diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2012-08-23 05:59:07 -0400 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2012-08-23 05:59:07 -0400 |
| commit | 05ef56fc07d1093768b292be3b639b3c333ba3af (patch) | |
| tree | 716d16075b011384edf0360b36d64af1874fb97f | |
| parent | Grsec/PaX: 2.9.1-{2.6.32.59,3.2.27,3.5.2}-201208201521 (diff) | |
| download | hardened-patchset-05ef56fc07d1093768b292be3b639b3c333ba3af.tar.gz hardened-patchset-05ef56fc07d1093768b292be3b639b3c333ba3af.tar.bz2 hardened-patchset-05ef56fc07d1093768b292be3b639b3c333ba3af.zip | |
Grsec/PaX: 2.9.1-{2.6.32.59,3.2.28,3.5.2}-20120822203120120822
| -rw-r--r-- | 2.6.32/0000_README | 2 | ||||
| -rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208201521.patch) | 152 | ||||
| -rw-r--r-- | 3.2.28/0000_README (renamed from 3.2.27/0000_README) | 6 | ||||
| -rw-r--r-- | 3.2.28/1021_linux-3.2.22.patch (renamed from 3.2.27/1021_linux-3.2.22.patch) | 0 | ||||
| -rw-r--r-- | 3.2.28/1022_linux-3.2.23.patch (renamed from 3.2.27/1022_linux-3.2.23.patch) | 0 | ||||
| -rw-r--r-- | 3.2.28/1023_linux-3.2.24.patch (renamed from 3.2.27/1023_linux-3.2.24.patch) | 0 | ||||
| -rw-r--r-- | 3.2.28/1024_linux-3.2.25.patch (renamed from 3.2.27/1024_linux-3.2.25.patch) | 0 | ||||
| -rw-r--r-- | 3.2.28/1025_linux-3.2.26.patch (renamed from 3.2.27/1025_linux-3.2.26.patch) | 0 | ||||
| -rw-r--r-- | 3.2.28/1026_linux-3.2.27.patch (renamed from 3.2.27/1026_linux-3.2.27.patch) | 0 | ||||
| -rw-r--r-- | 3.2.28/1027_linux-3.2.28.patch | 1114 | ||||
| -rw-r--r-- | 3.2.28/4420_grsecurity-2.9.1-3.2.28-201208222030.patch (renamed from 3.2.27/4420_grsecurity-2.9.1-3.2.27-201208201521.patch) | 469 | ||||
| -rw-r--r-- | 3.2.28/4430_grsec-remove-localversion-grsec.patch (renamed from 3.2.27/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 3.2.28/4435_grsec-mute-warnings.patch (renamed from 3.2.27/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 3.2.28/4440_grsec-remove-protected-paths.patch (renamed from 3.2.27/4440_grsec-remove-protected-paths.patch) | 0 | ||||
| -rw-r--r-- | 3.2.28/4450_grsec-kconfig-default-gids.patch (renamed from 3.2.27/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
| -rw-r--r-- | 3.2.28/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.2.27/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
| -rw-r--r-- | 3.2.28/4470_disable-compat_vdso.patch (renamed from 3.2.27/4470_disable-compat_vdso.patch) | 0 | ||||
| -rw-r--r-- | 3.5.2/0000_README | 2 | ||||
| -rw-r--r-- | 3.5.2/4420_grsecurity-2.9.1-3.5.2-201208222031.patch (renamed from 3.5.2/4420_grsecurity-2.9.1-3.5.2-201208201522.patch) | 300 |
19 files changed, 1895 insertions, 150 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 0ba8a80..24bc841 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -30,7 +30,7 @@ Patch: 1058_linux-2.6.32.59.patch From: http://www.kernel.org Desc: Linux 2.6.32.59 -Patch: 4420_grsecurity-2.9.1-2.6.32.59-201208201521.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208201521.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch index c356bad..a4b7131 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208201521.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch @@ -68211,7 +68211,7 @@ index a5bf577..6d19845 100644 return hit; } diff --git a/fs/compat.c b/fs/compat.c -index d1e2411..9a958d2 100644 +index d1e2411..84978fe 100644 --- a/fs/compat.c +++ b/fs/compat.c @@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(char __user *filename, struct compat_timeval _ @@ -68332,7 +68332,39 @@ index d1e2411..9a958d2 100644 goto out; if (!file->f_op) goto out; -@@ -1463,11 +1481,35 @@ int compat_do_execve(char * filename, +@@ -1208,11 +1226,14 @@ compat_sys_readv(unsigned long fd, const struct compat_iovec __user *vec, + struct file *file; + int fput_needed; + ssize_t ret; ++ loff_t pos; + + file = fget_light(fd, &fput_needed); + if (!file) + return -EBADF; +- ret = compat_readv(file, vec, vlen, &file->f_pos); ++ pos = file->f_pos; ++ ret = compat_readv(file, vec, vlen, &pos); ++ file->f_pos = pos; + fput_light(file, fput_needed); + return ret; + } +@@ -1265,11 +1286,14 @@ compat_sys_writev(unsigned long fd, const struct compat_iovec __user *vec, + struct file *file; + int fput_needed; + ssize_t ret; ++ loff_t pos; + + file = fget_light(fd, &fput_needed); + if (!file) + return -EBADF; +- ret = compat_writev(file, vec, vlen, &file->f_pos); ++ pos = file->f_pos; ++ ret = compat_writev(file, vec, vlen, &pos); ++ file->f_pos = pos; + fput_light(file, fput_needed); + return ret; + } +@@ -1463,11 +1487,35 @@ int compat_do_execve(char * filename, compat_uptr_t __user *envp, struct pt_regs * regs) { @@ -68368,7 +68400,7 @@ index d1e2411..9a958d2 100644 retval = unshare_files(&displaced); if (retval) -@@ -1493,12 +1535,26 @@ int compat_do_execve(char * filename, +@@ -1493,12 +1541,26 @@ int compat_do_execve(char * filename, if (IS_ERR(file)) goto out_unmark; @@ -68395,7 +68427,7 @@ index d1e2411..9a958d2 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1515,24 +1571,63 @@ int compat_do_execve(char * filename, +@@ -1515,24 +1577,63 @@ int compat_do_execve(char * filename, if (retval < 0) goto out; @@ -68463,7 +68495,7 @@ index d1e2411..9a958d2 100644 current->fs->in_exec = 0; current->in_execve = 0; acct_update_integrals(current); -@@ -1541,6 +1636,14 @@ int compat_do_execve(char * filename, +@@ -1541,6 +1642,14 @@ int compat_do_execve(char * filename, put_files_struct(displaced); return retval; @@ -68478,7 +68510,7 @@ index d1e2411..9a958d2 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1711,6 +1814,8 @@ int compat_core_sys_select(int n, compat_ulong_t __user *inp, +@@ -1711,6 +1820,8 @@ int compat_core_sys_select(int n, compat_ulong_t __user *inp, struct fdtable *fdt; long stack_fds[SELECT_STACK_ALLOC/sizeof(long)]; @@ -68487,7 +68519,7 @@ index d1e2411..9a958d2 100644 if (n < 0) goto out_nofds; -@@ -2151,7 +2256,7 @@ asmlinkage long compat_sys_nfsservctl(int cmd, +@@ -2151,7 +2262,7 @@ asmlinkage long compat_sys_nfsservctl(int cmd, oldfs = get_fs(); set_fs(KERNEL_DS); /* The __user pointer casts are valid because of the set_fs() */ @@ -103033,6 +103065,18 @@ index 02cc7e7..4514f1b 100644 __SONET_ITEMS #undef __HANDLE_ITEM } +diff --git a/net/atm/common.c b/net/atm/common.c +index 950bd16..0baf05e 100644 +--- a/net/atm/common.c ++++ b/net/atm/common.c +@@ -749,6 +749,7 @@ int vcc_getsockopt(struct socket *sock, int level, int optname, + if (!vcc->dev || + !test_bit(ATM_VF_ADDR,&vcc->flags)) + return -ENOTCONN; ++ memset(&pvc, 0, sizeof(pvc)); + pvc.sap_family = AF_ATMPVC; + pvc.sap_addr.itf = vcc->dev->number; + pvc.sap_addr.vpi = vcc->vpi; diff --git a/net/atm/lec.h b/net/atm/lec.h index 9d14d19..5c145f3 100644 --- a/net/atm/lec.h @@ -103114,6 +103158,20 @@ index ab8419a..aa91497 100644 else seq_printf(seq, "%3d %3d %5d ", vcc->dev->number, vcc->vpi, vcc->vci); +diff --git a/net/atm/pvc.c b/net/atm/pvc.c +index d4c0245..5f6d1fb 100644 +--- a/net/atm/pvc.c ++++ b/net/atm/pvc.c +@@ -92,7 +92,8 @@ static int pvc_getname(struct socket *sock,struct sockaddr *sockaddr, + + if (!vcc->dev || !test_bit(ATM_VF_ADDR,&vcc->flags)) return -ENOTCONN; + *sockaddr_len = sizeof(struct sockaddr_atmpvc); +- addr = (struct sockaddr_atmpvc *) sockaddr; ++ addr = (struct sockaddr_atmpvc *)sockaddr; ++ memset(addr, 0, sizeof(*addr)); + addr->sap_family = AF_ATMPVC; + addr->sap_addr.itf = vcc->dev->number; + addr->sap_addr.vpi = vcc->vpi; diff --git a/net/atm/resources.c b/net/atm/resources.c index 56b7322..c48b84e 100644 --- a/net/atm/resources.c @@ -103136,6 +103194,44 @@ index 56b7322..c48b84e 100644 __AAL_STAT_ITEMS #undef __HANDLE_ITEM } +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index 75302a9..45caaaa 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -576,6 +576,7 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname, char + { + struct hci_filter *f = &hci_pi(sk)->filter; + ++ memset(&uf, 0, sizeof(uf)); + uf.type_mask = f->type_mask; + uf.opcode = f->opcode; + uf.event_mask[0] = *((u32 *) f->event_mask + 0); +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c +index 1ae3f80..c47b7c4 100644 +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -543,6 +543,7 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int * + + BT_DBG("sock %p, sk %p", sock, sk); + ++ memset(sa, 0, sizeof(*sa)); + sa->rc_family = AF_BLUETOOTH; + sa->rc_channel = rfcomm_pi(sk)->channel; + if (peer) +diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c +index 5f6a305..00b8f21 100644 +--- a/net/bluetooth/rfcomm/tty.c ++++ b/net/bluetooth/rfcomm/tty.c +@@ -472,7 +472,8 @@ static int rfcomm_get_dev_list(void __user *arg) + + size = sizeof(*dl) + dev_num * sizeof(*di); + +- if (!(dl = kmalloc(size, GFP_KERNEL))) ++ dl = kzalloc(size, GFP_KERNEL); ++ if (!dl) + return -ENOMEM; + + di = dl->dev_info; diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h index 8567d47..bba2292 100644 --- a/net/bridge/br_private.h @@ -103592,6 +103688,28 @@ index 6605e75..3acebda 100644 } EXPORT_SYMBOL(sock_init_data); +diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h +index facedd2..ab260b0 100644 +--- a/net/dccp/ccid.h ++++ b/net/dccp/ccid.h +@@ -214,7 +214,7 @@ static inline int ccid_hc_rx_getsockopt(struct ccid *ccid, struct sock *sk, + u32 __user *optval, int __user *optlen) + { + int rc = -ENOPROTOOPT; +- if (ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL) ++ if (ccid != NULL && ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL) + rc = ccid->ccid_ops->ccid_hc_rx_getsockopt(sk, optname, len, + optval, optlen); + return rc; +@@ -225,7 +225,7 @@ static inline int ccid_hc_tx_getsockopt(struct ccid *ccid, struct sock *sk, + u32 __user *optval, int __user *optlen) + { + int rc = -ENOPROTOOPT; +- if (ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL) ++ if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL) + rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len, + optval, optlen); + return rc; diff --git a/net/decnet/sysctl_net_decnet.c b/net/decnet/sysctl_net_decnet.c index 2036568..c55883d 100644 --- a/net/decnet/sysctl_net_decnet.c @@ -104961,6 +105079,26 @@ index bda96d1..c038b72 100644 used = 1; } +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index 2da8d14..606b6ad 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -912,14 +912,13 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr, + struct sockaddr_llc sllc; + struct sock *sk = sock->sk; + struct llc_sock *llc = llc_sk(sk); +- int rc = 0; ++ int rc = -EBADF; + + memset(&sllc, 0, sizeof(sllc)); + lock_sock(sk); + if (sock_flag(sk, SOCK_ZAPPED)) + goto out; + *uaddrlen = sizeof(sllc); +- memset(uaddr, 0, *uaddrlen); + if (peer) { + rc = -ENOTCONN; + if (sk->sk_state != TCP_ESTABLISHED) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index fe2d3f8..e57f683 100644 --- a/net/mac80211/cfg.c diff --git a/3.2.27/0000_README b/3.2.28/0000_README index f12c523..c88942b 100644 --- a/3.2.27/0000_README +++ b/3.2.28/0000_README @@ -26,7 +26,11 @@ Patch: 1026_linux-3.2.27.patch From: http://www.kernel.org Desc: Linux 3.2.27 -Patch: 4420_grsecurity-2.9.1-3.2.27-201208201521.patch +Patch: 1027_linux-3.2.28.patch +From: http://www.kernel.org +Desc: Linux 3.2.28 + +Patch: 4420_grsecurity-2.9.1-3.2.28-201208222030.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.27/1021_linux-3.2.22.patch b/3.2.28/1021_linux-3.2.22.patch index e6ad93a..e6ad93a 100644 --- a/3.2.27/1021_linux-3.2.22.patch +++ b/3.2.28/1021_linux-3.2.22.patch diff --git a/3.2.27/1022_linux-3.2.23.patch b/3.2.28/1022_linux-3.2.23.patch index 3d796d0..3d796d0 100644 --- a/3.2.27/1022_linux-3.2.23.patch +++ b/3.2.28/1022_linux-3.2.23.patch diff --git a/3.2.27/1023_linux-3.2.24.patch b/3.2.28/1023_linux-3.2.24.patch index 4692eb4..4692eb4 100644 --- a/3.2.27/1023_linux-3.2.24.patch +++ b/3.2.28/1023_linux-3.2.24.patch diff --git a/3.2.27/1024_linux-3.2.25.patch b/3.2.28/1024_linux-3.2.25.patch index e95c213..e95c213 100644 --- a/3.2.27/1024_linux-3.2.25.patch +++ b/3.2.28/1024_linux-3.2.25.patch diff --git a/3.2.27/1025_linux-3.2.26.patch b/3.2.28/1025_linux-3.2.26.patch index 44065b9..44065b9 100644 --- a/3.2.27/1025_linux-3.2.26.patch +++ b/3.2.28/1025_linux-3.2.26.patch diff --git a/3.2.27/1026_linux-3.2.27.patch b/3.2.28/1026_linux-3.2.27.patch index 5878eb4..5878eb4 100644 --- a/3.2.27/1026_linux-3.2.27.patch +++ b/3.2.28/1026_linux-3.2.27.patch diff --git a/3.2.28/1027_linux-3.2.28.patch b/3.2.28/1027_linux-3.2.28.patch new file mode 100644 index 0000000..4dbba4b --- /dev/null +++ b/3.2.28/1027_linux-3.2.28.patch @@ -0,0 +1,1114 @@ +diff --git a/Makefile b/Makefile +index bdf851f..5368961 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 2 +-SUBLEVEL = 27 ++SUBLEVEL = 28 + EXTRAVERSION = + NAME = Saber-toothed Squirrel + +diff --git a/arch/arm/configs/mxs_defconfig b/arch/arm/configs/mxs_defconfig +index 6ee781b..3ee3e84 100644 +--- a/arch/arm/configs/mxs_defconfig ++++ b/arch/arm/configs/mxs_defconfig +@@ -32,7 +32,6 @@ CONFIG_NO_HZ=y + CONFIG_HIGH_RES_TIMERS=y + CONFIG_PREEMPT_VOLUNTARY=y + CONFIG_AEABI=y +-CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 + CONFIG_AUTO_ZRELADDR=y + CONFIG_FPE_NWFPE=y + CONFIG_NET=y +diff --git a/arch/arm/mach-pxa/raumfeld.c b/arch/arm/mach-pxa/raumfeld.c +index f0c05f4..ae7786d 100644 +--- a/arch/arm/mach-pxa/raumfeld.c ++++ b/arch/arm/mach-pxa/raumfeld.c +@@ -951,12 +951,12 @@ static struct i2c_board_info raumfeld_connector_i2c_board_info __initdata = { + + static struct eeti_ts_platform_data eeti_ts_pdata = { + .irq_active_high = 1, ++ .irq_gpio = GPIO_TOUCH_IRQ, + }; + + static struct i2c_board_info raumfeld_controller_i2c_board_info __initdata = { + .type = "eeti_ts", + .addr = 0x0a, +- .irq = gpio_to_irq(GPIO_TOUCH_IRQ), + .platform_data = &eeti_ts_pdata, + }; + +diff --git a/arch/s390/kernel/compat_linux.c b/arch/s390/kernel/compat_linux.c +index 84a9828..38c6645 100644 +--- a/arch/s390/kernel/compat_linux.c ++++ b/arch/s390/kernel/compat_linux.c +@@ -615,7 +615,6 @@ asmlinkage unsigned long old32_mmap(struct mmap_arg_struct_emu31 __user *arg) + return -EFAULT; + if (a.offset & ~PAGE_MASK) + return -EINVAL; +- a.addr = (unsigned long) compat_ptr(a.addr); + return sys_mmap_pgoff(a.addr, a.len, a.prot, a.flags, a.fd, + a.offset >> PAGE_SHIFT); + } +@@ -626,7 +625,6 @@ asmlinkage long sys32_mmap2(struct mmap_arg_struct_emu31 __user *arg) + + if (copy_from_user(&a, arg, sizeof(a))) + return -EFAULT; +- a.addr = (unsigned long) compat_ptr(a.addr); + return sys_mmap_pgoff(a.addr, a.len, a.prot, a.flags, a.fd, a.offset); + } + +diff --git a/arch/s390/kernel/compat_wrapper.S b/arch/s390/kernel/compat_wrapper.S +index 18c51df..25408d3 100644 +--- a/arch/s390/kernel/compat_wrapper.S ++++ b/arch/s390/kernel/compat_wrapper.S +@@ -1636,7 +1636,7 @@ ENTRY(compat_sys_process_vm_readv_wrapper) + llgfr %r6,%r6 # unsigned long + llgf %r0,164(%r15) # unsigned long + stg %r0,160(%r15) +- jg sys_process_vm_readv ++ jg compat_sys_process_vm_readv + + ENTRY(compat_sys_process_vm_writev_wrapper) + lgfr %r2,%r2 # compat_pid_t +@@ -1646,4 +1646,4 @@ ENTRY(compat_sys_process_vm_writev_wrapper) + llgfr %r6,%r6 # unsigned long + llgf %r0,164(%r15) # unsigned long + stg %r0,160(%r15) +- jg sys_process_vm_writev ++ jg compat_sys_process_vm_writev +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 7315488..407789b 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1956,6 +1956,7 @@ static __init void nested_vmx_setup_ctls_msrs(void) + #endif + CPU_BASED_MOV_DR_EXITING | CPU_BASED_UNCOND_IO_EXITING | + CPU_BASED_USE_IO_BITMAPS | CPU_BASED_MONITOR_EXITING | ++ CPU_BASED_RDPMC_EXITING | + CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; + /* + * We can allow some features even when not supported by the +diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h +index d62c731..c364358 100644 +--- a/drivers/gpu/drm/i915/i915_drv.h ++++ b/drivers/gpu/drm/i915/i915_drv.h +@@ -1170,12 +1170,7 @@ i915_seqno_passed(uint32_t seq1, uint32_t seq2) + return (int32_t)(seq1 - seq2) >= 0; + } + +-static inline u32 +-i915_gem_next_request_seqno(struct intel_ring_buffer *ring) +-{ +- drm_i915_private_t *dev_priv = ring->dev->dev_private; +- return ring->outstanding_lazy_request = dev_priv->next_seqno; +-} ++u32 i915_gem_next_request_seqno(struct intel_ring_buffer *ring); + + int __must_check i915_gem_object_get_fence(struct drm_i915_gem_object *obj, + struct intel_ring_buffer *pipelined); +diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c +index 3e2edc6..548a400 100644 +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -1647,6 +1647,28 @@ i915_gem_process_flushing_list(struct intel_ring_buffer *ring, + } + } + ++static u32 ++i915_gem_get_seqno(struct drm_device *dev) ++{ ++ drm_i915_private_t *dev_priv = dev->dev_private; ++ u32 seqno = dev_priv->next_seqno; ++ ++ /* reserve 0 for non-seqno */ ++ if (++dev_priv->next_seqno == 0) ++ dev_priv->next_seqno = 1; ++ ++ return seqno; ++} ++ ++u32 ++i915_gem_next_request_seqno(struct intel_ring_buffer *ring) ++{ ++ if (ring->outstanding_lazy_request == 0) ++ ring->outstanding_lazy_request = i915_gem_get_seqno(ring->dev); ++ ++ return ring->outstanding_lazy_request; ++} ++ + int + i915_add_request(struct intel_ring_buffer *ring, + struct drm_file *file, +@@ -1658,6 +1680,7 @@ i915_add_request(struct intel_ring_buffer *ring, + int ret; + + BUG_ON(request == NULL); ++ seqno = i915_gem_next_request_seqno(ring); + + ret = ring->add_request(ring, &seqno); + if (ret) +diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c +index f6613dc..19085c0 100644 +--- a/drivers/gpu/drm/i915/intel_ringbuffer.c ++++ b/drivers/gpu/drm/i915/intel_ringbuffer.c +@@ -52,20 +52,6 @@ static inline int ring_space(struct intel_ring_buffer *ring) + return space; + } + +-static u32 i915_gem_get_seqno(struct drm_device *dev) +-{ +- drm_i915_private_t *dev_priv = dev->dev_private; +- u32 seqno; +- +- seqno = dev_priv->next_seqno; +- +- /* reserve 0 for non-seqno */ +- if (++dev_priv->next_seqno == 0) +- dev_priv->next_seqno = 1; +- +- return seqno; +-} +- + static int + render_ring_flush(struct intel_ring_buffer *ring, + u32 invalidate_domains, +@@ -277,8 +263,6 @@ static int init_ring_common(struct intel_ring_buffer *ring) + I915_WRITE_HEAD(ring, 0); + ring->write_tail(ring, 0); + +- /* Initialize the ring. */ +- I915_WRITE_START(ring, obj->gtt_offset); + head = I915_READ_HEAD(ring) & HEAD_ADDR; + + /* G45 ring initialization fails to reset head to zero */ +@@ -304,14 +288,19 @@ static int init_ring_common(struct intel_ring_buffer *ring) + } + } + ++ /* Initialize the ring. This must happen _after_ we've cleared the ring ++ * registers with the above sequence (the readback of the HEAD registers ++ * also enforces ordering), otherwise the hw might lose the new ring ++ * register values. */ ++ I915_WRITE_START(ring, obj->gtt_offset); + I915_WRITE_CTL(ring, + ((ring->size - PAGE_SIZE) & RING_NR_PAGES) + | RING_VALID); + + /* If the head is still not zero, the ring is dead */ +- if ((I915_READ_CTL(ring) & RING_VALID) == 0 || +- I915_READ_START(ring) != obj->gtt_offset || +- (I915_READ_HEAD(ring) & HEAD_ADDR) != 0) { ++ if (wait_for((I915_READ_CTL(ring) & RING_VALID) != 0 && ++ I915_READ_START(ring) == obj->gtt_offset && ++ (I915_READ_HEAD(ring) & HEAD_ADDR) == 0, 50)) { + DRM_ERROR("%s initialization failed " + "ctl %08x head %08x tail %08x start %08x\n", + ring->name, +@@ -488,7 +477,7 @@ gen6_add_request(struct intel_ring_buffer *ring, + mbox1_reg = ring->signal_mbox[0]; + mbox2_reg = ring->signal_mbox[1]; + +- *seqno = i915_gem_get_seqno(ring->dev); ++ *seqno = i915_gem_next_request_seqno(ring); + + update_mboxes(ring, *seqno, mbox1_reg); + update_mboxes(ring, *seqno, mbox2_reg); +@@ -586,8 +575,7 @@ static int + pc_render_add_request(struct intel_ring_buffer *ring, + u32 *result) + { +- struct drm_device *dev = ring->dev; +- u32 seqno = i915_gem_get_seqno(dev); ++ u32 seqno = i915_gem_next_request_seqno(ring); + struct pipe_control *pc = ring->private; + u32 scratch_addr = pc->gtt_offset + 128; + int ret; +@@ -638,8 +626,7 @@ static int + render_ring_add_request(struct intel_ring_buffer *ring, + u32 *result) + { +- struct drm_device *dev = ring->dev; +- u32 seqno = i915_gem_get_seqno(dev); ++ u32 seqno = i915_gem_next_request_seqno(ring); + int ret; + + ret = intel_ring_begin(ring, 4); +@@ -813,7 +800,7 @@ ring_add_request(struct intel_ring_buffer *ring, + if (ret) + return ret; + +- seqno = i915_gem_get_seqno(ring->dev); ++ seqno = i915_gem_next_request_seqno(ring); + + intel_ring_emit(ring, MI_STORE_DWORD_INDEX); + intel_ring_emit(ring, I915_GEM_HWS_INDEX << MI_STORE_DWORD_INDEX_SHIFT); +diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c +index 931f4df..fc0633c 100644 +--- a/drivers/gpu/drm/radeon/evergreen.c ++++ b/drivers/gpu/drm/radeon/evergreen.c +@@ -1065,24 +1065,8 @@ void evergreen_agp_enable(struct radeon_device *rdev) + + void evergreen_mc_stop(struct radeon_device *rdev, struct evergreen_mc_save *save) + { +- save->vga_control[0] = RREG32(D1VGA_CONTROL); +- save->vga_control[1] = RREG32(D2VGA_CONTROL); + save->vga_render_control = RREG32(VGA_RENDER_CONTROL); + save->vga_hdp_control = RREG32(VGA_HDP_CONTROL); +- save->crtc_control[0] = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC0_REGISTER_OFFSET); +- save->crtc_control[1] = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC1_REGISTER_OFFSET); +- if (rdev->num_crtc >= 4) { +- save->vga_control[2] = RREG32(EVERGREEN_D3VGA_CONTROL); +- save->vga_control[3] = RREG32(EVERGREEN_D4VGA_CONTROL); +- save->crtc_control[2] = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC2_REGISTER_OFFSET); +- save->crtc_control[3] = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC3_REGISTER_OFFSET); +- } +- if (rdev->num_crtc >= 6) { +- save->vga_control[4] = RREG32(EVERGREEN_D5VGA_CONTROL); +- save->vga_control[5] = RREG32(EVERGREEN_D6VGA_CONTROL); +- save->crtc_control[4] = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET); +- save->crtc_control[5] = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET); +- } + + /* Stop all video */ + WREG32(VGA_RENDER_CONTROL, 0); +@@ -1193,47 +1177,6 @@ void evergreen_mc_resume(struct radeon_device *rdev, struct evergreen_mc_save *s + /* Unlock host access */ + WREG32(VGA_HDP_CONTROL, save->vga_hdp_control); + mdelay(1); +- /* Restore video state */ +- WREG32(D1VGA_CONTROL, save->vga_control[0]); +- WREG32(D2VGA_CONTROL, save->vga_control[1]); +- if (rdev->num_crtc >= 