[linux] 01/01: Update to 3.2.89

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Jun 8 15:20:23 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 6e088c79a81f5da14e39509a05664c07c5d866c1
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Jun 8 16:19:42 2017 +0100

    Update to 3.2.89
    
    Ignore ABI changes in IB.
---
 debian/changelog                                   |  98 +++++++--
 debian/config/defines                              |   2 +
 ...ash-fix-einprogress-notification-callback.patch | 226 ---------------------
 ...h-fully-restore-ahash-request-before-comp.patch |  35 ----
 ...-Fix-the-pointer-voodoo-in-unaligned-ahas.patch | 118 -----------
 ...-pull-out-the-functions-to-save-restore-r.patch | 152 --------------
 ...h-simplify-the-ahash_finup-implementation.patch | 115 -----------
 ...cp-tcp-do-not-inherit-mc_list-from-parent.patch |  38 ----
 ...ip6_find_1stfragopt-return-value-properly.patch |  81 --------
 ...p-do-not-inherit-ipv6_mc_list-from-parent.patch |  60 ------
 ...-out-of-bound-writes-in-__ip6_append_data.patch |  62 ------
 ...nt-overrun-when-parsing-v6-header-options.patch | 214 -------------------
 .../ipx-call-ipxitf_put-in-ioctl-error-path.patch  |  34 ----
 ...ow-keyrings-beginning-with-.-to-be-joined.patch |  76 -------
 ...yctl_set_reqkey_keyring-to-not-leak-threa.patch | 176 ----------------
 ...ate-eperm-for-a-key-type-name-beginning-w.patch |  39 ----
 ...special-dot-prefixed-keyring-name-bug-fix.patch |  49 -----
 ...y.c-fix-error-handling-in-set_mempolicy-a.patch |  72 -------
 ...-fix-overflow-in-check-for-priv-area-size.patch |  35 ----
 ...ket-fix-overflow-in-check-for-tp_frame_nr.patch |  32 ---
 ...cket-fix-overflow-in-check-for-tp_reserve.patch |  28 ---
 ...sd-check-for-oversized-nfsv2-v3-arguments.patch |  99 ---------
 ...icter-decoding-of-write-like-nfsv2-v3-ops.patch |  56 -----
 ...sd4-minor-nfsv2-v3-write-decoding-cleanup.patch |  79 -------
 ...cket-handle-too-big-packets-for-packet_v3.patch |  73 -------
 .../bugfix/all/ping-implement-proper-locking.patch |  49 -----
 ...-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch |  29 ---
 ...-strlcpy-instead-of-strcpy-in-__trace_fin.patch |  35 ----
 .../usb-iowarrior-fix-null-deref-at-probe.patch    |  53 -----
 ...io_ti-fix-information-leak-in-completion-.patch |  31 ---
 ...erial-omninet-fix-reference-leaks-at-open.patch |  35 ----
 ...e-xfrm_msg_newae-incoming-esn-size-harder.patch |  34 ----
 ..._newae-xfrma_replay_esn_val-replay_window.patch |  45 ----
 ...eger-overflow-in-vmw_surface_define_ioctl.patch |  36 ----
 ...r-dereference-in-vmw_surface_define_ioctl.patch |  33 ---
 debian/patches/series                              |  33 ---
 36 files changed, 82 insertions(+), 2380 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 2369a69..435aebe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,23 +1,85 @@
-linux (3.2.88-2) UNRELEASED; urgency=medium
-
-  * tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
-    (CVE-2017-0605)
-  * ipx: call ipxitf_put() in ioctl error path (CVE-2017-7487
-  * nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
-  * nfsd4: minor NFSv2/v3 write decoding cleanup
-  * nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895)
-  * dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890)
-  * USB: serial: io_ti: fix information leak in completion handler
-    (CVE-2017-8924)
-  * USB: serial: omninet: fix reference leaks at open (CVE-2017-8925)
-  * ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074)
-  * ipv6: Check ip6_find_1stfragopt() return value properly.
+linux (3.2.89-1) UNRELEASED; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.89
+    - adm8211: return an error if adm8211_alloc_rings() fails
+    - ath5k: drop bogus warning on drv_set_key with unsupported cipher
+    - RDMA/core: Fix incorrect structure packing for booleans
+    - IB/ipoib: Set device connection mode only when needed
+    - IB/ipoib: Change list_del to list_del_init in the tx object
+    - USB: serial: ch341: fix modem-status handling
+    - USB: serial: ark3116: fix register-accessor error handling
+    - USB: serial: ark3116: fix open error handling
+    - USB: serial: ftdi_sio: fix modem-status error handling
+    - USB: serial: ftdi_sio: fix latency-timer error handling
+    - USB: serial: io_edgeport: fix epic-descriptor handling
+    - USB: serial: io_edgeport: fix descriptor error handling
+    - USB: serial: mct_u232: fix modem-status error handling
+    - USB: serial: ssu100: fix control-message error handling
+    - USB: serial: ti_usb_3410_5052: fix control-message error handling
+    - [x86] staging: rtl: fix possible NULL pointer dereference
+    - mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print
+    - usb: gadget: f_hid: Use spinlock instead of mutex
+    - USB: serial: ftdi_sio: fix extreme low-latency setting
+    - drm/ttm: Make sure BOs being swapped out are cacheable
+    - drm/radeon: handle vfct with multiple vbios images
+    - ext4: trim allocation requests to group size
+    - ext4: use private version of page_zero_new_buffers() for data=journal mode
+    - ext4: fix data corruption in data=journal mode
+    - bcma: use (get|put)_device when probing/removing device driver
+    - USB: serial: digi_acceleport: fix OOB data sanity check
+    - USB: serial: digi_acceleport: fix OOB-event processing
+    - USB: serial: digi_acceleport: fix incomplete rx sanity check
+    - USB: serial: keyspan_pda: fix receive sanity checks
+    - [x86] pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0
+    - jbd2: don't leak modified metadata buffers on an aborted journal
+    - ext4: preserve the needs_recovery flag when the journal is aborted
+    - USB: serial: ftdi_sio: fix line-status over-reporting
+    - USB: serial: mos7840: fix another NULL-deref at open
+    - KEYS: Fix an error code in request_master_key()
+    - [x86] drivers: hv: Turn off write permission on the hypercall page
+    - [armhf/omap] mmc: host: omap_hsmmc: avoid possible overflow of timeout
+      value
+    - md linear: fix a race between linear_add() and linear_congested()
+    - md: ensure md devices are freed before module is unloaded.
+    - nlm: Ensure callback code also checks that the files match
+    - nfsd: update mtime on truncate
+    - nfsd: minor nfsd_setattr cleanup
+    - nfsd: special case truncates some more
+    - NFSv4: Fix the underestimation of delegation XDR space reservation
+    - fuse: add missing FR_FORCE
+    - rdma_cm: fail iwarp accepts w/o connection params
+    - net/dccp: fix use after free in tw_timer_handler()
+    - scsi: aacraid: Fix memory leak in fib init path
+    - scsi: aacraid: Reorder Adapter status check
+    - NFSv4: Fix range checking in __nfs4_get_acl_uncached and
+      __nfs4_proc_set_acl
+    - NFSv4: fix getacl ERANGE for some ACL buffer sizes
+    - net sched actions: decrement module reference count after table flush.
+    - ALSA: timer: Reject user params with too small ticks
+    - ALSA: ctxfi: Fallback DMA mask to 32bit
+    - ALSA: seq: Fix link corruption by event error handling
+    - tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
+      (CVE-2017-0605)
+    - ipx: call ipxitf_put() in ioctl error path (CVE-2017-7487
+    - nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
+    - nfsd4: minor NFSv2/v3 write decoding cleanup
+    - nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895)
+    - dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890)
+    - USB: serial: io_ti: fix information leak in completion handler
+      (CVE-2017-8924)
+    - USB: serial: omninet: fix reference leaks at open (CVE-2017-8925)
+    - ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074)
+    - ipv6: Check ip6_find_1stfragopt() return value properly.
+    - sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075)
+    - ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076,
+      CVE-2017-9077)
+    - ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242)
+
+  [ Ben Hutchings ]
   * ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
   * ipv6: Fix leak in ipv6_gso_segment().
-  * sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075)
-  * ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076,
-    CVE-2017-9077)
-  * ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242)
+  * Ignore ABI changes in IB
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 31 May 2017 11:48:09 +0100
 
diff --git a/debian/config/defines b/debian/config/defines
index ac7a1ba..c140f5b 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -99,6 +99,8 @@ ignore-changes:
  af_alg_*
  module:drivers/net/can/can-dev
  can_rx_register
+# Assume IB drivers are added/updated through OFED, which also updates IB core
+ module:drivers/infiniband/**
 
 [base]
 arches:
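Review bot: The new `module:drivers/infiniband/**` entry silences ABI checking for every in-tree InfiniBand module, but the comment above it records only the assumption (that OFED replaces these drivers and the IB core) and not which upstream change made the exception necessary; presumably one of the RDMA/IB fixes listed in the changelog, such as the RDMA/core structure-packing fix, but that is inferred from the changelog rather than visible here. Without that reference nobody can tell at the next ABI bump whether the entry is still needed or should be dropped, so I would extend the comment to `# Assume IB drivers are added/updated through OFED, which also updates IB core. Needed since the 3.2.89 IB/RDMA changes; drop at the next ABI bump.` The practical consequence of the glob is also worth a sentence: a system keeping IB modules built against the 3.2.88 ABI gets no warning about the mismatch. The ignore-changes list this extends begins before the hunk.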
diff --git a/debian/patches/bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch b/debian/patches/bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch
deleted file mode 100644
index 5d324c7..0000000
--- a/debian/patches/bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch
+++ /dev/null
@@ -1,226 +0,0 @@
-From: Herbert Xu <herbert at gondor.apana.org.au>
-Date: Mon, 10 Apr 2017 17:27:57 +0800
-Subject: crypto: ahash - Fix EINPROGRESS notification callback
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git/commit?id=ef0579b64e93188710d48667cb5e014926af9f1b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7618
-
-The ahash API modifies the request's callback function in order
-to clean up after itself in some corner cases (unaligned final
-and missing finup).
-
-When the request is complete ahash will restore the original
-callback and everything is fine.  However, when the request gets
-an EBUSY on a full queue, an EINPROGRESS callback is made while
-the request is still ongoing.
-
-In this case the ahash API will incorrectly call its own callback.
-
-This patch fixes the problem by creating a temporary request
-object on the stack which is used to relay EINPROGRESS back to
-the original completion function.
-
-This patch also adds code to preserve the original flags value.
-
-Fixes: ab6bf4e5e5e4 ("crypto: hash - Fix the pointer voodoo in...")
-Cc: <stable at vger.kernel.org>
-Reported-by: Sabrina Dubroca <sd at queasysnail.net>
-Tested-by: Sabrina Dubroca <sd at queasysnail.net>
-Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
----
- crypto/ahash.c                 | 79 ++++++++++++++++++++++++++----------------
- include/crypto/internal/hash.h | 10 ++++++
- 2 files changed, 60 insertions(+), 29 deletions(-)
-
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -30,6 +30,7 @@ struct ahash_request_priv {
- 	crypto_completion_t complete;
- 	void *data;
- 	u8 *result;
-+	u32 flags;
- 	void *ubuf[] CRYPTO_MINALIGN_ATTR;
- };
- 
-@@ -232,6 +233,8 @@ static int ahash_save_req(struct ahash_r
- 	priv->result = req->result;
- 	priv->complete = req->base.complete;
- 	priv->data = req->base.data;
-+	priv->flags = req->base.flags;
-+
- 	/*
- 	 * WARNING: We do not backup req->priv here! The req->priv
- 	 *          is for internal use of the Crypto API and the
-@@ -246,38 +249,44 @@ static int ahash_save_req(struct ahash_r
- 	return 0;
- }
- 
--static void ahash_restore_req(struct ahash_request *req)
-+static void ahash_restore_req(struct ahash_request *req, int err)
- {
- 	struct ahash_request_priv *priv = req->priv;
- 
-+	if (!err)
-+		memcpy(priv->result, req->result,
-+		       crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
-+
- 	/* Restore the original crypto request. */
- 	req->result = priv->result;
--	req->base.complete = priv->complete;
--	req->base.data = priv->data;
-+
-+	ahash_request_set_callback(req, priv->flags,
-+				   priv->complete, priv->data);
- 	req->priv = NULL;
- 
- 	/* Free the req->priv.priv from the ADJUSTED request. */
- 	kzfree(priv);
- }
- 
--static void ahash_op_unaligned_finish(struct ahash_request *req, int err)
-+static void ahash_notify_einprogress(struct ahash_request *req)
- {
- 	struct ahash_request_priv *priv = req->priv;
-+	struct crypto_async_request oreq;
- 
--	if (err == -EINPROGRESS)
--		return;
--
--	if (!err)
--		memcpy(priv->result, req->result,
--		       crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
-+	oreq.data = priv->data;
- 
--	ahash_restore_req(req);
-+	priv->complete(&oreq, -EINPROGRESS);
- }
- 
- static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
- {
- 	struct ahash_request *areq = req->data;
- 
-+	if (err == -EINPROGRESS) {
-+		ahash_notify_einprogress(areq);
-+		return;
-+	}
-+
- 	/*
- 	 * Restore the original request, see ahash_op_unaligned() for what
- 	 * goes where.
-@@ -288,7 +297,7 @@ static void ahash_op_unaligned_done(stru
- 	 */
- 
- 	/* First copy req->result into req->priv.result */
--	ahash_op_unaligned_finish(areq, err);
-+	ahash_restore_req(areq, err);
- 
- 	/* Complete the ORIGINAL request. */
- 	areq->base.complete(&areq->base, err);
-@@ -304,7 +313,12 @@ static int ahash_op_unaligned(struct aha
- 		return err;
- 
- 	err = op(req);
--	ahash_op_unaligned_finish(req, err);
-+	if (err == -EINPROGRESS ||
-+	    (err == -EBUSY && (ahash_request_flags(req) &
-+			       CRYPTO_TFM_REQ_MAY_BACKLOG)))
-+		return err;
-+
-+	ahash_restore_req(req, err);
- 
- 	return err;
- }
-@@ -339,25 +353,14 @@ int crypto_ahash_digest(struct ahash_req
- }
- EXPORT_SYMBOL_GPL(crypto_ahash_digest);
- 
--static void ahash_def_finup_finish2(struct ahash_request *req, int err)
-+static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
- {
--	struct ahash_request_priv *priv = req->priv;
-+	struct ahash_request *areq = req->data;
- 
- 	if (err == -EINPROGRESS)
- 		return;
- 
--	if (!err)
--		memcpy(priv->result, req->result,
--		       crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
--
--	ahash_restore_req(req);
--}
--
--static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
--{
--	struct ahash_request *areq = req->data;
--
--	ahash_def_finup_finish2(areq, err);
-+	ahash_restore_req(areq, err);
- 
- 	areq->base.complete(&areq->base, err);
- }
-@@ -368,11 +371,15 @@ static int ahash_def_finup_finish1(struc
- 		goto out;
- 
- 	req->base.complete = ahash_def_finup_done2;
--	req->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
-+
- 	err = crypto_ahash_reqtfm(req)->final(req);
-+	if (err == -EINPROGRESS ||
-+	    (err == -EBUSY && (ahash_request_flags(req) &
-+			       CRYPTO_TFM_REQ_MAY_BACKLOG)))
-+		return err;
- 
- out:
--	ahash_def_finup_finish2(req, err);
-+	ahash_restore_req(req, err);
- 	return err;
- }
- 
-@@ -380,7 +387,16 @@ static void ahash_def_finup_done1(struct
- {
- 	struct ahash_request *areq = req->data;
- 
-+	if (err == -EINPROGRESS) {
-+		ahash_notify_einprogress(areq);
-+		return;
-+	}
-+
-+	areq->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
-+
- 	err = ahash_def_finup_finish1(areq, err);
-+	if (areq->priv)
-+		return;
- 
- 	areq->base.complete(&areq->base, err);
- }
-@@ -395,6 +411,11 @@ static int ahash_def_finup(struct ahash_
- 		return err;
- 
- 	err = tfm->update(req);
-+	if (err == -EINPROGRESS ||
-+	    (err == -EBUSY && (ahash_request_flags(req) &
-+			       CRYPTO_TFM_REQ_MAY_BACKLOG)))
-+		return err;
-+
- 	return ahash_def_finup_finish1(req, err);
- }
- 
---- a/include/crypto/internal/hash.h
-+++ b/include/crypto/internal/hash.h
-@@ -149,6 +149,16 @@ static inline struct ahash_instance *aha
- 	return crypto_alloc_instance2(name, alg, ahash_instance_headroom());
- }
- 
-+static inline void ahash_request_complete(struct ahash_request *req, int err)
-+{
-+	req->base.complete(&req->base, err);
-+}
-+
-+static inline u32 ahash_request_flags(struct ahash_request *req)
-+{
-+	return req->base.flags;
-+}
-+
- static inline struct crypto_ahash *crypto_spawn_ahash(
- 	struct crypto_ahash_spawn *spawn)
- {
diff --git a/debian/patches/bugfix/all/crypto-ahash-fully-restore-ahash-request-before-comp.patch b/debian/patches/bugfix/all/crypto-ahash-fully-restore-ahash-request-before-comp.patch
deleted file mode 100644
index dbac0bd..0000000
--- a/debian/patches/bugfix/all/crypto-ahash-fully-restore-ahash-request-before-comp.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Marek Vasut <marex at denx.de>
-Date: Tue, 10 Dec 2013 20:26:19 +0100
-Subject: crypto: ahash - Fully restore ahash request before completing
-Origin: https://git.kernel.org/linus/1d9a394b97b833d3ab37f49caf12d0be3c88050b
-
-When finishing the ahash request, the ahash_op_unaligned_done() will
-call complete() on the request. Yet, this will not call the correct
-complete callback. The correct complete callback was previously stored
-in the requests' private data, as seen in ahash_op_unaligned(). This
-patch restores the correct complete callback and .data field of the
-request before calling complete() on it.
-
-Signed-off-by: Marek Vasut <marex at denx.de>
-Cc: David S. Miller <davem at davemloft.net>
-Cc: Fabio Estevam <fabio.estevam at freescale.com>
-Cc: Shawn Guo <shawn.guo at linaro.org>
-Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
----
- crypto/ahash.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -214,7 +214,10 @@ static void ahash_op_unaligned_done(stru
- 
- 	ahash_op_unaligned_finish(areq, err);
- 
--	complete(data, err);
-+	areq->base.complete = complete;
-+	areq->base.data = data;
-+
-+	complete(&areq->base, err);
- }
- 
- static int ahash_op_unaligned(struct ahash_request *req,
diff --git a/debian/patches/bugfix/all/crypto-hash-Fix-the-pointer-voodoo-in-unaligned-ahas.patch b/debian/patches/bugfix/all/crypto-hash-Fix-the-pointer-voodoo-in-unaligned-ahas.patch
deleted file mode 100644
index 69bfa93..0000000
--- a/debian/patches/bugfix/all/crypto-hash-Fix-the-pointer-voodoo-in-unaligned-ahas.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From: Marek Vasut <marex at denx.de>
-Date: Fri, 14 Mar 2014 02:37:04 +0100
-Subject: crypto: hash - Fix the pointer voodoo in unaligned ahash
-Origin: https://git.kernel.org/linus/ab6bf4e5e5e4298e8649e635bee25542cccbfd97
-
-Add documentation for the pointer voodoo that is happening in crypto/ahash.c
-in ahash_op_unaligned(). This code is quite confusing, so add a beefy chunk
-of documentation.
-
-Moreover, make sure the mangled request is completely restored after finishing
-this unaligned operation. This means restoring all of .result, .base.data
-and .base.complete .
-
-Also, remove the crypto_completion_t complete = ... line present in the
-ahash_op_unaligned_done() function. This type actually declares a function
-pointer, which is very confusing.
-
-Finally, yet very important nonetheless, make sure the req->priv is free()'d
-only after the original request is restored in ahash_op_unaligned_done().
-The req->priv data must not be free()'d before that in ahash_op_unaligned_finish(),
-since we would be accessing previously free()'d data in ahash_op_unaligned_done()
-and cause corruption.
-
-Signed-off-by: Marek Vasut <marex at denx.de>
-Cc: David S. Miller <davem at davemloft.net>
-Cc: Fabio Estevam <fabio.estevam at freescale.com>
-Cc: Herbert Xu <herbert at gondor.apana.org.au>
-Cc: Shawn Guo <shawn.guo at linaro.org>
-Cc: Tom Lendacky <thomas.lendacky at amd.com>
-Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
----
- crypto/ahash.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 49 insertions(+), 7 deletions(-)
-
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -202,22 +202,34 @@ static void ahash_op_unaligned_finish(st
- 		memcpy(priv->result, req->result,
- 		       crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
- 
-+	/* Restore the original crypto request. */
-+	req->result = priv->result;
-+	req->base.complete = priv->complete;
-+	req->base.data = priv->data;
-+	req->priv = NULL;
-+
-+	/* Free the req->priv.priv from the ADJUSTED request. */
- 	kzfree(priv);
- }
- 
- static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
- {
- 	struct ahash_request *areq = req->data;
--	struct ahash_request_priv *priv = areq->priv;
--	crypto_completion_t complete = priv->complete;
--	void *data = priv->data;
- 
--	ahash_op_unaligned_finish(areq, err);
-+	/*
-+	 * Restore the original request, see ahash_op_unaligned() for what
-+	 * goes where.
-+	 *
-+	 * The "struct ahash_request *req" here is in fact the "req.base"
-+	 * from the ADJUSTED request from ahash_op_unaligned(), thus as it
-+	 * is a pointer to self, it is also the ADJUSTED "req" .
-+	 */
- 
--	areq->base.complete = complete;
--	areq->base.data = data;
-+	/* First copy areq->result into areq->priv.result */
-+	ahash_op_unaligned_finish(areq, err);
- 
--	complete(&areq->base, err);
-+	/* Complete the ORIGINAL request. */
-+	areq->base.complete(&areq->base, err);
- }
- 
- static int ahash_op_unaligned(struct ahash_request *req,
-@@ -235,9 +247,39 @@ static int ahash_op_unaligned(struct aha
- 	if (!priv)
- 		return -ENOMEM;
- 
-+	/*
-+	 * WARNING: Voodoo programming below!
-+	 *
-+	 * The code below is obscure and hard to understand, thus explanation
-+	 * is necessary. See include/crypto/hash.h and include/linux/crypto.h
-+	 * to understand the layout of structures used here!
-+	 *
-+	 * The code here will replace portions of the ORIGINAL request with
-+	 * pointers to new code and buffers so the hashing operation can store
-+	 * the result in aligned buffer. We will call the modified request
-+	 * an ADJUSTED request.
-+	 *
-+	 * The newly mangled request will look as such:
-+	 *
-+	 * req {
-+	 *   .result        = ADJUSTED[new aligned buffer]
-+	 *   .base.complete = ADJUSTED[pointer to completion function]
-+	 *   .base.data     = ADJUSTED[*req (pointer to self)]
-+	 *   .priv          = ADJUSTED[new priv] {
-+	 *           .result   = ORIGINAL(result)
-+	 *           .complete = ORIGINAL(base.complete)
-+	 *           .data     = ORIGINAL(base.data)
-+	 *   }
-+	 */
-+
- 	priv->result = req->result;
- 	priv->complete = req->base.complete;
- 	priv->data = req->base.data;
-+	/*
-+	 * WARNING: We do not backup req->priv here! The req->priv
-+	 *          is for internal use of the Crypto API and the
-+	 *          user must _NOT_ _EVER_ depend on it's content!
-+	 */
- 
- 	req->result = PTR_ALIGN((u8 *)priv->ubuf, alignmask + 1);
- 	req->base.complete = ahash_op_unaligned_done;
diff --git a/debian/patches/bugfix/all/crypto-hash-pull-out-the-functions-to-save-restore-r.patch b/debian/patches/bugfix/all/crypto-hash-pull-out-the-functions-to-save-restore-r.patch
deleted file mode 100644
index 81bb8d2..0000000
--- a/debian/patches/bugfix/all/crypto-hash-pull-out-the-functions-to-save-restore-r.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-From: Marek Vasut <marex at denx.de>
-Date: Fri, 14 Mar 2014 02:37:05 +0100
-Subject: crypto: hash - Pull out the functions to save/restore request
-Origin: https://git.kernel.org/linus/1ffc9fbd1e5071948b6d48f9a27d845738ee890f
-
-The functions to save original request within a newly adjusted request
-and it's counterpart to restore the original request can be re-used by
-more code in the crypto/ahash.c file. Pull these functions out from the
-code so they're available.
-
-Signed-off-by: Marek Vasut <marex at denx.de>
-Cc: David S. Miller <davem at davemloft.net>
-Cc: Fabio Estevam <fabio.estevam at freescale.com>
-Cc: Herbert Xu <herbert at gondor.apana.org.au>
-Cc: Shawn Guo <shawn.guo at linaro.org>
-Cc: Tom Lendacky <thomas.lendacky at amd.com>
-Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
----
- crypto/ahash.c | 107 +++++++++++++++++++++++++++++++++------------------------
- 1 file changed, 62 insertions(+), 45 deletions(-)
-
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -191,55 +191,12 @@ static inline unsigned int ahash_align_b
- 	return len + (mask & ~(crypto_tfm_ctx_alignment() - 1));
- }
- 
--static void ahash_op_unaligned_finish(struct ahash_request *req, int err)
--{
--	struct ahash_request_priv *priv = req->priv;
--
--	if (err == -EINPROGRESS)
--		return;
--
--	if (!err)
--		memcpy(priv->result, req->result,
--		       crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
--
--	/* Restore the original crypto request. */
--	req->result = priv->result;
--	req->base.complete = priv->complete;
--	req->base.data = priv->data;
--	req->priv = NULL;
--
--	/* Free the req->priv.priv from the ADJUSTED request. */
--	kzfree(priv);
--}
--
--static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
--{
--	struct ahash_request *areq = req->data;
--
--	/*
--	 * Restore the original request, see ahash_op_unaligned() for what
--	 * goes where.
--	 *
--	 * The "struct ahash_request *req" here is in fact the "req.base"
--	 * from the ADJUSTED request from ahash_op_unaligned(), thus as it
--	 * is a pointer to self, it is also the ADJUSTED "req" .
--	 */
--
--	/* First copy areq->result into areq->priv.result */
--	ahash_op_unaligned_finish(areq, err);
--
--	/* Complete the ORIGINAL request. */
--	areq->base.complete(&areq->base, err);
--}
--
--static int ahash_op_unaligned(struct ahash_request *req,
--			      int (*op)(struct ahash_request *))
-+static int ahash_save_req(struct ahash_request *req, crypto_completion_t cplt)
- {
- 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
- 	unsigned long alignmask = crypto_ahash_alignmask(tfm);
- 	unsigned int ds = crypto_ahash_digestsize(tfm);
- 	struct ahash_request_priv *priv;
--	int err;
- 
- 	priv = kmalloc(sizeof(*priv) + ahash_align_buffer_size(ds, alignmask),
- 		       (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ?
-@@ -282,10 +239,70 @@ static int ahash_op_unaligned(struct aha
- 	 */
- 
- 	req->result = PTR_ALIGN((u8 *)priv->ubuf, alignmask + 1);
--	req->base.complete = ahash_op_unaligned_done;
-+	req->base.complete = cplt;
- 	req->base.data = req;
- 	req->priv = priv;
- 
-+	return 0;
-+}
-+
-+static void ahash_restore_req(struct ahash_request *req)
-+{
-+	struct ahash_request_priv *priv = req->priv;
-+
-+	/* Restore the original crypto request. */
-+	req->result = priv->result;
-+	req->base.complete = priv->complete;
-+	req->base.data = priv->data;
-+	req->priv = NULL;
-+
-+	/* Free the req->priv.priv from the ADJUSTED request. */
-+	kzfree(priv);
-+}
-+
-+static void ahash_op_unaligned_finish(struct ahash_request *req, int err)
-+{
-+	struct ahash_request_priv *priv = req->priv;
-+
-+	if (err == -EINPROGRESS)
-+		return;
-+
-+	if (!err)
-+		memcpy(priv->result, req->result,
-+		       crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
-+
-+	ahash_restore_req(req);
-+}
-+
-+static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
-+{
-+	struct ahash_request *areq = req->data;
-+
-+	/*
-+	 * Restore the original request, see ahash_op_unaligned() for what
-+	 * goes where.
-+	 *
-+	 * The "struct ahash_request *req" here is in fact the "req.base"
-+	 * from the ADJUSTED request from ahash_op_unaligned(), thus as it
-+	 * is a pointer to self, it is also the ADJUSTED "req" .
-+	 */
-+
-+	/* First copy req->result into req->priv.result */
-+	ahash_op_unaligned_finish(areq, err);
-+
-+	/* Complete the ORIGINAL request. */
-+	areq->base.complete(&areq->base, err);
-+}
-+
-+static int ahash_op_unaligned(struct ahash_request *req,
-+			      int (*op)(struct ahash_request *))
-+{
-+	int err;
-+
-+	err = ahash_save_req(req, ahash_op_unaligned_done);
-+	if (err)
-+		return err;
-+
- 	err = op(req);
- 	ahash_op_unaligned_finish(req, err);
- 
diff --git a/debian/patches/bugfix/all/crypto-hash-simplify-the-ahash_finup-implementation.patch b/debian/patches/bugfix/all/crypto-hash-simplify-the-ahash_finup-implementation.patch
deleted file mode 100644
index fd65c03..0000000
--- a/debian/patches/bugfix/all/crypto-hash-simplify-the-ahash_finup-implementation.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From: Marek Vasut <marex at denx.de>
-Date: Fri, 14 Mar 2014 02:37:06 +0100
-Subject: crypto: hash - Simplify the ahash_finup implementation
-Origin: https://git.kernel.org/linus/d4a7a0fbe959e12bdd071b79b50ed34853a6db8f
-
-The ahash_def_finup() can make use of the request save/restore functions,
-thus make it so. This simplifies the code a little and unifies the code
-paths.
-
-Note that the same remark about free()ing the req->priv applies here, the
-req->priv can only be free()'d after the original request was restored.
-
-Finally, squash a bug in the invocation of completion in the ASYNC path.
-In both ahash_def_finup_done{1,2}, the function areq->base.complete(X, err);
-was called with X=areq->base.data . This is incorrect , as X=&areq->base
-is the correct value. By analysis of the data structures, we see the areq is
-of type 'struct ahash_request' , areq->base is of type 'struct crypto_async_request'
-and areq->base.completion is of type crypto_completion_t, which is defined in
-include/linux/crypto.h as:
-
-  typedef void (*crypto_completion_t)(struct crypto_async_request *req, int err);
-
-This is one lead that the X should be &areq->base . Next up, we can inspect
-other code which calls the completion callback to give us kind-of statistical
-idea of how this callback is used. We can try:
-
-  $ git grep base\.complete\( drivers/crypto/
-
-Finally, by inspecting ahash_request_set_callback() implementation defined
-in include/crypto/hash.h , we observe that the .data entry of 'struct
-crypto_async_request' is intended for arbitrary data, not for completion
-argument.
-
-Signed-off-by: Marek Vasut <marex at denx.de>
-Cc: David S. Miller <davem at davemloft.net>
-Cc: Fabio Estevam <fabio.estevam at freescale.com>
-Cc: Herbert Xu <herbert at gondor.apana.org.au>
-Cc: Shawn Guo <shawn.guo at linaro.org>
-Cc: Tom Lendacky <thomas.lendacky at amd.com>
-Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
----
- crypto/ahash.c | 36 +++++++++---------------------------
- 1 file changed, 9 insertions(+), 27 deletions(-)
-
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -350,19 +350,16 @@ static void ahash_def_finup_finish2(stru
- 		memcpy(priv->result, req->result,
- 		       crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
- 
--	kzfree(priv);
-+	ahash_restore_req(req);
- }
- 
- static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
- {
- 	struct ahash_request *areq = req->data;
--	struct ahash_request_priv *priv = areq->priv;
--	crypto_completion_t complete = priv->complete;
--	void *data = priv->data;
- 
- 	ahash_def_finup_finish2(areq, err);
- 
--	complete(data, err);
-+	areq->base.complete(&areq->base, err);
- }
- 
- static int ahash_def_finup_finish1(struct ahash_request *req, int err)
-@@ -382,38 +379,23 @@ out:
- static void ahash_def_finup_done1(struct crypto_async_request *req, int err)
- {
- 	struct ahash_request *areq = req->data;
--	struct ahash_request_priv *priv = areq->priv;
--	crypto_completion_t complete = priv->complete;
--	void *data = priv->data;
- 
- 	err = ahash_def_finup_finish1(areq, err);
- 
--	complete(data, err);
-+	areq->base.complete(&areq->base, err);
- }
- 
- static int ahash_def_finup(struct ahash_request *req)
- {
- 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
--	unsigned long alignmask = crypto_ahash_alignmask(tfm);
--	unsigned int ds = crypto_ahash_digestsize(tfm);
--	struct ahash_request_priv *priv;
--
--	priv = kmalloc(sizeof(*priv) + ahash_align_buffer_size(ds, alignmask),
--		       (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ?
--		       GFP_KERNEL : GFP_ATOMIC);
--	if (!priv)
--		return -ENOMEM;
--
--	priv->result = req->result;
--	priv->complete = req->base.complete;
--	priv->data = req->base.data;
--
--	req->result = PTR_ALIGN((u8 *)priv->ubuf, alignmask + 1);
--	req->base.complete = ahash_def_finup_done1;
--	req->base.data = req;
--	req->priv = priv;
-+	int err;
- 
--	return ahash_def_finup_finish1(req, tfm->update(req));
-+	err = ahash_save_req(req, ahash_def_finup_done1);
-+	if (err)
-+		return err;
-+
-+	err = tfm->update(req);
-+	return ahash_def_finup_finish1(req, err);
- }
- 
- static int ahash_no_export(struct ahash_request *req, void *out)
diff --git a/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch b/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
deleted file mode 100644
index 65b151e..0000000
--- a/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Tue, 9 May 2017 06:29:19 -0700
-Subject: dccp/tcp: do not inherit mc_list from parent
-Origin: https://git.kernel.org/linus/657831ffc38e30092a2d5f03d385d710eb88b09a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8890
-
-syzkaller found a way to trigger double frees from ip_mc_drop_socket()
-
-It turns out that leave a copy of parent mc_list at accept() time,
-which is very bad.
-
-Very similar to commit 8b485ce69876 ("tcp: do not inherit
-fastopen_req from parent")
-
-Initial report from Pray3r, completed by Andrey one.
-Thanks a lot to them !
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Pray3r <pray3r.z at gmail.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust context]
----
- net/ipv4/inet_connection_sock.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/ipv4/inet_connection_sock.c
-+++ b/net/ipv4/inet_connection_sock.c
-@@ -604,6 +604,8 @@ struct sock *inet_csk_clone(struct sock
- 		inet_sk(newsk)->inet_sport = inet_rsk(req)->loc_port;
- 		newsk->sk_write_space = sk_stream_write_space;
- 
-+		inet_sk(newsk)->mc_list = NULL;
-+
- 		newicsk->icsk_retransmits = 0;
- 		newicsk->icsk_backoff	  = 0;
- 		newicsk->icsk_probes_out  = 0;
diff --git a/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch b/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
deleted file mode 100644
index 9a1f54d..0000000
--- a/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From: "David S. Miller" <davem at davemloft.net>
-Date: Wed, 17 May 2017 22:54:11 -0400
-Subject: ipv6: Check ip6_find_1stfragopt() return value properly.
-Origin: https://git.kernel.org/linus/7dd7eb9513bd02184d45f000ab69d78cb1fa1531
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
-
-Do not use unsigned variables to see if it returns a negative
-error or not.
-
-Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
-Reported-by: Julia Lawall <julia.lawall at lip6.fr>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust filenames, context]
----
---- a/net/ipv6/af_inet6.c
-+++ b/net/ipv6/af_inet6.c
-@@ -785,7 +785,6 @@ static struct sk_buff *ipv6_gso_segment(
- 	const struct inet6_protocol *ops;
- 	int proto;
- 	struct frag_hdr *fptr;
--	unsigned int unfrag_ip6hlen;
- 	u8 *prevhdr;
- 	int offset = 0;
- 
-@@ -824,11 +823,11 @@ static struct sk_buff *ipv6_gso_segment(
- 		ipv6h->payload_len = htons(skb->len - skb->mac_len -
- 					   sizeof(*ipv6h));
- 		if (proto == IPPROTO_UDP) {
--			unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
--			if (unfrag_ip6hlen < 0)
--				return ERR_PTR(unfrag_ip6hlen);
-+			int err = ip6_find_1stfragopt(skb, &prevhdr);
-+			if (err < 0)
-+				return ERR_PTR(err);
- 			fptr = (struct frag_hdr *)(skb_network_header(skb) +
--				unfrag_ip6hlen);
-+				err);
- 			fptr->frag_off = htons(offset);
- 			if (skb->next != NULL)
- 				fptr->frag_off |= htons(IP6_MF);
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -631,11 +631,10 @@ int ip6_fragment(struct sk_buff *skb, in
- 	u8 *prevhdr, nexthdr = 0;
- 	struct net *net = dev_net(skb_dst(skb)->dev);
- 
--	hlen = ip6_find_1stfragopt(skb, &prevhdr);
--	if (hlen < 0) {
--		err = hlen;
-+	err = ip6_find_1stfragopt(skb, &prevhdr);
-+	if (err < 0)
- 		goto fail;
--	}
-+	hlen = err;
- 	nexthdr = *prevhdr;
- 
- 	mtu = ip6_skb_dst_mtu(skb);
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -1316,6 +1316,7 @@ static struct sk_buff *udp6_ufo_fragment
- 	u8 frag_hdr_sz = sizeof(struct frag_hdr);
- 	int offset;
- 	__wsum csum;
-+	int err;
- 
- 	mss = skb_shinfo(skb)->gso_size;
- 	if (unlikely(skb->len <= mss))
-@@ -1352,9 +1353,10 @@ static struct sk_buff *udp6_ufo_fragment
- 	/* Find the unfragmentable header and shift it left by frag_hdr_sz
- 	 * bytes to insert fragment header.
- 	 */
--	unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
--	if (unfrag_ip6hlen < 0)
--		return ERR_PTR(unfrag_ip6hlen);
-+	err = ip6_find_1stfragopt(skb, &prevhdr);
-+	if (err < 0)
-+		return ERR_PTR(err);
-+	unfrag_ip6hlen = err;
- 	nexthdr = *prevhdr;
- 	*prevhdr = NEXTHDR_FRAGMENT;
- 	unfrag_len = skb_network_header(skb) - skb_mac_header(skb) +
diff --git a/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch b/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
deleted file mode 100644
index 01c6a47..0000000
--- a/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From: WANG Cong <xiyou.wangcong at gmail.com>
-Date: Tue, 9 May 2017 16:59:54 -0700
-Subject: ipv6/dccp: do not inherit ipv6_mc_list from parent
-Origin: https://git.kernel.org/linus/83eaddab4378db256d00d295bda6ca997cd13a52
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9076
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9077
-
-Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
-we should clear ipv6_mc_list etc. for IPv6 sockets too.
-
-Cc: Eric Dumazet <edumazet at google.com>
-Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust context]
----
- net/dccp/ipv6.c     | 6 ++++++
- net/ipv6/tcp_ipv6.c | 2 ++
- 2 files changed, 8 insertions(+)
-
---- a/net/dccp/ipv6.c
-+++ b/net/dccp/ipv6.c
-@@ -499,6 +499,9 @@ static struct sock *dccp_v6_request_recv
- 		newsk->sk_backlog_rcv = dccp_v4_do_rcv;
- 		newnp->pktoptions  = NULL;
- 		newnp->opt	   = NULL;
-+		newnp->ipv6_mc_list = NULL;
-+		newnp->ipv6_ac_list = NULL;
-+		newnp->ipv6_fl_list = NULL;
- 		newnp->mcast_oif   = inet6_iif(skb);
- 		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
- 
-@@ -574,6 +577,9 @@ static struct sock *dccp_v6_request_recv
- 	/* Clone RX bits */
- 	newnp->rxopt.all = np->rxopt.all;
- 
-+	newnp->ipv6_mc_list = NULL;
-+	newnp->ipv6_ac_list = NULL;
-+	newnp->ipv6_fl_list = NULL;
- 	/* Clone pktoptions received with SYN */
- 	newnp->pktoptions = NULL;
- 	if (ireq6->pktopts != NULL) {
---- a/net/ipv6/tcp_ipv6.c
-+++ b/net/ipv6/tcp_ipv6.c
-@@ -1386,6 +1386,7 @@ static struct sock * tcp_v6_syn_recv_soc
- 		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
- #endif
- 
-+		newnp->ipv6_mc_list = NULL;
- 		newnp->ipv6_ac_list = NULL;
- 		newnp->ipv6_fl_list = NULL;
- 		newnp->pktoptions  = NULL;
-@@ -1451,6 +1452,7 @@ static struct sock * tcp_v6_syn_recv_soc
- 	   First: no IPv4 options.
- 	 */
- 	newinet->inet_opt = NULL;
-+	newnp->ipv6_mc_list = NULL;
- 	newnp->ipv6_ac_list = NULL;
- 	newnp->ipv6_fl_list = NULL;
- 
diff --git a/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch b/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
deleted file mode 100644
index 5ef51f4..0000000
--- a/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Fri, 19 May 2017 14:17:48 -0700
-Subject: ipv6: fix out of bound writes in __ip6_append_data()
-Origin: https://git.kernel.org/linus/232cd35d0804cc241eb887bb8d4d9b3b9881c64a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9242
-
-Andrey Konovalov and idaifish at gmail.com reported crashes caused by
-one skb shared_info being overwritten from __ip6_append_data()
-
-Andrey program lead to following state :
-
-copy -4200 datalen 2000 fraglen 2040
-maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200
-
-The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen,
-fraggap, 0); is overwriting skb->head and skb_shared_info
-
-Since we apparently detect this rare condition too late, move the
-code earlier to even avoid allocating skb and risking crashes.
-
-Once again, many thanks to Andrey and syzkaller team.
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Reported-by: <idaifish at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/ip6_output.c | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -1416,6 +1416,11 @@ alloc_new_skb:
- 			 */
- 			alloclen += sizeof(struct frag_hdr);
- 
-+			copy = datalen - transhdrlen - fraggap;
-+			if (copy < 0) {
-+				err = -EINVAL;
-+				goto error;
-+			}
- 			if (transhdrlen) {
- 				skb = sock_alloc_send_skb(sk,
- 						alloclen + hh_len,
-@@ -1467,13 +1472,9 @@ alloc_new_skb:
- 				data += fraggap;
- 				pskb_trim_unique(skb_prev, maxfraglen);
- 			}
--			copy = datalen - transhdrlen - fraggap;
--
--			if (copy < 0) {
--				err = -EINVAL;
--				kfree_skb(skb);
--				goto error;
--			} else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
-+			if (copy > 0 &&
-+			    getfrag(from, data + transhdrlen, offset,
-+				    copy, fraggap, skb) < 0) {
- 				err = -EFAULT;
- 				kfree_skb(skb);
- 				goto error;
diff --git a/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch b/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
deleted file mode 100644
index 3e7a96a..0000000
--- a/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
+++ /dev/null
@@ -1,214 +0,0 @@
-From: Craig Gallek <kraig at google.com>
-Date: Tue, 16 May 2017 14:36:23 -0400
-Subject: ipv6: Prevent overrun when parsing v6 header options
-Origin: https://git.kernel.org/linus/2423496af35d94a87156b063ea5cedffc10a70a1
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
-
-The KASAN warning repoted below was discovered with a syzkaller
-program.  The reproducer is basically:
-  int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP);
-  send(s, &one_byte_of_data, 1, MSG_MORE);
-  send(s, &more_than_mtu_bytes_data, 2000, 0);
-
-The socket() call sets the nexthdr field of the v6 header to
-NEXTHDR_HOP, the first send call primes the payload with a non zero
-byte of data, and the second send call triggers the fragmentation path.
-
-The fragmentation code tries to parse the header options in order
-to figure out where to insert the fragment option.  Since nexthdr points
-to an invalid option, the calculation of the size of the network header
-can made to be much larger than the linear section of the skb and data
-is read outside of it.
-
-This fix makes ip6_find_1stfrag return an error if it detects
-running out-of-bounds.
-
-[   42.361487] ==================================================================
-[   42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730
-[   42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789
-[   42.366469]
-[   42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41
-[   42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
-[   42.368824] Call Trace:
-[   42.369183]  dump_stack+0xb3/0x10b
-[   42.369664]  print_address_description+0x73/0x290
-[   42.370325]  kasan_report+0x252/0x370
-[   42.370839]  ? ip6_fragment+0x11c8/0x3730
-[   42.371396]  check_memory_region+0x13c/0x1a0
-[   42.371978]  memcpy+0x23/0x50
-[   42.372395]  ip6_fragment+0x11c8/0x3730
-[   42.372920]  ? nf_ct_expect_unregister_notifier+0x110/0x110
-[   42.373681]  ? ip6_copy_metadata+0x7f0/0x7f0
-[   42.374263]  ? ip6_forward+0x2e30/0x2e30
-[   42.374803]  ip6_finish_output+0x584/0x990
-[   42.375350]  ip6_output+0x1b7/0x690
-[   42.375836]  ? ip6_finish_output+0x990/0x990
-[   42.376411]  ? ip6_fragment+0x3730/0x3730
-[   42.376968]  ip6_local_out+0x95/0x160
-[   42.377471]  ip6_send_skb+0xa1/0x330
-[   42.377969]  ip6_push_pending_frames+0xb3/0xe0
-[   42.378589]  rawv6_sendmsg+0x2051/0x2db0
-[   42.379129]  ? rawv6_bind+0x8b0/0x8b0
-[   42.379633]  ? _copy_from_user+0x84/0xe0
-[   42.380193]  ? debug_check_no_locks_freed+0x290/0x290
-[   42.380878]  ? ___sys_sendmsg+0x162/0x930
-[   42.381427]  ? rcu_read_lock_sched_held+0xa3/0x120
-[   42.382074]  ? sock_has_perm+0x1f6/0x290
-[   42.382614]  ? ___sys_sendmsg+0x167/0x930
-[   42.383173]  ? lock_downgrade+0x660/0x660
-[   42.383727]  inet_sendmsg+0x123/0x500
-[   42.384226]  ? inet_sendmsg+0x123/0x500
-[   42.384748]  ? inet_recvmsg+0x540/0x540
-[   42.385263]  sock_sendmsg+0xca/0x110
-[   42.385758]  SYSC_sendto+0x217/0x380
-[   42.386249]  ? SYSC_connect+0x310/0x310
-[   42.386783]  ? __might_fault+0x110/0x1d0
-[   42.387324]  ? lock_downgrade+0x660/0x660
-[   42.387880]  ? __fget_light+0xa1/0x1f0
-[   42.388403]  ? __fdget+0x18/0x20
-[   42.388851]  ? sock_common_setsockopt+0x95/0xd0
-[   42.389472]  ? SyS_setsockopt+0x17f/0x260
-[   42.390021]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
-[   42.390650]  SyS_sendto+0x40/0x50
-[   42.391103]  entry_SYSCALL_64_fastpath+0x1f/0xbe
-[   42.391731] RIP: 0033:0x7fbbb711e383
-[   42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
-[   42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383
-[   42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003
-[   42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018
-[   42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad
-[   42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00
-[   42.397257]
-[   42.397411] Allocated by task 3789:
-[   42.397702]  save_stack_trace+0x16/0x20
-[   42.398005]  save_stack+0x46/0xd0
-[   42.398267]  kasan_kmalloc+0xad/0xe0
-[   42.398548]  kasan_slab_alloc+0x12/0x20
-[   42.398848]  __kmalloc_node_track_caller+0xcb/0x380
-[   42.399224]  __kmalloc_reserve.isra.32+0x41/0xe0
-[   42.399654]  __alloc_skb+0xf8/0x580
-[   42.400003]  sock_wmalloc+0xab/0xf0
-[   42.400346]  __ip6_append_data.isra.41+0x2472/0x33d0
-[   42.400813]  ip6_append_data+0x1a8/0x2f0
-[   42.401122]  rawv6_sendmsg+0x11ee/0x2db0
-[   42.401505]  inet_sendmsg+0x123/0x500
-[   42.401860]  sock_sendmsg+0xca/0x110
-[   42.402209]  ___sys_sendmsg+0x7cb/0x930
-[   42.402582]  __sys_sendmsg+0xd9/0x190
-[   42.402941]  SyS_sendmsg+0x2d/0x50
-[   42.403273]  entry_SYSCALL_64_fastpath+0x1f/0xbe
-[   42.403718]
-[   42.403871] Freed by task 1794:
-[   42.404146]  save_stack_trace+0x16/0x20
-[   42.404515]  save_stack+0x46/0xd0
-[   42.404827]  kasan_slab_free+0x72/0xc0
-[   42.405167]  kfree+0xe8/0x2b0
-[   42.405462]  skb_free_head+0x74/0xb0
-[   42.405806]  skb_release_data+0x30e/0x3a0
-[   42.406198]  skb_release_all+0x4a/0x60
-[   42.406563]  consume_skb+0x113/0x2e0
-[   42.406910]  skb_free_datagram+0x1a/0xe0
-[   42.407288]  netlink_recvmsg+0x60d/0xe40
-[   42.407667]  sock_recvmsg+0xd7/0x110
-[   42.408022]  ___sys_recvmsg+0x25c/0x580
-[   42.408395]  __sys_recvmsg+0xd6/0x190
-[   42.408753]  SyS_recvmsg+0x2d/0x50
-[   42.409086]  entry_SYSCALL_64_fastpath+0x1f/0xbe
-[   42.409513]
-[   42.409665] The buggy address belongs to the object at ffff88000969e780
-[   42.409665]  which belongs to the cache kmalloc-512 of size 512
-[   42.410846] The buggy address is located 24 bytes inside of
-[   42.410846]  512-byte region [ffff88000969e780, ffff88000969e980)
-[   42.411941] The buggy address belongs to the page:
-[   42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
-[   42.413298] flags: 0x100000000008100(slab|head)
-[   42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c
-[   42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000
-[   42.415074] page dumped because: kasan: bad access detected
-[   42.415604]
-[   42.415757] Memory state around the buggy address:
-[   42.416222]  ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-[   42.416904]  ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-[   42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-[   42.418273]                    ^
-[   42.418588]  ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-[   42.419273]  ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-[   42.419882] ==================================================================
-
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: Craig Gallek <kraig at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2:
- - Adjust filenames, context]
----
---- a/net/ipv6/af_inet6.c
-+++ b/net/ipv6/af_inet6.c
-@@ -825,6 +825,8 @@ static struct sk_buff *ipv6_gso_segment(
- 					   sizeof(*ipv6h));
- 		if (proto == IPPROTO_UDP) {
- 			unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
-+			if (unfrag_ip6hlen < 0)
-+				return ERR_PTR(unfrag_ip6hlen);
- 			fptr = (struct frag_hdr *)(skb_network_header(skb) +
- 				unfrag_ip6hlen);
- 			fptr->frag_off = htons(offset);
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -562,13 +562,12 @@ static void ip6_copy_metadata(struct sk_
- int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
- {
- 	u16 offset = sizeof(struct ipv6hdr);
--	struct ipv6_opt_hdr *exthdr =
--				(struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
- 	unsigned int packet_len = skb->tail - skb->network_header;
- 	int found_rhdr = 0;
- 	*nexthdr = &ipv6_hdr(skb)->nexthdr;
- 
--	while (offset + 1 <= packet_len) {
-+	while (offset <= packet_len) {
-+		struct ipv6_opt_hdr *exthdr;
- 
- 		switch (**nexthdr) {
- 
-@@ -589,13 +588,16 @@ int ip6_find_1stfragopt(struct sk_buff *
- 			return offset;
- 		}
- 
--		offset += ipv6_optlen(exthdr);
--		*nexthdr = &exthdr->nexthdr;
-+		if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
-+			return -EINVAL;
-+
- 		exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
- 						 offset);
-+		offset += ipv6_optlen(exthdr);
-+		*nexthdr = &exthdr->nexthdr;
- 	}
- 
--	return offset;
-+	return -EINVAL;
- }
- 
- void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
-@@ -630,6 +632,10 @@ int ip6_fragment(struct sk_buff *skb, in
- 	struct net *net = dev_net(skb_dst(skb)->dev);
- 
- 	hlen = ip6_find_1stfragopt(skb, &prevhdr);
-+	if (hlen < 0) {
-+		err = hlen;
-+		goto fail;
-+	}
- 	nexthdr = *prevhdr;
- 
- 	mtu = ip6_skb_dst_mtu(skb);
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -1353,6 +1353,8 @@ static struct sk_buff *udp6_ufo_fragment
- 	 * bytes to insert fragment header.
- 	 */
- 	unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
-+	if (unfrag_ip6hlen < 0)
-+		return ERR_PTR(unfrag_ip6hlen);
- 	nexthdr = *prevhdr;
- 	*prevhdr = NEXTHDR_FRAGMENT;
- 	unfrag_len = skb_network_header(skb) - skb_mac_header(skb) +
diff --git a/debian/patches/bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch b/debian/patches/bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch
deleted file mode 100644
index 407a1a1..0000000
--- a/debian/patches/bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Dan Carpenter <dan.carpenter at oracle.com>
-Date: Tue, 2 May 2017 13:58:53 +0300
-Subject: ipx: call ipxitf_put() in ioctl error path
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/ee0d8d8482345ff97a75a7d747efc309f13b0d80
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7487
-
-We should call ipxitf_put() if the copy_to_user() fails.
-
-Reported-by: 李强 <liqiang6-s at 360.cn>
-Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipx/af_ipx.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
---- a/net/ipx/af_ipx.c
-+++ b/net/ipx/af_ipx.c
-@@ -1194,11 +1194,10 @@ static int ipxitf_ioctl(unsigned int cmd
- 		sipx->sipx_network	= ipxif->if_netnum;
- 		memcpy(sipx->sipx_node, ipxif->if_node,
- 			sizeof(sipx->sipx_node));
--		rc = -EFAULT;
-+		rc = 0;
- 		if (copy_to_user(arg, &ifr, sizeof(ifr)))
--			break;
-+			rc = -EFAULT;
- 		ipxitf_put(ipxif);
--		rc = 0;
- 		break;
- 	}
- 	case SIOCAIPXITFCRT:
diff --git a/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch b/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
deleted file mode 100644
index 496bd33..0000000
--- a/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Tue, 18 Apr 2017 15:31:07 +0100
-Subject: KEYS: Disallow keyrings beginning with '.' to be joined as session
- keyrings
-Origin: https://git.kernel.org/linus/ee8f844e3c5a73b999edf733df1c529d6503ec2f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9604
-
-This fixes CVE-2016-9604.
-
-Keyrings whose name begin with a '.' are special internal keyrings and so
-userspace isn't allowed to create keyrings by this name to prevent
-shadowing.  However, the patch that added the guard didn't fix
-KEYCTL_JOIN_SESSION_KEYRING.  Not only can that create dot-named keyrings,
-it can also subscribe to them as a session keyring if they grant SEARCH
-permission to the user.
-
-This, for example, allows a root process to set .builtin_trusted_keys as
-its session keyring, at which point it has full access because now the
-possessor permissions are added.  This permits root to add extra public
-keys, thereby bypassing module verification.
-
-This also affects kexec and IMA.
-
-This can be tested by (as root):
-
-	keyctl session .builtin_trusted_keys
-	keyctl add user a a @s
-	keyctl list @s
-
-which on my test box gives me:
-
-	2 keys in keyring:
-	180010936: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
-	801382539: --alswrv     0     0 user: a
-
-
-Fix this by rejecting names beginning with a '.' in the keyctl.
-
-Signed-off-by: David Howells <dhowells at redhat.com>
-Acked-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
-cc: linux-ima-devel at lists.sourceforge.net
-cc: stable at vger.kernel.org
----
- security/keys/keyctl.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -263,7 +263,8 @@ error:
-  * Create and join an anonymous session keyring or join a named session
-  * keyring, creating it if necessary.  A named session keyring must have Search
-  * permission for it to be joined.  Session keyrings without this permit will
-- * be skipped over.
-+ * be skipped over.  It is not permitted for userspace to create or join
-+ * keyrings whose name begin with a dot.
-  *
-  * If successful, the ID of the joined session keyring will be returned.
-  */
-@@ -280,12 +281,16 @@ long keyctl_join_session_keyring(const c
- 			ret = PTR_ERR(name);
- 			goto error;
- 		}
-+
-+		ret = -EPERM;
-+		if (name[0] == '.')
-+			goto error_name;
- 	}
- 
- 	/* join the session */
- 	ret = join_session_keyring(name);
-+error_name:
- 	kfree(name);
--
- error:
- 	return ret;
- }
diff --git a/debian/patches/bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch b/debian/patches/bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch
deleted file mode 100644
index e397f80..0000000
--- a/debian/patches/bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch
+++ /dev/null
@@ -1,176 +0,0 @@
-From: Eric Biggers <ebiggers at google.com>
-Date: Tue, 18 Apr 2017 15:31:09 +0100
-Subject: KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
-Origin: https://git.kernel.org/linus/c9f838d104fed6f2f61d68164712e3204bf5271b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7472
-
-This fixes CVE-2017-7472.
-
-Running the following program as an unprivileged user exhausts kernel
-memory by leaking thread keyrings:
-
-	#include <keyutils.h>
-
-	int main()
-	{
-		for (;;)
-			keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
-	}
-
-Fix it by only creating a new thread keyring if there wasn't one before.
-To make things more consistent, make install_thread_keyring_to_cred()
-and install_process_keyring_to_cred() both return 0 if the corresponding
-keyring is already present.
-
-Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
-Cc: stable at vger.kernel.org # 2.6.29+
-Signed-off-by: Eric Biggers <ebiggers at google.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-[bwh: Backported to 3.2: adjust context]
----
- security/keys/keyctl.c       | 11 ++++-------
- security/keys/process_keys.c | 44 +++++++++++++++++++++++++++-----------------
- 2 files changed, 31 insertions(+), 24 deletions(-)
-
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -1183,8 +1183,8 @@ error:
-  * Read or set the default keyring in which request_key() will cache keys and
-  * return the old setting.
-  *
-- * If a process keyring is specified then this will be created if it doesn't
-- * yet exist.  The old setting will be returned if successful.
-+ * If a thread or process keyring is specified then it will be created if it
-+ * doesn't yet exist.  The old setting will be returned if successful.
-  */
- long keyctl_set_reqkey_keyring(int reqkey_defl)
- {
-@@ -1209,11 +1209,8 @@ long keyctl_set_reqkey_keyring(int reqke
- 
- 	case KEY_REQKEY_DEFL_PROCESS_KEYRING:
- 		ret = install_process_keyring_to_cred(new);
--		if (ret < 0) {
--			if (ret != -EEXIST)
--				goto error;
--			ret = 0;
--		}
-+		if (ret < 0)
-+			goto error;
- 		goto set;
- 
- 	case KEY_REQKEY_DEFL_DEFAULT:
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -121,13 +121,18 @@ error:
- }
- 
- /*
-- * Install a fresh thread keyring directly to new credentials.  This keyring is
-- * allowed to overrun the quota.
-+ * Install a thread keyring to the given credentials struct if it didn't have
-+ * one already.  This is allowed to overrun the quota.
-+ *
-+ * Return: 0 if a thread keyring is now present; -errno on failure.
-  */
- int install_thread_keyring_to_cred(struct cred *new)
- {
- 	struct key *keyring;
- 
-+	if (new->thread_keyring)
-+		return 0;
-+
- 	keyring = keyring_alloc("_tid", new->uid, new->gid, new,
- 				KEY_ALLOC_QUOTA_OVERRUN, NULL);
- 	if (IS_ERR(keyring))
-@@ -138,7 +143,9 @@ int install_thread_keyring_to_cred(struc
- }
- 
- /*
-- * Install a fresh thread keyring, discarding the old one.
-+ * Install a thread keyring to the current task if it didn't have one already.
-+ *
-+ * Return: 0 if a thread keyring is now present; -errno on failure.
-  */
- static int install_thread_keyring(void)
- {
-@@ -149,8 +156,6 @@ static int install_thread_keyring(void)
- 	if (!new)
- 		return -ENOMEM;
- 
--	BUG_ON(new->thread_keyring);
--
- 	ret = install_thread_keyring_to_cred(new);
- 	if (ret < 0) {
- 		abort_creds(new);
-@@ -161,10 +166,10 @@ static int install_thread_keyring(void)
- }
- 
- /*
-- * Install a process keyring directly to a credentials struct.
-+ * Install a process keyring to the given credentials struct if it didn't have
-+ * one already.  This is allowed to overrun the quota.
-  *
-- * Returns -EEXIST if there was already a process keyring, 0 if one installed,
-- * and other value on any other error
-+ * Return: 0 if a process keyring is now present; -errno on failure.
-  */
- int install_process_keyring_to_cred(struct cred *new)
- {
-@@ -172,7 +177,7 @@ int install_process_keyring_to_cred(stru
- 	int ret;
- 
- 	if (new->tgcred->process_keyring)
--		return -EEXIST;
-+		return 0;
- 
- 	keyring = keyring_alloc("_pid", new->uid, new->gid,
- 				new, KEY_ALLOC_QUOTA_OVERRUN, NULL);
-@@ -193,11 +198,9 @@ int install_process_keyring_to_cred(stru
- }
- 
- /*
-- * Make sure a process keyring is installed for the current process.  The
-- * existing process keyring is not replaced.
-+ * Install a process keyring to the current task if it didn't have one already.
-  *
-- * Returns 0 if there is a process keyring by the end of this function, some
-- * error otherwise.
-+ * Return: 0 if a process keyring is now present; -errno on failure.
-  */
- static int install_process_keyring(void)
- {
-@@ -211,14 +214,18 @@ static int install_process_keyring(void)
- 	ret = install_process_keyring_to_cred(new);
- 	if (ret < 0) {
- 		abort_creds(new);
--		return ret != -EEXIST ? ret : 0;
-+		return ret;
- 	}
- 
- 	return commit_creds(new);
- }
- 
- /*
-- * Install a session keyring directly to a credentials struct.
-+ * Install the given keyring as the session keyring of the given credentials
-+ * struct, replacing the existing one if any.  If the given keyring is NULL,
-+ * then install a new anonymous session keyring.
-+ *
-+ * Return: 0 on success; -errno on failure.
-  */
- int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
- {
-@@ -258,8 +265,11 @@ int install_session_keyring_to_cred(stru
- }
- 
- /*
-- * Install a session keyring, discarding the old one.  If a keyring is not
-- * supplied, an empty one is invented.
-+ * Install the given keyring as the session keyring of the current task,
-+ * replacing the existing one if any.  If the given keyring is NULL, then
-+ * install a new anonymous session keyring.
-+ *
-+ * Return: 0 on success; -errno on failure.
-  */
- static int install_session_keyring(struct key *keyring)
- {
diff --git a/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch b/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
deleted file mode 100644
index 31c3553..0000000
--- a/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Tue, 16 Sep 2014 17:29:03 +0100
-Subject: KEYS: Reinstate EPERM for a key type name beginning with a '.'
-Origin: https://git.kernel.org/linus/54e2c2c1a9d6cbb270b0999a38545fa9a69bee43
-
-Reinstate the generation of EPERM for a key type name beginning with a '.' in
-a userspace call.  Types whose name begins with a '.' are internal only.
-
-The test was removed by:
-
-	commit a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
-	Author: Mimi Zohar <zohar at linux.vnet.ibm.com>
-	Date:   Thu May 22 14:02:23 2014 -0400
-	Subject: KEYS: special dot prefixed keyring name bug fix
-
-I think we want to keep the restriction on type name so that userspace can't
-add keys of a special internal type.
-
-Note that removal of the test causes several of the tests in the keyutils
-testsuite to fail.
-
-Signed-off-by: David Howells <dhowells at redhat.com>
-Acked-by: Vivek Goyal <vgoyal at redhat.com>
-cc: Mimi Zohar <zohar at linux.vnet.ibm.com>
----
- security/keys/keyctl.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -35,6 +35,8 @@ static int key_get_type_from_user(char *
- 		return ret;
- 	if (ret == 0 || ret >= len)
- 		return -EINVAL;
-+	if (type[0] == '.')
-+		return -EPERM;
- 	type[len - 1] = '\0';
- 	return 0;
- }
diff --git a/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch b/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
deleted file mode 100644
index 16bb626..0000000
--- a/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: Mimi Zohar <zohar at linux.vnet.ibm.com>
-Date: Thu, 22 May 2014 14:02:23 -0400
-Subject: KEYS: special dot prefixed keyring name bug fix
-Origin: https://git.kernel.org/linus/a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
-
-Dot prefixed keyring names are supposed to be reserved for the
-kernel, but add_key() calls key_get_type_from_user(), which
-incorrectly verifies the 'type' field, not the 'description' field.
-This patch verifies the 'description' field isn't dot prefixed,
-when creating a new keyring, and removes the dot prefix test in
-key_get_type_from_user().
-
-Changelog v6:
-- whitespace and other cleanup
-
-Changelog v5:
-- Only prevent userspace from creating a dot prefixed keyring, not
-  regular keys  - Dmitry
-
-Reported-by: Dmitry Kasatkin <d.kasatkin at samsung.com>
-Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
-Acked-by: David Howells <dhowells at redhat.com>
-[bwh: Backported to 3.2: adjust context, indentation]
----
- security/keys/keyctl.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -35,8 +35,6 @@ static int key_get_type_from_user(char *
- 		return ret;
- 	if (ret == 0 || ret >= len)
- 		return -EINVAL;
--	if (type[0] == '.')
--		return -EPERM;
- 	type[len - 1] = '\0';
- 	return 0;
- }
-@@ -75,6 +73,10 @@ SYSCALL_DEFINE5(add_key, const char __us
- 	if (IS_ERR(description)) {
- 		ret = PTR_ERR(description);
- 		goto error;
-+	} else if ((description[0] == '.') &&
-+		   (strncmp(type, "keyring", 7) == 0)) {
-+		ret = -EPERM;
-+		goto error2;
- 	}
- 
- 	/* pull the payload in if one was supplied */
diff --git a/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch b/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
deleted file mode 100644
index c1d314c..0000000
--- a/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From: Chris Salls <salls at cs.ucsb.edu>
-Date: Fri, 7 Apr 2017 23:48:11 -0700
-Subject: mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
-Origin: https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7616
-
-In the case that compat_get_bitmap fails we do not want to copy the
-bitmap to the user as it will contain uninitialized stack data and leak
-sensitive data.
-
-Signed-off-by: Chris Salls <salls at cs.ucsb.edu>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- mm/mempolicy.c | 20 ++++++++------------
- 1 file changed, 8 insertions(+), 12 deletions(-)
-
---- a/mm/mempolicy.c
-+++ b/mm/mempolicy.c
-@@ -1446,7 +1446,6 @@ asmlinkage long compat_sys_get_mempolicy
- asmlinkage long compat_sys_set_mempolicy(int mode, compat_ulong_t __user *nmask,
- 				     compat_ulong_t maxnode)
- {
--	long err = 0;
- 	unsigned long __user *nm = NULL;
- 	unsigned long nr_bits, alloc_size;
- 	DECLARE_BITMAP(bm, MAX_NUMNODES);
-@@ -1455,14 +1454,13 @@ asmlinkage long compat_sys_set_mempolicy
- 	alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
- 
- 	if (nmask) {
--		err = compat_get_bitmap(bm, nmask, nr_bits);
-+		if (compat_get_bitmap(bm, nmask, nr_bits))
-+			return -EFAULT;
- 		nm = compat_alloc_user_space(alloc_size);
--		err |= copy_to_user(nm, bm, alloc_size);
-+		if (copy_to_user(nm, bm, alloc_size))
-+			return -EFAULT;
- 	}
- 
--	if (err)
--		return -EFAULT;
--
- 	return sys_set_mempolicy(mode, nm, nr_bits+1);
- }
- 
-@@ -1470,7 +1468,6 @@ asmlinkage long compat_sys_mbind(compat_
- 			     compat_ulong_t mode, compat_ulong_t __user *nmask,
- 			     compat_ulong_t maxnode, compat_ulong_t flags)
- {
--	long err = 0;
- 	unsigned long __user *nm = NULL;
- 	unsigned long nr_bits, alloc_size;
- 	nodemask_t bm;
-@@ -1479,14 +1476,13 @@ asmlinkage long compat_sys_mbind(compat_
- 	alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
- 
- 	if (nmask) {
--		err = compat_get_bitmap(nodes_addr(bm), nmask, nr_bits);
-+		if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits))
-+			return -EFAULT;
- 		nm = compat_alloc_user_space(alloc_size);
--		err |= copy_to_user(nm, nodes_addr(bm), alloc_size);
-+		if (copy_to_user(nm, nodes_addr(bm), alloc_size))
-+			return -EFAULT;
- 	}
- 
--	if (err)
--		return -EFAULT;
--
- 	return sys_mbind(start, len, mode, nm, nr_bits+1, flags);
- }
- 
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
deleted file mode 100644
index c17248b..0000000
--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Andrey Konovalov <andreyknvl at google.com>
-Date: Wed, 29 Mar 2017 16:11:20 +0200
-Subject: [1/3] net/packet: fix overflow in check for priv area size
-Origin: https://git.kernel.org/linus/2b6867c2ce76c596676bec7d2d525af525fdc6e2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
-
-Subtracting tp_sizeof_priv from tp_block_size and casting to int
-to check whether one is less then the other doesn't always work
-(both of them are unsigned ints).
-
-Compare them as is instead.
-
-Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
-it can overflow inside BLK_PLUS_PRIV otherwise.
-
-Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3637,8 +3637,8 @@ static int packet_set_ring(struct sock *
- 		if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))
- 			goto out;
- 		if (po->tp_version >= TPACKET_V3 &&
--		    (int)(req->tp_block_size -
--			  BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
-+		    req->tp_block_size <=
-+			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
- 			goto out;
- 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
- 					po->tp_reserve))
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
deleted file mode 100644
index 9e6b4f3..0000000
--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Andrey Konovalov <andreyknvl at google.com>
-Date: Wed, 29 Mar 2017 16:11:21 +0200
-Subject: [2/3] net/packet: fix overflow in check for tp_frame_nr
-Origin: https://git.kernel.org/linus/8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
-
-When calculating rb->frames_per_block * req->tp_block_nr the result
-can overflow.
-
-Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
-
-Since frames_per_block <= tp_block_size, the expression would
-never overflow.
-
-Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3649,6 +3649,8 @@ static int packet_set_ring(struct sock *
- 		rb->frames_per_block = req->tp_block_size/req->tp_frame_size;
- 		if (unlikely(rb->frames_per_block <= 0))
- 			goto out;
-+		if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
-+			goto out;
- 		if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
- 					req->tp_frame_nr))
- 			goto out;
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
deleted file mode 100644
index 981a8d1..0000000
--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Andrey Konovalov <andreyknvl at google.com>
-Date: Wed, 29 Mar 2017 16:11:22 +0200
-Subject: [3/3] net/packet: fix overflow in check for tp_reserve
-Origin: https://git.kernel.org/linus/bcc5364bdcfe131e6379363f089e7b4108d35b70
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
-
-When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
-
-Fix by checking that tp_reserve <= INT_MAX on assign.
-
-Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3136,6 +3136,8 @@ packet_setsockopt(struct socket *sock, i
- 			return -EBUSY;
- 		if (copy_from_user(&val, optval, sizeof(val)))
- 			return -EFAULT;
-+		if (val > INT_MAX)
-+			return -EINVAL;
- 		po->tp_reserve = val;
- 		return 0;
- 	}
diff --git a/debian/patches/bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch b/debian/patches/bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
deleted file mode 100644
index c84e29f..0000000
--- a/debian/patches/bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From: "J. Bruce Fields" <bfields at redhat.com>
-Date: Fri, 21 Apr 2017 16:10:18 -0400
-Subject: nfsd: check for oversized NFSv2/v3 arguments
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/e6838a29ecb484c97e4efef9429643b9851fba6e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7645
-
-A client can append random data to the end of an NFSv2 or NFSv3 RPC call
-without our complaining; we'll just stop parsing at the end of the
-expected data and ignore the rest.
-
-Encoded arguments and replies are stored together in an array of pages,
-and if a call is too large it could leave inadequate space for the
-reply.  This is normally OK because NFS RPC's typically have either
-short arguments and long replies (like READ) or long arguments and short
-replies (like WRITE).  But a client that sends an incorrectly long reply
-can violate those assumptions.  This was observed to cause crashes.
-
-Also, several operations increment rq_next_page in the decode routine
-before checking the argument size, which can leave rq_next_page pointing
-well past the end of the page array, causing trouble later in
-svc_free_pages.
-
-So, following a suggestion from Neil Brown, add a central check to
-enforce our expectation that no NFSv2/v3 call has both a large call and
-a large reply.
-
-As followup we may also want to rewrite the encoding routines to check
-more carefully that they aren't running off the end of the page array.
-
-We may also consider rejecting calls that have any extra garbage
-appended.  That would be safer, and within our rights by spec, but given
-the age of our server and the NFS protocol, and the fact that we've
-never enforced this before, we may need to balance that against the
-possibility of breaking some oddball client.
-
-Reported-by: Tuomas Haanpää <thaan at synopsys.com>
-Reported-by: Ari Kauppi <ari at synopsys.com>
-Cc: stable at vger.kernel.org
-Reviewed-by: NeilBrown <neilb at suse.com>
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
----
- fs/nfsd/nfssvc.c | 36 ++++++++++++++++++++++++++++++++++++
- 1 file changed, 36 insertions(+)
-
---- a/fs/nfsd/nfssvc.c
-+++ b/fs/nfsd/nfssvc.c
-@@ -561,6 +561,37 @@ static __be32 map_new_errors(u32 vers, _
- 	return nfserr;
- }
- 
-+/*
-+ * A write procedure can have a large argument, and a read procedure can
-+ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and
-+ * reply that can both be larger than a page.  The xdr code has taken
-+ * advantage of this assumption to be a sloppy about bounds checking in
-+ * some cases.  Pending a rewrite of the NFSv2/v3 xdr code to fix that
-+ * problem, we enforce these assumptions here:
-+ */
-+static bool nfs_request_too_big(struct svc_rqst *rqstp,
-+				struct svc_procedure *proc)
-+{
-+	/*
-+	 * The ACL code has more careful bounds-checking and is not
-+	 * susceptible to this problem:
-+	 */
-+	if (rqstp->rq_prog != NFS_PROGRAM)
-+		return false;
-+	/*
-+	 * Ditto NFSv4 (which can in theory have argument and reply both
-+	 * more than a page):
-+	 */
-+	if (rqstp->rq_vers >= 4)
-+		return false;
-+	/* The reply will be small, we're OK: */
-+	if (proc->pc_xdrressize > 0 &&
-+	    proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE))
-+		return false;
-+
-+	return rqstp->rq_arg.len > PAGE_SIZE;
-+}
-+
- int
- nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
- {
-@@ -573,6 +604,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __
- 				rqstp->rq_vers, rqstp->rq_proc);
- 	proc = rqstp->rq_procinfo;
- 
-+	if (nfs_request_too_big(rqstp, proc)) {
-+		dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);
-+		*statp = rpc_garbage_args;
-+		return 1;
-+	}
- 	/*
- 	 * Give the xdr decoder a chance to change this if it wants
- 	 * (necessary in the NFSv4.0 compound case)
diff --git a/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch b/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
deleted file mode 100644
index e07cc3f..0000000
--- a/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From: "J. Bruce Fields" <bfields at redhat.com>
-Date: Fri, 21 Apr 2017 15:26:30 -0400
-Subject: [2/2] nfsd: stricter decoding of write-like NFSv2/v3 ops
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/13bf9fbff0e5e099e2b6f003a0ab8ae145436309
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7895
-
-The NFSv2/v3 code does not systematically check whether we decode past
-the end of the buffer.  This generally appears to be harmless, but there
-are a few places where we do arithmetic on the pointers involved and
-don't account for the possibility that a length could be negative.  Add
-checks to catch these.
-
-Reported-by: Tuomas Haanpää <thaan at synopsys.com>
-Reported-by: Ari Kauppi <ari at synopsys.com>
-Reviewed-by: NeilBrown <neilb at suse.com>
-Cc: stable at vger.kernel.org
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
----
- fs/nfsd/nfs3xdr.c | 4 ++++
- fs/nfsd/nfsxdr.c  | 2 ++
- 2 files changed, 6 insertions(+)
-
---- a/fs/nfsd/nfs3xdr.c
-+++ b/fs/nfsd/nfs3xdr.c
-@@ -363,6 +363,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
- 	args->count = ntohl(*p++);
- 	args->stable = ntohl(*p++);
- 	len = args->len = ntohl(*p++);
-+	if ((void *)p > head->iov_base + head->iov_len)
-+		return 0;
- 	/*
- 	 * The count must equal the amount of data passed.
- 	 */
-@@ -467,6 +469,8 @@ nfs3svc_decode_symlinkargs(struct svc_rq
- 	/* first copy and check from the first page */
- 	old = (char*)p;
- 	vec = &rqstp->rq_arg.head[0];
-+	if ((void *)old > vec->iov_base + vec->iov_len)
-+		return 0;
- 	avail = vec->iov_len - (old - (char*)vec->iov_base);
- 	while (len && avail && *old) {
- 		*new++ = *old++;
---- a/fs/nfsd/nfsxdr.c
-+++ b/fs/nfsd/nfsxdr.c
-@@ -298,6 +298,8 @@ nfssvc_decode_writeargs(struct svc_rqst
- 	 * bytes.
- 	 */
- 	hdr = (void*)p - head->iov_base;
-+	if (hdr > head->iov_len)
-+		return 0;
- 	dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
- 
- 	/*
diff --git a/debian/patches/bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch b/debian/patches/bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
deleted file mode 100644
index c0c417c..0000000
--- a/debian/patches/bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From: "J. Bruce Fields" <bfields at redhat.com>
-Date: Tue, 25 Apr 2017 16:21:34 -0400
-Subject: [1/2] nfsd4: minor NFSv2/v3 write decoding cleanup
-Origin: https://git.kernel.org/linus/db44bac41bbfc0c0d9dd943092d8bded3c9db19b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7895
-
-Use a couple shortcuts that will simplify a following bugfix.
-
-Cc: stable at vger.kernel.org
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
-[bwh: Backported to 3.2: in nfs3svc_decode_writeargs(), dlen doesn't include
- tail]
----
- fs/nfsd/nfs3xdr.c | 9 +++++----
- fs/nfsd/nfsxdr.c  | 8 ++++----
- 2 files changed, 9 insertions(+), 8 deletions(-)
-
---- a/fs/nfsd/nfs3xdr.c
-+++ b/fs/nfsd/nfs3xdr.c
-@@ -354,6 +354,7 @@ nfs3svc_decode_writeargs(struct svc_rqst
- {
- 	unsigned int len, v, hdr, dlen;
- 	u32 max_blocksize = svc_max_payload(rqstp);
-+	struct kvec *head = rqstp->rq_arg.head;
- 
- 	if (!(p = decode_fh(p, &args->fh)))
- 		return 0;
-@@ -372,9 +373,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
- 	 * Check to make sure that we got the right number of
- 	 * bytes.
- 	 */
--	hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
--	dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
--		- hdr;
-+	hdr = (void*)p - head->iov_base;
-+	dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
- 	/*
- 	 * Round the length of the data which was specified up to
- 	 * the next multiple of XDR units and then compare that
-@@ -391,7 +391,7 @@ nfs3svc_decode_writeargs(struct svc_rqst
- 		len = args->len = max_blocksize;
- 	}
- 	rqstp->rq_vec[0].iov_base = (void*)p;
--	rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
-+	rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
- 	v = 0;
- 	while (len > rqstp->rq_vec[v].iov_len) {
- 		len -= rqstp->rq_vec[v].iov_len;
---- a/fs/nfsd/nfsxdr.c
-+++ b/fs/nfsd/nfsxdr.c
-@@ -277,6 +277,7 @@ nfssvc_decode_writeargs(struct svc_rqst
- 					struct nfsd_writeargs *args)
- {
- 	unsigned int len, hdr, dlen;
-+	struct kvec *head = rqstp->rq_arg.head;
- 	int v;
- 
- 	if (!(p = decode_fh(p, &args->fh)))
-@@ -296,9 +297,8 @@ nfssvc_decode_writeargs(struct svc_rqst
- 	 * Check to make sure that we got the right number of
- 	 * bytes.
- 	 */
--	hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
--	dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
--		- hdr;
-+	hdr = (void*)p - head->iov_base;
-+	dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
- 
- 	/*
- 	 * Round the length of the data which was specified up to
-@@ -312,7 +312,7 @@ nfssvc_decode_writeargs(struct svc_rqst
- 		return 0;
- 
- 	rqstp->rq_vec[0].iov_base = (void*)p;
--	rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
-+	rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
- 	v = 0;
- 	while (len > rqstp->rq_vec[v].iov_len) {
- 		len -= rqstp->rq_vec[v].iov_len;
diff --git a/debian/patches/bugfix/all/packet-handle-too-big-packets-for-packet_v3.patch b/debian/patches/bugfix/all/packet-handle-too-big-packets-for-packet_v3.patch
deleted file mode 100644
index f5991e2..0000000
--- a/debian/patches/bugfix/all/packet-handle-too-big-packets-for-packet_v3.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Fri, 15 Aug 2014 09:16:04 -0700
-Subject: packet: handle too big packets for PACKET_V3
-Origin: https://git.kernel.org/linus/dc808110bb62b64a448696ecac3938902c92e1ab
-
-af_packet can currently overwrite kernel memory by out of bound
-accesses, because it assumed a [new] block can always hold one frame.
-
-This is not generally the case, even if most existing tools do it right.
-
-This patch clamps too long frames as API permits, and issue a one time
-error on syslog.
-
-[  394.357639] tpacket_rcv: packet too big, clamped from 5042 to 3966. macoff=82
-
-In this example, packet header tp_snaplen was set to 3966,
-and tp_len was set to 5042 (skb->len)
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
-Acked-by: Daniel Borkmann <dborkman at redhat.com>
-Acked-by: Neil Horman <nhorman at tuxdriver.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust filename]
----
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -195,6 +195,7 @@ struct tpacket_kbdq_core {
- 	char		*pkblk_start;
- 	char		*pkblk_end;
- 	int		kblk_size;
-+	unsigned int	max_frame_len;
- 	unsigned int	knum_blocks;
- 	uint64_t	knxt_seq_num;
- 	char		*prev;
-@@ -616,6 +617,7 @@ static void init_prb_bdqc(struct packet_
- 	p1->tov_in_jiffies = msecs_to_jiffies(p1->retire_blk_tov);
- 	p1->blk_sizeof_priv = req_u->req3.tp_sizeof_priv;
- 
-+	p1->max_frame_len = p1->kblk_size - BLK_PLUS_PRIV(p1->blk_sizeof_priv);
- 	prb_init_ft_ops(p1, req_u);
- 	prb_setup_retire_blk_timer(po, tx_ring);
- 	prb_open_block(p1, pbd);
-@@ -1775,6 +1777,18 @@ static int tpacket_rcv(struct sk_buff *s
- 			if ((int)snaplen < 0)
- 				snaplen = 0;
- 		}
-+	} else if (unlikely(macoff + snaplen >
-+			    GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {
-+		u32 nval;
-+
-+		nval = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len - macoff;
-+		pr_err_once("tpacket_rcv: packet too big, clamped from %u to %u. macoff=%u\n",
-+			    snaplen, nval, macoff);
-+		snaplen = nval;
-+		if (unlikely((int)snaplen < 0)) {
-+			snaplen = 0;
-+			macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;
-+		}
- 	}
- 	spin_lock(&sk->sk_receive_queue.lock);
- 	h.raw = packet_current_rx_frame(po, skb,
-@@ -3622,6 +3636,10 @@ static int packet_set_ring(struct sock *
- 			goto out;
- 		if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))
- 			goto out;
-+		if (po->tp_version >= TPACKET_V3 &&
-+		    (int)(req->tp_block_size -
-+			  BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
-+			goto out;
- 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
- 					po->tp_reserve))
- 			goto out;
diff --git a/debian/patches/bugfix/all/ping-implement-proper-locking.patch b/debian/patches/bugfix/all/ping-implement-proper-locking.patch
deleted file mode 100644
index d403747..0000000
--- a/debian/patches/bugfix/all/ping-implement-proper-locking.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Fri, 24 Mar 2017 19:36:13 -0700
-Subject: ping: implement proper locking
-Origin: https://git.kernel.org/linus/43a6684519ab0a6c52024b5e25322476cabad893
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2671
-
-We got a report of yet another bug in ping
-
-http://www.openwall.com/lists/oss-security/2017/03/24/6
-
-->disconnect() is not called with socket lock held.
-
-Fix this by acquiring ping rwlock earlier.
-
-Thanks to Daniel, Alexander and Andrey for letting us know this problem.
-
-Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Daniel Jiang <danieljiang0415 at gmail.com>
-Reported-by: Solar Designer <solar at openwall.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust context]
----
- net/ipv4/ping.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/net/ipv4/ping.c
-+++ b/net/ipv4/ping.c
-@@ -135,16 +135,17 @@ static void ping_v4_hash(struct sock *sk
- static void ping_v4_unhash(struct sock *sk)
- {
- 	struct inet_sock *isk = inet_sk(sk);
-+
- 	pr_debug("ping_v4_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
-+	write_lock_bh(&ping_table.lock);
- 	if (sk_hashed(sk)) {
--		write_lock_bh(&ping_table.lock);
- 		hlist_nulls_del(&sk->sk_nulls_node);
- 		sk_nulls_node_init(&sk->sk_nulls_node);
- 		sock_put(sk);
- 		isk->inet_num = isk->inet_sport = 0;
- 		sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
--		write_unlock_bh(&ping_table.lock);
- 	}
-+	write_unlock_bh(&ping_table.lock);
- }
- 
- static struct sock *ping_v4_lookup(struct net *net, u32 saddr, u32 daddr,
diff --git a/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch b/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
deleted file mode 100644
index 3f5353c..0000000
--- a/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Wed, 17 May 2017 07:16:40 -0700
-Subject: sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
-Origin: https://git.kernel.org/linus/fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9075
-
-SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit
-ipv6_mc_list from parent"), otherwise bad things can happen.
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/sctp/ipv6.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/sctp/ipv6.c
-+++ b/net/sctp/ipv6.c
-@@ -655,6 +655,9 @@ static struct sock *sctp_v6_create_accep
- 	newnp = inet6_sk(newsk);
- 
- 	memcpy(newnp, np, sizeof(struct ipv6_pinfo));
-+	newnp->ipv6_mc_list = NULL;
-+	newnp->ipv6_ac_list = NULL;
-+	newnp->ipv6_fl_list = NULL;
- 
- 	rcu_read_lock();
- 	opt = rcu_dereference(np->opt);
diff --git a/debian/patches/bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch b/debian/patches/bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
deleted file mode 100644
index d44c388..0000000
--- a/debian/patches/bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Amey Telawane <ameyt at codeaurora.org>
-Date: Wed, 3 May 2017 15:41:14 +0530
-Subject: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
-Origin: https://git.kernel.org/linus/e09e28671cda63e6308b31798b997639120e2a21
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-0605
-
-Strcpy is inherently not safe, and strlcpy() should be used instead.
-__trace_find_cmdline() uses strcpy() because the comms saved must have a
-terminating nul character, but it doesn't hurt to add the extra protection
-of using strlcpy() instead of strcpy().
-
-Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org
-
-Signed-off-by: Amey Telawane <ameyt at codeaurora.org>
-[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10
-https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
-Signed-off-by: Amit Pundir <amit.pundir at linaro.org>
-[ Updated change log and removed the "- 1" from len parameter ]
-Signed-off-by: Steven Rostedt (VMware) <rostedt at goodmis.org>
-[bwh: Backported to 3.2: adjust context]
----
- kernel/trace/trace.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/kernel/trace/trace.c
-+++ b/kernel/trace/trace.c
-@@ -1100,7 +1100,7 @@ void trace_find_cmdline(int pid, char co
- 	arch_spin_lock(&trace_cmdline_lock);
- 	map = map_pid_to_cmdline[pid];
- 	if (map != NO_CMDLINE_MAP)
--		strcpy(comm, saved_cmdlines[map]);
-+		strlcpy(comm, saved_cmdlines[map], TASK_COMM_LEN);
- 	else
- 		strcpy(comm, "<...>");
- 
diff --git a/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch b/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
deleted file mode 100644
index a880c1f..0000000
--- a/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From: Johan Hovold <johan at kernel.org>
-Date: Tue, 7 Mar 2017 16:11:03 +0100
-Subject: USB: iowarrior: fix NULL-deref at probe
-Origin: https://git.kernel.org/linus/b7321e81fc369abe353cf094d4f0dc2fe11ab95f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-2188
-
-Make sure to check for the required interrupt-in endpoint to avoid
-dereferencing a NULL-pointer should a malicious device lack such an
-endpoint.
-
-Note that a fairly recent change purported to fix this issue, but added
-an insufficient test on the number of endpoints only, a test which can
-now be removed.
-
-Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
-Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
-Cc: stable <stable at vger.kernel.org>	# 2.6.21
-Signed-off-by: Johan Hovold <johan at kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
-[bwh: Backported to 3.2: adjust context]
----
- drivers/usb/misc/iowarrior.c | 13 +++++++------
- 1 file changed, 7 insertions(+), 6 deletions(-)
-
---- a/drivers/usb/misc/iowarrior.c
-+++ b/drivers/usb/misc/iowarrior.c
-@@ -792,12 +792,6 @@ static int iowarrior_probe(struct usb_in
- 	iface_desc = interface->cur_altsetting;
- 	dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
- 
--	if (iface_desc->desc.bNumEndpoints < 1) {
--		dev_err(&interface->dev, "Invalid number of endpoints\n");
--		retval = -EINVAL;
--		goto error;
--	}
--
- 	/* set up the endpoint information */
- 	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
- 		endpoint = &iface_desc->endpoint[i].desc;
-@@ -808,6 +802,13 @@ static int iowarrior_probe(struct usb_in
- 			/* this one will match for the IOWarrior56 only */
- 			dev->int_out_endpoint = endpoint;
- 	}
-+
-+	if (!dev->int_in_endpoint) {
-+		dev_err(&interface->dev, "no interrupt-in endpoint found\n");
-+		retval = -ENODEV;
-+		goto error;
-+	}
-+
- 	/* we have to check the report_size often, so remember it in the endianess suitable for our machine */
- 	dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
- 	if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
diff --git a/debian/patches/bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch b/debian/patches/bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
deleted file mode 100644
index 1d0c295..0000000
--- a/debian/patches/bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Johan Hovold <johan at kernel.org>
-Date: Mon, 6 Mar 2017 17:36:40 +0100
-Subject: USB: serial: io_ti: fix information leak in completion handler
-Origin: https://git.kernel.org/linus/654b404f2a222f918af9b0cd18ad469d0c941a8e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8924
-
-Add missing sanity check to the bulk-in completion handler to avoid an
-integer underflow that can be triggered by a malicious device.
-
-This avoids leaking 128 kB of memory content from after the URB transfer
-buffer to user space.
-
-Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Cc: stable <stable at vger.kernel.org>	# 2.6.30
-Signed-off-by: Johan Hovold <johan at kernel.org>
----
- drivers/usb/serial/io_ti.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/usb/serial/io_ti.c
-+++ b/drivers/usb/serial/io_ti.c
-@@ -1762,7 +1762,7 @@ static void edge_bulk_in_callback(struct
- 
- 	port_number = edge_port->port->number - edge_port->port->serial->minor;
- 
--	if (edge_port->lsr_event) {
-+	if (urb->actual_length > 0 && edge_port->lsr_event) {
- 		edge_port->lsr_event = 0;
- 		dbg("%s ===== Port %u LSR Status = %02x, Data = %02x ======",
- 		     __func__, port_number, edge_port->lsr_mask, *data);
diff --git a/debian/patches/bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch b/debian/patches/bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
deleted file mode 100644
index d8d2ab6..0000000
--- a/debian/patches/bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Johan Hovold <johan at kernel.org>
-Date: Mon, 6 Mar 2017 17:36:38 +0100
-Subject: USB: serial: omninet: fix reference leaks at open
-Origin: https://git.kernel.org/linus/30572418b445d85fcfe6c8fe84c947d2606767d8
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8925
-
-This driver needlessly took another reference to the tty on open, a
-reference which was then never released on close. This lead to not just
-a leak of the tty, but also a driver reference leak that prevented the
-driver from being unloaded after a port had once been opened.
-
-Fixes: 4a90f09b20f4 ("tty: usb-serial krefs")
-Cc: stable <stable at vger.kernel.org>	# 2.6.28
-Signed-off-by: Johan Hovold <johan at kernel.org>
-[bwh: Backported to 3.2:
- - The 'serial' variable is still needed for other initialisation
- - Adjust context]
----
---- a/drivers/usb/serial/omninet.c
-+++ b/drivers/usb/serial/omninet.c
-@@ -171,14 +171,10 @@ static int omninet_attach(struct usb_ser
- static int omninet_open(struct tty_struct *tty, struct usb_serial_port *port)
- {
- 	struct usb_serial	*serial = port->serial;
--	struct usb_serial_port	*wport;
- 	int			result = 0;
- 
- 	dbg("%s - port %d", __func__, port->number);
- 
--	wport = serial->port[1];
--	tty_port_tty_set(&wport->port, tty);
--
- 	/* Start reading from the device */
- 	usb_fill_bulk_urb(port->read_urb, serial->dev,
- 			usb_rcvbulkpipe(serial->dev,
diff --git a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
deleted file mode 100644
index 59f64e6..0000000
--- a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Andy Whitcroft <apw at canonical.com>
-Date: Thu, 23 Mar 2017 07:45:44 +0000
-Subject: [2/2] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
-Origin: https://git.kernel.org/linus/f843ee6dd019bcece3e74e76ad9df0155655d0df
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
-
-Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
-wrapping issues.  To ensure we are correctly ensuring that the two ESN
-structures are the same size compare both the overall size as reported
-by xfrm_replay_state_esn_len() and the internal length are the same.
-
-CVE-2017-7184
-Signed-off-by: Andy Whitcroft <apw at canonical.com>
-Acked-by: Steffen Klassert <steffen.klassert at secunet.com>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- net/xfrm/xfrm_user.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/net/xfrm/xfrm_user.c
-+++ b/net/xfrm/xfrm_user.c
-@@ -390,7 +390,11 @@ static inline int xfrm_replay_verify_len
- 	up = nla_data(rp);
- 	ulen = xfrm_replay_state_esn_len(up);
- 
--	if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
-+	/* Check the overall length and the internal bitmap length to avoid
-+	 * potential overflow. */
-+	if (nla_len(rp) < ulen ||
-+	    xfrm_replay_state_esn_len(replay_esn) != ulen ||
-+	    replay_esn->bmp_len != up->bmp_len)
- 		return -EINVAL;
- 
- 	if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
diff --git a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
deleted file mode 100644
index 296b110..0000000
--- a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Andy Whitcroft <apw at canonical.com>
-Date: Wed, 22 Mar 2017 07:29:31 +0000
-Subject: [1/2] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL
- replay_window
-Origin: https://git.kernel.org/linus/677e806da4d916052585301785d847c3b3e6186a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
-
-When a new xfrm state is created during an XFRM_MSG_NEWSA call we
-validate the user supplied replay_esn to ensure that the size is valid
-and to ensure that the replay_window size is within the allocated
-buffer.  However later it is possible to update this replay_esn via a
-XFRM_MSG_NEWAE call.  There we again validate the size of the supplied
-buffer matches the existing state and if so inject the contents.  We do
-not at this point check that the replay_window is within the allocated
-memory.  This leads to out-of-bounds reads and writes triggered by
-netlink packets.  This leads to memory corruption and the potential for
-priviledge escalation.
-
-We already attempt to validate the incoming replay information in
-xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the user
-is not trying to change the size of the replay state buffer which
-includes the replay_esn.  It however does not check the replay_window
-remains within that buffer.  Add validation of the contained
-replay_window.
-
-CVE-2017-7184
-Signed-off-by: Andy Whitcroft <apw at canonical.com>
-Acked-by: Steffen Klassert <steffen.klassert at secunet.com>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- net/xfrm/xfrm_user.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/xfrm/xfrm_user.c
-+++ b/net/xfrm/xfrm_user.c
-@@ -393,6 +393,9 @@ static inline int xfrm_replay_verify_len
- 	if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
- 		return -EINVAL;
- 
-+	if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
-+		return -EINVAL;
-+
- 	return 0;
- }
- 
diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
deleted file mode 100644
index a710645..0000000
--- a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Li Qiang <liq3ea at gmail.com>
-Date: Mon, 27 Mar 2017 20:10:53 -0700
-Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
-Origin: https://git.kernel.org/linus/e7e11f99564222d82f0ce84bd521e57d78a6b678
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7294
-
-In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
-'req->mip_levels' array. This array can be assigned any value from
-the user space. As both the 'num_sizes' and the array is uint32_t,
-it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
-used as the loop count. This can lead an oob write. Add the check of
-'req->mip_levels' to avoid this.
-
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
-Reviewed-by: Thomas Hellstrom <thellstrom at vmware.com>
-[bwh: Backported to 3.2: adjust filename]
----
- drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
-@@ -1304,8 +1304,11 @@ int vmw_surface_define_ioctl(struct drm_
- 			128;
- 
- 	num_sizes = 0;
--	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
-+	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
-+		if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
-+			return -EINVAL;
- 		num_sizes += req->mip_levels[i];
-+	}
- 
- 	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
- 	    num_sizes == 0)
diff --git a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
deleted file mode 100644
index d7fbb06..0000000
--- a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Murray McAllister <murray.mcallister at insomniasec.com>
-Date: Mon, 27 Mar 2017 11:12:53 +0200
-Subject: drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
-Origin: https://git.kernel.org/linus/36274ab8c596f1240c606bb514da329add2a1bcd
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7261
-
-Before memory allocations vmw_surface_define_ioctl() checks the
-upper-bounds of a user-supplied size, but does not check if the
-supplied size is 0.
-
-Add check to avoid NULL pointer dereferences.
-
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Murray McAllister <murray.mcallister at insomniasec.com>
-Reviewed-by: Sinclair Yeh <syeh at vmware.com>
-[bwh: Backported to 3.2: adjust filename]
----
- drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
-@@ -1307,8 +1307,8 @@ int vmw_surface_define_ioctl(struct drm_
- 	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
- 		num_sizes += req->mip_levels[i];
- 
--	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
--	    DRM_VMW_MAX_MIP_LEVELS)
-+	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
-+	    num_sizes == 0)
- 		return -EINVAL;
- 
- 	size = vmw_user_surface_size + 128 +
diff --git a/debian/patches/series b/debian/patches/series
index a371fc7..c509b9b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1107,41 +1107,8 @@ bugfix/all/netfilter-ipset-Check-and-reject-crazy-0-input-param.patch
 bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
 bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
 bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
-bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
-bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
-bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
-bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
-bugfix/all/ping-implement-proper-locking.patch
-bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
-bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
-bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
-bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
-bugfix/all/packet-handle-too-big-packets-for-packet_v3.patch
-bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
-bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
-bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
-bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch
-bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
-bugfix/all/crypto-ahash-fully-restore-ahash-request-before-comp.patch
-bugfix/all/crypto-hash-Fix-the-pointer-voodoo-in-unaligned-ahas.patch
-bugfix/all/crypto-hash-pull-out-the-functions-to-save-restore-r.patch
-bugfix/all/crypto-hash-simplify-the-ahash_finup-implementation.patch
-bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch
-bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
-bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch
-bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
-bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
-bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
-bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
-bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
-bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
-bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
-bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
 bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
 bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
-bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
-bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
-bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch
