, 0);
-- return -1;
-- }
-- buf[to_send] = '\0';
-+ /* fetch as much as we can of the argument */
-+ len_tmp = strncpy_from_user(&buf_head[len_buf], p,
-+ len_max - len_buf);
-+ if (len_tmp == -EFAULT) {
-+ /* unable to copy from userspace */
-+ send_sig(SIGKILL, current, 0);
-+ goto out;
-+ } else if (len_tmp == (len_max - len_buf)) {
-+ /* buffer is not large enough */
-+ require_data = true;
-+ /* NOTE: if we are going to span multiple
-+ * buffers force the encoding so we stand
-+ * a chance at a sane len_full value and
-+ * consistent record encoding */
-+ encode = true;
-+ len_full = len_full * 2;
-+ p += len_tmp;
-+ } else {
-+ require_data = false;
-+ if (!encode)
-+ encode = audit_string_contains_control(
-+ buf, len_tmp);
-+ /* try to use a trusted value for len_full */
-+ if (len_full < len_max)
-+ len_full = (encode ?
-+ len_tmp * 2 : len_tmp);
-+ p += len_tmp + 1;
-+ }
-+ len_buf += len_tmp;
-+ buf_head[len_buf] = '\0';
-
-- /* actually log it */
-- audit_log_format(*ab, " a%d", arg_num);
-- if (too_long)
-- audit_log_format(*ab, "[%d]", i);
-- audit_log_format(*ab, "=");
-- if (has_cntl)
-- audit_log_n_hex(*ab, buf, to_send);
-- else
-- audit_log_string(*ab, buf);
--
-- p += to_send;
-- len_left -= to_send;
-- *len_sent += arg_num_len;
-- if (has_cntl)
-- *len_sent += to_send * 2;
-- else
-- *len_sent += to_send;
-- }
-- /* include the null we didn't log */
-- return len + 1;
--}
-+ /* length of the buffer in the audit record? */
-+ len_abuf = (encode ? len_buf * 2 : len_buf + 2);
-+ }
-
--static void audit_log_execve_info(struct audit_context *context,
-- struct audit_buffer **ab)
--{
-- int i, len;
-- size_t len_sent = 0;
-- const char __user *p;
-- char *buf;
-+ /* write as much as we can to the audit log */
-+ if (len_buf > 0) {
-+ /* NOTE: some magic numbers here - basically if we
-+ * can't fit a reasonable amount of data into the
-+ * existing audit buffer, flush it and start with
-+ * a new buffer */
-+ if ((sizeof(abuf) + 8) > len_rem) {
-+ len_rem = len_max;
-+ audit_log_end(*ab);
-+ *ab = audit_log_start(context,
-+ GFP_KERNEL, AUDIT_EXECVE);
-+ if (!*ab)
-+ goto out;
-+ }
-
-- p = (const char __user *)current->mm->arg_start;
-+ /* create the non-arg portion of the arg record */
-+ len_tmp = 0;
-+ if (require_data || (iter > 0) ||
-+ ((len_abuf + sizeof(abuf)) > len_rem)) {
-+ if (iter == 0) {
-+ len_tmp += snprintf(&abuf[len_tmp],
-+ sizeof(abuf) - len_tmp,
-+ " a%d_len=%lu",
-+ arg, len_full);
-+ }
-+ len_tmp += snprintf(&abuf[len_tmp],
-+ sizeof(abuf) - len_tmp,
-+ " a%d[%d]=", arg, iter++);
-+ } else
-+ len_tmp += snprintf(&abuf[len_tmp],
-+ sizeof(abuf) - len_tmp,
-+ " a%d=", arg);
-+ WARN_ON(len_tmp >= sizeof(abuf));
-+ abuf[sizeof(abuf) - 1] = '\0';
-+
-+ /* log the arg in the audit record */
-+ audit_log_format(*ab, "%s", abuf);
-+ len_rem -= len_tmp;
-+ len_tmp = len_buf;
-+ if (encode) {
-+ if (len_abuf > len_rem)
-+ len_tmp = len_rem / 2; /* encoding */
-+ audit_log_n_hex(*ab, buf, len_tmp);
-+ len_rem -= len_tmp * 2;
-+ len_abuf -= len_tmp * 2;
-+ } else {
-+ if (len_abuf > len_rem)
-+ len_tmp = len_rem - 2; /* quotes */
-+ audit_log_n_string(*ab, buf, len_tmp);
-+ len_rem -= len_tmp + 2;
-+ /* don't subtract the "2" because we still need
-+ * to add quotes to the remaining string */
-+ len_abuf -= len_tmp;
-+ }
-+ len_buf -= len_tmp;
-+ buf += len_tmp;
-+ }
-
-- audit_log_format(*ab, "argc=%d", context->execve.argc);
-+ /* ready to move to the next argument? */
-+ if ((len_buf == 0) && !require_data) {
-+ arg++;
-+ iter = 0;
-+ len_full = 0;
-+ require_data = true;
-+ encode = false;
-+ }
-+ } while (arg < context->execve.argc);
-
-- /*
-- * we need some kernel buffer to hold the userspace args. Just
-- * allocate one big one rather than allocating one of the right size
-- * for every single argument inside audit_log_single_execve_arg()
-- * should be <8k allocation so should be pretty safe.
-- */
-- buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
-- if (!buf) {
-- audit_panic("out of memory for argv string");
-- return;
-- }
-+ /* NOTE: the caller handles the final audit_log_end() call */
-
-- for (i = 0; i < context->execve.argc; i++) {
-- len = audit_log_single_execve_arg(context, ab, i,
-- &len_sent, p, buf);
-- if (len <= 0)
-- break;
-- p += len;
-- }
-- kfree(buf);
-+out:
-+ kfree(buf_head);
- }
-
- static void show_special(struct audit_context *context, int *call_panic)
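Review bot: in the dropped backport the NOTE above "len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;" says the code uses strncpy_from_user() to obtain the length, which contradicts both the call below it and footnote [2] of the commit message. Nothing to change in this commit since the file goes away, but when diffing against kernel/auditsc.c in 3.16.39 expect the same comment, and compare the code rather than the comments: this is a 414-line backport with adjusted context, so confirm the new base has the single-fetch audit_log_execve_info() loop and no remaining audit_log_single_execve_arg().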
diff --git a/debian/patches/bugfix/all/batman-adv-fix-double-put-of-vlan-object.patch b/debian/patches/bugfix/all/batman-adv-fix-double-put-of-vlan-object.patch
deleted file mode 100644
index 0bf41c1..0000000
--- a/debian/patches/bugfix/all/batman-adv-fix-double-put-of-vlan-object.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Sun, 26 Jun 2016 11:16:11 +0200
-Subject: batman-adv: Fix double-put of vlan object
-Origin: http://mid.gmane.org/1466932573-23105-3-git-send-email-sven@narfation.org
-
-Each batadv_tt_local_entry hold a single reference to a
-batadv_softif_vlan. In case a new entry cannot be added to the hash
-table, the error path puts the reference, but the reference will also
-now be dropped by batadv_tt_local_entry_release().
-
-Fixes: a33d970d0b54 ("batman-adv: Fix reference counting of vlan object for tt_local_entry")
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-Signed-off-by: Marek Lindner <mareklindner at neomailbox.ch>
-Signed-off-by: Sven Eckelmann <sven at narfation.org>
-[bwh: For 3.16: s/_put/_free_ref/ in function names]
----
- net/batman-adv/translation-table.c | 1 -
- 1 file changed, 1 deletion(-)
-
---- a/net/batman-adv/translation-table.c
-+++ b/net/batman-adv/translation-table.c
-@@ -613,7 +613,6 @@ bool batadv_tt_local_add(struct net_devi
- if (unlikely(hash_added != 0)) {
- /* remove the reference for the hash */
- batadv_tt_local_entry_free_ref(tt_local);
-- batadv_softif_vlan_free_ref(vlan);
- goto out;
- }
-
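Review bot: this patch was adapted for 3.16 (s/_put/_free_ref/ in function names) and its Origin is a mailing-list message id, so it cannot be matched to the stable tree by subject or commit id alone. Check the hash_added != 0 error path of batadv_tt_local_add() in 3.16.39: it should call batadv_tt_local_entry_free_ref(tt_local) only, with no batadv_softif_vlan_free_ref(vlan) after it, otherwise the double put returns.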
diff --git a/debian/patches/bugfix/all/bluetooth-fix-potential-null-dereference-in-rfcomm-b.patch b/debian/patches/bugfix/all/bluetooth-fix-potential-null-dereference-in-rfcomm-b.patch
deleted file mode 100644
index 34b2051..0000000
--- a/debian/patches/bugfix/all/bluetooth-fix-potential-null-dereference-in-rfcomm-b.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From: Jaganath Kanakkassery <jaganath.k at samsung.com>
-Date: Thu, 14 May 2015 12:58:08 +0530
-Subject: Bluetooth: Fix potential NULL dereference in RFCOMM bind callback
-Origin: https://git.kernel.org/linus/951b6a0717db97ce420547222647bcc40bf1eacd
-
-addr can be NULL and it should not be dereferenced before NULL checking.
-
-Signed-off-by: Jaganath Kanakkassery <jaganath.k at samsung.com>
-Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
----
- net/bluetooth/rfcomm/sock.c | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
-index b2338e9..7511df7 100644
---- a/net/bluetooth/rfcomm/sock.c
-+++ b/net/bluetooth/rfcomm/sock.c
-@@ -334,16 +334,19 @@ static int rfcomm_sock_create(struct net *net, struct socket *sock,
-
- static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
- {
-- struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
-+ struct sockaddr_rc sa;
- struct sock *sk = sock->sk;
-- int chan = sa->rc_channel;
-- int err = 0;
--
-- BT_DBG("sk %p %pMR", sk, &sa->rc_bdaddr);
-+ int len, err = 0;
-
- if (!addr || addr->sa_family != AF_BLUETOOTH)
- return -EINVAL;
-
-+ memset(&sa, 0, sizeof(sa));
-+ len = min_t(unsigned int, sizeof(sa), addr_len);
-+ memcpy(&sa, addr, len);
-+
-+ BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
-+
- lock_sock(sk);
-
- if (sk->sk_state != BT_OPEN) {
-@@ -358,12 +361,13 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr
-
- write_lock(&rfcomm_sk_list.lock);
-
-- if (chan && __rfcomm_get_listen_sock_by_addr(chan, &sa->rc_bdaddr)) {
-+ if (sa.rc_channel &&
-+ __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
- err = -EADDRINUSE;
- } else {
- /* Save source address */
-- bacpy(&rfcomm_pi(sk)->src, &sa->rc_bdaddr);
-- rfcomm_pi(sk)->channel = chan;
-+ bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
-+ rfcomm_pi(sk)->channel = sa.rc_channel;
- sk->sk_state = BT_BOUND;
- }
-
---
-2.9.3
-
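Review bot: the commit message of this dropped patch mentions only the NULL check, but the hunk in rfcomm_sock_bind() also replaces the cast of addr with a zeroed local struct sockaddr_rc filled by memcpy() of min_t(unsigned int, sizeof(sa), addr_len) bytes, which bounds the read when addr_len is short. When confirming the fix is in 3.16.39, check for the local copy as well as the moved BT_DBG() call, and describe both effects in the changelog.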
diff --git a/debian/patches/bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch b/debian/patches/bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
deleted file mode 100644
index be2f2f1..0000000
--- a/debian/patches/bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Scott Bauer <sbauer at plzdonthack.me>
-Date: Thu, 23 Jun 2016 08:59:47 -0600
-Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES
- commands
-Origin: https://git.kernel.org/linus/93a2001bdfd5376c3dc2158653034c20392d15c5
-
-This patch validates the num_values parameter from userland during the
-HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
-to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
-leading to a heap overflow.
-
-Cc: stable at vger.kernel.org
-Signed-off-by: Scott Bauer <sbauer at plzdonthack.me>
-Signed-off-by: Jiri Kosina <jkosina at suse.cz>
----
- drivers/hid/usbhid/hiddev.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
-index 2f1ddca6f2e0..700145b15088 100644
---- a/drivers/hid/usbhid/hiddev.c
-+++ b/drivers/hid/usbhid/hiddev.c
-@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
- goto inval;
- } else if (uref->usage_index >= field->report_count)
- goto inval;
--
-- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-- uref->usage_index + uref_multi->num_values > field->report_count))
-- goto inval;
- }
-
-+ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-+ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-+ uref->usage_index + uref_multi->num_values > field->report_count))
-+ goto inval;
-+
- switch (cmd) {
- case HIDIOCGUSAGE:
- uref->value = field->value[uref->usage_index];
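Review bot: the fix in this dropped patch is purely about placement: the num_values test has to sit after the closing brace of the else block in hiddev_ioctl_usage() so that it also runs when the report id is HID_REPORT_ID_UNKNOWN. A context-only comparison can miss that, so in 3.16.39 confirm the "cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES" condition is a standalone if immediately before "switch (cmd)", not an else-if inside the block.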
diff --git a/debian/patches/bugfix/all/keys-potential-uninitialized-variable.patch b/debian/patches/bugfix/all/keys-potential-uninitialized-variable.patch
deleted file mode 100644
index e58c076..0000000
--- a/debian/patches/bugfix/all/keys-potential-uninitialized-variable.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From: Dan Carpenter <dan.carpenter at oracle.com>
-Date: Thu, 16 Jun 2016 15:48:57 +0100
-Subject: KEYS: potential uninitialized variable
-Origin: https://git.kernel.org/linus/38327424b40bcebe2de92d07312c89360ac9229a
-
-If __key_link_begin() failed then "edit" would be uninitialized. I've
-added a check to fix that.
-
-This allows a random user to crash the kernel, though it's quite
-difficult to achieve. There are three ways it can be done as the user
-would have to cause an error to occur in __key_link():
-
- (1) Cause the kernel to run out of memory. In practice, this is difficult
- to achieve without ENOMEM cropping up elsewhere and aborting the
- attempt.
-
- (2) Revoke the destination keyring between the keyring ID being looked up
- and it being tested for revocation. In practice, this is difficult to
- time correctly because the KEYCTL_REJECT function can only be used
- from the request-key upcall process. Further, users can only make use
- of what's in /sbin/request-key.conf, though this does including a
- rejection debugging test - which means that the destination keyring
- has to be the caller's session keyring in practice.
-
- (3) Have just enough key quota available to create a key, a new session
- keyring for the upcall and a link in the session keyring, but not then
- sufficient quota to create a link in the nominated destination keyring
- so that it fails with EDQUOT.
-
-The bug can be triggered using option (3) above using something like the
-following:
-
- echo 80 >/proc/sys/kernel/keys/root_maxbytes
- keyctl request2 user debug:fred negate @t
-
-The above sets the quota to something much lower (80) to make the bug
-easier to trigger, but this is dependent on the system. Note also that
-the name of the keyring created contains a random number that may be
-between 1 and 10 characters in size, so may throw the test off by
-changing the amount of quota used.
-
-Assuming the failure occurs, something like the following will be seen:
-
- kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h
- ------------[ cut here ]------------
- kernel BUG at ../mm/slab.c:2821!
- ...
- RIP: 0010:[<ffffffff811600f9>] kfree_debugcheck+0x20/0x25
- RSP: 0018:ffff8804014a7de8 EFLAGS: 00010092
- RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000
- RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300
- RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000
- R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202
- R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001
- ...
- Call Trace:
- kfree+0xde/0x1bc
- assoc_array_cancel_edit+0x1f/0x36
- __key_link_end+0x55/0x63
- key_reject_and_link+0x124/0x155
- keyctl_reject_key+0xb6/0xe0
- keyctl_negate_key+0x10/0x12
- SyS_keyctl+0x9f/0xe7
- do_syscall_64+0x63/0x13a
- entry_SYSCALL64_slow_path+0x25/0x25
-
-Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()')
-Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-cc: stable at vger.kernel.org
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- security/keys/key.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/security/keys/key.c
-+++ b/security/keys/key.c
-@@ -575,7 +575,7 @@ int key_reject_and_link(struct key *key,
-
- mutex_unlock(&key_construction_mutex);
-
-- if (keyring)
-+ if (keyring && link_ret == 0)
- __key_link_end(keyring, &key->index_key, edit);
-
- /* wake up anyone waiting for a key to be constructed */
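Review bot: the fix carried in this file is a single condition, `if (keyring && link_ret == 0)` ahead of `__key_link_end()` in key_reject_and_link(), so it can disappear silently if the stable merge resolved that context differently. Please check security/keys/key.c after the rebase for the `link_ret == 0` guard rather than relying on the patch no longer applying. The symptom quoted in the description (kfree_debugcheck on an out-of-range 6b6b6b6b6b6b6b68h pointer, reached through assoc_array_cancel_edit) is worth keeping in the changelog entry so a regression is recognisable from an oops.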
diff --git a/debian/patches/bugfix/all/mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch b/debian/patches/bugfix/all/mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch
deleted file mode 100644
index 8505ef0..0000000
--- a/debian/patches/bugfix/all/mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From bd2f56577e4066fcd61eab60d817e86ae8d4c6bf Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds at linux-foundation.org>
-Date: Thu, 13 Oct 2016 13:07:36 -0700
-Subject: [PATCH 01/11] mm: remove gup_flags FOLL_WRITE games from
- __get_user_pages()
-
-This is an ancient bug that was actually already fixed once (badly) by
-me eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race
-for write access") but that was then undone due to problems on s390 by
-commit f33ea7f404e5 ("fix get_user_pages bug").
-
-In the meantime, the s390 situation has long been fixed, and we can once
-more try to fix it by checking the pte_dirty() bit properly (and do it
-better). We introduce a new internal FOLL_COW flag to mark the "yes, we
-already did a COW" rather than play racy games with FOLL_WRITE that is
-very fundamental.
-
-Reported-and-tested-by: Phil "not Paul" Oester <kernel at linuxace.com>
-Cc: Andy Lutomirski <luto at amacapital.net>
-Cc: Kees Cook <keescook at chromium.org>
-Cc: Oleg Nesterov <oleg at redhat.com>
-Cc: Willy Tarreau <w at 1wt.eu>
-Cc: stable at vger.kernel.org
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-[carnil: backport to 3.16, adjust context]
----
- include/linux/mm.h | 1 +
- mm/gup.c | 14 ++++++++++++--
- 2 files changed, 13 insertions(+), 2 deletions(-)
-
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -2029,6 +2029,7 @@ static inline struct page *follow_page(s
- #define FOLL_HWPOISON 0x100 /* check page is hwpoisoned */
- #define FOLL_NUMA 0x200 /* force NUMA hinting page fault */
- #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */
-+#define FOLL_COW 0x4000 /* internal GUP flag */
-
- typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
- void *data);
---- a/mm/gup.c
-+++ b/mm/gup.c
-@@ -28,6 +28,16 @@ static struct page *no_page_table(struct
- return NULL;
- }
-
-+/*
-+ * FOLL_FORCE can write to even unwritable pte's, but only
-+ * after we've gone through a COW cycle and they are dirty.
-+ */
-+static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
-+{
-+ return pte_write(pte) ||
-+ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
-+}
-+
- static struct page *follow_page_pte(struct vm_area_struct *vma,
- unsigned long address, pmd_t *pmd, unsigned int flags)
- {
-@@ -62,7 +72,7 @@ retry:
- }
- if ((flags & FOLL_NUMA) && pte_numa(pte))
- goto no_page;
-- if ((flags & FOLL_WRITE) && !pte_write(pte)) {
-+ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {
- pte_unmap_unlock(ptep, ptl);
- return NULL;
- }
-@@ -302,7 +312,7 @@ static int faultin_page(struct task_stru
- * reCOWed by userspace write).
- */
- if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))
-- *flags &= ~FOLL_WRITE;
-+ *flags |= FOLL_COW;
- return 0;
- }
-
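Review bot: unlike the other dropped patches, this one has no Origin: line, only the `From bd2f56577e4066fcd61eab60d817e86ae8d4c6bf` mbox header and the tag `[carnil: backport to 3.16, adjust context]`, so nothing in the file identifies which commit in 3.16.39 replaces it. Please name that commit in the changelog and verify all three parts after the rebase: the FOLL_COW define in include/linux/mm.h, can_follow_write_pte() used by follow_page_pte(), and `*flags |= FOLL_COW` in place of `*flags &= ~FOLL_WRITE` in faultin_page(). A partial match would leave the FOLL_WRITE handling that the description calls racy.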
diff --git a/debian/patches/bugfix/all/netfilter-arp_tables-simplify-translate_compat_table.patch b/debian/patches/bugfix/all/netfilter-arp_tables-simplify-translate_compat_table.patch
deleted file mode 100644
index bbd7bdc..0000000
--- a/debian/patches/bugfix/all/netfilter-arp_tables-simplify-translate_compat_table.patch
+++ /dev/null
@@ -1,208 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 14:17:32 +0200
-Subject: netfilter: arp_tables: simplify translate_compat_table args
-Origin: https://git.kernel.org/linus/8dddd32756f6fe8e4e82a63361119b7e2384e02f
-
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-[bwh: Backported to 3.6: adjust context]
----
- net/ipv4/netfilter/arp_tables.c | 82 ++++++++++++++++++-----------------------
- 1 file changed, 36 insertions(+), 46 deletions(-)
-
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -1204,6 +1204,18 @@ static int do_add_counters(struct net *n
- }
-
- #ifdef CONFIG_COMPAT
-+struct compat_arpt_replace {
-+ char name[XT_TABLE_MAXNAMELEN];
-+ u32 valid_hooks;
-+ u32 num_entries;
-+ u32 size;
-+ u32 hook_entry[NF_ARP_NUMHOOKS];
-+ u32 underflow[NF_ARP_NUMHOOKS];
-+ u32 num_counters;
-+ compat_uptr_t counters;
-+ struct compat_arpt_entry entries[0];
-+};
-+
- static inline void compat_release_entry(struct compat_arpt_entry *e)
- {
- struct xt_entry_target *t;
-@@ -1219,8 +1231,7 @@ check_compat_entry_size_and_hooks(struct
- const unsigned char *base,
- const unsigned char *limit,
- const unsigned int *hook_entries,
-- const unsigned int *underflows,
-- const char *name)
-+ const unsigned int *underflows)
- {
- struct xt_entry_target *t;
- struct xt_target *target;
-@@ -1291,7 +1302,7 @@ out:
-
- static int
- compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
-- unsigned int *size, const char *name,
-+ unsigned int *size,
- struct xt_table_info *newinfo, unsigned char *base)
- {
- struct xt_entry_target *t;
-@@ -1324,14 +1335,9 @@ compat_copy_entry_from_user(struct compa
- return ret;
- }
-
--static int translate_compat_table(const char *name,
-- unsigned int valid_hooks,
-- struct xt_table_info **pinfo,
-+static int translate_compat_table(struct xt_table_info **pinfo,
- void **pentry0,
-- unsigned int total_size,
-- unsigned int number,
-- unsigned int *hook_entries,
-- unsigned int *underflows)
-+ const struct compat_arpt_replace *compatr)
- {
- unsigned int i, j;
- struct xt_table_info *newinfo, *info;
-@@ -1343,8 +1349,8 @@ static int translate_compat_table(const
-
- info = *pinfo;
- entry0 = *pentry0;
-- size = total_size;
-- info->number = number;
-+ size = compatr->size;
-+ info->number = compatr->num_entries;
-
- /* Init all hooks to impossible value. */
- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
-@@ -1355,40 +1361,39 @@ static int translate_compat_table(const
- duprintf("translate_compat_table: size %u\n", info->size);
- j = 0;
- xt_compat_lock(NFPROTO_ARP);
-- xt_compat_init_offsets(NFPROTO_ARP, number);
-+ xt_compat_init_offsets(NFPROTO_ARP, compatr->num_entries);
- /* Walk through entries, checking offsets. */
-- xt_entry_foreach(iter0, entry0, total_size) {
-+ xt_entry_foreach(iter0, entry0, compatr->size) {
- ret = check_compat_entry_size_and_hooks(iter0, info, &size,
- entry0,
-- entry0 + total_size,
-- hook_entries,
-- underflows,
-- name);
-+ entry0 + compatr->size,
-+ compatr->hook_entry,
-+ compatr->underflow);
- if (ret != 0)
- goto out_unlock;
- ++j;
- }
-
- ret = -EINVAL;
-- if (j != number) {
-+ if (j != compatr->num_entries) {
- duprintf("translate_compat_table: %u not %u entries\n",
-- j, number);
-+ j, compatr->num_entries);
- goto out_unlock;
- }
-
- /* Check hooks all assigned */
- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
- /* Only hooks which are valid */
-- if (!(valid_hooks & (1 << i)))
-+ if (!(compatr->valid_hooks & (1 << i)))
- continue;
- if (info->hook_entry[i] == 0xFFFFFFFF) {
- duprintf("Invalid hook entry %u %u\n",
-- i, hook_entries[i]);
-+ i, info->hook_entry[i]);
- goto out_unlock;
- }
- if (info->underflow[i] == 0xFFFFFFFF) {
- duprintf("Invalid underflow %u %u\n",
-- i, underflows[i]);
-+ i, info->underflow[i]);
- goto out_unlock;
- }
- }
-@@ -1398,17 +1403,17 @@ static int translate_compat_table(const
- if (!newinfo)
- goto out_unlock;
-
-- newinfo->number = number;
-+ newinfo->number = compatr->num_entries;
- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
- newinfo->hook_entry[i] = info->hook_entry[i];
- newinfo->underflow[i] = info->underflow[i];
- }
- entry1 = newinfo->entries[raw_smp_processor_id()];
- pos = entry1;
-- size = total_size;
-- xt_entry_foreach(iter0, entry0, total_size) {
-+ size = compatr->size;
-+ xt_entry_foreach(iter0, entry0, compatr->size) {
- ret = compat_copy_entry_from_user(iter0, &pos, &size,
-- name, newinfo, entry1);
-+ newinfo, entry1);
- if (ret != 0)
- break;
- }
-@@ -1418,12 +1423,12 @@ static int translate_compat_table(const
- goto free_newinfo;
-
- ret = -ELOOP;
-- if (!mark_source_chains(newinfo, valid_hooks, entry1))
-+ if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
- goto free_newinfo;
-
- i = 0;
- xt_entry_foreach(iter1, entry1, newinfo->size) {
-- ret = check_target(iter1, name);
-+ ret = check_target(iter1, compatr->name);
- if (ret != 0)
- break;
- ++i;
-@@ -1468,7 +1473,7 @@ static int translate_compat_table(const
- free_newinfo:
- xt_free_table_info(newinfo);
- out:
-- xt_entry_foreach(iter0, entry0, total_size) {
-+ xt_entry_foreach(iter0, entry0, compatr->size) {
- if (j-- == 0)
- break;
- compat_release_entry(iter0);
-@@ -1480,18 +1485,6 @@ out_unlock:
- goto out;
- }
-
--struct compat_arpt_replace {
-- char name[XT_TABLE_MAXNAMELEN];
-- u32 valid_hooks;
-- u32 num_entries;
-- u32 size;
-- u32 hook_entry[NF_ARP_NUMHOOKS];
-- u32 underflow[NF_ARP_NUMHOOKS];
-- u32 num_counters;
-- compat_uptr_t counters;
-- struct compat_arpt_entry entries[0];
--};
--
- static int compat_do_replace(struct net *net, void __user *user,
- unsigned int len)
- {
-@@ -1522,10 +1515,7 @@ static int compat_do_replace(struct net
- goto free_newinfo;
- }
-
-- ret = translate_compat_table(tmp.name, tmp.valid_hooks,
-- &newinfo, &loc_cpu_entry, tmp.size,
-- tmp.num_entries, tmp.hook_entry,
-- tmp.underflow);
-+ ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp);
- if (ret != 0)
- goto free_newinfo;
-
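Review bot: in the dropped arp_tables refactor, the two duprintf() calls under "Check hooks all assigned" were changed to print `info->hook_entry[i]` and `info->underflow[i]`, which at that point have just compared equal to 0xFFFFFFFF, so the debug output no longer shows the offset userspace supplied; `compatr->hook_entry[i]` and `compatr->underflow[i]` would keep the old meaning. The ip6_tables and ip_tables variants removed later in this commit make the same substitution. If 3.16.39 carries the refactor in this form, that is worth raising upstream. The header tag "Backported to 3.6" also looks like a typo for 3.16, which is what the sibling patches say.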
diff --git a/debian/patches/bugfix/all/netfilter-ensure-number-of-counters-is-0-in-do_repla.patch b/debian/patches/bugfix/all/netfilter-ensure-number-of-counters-is-0-in-do_repla.patch
deleted file mode 100644
index 8d93acb..0000000
--- a/debian/patches/bugfix/all/netfilter-ensure-number-of-counters-is-0-in-do_repla.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From: Dave Jones <davej at codemonkey.org.uk>
-Date: Tue, 19 May 2015 20:55:17 -0400
-Subject: netfilter: ensure number of counters is >0 in do_replace()
-Origin: https://git.kernel.org/linus/1086bbe97a074844188c6c988fa0b1a98c3ccbb9
-
-After improving setsockopt() coverage in trinity, I started triggering
-vmalloc failures pretty reliably from this code path:
-
-warn_alloc_failed+0xe9/0x140
-__vmalloc_node_range+0x1be/0x270
-vzalloc+0x4b/0x50
-__do_replace+0x52/0x260 [ip_tables]
-do_ipt_set_ctl+0x15d/0x1d0 [ip_tables]
-nf_setsockopt+0x65/0x90
-ip_setsockopt+0x61/0xa0
-raw_setsockopt+0x16/0x60
-sock_common_setsockopt+0x14/0x20
-SyS_setsockopt+0x71/0xd0
-
-It turns out we don't validate that the num_counters field in the
-struct we pass in from userspace is initialized.
-
-The same problem also exists in ebtables, arptables, ipv6, and the
-compat variants.
-
-Signed-off-by: Dave Jones <davej at codemonkey.org.uk>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- net/bridge/netfilter/ebtables.c | 4 ++++
- net/ipv4/netfilter/arp_tables.c | 6 ++++++
- net/ipv4/netfilter/ip_tables.c | 6 ++++++
- net/ipv6/netfilter/ip6_tables.c | 6 ++++++
- 4 files changed, 22 insertions(+)
-
---- a/net/bridge/netfilter/ebtables.c
-+++ b/net/bridge/netfilter/ebtables.c
-@@ -1105,6 +1105,8 @@ static int do_replace(struct net *net, c
- return -ENOMEM;
- if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
- return -ENOMEM;
-+ if (tmp.num_counters == 0)
-+ return -EINVAL;
-
- tmp.name[sizeof(tmp.name) - 1] = 0;
-
-@@ -2150,6 +2152,8 @@ static int compat_copy_ebt_replace_from_
- return -ENOMEM;
- if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
- return -ENOMEM;
-+ if (tmp.num_counters == 0)
-+ return -EINVAL;
-
- memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
-
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -1082,6 +1082,9 @@ static int do_replace(struct net *net, c
- /* overflow check */
- if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
- return -ENOMEM;
-+ if (tmp.num_counters == 0)
-+ return -EINVAL;
-+
- tmp.name[sizeof(tmp.name)-1] = 0;
-
- newinfo = xt_alloc_table_info(tmp.size);
-@@ -1392,6 +1395,9 @@ static int compat_do_replace(struct net
- return -ENOMEM;
- if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
- return -ENOMEM;
-+ if (tmp.num_counters == 0)
-+ return -EINVAL;
-+
- tmp.name[sizeof(tmp.name)-1] = 0;
-
- newinfo = xt_alloc_table_info(tmp.size);
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -1268,6 +1268,9 @@ do_replace(struct net *net, const void _
- /* overflow check */
- if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
- return -ENOMEM;
-+ if (tmp.num_counters == 0)
-+ return -EINVAL;
-+
- tmp.name[sizeof(tmp.name)-1] = 0;
-
- newinfo = xt_alloc_table_info(tmp.size);
-@@ -1669,6 +1672,9 @@ compat_do_replace(struct net *net, void
- return -ENOMEM;
- if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
- return -ENOMEM;
-+ if (tmp.num_counters == 0)
-+ return -EINVAL;
-+
- tmp.name[sizeof(tmp.name)-1] = 0;
-
- newinfo = xt_alloc_table_info(tmp.size);
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -1278,6 +1278,9 @@ do_replace(struct net *net, const void _
- /* overflow check */
- if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
- return -ENOMEM;
-+ if (tmp.num_counters == 0)
-+ return -EINVAL;
-+
- tmp.name[sizeof(tmp.name)-1] = 0;
-
- newinfo = xt_alloc_table_info(tmp.size);
-@@ -1672,6 +1675,9 @@ compat_do_replace(struct net *net, void
- return -ENOMEM;
- if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
- return -ENOMEM;
-+ if (tmp.num_counters == 0)
-+ return -EINVAL;
-+
- tmp.name[sizeof(tmp.name)-1] = 0;
-
- newinfo = xt_alloc_table_info(tmp.size);
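Review bot: this patch adds the `tmp.num_counters == 0` rejection at eight sites (do_replace() and the compat path in each of ebtables, arp_tables, ip_tables and ip6_tables), so dropping it is only safe if every one of them is in the rebased tree; checking do_replace() alone would miss the compat variants the description calls out. Please grep the 3.16.39 sources for all eight before removing the file. The test only rejects zero and leaves the upper bound to the existing `INT_MAX / sizeof(...)` comparison just above it, so both checks need to be present at each site.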
diff --git a/debian/patches/bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch b/debian/patches/bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch
deleted file mode 100644
index a565ef4..0000000
--- a/debian/patches/bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 14:17:31 +0200
-Subject: netfilter: ip6_tables: simplify translate_compat_table args
-Origin: https://git.kernel.org/linus/329a0807124f12fe1c8032f95d8a8eb47047fb0e
-
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-[bwh: Backported to 3.16: adjust context]
----
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -1456,7 +1456,6 @@ compat_copy_entry_to_user(struct ip6t_en
-
- static int
- compat_find_calc_match(struct xt_entry_match *m,
-- const char *name,
- const struct ip6t_ip6 *ipv6,
- unsigned int hookmask,
- int *size)
-@@ -1494,8 +1493,7 @@ check_compat_entry_size_and_hooks(struct
- const unsigned char *base,
- const unsigned char *limit,
- const unsigned int *hook_entries,
-- const unsigned int *underflows,
-- const char *name)
-+ const unsigned int *underflows)
- {
- struct xt_entry_match *ematch;
- struct xt_entry_target *t;
-@@ -1531,8 +1529,8 @@ check_compat_entry_size_and_hooks(struct
- entry_offset = (void *)e - (void *)base;
- j = 0;
- xt_ematch_foreach(ematch, e) {
-- ret = compat_find_calc_match(ematch, name,
-- &e->ipv6, e->comefrom, &off);
-+ ret = compat_find_calc_match(ematch, &e->ipv6, e->comefrom,
-+ &off);
- if (ret != 0)
- goto release_matches;
- ++j;
-@@ -1581,7 +1579,7 @@ release_matches:
-
- static int
- compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
-- unsigned int *size, const char *name,
-+ unsigned int *size,
- struct xt_table_info *newinfo, unsigned char *base)
- {
- struct xt_entry_target *t;
-@@ -1655,14 +1653,9 @@ static int compat_check_entry(struct ip6
-
- static int
- translate_compat_table(struct net *net,
-- const char *name,
-- unsigned int valid_hooks,
- struct xt_table_info **pinfo,
- void **pentry0,
-- unsigned int total_size,
-- unsigned int number,
-- unsigned int *hook_entries,
-- unsigned int *underflows)
-+ const struct compat_ip6t_replace *compatr)
- {
- unsigned int i, j;
- struct xt_table_info *newinfo, *info;
-@@ -1674,8 +1667,8 @@ translate_compat_table(struct net *net,
-
- info = *pinfo;
- entry0 = *pentry0;
-- size = total_size;
-- info->number = number;
-+ size = compatr->size;
-+ info->number = compatr->num_entries;
-
- /* Init all hooks to impossible value. */
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-@@ -1686,40 +1679,39 @@ translate_compat_table(struct net *net,
- duprintf("translate_compat_table: size %u\n", info->size);
- j = 0;
- xt_compat_lock(AF_INET6);
-- xt_compat_init_offsets(AF_INET6, number);
-+ xt_compat_init_offsets(AF_INET6, compatr->num_entries);
- /* Walk through entries, checking offsets. */
-- xt_entry_foreach(iter0, entry0, total_size) {
-+ xt_entry_foreach(iter0, entry0, compatr->size) {
- ret = check_compat_entry_size_and_hooks(iter0, info, &size,
- entry0,
-- entry0 + total_size,
-- hook_entries,
-- underflows,
-- name);
-+ entry0 + compatr->size,
-+ compatr->hook_entry,
-+ compatr->underflow);
- if (ret != 0)
- goto out_unlock;
- ++j;
- }
-
- ret = -EINVAL;
-- if (j != number) {
-+ if (j != compatr->num_entries) {
- duprintf("translate_compat_table: %u not %u entries\n",
-- j, number);
-+ j, compatr->num_entries);
- goto out_unlock;
- }
-
- /* Check hooks all assigned */
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- /* Only hooks which are valid */
-- if (!(valid_hooks & (1 << i)))
-+ if (!(compatr->valid_hooks & (1 << i)))
- continue;
- if (info->hook_entry[i] == 0xFFFFFFFF) {
- duprintf("Invalid hook entry %u %u\n",
-- i, hook_entries[i]);
-+ i, info->hook_entry[i]);
- goto out_unlock;
- }
- if (info->underflow[i] == 0xFFFFFFFF) {
- duprintf("Invalid underflow %u %u\n",
-- i, underflows[i]);
-+ i, info->underflow[i]);
- goto out_unlock;
- }
- }
-@@ -1729,17 +1721,17 @@ translate_compat_table(struct net *net,
- if (!newinfo)
- goto out_unlock;
-
-- newinfo->number = number;
-+ newinfo->number = compatr->num_entries;
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- newinfo->hook_entry[i] = info->hook_entry[i];
- newinfo->underflow[i] = info->underflow[i];
- }
- entry1 = newinfo->entries[raw_smp_processor_id()];
- pos = entry1;
-- size = total_size;
-- xt_entry_foreach(iter0, entry0, total_size) {
-+ size = compatr->size;
-+ xt_entry_foreach(iter0, entry0, compatr->size) {
- ret = compat_copy_entry_from_user(iter0, &pos, &size,
-- name, newinfo, entry1);
-+ newinfo, entry1);
- if (ret != 0)
- break;
- }
-@@ -1749,12 +1741,12 @@ translate_compat_table(struct net *net,
- goto free_newinfo;
-
- ret = -ELOOP;
-- if (!mark_source_chains(newinfo, valid_hooks, entry1))
-+ if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
- goto free_newinfo;
-
- i = 0;
- xt_entry_foreach(iter1, entry1, newinfo->size) {
-- ret = compat_check_entry(iter1, net, name);
-+ ret = compat_check_entry(iter1, net, compatr->name);
- if (ret != 0)
- break;
- ++i;
-@@ -1799,7 +1791,7 @@ translate_compat_table(struct net *net,
- free_newinfo:
- xt_free_table_info(newinfo);
- out:
-- xt_entry_foreach(iter0, entry0, total_size) {
-+ xt_entry_foreach(iter0, entry0, compatr->size) {
- if (j-- == 0)
- break;
- compat_release_entry(iter0);
-@@ -1842,10 +1834,7 @@ compat_do_replace(struct net *net, void
- goto free_newinfo;
- }
-
-- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
-- &newinfo, &loc_cpu_entry, tmp.size,
-- tmp.num_entries, tmp.hook_entry,
-- tmp.underflow);
-+ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
- if (ret != 0)
- goto free_newinfo;
-
diff --git a/debian/patches/bugfix/all/netfilter-ip_tables-simplify-translate_compat_table-.patch b/debian/patches/bugfix/all/netfilter-ip_tables-simplify-translate_compat_table-.patch
deleted file mode 100644
index 7518397..0000000
--- a/debian/patches/bugfix/all/netfilter-ip_tables-simplify-translate_compat_table-.patch
+++ /dev/null
@@ -1,184 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 14:17:30 +0200
-Subject: netfilter: ip_tables: simplify translate_compat_table args
-Origin: https://git.kernel.org/linus/7d3f843eed29222254c9feab481f55175a1afcc9
-
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-[bwh: Backported to 3.16: adjust context]
----
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -1444,7 +1444,6 @@ compat_copy_entry_to_user(struct ipt_ent
-
- static int
- compat_find_calc_match(struct xt_entry_match *m,
-- const char *name,
- const struct ipt_ip *ip,
- unsigned int hookmask,
- int *size)
-@@ -1482,8 +1481,7 @@ check_compat_entry_size_and_hooks(struct
- const unsigned char *base,
- const unsigned char *limit,
- const unsigned int *hook_entries,
-- const unsigned int *underflows,
-- const char *name)
-+ const unsigned int *underflows)
- {
- struct xt_entry_match *ematch;
- struct xt_entry_target *t;
-@@ -1519,8 +1517,7 @@ check_compat_entry_size_and_hooks(struct
- entry_offset = (void *)e - (void *)base;
- j = 0;
- xt_ematch_foreach(ematch, e) {
-- ret = compat_find_calc_match(ematch, name,
-- &e->ip, e->comefrom, &off);
-+ ret = compat_find_calc_match(ematch, &e->ip, e->comefrom, &off);
- if (ret != 0)
- goto release_matches;
- ++j;
-@@ -1569,7 +1566,7 @@ release_matches:
-
- static int
- compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
-- unsigned int *size, const char *name,
-+ unsigned int *size,
- struct xt_table_info *newinfo, unsigned char *base)
- {
- struct xt_entry_target *t;
-@@ -1645,14 +1642,9 @@ compat_check_entry(struct ipt_entry *e,
-
- static int
- translate_compat_table(struct net *net,
-- const char *name,
-- unsigned int valid_hooks,
- struct xt_table_info **pinfo,
- void **pentry0,
-- unsigned int total_size,
-- unsigned int number,
-- unsigned int *hook_entries,
-- unsigned int *underflows)
-+ const struct compat_ipt_replace *compatr)
- {
- unsigned int i, j;
- struct xt_table_info *newinfo, *info;
-@@ -1664,8 +1656,8 @@ translate_compat_table(struct net *net,
-
- info = *pinfo;
- entry0 = *pentry0;
-- size = total_size;
-- info->number = number;
-+ size = compatr->size;
-+ info->number = compatr->num_entries;
-
- /* Init all hooks to impossible value. */
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-@@ -1676,40 +1668,39 @@ translate_compat_table(struct net *net,
- duprintf("translate_compat_table: size %u\n", info->size);
- j = 0;
- xt_compat_lock(AF_INET);
-- xt_compat_init_offsets(AF_INET, number);
-+ xt_compat_init_offsets(AF_INET, compatr->num_entries);
- /* Walk through entries, checking offsets. */
-- xt_entry_foreach(iter0, entry0, total_size) {
-+ xt_entry_foreach(iter0, entry0, compatr->size) {
- ret = check_compat_entry_size_and_hooks(iter0, info, &size,
- entry0,
-- entry0 + total_size,
-- hook_entries,
-- underflows,
-- name);
-+ entry0 + compatr->size,
-+ compatr->hook_entry,
-+ compatr->underflow);
- if (ret != 0)
- goto out_unlock;
- ++j;
- }
-
- ret = -EINVAL;
-- if (j != number) {
-+ if (j != compatr->num_entries) {
- duprintf("translate_compat_table: %u not %u entries\n",
-- j, number);
-+ j, compatr->num_entries);
- goto out_unlock;
- }
-
- /* Check hooks all assigned */
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- /* Only hooks which are valid */
-- if (!(valid_hooks & (1 << i)))
-+ if (!(compatr->valid_hooks & (1 << i)))
- continue;
- if (info->hook_entry[i] == 0xFFFFFFFF) {
- duprintf("Invalid hook entry %u %u\n",
-- i, hook_entries[i]);
-+ i, info->hook_entry[i]);
- goto out_unlock;
- }
- if (info->underflow[i] == 0xFFFFFFFF) {
- duprintf("Invalid underflow %u %u\n",
-- i, underflows[i]);
-+ i, info->underflow[i]);
- goto out_unlock;
- }
- }
-@@ -1719,17 +1710,17 @@ translate_compat_table(struct net *net,
- if (!newinfo)
- goto out_unlock;
-
-- newinfo->number = number;
-+ newinfo->number = compatr->num_entries;
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- newinfo->hook_entry[i] = info->hook_entry[i];
- newinfo->underflow[i] = info->underflow[i];
- }
- entry1 = newinfo->entries[raw_smp_processor_id()];
- pos = entry1;
-- size = total_size;
-- xt_entry_foreach(iter0, entry0, total_size) {
-+ size = compatr->size;
-+ xt_entry_foreach(iter0, entry0, compatr->size) {
- ret = compat_copy_entry_from_user(iter0, &pos, &size,
-- name, newinfo, entry1);
-+ newinfo, entry1);
- if (ret != 0)
- break;
- }
-@@ -1739,12 +1730,12 @@ translate_compat_table(struct net *net,
- goto free_newinfo;
-
- ret = -ELOOP;
-- if (!mark_source_chains(newinfo, valid_hooks, entry1))
-+ if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
- goto free_newinfo;
-
- i = 0;
- xt_entry_foreach(iter1, entry1, newinfo->size) {
-- ret = compat_check_entry(iter1, net, name);
-+ ret = compat_check_entry(iter1, net, compatr->name);
- if (ret != 0)
- break;
- ++i;
-@@ -1789,7 +1780,7 @@ translate_compat_table(struct net *net,
- free_newinfo:
- xt_free_table_info(newinfo);
- out:
-- xt_entry_foreach(iter0, entry0, total_size) {
-+ xt_entry_foreach(iter0, entry0, compatr->size) {
- if (j-- == 0)
- break;
- compat_release_entry(iter0);
-@@ -1832,10 +1823,7 @@ compat_do_replace(struct net *net, void
- goto free_newinfo;
- }
-
-- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
-- &newinfo, &loc_cpu_entry, tmp.size,
-- tmp.num_entries, tmp.hook_entry,
-- tmp.underflow);
-+ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
- if (ret != 0)
- goto free_newinfo;
-
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch b/debian/patches/bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch
deleted file mode 100644
index 7ee23c0..0000000
--- a/debian/patches/bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 14:17:23 +0200
-Subject: netfilter: x_tables: add and use xt_check_entry_offsets
-Origin: https://git.kernel.org/linus/7d35812c3214afa5b37a675113555259cfd67b98
-
-Currently arp/ip and ip6tables each implement a short helper to check that
-the target offset is large enough to hold one xt_entry_target struct and
-that t->u.target_size fits within the current rule.
-
-Unfortunately these checks are not sufficient.
-
-To avoid adding new tests to all of ip/ip6/arptables move the current
-checks into a helper, then extend this helper in followup patches.
-
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- include/linux/netfilter/x_tables.h | 4 ++++
- net/ipv4/netfilter/arp_tables.c | 11 +----------
- net/ipv4/netfilter/ip_tables.c | 12 +-----------
- net/ipv6/netfilter/ip6_tables.c | 12 +-----------
- net/netfilter/x_tables.c | 34 ++++++++++++++++++++++++++++++++++
- 5 files changed, 41 insertions(+), 32 deletions(-)
-
---- a/include/linux/netfilter/x_tables.h
-+++ b/include/linux/netfilter/x_tables.h
-@@ -239,6 +239,10 @@ void xt_unregister_match(struct xt_match
- int xt_register_matches(struct xt_match *match, unsigned int n);
- void xt_unregister_matches(struct xt_match *match, unsigned int n);
-
-+int xt_check_entry_offsets(const void *base,
-+ unsigned int target_offset,
-+ unsigned int next_offset);
-+
- int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto,
- bool inv_proto);
- int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -492,19 +492,10 @@ static int mark_source_chains(const stru
-
- static inline int check_entry(const struct arpt_entry *e)
- {
-- const struct xt_entry_target *t;
--
- if (!arp_checkentry(&e->arp))
- return -EINVAL;
-
-- if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset)
-- return -EINVAL;
--
-- t = arpt_get_target_c(e);
-- if (e->target_offset + t->u.target_size > e->next_offset)
-- return -EINVAL;
--
-- return 0;
-+ return xt_check_entry_offsets(e, e->target_offset, e->next_offset);
- }
-
- static inline int check_target(struct arpt_entry *e, const char *name)
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -586,20 +586,10 @@ static void cleanup_match(struct xt_entr
- static int
- check_entry(const struct ipt_entry *e)
- {
-- const struct xt_entry_target *t;
--
- if (!ip_checkentry(&e->ip))
- return -EINVAL;
-
-- if (e->target_offset + sizeof(struct xt_entry_target) >
-- e->next_offset)
-- return -EINVAL;
--
-- t = ipt_get_target_c(e);
-- if (e->target_offset + t->u.target_size > e->next_offset)
-- return -EINVAL;
--
-- return 0;
-+ return xt_check_entry_offsets(e, e->target_offset, e->next_offset);
- }
-
- static int
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -596,20 +596,10 @@ static void cleanup_match(struct xt_entr
- static int
- check_entry(const struct ip6t_entry *e)
- {
-- const struct xt_entry_target *t;
--
- if (!ip6_checkentry(&e->ipv6))
- return -EINVAL;
-
-- if (e->target_offset + sizeof(struct xt_entry_target) >
-- e->next_offset)
-- return -EINVAL;
--
-- t = ip6t_get_target_c(e);
-- if (e->target_offset + t->u.target_size > e->next_offset)
-- return -EINVAL;
--
-- return 0;
-+ return xt_check_entry_offsets(e, e->target_offset, e->next_offset);
- }
-
- static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
---- a/net/netfilter/x_tables.c
-+++ b/net/netfilter/x_tables.c
-@@ -560,6 +560,40 @@ int xt_compat_match_to_user(const struct
- EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
- #endif /* CONFIG_COMPAT */
-
-+/**
-+ * xt_check_entry_offsets - validate arp/ip/ip6t_entry
-+ *
-+ * @base: pointer to arp/ip/ip6t_entry
-+ * @target_offset: the arp/ip/ip6_t->target_offset
-+ * @next_offset: the arp/ip/ip6_t->next_offset
-+ *
-+ * validates that target_offset and next_offset are sane.
-+ *
-+ * The arp/ip/ip6t_entry structure @base must have passed following tests:
-+ * - it must point to a valid memory location
-+ * - base to base + next_offset must be accessible, i.e. not exceed allocated
-+ * length.
-+ *
-+ * Return: 0 on success, negative errno on failure.
-+ */
-+int xt_check_entry_offsets(const void *base,
-+ unsigned int target_offset,
-+ unsigned int next_offset)
-+{
-+ const struct xt_entry_target *t;
-+ const char *e = base;
-+
-+ if (target_offset + sizeof(*t) > next_offset)
-+ return -EINVAL;
-+
-+ t = (void *)(e + target_offset);
-+ if (target_offset + t->u.target_size > next_offset)
-+ return -EINVAL;
-+
-+ return 0;
-+}
-+EXPORT_SYMBOL(xt_check_entry_offsets);
-+
- int xt_check_target(struct xt_tgchk_param *par,
- unsigned int size, u_int8_t proto, bool inv_proto)
- {
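Review bot: xt_check_entry_offsets() as added in net/netfilter/x_tables.c still accepts a t->u.target_size smaller than sizeof(*t) and a target_offset that points inside the entry header, because it carries over only the two upper-bound comparisons removed from the three check_entry() functions. The description says the helper is extended in followup patches, so this file should only be dropped together with those followups, on a base that carries the whole series; the changelog entry should say so. The kernel-doc also leaves "base to base + next_offset must be accessible" as a caller obligation that nothing in the helper enforces, so each of the three call sites should be checked for it.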
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch b/debian/patches/bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch
deleted file mode 100644
index d6eac7b..0000000
--- a/debian/patches/bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 14:17:26 +0200
-Subject: netfilter: x_tables: add compat version of xt_check_entry_offsets
-Origin: https://git.kernel.org/linus/fc1221b3a163d1386d1052184202d5dc50d302d1
-
-32bit rulesets have different layout and alignment requirements, so once
-more integrity checks get added to xt_check_entry_offsets it will reject
-well-formed 32bit rulesets.
-
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- include/linux/netfilter/x_tables.h | 3 +++
- net/ipv4/netfilter/arp_tables.c | 3 ++-
- net/ipv4/netfilter/ip_tables.c | 3 ++-
- net/ipv6/netfilter/ip6_tables.c | 3 ++-
- net/netfilter/x_tables.c | 22 ++++++++++++++++++++++
- 5 files changed, 31 insertions(+), 3 deletions(-)
-
---- a/include/linux/netfilter/x_tables.h
-+++ b/include/linux/netfilter/x_tables.h
-@@ -435,6 +435,9 @@ void xt_compat_target_from_user(struct x
- unsigned int *size);
- int xt_compat_target_to_user(const struct xt_entry_target *t,
- void __user **dstptr, unsigned int *size);
-+int xt_compat_check_entry_offsets(const void *base,
-+ unsigned int target_offset,
-+ unsigned int next_offset);
-
- #endif /* CONFIG_COMPAT */
- #endif /* _X_TABLES_H */
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -1244,7 +1244,8 @@ check_compat_entry_size_and_hooks(struct
- if (!arp_checkentry(&e->arp))
- return -EINVAL;
-
-- ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
-+ ret = xt_compat_check_entry_offsets(e, e->target_offset,
-+ e->next_offset);
- if (ret)
- return ret;
-
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -1509,7 +1509,8 @@ check_compat_entry_size_and_hooks(struct
- if (!ip_checkentry(&e->ip))
- return -EINVAL;
-
-- ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
-+ ret = xt_compat_check_entry_offsets(e,
-+ e->target_offset, e->next_offset);
- if (ret)
- return ret;
-
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -1521,7 +1521,8 @@ check_compat_entry_size_and_hooks(struct
- if (!ip6_checkentry(&e->ipv6))
- return -EINVAL;
-
-- ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
-+ ret = xt_compat_check_entry_offsets(e,
-+ e->target_offset, e->next_offset);
- if (ret)
- return ret;
-
---- a/net/netfilter/x_tables.c
-+++ b/net/netfilter/x_tables.c
-@@ -558,6 +558,27 @@ int xt_compat_match_to_user(const struct
- return 0;
- }
- EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
-+
-+int xt_compat_check_entry_offsets(const void *base,
-+ unsigned int target_offset,
-+ unsigned int next_offset)
-+{
-+ const struct compat_xt_entry_target *t;
-+ const char *e = base;
-+
-+ if (target_offset + sizeof(*t) > next_offset)
-+ return -EINVAL;
-+
-+ t = (void *)(e + target_offset);
-+ if (t->u.target_size < sizeof(*t))
-+ return -EINVAL;
-+
-+ if (target_offset + t->u.target_size > next_offset)
-+ return -EINVAL;
-+
-+ return 0;
-+}
-+EXPORT_SYMBOL(xt_compat_check_entry_offsets);
- #endif /* CONFIG_COMPAT */
-
- /**
-@@ -568,6 +589,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_use
- * @next_offset: the arp/ip/ip6_t->next_offset
- *
- * validates that target_offset and next_offset are sane.
-+ * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.
- *
- * The arp/ip/ip6t_entry structure @base must have passed following tests:
- * - it must point to a valid memory location
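Review bot: xt_compat_check_entry_offsets() in net/netfilter/x_tables.c is added with no comment of its own; the only documentation is the one-line pointer added to the native helper's kernel-doc, so the precondition that base to base + next_offset is accessible is never stated for the compat path. A short kernel-doc on the compat function would fix that. Two smaller points: it is exported with EXPORT_SYMBOL while the neighbouring xt_compat_match_to_user uses EXPORT_SYMBOL_GPL, and the body repeats the native checks against struct compat_xt_entry_target, so later checks have to be added to both copies by hand.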
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch b/debian/patches/bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch
deleted file mode 100644
index 8f32eb2..0000000
--- a/debian/patches/bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 14:17:25 +0200
-Subject: netfilter: x_tables: assert minimum target size
-Origin: https://git.kernel.org/linus/a08e4e190b866579896c09af59b3bdca821da2cd
-
-The target size includes the size of the xt_entry_target struct.
-
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- net/netfilter/x_tables.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/netfilter/x_tables.c
-+++ b/net/netfilter/x_tables.c
-@@ -587,6 +587,9 @@ int xt_check_entry_offsets(const void *b
- return -EINVAL;
-
- t = (void *)(e + target_offset);
-+ if (t->u.target_size < sizeof(*t))
-+ return -EINVAL;
-+
- if (target_offset + t->u.target_size > next_offset)
- return -EINVAL;
-
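Review bot: the added test `if (t->u.target_size < sizeof(*t))` in xt_check_entry_offsets() has no comment, and the commit message gives only the invariant ("The target size includes the size of the xt_entry_target struct") without saying what a smaller user-supplied value would let through. A one-line comment above the test, stating that target_size counts the header and therefore can never be below sizeof(*t), would make the reason for the rejection clear to whoever next touches this function.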
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch b/debian/patches/bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch
deleted file mode 100644
index 494910d..0000000
--- a/debian/patches/bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 14:17:28 +0200
-Subject: netfilter: x_tables: check for bogus target offset
-Origin: https://git.kernel.org/linus/ce683e5f9d045e5d67d1312a42b359cb2ab2a13c
-
-We're currently asserting that targetoff + targetsize <= nextoff.
-
-Extend it to also check that targetoff is >= sizeof(xt_entry).
-Since this is generic code, add an argument pointing to the start of the
-match/target, we can then derive the base structure size from the delta.
-
-We also need the e->elems pointer in a followup change to validate matches.
-
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- include/linux/netfilter/x_tables.h | 4 ++--
- net/ipv4/netfilter/arp_tables.c | 5 +++--
- net/ipv4/netfilter/ip_tables.c | 5 +++--
- net/ipv6/netfilter/ip6_tables.c | 5 +++--
- net/netfilter/x_tables.c | 17 +++++++++++++++--
- 5 files changed, 26 insertions(+), 10 deletions(-)
-
---- a/include/linux/netfilter/x_tables.h
-+++ b/include/linux/netfilter/x_tables.h
-@@ -239,7 +239,7 @@ void xt_unregister_match(struct xt_match
- int xt_register_matches(struct xt_match *match, unsigned int n);
- void xt_unregister_matches(struct xt_match *match, unsigned int n);
-
--int xt_check_entry_offsets(const void *base,
-+int xt_check_entry_offsets(const void *base, const char *elems,
- unsigned int target_offset,
- unsigned int next_offset);
-
-@@ -435,7 +435,7 @@ void xt_compat_target_from_user(struct x
- unsigned int *size);
- int xt_compat_target_to_user(const struct xt_entry_target *t,
- void __user **dstptr, unsigned int *size);
--int xt_compat_check_entry_offsets(const void *base,
-+int xt_compat_check_entry_offsets(const void *base, const char *elems,
- unsigned int target_offset,
- unsigned int next_offset);
-
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -582,7 +582,8 @@ static inline int check_entry_size_and_h
- if (!arp_checkentry(&e->arp))
- return -EINVAL;
-
-- err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
-+ err = xt_check_entry_offsets(e, e->elems, e->target_offset,
-+ e->next_offset);
- if (err)
- return err;
-
-@@ -1244,7 +1245,7 @@ check_compat_entry_size_and_hooks(struct
- if (!arp_checkentry(&e->arp))
- return -EINVAL;
-
-- ret = xt_compat_check_entry_offsets(e, e->target_offset,
-+ ret = xt_compat_check_entry_offsets(e, e->elems, e->target_offset,
- e->next_offset);
- if (ret)
- return ret;
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -742,7 +742,8 @@ check_entry_size_and_hooks(struct ipt_en
- if (!ip_checkentry(&e->ip))
- return -EINVAL;
-
-- err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
-+ err = xt_check_entry_offsets(e, e->elems, e->target_offset,
-+ e->next_offset);
- if (err)
- return err;
-
-@@ -1509,7 +1510,7 @@ check_compat_entry_size_and_hooks(struct
- if (!ip_checkentry(&e->ip))
- return -EINVAL;
-
-- ret = xt_compat_check_entry_offsets(e,
-+ ret = xt_compat_check_entry_offsets(e, e->elems,
- e->target_offset, e->next_offset);
- if (ret)
- return ret;
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -753,7 +753,8 @@ check_entry_size_and_hooks(struct ip6t_e
- if (!ip6_checkentry(&e->ipv6))
- return -EINVAL;
-
-- err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
-+ err = xt_check_entry_offsets(e, e->elems, e->target_offset,
-+ e->next_offset);
- if (err)
- return err;
-
-@@ -1521,7 +1522,7 @@ check_compat_entry_size_and_hooks(struct
- if (!ip6_checkentry(&e->ipv6))
- return -EINVAL;
-
-- ret = xt_compat_check_entry_offsets(e,
-+ ret = xt_compat_check_entry_offsets(e, e->elems,
- e->target_offset, e->next_offset);
- if (ret)
- return ret;
---- a/net/netfilter/x_tables.c
-+++ b/net/netfilter/x_tables.c
-@@ -565,14 +565,17 @@ struct compat_xt_standard_target {
- compat_uint_t verdict;
- };
-
--/* see xt_check_entry_offsets */
--int xt_compat_check_entry_offsets(const void *base,
-+int xt_compat_check_entry_offsets(const void *base, const char *elems,
- unsigned int target_offset,
- unsigned int next_offset)
- {
-+ long size_of_base_struct = elems - (const char *)base;
- const struct compat_xt_entry_target *t;
- const char *e = base;
-
-+ if (target_offset < size_of_base_struct)
-+ return -EINVAL;
-+
- if (target_offset + sizeof(*t) > next_offset)
- return -EINVAL;
-
-@@ -596,12 +599,16 @@ EXPORT_SYMBOL(xt_compat_check_entry_offs
- * xt_check_entry_offsets - validate arp/ip/ip6t_entry
- *
- * @base: pointer to arp/ip/ip6t_entry
-+ * @elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems
- * @target_offset: the arp/ip/ip6_t->target_offset
- * @next_offset: the arp/ip/ip6_t->next_offset
- *
- * validates that target_offset and next_offset are sane.
- * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.
- *
-+ * This function does not validate the targets or matches themselves, it
-+ * only tests that all the offsets and sizes are correct.
-+ *
- * The arp/ip/ip6t_entry structure @base must have passed following tests:
- * - it must point to a valid memory location
- * - base to base + next_offset must be accessible, i.e. not exceed allocated
-@@ -610,12 +617,18 @@ EXPORT_SYMBOL(xt_compat_check_entry_offs
- * Return: 0 on success, negative errno on failure.
- */
- int xt_check_entry_offsets(const void *base,
-+ const char *elems,
- unsigned int target_offset,
- unsigned int next_offset)
- {
-+ long size_of_base_struct = elems - (const char *)base;
- const struct xt_entry_target *t;
- const char *e = base;
-
-+ /* target start is within the ip/ip6/arpt_entry struct */
-+ if (target_offset < size_of_base_struct)
-+ return -EINVAL;
-+
- if (target_offset + sizeof(*t) > next_offset)
- return -EINVAL;
-
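Review bot: `long size_of_base_struct = elems - (const char *)base;` is compared against the unsigned int target_offset in both helpers, so the result of `target_offset < size_of_base_struct` depends on the integer conversion rules and on elems never preceding base. Every caller shown passes e and e->elems, so the delta is positive today, but an unsigned type for the delta, or a comment stating that elems must point past base, would keep the check obviously correct. The explanatory comment "target start is within the ip/ip6/arpt_entry struct" is added only to xt_check_entry_offsets(); the compat copy gets the same test without it and also loses its "see xt_check_entry_offsets" pointer.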
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch b/debian/patches/bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch
deleted file mode 100644
index 5e73ba5..0000000
--- a/debian/patches/bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 14:17:27 +0200
-Subject: netfilter: x_tables: check standard target size too
-Origin: https://git.kernel.org/linus/7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44
-
-We have targets and standard targets -- the latter carries a verdict.
-
-The ip/ip6tables validation functions will access t->verdict for the
-standard targets to fetch the jump offset or verdict for chainloop
-detection, but this happens before the targets get checked/validated.
-
-Thus we also need to check for verdict presence here, else t->verdict
-can point right after a blob.
-
-Spotted with UBSAN while testing malformed blobs.
-
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- net/netfilter/x_tables.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
---- a/net/netfilter/x_tables.c
-+++ b/net/netfilter/x_tables.c
-@@ -559,6 +559,13 @@ int xt_compat_match_to_user(const struct
- }
- EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
-
-+/* non-compat version may have padding after verdict */
-+struct compat_xt_standard_target {
-+ struct compat_xt_entry_target t;
-+ compat_uint_t verdict;
-+};
-+
-+/* see xt_check_entry_offsets */
- int xt_compat_check_entry_offsets(const void *base,
- unsigned int target_offset,
- unsigned int next_offset)
-@@ -576,6 +583,10 @@ int xt_compat_check_entry_offsets(const
- if (target_offset + t->u.target_size > next_offset)
- return -EINVAL;
-
-+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
-+ target_offset + sizeof(struct compat_xt_standard_target) != next_offset)
-+ return -EINVAL;
-+
- return 0;
- }
- EXPORT_SYMBOL(xt_compat_check_entry_offsets);
-@@ -615,6 +626,10 @@ int xt_check_entry_offsets(const void *b
- if (target_offset + t->u.target_size > next_offset)
- return -EINVAL;
-
-+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
-+ target_offset + sizeof(struct xt_standard_target) != next_offset)
-+ return -EINVAL;
-+
- return 0;
- }
- EXPORT_SYMBOL(xt_check_entry_offsets);
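Review bot: the standard-target test in both helpers compares with `!=` rather than `>`, so an entry whose standard target does not end exactly at next_offset is rejected, and nothing in the code says that this exact-fit requirement is intended. The commit message motivates only the presence of the verdict field ("else t->verdict can point right after a blob"), which a `>` comparison would also guarantee. Suggest a comment above each `strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0` block stating that a standard target must be the last thing in the entry and must fill it exactly, next to the existing note on why struct compat_xt_standard_target is declared separately.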
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch b/debian/patches/bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch
deleted file mode 100644
index 24e1b68..0000000
--- a/debian/patches/bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch
+++ /dev/null
@@ -1,781 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 14:17:34 +0200
-Subject: netfilter: x_tables: do compat validation via translate_table
-Origin: https://git.kernel.org/linus/09d9686047dbbe1cf4faa558d3ecc4aae2046054
-
-This looks like refactoring, but its also a bug fix.
-
-Problem is that the compat path (32bit iptables, 64bit kernel) lacks a few
-sanity tests that are done in the normal path.
-
-For example, we do not check for underflows and the base chain policies.
-
-While its possible to also add such checks to the compat path, its more
-copy&pastry, for instance we cannot reuse check_underflow() helper as
-e->target_offset differs in the compat case.
-
-Other problem is that it makes auditing for validation errors harder; two
-places need to be checked and kept in sync.
-
-At a high level 32 bit compat works like this:
-1- initial pass over blob:
- validate match/entry offsets, bounds checking
- lookup all matches and targets
- do bookkeeping wrt. size delta of 32/64bit structures
- assign match/target.u.kernel pointer (points at kernel
- implementation, needed to access ->compatsize etc.)
-
-2- allocate memory according to the total bookkeeping size to
- contain the translated ruleset
-
-3- second pass over original blob:
- for each entry, copy the 32bit representation to the newly allocated
- memory. This also does any special match translations (e.g.
- adjust 32bit to 64bit longs, etc).
-
-4- check if ruleset is free of loops (chase all jumps)
-
-5-first pass over translated blob:
- call the checkentry function of all matches and targets.
-
-The alternative implemented by this patch is to drop steps 3&4 from the
-compat process, the translation is changed into an intermediate step
-rather than a full 1:1 translate_table replacement.
-
-In the 2nd pass (step #3), change the 64bit ruleset back to a kernel
-representation, i.e. put() the kernel pointer and restore ->u.user.name .
-
-This gets us a 64bit ruleset that is in the format generated by a 64bit
-iptables userspace -- we can then use translate_table() to get the
-'native' sanity checks.
-
-This has two drawbacks:
-
-1. we re-validate all the match and target entry structure sizes even
-though compat translation is supposed to never generate bogus offsets.
-2. we put and then re-lookup each match and target.
-
-THe upside is that we get all sanity tests and ruleset validations
-provided by the normal path and can remove some duplicated compat code.
-
-iptables-restore time of autogenerated ruleset with 300k chains of form
--A CHAIN0001 -m limit --limit 1/s -j CHAIN0002
--A CHAIN0002 -m limit --limit 1/s -j CHAIN0003
-
-shows no noticeable differences in restore times:
-old: 0m30.796s
-new: 0m31.521s
-64bit: 0m25.674s
-
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-[bwh: Backported to 3.16: deleted code is a little different]
----
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -1224,19 +1224,17 @@ static inline void compat_release_entry(
- module_put(t->u.kernel.target->me);
- }
-
--static inline int
-+static int
- check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
- struct xt_table_info *newinfo,
- unsigned int *size,
- const unsigned char *base,
-- const unsigned char *limit,
-- const unsigned int *hook_entries,
-- const unsigned int *underflows)
-+ const unsigned char *limit)
- {
- struct xt_entry_target *t;
- struct xt_target *target;
- unsigned int entry_offset;
-- int ret, off, h;
-+ int ret, off;
-
- duprintf("check_compat_entry_size_and_hooks %p\n", e);
- if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
-@@ -1281,17 +1279,6 @@ check_compat_entry_size_and_hooks(struct
- if (ret)
- goto release_target;
-
-- /* Check hooks & underflows */
-- for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
-- if ((unsigned char *)e - base == hook_entries[h])
-- newinfo->hook_entry[h] = hook_entries[h];
-- if ((unsigned char *)e - base == underflows[h])
-- newinfo->underflow[h] = underflows[h];
-- }
--
-- /* Clear counters and comefrom */
-- memset(&e->counters, 0, sizeof(e->counters));
-- e->comefrom = 0;
- return 0;
-
- release_target:
-@@ -1341,7 +1328,7 @@ static int translate_compat_table(struct
- struct xt_table_info *newinfo, *info;
- void *pos, *entry0, *entry1;
- struct compat_arpt_entry *iter0;
-- struct arpt_entry *iter1;
-+ struct arpt_replace repl;
- unsigned int size;
- int ret = 0;
-
-@@ -1350,12 +1337,6 @@ static int translate_compat_table(struct
- size = compatr->size;
- info->number = compatr->num_entries;
-
-- /* Init all hooks to impossible value. */
-- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
-- info->hook_entry[i] = 0xFFFFFFFF;
-- info->underflow[i] = 0xFFFFFFFF;
-- }
--
- duprintf("translate_compat_table: size %u\n", info->size);
- j = 0;
- xt_compat_lock(NFPROTO_ARP);
-@@ -1364,9 +1345,7 @@ static int translate_compat_table(struct
- xt_entry_foreach(iter0, entry0, compatr->size) {
- ret = check_compat_entry_size_and_hooks(iter0, info, &size,
- entry0,
-- entry0 + compatr->size,
-- compatr->hook_entry,
-- compatr->underflow);
-+ entry0 + compatr->size);
- if (ret != 0)
- goto out_unlock;
- ++j;
-@@ -1379,23 +1358,6 @@ static int translate_compat_table(struct
- goto out_unlock;
- }
-
-- /* Check hooks all assigned */
-- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
-- /* Only hooks which are valid */
-- if (!(compatr->valid_hooks & (1 << i)))
-- continue;
-- if (info->hook_entry[i] == 0xFFFFFFFF) {
-- duprintf("Invalid hook entry %u %u\n",
-- i, info->hook_entry[i]);
-- goto out_unlock;
-- }
-- if (info->underflow[i] == 0xFFFFFFFF) {
-- duprintf("Invalid underflow %u %u\n",
-- i, info->underflow[i]);
-- goto out_unlock;
-- }
-- }
--
- ret = -ENOMEM;
- newinfo = xt_alloc_table_info(size);
- if (!newinfo)
-@@ -1412,51 +1374,24 @@ static int translate_compat_table(struct
- xt_entry_foreach(iter0, entry0, compatr->size)
- compat_copy_entry_from_user(iter0, &pos, &size,
- newinfo, entry1);
-+
-+ /* all module references in entry0 are now gone */
-+
- xt_compat_flush_offsets(NFPROTO_ARP);
- xt_compat_unlock(NFPROTO_ARP);
-
-- ret = -ELOOP;
-- if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
-- goto free_newinfo;
--
-- i = 0;
-- xt_entry_foreach(iter1, entry1, newinfo->size) {
-- ret = check_target(iter1, compatr->name);
-- if (ret != 0)
-- break;
-- ++i;
-- if (strcmp(arpt_get_target(iter1)->u.user.name,
-- XT_ERROR_TARGET) == 0)
-- ++newinfo->stacksize;
-- }
-- if (ret) {
-- /*
-- * The first i matches need cleanup_entry (calls ->destroy)
-- * because they had called ->check already. The other j-i
-- * entries need only release.
-- */
-- int skip = i;
-- j -= i;
-- xt_entry_foreach(iter0, entry0, newinfo->size) {
-- if (skip-- > 0)
-- continue;
-- if (j-- == 0)
-- break;
-- compat_release_entry(iter0);
-- }
-- xt_entry_foreach(iter1, entry1, newinfo->size) {
-- if (i-- == 0)
-- break;
-- cleanup_entry(iter1);
-- }
-- xt_free_table_info(newinfo);
-- return ret;
-+ memcpy(&repl, compatr, sizeof(*compatr));
-+ for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
-+ repl.hook_entry[i] = newinfo->hook_entry[i];
-+ repl.underflow[i] = newinfo->underflow[i];
- }
-
-- /* And one copy for every other CPU */
-- for_each_possible_cpu(i)
-- if (newinfo->entries[i] && newinfo->entries[i] != entry1)
-- memcpy(newinfo->entries[i], entry1, newinfo->size);
-+ repl.num_counters = 0;
-+ repl.counters = NULL;
-+ repl.size = newinfo->size;
-+ ret = translate_table(newinfo, entry1, &repl);
-+ if (ret)
-+ goto free_newinfo;
-
- *pinfo = newinfo;
- *pentry0 = entry1;
-@@ -1465,17 +1400,16 @@ static int translate_compat_table(struct
-
- free_newinfo:
- xt_free_table_info(newinfo);
--out:
-+ return ret;
-+out_unlock:
-+ xt_compat_flush_offsets(NFPROTO_ARP);
-+ xt_compat_unlock(NFPROTO_ARP);
- xt_entry_foreach(iter0, entry0, compatr->size) {
- if (j-- == 0)
- break;
- compat_release_entry(iter0);
- }
- return ret;
--out_unlock:
-- xt_compat_flush_offsets(NFPROTO_ARP);
-- xt_compat_unlock(NFPROTO_ARP);
-- goto out;
- }
-
- static int compat_do_replace(struct net *net, void __user *user,
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -1479,16 +1479,14 @@ check_compat_entry_size_and_hooks(struct
- struct xt_table_info *newinfo,
- unsigned int *size,
- const unsigned char *base,
-- const unsigned char *limit,
-- const unsigned int *hook_entries,
-- const unsigned int *underflows)
-+ const unsigned char *limit)
- {
- struct xt_entry_match *ematch;
- struct xt_entry_target *t;
- struct xt_target *target;
- unsigned int entry_offset;
- unsigned int j;
-- int ret, off, h;
-+ int ret, off;
-
- duprintf("check_compat_entry_size_and_hooks %p\n", e);
- if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
-@@ -1540,17 +1538,6 @@ check_compat_entry_size_and_hooks(struct
- if (ret)
- goto out;
-
-- /* Check hooks & underflows */
-- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
-- if ((unsigned char *)e - base == hook_entries[h])
-- newinfo->hook_entry[h] = hook_entries[h];
-- if ((unsigned char *)e - base == underflows[h])
-- newinfo->underflow[h] = underflows[h];
-- }
--
-- /* Clear counters and comefrom */
-- memset(&e->counters, 0, sizeof(e->counters));
-- e->comefrom = 0;
- return 0;
-
- out:
-@@ -1593,6 +1580,7 @@ compat_copy_entry_from_user(struct compa
- xt_compat_target_from_user(t, dstptr, size);
-
- de->next_offset = e->next_offset - (origsize - *size);
-+
- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
- if ((unsigned char *)de - base < newinfo->hook_entry[h])
- newinfo->hook_entry[h] -= origsize - *size;
-@@ -1602,41 +1590,6 @@ compat_copy_entry_from_user(struct compa
- }
-
- static int
--compat_check_entry(struct ipt_entry *e, struct net *net, const char *name)
--{
-- struct xt_entry_match *ematch;
-- struct xt_mtchk_param mtpar;
-- unsigned int j;
-- int ret = 0;
--
-- j = 0;
-- mtpar.net = net;
-- mtpar.table = name;
-- mtpar.entryinfo = &e->ip;
-- mtpar.hook_mask = e->comefrom;
-- mtpar.family = NFPROTO_IPV4;
-- xt_ematch_foreach(ematch, e) {
-- ret = check_match(ematch, &mtpar);
-- if (ret != 0)
-- goto cleanup_matches;
-- ++j;
-- }
--
-- ret = check_target(e, net, name);
-- if (ret)
-- goto cleanup_matches;
-- return 0;
--
-- cleanup_matches:
-- xt_ematch_foreach(ematch, e) {
-- if (j-- == 0)
-- break;
-- cleanup_match(ematch, net);
-- }
-- return ret;
--}
--
--static int
- translate_compat_table(struct net *net,
- struct xt_table_info **pinfo,
- void **pentry0,
-@@ -1646,7 +1599,7 @@ translate_compat_table(struct net *net,
- struct xt_table_info *newinfo, *info;
- void *pos, *entry0, *entry1;
- struct compat_ipt_entry *iter0;
-- struct ipt_entry *iter1;
-+ struct ipt_replace repl;
- unsigned int size;
- int ret;
-
-@@ -1655,12 +1608,6 @@ translate_compat_table(struct net *net,
- size = compatr->size;
- info->number = compatr->num_entries;
-
-- /* Init all hooks to impossible value. */
-- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-- info->hook_entry[i] = 0xFFFFFFFF;
-- info->underflow[i] = 0xFFFFFFFF;
-- }
--
- duprintf("translate_compat_table: size %u\n", info->size);
- j = 0;
- xt_compat_lock(AF_INET);
-@@ -1669,9 +1616,7 @@ translate_compat_table(struct net *net,
- xt_entry_foreach(iter0, entry0, compatr->size) {
- ret = check_compat_entry_size_and_hooks(iter0, info, &size,
- entry0,
-- entry0 + compatr->size,
-- compatr->hook_entry,
-- compatr->underflow);
-+ entry0 + compatr->size);
- if (ret != 0)
- goto out_unlock;
- ++j;
-@@ -1684,23 +1629,6 @@ translate_compat_table(struct net *net,
- goto out_unlock;
- }
-
-- /* Check hooks all assigned */
-- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-- /* Only hooks which are valid */
-- if (!(compatr->valid_hooks & (1 << i)))
-- continue;
-- if (info->hook_entry[i] == 0xFFFFFFFF) {
-- duprintf("Invalid hook entry %u %u\n",
-- i, info->hook_entry[i]);
-- goto out_unlock;
-- }
-- if (info->underflow[i] == 0xFFFFFFFF) {
-- duprintf("Invalid underflow %u %u\n",
-- i, info->underflow[i]);
-- goto out_unlock;
-- }
-- }
--
- ret = -ENOMEM;
- newinfo = xt_alloc_table_info(size);
- if (!newinfo)
-@@ -1708,8 +1636,8 @@ translate_compat_table(struct net *net,
-
- newinfo->number = compatr->num_entries;
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-- newinfo->hook_entry[i] = info->hook_entry[i];
-- newinfo->underflow[i] = info->underflow[i];
-+ newinfo->hook_entry[i] = compatr->hook_entry[i];
-+ newinfo->underflow[i] = compatr->underflow[i];
- }
- entry1 = newinfo->entries[raw_smp_processor_id()];
- pos = entry1;
-@@ -1718,51 +1646,29 @@ translate_compat_table(struct net *net,
- compat_copy_entry_from_user(iter0, &pos, &size,
- newinfo, entry1);
-
-+ /* all module references in entry0 are now gone.
-+ * entry1/newinfo contains a 64bit ruleset that looks exactly as
-+ * generated by 64bit userspace.
-+ *
-+ * Call standard translate_table() to validate all hook_entrys,
-+ * underflows, check for loops, etc.
-+ */
- xt_compat_flush_offsets(AF_INET);
- xt_compat_unlock(AF_INET);
-
-- ret = -ELOOP;
-- if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
-- goto free_newinfo;
-+ memcpy(&repl, compatr, sizeof(*compatr));
-
-- i = 0;
-- xt_entry_foreach(iter1, entry1, newinfo->size) {
-- ret = compat_check_entry(iter1, net, compatr->name);
-- if (ret != 0)
-- break;
-- ++i;
-- if (strcmp(ipt_get_target(iter1)->u.user.name,
-- XT_ERROR_TARGET) == 0)
-- ++newinfo->stacksize;
-- }
-- if (ret) {
-- /*
-- * The first i matches need cleanup_entry (calls ->destroy)
-- * because they had called ->check already. The other j-i
-- * entries need only release.
-- */
-- int skip = i;
-- j -= i;
-- xt_entry_foreach(iter0, entry0, newinfo->size) {
-- if (skip-- > 0)
-- continue;
-- if (j-- == 0)
-- break;
-- compat_release_entry(iter0);
-- }
-- xt_entry_foreach(iter1, entry1, newinfo->size) {
-- if (i-- == 0)
-- break;
-- cleanup_entry(iter1, net);
-- }
-- xt_free_table_info(newinfo);
-- return ret;
-+ for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-+ repl.hook_entry[i] = newinfo->hook_entry[i];
-+ repl.underflow[i] = newinfo->underflow[i];
- }
-
-- /* And one copy for every other CPU */
-- for_each_possible_cpu(i)
-- if (newinfo->entries[i] && newinfo->entries[i] != entry1)
-- memcpy(newinfo->entries[i], entry1, newinfo->size);
-+ repl.num_counters = 0;
-+ repl.counters = NULL;
-+ repl.size = newinfo->size;
-+ ret = translate_table(net, newinfo, entry1, &repl);
-+ if (ret)
-+ goto free_newinfo;
-
- *pinfo = newinfo;
- *pentry0 = entry1;
-@@ -1771,17 +1677,16 @@ translate_compat_table(struct net *net,
-
- free_newinfo:
- xt_free_table_info(newinfo);
--out:
-+ return ret;
-+out_unlock:
-+ xt_compat_flush_offsets(AF_INET);
-+ xt_compat_unlock(AF_INET);
- xt_entry_foreach(iter0, entry0, compatr->size) {
- if (j-- == 0)
- break;
- compat_release_entry(iter0);
- }
- return ret;
--out_unlock:
-- xt_compat_flush_offsets(AF_INET);
-- xt_compat_unlock(AF_INET);
-- goto out;
- }
-
- static int
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -1491,16 +1491,14 @@ check_compat_entry_size_and_hooks(struct
- struct xt_table_info *newinfo,
- unsigned int *size,
- const unsigned char *base,
-- const unsigned char *limit,
-- const unsigned int *hook_entries,
-- const unsigned int *underflows)
-+ const unsigned char *limit)
- {
- struct xt_entry_match *ematch;
- struct xt_entry_target *t;
- struct xt_target *target;
- unsigned int entry_offset;
- unsigned int j;
-- int ret, off, h;
-+ int ret, off;
-
- duprintf("check_compat_entry_size_and_hooks %p\n", e);
- if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
-@@ -1553,17 +1551,6 @@ check_compat_entry_size_and_hooks(struct
- if (ret)
- goto out;
-
-- /* Check hooks & underflows */
-- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
-- if ((unsigned char *)e - base == hook_entries[h])
-- newinfo->hook_entry[h] = hook_entries[h];
-- if ((unsigned char *)e - base == underflows[h])
-- newinfo->underflow[h] = underflows[h];
-- }
--
-- /* Clear counters and comefrom */
-- memset(&e->counters, 0, sizeof(e->counters));
-- e->comefrom = 0;
- return 0;
-
- out:
-@@ -1612,41 +1599,6 @@ compat_copy_entry_from_user(struct compa
- }
- }
-
--static int compat_check_entry(struct ip6t_entry *e, struct net *net,
-- const char *name)
--{
-- unsigned int j;
-- int ret = 0;
-- struct xt_mtchk_param mtpar;
-- struct xt_entry_match *ematch;
--
-- j = 0;
-- mtpar.net = net;
-- mtpar.table = name;
-- mtpar.entryinfo = &e->ipv6;
-- mtpar.hook_mask = e->comefrom;
-- mtpar.family = NFPROTO_IPV6;
-- xt_ematch_foreach(ematch, e) {
-- ret = check_match(ematch, &mtpar);
-- if (ret != 0)
-- goto cleanup_matches;
-- ++j;
-- }
--
-- ret = check_target(e, net, name);
-- if (ret)
-- goto cleanup_matches;
-- return 0;
--
-- cleanup_matches:
-- xt_ematch_foreach(ematch, e) {
-- if (j-- == 0)
-- break;
-- cleanup_match(ematch, net);
-- }
-- return ret;
--}
--
- static int
- translate_compat_table(struct net *net,
- struct xt_table_info **pinfo,
-@@ -1657,7 +1609,7 @@ translate_compat_table(struct net *net,
- struct xt_table_info *newinfo, *info;
- void *pos, *entry0, *entry1;
- struct compat_ip6t_entry *iter0;
-- struct ip6t_entry *iter1;
-+ struct ip6t_replace repl;
- unsigned int size;
- int ret = 0;
-
-@@ -1666,12 +1618,6 @@ translate_compat_table(struct net *net,
- size = compatr->size;
- info->number = compatr->num_entries;
-
-- /* Init all hooks to impossible value. */
-- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-- info->hook_entry[i] = 0xFFFFFFFF;
-- info->underflow[i] = 0xFFFFFFFF;
-- }
--
- duprintf("translate_compat_table: size %u\n", info->size);
- j = 0;
- xt_compat_lock(AF_INET6);
-@@ -1680,9 +1626,7 @@ translate_compat_table(struct net *net,
- xt_entry_foreach(iter0, entry0, compatr->size) {
- ret = check_compat_entry_size_and_hooks(iter0, info, &size,
- entry0,
-- entry0 + compatr->size,
-- compatr->hook_entry,
-- compatr->underflow);
-+ entry0 + compatr->size);
- if (ret != 0)
- goto out_unlock;
- ++j;
-@@ -1695,23 +1639,6 @@ translate_compat_table(struct net *net,
- goto out_unlock;
- }
-
-- /* Check hooks all assigned */
-- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-- /* Only hooks which are valid */
-- if (!(compatr->valid_hooks & (1 << i)))
-- continue;
-- if (info->hook_entry[i] == 0xFFFFFFFF) {
-- duprintf("Invalid hook entry %u %u\n",
-- i, info->hook_entry[i]);
-- goto out_unlock;
-- }
-- if (info->underflow[i] == 0xFFFFFFFF) {
-- duprintf("Invalid underflow %u %u\n",
-- i, info->underflow[i]);
-- goto out_unlock;
-- }
-- }
--
- ret = -ENOMEM;
- newinfo = xt_alloc_table_info(size);
- if (!newinfo)
-@@ -1719,60 +1646,33 @@ translate_compat_table(struct net *net,
-
- newinfo->number = compatr->num_entries;
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-- newinfo->hook_entry[i] = info->hook_entry[i];
-- newinfo->underflow[i] = info->underflow[i];
-+ newinfo->hook_entry[i] = compatr->hook_entry[i];
-+ newinfo->underflow[i] = compatr->underflow[i];
- }
- entry1 = newinfo->entries[raw_smp_processor_id()];
- pos = entry1;
-+ size = compatr->size;
- xt_entry_foreach(iter0, entry0, compatr->size)
- compat_copy_entry_from_user(iter0, &pos, &size,
- newinfo, entry1);
-
-+ /* all module references in entry0 are now gone. */
- xt_compat_flush_offsets(AF_INET6);
- xt_compat_unlock(AF_INET6);
-
-- ret = -ELOOP;
-- if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
-- goto free_newinfo;
-+ memcpy(&repl, compatr, sizeof(*compatr));
-
-- i = 0;
-- xt_entry_foreach(iter1, entry1, newinfo->size) {
-- ret = compat_check_entry(iter1, net, compatr->name);
-- if (ret != 0)
-- break;
-- ++i;
-- if (strcmp(ip6t_get_target(iter1)->u.user.name,
-- XT_ERROR_TARGET) == 0)
-- ++newinfo->stacksize;
-- }
-- if (ret) {
-- /*
-- * The first i matches need cleanup_entry (calls ->destroy)
-- * because they had called ->check already. The other j-i
-- * entries need only release.
-- */
-- int skip = i;
-- j -= i;
-- xt_entry_foreach(iter0, entry0, newinfo->size) {
-- if (skip-- > 0)
-- continue;
-- if (j-- == 0)
-- break;
-- compat_release_entry(iter0);
-- }
-- xt_entry_foreach(iter1, entry1, newinfo->size) {
-- if (i-- == 0)
-- break;
-- cleanup_entry(iter1, net);
-- }
-- xt_free_table_info(newinfo);
-- return ret;
-+ for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-+ repl.hook_entry[i] = newinfo->hook_entry[i];
-+ repl.underflow[i] = newinfo->underflow[i];
- }
-
-- /* And one copy for every other CPU */
-- for_each_possible_cpu(i)
-- if (newinfo->entries[i] && newinfo->entries[i] != entry1)
-- memcpy(newinfo->entries[i], entry1, newinfo->size);
-+ repl.num_counters = 0;
-+ repl.counters = NULL;
-+ repl.size = newinfo->size;
-+ ret = translate_table(net, newinfo, entry1, &repl);
-+ if (ret)
-+ goto free_newinfo;
-
- *pinfo = newinfo;
- *pentry0 = entry1;
-@@ -1781,17 +1681,16 @@ translate_compat_table(struct net *net,
-
- free_newinfo:
- xt_free_table_info(newinfo);
--out:
-+ return ret;
-+out_unlock:
-+ xt_compat_flush_offsets(AF_INET6);
-+ xt_compat_unlock(AF_INET6);
- xt_entry_foreach(iter0, entry0, compatr->size) {
- if (j-- == 0)
- break;
- compat_release_entry(iter0);
- }
- return ret;
--out_unlock:
-- xt_compat_flush_offsets(AF_INET6);
-- xt_compat_unlock(AF_INET6);
-- goto out;
- }
-
- static int
---- a/net/netfilter/x_tables.c
-+++ b/net/netfilter/x_tables.c
-@@ -552,6 +552,7 @@ void xt_compat_match_from_user(struct xt
- struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
- int pad, off = xt_compat_match_offset(match);
- u_int16_t msize = cm->u.user.match_size;
-+ char name[sizeof(m->u.user.name)];
-
- m = *dstptr;
- memcpy(m, cm, sizeof(*cm));
-@@ -565,6 +566,9 @@ void xt_compat_match_from_user(struct xt
-
- msize += off;
- m->u.user.match_size = msize;
-+ strlcpy(name, match->name, sizeof(name));
-+ module_put(match->me);
-+ strncpy(m->u.user.name, name, sizeof(m->u.user.name));
-
- *size += off;
- *dstptr += msize;
-@@ -782,6 +786,7 @@ void xt_compat_target_from_user(struct x
- struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
- int pad, off = xt_compat_target_offset(target);
- u_int16_t tsize = ct->u.user.target_size;
-+ char name[sizeof(t->u.user.name)];
-
- t = *dstptr;
- memcpy(t, ct, sizeof(*ct));
-@@ -795,6 +800,9 @@ void xt_compat_target_from_user(struct x
-
- tsize += off;
- t->u.user.target_size = tsize;
-+ strlcpy(name, target->name, sizeof(name));
-+ module_put(target->me);
-+ strncpy(t->u.user.name, name, sizeof(t->u.user.name));
-
- *size += off;
- *dstptr += tsize;
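Review bot: the `memcpy(&repl, compatr, sizeof(*compatr))` added to translate_compat_table in ip6_tables.c depends on the compat request and the native `struct ip6t_replace` sharing the same leading layout, and nothing in the code says so. The lines after it overwrite hook_entry, underflow, num_counters, counters and size, so every other field that translate_table() reads from repl comes from that raw copy. Either assign the needed fields explicitly or add a comment stating the layout assumption. In the x_tables.c hunks, a one-line comment on why the name goes through a stack buffer around `module_put()` would also help.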
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch b/debian/patches/bugfix/all/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch
deleted file mode 100644
index ed9dc85..0000000
--- a/debian/patches/bugfix/all/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 14:17:21 +0200
-Subject: netfilter: x_tables: don't move to non-existent next rule
-Origin: https://git.kernel.org/linus/f24e230d257af1ad7476c6e81a8dc3127a74204e
-
-Ben Hawkes says:
-
- In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
- is possible for a user-supplied ipt_entry structure to have a large
- next_offset field. This field is not bounds checked prior to writing a
- counter value at the supplied offset.
-
-Base chains enforce absolute verdict.
-
-User defined chains are supposed to end with an unconditional return,
-xtables userspace adds them automatically.
-
-But if such return is missing we will move to non-existent next rule.
-
-Reported-by: Ben Hawkes <hawkes at google.com>
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- net/ipv4/netfilter/arp_tables.c | 8 +++++---
- net/ipv4/netfilter/ip_tables.c | 4 ++++
- net/ipv6/netfilter/ip6_tables.c | 4 ++++
- 3 files changed, 13 insertions(+), 3 deletions(-)
-
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -435,6 +435,8 @@ static int mark_source_chains(const stru
- size = e->next_offset;
- e = (struct arpt_entry *)
- (entry0 + pos + size);
-+ if (pos + size >= newinfo->size)
-+ return 0;
- e->counters.pcnt = pos;
- pos += size;
- } else {
-@@ -457,6 +459,8 @@ static int mark_source_chains(const stru
- } else {
- /* ... this is a fallthru */
- newpos = pos + e->next_offset;
-+ if (newpos >= newinfo->size)
-+ return 0;
- }
- e = (struct arpt_entry *)
- (entry0 + newpos);
-@@ -680,10 +684,8 @@ static int translate_table(struct xt_tab
- }
- }
-
-- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) {
-- duprintf("Looping hook\n");
-+ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
- return -ELOOP;
-- }
-
- /* Finally, each sanity check must pass */
- i = 0;
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -516,6 +516,8 @@ mark_source_chains(const struct xt_table
- size = e->next_offset;
- e = (struct ipt_entry *)
- (entry0 + pos + size);
-+ if (pos + size >= newinfo->size)
-+ return 0;
- e->counters.pcnt = pos;
- pos += size;
- } else {
-@@ -537,6 +539,8 @@ mark_source_chains(const struct xt_table
- } else {
- /* ... this is a fallthru */
- newpos = pos + e->next_offset;
-+ if (newpos >= newinfo->size)
-+ return 0;
- }
- e = (struct ipt_entry *)
- (entry0 + newpos);
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -526,6 +526,8 @@ mark_source_chains(const struct xt_table
- size = e->next_offset;
- e = (struct ip6t_entry *)
- (entry0 + pos + size);
-+ if (pos + size >= newinfo->size)
-+ return 0;
- e->counters.pcnt = pos;
- pos += size;
- } else {
-@@ -547,6 +549,8 @@ mark_source_chains(const struct xt_table
- } else {
- /* ... this is a fallthru */
- newpos = pos + e->next_offset;
-+ if (newpos >= newinfo->size)
-+ return 0;
- }
- e = (struct ip6t_entry *)
- (entry0 + newpos);
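Review bot: the new `return 0` paths in mark_source_chains (the `pos + size >= newinfo->size` and `newpos >= newinfo->size` checks) are turned into -ELOOP by the caller, as the arp_tables.c translate_table hunk shows, so a chain that runs off the end of the blob is reported as a loop. A comment at both checks saying that 0 now also means "next rule does not exist" would make that clear. The checks test only the start offset of the next entry, so whether the following `e->counters.pcnt` write stays in bounds depends on entry sizes having been validated before this point; the comment should state that dependency.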
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch b/debian/patches/bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch
deleted file mode 100644
index 1d2a14e..0000000
--- a/debian/patches/bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Wed, 1 Jun 2016 02:04:44 +0200
-Subject: netfilter: x_tables: don't reject valid target size on some
- architectures
-Origin: https://git.kernel.org/linus/7b7eba0f3515fca3296b8881d583f7c1042f5226
-
-Quoting John Stultz:
- In updating a 32bit arm device from 4.6 to Linus' current HEAD, I
- noticed I was having some trouble with networking, and realized that
- /proc/net/ip_tables_names was suddenly empty.
- Digging through the registration process, it seems we're catching on the:
-
- if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
- target_offset + sizeof(struct xt_standard_target) != next_offset)
- return -EINVAL;
-
- Where next_offset seems to be 4 bytes larger then the
- offset + standard_target struct size.
-
-next_offset needs to be aligned via XT_ALIGN (so we can access all members
-of ip(6)t_entry struct).
-
-This problem didn't show up on i686 as it only needs 4-byte alignment for
-u64, but iptables userspace on other 32bit arches does insert extra padding.
-
-Reported-by: John Stultz <john.stultz at linaro.org>
-Tested-by: John Stultz <john.stultz at linaro.org>
-Fixes: 7ed2abddd20cf ("netfilter: x_tables: check standard target size too")
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- net/netfilter/x_tables.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/net/netfilter/x_tables.c
-+++ b/net/netfilter/x_tables.c
-@@ -628,7 +628,7 @@ int xt_compat_check_entry_offsets(const
- return -EINVAL;
-
- if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
-- target_offset + sizeof(struct compat_xt_standard_target) != next_offset)
-+ COMPAT_XT_ALIGN(target_offset + sizeof(struct compat_xt_standard_target)) != next_offset)
- return -EINVAL;
-
- /* compat_xt_entry match has less strict aligment requirements,
-@@ -710,7 +710,7 @@ int xt_check_entry_offsets(const void *b
- return -EINVAL;
-
- if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
-- target_offset + sizeof(struct xt_standard_target) != next_offset)
-+ XT_ALIGN(target_offset + sizeof(struct xt_standard_target)) != next_offset)
- return -EINVAL;
-
- return xt_check_entry_match(elems, base + target_offset,
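Review bot: both changed comparisons, `COMPAT_XT_ALIGN(...) != next_offset` in xt_compat_check_entry_offsets and `XT_ALIGN(...) != next_offset` in xt_check_entry_offsets, carry the padding rule only in the expression. A short comment above each check saying that next_offset is expected to be the aligned end of the standard target would keep the reasoning from the commit message next to the code. The compat line also runs well past 80 columns and could be wrapped.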
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch b/debian/patches/bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch
deleted file mode 100644
index 982785b..0000000
--- a/debian/patches/bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch
+++ /dev/null
@@ -1,331 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 15:37:59 +0200
-Subject: netfilter: x_tables: introduce and use xt_copy_counters_from_user
-Origin: https://git.kernel.org/linus/d7591f0c41ce3e67600a982bab6989ef0f07b3ce
-
-The three variants use same copy&pasted code, condense this into a
-helper and use that.
-
-Make sure info.name is 0-terminated.
-
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- include/linux/netfilter/x_tables.h | 3 ++
- net/ipv4/netfilter/arp_tables.c | 48 +++----------------------
- net/ipv4/netfilter/ip_tables.c | 48 +++----------------------
- net/ipv6/netfilter/ip6_tables.c | 49 +++----------------------
- net/netfilter/x_tables.c | 74 ++++++++++++++++++++++++++++++++++++++
- 5 files changed, 92 insertions(+), 130 deletions(-)
-
---- a/include/linux/netfilter/x_tables.h
-+++ b/include/linux/netfilter/x_tables.h
-@@ -248,6 +248,9 @@ int xt_check_match(struct xt_mtchk_param
- int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
- bool inv_proto);
-
-+void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
-+ struct xt_counters_info *info, bool compat);
-+
- struct xt_table *xt_register_table(struct net *net,
- const struct xt_table *table,
- struct xt_table_info *bootstrap,
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -1121,56 +1121,18 @@ static int do_add_counters(struct net *n
- unsigned int i, curcpu;
- struct xt_counters_info tmp;
- struct xt_counters *paddc;
-- unsigned int num_counters;
-- const char *name;
-- int size;
-- void *ptmp;
- struct xt_table *t;
- const struct xt_table_info *private;
- int ret = 0;
- void *loc_cpu_entry;
- struct arpt_entry *iter;
- unsigned int addend;
--#ifdef CONFIG_COMPAT
-- struct compat_xt_counters_info compat_tmp;
-
-- if (compat) {
-- ptmp = &compat_tmp;
-- size = sizeof(struct compat_xt_counters_info);
-- } else
--#endif
-- {
-- ptmp = &tmp;
-- size = sizeof(struct xt_counters_info);
-- }
--
-- if (copy_from_user(ptmp, user, size) != 0)
-- return -EFAULT;
--
--#ifdef CONFIG_COMPAT
-- if (compat) {
-- num_counters = compat_tmp.num_counters;
-- name = compat_tmp.name;
-- } else
--#endif
-- {
-- num_counters = tmp.num_counters;
-- name = tmp.name;
-- }
--
-- if (len != size + num_counters * sizeof(struct xt_counters))
-- return -EINVAL;
--
-- paddc = vmalloc(len - size);
-- if (!paddc)
-- return -ENOMEM;
--
-- if (copy_from_user(paddc, user + size, len - size) != 0) {
-- ret = -EFAULT;
-- goto free;
-- }
-+ paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
-+ if (IS_ERR(paddc))
-+ return PTR_ERR(paddc);
-
-- t = xt_find_table_lock(net, NFPROTO_ARP, name);
-+ t = xt_find_table_lock(net, NFPROTO_ARP, tmp.name);
- if (IS_ERR_OR_NULL(t)) {
- ret = t ? PTR_ERR(t) : -ENOENT;
- goto free;
-@@ -1178,7 +1140,7 @@ static int do_add_counters(struct net *n
-
- local_bh_disable();
- private = t->private;
-- if (private->number != num_counters) {
-+ if (private->number != tmp.num_counters) {
- ret = -EINVAL;
- goto unlock_up_free;
- }
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -1308,56 +1308,18 @@ do_add_counters(struct net *net, const v
- unsigned int i, curcpu;
- struct xt_counters_info tmp;
- struct xt_counters *paddc;
-- unsigned int num_counters;
-- const char *name;
-- int size;
-- void *ptmp;
- struct xt_table *t;
- const struct xt_table_info *private;
- int ret = 0;
- void *loc_cpu_entry;
- struct ipt_entry *iter;
- unsigned int addend;
--#ifdef CONFIG_COMPAT
-- struct compat_xt_counters_info compat_tmp;
-
-- if (compat) {
-- ptmp = &compat_tmp;
-- size = sizeof(struct compat_xt_counters_info);
-- } else
--#endif
-- {
-- ptmp = &tmp;
-- size = sizeof(struct xt_counters_info);
-- }
--
-- if (copy_from_user(ptmp, user, size) != 0)
-- return -EFAULT;
--
--#ifdef CONFIG_COMPAT
-- if (compat) {
-- num_counters = compat_tmp.num_counters;
-- name = compat_tmp.name;
-- } else
--#endif
-- {
-- num_counters = tmp.num_counters;
-- name = tmp.name;
-- }
--
-- if (len != size + num_counters * sizeof(struct xt_counters))
-- return -EINVAL;
--
-- paddc = vmalloc(len - size);
-- if (!paddc)
-- return -ENOMEM;
--
-- if (copy_from_user(paddc, user + size, len - size) != 0) {
-- ret = -EFAULT;
-- goto free;
-- }
-+ paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
-+ if (IS_ERR(paddc))
-+ return PTR_ERR(paddc);
-
-- t = xt_find_table_lock(net, AF_INET, name);
-+ t = xt_find_table_lock(net, AF_INET, tmp.name);
- if (IS_ERR_OR_NULL(t)) {
- ret = t ? PTR_ERR(t) : -ENOENT;
- goto free;
-@@ -1365,7 +1327,7 @@ do_add_counters(struct net *net, const v
-
- local_bh_disable();
- private = t->private;
-- if (private->number != num_counters) {
-+ if (private->number != tmp.num_counters) {
- ret = -EINVAL;
- goto unlock_up_free;
- }
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -1318,56 +1318,17 @@ do_add_counters(struct net *net, const v
- unsigned int i, curcpu;
- struct xt_counters_info tmp;
- struct xt_counters *paddc;
-- unsigned int num_counters;
-- char *name;
-- int size;
-- void *ptmp;
- struct xt_table *t;
- const struct xt_table_info *private;
- int ret = 0;
- const void *loc_cpu_entry;
- struct ip6t_entry *iter;
- unsigned int addend;
--#ifdef CONFIG_COMPAT
-- struct compat_xt_counters_info compat_tmp;
-
-- if (compat) {
-- ptmp = &compat_tmp;
-- size = sizeof(struct compat_xt_counters_info);
-- } else
--#endif
-- {
-- ptmp = &tmp;
-- size = sizeof(struct xt_counters_info);
-- }
--
-- if (copy_from_user(ptmp, user, size) != 0)
-- return -EFAULT;
--
--#ifdef CONFIG_COMPAT
-- if (compat) {
-- num_counters = compat_tmp.num_counters;
-- name = compat_tmp.name;
-- } else
--#endif
-- {
-- num_counters = tmp.num_counters;
-- name = tmp.name;
-- }
--
-- if (len != size + num_counters * sizeof(struct xt_counters))
-- return -EINVAL;
--
-- paddc = vmalloc(len - size);
-- if (!paddc)
-- return -ENOMEM;
--
-- if (copy_from_user(paddc, user + size, len - size) != 0) {
-- ret = -EFAULT;
-- goto free;
-- }
--
-- t = xt_find_table_lock(net, AF_INET6, name);
-+ paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
-+ if (IS_ERR(paddc))
-+ return PTR_ERR(paddc);
-+ t = xt_find_table_lock(net, AF_INET6, tmp.name);
- if (IS_ERR_OR_NULL(t)) {
- ret = t ? PTR_ERR(t) : -ENOENT;
- goto free;
-@@ -1376,7 +1337,7 @@ do_add_counters(struct net *net, const v
-
- local_bh_disable();
- private = t->private;
-- if (private->number != num_counters) {
-+ if (private->number != tmp.num_counters) {
- ret = -EINVAL;
- goto unlock_up_free;
- }
---- a/net/netfilter/x_tables.c
-+++ b/net/netfilter/x_tables.c
-@@ -771,6 +771,80 @@ int xt_check_target(struct xt_tgchk_para
- }
- EXPORT_SYMBOL_GPL(xt_check_target);
-
-+/**
-+ * xt_copy_counters_from_user - copy counters and metadata from userspace
-+ *
-+ * @user: src pointer to userspace memory
-+ * @len: alleged size of userspace memory
-+ * @info: where to store the xt_counters_info metadata
-+ * @compat: true if we setsockopt call is done by 32bit task on 64bit kernel
-+ *
-+ * Copies counter meta data from @user and stores it in @info.
-+ *
-+ * vmallocs memory to hold the counters, then copies the counter data
-+ * from @user to the new memory and returns a pointer to it.
-+ *
-+ * If @compat is true, @info gets converted automatically to the 64bit
-+ * representation.
-+ *
-+ * The metadata associated with the counters is stored in @info.
-+ *
-+ * Return: returns pointer that caller has to test via IS_ERR().
-+ * If IS_ERR is false, caller has to vfree the pointer.
-+ */
-+void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
-+ struct xt_counters_info *info, bool compat)
-+{
-+ void *mem;
-+ u64 size;
-+
-+#ifdef CONFIG_COMPAT
-+ if (compat) {
-+ /* structures only differ in size due to alignment */
-+ struct compat_xt_counters_info compat_tmp;
-+
-+ if (len <= sizeof(compat_tmp))
-+ return ERR_PTR(-EINVAL);
-+
-+ len -= sizeof(compat_tmp);
-+ if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
-+ return ERR_PTR(-EFAULT);
-+
-+ strlcpy(info->name, compat_tmp.name, sizeof(info->name));
-+ info->num_counters = compat_tmp.num_counters;
-+ user += sizeof(compat_tmp);
-+ } else
-+#endif
-+ {
-+ if (len <= sizeof(*info))
-+ return ERR_PTR(-EINVAL);
-+
-+ len -= sizeof(*info);
-+ if (copy_from_user(info, user, sizeof(*info)) != 0)
-+ return ERR_PTR(-EFAULT);
-+
-+ info->name[sizeof(info->name) - 1] = '\0';
-+ user += sizeof(*info);
-+ }
-+
-+ size = sizeof(struct xt_counters);
-+ size *= info->num_counters;
-+
-+ if (size != (u64)len)
-+ return ERR_PTR(-EINVAL);
-+
-+ mem = vmalloc(len);
-+ if (!mem)
-+ return ERR_PTR(-ENOMEM);
-+
-+ if (copy_from_user(mem, user, len) == 0)
-+ return mem;
-+
-+ vfree(mem);
-+ return ERR_PTR(-EFAULT);
-+}
-+EXPORT_SYMBOL_GPL(xt_copy_counters_from_user);
-+
- #ifdef CONFIG_COMPAT
- int xt_compat_target_offset(const struct xt_target *target)
- {
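Review bot: in the compat branch of xt_copy_counters_from_user, `strlcpy(info->name, compat_tmp.name, sizeof(info->name))` runs on a name that was just copied from userspace and has not been NUL-terminated, and strlcpy() scans its source to the terminating NUL to compute its return value, so an unterminated name makes it read past `compat_tmp.name`. The native branch handles this by writing `info->name[sizeof(info->name) - 1] = '\0'` after the copy; the compat branch should terminate `compat_tmp.name` the same way before the strlcpy(), or use a bounded copy followed by explicit termination. Separately, the kernel-doc line for @compat reads "true if we setsockopt call" and needs rewording.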
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-kill-check_entry-helper.patch b/debian/patches/bugfix/all/netfilter-x_tables-kill-check_entry-helper.patch
deleted file mode 100644
index 4dfba53..0000000
--- a/debian/patches/bugfix/all/netfilter-x_tables-kill-check_entry-helper.patch
+++ /dev/null
@@ -1,149 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 14:17:24 +0200
-Subject: netfilter: x_tables: kill check_entry helper
-Origin: https://git.kernel.org/linus/aa412ba225dd3bc36d404c28cdc3d674850d80d0
-
-Once we add more sanity testing to xt_check_entry_offsets it
-becomes relvant if we're expecting a 32bit 'config_compat' blob
-or a normal one.
-
-Since we already have a lot of similar-named functions (check_entry,
-compat_check_entry, find_and_check_entry, etc.) and the current
-incarnation is short just fold its contents into the callers.
-
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- net/ipv4/netfilter/arp_tables.c | 19 ++++++++-----------
- net/ipv4/netfilter/ip_tables.c | 20 ++++++++------------
- net/ipv6/netfilter/ip6_tables.c | 20 ++++++++------------
- 3 files changed, 24 insertions(+), 35 deletions(-)
-
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -490,14 +490,6 @@ static int mark_source_chains(const stru
- return 1;
- }
-
--static inline int check_entry(const struct arpt_entry *e)
--{
-- if (!arp_checkentry(&e->arp))
-- return -EINVAL;
--
-- return xt_check_entry_offsets(e, e->target_offset, e->next_offset);
--}
--
- static inline int check_target(struct arpt_entry *e, const char *name)
- {
- struct xt_entry_target *t = arpt_get_target(e);
-@@ -587,7 +579,10 @@ static inline int check_entry_size_and_h
- return -EINVAL;
- }
-
-- err = check_entry(e);
-+ if (!arp_checkentry(&e->arp))
-+ return -EINVAL;
-+
-+ err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
- if (err)
- return err;
-
-@@ -1246,8 +1241,10 @@ check_compat_entry_size_and_hooks(struct
- return -EINVAL;
- }
-
-- /* For purposes of check_entry casting the compat entry is fine */
-- ret = check_entry((struct arpt_entry *)e);
-+ if (!arp_checkentry(&e->arp))
-+ return -EINVAL;
-+
-+ ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
- if (ret)
- return ret;
-
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -584,15 +584,6 @@ static void cleanup_match(struct xt_entr
- }
-
- static int
--check_entry(const struct ipt_entry *e)
--{
-- if (!ip_checkentry(&e->ip))
-- return -EINVAL;
--
-- return xt_check_entry_offsets(e, e->target_offset, e->next_offset);
--}
--
--static int
- check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
- {
- const struct ipt_ip *ip = par->entryinfo;
-@@ -748,7 +739,10 @@ check_entry_size_and_hooks(struct ipt_en
- return -EINVAL;
- }
-
-- err = check_entry(e);
-+ if (!ip_checkentry(&e->ip))
-+ return -EINVAL;
-+
-+ err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
- if (err)
- return err;
-
-@@ -1512,8 +1506,10 @@ check_compat_entry_size_and_hooks(struct
- return -EINVAL;
- }
-
-- /* For purposes of check_entry casting the compat entry is fine */
-- ret = check_entry((struct ipt_entry *)e);
-+ if (!ip_checkentry(&e->ip))
-+ return -EINVAL;
-+
-+ ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
- if (ret)
- return ret;
-
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -593,15 +593,6 @@ static void cleanup_match(struct xt_entr
- module_put(par.match->me);
- }
-
--static int
--check_entry(const struct ip6t_entry *e)
--{
-- if (!ip6_checkentry(&e->ipv6))
-- return -EINVAL;
--
-- return xt_check_entry_offsets(e, e->target_offset, e->next_offset);
--}
--
- static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
- {
- const struct ip6t_ip6 *ipv6 = par->entryinfo;
-@@ -759,7 +750,10 @@ check_entry_size_and_hooks(struct ip6t_e
- return -EINVAL;
- }
-
-- err = check_entry(e);
-+ if (!ip6_checkentry(&e->ipv6))
-+ return -EINVAL;
-+
-+ err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
- if (err)
- return err;
-
-@@ -1524,8 +1518,10 @@ check_compat_entry_size_and_hooks(struct
- return -EINVAL;
- }
-
-- /* For purposes of check_entry casting the compat entry is fine */
-- ret = check_entry((struct ip6t_entry *)e);
-+ if (!ip6_checkentry(&e->ipv6))
-+ return -EINVAL;
-+
-+ ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
- if (ret)
- return ret;
-
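Review bot: in the three check_compat_entry_size_and_hooks hunks, the removed comment ("For purposes of check_entry casting the compat entry is fine") was the only note that a compat entry is being validated with the native xt_check_entry_offsets(), and the folded code now passes the compat `e` straight in with no explanation. Since the commit message says the compat/native distinction is about to matter, keep a comment at each of these call sites stating that the native checker is used on a compat entry for now. The two-line check is also now repeated in six places, so any later change to it has to be made in all of them.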
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-speed-up-jump-target-validation.patch b/debian/patches/bugfix/all/netfilter-x_tables-speed-up-jump-target-validation.patch
deleted file mode 100644
index e0861f1..0000000
--- a/debian/patches/bugfix/all/netfilter-x_tables-speed-up-jump-target-validation.patch
+++ /dev/null
@@ -1,493 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Wed, 3 Aug 2016 11:34:46 -0400
-Subject: netfilter: x_tables: speed up jump target validation
-Origin: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=f5bba514aff9bb5a7f2ea8e918d8c53684fb6195
-
-[ Upstream commit f4dc77713f8016d2e8a3295e1c9c53a21f296def ]
-
-The dummy ruleset I used to test the original validation change was broken,
-most rules were unreachable and were not tested by mark_source_chains().
-
-In some cases rulesets that used to load in a few seconds now require
-several minutes.
-
-sample ruleset that shows the behaviour:
-
-echo "*filter"
-for i in $(seq 0 100000);do
- printf ":chain_%06x - [0:0]\n" $i
-done
-for i in $(seq 0 100000);do
- printf -- "-A INPUT -j chain_%06x\n" $i
- printf -- "-A INPUT -j chain_%06x\n" $i
- printf -- "-A INPUT -j chain_%06x\n" $i
-done
-echo COMMIT
-
-[ pipe result into iptables-restore ]
-
-This ruleset will be about 74mbyte in size, with ~500k searches
-though all 500k[1] rule entries. iptables-restore will take forever
-(gave up after 10 minutes)
-
-Instead of always searching the entire blob for a match, fill an
-array with the start offsets of every single ipt_entry struct,
-then do a binary search to check if the jump target is present or not.
-
-After this change ruleset restore times get again close to what one
-gets when reverting 36472341017529e (~3 seconds on my workstation).
-
-[1] every user-defined rule gets an implicit RETURN, so we get
-300k jumps + 100k userchains + 100k returns -> 500k rule entries
-
-Fixes: 36472341017529e ("netfilter: x_tables: validate targets of jumps")
-Reported-by: Jeff Wu <wujiafu at gmail.com>
-Tested-by: Jeff Wu <wujiafu at gmail.com>
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Sasha Levin <alexander.levin at verizon.com>
-[carnil: backport to 3.16, adjust context]
----
- include/linux/netfilter/x_tables.h | 4 +++
- net/ipv4/netfilter/arp_tables.c | 48 ++++++++++++++++++------------------
- net/ipv4/netfilter/ip_tables.c | 45 ++++++++++++++++++----------------
- net/ipv6/netfilter/ip6_tables.c | 45 ++++++++++++++++++----------------
- net/netfilter/x_tables.c | 50 ++++++++++++++++++++++++++++++++++++++
- 5 files changed, 127 insertions(+), 65 deletions(-)
-
---- a/include/linux/netfilter/x_tables.h
-+++ b/include/linux/netfilter/x_tables.h
-@@ -243,6 +243,10 @@ int xt_check_entry_offsets(const void *b
- unsigned int target_offset,
- unsigned int next_offset);
-
-+unsigned int *xt_alloc_entry_offsets(unsigned int size);
-+bool xt_find_jump_offset(const unsigned int *offsets,
-+ unsigned int target, unsigned int size);
-+
- int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto,
- bool inv_proto);
- int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -363,24 +363,12 @@ static inline bool unconditional(const s
- memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
- }
-
--static bool find_jump_target(const struct xt_table_info *t,
-- const void *entry0,
-- const struct arpt_entry *target)
--{
-- struct arpt_entry *iter;
--
-- xt_entry_foreach(iter, entry0, t->size) {
-- if (iter == target)
-- return true;
-- }
-- return false;
--}
--
- /* Figures out from what hook each rule can be called: returns 0 if
- * there are loops. Puts hook bitmask in comefrom.
- */
- static int mark_source_chains(const struct xt_table_info *newinfo,
-- unsigned int valid_hooks, void *entry0)
-+ unsigned int valid_hooks, void *entry0,
-+ unsigned int *offsets)
- {
- unsigned int hook;
-
-@@ -469,10 +457,11 @@ static int mark_source_chains(const stru
- /* This a jump; chase it. */
- duprintf("Jump rule %u -> %u\n",
- pos, newpos);
-+ if (!xt_find_jump_offset(offsets, newpos,
-+ newinfo->number))
-+ return 0;
- e = (struct arpt_entry *)
- (entry0 + newpos);
-- if (!find_jump_target(newinfo, entry0, e))
-- return 0;
- } else {
- /* ... this is a fallthru */
- newpos = pos + e->next_offset;
-@@ -632,6 +621,7 @@ static int translate_table(struct xt_tab
- const struct arpt_replace *repl)
- {
- struct arpt_entry *iter;
-+ unsigned int *offsets;
- unsigned int i;
- int ret = 0;
-
-@@ -645,8 +635,10 @@ static int translate_table(struct xt_tab
- }
-
- duprintf("translate_table: size %u\n", newinfo->size);
-+ offsets = xt_alloc_entry_offsets(newinfo->number);
-+ if (!offsets)
-+ return -ENOMEM;
- i = 0;
--
- /* Walk through entries, checking offsets. */
- xt_entry_foreach(iter, entry0, newinfo->size) {
- ret = check_entry_size_and_hooks(iter, newinfo, entry0,
-@@ -655,7 +647,9 @@ static int translate_table(struct xt_tab
- repl->underflow,
- repl->valid_hooks);
- if (ret != 0)
-- break;
-+ goto out_free;
-+ if (i < repl->num_entries)
-+ offsets[i] = (void *)iter - entry0;
- ++i;
- if (strcmp(arpt_get_target(iter)->u.user.name,
- XT_ERROR_TARGET) == 0)
-@@ -663,12 +657,13 @@ static int translate_table(struct xt_tab
- }
- duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
- if (ret != 0)
-- return ret;
-+ goto out_free;
-
-+ ret = -EINVAL;
- if (i != repl->num_entries) {
- duprintf("translate_table: %u not %u entries\n",
- i, repl->num_entries);
-- return -EINVAL;
-+ goto out_free;
- }
-
- /* Check hooks all assigned */
-@@ -679,17 +674,20 @@ static int translate_table(struct xt_tab
- if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
- duprintf("Invalid hook entry %u %u\n",
- i, repl->hook_entry[i]);
-- return -EINVAL;
-+ goto out_free;
- }
- if (newinfo->underflow[i] == 0xFFFFFFFF) {
- duprintf("Invalid underflow %u %u\n",
- i, repl->underflow[i]);
-- return -EINVAL;
-+ goto out_free;
- }
- }
-
-- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
-- return -ELOOP;
-+ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {
-+ ret = -ELOOP;
-+ goto out_free;
-+ }
-+ kvfree(offsets);
-
- /* Finally, each sanity check must pass */
- i = 0;
-@@ -716,6 +714,9 @@ static int translate_table(struct xt_tab
- }
-
- return ret;
-+ out_free:
-+ kvfree(offsets);
-+ return ret;
- }
-
- static void get_counters(const struct xt_table_info *t,
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -439,24 +439,12 @@ ipt_do_table(struct sk_buff *skb,
- #endif
- }
-
--static bool find_jump_target(const struct xt_table_info *t,
-- const void *entry0,
-- const struct ipt_entry *target)
--{
-- struct ipt_entry *iter;
--
-- xt_entry_foreach(iter, entry0, t->size) {
-- if (iter == target)
-- return true;
-- }
-- return false;
--}
--
- /* Figures out from what hook each rule can be called: returns 0 if
- there are loops. Puts hook bitmask in comefrom. */
- static int
- mark_source_chains(const struct xt_table_info *newinfo,
-- unsigned int valid_hooks, void *entry0)
-+ unsigned int valid_hooks, void *entry0,
-+ unsigned int *offsets)
- {
- unsigned int hook;
-
-@@ -549,10 +537,11 @@ mark_source_chains(const struct xt_table
- /* This a jump; chase it. */
- duprintf("Jump rule %u -> %u\n",
- pos, newpos);
-+ if (!xt_find_jump_offset(offsets, newpos,
-+ newinfo->number))
-+ return 0;
- e = (struct ipt_entry *)
- (entry0 + newpos);
-- if (!find_jump_target(newinfo, entry0, e))
-- return 0;
- } else {
- /* ... this is a fallthru */
- newpos = pos + e->next_offset;
-@@ -799,6 +788,7 @@ translate_table(struct net *net, struct
- const struct ipt_replace *repl)
- {
- struct ipt_entry *iter;
-+ unsigned int *offsets;
- unsigned int i;
- int ret = 0;
-
-@@ -812,6 +802,9 @@ translate_table(struct net *net, struct
- }
-
- duprintf("translate_table: size %u\n", newinfo->size);
-+ offsets = xt_alloc_entry_offsets(newinfo->number);
-+ if (!offsets)
-+ return -ENOMEM;
- i = 0;
- /* Walk through entries, checking offsets. */
- xt_entry_foreach(iter, entry0, newinfo->size) {
-@@ -821,17 +814,20 @@ translate_table(struct net *net, struct
- repl->underflow,
- repl->valid_hooks);
- if (ret != 0)
-- return ret;
-+ goto out_free;
-+ if (i < repl->num_entries)
-+ offsets[i] = (void *)iter - entry0;
- ++i;
- if (strcmp(ipt_get_target(iter)->u.user.name,
- XT_ERROR_TARGET) == 0)
- ++newinfo->stacksize;
- }
-
-+ ret = -EINVAL;
- if (i != repl->num_entries) {
- duprintf("translate_table: %u not %u entries\n",
- i, repl->num_entries);
-- return -EINVAL;
-+ goto out_free;
- }
-
- /* Check hooks all assigned */
-@@ -842,17 +838,20 @@ translate_table(struct net *net, struct
- if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
- duprintf("Invalid hook entry %u %u\n",
- i, repl->hook_entry[i]);
-- return -EINVAL;
-+ goto out_free;
- }
- if (newinfo->underflow[i] == 0xFFFFFFFF) {
- duprintf("Invalid underflow %u %u\n",
- i, repl->underflow[i]);
-- return -EINVAL;
-+ goto out_free;
- }
- }
-
-- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
-- return -ELOOP;
-+ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {
-+ ret = -ELOOP;
-+ goto out_free;
-+ }
-+ kvfree(offsets);
-
- /* Finally, each sanity check must pass */
- i = 0;
-@@ -879,6 +878,9 @@ translate_table(struct net *net, struct
- }
-
- return ret;
-+ out_free:
-+ kvfree(offsets);
-+ return ret;
- }
-
- static void
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -449,24 +449,12 @@ ip6t_do_table(struct sk_buff *skb,
- #endif
- }
-
--static bool find_jump_target(const struct xt_table_info *t,
-- const void *entry0,
-- const struct ip6t_entry *target)
--{
-- struct ip6t_entry *iter;
--
-- xt_entry_foreach(iter, entry0, t->size) {
-- if (iter == target)
-- return true;
-- }
-- return false;
--}
--
- /* Figures out from what hook each rule can be called: returns 0 if
- there are loops. Puts hook bitmask in comefrom. */
- static int
- mark_source_chains(const struct xt_table_info *newinfo,
-- unsigned int valid_hooks, void *entry0)
-+ unsigned int valid_hooks, void *entry0,
-+ unsigned int *offsets)
- {
- unsigned int hook;
-
-@@ -559,10 +547,11 @@ mark_source_chains(const struct xt_table
- /* This a jump; chase it. */
- duprintf("Jump rule %u -> %u\n",
- pos, newpos);
-+ if (!xt_find_jump_offset(offsets, newpos,
-+ newinfo->number))
-+ return 0;
- e = (struct ip6t_entry *)
- (entry0 + newpos);
-- if (!find_jump_target(newinfo, entry0, e))
-- return 0;
- } else {
- /* ... this is a fallthru */
- newpos = pos + e->next_offset;
-@@ -809,6 +798,7 @@ translate_table(struct net *net, struct
- const struct ip6t_replace *repl)
- {
- struct ip6t_entry *iter;
-+ unsigned int *offsets;
- unsigned int i;
- int ret = 0;
-
-@@ -822,6 +812,9 @@ translate_table(struct net *net, struct
- }
-
- duprintf("translate_table: size %u\n", newinfo->size);
-+ offsets = xt_alloc_entry_offsets(newinfo->number);
-+ if (!offsets)
-+ return -ENOMEM;
- i = 0;
- /* Walk through entries, checking offsets. */
- xt_entry_foreach(iter, entry0, newinfo->size) {
-@@ -831,17 +824,20 @@ translate_table(struct net *net, struct
- repl->underflow,
- repl->valid_hooks);
- if (ret != 0)
-- return ret;
-+ goto out_free;
-+ if (i < repl->num_entries)
-+ offsets[i] = (void *)iter - entry0;
- ++i;
- if (strcmp(ip6t_get_target(iter)->u.user.name,
- XT_ERROR_TARGET) == 0)
- ++newinfo->stacksize;
- }
-
-+ ret = -EINVAL;
- if (i != repl->num_entries) {
- duprintf("translate_table: %u not %u entries\n",
- i, repl->num_entries);
-- return -EINVAL;
-+ goto out_free;
- }
-
- /* Check hooks all assigned */
-@@ -852,17 +848,20 @@ translate_table(struct net *net, struct
- if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
- duprintf("Invalid hook entry %u %u\n",
- i, repl->hook_entry[i]);
-- return -EINVAL;
-+ goto out_free;
- }
- if (newinfo->underflow[i] == 0xFFFFFFFF) {
- duprintf("Invalid underflow %u %u\n",
- i, repl->underflow[i]);
-- return -EINVAL;
-+ goto out_free;
- }
- }
-
-- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
-- return -ELOOP;
-+ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {
-+ ret = -ELOOP;
-+ goto out_free;
-+ }
-+ kvfree(offsets);
-
- /* Finally, each sanity check must pass */
- i = 0;
-@@ -889,6 +888,9 @@ translate_table(struct net *net, struct
- }
-
- return ret;
-+ out_free:
-+ kvfree(offsets);
-+ return ret;
- }
-
- static void
---- a/net/netfilter/x_tables.c
-+++ b/net/netfilter/x_tables.c
-@@ -721,6 +721,56 @@ int xt_check_entry_offsets(const void *b
- }
- EXPORT_SYMBOL(xt_check_entry_offsets);
-
-+/**
-+ * xt_alloc_entry_offsets - allocate array to store rule head offsets
-+ *
-+ * @size: number of entries
-+ *
-+ * Return: NULL or kmalloc'd or vmalloc'd array
-+ */
-+unsigned int *xt_alloc_entry_offsets(unsigned int size)
-+{
-+ unsigned int *off;
-+
-+ off = kcalloc(size, sizeof(unsigned int), GFP_KERNEL | __GFP_NOWARN);
-+
-+ if (off)
-+ return off;
-+
-+ if (size < (SIZE_MAX / sizeof(unsigned int)))
-+ off = vmalloc(size * sizeof(unsigned int));
-+
-+ return off;
-+}
-+EXPORT_SYMBOL(xt_alloc_entry_offsets);
-+
-+/**
-+ * xt_find_jump_offset - check if target is a valid jump offset
-+ *
-+ * @offsets: array containing all valid rule start offsets of a rule blob
-+ * @target: the jump target to search for
-+ * @size: entries in @offset
-+ */
-+bool xt_find_jump_offset(const unsigned int *offsets,
-+ unsigned int target, unsigned int size)
-+{
-+ int m, low = 0, hi = size;
-+
-+ while (hi > low) {
-+ m = (low + hi) / 2u;
-+
-+ if (offsets[m] > target)
-+ hi = m;
-+ else if (offsets[m] < target)
-+ low = m + 1;
-+ else
-+ return true;
-+ }
-+
-+ return false;
-+}
-+EXPORT_SYMBOL(xt_find_jump_offset);
-+
- int xt_check_target(struct xt_tgchk_param *par,
- unsigned int size, u_int8_t proto, bool inv_proto)
- {
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch b/debian/patches/bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch
deleted file mode 100644
index fff80bd..0000000
--- a/debian/patches/bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 14:17:29 +0200
-Subject: netfilter: x_tables: validate all offsets and sizes in a rule
-Origin: https://git.kernel.org/linus/13631bfc604161a9d69cd68991dff8603edd66f9
-
-Validate that all matches (if any) add up to the beginning of
-the target and that each match covers at least the base structure size.
-
-The compat path should be able to safely re-use the function
-as the structures only differ in alignment; added a
-BUILD_BUG_ON just in case we have an arch that adds padding as well.
-
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- net/netfilter/x_tables.c | 81 +++++++++++++++++++++++++++++++++++++++++++++---
- 1 file changed, 76 insertions(+), 5 deletions(-)
-
---- a/net/netfilter/x_tables.c
-+++ b/net/netfilter/x_tables.c
-@@ -435,6 +435,47 @@ int xt_check_match(struct xt_mtchk_param
- }
- EXPORT_SYMBOL_GPL(xt_check_match);
-
-+/** xt_check_entry_match - check that matches end before start of target
-+ *
-+ * @match: beginning of xt_entry_match
-+ * @target: beginning of this rules target (alleged end of matches)
-+ * @alignment: alignment requirement of match structures
-+ *
-+ * Validates that all matches add up to the beginning of the target,
-+ * and that each match covers at least the base structure size.
-+ *
-+ * Return: 0 on success, negative errno on failure.
-+ */
-+static int xt_check_entry_match(const char *match, const char *target,
-+ const size_t alignment)
-+{
-+ const struct xt_entry_match *pos;
-+ int length = target - match;
-+
-+ if (length == 0) /* no matches */
-+ return 0;
-+
-+ pos = (struct xt_entry_match *)match;
-+ do {
-+ if ((unsigned long)pos % alignment)
-+ return -EINVAL;
-+
-+ if (length < (int)sizeof(struct xt_entry_match))
-+ return -EINVAL;
-+
-+ if (pos->u.match_size < sizeof(struct xt_entry_match))
-+ return -EINVAL;
-+
-+ if (pos->u.match_size > length)
-+ return -EINVAL;
-+
-+ length -= pos->u.match_size;
-+ pos = ((void *)((char *)(pos) + (pos)->u.match_size));
-+ } while (length > 0);
-+
-+ return 0;
-+}
-+
- #ifdef CONFIG_COMPAT
- int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)
- {
-@@ -590,7 +631,14 @@ int xt_compat_check_entry_offsets(const
- target_offset + sizeof(struct compat_xt_standard_target) != next_offset)
- return -EINVAL;
-
-- return 0;
-+ /* compat_xt_entry match has less strict aligment requirements,
-+ * otherwise they are identical. In case of padding differences
-+ * we need to add compat version of xt_check_entry_match.
-+ */
-+ BUILD_BUG_ON(sizeof(struct compat_xt_entry_match) != sizeof(struct xt_entry_match));
-+
-+ return xt_check_entry_match(elems, base + target_offset,
-+ __alignof__(struct compat_xt_entry_match));
- }
- EXPORT_SYMBOL(xt_compat_check_entry_offsets);
- #endif /* CONFIG_COMPAT */
-@@ -603,17 +651,39 @@ EXPORT_SYMBOL(xt_compat_check_entry_offs
- * @target_offset: the arp/ip/ip6_t->target_offset
- * @next_offset: the arp/ip/ip6_t->next_offset
- *
-- * validates that target_offset and next_offset are sane.
-- * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.
-+ * validates that target_offset and next_offset are sane and that all
-+ * match sizes (if any) align with the target offset.
- *
- * This function does not validate the targets or matches themselves, it
-- * only tests that all the offsets and sizes are correct.
-+ * only tests that all the offsets and sizes are correct, that all
-+ * match structures are aligned, and that the last structure ends where
-+ * the target structure begins.
-+ *
-+ * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.
- *
- * The arp/ip/ip6t_entry structure @base must have passed following tests:
- * - it must point to a valid memory location
- * - base to base + next_offset must be accessible, i.e. not exceed allocated
- * length.
- *
-+ * A well-formed entry looks like this:
-+ *
-+ * ip(6)t_entry match [mtdata] match [mtdata] target [tgdata] ip(6)t_entry
-+ * e->elems[]-----' | |
-+ * matchsize | |
-+ * matchsize | |
-+ * | |
-+ * target_offset---------------------------------' |
-+ * next_offset---------------------------------------------------'
-+ *
-+ * elems[]: flexible array member at end of ip(6)/arpt_entry struct.
-+ * This is where matches (if any) and the target reside.
-+ * target_offset: beginning of target.
-+ * next_offset: start of the next rule; also: size of this rule.
-+ * Since targets have a minimum size, target_offset + minlen <= next_offset.
-+ *
-+ * Every match stores its size, sum of sizes must not exceed target_offset.
-+ *
- * Return: 0 on success, negative errno on failure.
- */
- int xt_check_entry_offsets(const void *base,
-@@ -643,7 +713,8 @@ int xt_check_entry_offsets(const void *b
- target_offset + sizeof(struct xt_standard_target) != next_offset)
- return -EINVAL;
-
-- return 0;
-+ return xt_check_entry_match(elems, base + target_offset,
-+ __alignof__(struct xt_entry_match));
- }
- EXPORT_SYMBOL(xt_check_entry_offsets);
-
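Review bot: in xt_check_entry_match(), `int length = target - match;` only special-cases `length == 0`; a target that lies before the first match gives a negative length that is rejected only incidentally by the `length < (int)sizeof(struct xt_entry_match)` test inside the loop. An explicit `if (length < 0) return -EINVAL;` ahead of the loop would make that intent visible. The new comment block also says the sum of match sizes "must not exceed target_offset", while the loop accepts only an exact fit (a positive remainder smaller than the base structure returns -EINVAL), so the wording should say the sizes must add up to the target offset. "aligment" in the compat comment is a typo.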
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch b/debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch
deleted file mode 100644
index d8d50e3..0000000
--- a/debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 14:17:22 +0200
-Subject: netfilter: x_tables: validate targets of jumps
-Origin: https://git.kernel.org/linus/36472341017529e2b12573093cc0f68719300997
-
-When we see a jump also check that the offset gets us to beginning of
-a rule (an ipt_entry).
-
-The extra overhead is negible, even with absurd cases.
-
-300k custom rules, 300k jumps to 'next' user chain:
-[ plus one jump from INPUT to first userchain ]:
-
-Before:
-real 0m24.874s
-user 0m7.532s
-sys 0m16.076s
-
-After:
-real 0m27.464s
-user 0m7.436s
-sys 0m18.840s
-
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- net/ipv4/netfilter/arp_tables.c | 16 ++++++++++++++++
- net/ipv4/netfilter/ip_tables.c | 16 ++++++++++++++++
- net/ipv6/netfilter/ip6_tables.c | 16 ++++++++++++++++
- 3 files changed, 48 insertions(+)
-
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -363,6 +363,19 @@ static inline bool unconditional(const s
- memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
- }
-
-+static bool find_jump_target(const struct xt_table_info *t,
-+ const void *entry0,
-+ const struct arpt_entry *target)
-+{
-+ struct arpt_entry *iter;
-+
-+ xt_entry_foreach(iter, entry0, t->size) {
-+ if (iter == target)
-+ return true;
-+ }
-+ return false;
-+}
-+
- /* Figures out from what hook each rule can be called: returns 0 if
- * there are loops. Puts hook bitmask in comefrom.
- */
-@@ -456,6 +468,10 @@ static int mark_source_chains(const stru
- /* This a jump; chase it. */
- duprintf("Jump rule %u -> %u\n",
- pos, newpos);
-+ e = (struct arpt_entry *)
-+ (entry0 + newpos);
-+ if (!find_jump_target(newinfo, entry0, e))
-+ return 0;
- } else {
- /* ... this is a fallthru */
- newpos = pos + e->next_offset;
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -439,6 +439,19 @@ ipt_do_table(struct sk_buff *skb,
- #endif
- }
-
-+static bool find_jump_target(const struct xt_table_info *t,
-+ const void *entry0,
-+ const struct ipt_entry *target)
-+{
-+ struct ipt_entry *iter;
-+
-+ xt_entry_foreach(iter, entry0, t->size) {
-+ if (iter == target)
-+ return true;
-+ }
-+ return false;
-+}
-+
- /* Figures out from what hook each rule can be called: returns 0 if
- there are loops. Puts hook bitmask in comefrom. */
- static int
-@@ -536,6 +548,10 @@ mark_source_chains(const struct xt_table
- /* This a jump; chase it. */
- duprintf("Jump rule %u -> %u\n",
- pos, newpos);
-+ e = (struct ipt_entry *)
-+ (entry0 + newpos);
-+ if (!find_jump_target(newinfo, entry0, e))
-+ return 0;
- } else {
- /* ... this is a fallthru */
- newpos = pos + e->next_offset;
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -449,6 +449,19 @@ ip6t_do_table(struct sk_buff *skb,
- #endif
- }
-
-+static bool find_jump_target(const struct xt_table_info *t,
-+ const void *entry0,
-+ const struct ip6t_entry *target)
-+{
-+ struct ip6t_entry *iter;
-+
-+ xt_entry_foreach(iter, entry0, t->size) {
-+ if (iter == target)
-+ return true;
-+ }
-+ return false;
-+}
-+
- /* Figures out from what hook each rule can be called: returns 0 if
- there are loops. Puts hook bitmask in comefrom. */
- static int
-@@ -546,6 +558,10 @@ mark_source_chains(const struct xt_table
- /* This a jump; chase it. */
- duprintf("Jump rule %u -> %u\n",
- pos, newpos);
-+ e = (struct ip6t_entry *)
-+ (entry0 + newpos);
-+ if (!find_jump_target(newinfo, entry0, e))
-+ return 0;
- } else {
- /* ... this is a fallthru */
- newpos = pos + e->next_offset;
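Review bot: in the mark_source_chains() hunks, a jump whose target is not a rule start now makes the function return 0, which its own comment documents as "returns 0 if there are loops", so callers that turn 0 into -ELOOP report a malformed offset as a loop; the comment should be updated or the two cases distinguished. find_jump_target() is also added verbatim in three files and walks the whole table for every jump; a shared helper in x_tables.c that takes the offset would remove both the duplication and the linear scan per jump.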
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch b/debian/patches/bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch
deleted file mode 100644
index 388627d..0000000
--- a/debian/patches/bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch
+++ /dev/null
@@ -1,234 +0,0 @@
-From: Florian Westphal <fw at strlen.de>
-Date: Fri, 1 Apr 2016 14:17:33 +0200
-Subject: netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
-Origin: https://git.kernel.org/linus/0188346f21e6546498c2a0f84888797ad4063fc5
-
-Always returned 0.
-
-Signed-off-by: Florian Westphal <fw at strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- include/linux/netfilter/x_tables.h | 2 +-
- net/ipv4/netfilter/arp_tables.c | 17 +++++------------
- net/ipv4/netfilter/ip_tables.c | 26 +++++++++-----------------
- net/ipv6/netfilter/ip6_tables.c | 27 +++++++++------------------
- net/netfilter/x_tables.c | 5 ++---
- 5 files changed, 26 insertions(+), 51 deletions(-)
-
---- a/include/linux/netfilter/x_tables.h
-+++ b/include/linux/netfilter/x_tables.h
-@@ -425,7 +425,7 @@ void xt_compat_init_offsets(u_int8_t af,
- int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
-
- int xt_compat_match_offset(const struct xt_match *match);
--int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
-+void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
- unsigned int *size);
- int xt_compat_match_to_user(const struct xt_entry_match *m,
- void __user **dstptr, unsigned int *size);
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -1300,7 +1300,7 @@ out:
- return ret;
- }
-
--static int
-+static void
- compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
- unsigned int *size,
- struct xt_table_info *newinfo, unsigned char *base)
-@@ -1309,9 +1309,8 @@ compat_copy_entry_from_user(struct compa
- struct xt_target *target;
- struct arpt_entry *de;
- unsigned int origsize;
-- int ret, h;
-+ int h;
-
-- ret = 0;
- origsize = *size;
- de = (struct arpt_entry *)*dstptr;
- memcpy(de, e, sizeof(struct arpt_entry));
-@@ -1332,7 +1331,6 @@ compat_copy_entry_from_user(struct compa
- if ((unsigned char *)de - base < newinfo->underflow[h])
- newinfo->underflow[h] -= origsize - *size;
- }
-- return ret;
- }
-
- static int translate_compat_table(struct xt_table_info **pinfo,
-@@ -1411,16 +1409,11 @@ static int translate_compat_table(struct
- entry1 = newinfo->entries[raw_smp_processor_id()];
- pos = entry1;
- size = compatr->size;
-- xt_entry_foreach(iter0, entry0, compatr->size) {
-- ret = compat_copy_entry_from_user(iter0, &pos, &size,
-- newinfo, entry1);
-- if (ret != 0)
-- break;
-- }
-+ xt_entry_foreach(iter0, entry0, compatr->size)
-+ compat_copy_entry_from_user(iter0, &pos, &size,
-+ newinfo, entry1);
- xt_compat_flush_offsets(NFPROTO_ARP);
- xt_compat_unlock(NFPROTO_ARP);
-- if (ret)
-- goto free_newinfo;
-
- ret = -ELOOP;
- if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -1564,7 +1564,7 @@ release_matches:
- return ret;
- }
-
--static int
-+static void
- compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
- unsigned int *size,
- struct xt_table_info *newinfo, unsigned char *base)
-@@ -1573,10 +1573,9 @@ compat_copy_entry_from_user(struct compa
- struct xt_target *target;
- struct ipt_entry *de;
- unsigned int origsize;
-- int ret, h;
-+ int h;
- struct xt_entry_match *ematch;
-
-- ret = 0;
- origsize = *size;
- de = (struct ipt_entry *)*dstptr;
- memcpy(de, e, sizeof(struct ipt_entry));
-@@ -1585,11 +1584,9 @@ compat_copy_entry_from_user(struct compa
- *dstptr += sizeof(struct ipt_entry);
- *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
-
-- xt_ematch_foreach(ematch, e) {
-- ret = xt_compat_match_from_user(ematch, dstptr, size);
-- if (ret != 0)
-- return ret;
-- }
-+ xt_ematch_foreach(ematch, e)
-+ xt_compat_match_from_user(ematch, dstptr, size);
-+
- de->target_offset = e->target_offset - (origsize - *size);
- t = compat_ipt_get_target(e);
- target = t->u.kernel.target;
-@@ -1602,7 +1599,6 @@ compat_copy_entry_from_user(struct compa
- if ((unsigned char *)de - base < newinfo->underflow[h])
- newinfo->underflow[h] -= origsize - *size;
- }
-- return ret;
- }
-
- static int
-@@ -1718,16 +1714,12 @@ translate_compat_table(struct net *net,
- entry1 = newinfo->entries[raw_smp_processor_id()];
- pos = entry1;
- size = compatr->size;
-- xt_entry_foreach(iter0, entry0, compatr->size) {
-- ret = compat_copy_entry_from_user(iter0, &pos, &size,
-- newinfo, entry1);
-- if (ret != 0)
-- break;
-- }
-+ xt_entry_foreach(iter0, entry0, compatr->size)
-+ compat_copy_entry_from_user(iter0, &pos, &size,
-+ newinfo, entry1);
-+
- xt_compat_flush_offsets(AF_INET);
- xt_compat_unlock(AF_INET);
-- if (ret)
-- goto free_newinfo;
-
- ret = -ELOOP;
- if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -1577,7 +1577,7 @@ release_matches:
- return ret;
- }
-
--static int
-+static void
- compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
- unsigned int *size,
- struct xt_table_info *newinfo, unsigned char *base)
-@@ -1585,10 +1585,9 @@ compat_copy_entry_from_user(struct compa
- struct xt_entry_target *t;
- struct ip6t_entry *de;
- unsigned int origsize;
-- int ret, h;
-+ int h;
- struct xt_entry_match *ematch;
-
-- ret = 0;
- origsize = *size;
- de = (struct ip6t_entry *)*dstptr;
- memcpy(de, e, sizeof(struct ip6t_entry));
-@@ -1597,11 +1596,9 @@ compat_copy_entry_from_user(struct compa
- *dstptr += sizeof(struct ip6t_entry);
- *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
-
-- xt_ematch_foreach(ematch, e) {
-- ret = xt_compat_match_from_user(ematch, dstptr, size);
-- if (ret != 0)
-- return ret;
-- }
-+ xt_ematch_foreach(ematch, e)
-+ xt_compat_match_from_user(ematch, dstptr, size);
-+
- de->target_offset = e->target_offset - (origsize - *size);
- t = compat_ip6t_get_target(e);
- xt_compat_target_from_user(t, dstptr, size);
-@@ -1613,7 +1610,6 @@ compat_copy_entry_from_user(struct compa
- if ((unsigned char *)de - base < newinfo->underflow[h])
- newinfo->underflow[h] -= origsize - *size;
- }
-- return ret;
- }
-
- static int compat_check_entry(struct ip6t_entry *e, struct net *net,
-@@ -1728,17 +1724,12 @@ translate_compat_table(struct net *net,
- }
- entry1 = newinfo->entries[raw_smp_processor_id()];
- pos = entry1;
-- size = compatr->size;
-- xt_entry_foreach(iter0, entry0, compatr->size) {
-- ret = compat_copy_entry_from_user(iter0, &pos, &size,
-- newinfo, entry1);
-- if (ret != 0)
-- break;
-- }
-+ xt_entry_foreach(iter0, entry0, compatr->size)
-+ compat_copy_entry_from_user(iter0, &pos, &size,
-+ newinfo, entry1);
-+
- xt_compat_flush_offsets(AF_INET6);
- xt_compat_unlock(AF_INET6);
-- if (ret)
-- goto free_newinfo;
-
- ret = -ELOOP;
- if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
---- a/net/netfilter/x_tables.c
-+++ b/net/netfilter/x_tables.c
-@@ -545,8 +545,8 @@ int xt_compat_match_offset(const struct
- }
- EXPORT_SYMBOL_GPL(xt_compat_match_offset);
-
--int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
-- unsigned int *size)
-+void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
-+ unsigned int *size)
- {
- const struct xt_match *match = m->u.kernel.match;
- struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
-@@ -568,7 +568,6 @@ int xt_compat_match_from_user(struct xt_
-
- *size += off;
- *dstptr += msize;
-- return 0;
- }
- EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
-
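Review bot: the ip6_tables.c translate_compat_table() hunk also deletes `size = compatr->size;`, which the matching arp_tables.c and ip_tables.c hunks keep as context. compat_copy_entry_from_user() still takes `&size` and reads it (`origsize = *size;`), so unless size is assigned outside the visible context this leaves it uninitialised on the IPv6 path; the assignment should be restored so the three files stay in step.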
diff --git a/debian/patches/bugfix/all/nfsd-check-permissions-when-setting-ACLs.patch b/debian/patches/bugfix/all/nfsd-check-permissions-when-setting-ACLs.patch
deleted file mode 100644
index ad02271..0000000
--- a/debian/patches/bugfix/all/nfsd-check-permissions-when-setting-ACLs.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Wed, 22 Jun 2016 19:43:35 +0100
-Subject: [2/2] nfsd: check permissions when setting ACLs
-Origin: https://git.kernel.org/linus/999653786df6954a31044528ac3f7a5dadca08f4
-
-Use set_posix_acl, which includes proper permission checks, instead of
-calling ->set_acl directly. Without this anyone may be able to grant
-themselves permissions to a file by setting the ACL.
-
-Lock the inode to make the new checks atomic with respect to set_acl.
-(Also, nfsd was the only caller of set_acl not locking the inode, so I
-suspect this may fix other races.)
-
-This also simplifies the code, and ensures our ACLs are checked by
-posix_acl_valid.
-
-The permission checks and the inode locking were lost with commit
-4ac7249e, which changed nfsd to use the set_acl inode operation directly
-instead of going through xattr handlers.
-
-Reported-by: David Sinquin <david at sinquin.eu>
-[agreunba at redhat.com: use set_posix_acl]
-Fixes: 4ac7249e
-Cc: Christoph Hellwig <hch at infradead.org>
-Cc: Al Viro <viro at zeniv.linux.org.uk>
-Cc: stable at vger.kernel.org
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
-[carnil: backport for 3.16: adjust context]
----
- fs/nfsd/nfs2acl.c | 20 ++++++++++----------
- fs/nfsd/nfs3acl.c | 16 +++++++---------
- fs/nfsd/nfs4acl.c | 16 ++++++++--------
- 3 files changed, 25 insertions(+), 27 deletions(-)
-
---- a/fs/nfsd/nfs2acl.c
-+++ b/fs/nfsd/nfs2acl.c
-@@ -104,22 +104,21 @@ static __be32 nfsacld_proc_setacl(struct
- goto out;
-
- inode = fh->fh_dentry->d_inode;
-- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) {
-- error = -EOPNOTSUPP;
-- goto out_errno;
-- }
-
- error = fh_want_write(fh);
- if (error)
- goto out_errno;
-
-- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS);
-+ fh_lock(fh);
-+
-+ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access);
- if (error)
-- goto out_drop_write;
-- error = inode->i_op->set_acl(inode, argp->acl_default,
-- ACL_TYPE_DEFAULT);
-+ goto out_drop_lock;
-+ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);
- if (error)
-- goto out_drop_write;
-+ goto out_drop_lock;
-+
-+ fh_unlock(fh);
-
- fh_drop_write(fh);
-
-@@ -131,7 +130,8 @@ out:
- posix_acl_release(argp->acl_access);
- posix_acl_release(argp->acl_default);
- return nfserr;
--out_drop_write:
-+out_drop_lock:
-+ fh_unlock(fh);
- fh_drop_write(fh);
- out_errno:
- nfserr = nfserrno(error);
---- a/fs/nfsd/nfs3acl.c
-+++ b/fs/nfsd/nfs3acl.c
-@@ -95,22 +95,20 @@ static __be32 nfsd3_proc_setacl(struct s
- goto out;
-
- inode = fh->fh_dentry->d_inode;
-- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) {
-- error = -EOPNOTSUPP;
-- goto out_errno;
-- }
-
- error = fh_want_write(fh);
- if (error)
- goto out_errno;
-
-- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS);
-+ fh_lock(fh);
-+
-+ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access);
- if (error)
-- goto out_drop_write;
-- error = inode->i_op->set_acl(inode, argp->acl_default,
-- ACL_TYPE_DEFAULT);
-+ goto out_drop_lock;
-+ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);
-
--out_drop_write:
-+out_drop_lock:
-+ fh_unlock(fh);
- fh_drop_write(fh);
- out_errno:
- nfserr = nfserrno(error);
---- a/fs/nfsd/nfs4acl.c
-+++ b/fs/nfsd/nfs4acl.c
-@@ -822,9 +822,6 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
- dentry = fhp->fh_dentry;
- inode = dentry->d_inode;
-
-- if (!inode->i_op->set_acl || !IS_POSIXACL(inode))
-- return nfserr_attrnotsupp;
--
- if (S_ISDIR(inode->i_mode))
- flags = NFS4_ACL_DIR;
-
-@@ -834,16 +831,19 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
- if (host_error < 0)
- goto out_nfserr;
-
-- host_error = inode->i_op->set_acl(inode, pacl, ACL_TYPE_ACCESS);
-+ fh_lock(fhp);
-+
-+ host_error = set_posix_acl(inode, ACL_TYPE_ACCESS, pacl);
- if (host_error < 0)
-- goto out_release;
-+ goto out_drop_lock;
-
- if (S_ISDIR(inode->i_mode)) {
-- host_error = inode->i_op->set_acl(inode, dpacl,
-- ACL_TYPE_DEFAULT);
-+ host_error = set_posix_acl(inode, ACL_TYPE_DEFAULT, dpacl);
- }
-
--out_release:
-+out_drop_lock:
-+ fh_unlock(fhp);
-+
- posix_acl_release(pacl);
- posix_acl_release(dpacl);
- out_nfserr:
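Review bot: in nfsd4_set_nfs4_acl() the removed early `return nfserr_attrnotsupp;` is replaced by whatever set_posix_acl() returns, so please confirm that the out_nfserr path still maps the unsupported-ACL error to nfserr_attrnotsupp rather than a generic status. In nfs2acl.c and nfs3acl.c the unsupported case is now detected only after fh_want_write() and fh_lock() have been taken; the out_drop_lock label undoes both, but the changed ordering deserves a sentence in the commit message.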
diff --git a/debian/patches/bugfix/all/posix_acl-Add-set_posix_acl.patch b/debian/patches/bugfix/all/posix_acl-Add-set_posix_acl.patch
deleted file mode 100644
index 56fae1d..0000000
--- a/debian/patches/bugfix/all/posix_acl-Add-set_posix_acl.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From: Andreas Gruenbacher <agruenba at redhat.com>
-Date: Wed, 22 Jun 2016 23:57:25 +0200
-Subject: [1/2] posix_acl: Add set_posix_acl
-Origin: https://git.kernel.org/linus/485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f
-
-Factor out part of posix_acl_xattr_set into a common function that takes
-a posix_acl, which nfsd can also call.
-
-The prototype already exists in include/linux/posix_acl.h.
-
-Signed-off-by: Andreas Gruenbacher <agruenba at redhat.com>
-Cc: stable at vger.kernel.org
-Cc: Christoph Hellwig <hch at infradead.org>
-Cc: Al Viro <viro at zeniv.linux.org.uk>
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
-[carnil: backport to 3.16: adjust context]
----
- fs/posix_acl.c | 42 +++++++++++++++++++++++-------------------
- 1 file changed, 23 insertions(+), 19 deletions(-)
-
---- a/fs/posix_acl.c
-+++ b/fs/posix_acl.c
-@@ -787,38 +787,42 @@ posix_acl_xattr_get(struct dentry *dentr
- return error;
- }
-
--static int
--posix_acl_xattr_set(struct dentry *dentry, const char *name,
-- const void *value, size_t size, int flags, int type)
-+int
-+set_posix_acl(struct inode *inode, int type, struct posix_acl *acl)
- {
-- struct inode *inode = dentry->d_inode;
-- struct posix_acl *acl = NULL;
-- int ret;
--
- if (!IS_POSIXACL(inode))
- return -EOPNOTSUPP;
- if (!inode->i_op->set_acl)
- return -EOPNOTSUPP;
-
- if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
-- return value ? -EACCES : 0;
-+ return acl ? -EACCES : 0;
- if (!inode_owner_or_capable(inode))
- return -EPERM;
-
-+ if (acl) {
-+ int ret = posix_acl_valid(acl);
-+ if (ret)
-+ return ret;
-+ }
-+ return inode->i_op->set_acl(inode, acl, type);
-+}
-+EXPORT_SYMBOL(set_posix_acl);
-+
-+static int
-+posix_acl_xattr_set(struct dentry *dentry, const char *name,
-+ const void *value, size_t size, int flags, int type)
-+{
-+ struct inode *inode = dentry->d_inode;
-+ struct posix_acl *acl = NULL;
-+ int ret;
-+
- if (value) {
- acl = posix_acl_from_xattr(&init_user_ns, value, size);
- if (IS_ERR(acl))
- return PTR_ERR(acl);
--
-- if (acl) {
-- ret = posix_acl_valid(acl);
-- if (ret)
-- goto out;
-- }
- }
--
-- ret = inode->i_op->set_acl(inode, acl, type);
--out:
-+ ret = set_posix_acl(inode, type, acl);
- posix_acl_release(acl);
- return ret;
- }
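Review bot: in the reworked posix_acl_xattr_set(), posix_acl_from_xattr() now runs before the IS_POSIXACL, set_acl and inode_owner_or_capable() checks, which moved into set_posix_acl(), so a caller who will be refused with -EOPNOTSUPP or -EPERM still has the xattr parsed and an ACL allocated first. The ACL_TYPE_DEFAULT test on a non-directory also changed from `value ? -EACCES : 0` to `acl ? -EACCES : 0`; the removed `if (acl)` guard after the parse implies acl can be NULL for a non-NULL value, in which case the xattr path now returns 0 where it used to return -EACCES. Please confirm both are intended, and give the newly exported set_posix_acl() a comment stating that it performs the ownership check and posix_acl_valid() itself, since the description says nfsd will call it.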
diff --git a/debian/patches/bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch b/debian/patches/bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
deleted file mode 100644
index fdc486b..0000000
--- a/debian/patches/bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Kangjie Lu <kangjielu at gmail.com>
-Date: Thu, 2 Jun 2016 04:11:20 -0400
-Subject: rds: fix an infoleak in rds_inc_info_copy
-Origin: https://git.kernel.org/linus/4116def2337991b39919f3b448326e21c40e0dbb
-
-The last field "flags" of object "minfo" is not initialized.
-Copying this object out may leak kernel stack data.
-Assign 0 to it to avoid leak.
-
-Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
-Acked-by: Santosh Shilimkar <santosh.shilimkar at oracle.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/rds/recv.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/net/rds/recv.c b/net/rds/recv.c
-index c0be1ec..8413f6c 100644
---- a/net/rds/recv.c
-+++ b/net/rds/recv.c
-@@ -561,5 +561,7 @@ void rds_inc_info_copy(struct rds_incoming *inc,
- minfo.fport = inc->i_hdr.h_dport;
- }
-
-+ minfo.flags = 0;
-+
- rds_info_copy(iter, &minfo, sizeof(minfo));
- }
---
-2.8.1
-
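Review bot: `minfo.flags = 0;` just before rds_info_copy() covers only the one field named in the description, so any padding in the struct, or a field added later, would still go out uninitialised through `rds_info_copy(iter, &minfo, sizeof(minfo))`. Zeroing the whole object once at the top of rds_inc_info_copy(), before the field assignments, removes the need to track fields one by one.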
diff --git a/debian/patches/bugfix/all/scsi-arcmsr-Buffer-overflow-in-arcmsr_iop_message_xf.patch b/debian/patches/bugfix/all/scsi-arcmsr-Buffer-overflow-in-arcmsr_iop_message_xf.patch
deleted file mode 100644
index 33fb567..0000000
--- a/debian/patches/bugfix/all/scsi-arcmsr-Buffer-overflow-in-arcmsr_iop_message_xf.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Dan Carpenter <dan.carpenter at oracle.com>
-Date: Thu, 15 Sep 2016 16:44:56 +0300
-Subject: scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
-Origin: https://git.kernel.org/linus/7bc2b55a5c030685b399bb65b6baa9ccc3d1f167
-
-We need to put an upper bound on "user_len" so the memcpy() doesn't
-overflow.
-
-Cc: <stable at vger.kernel.org>
-Reported-by: Marco Grassi <marco.gra at gmail.com>
-Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
-Reviewed-by: Tomas Henzl <thenzl at redhat.com>
-Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
----
- drivers/scsi/arcmsr/arcmsr_hba.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
-index 7640498..110eca9 100644
---- a/drivers/scsi/arcmsr/arcmsr_hba.c
-+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
-@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
- }
- case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
- unsigned char *ver_addr;
-- int32_t user_len, cnt2end;
-+ uint32_t user_len;
-+ int32_t cnt2end;
- uint8_t *pQbuffer, *ptmpuserbuffer;
- ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
- if (!ver_addr) {
-@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
- }
- ptmpuserbuffer = ver_addr;
- user_len = pcmdmessagefld->cmdmessage.Length;
-+ if (user_len > ARCMSR_API_DATA_BUFLEN) {
-+ retvalue = ARCMSR_MESSAGE_FAIL;
-+ kfree(ver_addr);
-+ goto message_out;
-+ }
- memcpy(ptmpuserbuffer,
- pcmdmessagefld->messagedatabuffer, user_len);
- spin_lock_irqsave(&acb->wqbuffer_lock, flags);
---
-2.9.3
-
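Review bot: in the ARCMSR_MESSAGE_WRITE_WQBUFFER case the new `user_len > ARCMSR_API_DATA_BUFLEN` test sits after the kmalloc(), so an oversized Length costs an atomic allocation and a kfree() before it is rejected; reading cmdmessage.Length and checking it ahead of the allocation would drop the extra cleanup line. The change of user_len from int32_t to uint32_t is what lets a single upper-bound comparison also reject values that were negative before, and that deserves a sentence in the description or a comment so the type is not changed back later.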
diff --git a/debian/patches/bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch b/debian/patches/bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
deleted file mode 100644
index 9b64443..0000000
--- a/debian/patches/bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Wed, 17 Aug 2016 05:56:26 -0700
-Subject: tcp: fix use after free in tcp_xmit_retransmit_queue()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/bb1fceca22492109be12640d49f5ea5a544c6bb4
-
-When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
-tail of the write queue using tcp_add_write_queue_tail()
-
-Then it attempts to copy user data into this fresh skb.
-
-If the copy fails, we undo the work and remove the fresh skb.
-
-Unfortunately, this undo lacks the change done to tp->highest_sack and
-we can leave a dangling pointer (to a freed skb)
-
-Later, tcp_xmit_retransmit_queue() can dereference this pointer and
-access freed memory. For regular kernels where memory is not unmapped,
-this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
-returning garbage instead of tp->snd_nxt, but with various debug
-features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
-
-This bug was found by Marco Grassi thanks to syzkaller.
-
-Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
-Reported-by: Marco Grassi <marco.gra at gmail.com>
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Cc: Ilpo Järvinen <ilpo.jarvinen at helsinki.fi>
-Cc: Yuchung Cheng <ycheng at google.com>
-Cc: Neal Cardwell <ncardwell at google.com>
-Acked-by: Neal Cardwell <ncardwell at google.com>
-Reviewed-by: Cong Wang <xiyou.wangcong at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- include/net/tcp.h | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/include/net/tcp.h
-+++ b/include/net/tcp.h
-@@ -1413,6 +1413,8 @@ static inline void tcp_check_send_head(s
- {
- if (sk->sk_send_head == skb_unlinked)
- sk->sk_send_head = NULL;
-+ if (tcp_sk(sk)->highest_sack == skb_unlinked)
-+ tcp_sk(sk)->highest_sack = NULL;
- }
-
- static inline void tcp_init_send_head(struct sock *sk)
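Review bot: the two lines added to tcp_check_send_head() leave tp->highest_sack as NULL once the unlinked skb is gone, so the fix depends on every reader of highest_sack accepting NULL; the description names tcp_highest_sack_seq() and tcp_xmit_retransmit_queue() as the affected readers, but the hunk touches neither. Please state in the description that NULL is already a handled value there (the text implies tp->snd_nxt is the expected fallback). The helper's name also no longer covers what it does, so a short comment above it listing both pointers it resets would help.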
diff --git a/debian/patches/bugfix/all/tcp-make-challenge-acks-less-predictable.patch b/debian/patches/bugfix/all/tcp-make-challenge-acks-less-predictable.patch
deleted file mode 100644
index f9c07f5..0000000
--- a/debian/patches/bugfix/all/tcp-make-challenge-acks-less-predictable.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Sun, 10 Jul 2016 10:04:02 +0200
-Subject: tcp: make challenge acks less predictable
-Origin: https://git.kernel.org/linus/75ff39ccc1bd5d3c455b6822ab09e533c551f758
-
-Yue Cao claims that current host rate limiting of challenge ACKS
-(RFC 5961) could leak enough information to allow a patient attacker
-to hijack TCP sessions. He will soon provide details in an academic
-paper.
-
-This patch increases the default limit from 100 to 1000, and adds
-some randomization so that the attacker can no longer hijack
-sessions without spending a considerable amount of probes.
-
-Based on initial analysis and patch from Linus.
-
-Note that we also have per socket rate limiting, so it is tempting
-to remove the host limit in the future.
-
-v2: randomize the count of challenge acks per second, not the period.
-
-Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
-Reported-by: Yue Cao <ycao009 at ucr.edu>
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Yuchung Cheng <ycheng at google.com>
-Cc: Neal Cardwell <ncardwell at google.com>
-Acked-by: Neal Cardwell <ncardwell at google.com>
-Acked-by: Yuchung Cheng <ycheng at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.16:
- - Adjust context
- - Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- net/ipv4/tcp_input.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_most
- EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
-
- /* rfc5961 challenge ack rate limiting */
--int sysctl_tcp_challenge_ack_limit = 100;
-+int sysctl_tcp_challenge_ack_limit = 1000;
-
- int sysctl_tcp_stdurg __read_mostly;
- int sysctl_tcp_rfc1337 __read_mostly;
-@@ -3285,13 +3285,18 @@ static void tcp_send_challenge_ack(struc
- /* unprotected vars, we dont care of overwrites */
- static u32 challenge_timestamp;
- static unsigned int challenge_count;
-- u32 now = jiffies / HZ;
-+ u32 count, now = jiffies / HZ;
-
- if (now != challenge_timestamp) {
-+ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
-+
- challenge_timestamp = now;
-- challenge_count = 0;
-+ ACCESS_ONCE(challenge_count) =
-+ half + prandom_u32_max(sysctl_tcp_challenge_ack_limit);
- }
-- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
-+ count = ACCESS_ONCE(challenge_count);
-+ if (count > 0) {
-+ ACCESS_ONCE(challenge_count) = count - 1;
- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
- tcp_send_ack(sk);
- }
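Review bot: with the refill in tcp_send_challenge_ack() set to `half + prandom_u32_max(sysctl_tcp_challenge_ack_limit)`, the per-second budget ranges from roughly half the sysctl value to roughly one and a half times it, so tcp_challenge_ack_limit is no longer an upper bound; its documentation should say so, along with the new default of 1000. The sysctl is also read twice without ACCESS_ONCE() while challenge_count is annotated; reading it once into a local would keep `half` and the random range consistent if the value is changed concurrently.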
diff --git a/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch b/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
deleted file mode 100644
index 9a05947..0000000
--- a/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Kangjie Lu <kangjielu at gmail.com>
-Date: Thu, 2 Jun 2016 04:04:56 -0400
-Subject: tipc: fix an infoleak in tipc_nl_compat_link_dump
-Origin: https://git.kernel.org/linus/5d2be1422e02ccd697ccfcd45c85b4a26e6178e2
-
-link_info.str is a char array of size 60. Memory after the NULL
-byte is not initialized. Sending the whole object out can cause
-a leak.
-
-Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[carnil: Backported to 3.16 (same as bwh did for 3.2): the unpadded strcpy() is
-in tipc_node_get_links() and no nlattr is involved, so use strncpy()]
----
---- a/net/tipc/node.c
-+++ b/net/tipc/node.c
-@@ -417,7 +417,8 @@ struct sk_buff *tipc_node_get_links(cons
- continue;
- link_info.dest = htonl(n_ptr->addr);
- link_info.up = htonl(tipc_link_is_up(n_ptr->links[i]));
-- strcpy(link_info.str, n_ptr->links[i]->name);
-+ strncpy(link_info.str, n_ptr->links[i]->name,
-+ sizeof(link_info.str));
- tipc_cfg_append_tlv(buf, TIPC_TLV_LINK_INFO,
- &link_info, sizeof(link_info));
- }
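Review bot: `strncpy(link_info.str, n_ptr->links[i]->name, sizeof(link_info.str))` zero-fills the tail, which closes the leak, but it leaves link_info.str without a terminating NUL if the link name is sizeof(link_info.str) bytes or longer. Either state in the backport note why name can never reach that length, or copy at most sizeof(link_info.str) - 1 bytes and set the last byte to '\0' explicitly.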
diff --git a/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch b/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
deleted file mode 100644
index 18616fe..0000000
--- a/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Kangjie Lu <kangjielu at gmail.com>
-Date: Tue, 3 May 2016 16:32:16 -0400
-Subject: USB: usbfs: fix potential infoleak in devio
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/681fef8380eb818c0b845fca5d2ab1dcbab114ee
-
-The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
-are padding bytes which are not initialized and leaked to userland
-via “copy_to_user”.
-
-Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- drivers/usb/core/devio.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
-index 73ce871..e9f5043 100644
---- a/drivers/usb/core/devio.c
-+++ b/drivers/usb/core/devio.c
-@@ -1316,10 +1316,11 @@ static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
-
- static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
- {
-- struct usbdevfs_connectinfo ci = {
-- .devnum = ps->dev->devnum,
-- .slow = ps->dev->speed == USB_SPEED_LOW
-- };
-+ struct usbdevfs_connectinfo ci;
-+
-+ memset(&ci, 0, sizeof(ci));
-+ ci.devnum = ps->dev->devnum;
-+ ci.slow = ps->dev->speed == USB_SPEED_LOW;
-
- if (copy_to_user(arg, &ci, sizeof(ci)))
- return -EFAULT;
---
-2.8.1
-
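Review bot: replacing the designated initialiser in proc_connectinfo() with memset() plus two assignments is the right shape for a struct that goes to copy_to_user() whole, but nothing in the code says why. Add a one-line comment that the memset clears the padding bytes, so a later cleanup does not fold it back into an initialiser.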
diff --git a/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch b/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
deleted file mode 100644
index 949390a..0000000
--- a/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From: Cyril Bur <cyrilbur at gmail.com>
-Date: Fri, 17 Jun 2016 14:58:34 +1000
-Subject: powerpc/tm: Always reclaim in start_thread() for exec() class
- syscalls
-Origin: https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit?id=8e96a87c5431c256feb65bcfc5aec92d9f7839b6
-
-Userspace can quite legitimately perform an exec() syscall with a
-suspended transaction. exec() does not return to the old process, rather
-it load a new one and starts that, the expectation therefore is that the
-new process starts not in a transaction. Currently exec() is not treated
-any differently to any other syscall which creates problems.
-
-Firstly it could allow a new process to start with a suspended
-transaction for a binary that no longer exists. This means that the
-checkpointed state won't be valid and if the suspended transaction were
-ever to be resumed and subsequently aborted (a possibility which is
-exceedingly likely as exec()ing will likely doom the transaction) the
-new process will jump to invalid state.
-
-Secondly the incorrect attempt to keep the transactional state while
-still zeroing state for the new process creates at least two TM Bad
-Things. The first triggers on the rfid to return to userspace as
-start_thread() has given the new process a 'clean' MSR but the suspend
-will still be set in the hardware MSR. The second TM Bad Thing triggers
-in __switch_to() as the processor is still transactionally suspended but
-__switch_to() wants to zero the TM sprs for the new process.
-
-This is an example of the outcome of calling exec() with a suspended
-transaction. Note the first 700 is likely the first TM bad thing
-decsribed earlier only the kernel can't report it as we've loaded
-userspace registers. c000000000009980 is the rfid in
-fast_exception_return()
-
- Bad kernel stack pointer 3fffcfa1a370 at c000000000009980
- Oops: Bad kernel stack pointer, sig: 6 [#1]
- CPU: 0 PID: 2006 Comm: tm-execed Not tainted
- NIP: c000000000009980 LR: 0000000000000000 CTR: 0000000000000000
- REGS: c00000003ffefd40 TRAP: 0700 Not tainted
- MSR: 8000000300201031 <SF,ME,IR,DR,LE,TM[SE]> CR: 00000000 XER: 00000000
- CFAR: c0000000000098b4 SOFTE: 0
- PACATMSCRATCH: b00000010000d033
- GPR00: 0000000000000000 00003fffcfa1a370 0000000000000000 0000000000000000
- GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
- GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
- GPR12: 00003fff966611c0 0000000000000000 0000000000000000 0000000000000000
- NIP [c000000000009980] fast_exception_return+0xb0/0xb8
- LR [0000000000000000] (null)
- Call Trace:
- Instruction dump:
- f84d0278 e9a100d8 7c7b03a6 e84101a0 7c4ff120 e8410170 7c5a03a6 e8010070
- e8410080 e8610088 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed023b
-
- Kernel BUG at c000000000043e80 [verbose debug info unavailable]
- Unexpected TM Bad Thing exception at c000000000043e80 (msr 0x201033)
- Oops: Unrecoverable exception, sig: 6 [#2]
- CPU: 0 PID: 2006 Comm: tm-execed Tainted: G D
- task: c0000000fbea6d80 ti: c00000003ffec000 task.ti: c0000000fb7ec000
- NIP: c000000000043e80 LR: c000000000015a24 CTR: 0000000000000000
- REGS: c00000003ffef7e0 TRAP: 0700 Tainted: G D
- MSR: 8000000300201033 <SF,ME,IR,DR,RI,LE,TM[SE]> CR: 28002828 XER: 00000000
- CFAR: c000000000015a20 SOFTE: 0
- PACATMSCRATCH: b00000010000d033
- GPR00: 0000000000000000 c00000003ffefa60 c000000000db5500 c0000000fbead000
- GPR04: 8000000300001033 2222222222222222 2222222222222222 00000000ff160000
- GPR08: 0000000000000000 800000010000d033 c0000000fb7e3ea0 c00000000fe00004
- GPR12: 0000000000002200 c00000000fe00000 0000000000000000 0000000000000000
- GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
- GPR20: 0000000000000000 0000000000000000 c0000000fbea7410 00000000ff160000
- GPR24: c0000000ffe1f600 c0000000fbea8700 c0000000fbea8700 c0000000fbead000
- GPR28: c000000000e20198 c0000000fbea6d80 c0000000fbeab680 c0000000fbea6d80
- NIP [c000000000043e80] tm_restore_sprs+0xc/0x1c
- LR [c000000000015a24] __switch_to+0x1f4/0x420
- Call Trace:
- Instruction dump:
- 7c800164 4e800020 7c0022a6 f80304a8 7c0222a6 f80304b0 7c0122a6 f80304b8
- 4e800020 e80304a8 7c0023a6 e80304b0 <7c0223a6> e80304b8 7c0123a6 4e800020
-
-This fixes CVE-2016-5828.
-
-Fixes: bc2a9408fa65 ("powerpc: Hook in new transactional memory code")
-Cc: stable at vger.kernel.org # v3.9+
-Signed-off-by: Cyril Bur <cyrilbur at gmail.com>
-Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
----
- arch/powerpc/kernel/process.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/arch/powerpc/kernel/process.c
-+++ b/arch/powerpc/kernel/process.c
-@@ -1239,6 +1239,16 @@ void start_thread(struct pt_regs *regs,
- current->thread.regs = regs - 1;
- }
-
-+#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
-+ /*
-+ * Clear any transactional state, we're exec()ing. The cause is
-+ * not important as there will never be a recheckpoint so it's not
-+ * user visible.
-+ */
-+ if (MSR_TM_SUSPENDED(mfmsr()))
-+ tm_reclaim_current(0);
-+#endif
-+
- memset(regs->gpr, 0, sizeof(regs->gpr));
- regs->ctr = 0;
- regs->link = 0;
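Review bot: the block added to start_thread() reclaims only when `MSR_TM_SUSPENDED(mfmsr())` is true, and the description discusses only exec() with a suspended transaction. The comment should say why an active, non-suspended transaction cannot be live at this point, or the test should cover that state as well. The bare 0 passed to tm_reclaim_current() is explained by the comment and is fine as it stands.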
diff --git a/debian/patches/bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch b/debian/patches/bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch
deleted file mode 100644
index 0407cb8..0000000
--- a/debian/patches/bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: Martin Schwidefsky <schwidefsky at de.ibm.com>
-Date: Mon, 25 Apr 2016 17:54:28 +0200
-Subject: s390/sclp_ctl: fix potential information leak with /dev/sclp
-Origin: https://git.kernel.org/linus/532c34b5fbf1687df63b3fcd5b2846312ac943c6
-
-The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to
-retrieve the sclp request from user space. The first copy_from_user
-fetches the length of the request which is stored in the first two
-bytes of the request. The second copy_from_user gets the complete
-sclp request, but this copies the length field a second time.
-A malicious user may have changed the length in the meantime.
-
-Reported-by: Pengfei Wang <wpengfeinudt at gmail.com>
-Reviewed-by: Michael Holzheu <holzheu at linux.vnet.ibm.com>
-Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
----
- drivers/s390/char/sclp_ctl.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/s390/char/sclp_ctl.c b/drivers/s390/char/sclp_ctl.c
-index 648cb86afd42..ea607a4a1bdd 100644
---- a/drivers/s390/char/sclp_ctl.c
-+++ b/drivers/s390/char/sclp_ctl.c
-@@ -56,6 +56,7 @@ static int sclp_ctl_ioctl_sccb(void __user *user_area)
- {
- struct sclp_ctl_sccb ctl_sccb;
- struct sccb_header *sccb;
-+ unsigned long copied;
- int rc;
-
- if (copy_from_user(&ctl_sccb, user_area, sizeof(ctl_sccb)))
-@@ -65,14 +66,15 @@ static int sclp_ctl_ioctl_sccb(void __user *user_area)
- sccb = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA);
- if (!sccb)
- return -ENOMEM;
-- if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sizeof(*sccb))) {
-+ copied = PAGE_SIZE -
-+ copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), PAGE_SIZE);
-+ if (offsetof(struct sccb_header, length) +
-+ sizeof(sccb->length) > copied || sccb->length > copied) {
- rc = -EFAULT;
- goto out_free;
- }
-- if (sccb->length > PAGE_SIZE || sccb->length < 8)
-- return -EINVAL;
-- if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sccb->length)) {
-- rc = -EFAULT;
-+ if (sccb->length < 8) {
-+ rc = -EINVAL;
- goto out_free;
- }
- rc = sclp_sync_request(ctl_sccb.cmdw, sccb);
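Review bot: in sclp_ctl_ioctl_sccb() a length larger than PAGE_SIZE used to return -EINVAL and now falls into the `sccb->length > copied` branch and returns -EFAULT, because copied can be at most PAGE_SIZE; if user space distinguishes the two, keep -EINVAL for that case. The combined condition is also hard to read: the `offsetof(struct sccb_header, length) + sizeof(sccb->length) > copied` half guards against a copy too short to contain the length field, and a comment saying so would help. Routing the `< 8` case through `goto out_free` also fixes the old early `return -EINVAL` that skipped the free, which the description does not mention.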
diff --git a/debian/patches/bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch b/debian/patches/bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch
deleted file mode 100644
index f39302f..0000000
--- a/debian/patches/bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Ashutosh Dixit <ashutosh.dixit at intel.com>
-Date: Wed, 27 Apr 2016 14:36:05 -0700
-Subject: misc: mic: Fix for double fetch security bug in VOP driver
-Origin: https://git.kernel.org/linus/9bf292bfca94694a721449e3fd752493856710f6
-
-The MIC VOP driver does two successive reads from user space to read a
-variable length data structure. Kernel memory corruption can result if
-the data structure changes between the two reads. This patch disallows
-the chance of this happening.
-
-Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651
-Reported by: Pengfei Wang <wpengfeinudt at gmail.com>
-Reviewed-by: Sudeep Dutt <sudeep.dutt at intel.com>
-Signed-off-by: Ashutosh Dixit <ashutosh.dixit at intel.com>
-Cc: stable <stable at vger.kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
-[bwh: Backported to 3.16:
- - Adjust filename, context
- - goto exit on failure]
----
- drivers/misc/mic/host/mic_virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/drivers/misc/mic/host/mic_virtio.c
-+++ b/drivers/misc/mic/host/mic_virtio.c
-@@ -456,6 +456,11 @@ static int mic_copy_dp_entry(struct mic_
- __func__, __LINE__, ret);
- goto exit;
- }
-+ /* Ensure desc has not changed between the two reads */
-+ if (memcmp(&dd, dd_config, sizeof(dd))) {
-+ ret = -EINVAL;
-+ goto exit;
-+ }
-
- vqconfig = mic_vq_config(dd_config);
- for (i = 0; i < dd.num_vq; i++) {
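Review bot: the memcmp() added in mic_copy_dp_entry() detects a descriptor header that changed between the two reads and fails with -EINVAL, but the second fetch of the header is still made and only sizeof(dd) bytes are compared. Copying the already-validated dd over the start of dd_config after the second read would make the header come from a single fetch and would not need a failure path. The loop below already uses dd.num_vq rather than the re-read copy; the same should hold for every header field used after this point.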
diff --git a/debian/patches/debian/kernelvariables.patch b/debian/patches/debian/kernelvariables.patch
index a10a953..39aaf6d 100644
--- a/debian/patches/debian/kernelvariables.patch
+++ b/debian/patches/debian/kernelvariables.patch
@@ -14,7 +14,7 @@ use of $(ARCH) needs to be moved after this.
--- a/Makefile
+++ b/Makefile
-@@ -195,42 +195,6 @@ export KBUILD_BUILDHOST := $(SUBARCH)
+@@ -257,42 +257,6 @@ SUBARCH := $(shell uname -m | sed -e s/i
ARCH ?= $(SUBARCH)
CROSS_COMPILE ?= $(CONFIG_CROSS_COMPILE:"%"=%)
@@ -57,9 +57,9 @@ use of $(ARCH) needs to be moved after this.
KCONFIG_CONFIG ?= .config
export KCONFIG_CONFIG
-@@ -349,6 +313,44 @@ CFLAGS_KERNEL =
+@@ -383,6 +347,44 @@ CFLAGS_KERNEL =
AFLAGS_KERNEL =
- CFLAGS_GCOV = -fprofile-arcs -ftest-coverage
+ CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im
+-include $(obj)/.kernelvariables
+
diff --git a/debian/patches/features/all/arcmsr/0013-arcmsr-fix-ioctl-data-read-write-error-for-adapter-t.patch b/debian/patches/features/all/arcmsr/0013-arcmsr-fix-ioctl-data-read-write-error-for-adapter-t.patch
index 3244dd4..468d9cf 100644
--- a/debian/patches/features/all/arcmsr/0013-arcmsr-fix-ioctl-data-read-write-error-for-adapter-t.patch
+++ b/debian/patches/features/all/arcmsr/0013-arcmsr-fix-ioctl-data-read-write-error-for-adapter-t.patch
@@ -10,14 +10,14 @@ read/write error and change data I/O access from byte to Dword.
Signed-off-by: Ching Huang <ching2048 at areca.com.tw>
Reviewed-by: Tomas Henzl <thenzl at redhat.com>
Signed-off-by: Christoph Hellwig <hch at lst.de>
+[bwh: Adjust context to apply after "scsi: arcmsr: Buffer overflow in
+ arcmsr_iop_message_xfer()" in 3.16.39]
---
drivers/scsi/arcmsr/arcmsr.h | 8 +-
drivers/scsi/arcmsr/arcmsr_attr.c | 101 +++++--
drivers/scsi/arcmsr/arcmsr_hba.c | 572 ++++++++++++++++++++++++--------------
3 files changed, 442 insertions(+), 239 deletions(-)
-diff --git a/drivers/scsi/arcmsr/arcmsr.h b/drivers/scsi/arcmsr/arcmsr.h
-index 83c0a7d..799393e 100644
--- a/drivers/scsi/arcmsr/arcmsr.h
+++ b/drivers/scsi/arcmsr/arcmsr.h
@@ -518,6 +518,8 @@ struct AdapterControlBlock
@@ -42,11 +42,9 @@ index 83c0a7d..799393e 100644
extern struct QBUFFER __iomem *arcmsr_get_iop_rqbuffer(struct AdapterControlBlock *);
extern struct device_attribute *arcmsr_host_attrs[];
extern int arcmsr_alloc_sysfs_attr(struct AdapterControlBlock *);
-diff --git a/drivers/scsi/arcmsr/arcmsr_attr.c b/drivers/scsi/arcmsr/arcmsr_attr.c
-index acdae33..16422ad 100644
--- a/drivers/scsi/arcmsr/arcmsr_attr.c
+++ b/drivers/scsi/arcmsr/arcmsr_attr.c
-@@ -70,40 +70,75 @@ static ssize_t arcmsr_sysfs_iop_message_read(struct file *filp,
+@@ -70,40 +70,75 @@ static ssize_t arcmsr_sysfs_iop_message_
struct AdapterControlBlock *acb = (struct AdapterControlBlock *) host->hostdata;
uint8_t *pQbuffer,*ptmpQbuffer;
int32_t allxfer_len = 0;
@@ -143,7 +141,7 @@ index acdae33..16422ad 100644
}
static ssize_t arcmsr_sysfs_iop_message_write(struct file *filp,
-@@ -117,6 +152,7 @@ static ssize_t arcmsr_sysfs_iop_message_write(struct file *filp,
+@@ -117,6 +152,7 @@ static ssize_t arcmsr_sysfs_iop_message_
struct AdapterControlBlock *acb = (struct AdapterControlBlock *) host->hostdata;
int32_t my_empty_len, user_len, wqbuf_firstindex, wqbuf_lastindex;
uint8_t *pQbuffer, *ptmpuserbuffer;
@@ -151,7 +149,7 @@ index acdae33..16422ad 100644
if (!capable(CAP_SYS_ADMIN))
return -EACCES;
-@@ -125,18 +161,19 @@ static ssize_t arcmsr_sysfs_iop_message_write(struct file *filp,
+@@ -125,18 +161,19 @@ static ssize_t arcmsr_sysfs_iop_message_
/* do message unit write. */
ptmpuserbuffer = (uint8_t *)buf;
user_len = (int32_t)count;
@@ -175,7 +173,7 @@ index acdae33..16422ad 100644
memcpy(pQbuffer, ptmpuserbuffer, 1);
acb->wqbuf_lastindex++;
acb->wqbuf_lastindex %= ARCMSR_MAX_QBUFFER;
-@@ -146,10 +183,12 @@ static ssize_t arcmsr_sysfs_iop_message_write(struct file *filp,
+@@ -146,10 +183,12 @@ static ssize_t arcmsr_sysfs_iop_message_
if (acb->acb_flags & ACB_F_MESSAGE_WQBUFFER_CLEARED) {
acb->acb_flags &=
~ACB_F_MESSAGE_WQBUFFER_CLEARED;
@@ -189,7 +187,7 @@ index acdae33..16422ad 100644
return 0; /*need retry*/
}
}
-@@ -165,22 +204,24 @@ static ssize_t arcmsr_sysfs_iop_message_clear(struct file *filp,
+@@ -165,22 +204,24 @@ static ssize_t arcmsr_sysfs_iop_message_
struct Scsi_Host *host = class_to_shost(dev);
struct AdapterControlBlock *acb = (struct AdapterControlBlock *) host->hostdata;
uint8_t *pQbuffer;
@@ -218,11 +216,9 @@ index acdae33..16422ad 100644
pQbuffer = acb->rqbuffer;
memset(pQbuffer, 0, sizeof (struct QBUFFER));
pQbuffer = acb->wqbuffer;
-diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
-index fc0dfbc..1576805 100644
--- a/drivers/scsi/arcmsr/arcmsr_hba.c
+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
-@@ -653,6 +653,8 @@ static int arcmsr_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+@@ -653,6 +653,8 @@ static int arcmsr_probe(struct pci_dev *
}
spin_lock_init(&acb->eh_lock);
spin_lock_init(&acb->ccblist_lock);
@@ -231,7 +227,7 @@ index fc0dfbc..1576805 100644
acb->acb_flags |= (ACB_F_MESSAGE_WQBUFFER_CLEARED |
ACB_F_MESSAGE_RQBUFFER_CLEARED |
ACB_F_MESSAGE_WQBUFFER_READED);
-@@ -1449,68 +1451,175 @@ static struct QBUFFER __iomem *arcmsr_get_iop_wqbuffer(struct AdapterControlBloc
+@@ -1449,68 +1451,175 @@ static struct QBUFFER __iomem *arcmsr_ge
return pqbuffer;
}
@@ -322,14 +318,14 @@ index fc0dfbc..1576805 100644
+ arcmsr_iop_message_read(acb);
+ return 1;
+}
-
-- else {
++
+static void arcmsr_iop2drv_data_wrote_handle(struct AdapterControlBlock *acb)
+{
+ unsigned long flags;
+ struct QBUFFER __iomem *prbuffer;
+ int32_t buf_empty_len;
-+
+
+- else {
+ spin_lock_irqsave(&acb->rqbuffer_lock, flags);
+ prbuffer = arcmsr_get_iop_rqbuffer(acb);
+ buf_empty_len = (acb->rqbuf_lastindex - acb->rqbuf_firstindex - 1) &
@@ -428,12 +424,12 @@ index fc0dfbc..1576805 100644
arcmsr_iop_message_wrote(acb);
}
+}
-+
+
+- if (acb->wqbuf_firstindex == acb->wqbuf_lastindex) {
+static void arcmsr_iop2drv_data_read_handle(struct AdapterControlBlock *acb)
+{
+ unsigned long flags;
-
-- if (acb->wqbuf_firstindex == acb->wqbuf_lastindex) {
++
+ spin_lock_irqsave(&acb->wqbuffer_lock, flags);
+ acb->acb_flags |= ACB_F_MESSAGE_WQBUFFER_READED;
+ if (acb->wqbuf_firstindex != acb->wqbuf_lastindex)
@@ -445,7 +441,7 @@ index fc0dfbc..1576805 100644
}
static void arcmsr_hbaA_doorbell_isr(struct AdapterControlBlock *acb)
-@@ -1768,296 +1877,345 @@ static void arcmsr_iop_parking(struct AdapterControlBlock *acb)
+@@ -1768,129 +1877,162 @@ static void arcmsr_iop_parking(struct Ad
}
}
@@ -665,7 +661,8 @@ index fc0dfbc..1576805 100644
+ }
case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
unsigned char *ver_addr;
- int32_t my_empty_len, user_len, wqbuf_firstindex, wqbuf_lastindex;
+ uint32_t user_len;
+ int32_t my_empty_len, wqbuf_firstindex, wqbuf_lastindex;
uint8_t *pQbuffer, *ptmpuserbuffer;
-
ver_addr = kmalloc(1032, GFP_ATOMIC);
@@ -682,6 +679,11 @@ index fc0dfbc..1576805 100644
- }
ptmpuserbuffer = ver_addr;
user_len = pcmdmessagefld->cmdmessage.Length;
+ if (user_len > 1032) {
+@@ -1898,172 +2040,188 @@ static int arcmsr_iop_message_xfer(struc
+ kfree(ver_addr);
+ goto message_out;
+ }
- memcpy(ptmpuserbuffer, pcmdmessagefld->messagedatabuffer, user_len);
+ memcpy(ptmpuserbuffer,
+ pcmdmessagefld->messagedatabuffer, user_len);
@@ -960,6 +962,3 @@ index fc0dfbc..1576805 100644
return retvalue;
}
---
-2.8.1
-
diff --git a/debian/patches/features/all/arcmsr/0019-arcmsr-simplify-ioctl-data-read-write.patch b/debian/patches/features/all/arcmsr/0019-arcmsr-simplify-ioctl-data-read-write.patch
index 1e08001..6c5204a 100644
--- a/debian/patches/features/all/arcmsr/0019-arcmsr-simplify-ioctl-data-read-write.patch
+++ b/debian/patches/features/all/arcmsr/0019-arcmsr-simplify-ioctl-data-read-write.patch
@@ -7,14 +7,14 @@ Bug-Debian: https://bugs.debian.org/698821
Signed-off-by: Ching Huang <ching 2048 at areca.com.tw>
Reviewed-by: Tomas Henzl <thenzl at redhat.com>
Signed-off-by: Christoph Hellwig <hch at lst.de>
+[bwh: Adjust context to apply after "scsi: arcmsr: Buffer overflow in
+ arcmsr_iop_message_xfer()" in 3.16.39]
---
drivers/scsi/arcmsr/arcmsr.h | 13 +--
drivers/scsi/arcmsr/arcmsr_attr.c | 127 ++++++++---------------
drivers/scsi/arcmsr/arcmsr_hba.c | 208 +++++++++++++-------------------------
3 files changed, 119 insertions(+), 229 deletions(-)
-diff --git a/drivers/scsi/arcmsr/arcmsr.h b/drivers/scsi/arcmsr/arcmsr.h
-index d1c78ef..3bcaaac 100644
--- a/drivers/scsi/arcmsr/arcmsr.h
+++ b/drivers/scsi/arcmsr/arcmsr.h
@@ -52,7 +52,7 @@ struct device_attribute;
@@ -59,8 +59,6 @@ index d1c78ef..3bcaaac 100644
/* last of write buffer */
uint8_t devstate[ARCMSR_MAX_TARGETID][ARCMSR_MAX_TARGETLUN];
/* id0 ..... id15, lun0...lun7 */
-diff --git a/drivers/scsi/arcmsr/arcmsr_attr.c b/drivers/scsi/arcmsr/arcmsr_attr.c
-index 16422ad..9c86481 100644
--- a/drivers/scsi/arcmsr/arcmsr_attr.c
+++ b/drivers/scsi/arcmsr/arcmsr_attr.c
@@ -50,6 +50,7 @@
@@ -71,7 +69,7 @@ index 16422ad..9c86481 100644
#include <scsi/scsi_cmnd.h>
#include <scsi/scsi_device.h>
-@@ -68,7 +69,7 @@ static ssize_t arcmsr_sysfs_iop_message_read(struct file *filp,
+@@ -68,7 +69,7 @@ static ssize_t arcmsr_sysfs_iop_message_
struct device *dev = container_of(kobj,struct device,kobj);
struct Scsi_Host *host = class_to_shost(dev);
struct AdapterControlBlock *acb = (struct AdapterControlBlock *) host->hostdata;
@@ -80,7 +78,7 @@ index 16422ad..9c86481 100644
int32_t allxfer_len = 0;
unsigned long flags;
-@@ -78,57 +79,22 @@ static ssize_t arcmsr_sysfs_iop_message_read(struct file *filp,
+@@ -78,57 +79,22 @@ static ssize_t arcmsr_sysfs_iop_message_
/* do message unit read. */
ptmpQbuffer = (uint8_t *)buf;
spin_lock_irqsave(&acb->rqbuffer_lock, flags);
@@ -153,7 +151,7 @@ index 16422ad..9c86481 100644
}
if (acb->acb_flags & ACB_F_IOPDATA_OVERFLOW) {
struct QBUFFER __iomem *prbuffer;
-@@ -150,47 +116,42 @@ static ssize_t arcmsr_sysfs_iop_message_write(struct file *filp,
+@@ -150,47 +116,42 @@ static ssize_t arcmsr_sysfs_iop_message_
struct device *dev = container_of(kobj,struct device,kobj);
struct Scsi_Host *host = class_to_shost(dev);
struct AdapterControlBlock *acb = (struct AdapterControlBlock *) host->hostdata;
@@ -222,7 +220,7 @@ index 16422ad..9c86481 100644
}
}
-@@ -215,12 +176,12 @@ static ssize_t arcmsr_sysfs_iop_message_clear(struct file *filp,
+@@ -215,12 +176,12 @@ static ssize_t arcmsr_sysfs_iop_message_
| ACB_F_MESSAGE_RQBUFFER_CLEARED
| ACB_F_MESSAGE_WQBUFFER_READED);
spin_lock_irqsave(&acb->rqbuffer_lock, flags);
@@ -239,7 +237,7 @@ index 16422ad..9c86481 100644
spin_unlock_irqrestore(&acb->wqbuffer_lock, flags);
pQbuffer = acb->rqbuffer;
memset(pQbuffer, 0, sizeof (struct QBUFFER));
-@@ -234,7 +195,7 @@ static struct bin_attribute arcmsr_sysfs_message_read_attr = {
+@@ -234,7 +195,7 @@ static struct bin_attribute arcmsr_sysfs
.name = "mu_read",
.mode = S_IRUSR ,
},
@@ -248,7 +246,7 @@ index 16422ad..9c86481 100644
.read = arcmsr_sysfs_iop_message_read,
};
-@@ -243,7 +204,7 @@ static struct bin_attribute arcmsr_sysfs_message_write_attr = {
+@@ -243,7 +204,7 @@ static struct bin_attribute arcmsr_sysfs
.name = "mu_write",
.mode = S_IWUSR,
},
@@ -257,8 +255,6 @@ index 16422ad..9c86481 100644
.write = arcmsr_sysfs_iop_message_write,
};
-diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
-index 0dd38cc..0b44fb5 100644
--- a/drivers/scsi/arcmsr/arcmsr_hba.c
+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
@@ -58,6 +58,7 @@
@@ -269,7 +265,7 @@ index 0dd38cc..0b44fb5 100644
#include <asm/dma.h>
#include <asm/io.h>
#include <asm/uaccess.h>
-@@ -1701,16 +1702,15 @@ arcmsr_Read_iop_rqbuffer_in_DWORD(struct AdapterControlBlock *acb,
+@@ -1701,16 +1702,15 @@ arcmsr_Read_iop_rqbuffer_in_DWORD(struct
buf2 = (uint32_t *)buf1;
}
while (iop_len > 0) {
@@ -290,7 +286,7 @@ index 0dd38cc..0b44fb5 100644
/* let IOP know data has been read */
arcmsr_iop_message_read(acb);
return 1;
-@@ -1729,10 +1729,10 @@ arcmsr_Read_iop_rqbuffer_data(struct AdapterControlBlock *acb,
+@@ -1729,10 +1729,10 @@ arcmsr_Read_iop_rqbuffer_data(struct Ada
iop_data = (uint8_t __iomem *)prbuffer->data;
iop_len = readl(&prbuffer->data_len);
while (iop_len > 0) {
@@ -304,7 +300,7 @@ index 0dd38cc..0b44fb5 100644
iop_data++;
iop_len--;
}
-@@ -1748,7 +1748,7 @@ static void arcmsr_iop2drv_data_wrote_handle(struct AdapterControlBlock *acb)
+@@ -1748,7 +1748,7 @@ static void arcmsr_iop2drv_data_wrote_ha
spin_lock_irqsave(&acb->rqbuffer_lock, flags);
prbuffer = arcmsr_get_iop_rqbuffer(acb);
@@ -313,7 +309,7 @@ index 0dd38cc..0b44fb5 100644
(ARCMSR_MAX_QBUFFER - 1);
if (buf_empty_len >= readl(&prbuffer->data_len)) {
if (arcmsr_Read_iop_rqbuffer_data(acb, prbuffer) == 0)
-@@ -1775,12 +1775,12 @@ static void arcmsr_write_ioctldata2iop_in_DWORD(struct AdapterControlBlock *acb)
+@@ -1775,12 +1775,12 @@ static void arcmsr_write_ioctldata2iop_i
acb->acb_flags &= (~ACB_F_MESSAGE_WQBUFFER_READED);
pwbuffer = arcmsr_get_iop_wqbuffer(acb);
iop_data = (uint32_t __iomem *)pwbuffer->data;
@@ -330,7 +326,7 @@ index 0dd38cc..0b44fb5 100644
buf1++;
allxfer_len++;
}
-@@ -1818,12 +1818,12 @@ arcmsr_write_ioctldata2iop(struct AdapterControlBlock *acb)
+@@ -1818,12 +1818,12 @@ arcmsr_write_ioctldata2iop(struct Adapte
acb->acb_flags &= (~ACB_F_MESSAGE_WQBUFFER_READED);
pwbuffer = arcmsr_get_iop_wqbuffer(acb);
iop_data = (uint8_t __iomem *)pwbuffer->data;
@@ -347,7 +343,7 @@ index 0dd38cc..0b44fb5 100644
iop_data++;
allxfer_len++;
}
-@@ -1838,9 +1838,9 @@ static void arcmsr_iop2drv_data_read_handle(struct AdapterControlBlock *acb)
+@@ -1838,9 +1838,9 @@ static void arcmsr_iop2drv_data_read_han
spin_lock_irqsave(&acb->wqbuffer_lock, flags);
acb->acb_flags |= ACB_F_MESSAGE_WQBUFFER_READED;
@@ -359,7 +355,7 @@ index 0dd38cc..0b44fb5 100644
acb->acb_flags |= ACB_F_MESSAGE_WQBUFFER_CLEARED;
spin_unlock_irqrestore(&acb->wqbuffer_lock, flags);
}
-@@ -2210,14 +2210,14 @@ void arcmsr_clear_iop2drv_rqueue_buffer(struct AdapterControlBlock *acb)
+@@ -2210,14 +2210,14 @@ void arcmsr_clear_iop2drv_rqueue_buffer(
for (i = 0; i < 15; i++) {
if (acb->acb_flags & ACB_F_IOPDATA_OVERFLOW) {
acb->acb_flags &= ~ACB_F_IOPDATA_OVERFLOW;
@@ -380,7 +376,7 @@ index 0dd38cc..0b44fb5 100644
mdelay(30);
} else
break;
-@@ -2256,9 +2256,9 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+@@ -2256,9 +2256,9 @@ static int arcmsr_iop_message_xfer(struc
switch (controlcode) {
case ARCMSR_MESSAGE_READ_RQBUFFER: {
unsigned char *ver_addr;
@@ -392,7 +388,7 @@ index 0dd38cc..0b44fb5 100644
if (!ver_addr) {
retvalue = ARCMSR_MESSAGE_FAIL;
pr_info("%s: memory not enough!\n", __func__);
-@@ -2266,66 +2266,22 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+@@ -2266,66 +2266,22 @@ static int arcmsr_iop_message_xfer(struc
}
ptmpQbuffer = ver_addr;
spin_lock_irqsave(&acb->rqbuffer_lock, flags);
@@ -474,19 +470,19 @@ index 0dd38cc..0b44fb5 100644
}
memcpy(pcmdmessagefld->messagedatabuffer, ver_addr,
allxfer_len);
-@@ -2349,9 +2305,9 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
- }
+@@ -2350,9 +2306,9 @@ static int arcmsr_iop_message_xfer(struc
case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
unsigned char *ver_addr;
-- int32_t my_empty_len, user_len, wqbuf_firstindex, wqbuf_lastindex;
-+ int32_t user_len, cnt2end;
+ uint32_t user_len;
+- int32_t my_empty_len, wqbuf_firstindex, wqbuf_lastindex;
++ int32_t cnt2end;
uint8_t *pQbuffer, *ptmpuserbuffer;
- ver_addr = kmalloc(1032, GFP_ATOMIC);
+ ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
if (!ver_addr) {
retvalue = ARCMSR_MESSAGE_FAIL;
goto message_out;
-@@ -2361,9 +2317,7 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+@@ -2367,9 +2323,7 @@ static int arcmsr_iop_message_xfer(struc
memcpy(ptmpuserbuffer,
pcmdmessagefld->messagedatabuffer, user_len);
spin_lock_irqsave(&acb->wqbuffer_lock, flags);
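Review bot: In the ARCMSR_MESSAGE_WRITE_WQBUFFER case the allocation becomes `kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC)` while the `memcpy(ptmpuserbuffer, pcmdmessagefld->messagedatabuffer, user_len)` that follows is still sized by `user_len`, and no bound on `user_len` appears in the refreshed context. This hunk moves only from 2349 to 2350 while the next one moves from 2361 to 2367, so the earlier overflow fix added five lines between them. Confirm that those lines limit `user_len` by the same `ARCMSR_API_DATA_BUFLEN` constant rather than the old literal 1032, so the limit and the allocation size cannot drift apart.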
@@ -497,7 +493,7 @@ index 0dd38cc..0b44fb5 100644
struct SENSE_DATA *sensebuffer =
(struct SENSE_DATA *)cmd->sense_buffer;
arcmsr_write_ioctldata2iop(acb);
-@@ -2375,48 +2329,22 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+@@ -2381,48 +2335,22 @@ static int arcmsr_iop_message_xfer(struc
sensebuffer->Valid = 1;
retvalue = ARCMSR_MESSAGE_FAIL;
} else {
@@ -561,7 +557,7 @@ index 0dd38cc..0b44fb5 100644
}
}
spin_unlock_irqrestore(&acb->wqbuffer_lock, flags);
-@@ -2435,8 +2363,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+@@ -2441,8 +2369,8 @@ static int arcmsr_iop_message_xfer(struc
arcmsr_clear_iop2drv_rqueue_buffer(acb);
spin_lock_irqsave(&acb->rqbuffer_lock, flags);
acb->acb_flags |= ACB_F_MESSAGE_RQBUFFER_CLEARED;
@@ -572,7 +568,7 @@ index 0dd38cc..0b44fb5 100644
memset(pQbuffer, 0, ARCMSR_MAX_QBUFFER);
spin_unlock_irqrestore(&acb->rqbuffer_lock, flags);
if (acb->fw_flag == FW_DEADLOCK)
-@@ -2452,8 +2380,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+@@ -2458,8 +2386,8 @@ static int arcmsr_iop_message_xfer(struc
spin_lock_irqsave(&acb->wqbuffer_lock, flags);
acb->acb_flags |= (ACB_F_MESSAGE_WQBUFFER_CLEARED |
ACB_F_MESSAGE_WQBUFFER_READED);
@@ -583,7 +579,7 @@ index 0dd38cc..0b44fb5 100644
memset(pQbuffer, 0, ARCMSR_MAX_QBUFFER);
spin_unlock_irqrestore(&acb->wqbuffer_lock, flags);
if (acb->fw_flag == FW_DEADLOCK)
-@@ -2469,16 +2397,16 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+@@ -2475,16 +2403,16 @@ static int arcmsr_iop_message_xfer(struc
arcmsr_clear_iop2drv_rqueue_buffer(acb);
spin_lock_irqsave(&acb->rqbuffer_lock, flags);
acb->acb_flags |= ACB_F_MESSAGE_RQBUFFER_CLEARED;
@@ -604,6 +600,3 @@ index 0dd38cc..0b44fb5 100644
pQbuffer = acb->wqbuffer;
memset(pQbuffer, 0, sizeof(struct QBUFFER));
spin_unlock_irqrestore(&acb->wqbuffer_lock, flags);
---
-2.8.1
-
diff --git a/debian/patches/features/all/kdbus/shm-add-sealing-API.patch b/debian/patches/features/all/kdbus/shm-add-sealing-API.patch
index c09f655..093713e 100644
--- a/debian/patches/features/all/kdbus/shm-add-sealing-API.patch
+++ b/debian/patches/features/all/kdbus/shm-add-sealing-API.patch
@@ -113,7 +113,7 @@ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
#include <asm/poll.h>
#include <asm/siginfo.h>
-@@ -336,6 +337,10 @@ static long do_fcntl(int fd, unsigned in
+@@ -339,6 +340,10 @@ static long do_fcntl(int fd, unsigned in
case F_GETPIPE_SZ:
err = pipe_fcntl(filp, cmd, arg);
break;
@@ -203,7 +203,7 @@ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ struct shmem_inode_info *info = SHMEM_I(inode);
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
@@ -548,6 +550,11 @@ static int shmem_setattr(struct dentry *
loff_t oldsize = inode->i_size;
loff_t newsize = attr->ia_size;
diff --git a/debian/patches/features/powerpc/KVM-Move-all-accesses-to-kvm-irq_routing-into-irqchi.patch b/debian/patches/features/powerpc/KVM-Move-all-accesses-to-kvm-irq_routing-into-irqchi.patch
index 84df9b0..7ca62f0 100644
--- a/debian/patches/features/powerpc/KVM-Move-all-accesses-to-kvm-irq_routing-into-irqchi.patch
+++ b/debian/patches/features/powerpc/KVM-Move-all-accesses-to-kvm-irq_routing-into-irqchi.patch
@@ -22,6 +22,8 @@ Signed-off-by: Paul Mackerras <paulus at samba.org>
Tested-by: Eric Auger <eric.auger at linaro.org>
Tested-by: Cornelia Huck <cornelia.huck at de.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[bwh: Adjust to apply after "KVM: irqfd: fix NULL pointer dereference in
+ kvm_irq_map_gsi" in 3.16.37]
---
include/linux/kvm_host.h | 35 +++++++----------------------------
virt/kvm/eventfd.c | 22 +++++++++-------------
@@ -237,7 +239,7 @@ index f4648dd..04faac5 100644
+ irq_rt = srcu_dereference_check(kvm->irq_routing, &kvm->irq_srcu,
+ lockdep_is_held(&kvm->irq_lock));
- if (gsi < irq_rt->nr_rt_entries) {
+ if (irq_rt && gsi < irq_rt->nr_rt_entries) {
hlist_for_each_entry(e, &irq_rt->map[gsi], link) {
entries[n] = *e;
@@ -47,21 +61,21 @@ int kvm_irq_map_gsi(struct kvm_kernel_irq_routing_entry *entries,
diff --git a/debian/patches/features/powerpc/KVM-PPC-Book3S-HV-Fix-ABIv2-on-LE.patch b/debian/patches/features/powerpc/KVM-PPC-Book3S-HV-Fix-ABIv2-on-LE.patch
index 434820d..a4e6cfc 100644
--- a/debian/patches/features/powerpc/KVM-PPC-Book3S-HV-Fix-ABIv2-on-LE.patch
+++ b/debian/patches/features/powerpc/KVM-PPC-Book3S-HV-Fix-ABIv2-on-LE.patch
@@ -9,6 +9,8 @@ names, giving us compatibility with ABIv1 and ABIv2.
Do this for the compiled-in code of HV KVM.
Signed-off-by: Alexander Graf <agraf at suse.de>
+[bwh: Adjust hunk addresses and order to apply after "KVM: PPC: Book3S HV:
+ Pull out TM state save/restore into separate procedures" in 3.16.37]
---
arch/powerpc/kvm/book3s_hv_rmhandlers.S | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
@@ -17,31 +19,7 @@ diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_h
index 364ca0c..855521e 100644
--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
-@@ -668,9 +668,9 @@ END_FTR_SECTION_IFCLR(CPU_FTR_TM)
-
- mr r31, r4
- addi r3, r31, VCPU_FPRS_TM
-- bl .load_fp_state
-+ bl load_fp_state
- addi r3, r31, VCPU_VRS_TM
-- bl .load_vr_state
-+ bl load_vr_state
- mr r4, r31
- lwz r7, VCPU_VRSAVE_TM(r4)
- mtspr SPRN_VRSAVE, r7
-@@ -1414,9 +1414,9 @@ END_FTR_SECTION_IFCLR(CPU_FTR_TM)
-
- /* Save FP/VSX. */
- addi r3, r9, VCPU_FPRS_TM
-- bl .store_fp_state
-+ bl store_fp_state
- addi r3, r9, VCPU_VRS_TM
-- bl .store_vr_state
-+ bl store_vr_state
- mfspr r6, SPRN_VRSAVE
- stw r6, VCPU_VRSAVE_TM(r9)
- 1:
-@@ -2430,11 +2430,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_VSX)
+@@ -2248,11 +2248,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_VSX)
mtmsrd r8
isync
addi r3,r3,VCPU_FPRS
@@ -55,7 +33,7 @@ index 364ca0c..855521e 100644
END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
#endif
mfspr r6,SPRN_VRSAVE
-@@ -2466,11 +2466,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_VSX)
+@@ -2284,11 +2284,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_VSX)
mtmsrd r8
isync
addi r3,r4,VCPU_FPRS
@@ -69,6 +47,27 @@ index 364ca0c..855521e 100644
END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
#endif
lwz r7,VCPU_VRSAVE(r31)
---
-1.7.10.4
-
+@@ -2388,9 +2388,9 @@ END_FTR_SECTION_IFCLR(CPU_FTR_TM)
+
+ /* Save FP/VSX. */
+ addi r3, r9, VCPU_FPRS_TM
+- bl .store_fp_state
++ bl store_fp_state
+ addi r3, r9, VCPU_VRS_TM
+- bl .store_vr_state
++ bl store_vr_state
+ mfspr r6, SPRN_VRSAVE
+ stw r6, VCPU_VRSAVE_TM(r9)
+ 1:
+@@ -2462,9 +2462,9 @@ END_FTR_SECTION_IFCLR(CPU_FTR_TM)
+
+ mr r31, r4
+ addi r3, r31, VCPU_FPRS_TM
+- bl .load_fp_state
++ bl load_fp_state
+ addi r3, r31, VCPU_VRS_TM
+- bl .load_vr_state
++ bl load_vr_state
+ mr r4, r31
+ lwz r7, VCPU_VRSAVE_TM(r4)
+ mtspr SPRN_VRSAVE, r7
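Review bot: With the two CPU_FTR_TM hunks relocated from 668 and 1414 to 2388 and 2462 and their order swapped, the refresh gives no way to see that every `bl .name` call in book3s_hv_rmhandlers.S is still converted. The diffstat in the patch header still says 8 insertions and 8 deletions, which only holds if the hunks at 2248 and 2284 still convert two calls each. After applying the series, grep the file for remaining dot-prefixed `bl` targets to confirm no call site was left on the old names when the TM save/restore code was pulled into separate procedures.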
diff --git a/debian/patches/features/powerpc/KVM-irqchip-Provide-and-use-accessors-for-irq-routin.patch b/debian/patches/features/powerpc/KVM-irqchip-Provide-and-use-accessors-for-irq-routin.patch
index a4b2967..6b88c59 100644
--- a/debian/patches/features/powerpc/KVM-irqchip-Provide-and-use-accessors-for-irq-routin.patch
+++ b/debian/patches/features/powerpc/KVM-irqchip-Provide-and-use-accessors-for-irq-routin.patch
@@ -24,6 +24,8 @@ Signed-off-by: Paul Mackerras <paulus at samba.org>
Tested-by: Eric Auger <eric.auger at linaro.org>
Tested-by: Cornelia Huck <cornelia.huck at de.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[bwh: Adjust to apply after "KVM: irqfd: fix NULL pointer dereference in
+ kvm_irq_map_gsi" in 3.16.37]
---
arch/powerpc/kvm/mpic.c | 4 +---
arch/s390/kvm/interrupt.c | 3 +--
@@ -33,11 +35,9 @@ Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
virt/kvm/irqchip.c | 42 ++++++++++++++++++++++++++++++++++--------
6 files changed, 57 insertions(+), 30 deletions(-)
-diff --git a/arch/powerpc/kvm/mpic.c b/arch/powerpc/kvm/mpic.c
-index b68d0dc..39b3a8f 100644
--- a/arch/powerpc/kvm/mpic.c
+++ b/arch/powerpc/kvm/mpic.c
-@@ -1826,8 +1826,7 @@ int kvm_set_msi(struct kvm_kernel_irq_routing_entry *e,
+@@ -1826,8 +1826,7 @@ int kvm_set_msi(struct kvm_kernel_irq_ro
return 0;
}
@@ -47,7 +47,7 @@ index b68d0dc..39b3a8f 100644
const struct kvm_irq_routing_entry *ue)
{
int r = -EINVAL;
-@@ -1839,7 +1838,6 @@ int kvm_set_routing_entry(struct kvm_irq_routing_table *rt,
+@@ -1839,7 +1838,6 @@ int kvm_set_routing_entry(struct kvm_irq
e->irqchip.pin = ue->u.irqchip.pin;
if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS)
goto out;
@@ -55,11 +55,9 @@ index b68d0dc..39b3a8f 100644
break;
case KVM_IRQ_ROUTING_MSI:
e->set = kvm_set_msi;
-diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c
-index 92528a0..f4c819b 100644
--- a/arch/s390/kvm/interrupt.c
+++ b/arch/s390/kvm/interrupt.c
-@@ -1556,8 +1556,7 @@ static int set_adapter_int(struct kvm_kernel_irq_routing_entry *e,
+@@ -1596,8 +1596,7 @@ static int set_adapter_int(struct kvm_ke
return ret;
}
@@ -69,11 +67,9 @@ index 92528a0..f4c819b 100644
const struct kvm_irq_routing_entry *ue)
{
int ret;
-diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
-index 5065b95..4956149 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
-@@ -752,6 +752,11 @@ void kvm_unregister_irq_mask_notifier(struct kvm *kvm, int irq,
+@@ -752,6 +752,11 @@ void kvm_unregister_irq_mask_notifier(st
void kvm_fire_mask_notifiers(struct kvm *kvm, unsigned irqchip, unsigned pin,
bool mask);
@@ -95,11 +91,9 @@ index 5065b95..4956149 100644
const struct kvm_irq_routing_entry *ue);
void kvm_free_irq_routing(struct kvm *kvm);
-diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c
-index bae593a..15fa948 100644
--- a/virt/kvm/eventfd.c
+++ b/virt/kvm/eventfd.c
-@@ -282,20 +282,22 @@ static void irqfd_update(struct kvm *kvm, struct _irqfd *irqfd,
+@@ -282,20 +282,22 @@ static void irqfd_update(struct kvm *kvm
struct kvm_irq_routing_table *irq_rt)
{
struct kvm_kernel_irq_routing_entry *e;
@@ -126,11 +120,9 @@ index bae593a..15fa948 100644
write_seqcount_end(&irqfd->irq_entry_sc);
}
-diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
-index a228ee8..1758445 100644
--- a/virt/kvm/irq_comm.c
+++ b/virt/kvm/irq_comm.c
-@@ -160,6 +160,7 @@ static int kvm_set_msi_inatomic(struct kvm_kernel_irq_routing_entry *e,
+@@ -160,6 +160,7 @@ static int kvm_set_msi_inatomic(struct k
*/
int kvm_set_irq_inatomic(struct kvm *kvm, int irq_source_id, u32 irq, int level)
{
@@ -138,7 +130,7 @@ index a228ee8..1758445 100644
struct kvm_kernel_irq_routing_entry *e;
int ret = -EINVAL;
struct kvm_irq_routing_table *irq_rt;
-@@ -177,14 +178,13 @@ int kvm_set_irq_inatomic(struct kvm *kvm, int irq_source_id, u32 irq, int level)
+@@ -177,14 +178,13 @@ int kvm_set_irq_inatomic(struct kvm *kvm
*/
idx = srcu_read_lock(&kvm->irq_srcu);
irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
@@ -160,7 +152,7 @@ index a228ee8..1758445 100644
srcu_read_unlock(&kvm->irq_srcu, idx);
return ret;
}
-@@ -272,8 +272,7 @@ void kvm_fire_mask_notifiers(struct kvm *kvm, unsigned irqchip, unsigned pin,
+@@ -272,8 +272,7 @@ void kvm_fire_mask_notifiers(struct kvm
srcu_read_unlock(&kvm->irq_srcu, idx);
}
@@ -170,7 +162,7 @@ index a228ee8..1758445 100644
const struct kvm_irq_routing_entry *ue)
{
int r = -EINVAL;
-@@ -304,7 +303,6 @@ int kvm_set_routing_entry(struct kvm_irq_routing_table *rt,
+@@ -304,7 +303,6 @@ int kvm_set_routing_entry(struct kvm_irq
e->irqchip.pin = ue->u.irqchip.pin + delta;
if (e->irqchip.pin >= max_pin)
goto out;
@@ -178,8 +170,6 @@ index a228ee8..1758445 100644
break;
case KVM_IRQ_ROUTING_MSI:
e->set = kvm_set_msi;
-diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c
-index b43c275..f4648dd 100644
--- a/virt/kvm/irqchip.c
+++ b/virt/kvm/irqchip.c
@@ -31,13 +31,37 @@
@@ -192,7 +182,7 @@ index b43c275..f4648dd 100644
+ struct kvm_kernel_irq_routing_entry *e;
+ int n = 0;
+
-+ if (gsi < irq_rt->nr_rt_entries) {
++ if (irq_rt && gsi < irq_rt->nr_rt_entries) {
+ hlist_for_each_entry(e, &irq_rt->map[gsi], link) {
+ entries[n] = *e;
+ ++n;
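Review bot: `kvm_irq_map_gsi()` copies into `entries[n]` for every element on `irq_rt->map[gsi]`, and the visible lines show neither a capacity argument nor a bound on `n`, so correctness depends on each caller's array being at least as long as the longest list. Suggest a comment on the helper stating the required array size, or a bound on `n`. Separately, the refreshed `if (irq_rt && gsi < irq_rt->nr_rt_entries)` is on a line this patch adds rather than on context, so the bracketed bwh note could say that the NULL check is carried into the new helper, not only that the patch was adjusted to apply.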
@@ -238,7 +228,7 @@ index b43c275..f4648dd 100644
if (gsi != -1)
hlist_for_each_entry_rcu(kian, &kvm->irq_ack_notifier_list,
link)
-@@ -115,8 +141,8 @@ int kvm_send_userspace_msi(struct kvm *kvm, struct kvm_msi *msi)
+@@ -115,8 +141,8 @@ int kvm_send_userspace_msi(struct kvm *k
int kvm_set_irq(struct kvm *kvm, int irq_source_id, u32 irq, int level,
bool line_status)
{
@@ -249,18 +239,18 @@ index b43c275..f4648dd 100644
struct kvm_irq_routing_table *irq_rt;
trace_kvm_set_irq(irq, level, irq_source_id);
-@@ -127,9 +153,7 @@ int kvm_set_irq(struct kvm *kvm, int irq_source_id, u32 irq, int level,
+@@ -127,9 +153,7 @@ int kvm_set_irq(struct kvm *kvm, int irq
*/
idx = srcu_read_lock(&kvm->irq_srcu);
irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
-- if (irq < irq_rt->nr_rt_entries)
+- if (irq_rt && irq < irq_rt->nr_rt_entries)
- hlist_for_each_entry(e, &irq_rt->map[irq], link)
- irq_set[i++] = *e;
+ i = kvm_irq_map_gsi(irq_set, irq_rt, irq);
srcu_read_unlock(&kvm->irq_srcu, idx);
while(i--) {
-@@ -171,9 +195,11 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt,
+@@ -171,9 +195,11 @@ static int setup_routing_entry(struct kv
e->gsi = ue->gsi;
e->type = ue->type;
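Review bot: In `kvm_set_irq()` the open-coded `if (irq_rt && irq < irq_rt->nr_rt_entries)` is removed and the `srcu_dereference()` result is passed straight to `kvm_irq_map_gsi(irq_set, irq_rt, irq)`, so a NULL routing table is handled only as long as the helper keeps its own `irq_rt &&` test. Worth checking the same for the `kvm_set_irq_inatomic()` conversion in virt/kvm/irq_comm.c, where the `srcu_dereference()` context line is unchanged and the converted lines decide whether the table is dereferenced unguarded.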
@@ -273,6 +263,3 @@ index b43c275..f4648dd 100644
hlist_add_head(&e->link, &rt->map[e->gsi]);
r = 0;
---
-1.7.10.4
-
diff --git a/debian/patches/features/x86/apple-tb/pci-suspend-resume-quirks-for-apple-thunderbolt.patch b/debian/patches/features/x86/apple-tb/pci-suspend-resume-quirks-for-apple-thunderbolt.patch
index f09a3b1..b6785bf 100644
--- a/debian/patches/features/x86/apple-tb/pci-suspend-resume-quirks-for-apple-thunderbolt.patch
+++ b/debian/patches/features/x86/apple-tb/pci-suspend-resume-quirks-for-apple-thunderbolt.patch
@@ -30,9 +30,9 @@ Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
-@@ -3020,6 +3020,103 @@ static void quirk_no_bus_reset(struct pc
- */
- DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0030, quirk_no_bus_reset);
+@@ -3084,6 +3084,103 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_A
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0032, quirk_no_bus_reset);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset);
+#ifdef CONFIG_ACPI
+/*
@@ -136,7 +136,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
{
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
-@@ -1489,7 +1489,9 @@ enum pci_fixup_pass {
+@@ -1492,7 +1492,9 @@ enum pci_fixup_pass {
pci_fixup_resume, /* pci_device_resume() */
pci_fixup_suspend, /* pci_device_suspend() */
pci_fixup_resume_early, /* pci_device_resume_early() */
diff --git a/debian/patches/series b/debian/patches/series
index 4dbbf17..68a879e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -652,50 +652,8 @@ features/all/chaoskey/hwrng-chaoskey-Fix-URB-warning-due-to-timeout-on-Ale.patch
features/all/chaoskey/chaoskey-3.16-no-hwrng-quality.patch
# Security fixes
-bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
-bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
-bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
-bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
-bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
-bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch
-bugfix/all/keys-potential-uninitialized-variable.patch
-bugfix/all/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch
-bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch
-bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch
-bugfix/all/netfilter-x_tables-kill-check_entry-helper.patch
-bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch
-bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch
-bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch
-bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch
-bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch
-bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch
-bugfix/all/netfilter-arp_tables-simplify-translate_compat_table.patch
-bugfix/all/netfilter-ip_tables-simplify-translate_compat_table-.patch
-bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch
-bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch
-bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch
-bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch
-bugfix/all/posix_acl-Add-set_posix_acl.patch
-bugfix/all/nfsd-check-permissions-when-setting-ACLs.patch
-bugfix/all/netfilter-ensure-number-of-counters-is-0-in-do_repla.patch
-bugfix/all/batman-adv-fix-double-put-of-vlan-object.patch
-bugfix/all/Revert-netfilter-ensure-number-of-counters-is-0-in-d.patch
-bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch
-bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch
-bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
-bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
-bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch
-bugfix/all/tcp-make-challenge-acks-less-predictable.patch
-bugfix/all/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
-bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
-bugfix/all/aacraid-Check-size-values-after-double-fetch-from-us.patch
-bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch
-bugfix/all/scsi-arcmsr-Buffer-overflow-in-arcmsr_iop_message_xf.patch
-bugfix/all/bluetooth-fix-potential-null-dereference-in-rfcomm-b.patch
-bugfix/all/netfilter-x_tables-speed-up-jump-target-validation.patch
-bugfix/all/mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
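Review bot: Under `# Security fixes` every entry is dropped except the two ecryptfs patches, and nothing in the series file says why those two are still carried. A one-line comment above them would make the next refresh easier to audit. Also confirm that each removed entry has its patch file deleted in the same commit, including `Revert-netfilter-ensure-number-of-counters-is-0-in-d.patch` together with `netfilter-ensure-number-of-counters-is-0-in-do_repla.patch`, so no unreferenced files stay under debian/patches/bugfix.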
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git