4) { +- WREG32(EVERGREEN_D3VGA_CONTROL, save->vga_control[2]); +- WREG32(EVERGREEN_D4VGA_CONTROL, save->vga_control[3]); +- } +- if (rdev->num_crtc >= 6) { +- WREG32(EVERGREEN_D5VGA_CONTROL, save->vga_control[4]); +- WREG32(EVERGREEN_D6VGA_CONTROL, save->vga_control[5]); +- } +- WREG32(EVERGREEN_CRTC_UPDATE_LOCK + EVERGREEN_CRTC0_REGISTER_OFFSET, 1); +- WREG32(EVERGREEN_CRTC_UPDATE_LOCK + EVERGREEN_CRTC1_REGISTER_OFFSET, 1); +- if (rdev->num_crtc >= 4) { +- WREG32(EVERGREEN_CRTC_UPDATE_LOCK + EVERGREEN_CRTC2_REGISTER_OFFSET, 1); +- WREG32(EVERGREEN_CRTC_UPDATE_LOCK + EVERGREEN_CRTC3_REGISTER_OFFSET, 1); +- } +- if (rdev->num_crtc >= 6) { +- WREG32(EVERGREEN_CRTC_UPDATE_LOCK + EVERGREEN_CRTC4_REGISTER_OFFSET, 1); +- WREG32(EVERGREEN_CRTC_UPDATE_LOCK + EVERGREEN_CRTC5_REGISTER_OFFSET, 1); +- } +- WREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC0_REGISTER_OFFSET, save->crtc_control[0]); +- WREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC1_REGISTER_OFFSET, save->crtc_control[1]); +- if (rdev->num_crtc >= 4) { +- WREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC2_REGISTER_OFFSET, save->crtc_control[2]); +- WREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC3_REGISTER_OFFSET, save->crtc_control[3]); +- } +- if (rdev->num_crtc >= 6) { +- WREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET, save->crtc_control[4]); +- WREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET, save->crtc_control[5]); +- } +- WREG32(EVERGREEN_CRTC_UPDATE_LOCK + EVERGREEN_CRTC0_REGISTER_OFFSET, 0); +- WREG32(EVERGREEN_CRTC_UPDATE_LOCK + EVERGREEN_CRTC1_REGISTER_OFFSET, 0); +- if (rdev->num_crtc >= 4) { +- WREG32(EVERGREEN_CRTC_UPDATE_LOCK + EVERGREEN_CRTC2_REGISTER_OFFSET, 0); +- WREG32(EVERGREEN_CRTC_UPDATE_LOCK + EVERGREEN_CRTC3_REGISTER_OFFSET, 0); +- } +- if (rdev->num_crtc >= 6) { +- WREG32(EVERGREEN_CRTC_UPDATE_LOCK + EVERGREEN_CRTC4_REGISTER_OFFSET, 0); +- WREG32(EVERGREEN_CRTC_UPDATE_LOCK + EVERGREEN_CRTC5_REGISTER_OFFSET, 0); +- } + WREG32(VGA_RENDER_CONTROL, save->vga_render_control); + } + +@@ -2080,10 +2023,18 @@ static void evergreen_gpu_init(struct radeon_device *rdev) + if (rdev->flags & RADEON_IS_IGP) + rdev->config.evergreen.tile_config |= 1 << 4; + else { +- if ((mc_arb_ramcfg & NOOFBANK_MASK) >> NOOFBANK_SHIFT) +- rdev->config.evergreen.tile_config |= 1 << 4; +- else ++ switch ((mc_arb_ramcfg & NOOFBANK_MASK) >> NOOFBANK_SHIFT) { ++ case 0: /* four banks */ + rdev->config.evergreen.tile_config |= 0 << 4; ++ break; ++ case 1: /* eight banks */ ++ rdev->config.evergreen.tile_config |= 1 << 4; ++ break; ++ case 2: /* sixteen banks */ ++ default: ++ rdev->config.evergreen.tile_config |= 2 << 4; ++ break; ++ } + } + rdev->config.evergreen.tile_config |= + ((mc_arb_ramcfg & BURSTLENGTH_MASK) >> BURSTLENGTH_SHIFT) << 8; +diff --git a/drivers/gpu/drm/radeon/ni.c b/drivers/gpu/drm/radeon/ni.c +index 9e50814..636255b 100644 +--- a/drivers/gpu/drm/radeon/ni.c ++++ b/drivers/gpu/drm/radeon/ni.c +@@ -804,10 +804,18 @@ static void cayman_gpu_init(struct radeon_device *rdev) + rdev->config.cayman.tile_config |= (3 << 0); + break; + } +- if ((mc_arb_ramcfg & NOOFBANK_MASK) >> NOOFBANK_SHIFT) +- rdev->config.cayman.tile_config |= 1 << 4; +- else ++ switch ((mc_arb_ramcfg & NOOFBANK_MASK) >> NOOFBANK_SHIFT) { ++ case 0: /* four banks */ + rdev->config.cayman.tile_config |= 0 << 4; ++ break; ++ case 1: /* eight banks */ ++ rdev->config.cayman.tile_config |= 1 << 4; ++ break; ++ case 2: /* sixteen banks */ ++ default: ++ rdev->config.cayman.tile_config |= 2 << 4; ++ break; ++ } + rdev->config.cayman.tile_config |= + ((gb_addr_config & PIPE_INTERLEAVE_SIZE_MASK) >> PIPE_INTERLEAVE_SIZE_SHIFT) << 8; + rdev->config.cayman.tile_config |= +diff --git a/drivers/gpu/drm/radeon/radeon_asic.h b/drivers/gpu/drm/radeon/radeon_asic.h +index 5991484..5ce9402 100644 +--- a/drivers/gpu/drm/radeon/radeon_asic.h ++++ b/drivers/gpu/drm/radeon/radeon_asic.h +@@ -253,13 +253,10 @@ void rs690_line_buffer_adjust(struct radeon_device *rdev, + * rv515 + */ + struct rv515_mc_save { +- u32 d1vga_control; +- u32 d2vga_control; + u32 vga_render_control; + u32 vga_hdp_control; +- u32 d1crtc_control; +- u32 d2crtc_control; + }; ++ + int rv515_init(struct radeon_device *rdev); + void rv515_fini(struct radeon_device *rdev); + uint32_t rv515_mc_rreg(struct radeon_device *rdev, uint32_t reg); +@@ -387,11 +384,10 @@ void r700_cp_fini(struct radeon_device *rdev); + * evergreen + */ + struct evergreen_mc_save { +- u32 vga_control[6]; + u32 vga_render_control; + u32 