[linux] 01/04: Update to 3.2.82

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Mon Oct 17 18:39:41 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit cafc51969a5ff81879814f350b031d2a0b8b92db
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Mon Oct 17 17:59:14 2016 +0100

    Update to 3.2.82
    
    Drop patches that were applied upstream or otherwise made redundant.
    
    Move procfs/ecryptfs stacking check into ecryptfs, to avoid ABI change.
---
 debian/changelog                                   |  72 ++++
 ...fix-leak-in-events-via-snd_timer_user_cca.patch |  28 --
 ...fix-leak-in-events-via-snd_timer_user_tin.patch |  28 --
 ...imer-fix-leak-in-sndrv_timer_ioctl_params.patch |  28 --
 ...uble-fetch-in-audit_log_single_execve_arg.patch | 422 ---------------------
 ...forbid-opening-files-without-mmap-handler.patch |  38 --
 ...validate-num_values-for-hidiocgusages-hid.patch |  39 --
 .../keys-potential-uninitialized-variable.patch    |  87 -----
 .../rds-fix-an-infoleak-in-rds_inc_info_copy.patch |  26 --
 .../tcp-make-challenge-acks-less-predictable.patch |  75 ----
 ...x-an-infoleak-in-tipc_nl_compat_link_dump.patch |  26 --
 ...usb-usbfs-fix-potential-infoleak-in-devio.patch |  36 --
 ...cfs-ecryptfs-stacking-check-into-ecryptfs.patch |  94 +++++
 debian/patches/debian/kernelvariables.patch        |   6 +-
 ...ice-introduce-help-function-eth_zero_addr.patch |  39 --
 .../hidepid/0004-proc-fix-mount-t-proc-o-AAA.patch |   8 +-
 debian/patches/series                              |  13 +-
 17 files changed, 173 insertions(+), 892 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index b07465a..ba2780a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,75 @@
+linux (3.2.82-1) UNRELEASED; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.82
+    - PCI: Supply CPU physical address (not bus address) to iomem_is_exclusive()
+    - aacraid: Fix for aac_command_thread hang
+    - ext4: fix hang when processing corrupted orphaned inode list
+    - char: Drop bogus dependency of DEVPORT on !M68K
+    - tty: vt, return error when con_startup fails
+    - ACPI / sysfs: fix error code in get_status()
+    - sched/loadavg: Fix loadavg artifacts on fully idle and on fully
+      loaded systems
+    - mmc: mmc: Fix partition switch timeout for some eMMCs
+    - net/mlx4_core: Fix access to uninitialized index
+    - [x86] PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs
+    - PCI: Disable all BAR sizing for devices with non-compliant BARs
+    - fs/cifs: correctly do anonymous authentication
+    - sunrpc: Update RPCBIND_MAXNETIDLEN
+    - Input: uinput - handle compat ioctl for UI_SET_PHYS
+    - wait/ptrace: assume __WALL if the child is traced
+    - [x86] xen/events: Don't move disabled irqs
+    - RDMA/cxgb3: device driver frees DMA memory with different size
+    - Input: xpad - prevent spurious input from wired Xbox 360 controllers
+    - mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL
+    - [armhf] fix PTRACE_SETVFPREGS on SMP systems
+    - [x86] KVM: fix OOPS after invalid KVM_SET_DEBUGREGS
+    - fs: fix d_walk()/non-delayed __d_free() race
+    - usb: f_fs: off by one bug in _ffs_func_bind()
+    - [armhf/omap] usb: musb: Ensure rx reinit occurs for shared_fifo endpoints
+    - [armhf/omap] usb: musb: Stop bulk endpoint while queue is rotated
+    - [armhf/omap] staging:iio: trigger fixes for repeat request of same
+      trigger and allocation failure
+    - [armhf/omap] iio: Fix error handling in iio_trigger_attach_poll_func
+    - [x86] drm/radeon: fix asic initialization for virtualized environments
+    - [x86] kprobes: Clear TF bit in fault on single-stepping
+    - kernel/sysrq, watchdog, sched/core: Reset watchdog on all CPUs while
+      processing sysrq-w
+    - base: make module_create_drivers_dir race-free
+    - [x86] kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES
+    - IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs
+    - isa: Call isa_bus_init before dependent ISA bus drivers register
+    - [x86] hwmon: (dell-smm) Restrict fan control and serial number to
+      CAP_SYS_ADMIN by default
+    - ubi: Make recover_peb power cut aware
+    - UBIFS: Implement ->migratepage()
+    - can: fix oops caused by wrong rtnl dellink usage
+    - [x86] xen/pciback: Fix conf_space read/write overlap check.
+    - IB/mlx4: Fix the SQ size of an RC QP
+    - Input: wacom_w8001 - w8001_MAX_LENGTH should be 13
+    - ALSA: dummy: Fix a use-after-free at closing
+    - fs/nilfs2: fix potential underflow in call to crc32_le
+    - [armhf/omap] staging: iio: accel: fix error check
+    - ALSA: echoaudio: Fix memory allocation
+    - NFS: Fix another OPEN_DOWNGRADE bug
+    - batman-adv: Fix use-after-free/double-free of tt_req_node
+    - [x86] ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()
+    - [x86] amd_nb: Fix boot crash on non-AMD systems
+    - bonding: prevent out of bound accesses
+    - ALSA: timer: Fix negative queue usage by racy accesses
+    - qeth: delete napi struct when removing a qeth device
+    - ecryptfs: don't allow mmap when the lower fs doesn't support it
+      (CVE-2016-1583)
+    - cifs: dynamic allocation of ntlmssp blob
+    - proc: prevent stacking filesystems on top (CVE-2016-1583)
+
+  [ Ben Hutchings ]
+  * Revert "ecryptfs: forbid opening files without mmap handler", redundant
+    with upstream fixes
+  * fs: Move procfs/ecryptfs stacking check into ecryptfs, to avoid ABI change
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Sun, 04 Sep 2016 14:08:46 +0100
+
 linux (3.2.81-2) wheezy-security; urgency=high
 
   * linux-source: Fix build failure for non-modular configurations
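Review bot: The [ Ben Hutchings ] section of the new entry records only the ecryptfs revert and the stacking-check move, while the diffstat shows this commit also deleting the ALSA timer, audit, HID, KEYS, RDS, tcp, tipc and usbfs patches, and none of those fixes is named in the 3.2.82 list above. Add a line saying these patches were dropped because they are applied upstream, or list the matching upstream entries, so that a reader of the changelog can confirm each fix is still present. The entry is also marked urgency=medium although it lists two CVE-2016-1583 changes and the previous upload was urgency=high.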
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
deleted file mode 100644
index 14172f4..0000000
--- a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Kangjie Lu <kangjielu at gmail.com>
-Date: Tue, 3 May 2016 16:44:20 -0400
-Subject: [1/2] ALSA: timer: Fix leak in events via snd_timer_user_ccallback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1213,6 +1213,7 @@ static void snd_timer_user_ccallback(str
- 		tu->tstamp = *tstamp;
- 	if ((tu->filter & (1 << event)) == 0 || !tu->tread)
- 		return;
-+	memset(&r1, 0, sizeof(r1));
- 	r1.event = event;
- 	r1.tstamp = *tstamp;
- 	r1.val = resolution;
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
deleted file mode 100644
index 00dee65..0000000
--- a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Kangjie Lu <kangjielu at gmail.com>
-Date: Tue, 3 May 2016 16:44:32 -0400
-Subject: [2/2] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/e4ec8cc8039a7063e24204299b462bd1383184a5
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1248,6 +1248,7 @@ static void snd_timer_user_tinterrupt(st
- 	}
- 	if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
- 	    tu->last_resolution != resolution) {
-+		memset(&r1, 0, sizeof(r1));
- 		r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
- 		r1.tstamp = tstamp;
- 		r1.val = resolution;
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
deleted file mode 100644
index 1bd1a62..0000000
--- a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Kangjie Lu <kangjielu at gmail.com>
-Date: Tue, 3 May 2016 16:44:07 -0400
-Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/cec8f96e49d9be372fdb0c3836dcf31ec71e457e
-
-The stack object “tread” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1712,6 +1712,7 @@ static int snd_timer_user_params(struct
- 	if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
- 		if (tu->tread) {
- 			struct snd_timer_tread tread;
-+			memset(&tread, 0, sizeof(tread));
- 			tread.event = SNDRV_TIMER_EVENT_EARLY;
- 			tread.tstamp.tv_sec = 0;
- 			tread.tstamp.tv_nsec = 0;
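Review bot: Nothing in the 3.2.82 changelog list names the ALSA timer padding-leak fixes (its only ALSA timer entry is "Fix negative queue usage by racy accesses"), so dropping these three patches needs an explicit check of sound/core/timer.c in 3.2.82. All three sites have to be covered: memset(&r1, 0, sizeof(r1)) in snd_timer_user_ccallback() and snd_timer_user_tinterrupt(), and memset(&tread, 0, sizeof(tread)) in snd_timer_user_params(). Missing any one leaves the 8 padding bytes described in the patch headers uninitialized when the structure is sent to user space.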
diff --git a/debian/patches/bugfix/all/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch b/debian/patches/bugfix/all/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
deleted file mode 100644
index a063d1e..0000000
--- a/debian/patches/bugfix/all/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
+++ /dev/null
@@ -1,422 +0,0 @@
-From: Paul Moore <paul at paul-moore.com>
-Date: Tue, 19 Jul 2016 17:42:57 -0400
-Subject: audit: fix a double fetch in audit_log_single_execve_arg()
-Origin: https://git.kernel.org/linus/43761473c254b45883a64441dd0bc85a42f3645c
-
-There is a double fetch problem in audit_log_single_execve_arg()
-where we first check the execve(2) argumnets for any "bad" characters
-which would require hex encoding and then re-fetch the arguments for
-logging in the audit record[1].  Of course this leaves a window of
-opportunity for an unsavory application to munge with the data.
-
-This patch reworks things by only fetching the argument data once[2]
-into a buffer where it is scanned and logged into the audit
-records(s).  In addition to fixing the double fetch, this patch
-improves on the original code in a few other ways: better handling
-of large arguments which require encoding, stricter record length
-checking, and some performance improvements (completely unverified,
-but we got rid of some strlen() calls, that's got to be a good
-thing).
-
-As part of the development of this patch, I've also created a basic
-regression test for the audit-testsuite, the test can be tracked on
-GitHub at the following link:
-
- * https://github.com/linux-audit/audit-testsuite/issues/25
-
-[1] If you pay careful attention, there is actually a triple fetch
-problem due to a strnlen_user() call at the top of the function.
-
-[2] This is a tiny white lie, we do make a call to strnlen_user()
-prior to fetching the argument data.  I don't like it, but due to the
-way the audit record is structured we really have no choice unless we
-copy the entire argument at once (which would require a rather
-wasteful allocation).  The good news is that with this patch the
-kernel no longer relies on this strnlen_user() value for anything
-beyond recording it in the log, we also update it with a trustworthy
-value whenever possible.
-
-Reported-by: Pengfei Wang <wpengfeinudt at gmail.com>
-Signed-off-by: Paul Moore <paul at paul-moore.com>
-[bwh: Backported to 3.2:
- - In audit_log_execve_info() various information is retrieved via
-   the extra parameter struct audit_aux_data_execve *axi
- - Adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- kernel/auditsc.c | 332 +++++++++++++++++++++++++++----------------------------
- 1 file changed, 164 insertions(+), 168 deletions(-)
-
---- a/kernel/auditsc.c
-+++ b/kernel/auditsc.c
-@@ -67,6 +67,7 @@
- #include <linux/syscalls.h>
- #include <linux/capability.h>
- #include <linux/fs_struct.h>
-+#include <linux/uaccess.h>
- 
- #include "audit.h"
- 
-@@ -77,7 +78,8 @@
- /* Indicates that audit should log the full pathname. */
- #define AUDIT_NAME_FULL -1
- 
--/* no execve audit message should be longer than this (userspace limits) */
-+/* no execve audit message should be longer than this (userspace limits),
-+ * see the note near the top of audit_log_execve_info() about this value */
- #define MAX_EXECVE_AUDIT_LEN 7500
- 
- /* number of audit rules */
-@@ -1026,189 +1028,184 @@ static int audit_log_pid_context(struct
- 	return rc;
- }
- 
--/*
-- * to_send and len_sent accounting are very loose estimates.  We aren't
-- * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
-- * within about 500 bytes (next page boundary)
-- *
-- * why snprintf?  an int is up to 12 digits long.  if we just assumed when
-- * logging that a[%d]= was going to be 16 characters long we would be wasting
-- * space in every audit message.  In one 7500 byte message we can log up to
-- * about 1000 min size arguments.  That comes down to about 50% waste of space
-- * if we didn't do the snprintf to find out how long arg_num_len was.
-- */
--static int audit_log_single_execve_arg(struct audit_context *context,
--					struct audit_buffer **ab,
--					int arg_num,
--					size_t *len_sent,
--					const char __user *p,
--					char *buf)
--{
--	char arg_num_len_buf[12];
--	const char __user *tmp_p = p;
--	/* how many digits are in arg_num? 5 is the length of ' a=""' */
--	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
--	size_t len, len_left, to_send;
--	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
--	unsigned int i, has_cntl = 0, too_long = 0;
--	int ret;
--
--	/* strnlen_user includes the null we don't want to send */
--	len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
--
--	/*
--	 * We just created this mm, if we can't find the strings
--	 * we just copied into it something is _very_ wrong. Similar
--	 * for strings that are too long, we should not have created
--	 * any.
--	 */
--	if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
--		WARN_ON(1);
--		send_sig(SIGKILL, current, 0);
--		return -1;
--	}
--
--	/* walk the whole argument looking for non-ascii chars */
--	do {
--		if (len_left > MAX_EXECVE_AUDIT_LEN)
--			to_send = MAX_EXECVE_AUDIT_LEN;
--		else
--			to_send = len_left;
--		ret = copy_from_user(buf, tmp_p, to_send);
--		/*
--		 * There is no reason for this copy to be short. We just
--		 * copied them here, and the mm hasn't been exposed to user-
--		 * space yet.
--		 */
--		if (ret) {
--			WARN_ON(1);
--			send_sig(SIGKILL, current, 0);
--			return -1;
--		}
--		buf[to_send] = '\0';
--		has_cntl = audit_string_contains_control(buf, to_send);
--		if (has_cntl) {
--			/*
--			 * hex messages get logged as 2 bytes, so we can only
--			 * send half as much in each message
--			 */
--			max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
--			break;
--		}
--		len_left -= to_send;
--		tmp_p += to_send;
--	} while (len_left > 0);
--
--	len_left = len;
--
--	if (len > max_execve_audit_len)
--		too_long = 1;
--
--	/* rewalk the argument actually logging the message */
--	for (i = 0; len_left > 0; i++) {
--		int room_left;
--
--		if (len_left > max_execve_audit_len)
--			to_send = max_execve_audit_len;
--		else
--			to_send = len_left;
--
--		/* do we have space left to send this argument in this ab? */
--		room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
--		if (has_cntl)
--			room_left -= (to_send * 2);
--		else
--			room_left -= to_send;
--		if (room_left < 0) {
--			*len_sent = 0;
--			audit_log_end(*ab);
--			*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
--			if (!*ab)
--				return 0;
--		}
--
--		/*
--		 * first record needs to say how long the original string was
--		 * so we can be sure nothing was lost.
--		 */
--		if ((i == 0) && (too_long))
--			audit_log_format(*ab, " a%d_len=%zu", arg_num,
--					 has_cntl ? 2*len : len);
--
--		/*
--		 * normally arguments are small enough to fit and we already
--		 * filled buf above when we checked for control characters
--		 * so don't bother with another copy_from_user
--		 */
--		if (len >= max_execve_audit_len)
--			ret = copy_from_user(buf, p, to_send);
--		else
--			ret = 0;
--		if (ret) {
--			WARN_ON(1);
--			send_sig(SIGKILL, current, 0);
--			return -1;
--		}
--		buf[to_send] = '\0';
--
--		/* actually log it */
--		audit_log_format(*ab, " a%d", arg_num);
--		if (too_long)
--			audit_log_format(*ab, "[%d]", i);
--		audit_log_format(*ab, "=");
--		if (has_cntl)
--			audit_log_n_hex(*ab, buf, to_send);
--		else
--			audit_log_string(*ab, buf);
--
--		p += to_send;
--		len_left -= to_send;
--		*len_sent += arg_num_len;
--		if (has_cntl)
--			*len_sent += to_send * 2;
--		else
--			*len_sent += to_send;
--	}
--	/* include the null we didn't log */
--	return len + 1;
--}
--
- static void audit_log_execve_info(struct audit_context *context,
- 				  struct audit_buffer **ab,
- 				  struct audit_aux_data_execve *axi)
- {
--	int i;
--	size_t len, len_sent = 0;
--	const char __user *p;
-+	long len_max;
-+	long len_rem;
-+	long len_full;
-+	long len_buf;
-+	long len_abuf;
-+	long len_tmp;
-+	bool require_data;
-+	bool encode;
-+	unsigned int iter;
-+	unsigned int arg;
-+	char *buf_head;
- 	char *buf;
-+	const char __user *p;
-+
-+	/* NOTE: this buffer needs to be large enough to hold all the non-arg
-+	 *       data we put in the audit record for this argument (see the
-+	 *       code below) ... at this point in time 96 is plenty */
-+	char abuf[96];
- 
- 	if (axi->mm != current->mm)
- 		return; /* execve failed, no additional info */
- 
- 	p = (const char __user *)axi->mm->arg_start;
- 
--	audit_log_format(*ab, "argc=%d", axi->argc);
--
--	/*
--	 * we need some kernel buffer to hold the userspace args.  Just
--	 * allocate one big one rather than allocating one of the right size
--	 * for every single argument inside audit_log_single_execve_arg()
--	 * should be <8k allocation so should be pretty safe.
--	 */
--	buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
--	if (!buf) {
-+	/* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
-+	 *       current value of 7500 is not as important as the fact that it
-+	 *       is less than 8k, a setting of 7500 gives us plenty of wiggle
-+	 *       room if we go over a little bit in the logging below */
-+	WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
-+	len_max = MAX_EXECVE_AUDIT_LEN;
-+
-+	/* scratch buffer to hold the userspace args */
-+	buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
-+	if (!buf_head) {
- 		audit_panic("out of memory for argv string\n");
- 		return;
- 	}
-+	buf = buf_head;
- 
--	for (i = 0; i < axi->argc; i++) {
--		len = audit_log_single_execve_arg(context, ab, i,
--						  &len_sent, p, buf);
--		if (len <= 0)
--			break;
--		p += len;
--	}
--	kfree(buf);
-+	audit_log_format(*ab, "argc=%d", axi->argc);
-+
-+	len_rem = len_max;
-+	len_buf = 0;
-+	len_full = 0;
-+	require_data = true;
-+	encode = false;
-+	iter = 0;
-+	arg = 0;
-+	do {
-+		/* NOTE: we don't ever want to trust this value for anything
-+		 *       serious, but the audit record format insists we
-+		 *       provide an argument length for really long arguments,
-+		 *       e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
-+		 *       to use strncpy_from_user() to obtain this value for
-+		 *       recording in the log, although we don't use it
-+		 *       anywhere here to avoid a double-fetch problem */
-+		if (len_full == 0)
-+			len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
-+
-+		/* read more data from userspace */
-+		if (require_data) {
-+			/* can we make more room in the buffer? */
-+			if (buf != buf_head) {
-+				memmove(buf_head, buf, len_buf);
-+				buf = buf_head;
-+			}
-+
-+			/* fetch as much as we can of the argument */
-+			len_tmp = strncpy_from_user(&buf_head[len_buf], p,
-+						    len_max - len_buf);
-+			if (len_tmp == -EFAULT) {
-+				/* unable to copy from userspace */
-+				send_sig(SIGKILL, current, 0);
-+				goto out;
-+			} else if (len_tmp == (len_max - len_buf)) {
-+				/* buffer is not large enough */
-+				require_data = true;
-+				/* NOTE: if we are going to span multiple
-+				 *       buffers force the encoding so we stand
-+				 *       a chance at a sane len_full value and
-+				 *       consistent record encoding */
-+				encode = true;
-+				len_full = len_full * 2;
-+				p += len_tmp;
-+			} else {
-+				require_data = false;
-+				if (!encode)
-+					encode = audit_string_contains_control(
-+								buf, len_tmp);
-+				/* try to use a trusted value for len_full */
-+				if (len_full < len_max)
-+					len_full = (encode ?
-+						    len_tmp * 2 : len_tmp);
-+				p += len_tmp + 1;
-+			}
-+			len_buf += len_tmp;
-+			buf_head[len_buf] = '\0';
-+
-+			/* length of the buffer in the audit record? */
-+			len_abuf = (encode ? len_buf * 2 : len_buf + 2);
-+		}
-+
-+		/* write as much as we can to the audit log */
-+		if (len_buf > 0) {
-+			/* NOTE: some magic numbers here - basically if we
-+			 *       can't fit a reasonable amount of data into the
-+			 *       existing audit buffer, flush it and start with
-+			 *       a new buffer */
-+			if ((sizeof(abuf) + 8) > len_rem) {
-+				len_rem = len_max;
-+				audit_log_end(*ab);
-+				*ab = audit_log_start(context,
-+						      GFP_KERNEL, AUDIT_EXECVE);
-+				if (!*ab)
-+					goto out;
-+			}
-+
-+			/* create the non-arg portion of the arg record */
-+			len_tmp = 0;
-+			if (require_data || (iter > 0) ||
-+			    ((len_abuf + sizeof(abuf)) > len_rem)) {
-+				if (iter == 0) {
-+					len_tmp += snprintf(&abuf[len_tmp],
-+							sizeof(abuf) - len_tmp,
-+							" a%d_len=%lu",
-+							arg, len_full);
-+				}
-+				len_tmp += snprintf(&abuf[len_tmp],
-+						    sizeof(abuf) - len_tmp,
-+						    " a%d[%d]=", arg, iter++);
-+			} else
-+				len_tmp += snprintf(&abuf[len_tmp],
-+						    sizeof(abuf) - len_tmp,
-+						    " a%d=", arg);
-+			WARN_ON(len_tmp >= sizeof(abuf));
-+			abuf[sizeof(abuf) - 1] = '\0';
-+
-+			/* log the arg in the audit record */
-+			audit_log_format(*ab, "%s", abuf);
-+			len_rem -= len_tmp;
-+			len_tmp = len_buf;
-+			if (encode) {
-+				if (len_abuf > len_rem)
-+					len_tmp = len_rem / 2; /* encoding */
-+				audit_log_n_hex(*ab, buf, len_tmp);
-+				len_rem -= len_tmp * 2;
-+				len_abuf -= len_tmp * 2;
-+			} else {
-+				if (len_abuf > len_rem)
-+					len_tmp = len_rem - 2; /* quotes */
-+				audit_log_n_string(*ab, buf, len_tmp);
-+				len_rem -= len_tmp + 2;
-+				/* don't subtract the "2" because we still need
-+				 * to add quotes to the remaining string */
-+				len_abuf -= len_tmp;
-+			}
-+			len_buf -= len_tmp;
-+			buf += len_tmp;
-+		}
-+
-+		/* ready to move to the next argument? */
-+		if ((len_buf == 0) && !require_data) {
-+			arg++;
-+			iter = 0;
-+			len_full = 0;
-+			require_data = true;
-+			encode = false;
-+		}
-+	} while (arg < axi->argc);
-+
-+	/* NOTE: the caller handles the final audit_log_end() call */
-+
-+out:
-+	kfree(buf_head);
- }
- 
- static void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
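Review bot: The removed backport was adapted for 3.2 (the bwh note says values come from the extra struct audit_aux_data_execve *axi parameter), so the upstream 3.2.82 version of audit_log_execve_info() should be compared against it rather than assumed equivalent, in particular the axi->mm != current->mm early return and the loop bound arg < axi->argc. The 3.2.82 changelog list has no audit entry to confirm the fix is there. While comparing, note that the comment above the len_full assignment says strncpy_from_user() is used to obtain the length, but the code calls strnlen_user(p, MAX_ARG_STRLEN); if upstream carries the same comment it deserves a follow-up correction.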
diff --git a/debian/patches/bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch b/debian/patches/bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch
deleted file mode 100644
index 3cd3345..0000000
--- a/debian/patches/bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Jann Horn <jannh at google.com>
-Date: Wed, 1 Jun 2016 11:55:06 +0200
-Subject: ecryptfs: forbid opening files without mmap handler
-Origin: https://git.kernel.org/linus/2f36db71009304b3f0b95afacd8eba1f9f046b87
-
-This prevents users from triggering a stack overflow through a recursive
-invocation of pagefault handling that involves mapping procfs files into
-virtual memory.
-
-Signed-off-by: Jann Horn <jannh at google.com>
-Acked-by: Tyler Hicks <tyhicks at canonical.com>
-Cc: stable at vger.kernel.org
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-[bwh: Backported to 3.2: There is more to clean up in
- ecryptfs_privileged_open(), so instead of changing labels and gotos
- skip the new check if rc != 0.]
----
---- a/fs/ecryptfs/kthread.c
-+++ b/fs/ecryptfs/kthread.c
-@@ -25,6 +25,7 @@
- #include <linux/slab.h>
- #include <linux/wait.h>
- #include <linux/mount.h>
-+#include <linux/file.h>
- #include "ecryptfs_kernel.h"
- 
- struct kmem_cache *ecryptfs_open_req_cache;
-@@ -193,5 +194,10 @@ out_unlock:
- out_free:
- 	kmem_cache_free(ecryptfs_open_req_cache, req);
- out:
-+	if (rc == 0 && (*lower_file)->f_op->mmap == NULL) {
-+		fput(*lower_file);
-+		*lower_file = NULL;
-+		rc = -EMEDIUMTYPE;
-+	}
- 	return rc;
- }
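Review bot: Removing the check at the out: label changes user-visible behaviour and the changelog does not say so. With this patch ecryptfs_privileged_open() fails with -EMEDIUMTYPE when the lower file has no f_op->mmap; the upstream change the changelog cites as making it redundant ("ecryptfs: don't allow mmap when the lower fs doesn't support it") is, by its title, a check on mmap rather than on open. Mention in the changelog that opening such lower files succeeds again, and confirm that the stacking check moved into ecryptfs still blocks the procfs case this patch's description refers to.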
diff --git a/debian/patches/bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch b/debian/patches/bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
deleted file mode 100644
index 7c9e8df..0000000
--- a/debian/patches/bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Scott Bauer <sbauer at plzdonthack.me>
-Date: Thu, 23 Jun 2016 08:59:47 -0600
-Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES
- commands
-Origin: https://git.kernel.org/linus/93a2001bdfd5376c3dc2158653034c20392d15c5
-
-This patch validates the num_values parameter from userland during the
-HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
-to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
-leading to a heap overflow.
-
-Cc: stable at vger.kernel.org
-Signed-off-by: Scott Bauer <sbauer at plzdonthack.me>
-Signed-off-by: Jiri Kosina <jkosina at suse.cz>
----
- drivers/hid/usbhid/hiddev.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
---- a/drivers/hid/usbhid/hiddev.c
-+++ b/drivers/hid/usbhid/hiddev.c
-@@ -515,13 +515,13 @@ static noinline int hiddev_ioctl_usage(s
- 					goto inval;
- 			} else if (uref->usage_index >= field->report_count)
- 				goto inval;
--
--			else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
--				 (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
--				  uref->usage_index + uref_multi->num_values > field->report_count))
--				goto inval;
- 		}
- 
-+		if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-+		    (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-+		     uref->usage_index + uref_multi->num_values > field->report_count))
-+			goto inval;
-+
- 		switch (cmd) {
- 		case HIDIOCGUSAGE:
- 			uref->value = field->value[uref->usage_index];
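Review bot: What matters in this fix is where the num_values test sits, after the closing brace, so that it also runs when the report id is HID_REPORT_ID_UNKNOWN. When verifying that 3.2.82 carries it, check the position of the (cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) test in hiddev_ioctl_usage() and not just its presence, because the pre-fix code contains the same condition inside the else-if chain. The 3.2.82 changelog list has no HID entry to go by.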
diff --git a/debian/patches/bugfix/all/keys-potential-uninitialized-variable.patch b/debian/patches/bugfix/all/keys-potential-uninitialized-variable.patch
deleted file mode 100644
index d7c7f49..0000000
--- a/debian/patches/bugfix/all/keys-potential-uninitialized-variable.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From: Dan Carpenter <dan.carpenter at oracle.com>
-Date: Thu, 16 Jun 2016 15:48:57 +0100
-Subject: KEYS: potential uninitialized variable
-Origin: https://git.kernel.org/linus/38327424b40bcebe2de92d07312c89360ac9229a
-
-If __key_link_begin() failed then "edit" would be uninitialized.  I've
-added a check to fix that.
-
-This allows a random user to crash the kernel, though it's quite
-difficult to achieve.  There are three ways it can be done as the user
-would have to cause an error to occur in __key_link():
-
- (1) Cause the kernel to run out of memory.  In practice, this is difficult
-     to achieve without ENOMEM cropping up elsewhere and aborting the
-     attempt.
-
- (2) Revoke the destination keyring between the keyring ID being looked up
-     and it being tested for revocation.  In practice, this is difficult to
-     time correctly because the KEYCTL_REJECT function can only be used
-     from the request-key upcall process.  Further, users can only make use
-     of what's in /sbin/request-key.conf, though this does including a
-     rejection debugging test - which means that the destination keyring
-     has to be the caller's session keyring in practice.
-
- (3) Have just enough key quota available to create a key, a new session
-     keyring for the upcall and a link in the session keyring, but not then
-     sufficient quota to create a link in the nominated destination keyring
-     so that it fails with EDQUOT.
-
-The bug can be triggered using option (3) above using something like the
-following:
-
-	echo 80 >/proc/sys/kernel/keys/root_maxbytes
-	keyctl request2 user debug:fred negate @t
-
-The above sets the quota to something much lower (80) to make the bug
-easier to trigger, but this is dependent on the system.  Note also that
-the name of the keyring created contains a random number that may be
-between 1 and 10 characters in size, so may throw the test off by
-changing the amount of quota used.
-
-Assuming the failure occurs, something like the following will be seen:
-
-	kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h
-	------------[ cut here ]------------
-	kernel BUG at ../mm/slab.c:2821!
-	...
-	RIP: 0010:[<ffffffff811600f9>] kfree_debugcheck+0x20/0x25
-	RSP: 0018:ffff8804014a7de8  EFLAGS: 00010092
-	RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000
-	RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300
-	RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000
-	R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202
-	R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001
-	...
-	Call Trace:
-	  kfree+0xde/0x1bc
-	  assoc_array_cancel_edit+0x1f/0x36
-	  __key_link_end+0x55/0x63
-	  key_reject_and_link+0x124/0x155
-	  keyctl_reject_key+0xb6/0xe0
-	  keyctl_negate_key+0x10/0x12
-	  SyS_keyctl+0x9f/0xe7
-	  do_syscall_64+0x63/0x13a
-	  entry_SYSCALL64_slow_path+0x25/0x25
-
-Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()')
-Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-cc: stable at vger.kernel.org
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-[bwh: Backported to 3.2: adjust context]
----
- security/keys/key.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/security/keys/key.c
-+++ b/security/keys/key.c
-@@ -572,7 +572,7 @@ int key_reject_and_link(struct key *key,
- 
- 	mutex_unlock(&key_construction_mutex);
- 
--	if (keyring)
-+	if (keyring && link_ret == 0)
- 		__key_link_end(keyring, key->type, prealloc);
- 
- 	/* wake up anyone waiting for a key to be constructed */
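Review bot: The description speaks of "edit" being uninitialized, while the 3.2 call in this hunk passes prealloc to __key_link_end(), and the backport note says only "adjust context". Confirm that key_reject_and_link() in 3.2.82 guards the call with keyring && link_ret == 0 against the 3.2 variable before dropping this patch; the changelog list does not name the KEYS fix.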
diff --git a/debian/patches/bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch b/debian/patches/bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
deleted file mode 100644
index cdee992..0000000
--- a/debian/patches/bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Kangjie Lu <kangjielu at gmail.com>
-Date: Thu, 2 Jun 2016 04:11:20 -0400
-Subject: rds: fix an infoleak in rds_inc_info_copy
-Origin: https://git.kernel.org/linus/4116def2337991b39919f3b448326e21c40e0dbb
-
-The last field "flags" of object "minfo" is not initialized.
-Copying this object out may leak kernel stack data.
-Assign 0 to it to avoid leak.
-
-Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
-Acked-by: Santosh Shilimkar <santosh.shilimkar at oracle.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/rds/recv.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/rds/recv.c
-+++ b/net/rds/recv.c
-@@ -544,5 +544,7 @@ void rds_inc_info_copy(struct rds_incomi
- 		minfo.fport = inc->i_hdr.h_dport;
- 	}
- 
-+	minfo.flags = 0;
-+
- 	rds_info_copy(iter, &minfo, sizeof(minfo));
- }
diff --git a/debian/patches/bugfix/all/tcp-make-challenge-acks-less-predictable.patch b/debian/patches/bugfix/all/tcp-make-challenge-acks-less-predictable.patch
deleted file mode 100644
index 9602ab1..0000000
--- a/debian/patches/bugfix/all/tcp-make-challenge-acks-less-predictable.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Sun, 10 Jul 2016 10:04:02 +0200
-Subject: tcp: make challenge acks less predictable
-Origin: https://git.kernel.org/linus/75ff39ccc1bd5d3c455b6822ab09e533c551f758
-
-Yue Cao claims that current host rate limiting of challenge ACKS
-(RFC 5961) could leak enough information to allow a patient attacker
-to hijack TCP sessions. He will soon provide details in an academic
-paper.
-
-This patch increases the default limit from 100 to 1000, and adds
-some randomization so that the attacker can no longer hijack
-sessions without spending a considerable amount of probes.
-
-Based on initial analysis and patch from Linus.
-
-Note that we also have per socket rate limiting, so it is tempting
-to remove the host limit in the future.
-
-v2: randomize the count of challenge acks per second, not the period.
-
-Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
-Reported-by: Yue Cao <ycao009 at ucr.edu>
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Yuchung Cheng <ycheng at google.com>
-Cc: Neal Cardwell <ncardwell at google.com>
-Acked-by: Neal Cardwell <ncardwell at google.com>
-Acked-by: Yuchung Cheng <ycheng at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2:
- - Adjust context
- - Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()
- - Open-code prandom_u32_max()]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- net/ipv4/tcp_input.c | 17 ++++++++++++-----
- 1 file changed, 12 insertions(+), 5 deletions(-)
-
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_most
- EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
- 
- /* rfc5961 challenge ack rate limiting */
--int sysctl_tcp_challenge_ack_limit = 100;
-+int sysctl_tcp_challenge_ack_limit = 1000;
- 
- int sysctl_tcp_stdurg __read_mostly;
- int sysctl_tcp_rfc1337 __read_mostly;
-@@ -3715,13 +3715,20 @@ static void tcp_send_challenge_ack(struc
- 	/* unprotected vars, we dont care of overwrites */
- 	static u32 challenge_timestamp;
- 	static unsigned int challenge_count;
--	u32 now = jiffies / HZ;
-+	u32 count, now = jiffies / HZ;
- 
- 	if (now != challenge_timestamp) {
-+		u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
-+
- 		challenge_timestamp = now;
--		challenge_count = 0;
--	}
--	if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
-+		ACCESS_ONCE(challenge_count) =
-+			half + (u32)(
-+			((u64) random32() * sysctl_tcp_challenge_ack_limit)
-+			>> 32);
-+	}
-+	count = ACCESS_ONCE(challenge_count);
-+	if (count > 0) {
-+		ACCESS_ONCE(challenge_count) = count - 1;
- 		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
- 		tcp_send_ack(sk);
- 	}
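Review bot: In the tcp_send_challenge_ack() hunk the per-second budget is now `half` plus a random value below sysctl_tcp_challenge_ack_limit, so the effective count ranges from roughly 0.5x to 1.5x the sysctl and the setting is no longer a hard ceiling; that should be stated in the sysctl documentation. The raised default (100 to 1000) also only reaches hosts that never set the value explicitly, which is worth a changelog hint for admins who pinned the old limit. Since this copy was a 3.2-specific backport (ACCESS_ONCE(), open-coded prandom_u32_max()), confirm the version in 3.2.82 is equivalent before dropping it.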
diff --git a/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch b/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
deleted file mode 100644
index ad03a49..0000000
--- a/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Kangjie Lu <kangjielu at gmail.com>
-Date: Thu, 2 Jun 2016 04:04:56 -0400
-Subject: tipc: fix an infoleak in tipc_nl_compat_link_dump
-Origin: https://git.kernel.org/linus/5d2be1422e02ccd697ccfcd45c85b4a26e6178e2
-
-link_info.str is a char array of size 60. Memory after the NULL
-byte is not initialized. Sending the whole object out can cause
-a leak.
-
-Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: the unpadded strcpy() is in tipc_node_get_links()
- and no nlattr is involved, so use strncpy()]
----
---- a/net/tipc/node.c
-+++ b/net/tipc/node.c
-@@ -485,7 +485,8 @@ struct sk_buff *tipc_node_get_links(cons
- 				continue;
- 			link_info.dest = htonl(n_ptr->addr);
- 			link_info.up = htonl(tipc_link_is_up(n_ptr->links[i]));
--			strcpy(link_info.str, n_ptr->links[i]->name);
-+			strncpy(link_info.str, n_ptr->links[i]->name,
-+				sizeof(link_info.str));
- 			tipc_cfg_append_tlv(buf, TIPC_TLV_LINK_INFO,
- 					    &link_info, sizeof(link_info));
- 		}
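Review bot: `strncpy(link_info.str, ..., sizeof(link_info.str))` zero-pads the tail, which closes the leak, but it leaves `str` without a terminating NUL if a link name ever fills the whole array. Zeroing link_info first and copying at most `sizeof(link_info.str) - 1` bytes, or a comment stating the maximum name length, would make that safe by inspection. The bwh note says this backport diverges from upstream (different function, no nlattr), so check that 3.2.82 fixes tipc_node_get_links() the same way before this file is removed.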
diff --git a/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch b/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
deleted file mode 100644
index 0aea2b8..0000000
--- a/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Kangjie Lu <kangjielu at gmail.com>
-Date: Tue, 3 May 2016 16:32:16 -0400
-Subject: USB: usbfs: fix potential infoleak in devio
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/681fef8380eb818c0b845fca5d2ab1dcbab114ee
-
-The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
-are padding bytes which are not initialized and leaked to userland
-via “copy_to_user”.
-
-Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- drivers/usb/core/devio.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
---- a/drivers/usb/core/devio.c
-+++ b/drivers/usb/core/devio.c
-@@ -1005,10 +1005,11 @@ static int proc_getdriver(struct dev_sta
- 
- static int proc_connectinfo(struct dev_state *ps, void __user *arg)
- {
--	struct usbdevfs_connectinfo ci = {
--		.devnum = ps->dev->devnum,
--		.slow = ps->dev->speed == USB_SPEED_LOW
--	};
-+	struct usbdevfs_connectinfo ci;
-+
-+	memset(&ci, 0, sizeof(ci));
-+	ci.devnum = ps->dev->devnum;
-+	ci.slow = ps->dev->speed == USB_SPEED_LOW;
- 
- 	if (copy_to_user(arg, &ci, sizeof(ci)))
- 		return -EFAULT;
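Review bot: The switch in proc_connectinfo() from a designated initializer to memset() plus field assignments reads like a style regression unless the reader knows about the padding bytes. A one-line comment above `memset(&ci, 0, sizeof(ci));` saying it clears padding before copy_to_user() would keep a later cleanup from restoring the initializer form.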
diff --git a/debian/patches/debian/fs-move-procfs-ecryptfs-stacking-check-into-ecryptfs.patch b/debian/patches/debian/fs-move-procfs-ecryptfs-stacking-check-into-ecryptfs.patch
new file mode 100644
index 0000000..150b165
--- /dev/null
+++ b/debian/patches/debian/fs-move-procfs-ecryptfs-stacking-check-into-ecryptfs.patch
@@ -0,0 +1,94 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Mon, 17 Oct 2016 16:51:59 +0100
+Subject: fs: Move procfs/ecryptfs stacking check into ecryptfs
+Forwarded: not-needed
+
+The final upstream fix for CVE-2016-1583 relies on the
+super_block::s_stack_depth field which did not exist in 3.2, so that
+was added as part of the backport in 3.2.82.  However, that addition
+changes ABI.
+
+Revert the changes to add and use s_stack_depth.  Instead, make
+ecryptfs specifically prevent mounting on top of procfs, same as it
+already did for ecryptfs.
+
+We don't need to touch overlayfs since that doesn't exist here.  We do
+have aufs, but that already prevents mounting on top of ecryptfs,
+procfs and itself.  It's still possible to mount ecryptfs on top of
+aufs, but with only one layer of each, which is consistent with the
+upstream restriction to a total of 2 stacked layers.
+
+---
+--- a/fs/ecryptfs/main.c
++++ b/fs/ecryptfs/main.c
+@@ -539,10 +539,11 @@ static struct dentry *ecryptfs_mount(str
+ 		ecryptfs_printk(KERN_WARNING, "kern_path() failed\n");
+ 		goto out1;
+ 	}
+-	if (path.dentry->d_sb->s_type == &ecryptfs_fs_type) {
++	if (path.dentry->d_sb->s_type == &ecryptfs_fs_type ||
++	    path.dentry->d_sb->s_magic == PROC_SUPER_MAGIC) {
+ 		rc = -EINVAL;
+ 		printk(KERN_ERR "Mount on filesystem of type "
+-			"eCryptfs explicitly disallowed due to "
++			"eCryptfs or procfs explicitly disallowed due to "
+ 			"known incompatibilities\n");
+ 		goto out_free;
+ 	}
+@@ -576,13 +577,6 @@ static struct dentry *ecryptfs_mount(str
+ 	s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
+ 	s->s_blocksize = path.dentry->d_sb->s_blocksize;
+ 	s->s_magic = ECRYPTFS_SUPER_MAGIC;
+-	s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;
+-
+-	rc = -EINVAL;
+-	if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
+-		pr_err("eCryptfs: maximum fs stacking depth exceeded\n");
+-		goto out_free;
+-	}
+ 
+ 	inode = ecryptfs_get_inode(path.dentry->d_inode, s);
+ 	rc = PTR_ERR(inode);
+--- a/fs/proc/root.c
++++ b/fs/proc/root.c
+@@ -115,13 +115,6 @@ static struct dentry *proc_mount(struct
+ 	if (IS_ERR(sb))
+ 		return ERR_CAST(sb);
+ 
+-	/*
+-	 * procfs isn't actually a stacking filesystem; however, there is
+-	 * too much magic going on inside it to permit stacking things on
+-	 * top of it
+-	 */
+-	sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;
+-
+ 	if (!proc_parse_options(options, ns)) {
+ 		deactivate_locked_super(sb);
+ 		return ERR_PTR(-EINVAL);
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -488,12 +488,6 @@ struct iattr {
+  */
+ #include <linux/quota.h>
+ 
+-/*
+- * Maximum number of layers of fs stack.  Needs to be limited to
+- * prevent kernel stack overflow
+- */
+-#define FILESYSTEM_MAX_STACK_DEPTH 2
+-
+ /** 
+  * enum positive_aop_returns - aop return codes with specific semantics
+  *
+@@ -1506,11 +1500,6 @@ struct super_block {
+ 	int cleancache_poolid;
+ 
+ 	struct shrinker s_shrink;	/* per-sb shrinker handle */
+-
+-	/*
+-	 * Indicates how deep in a filesystem stack this SB is
+-	 */
+-	int s_stack_depth;
+ };
+ 
+ /* superblock cache pruning functions */
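Review bot: The new test in ecryptfs_mount() compares `s_magic == PROC_SUPER_MAGIC` while the existing one compares `s_type == &ecryptfs_fs_type`, and nothing in the code says why the two differ or that this check stands in for the reverted s_stack_depth limit. A short comment at that condition referencing CVE-2016-1583 would document it. The patch adds no #include to fs/ecryptfs/main.c, so confirm PROC_SUPER_MAGIC is already visible in that file. Note also that the check only catches procfs as the immediate lower filesystem; the description relies on aufs refusing procfs for the stacked case, which belongs in that code comment too.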
diff --git a/debian/patches/debian/kernelvariables.patch b/debian/patches/debian/kernelvariables.patch
index 623cbf2..ef13272 100644
--- a/debian/patches/debian/kernelvariables.patch
+++ b/debian/patches/debian/kernelvariables.patch
@@ -14,7 +14,7 @@ use of $(ARCH) needs to be moved after this.
 
 --- a/Makefile
 +++ b/Makefile
-@@ -195,46 +195,6 @@
+@@ -195,46 +195,6 @@ export KBUILD_BUILDHOST := $(SUBARCH)
  ARCH		?= $(SUBARCH)
  CROSS_COMPILE	?= $(CONFIG_CROSS_COMPILE:"%"=%)
  
@@ -61,9 +61,9 @@ use of $(ARCH) needs to be moved after this.
  KCONFIG_CONFIG	?= .config
  export KCONFIG_CONFIG
  
-@@ -354,6 +314,44 @@
+@@ -354,6 +314,44 @@ CFLAGS_KERNEL	=
  AFLAGS_KERNEL	=
- CFLAGS_GCOV	= -fprofile-arcs -ftest-coverage
+ CFLAGS_GCOV	= -fprofile-arcs -ftest-coverage -fno-tree-loop-im
  
 +-include $(obj)/.kernelvariables
 +
diff --git a/debian/patches/features/all/etherdevice-introduce-help-function-eth_zero_addr.patch b/debian/patches/features/all/etherdevice-introduce-help-function-eth_zero_addr.patch
deleted file mode 100644
index e37dc67..0000000
--- a/debian/patches/features/all/etherdevice-introduce-help-function-eth_zero_addr.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Duan Jiong <djduanjiong at gmail.com>
-Date: Sat, 8 Sep 2012 16:32:28 +0000
-Subject: [PATCH] etherdevice: introduce help function eth_zero_addr()
-Origin: https://git.kernel.org/linus/6d57e9078e880a3dd232d579f42ac437a8f1ef7b
-
-a lot of code has either the memset or an inefficient copy
-from a static array that contains the all-zeros Ethernet address.
-Introduce help function eth_zero_addr() to fill an address with
-all zeros, making the code clearer and allowing us to get rid of
-some constant arrays.
-
-Signed-off-by: Duan Jiong <djduanjiong at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- include/linux/etherdevice.h | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h
-index 0ca91de..71929cd 100644
---- a/include/linux/etherdevice.h
-+++ b/include/linux/etherdevice.h
-@@ -154,6 +154,17 @@ static inline void dev_hw_addr_random(struct net_device *dev, u8 *hwaddr)
- }
- 
- /**
-+ * eth_zero_addr - Assign zero address
-+ * @addr: Pointer to a six-byte array containing the Ethernet address
-+ *
-+ * Assign the zero address to the given address array.
-+ */
-+static inline void eth_zero_addr(u8 *addr)
-+{
-+	memset(addr, 0x00, ETH_ALEN);
-+}
-+
-+/**
-  * eth_hw_addr_random - Generate software assigned random Ethernet and
-  * set device flag
-  * @dev: pointer to net_device structure
diff --git a/debian/patches/features/all/hidepid/0004-proc-fix-mount-t-proc-o-AAA.patch b/debian/patches/features/all/hidepid/0004-proc-fix-mount-t-proc-o-AAA.patch
index da1a2f4..19a8cd8 100644
--- a/debian/patches/features/all/hidepid/0004-proc-fix-mount-t-proc-o-AAA.patch
+++ b/debian/patches/features/all/hidepid/0004-proc-fix-mount-t-proc-o-AAA.patch
@@ -25,13 +25,11 @@ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
  fs/proc/root.c |    9 +++++----
  1 file changed, 5 insertions(+), 4 deletions(-)
 
-diff --git a/fs/proc/root.c b/fs/proc/root.c
-index 46a15d8..eed44bf 100644
 --- a/fs/proc/root.c
 +++ b/fs/proc/root.c
-@@ -115,12 +115,13 @@ static struct dentry *proc_mount(struct file_system_type *fs_type,
- 	if (IS_ERR(sb))
- 		return ERR_CAST(sb);
+@@ -122,12 +122,13 @@ static struct dentry *proc_mount(struct
+ 	 */
+ 	sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;
  
 +	if (!proc_parse_options(options, ns)) {
 +		deactivate_locked_super(sb);
diff --git a/debian/patches/series b/debian/patches/series
index 19fe7c6..0197aba 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -479,7 +479,6 @@ features/all/PCI-Add-accessors-for-PCI-Express-Capability.patch
 features/all/phy-add-the-EEE-support-and-the-way-to-access-to-the.patch
 features/all/PCI-Add-standard-PCIe-Capability-Link-ASPM-field-nam.patch
 features/all/DMA-API-provide-a-helper-to-set-both-DMA-and-coheren.patch
-features/all/etherdevice-introduce-help-function-eth_zero_addr.patch
 
 # iguanair driver from 3.7
 features/all/iguanair/0001-media-Add-support-for-the-IguanaWorks-USB-IR-Transce.patch
@@ -1106,18 +1105,7 @@ features/all/hpsa/0011-hpsa-add-in-P840ar-controller-model-name.patch
 # Security fixes
 bugfix/all/netfilter-ipset-Check-and-reject-crazy-0-input-param.patch
 bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
-bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
-bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
-bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
-bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
-bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
-bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
 bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
-bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch
-bugfix/all/keys-potential-uninitialized-variable.patch
-bugfix/all/hid-hiddev-validate-num_values-for-hidiocgusages-hid.patch
-bugfix/all/tcp-make-challenge-acks-less-predictable.patch
-bugfix/all/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
 bugfix/arm/arm-oabi-compat-add-missing-access-checks.patch
 bugfix/all/aacraid-check-size-values-after-double-fetch-from-us.patch
 bugfix/all/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
@@ -1185,3 +1173,4 @@ debian/fs-fix-abi-change-in-3.2.80.patch
 debian/pci-fix-abi-change-in-3.2.80.patch
 debian/revert-net-ipv6-add-sysctl-option-accept_ra_min_hop_limit.patch
 debian/fs-fix-abi-change-for-aufs-f_setfl-fix.patch
+debian/fs-move-procfs-ecryptfs-stacking-check-into-ecryptfs.patch
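Review bot: The appended debian/fs-move-procfs-ecryptfs-stacking-check-into-ecryptfs.patch entry is order-dependent and the series file does not say so. Its fs/proc/root.c hunk uses the proc_parse_options() call as context, which is added by features/all/hidepid/0004, and that patch's refreshed context in turn expects the `sb->s_stack_depth` assignment this one removes. Placing it last works, but a `#` comment above the entry noting that it must stay after the hidepid patches would save trouble at the next refresh.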

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