vga_hdp_control; +- u32 crtc_control[6]; + }; ++ + void evergreen_pcie_gart_tlb_flush(struct radeon_device *rdev); + int evergreen_init(struct radeon_device *rdev); + void evergreen_fini(struct radeon_device *rdev); +diff --git a/drivers/gpu/drm/radeon/rv515.c b/drivers/gpu/drm/radeon/rv515.c +index 6613ee9..d5f45b4 100644 +--- a/drivers/gpu/drm/radeon/rv515.c ++++ b/drivers/gpu/drm/radeon/rv515.c +@@ -281,12 +281,8 @@ int rv515_debugfs_ga_info_init(struct radeon_device *rdev) + + void rv515_mc_stop(struct radeon_device *rdev, struct rv515_mc_save *save) + { +- save->d1vga_control = RREG32(R_000330_D1VGA_CONTROL); +- save->d2vga_control = RREG32(R_000338_D2VGA_CONTROL); + save->vga_render_control = RREG32(R_000300_VGA_RENDER_CONTROL); + save->vga_hdp_control = RREG32(R_000328_VGA_HDP_CONTROL); +- save->d1crtc_control = RREG32(R_006080_D1CRTC_CONTROL); +- save->d2crtc_control = RREG32(R_006880_D2CRTC_CONTROL); + + /* Stop all video */ + WREG32(R_0068E8_D2CRTC_UPDATE_LOCK, 0); +@@ -311,15 +307,6 @@ void rv515_mc_resume(struct radeon_device *rdev, struct rv515_mc_save *save) + /* Unlock host access */ + WREG32(R_000328_VGA_HDP_CONTROL, save->vga_hdp_control); + mdelay(1); +- /* Restore video state */ +- WREG32(R_000330_D1VGA_CONTROL, save->d1vga_control); +- WREG32(R_000338_D2VGA_CONTROL, save->d2vga_control); +- WREG32(R_0060E8_D1CRTC_UPDATE_LOCK, 1); +- WREG32(R_0068E8_D2CRTC_UPDATE_LOCK, 1); +- WREG32(R_006080_D1CRTC_CONTROL, save->d1crtc_control); +- WREG32(R_006880_D2CRTC_CONTROL, save->d2crtc_control); +- WREG32(R_0060E8_D1CRTC_UPDATE_LOCK, 0); +- WREG32(R_0068E8_D2CRTC_UPDATE_LOCK, 0); + WREG32(R_000300_VGA_RENDER_CONTROL, save->vga_render_control); + } + +diff --git a/drivers/input/touchscreen/eeti_ts.c b/drivers/input/touchscreen/eeti_ts.c +index 7f8f538..4f938bb 100644 +--- a/drivers/input/touchscreen/eeti_ts.c ++++ b/drivers/input/touchscreen/eeti_ts.c +@@ -48,7 +48,7 @@ struct eeti_ts_priv { + struct input_dev *input; + struct work_struct work; + struct mutex mutex; +- int irq, irq_active_high; ++ int irq_gpio, irq, irq_active_high; + }; + + #define EETI_TS_BITDEPTH (11) +@@ -62,7 +62,7 @@ struct eeti_ts_priv { + + static inline int eeti_ts_irq_active(struct eeti_ts_priv *priv) + { +- return gpio_get_value(irq_to_gpio(priv->irq)) == priv->irq_active_high; ++ return gpio_get_value(priv->irq_gpio) == priv->irq_active_high; + } + + static void eeti_ts_read(struct work_struct *work) +@@ -157,7 +157,7 @@ static void eeti_ts_close(struct input_dev *dev) + static int __devinit eeti_ts_probe(struct i2c_client *client, + const struct i2c_device_id *idp) + { +- struct eeti_ts_platform_data *pdata; ++ struct eeti_ts_platform_data *pdata = client->dev.platform_data; + struct eeti_ts_priv *priv; + struct input_dev *input; + unsigned int irq_flags; +@@ -199,9 +199,12 @@ static int __devinit eeti_ts_probe(struct i2c_client *client, + + priv->client = client; + priv->input = input; +- priv->irq = client->irq; ++ priv->irq_gpio = pdata->irq_gpio; ++ priv->irq = gpio_to_irq(pdata->irq_gpio); + +- pdata = client->dev.platform_data; ++ err = gpio_request_one(pdata->irq_gpio, GPIOF_IN, client->name); ++ if (err < 0) ++ goto err1; + + if (pdata) + priv->irq_active_high = pdata->irq_active_high; +@@ -215,13 +218,13 @@ static int __devinit eeti_ts_probe(struct i2c_client *client, + + err = input_register_device(input); + if (err) +- goto err1; ++ goto err2; + + err = request_irq(priv->irq, eeti_ts_isr, irq_flags, + client->name, priv); + if (err) { + dev_err(&client->dev, "Unable to request touchscreen IRQ.\n"); +- goto err2; ++ goto err3; + } + + /* +@@ -233,9 +236,11 @@ static int __devinit eeti_ts_probe(struct i2c_client *client, + device_init_wakeup(&client->dev, 0); + return 0; + +-err2: ++err3: + input_unregister_device(input); + input = NULL; /* so we dont try to free it below */ ++err2: ++ gpio_free(pdata->irq_gpio); + err1: + input_free_device(input); + kfree(priv); +diff --git a/drivers/mfd/ezx-pcap.c b/drivers/mfd/ezx-pcap.c +index 43a76c4..db662e2 100644 +--- a/drivers/mfd/ezx-pcap.c ++++ b/drivers/mfd/ezx-pcap.c +@@ -202,7 +202,7 @@ static void pcap_isr_work(struct work_struct *work) + } + local_irq_enable(); + ezx_pcap_write(pcap, PCAP_REG_MSR, pcap->msr); +- } while (gpio_get_value(irq_to_gpio(pcap->spi->irq))); ++ } while (gpio_get_value(pdata->gpio)); + } + + static void pcap_irq_handler(unsigned int irq, struct irq_desc *desc) +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c +index 23406e6..ae286a9 100644 +--- a/drivers/net/caif/caif_serial.c ++++ b/drivers/net/caif/caif_serial.c +@@ -325,6 +325,9 @@ static int ldisc_open(struct tty_struct *tty) + + sprintf(name, "cf%s", tty->name); + dev = alloc_netdev(sizeof(*ser), name, caifdev_setup); ++ if (!dev) ++ return -ENOMEM; ++ + ser = netdev_priv(dev); + ser->tty = tty_kref_get(tty); + ser->dev = dev; +diff --git a/drivers/net/ethernet/broadcom/bnx2.c b/drivers/net/ethernet/broadcom/bnx2.c +index 965c723..721adfd 100644 +--- a/drivers/net/ethernet/broadcom/bnx2.c ++++ b/drivers/net/ethernet/broadcom/bnx2.c +@@ -5378,7 +5378,7 @@ bnx2_free_tx_skbs(struct bnx2 *bp) + int k, last; + + if (skb == NULL) { +- j++; ++ j = NEXT_TX_BD(j); + continue; + } + +@@ -5390,8 +5390,8 @@ bnx2_free_tx_skbs(struct bnx2 *bp) + tx_buf->skb = NULL; + + last = tx_buf->nr_frags; +- j++; +- for (k = 0; k < last; k++, j++) { ++ j = NEXT_TX_BD(j); ++ for (k = 0; k < last; k++, j = NEXT_TX_BD(j)) { + tx_buf = &txr->tx_buf_ring[TX_RING_IDX(j)]; + dma_unmap_page(&bp->pdev->dev, + dma_unmap_addr(tx_buf, mapping), +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index de00805..0549261 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -4743,12 +4743,14 @@ static int __e1000_shutdown(struct pci_dev *pdev, bool *enable_wake) + e1000_setup_rctl(adapter); + e1000_set_rx_mode(netdev); + ++ rctl = er32(RCTL); ++ + /* turn on all-multi mode if wake on multicast is enabled */ +- if (wufc & E1000_WUFC_MC) { +- rctl = er32(RCTL); ++ if (wufc & E1000_WUFC_MC) + rctl |= E1000_RCTL_MPE; +- ew32(RCTL, rctl); +- } ++ ++ /* enable receives in the hardware */ ++ ew32(RCTL, rctl | E1000_RCTL_EN); + + if (hw->mac_type >= e1000_82540) { + ctrl = er32(CTRL); +diff --git a/drivers/net/ethernet/intel/e1000e/82571.c b/drivers/net/ethernet/intel/e1000e/82571.c +index 3072d35..4f4d52a 100644 +--- a/drivers/net/ethernet/intel/e1000e/82571.c ++++ b/drivers/net/ethernet/intel/e1000e/82571.c +@@ -1600,10 +1600,8 @@ static s32 e1000_check_for_serdes_link_82571(struct e1000_hw *hw) + * auto-negotiation in the TXCW register and disable + * forced link in the Device Control register in an + * attempt to auto-negotiate with our link partner. +- * If the partner code word is null, stop forcing +- * and restart auto negotiation. + */ +- if ((rxcw & E1000_RXCW_C) || !(rxcw & E1000_RXCW_CW)) { ++ if (rxcw & E1000_RXCW_C) { + /* Enable autoneg, and unforce link up */ + ew32(TXCW, mac->txcw); + ew32(CTRL, (ctrl & ~E1000_CTRL_SLU)); +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 7bea9c6..a12c9bf 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1243,10 +1243,12 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, + int vnet_hdr_sz; + int ret; + +- if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) ++ if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) { + if (copy_from_user(&ifr, argp, ifreq_len)) + return -EFAULT; +- ++ } else { ++ memset(&ifr, 0, sizeof(ifr)); ++ } + if (cmd == TUNGETFEATURES) { + /* Currently this just means: "what IFF flags are valid?". + * This is needed because we never checked for invalid flags on +diff --git a/drivers/net/usb/kaweth.c b/drivers/net/usb/kaweth.c +index 582ca2d..c4c6a73 100644 +--- a/drivers/net/usb/kaweth.c ++++ b/drivers/net/usb/kaweth.c +@@ -1308,7 +1308,7 @@ static int kaweth_internal_control_msg(struct usb_device *usb_dev, + int retv; + int length = 0; /* shut up GCC */ + +- urb = usb_alloc_urb(0, GFP_NOIO); ++ urb = usb_alloc_urb(0, GFP_ATOMIC); + if (!urb) + return -ENOMEM; + +diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c +index 7f97164..2b8e957 100644 +--- a/drivers/net/wireless/ath/ath9k/hw.c ++++ b/drivers/net/wireless/ath/ath9k/hw.c +@@ -674,6 +674,7 @@ int ath9k_hw_init(struct ath_hw *ah) + case AR9300_DEVID_AR9340: + case AR9300_DEVID_AR9580: + case AR9300_DEVID_AR9462: ++ case AR9485_DEVID_AR1111: + break; + default: + if (common->bus_ops->ath_bus_type == ATH_USB) +diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h +index 1bd8edf..a5c4ba8 100644 +--- a/drivers/net/wireless/ath/ath9k/hw.h ++++ b/drivers/net/wireless/ath/ath9k/hw.h +@@ -48,6 +48,7 @@ + #define AR9300_DEVID_AR9580 0x0033 + #define AR9300_DEVID_AR9462 0x0034 + #define AR9300_DEVID_AR9330 0x0035 ++#define AR9485_DEVID_AR1111 0x0037 + + #define AR5416_AR9100_DEVID 0x000b + +diff --git a/drivers/net/wireless/ath/ath9k/pci.c b/drivers/net/wireless/ath/ath9k/pci.c +index 2dcdf63..1883d39 100644 +--- a/drivers/net/wireless/ath/ath9k/pci.c ++++ b/drivers/net/wireless/ath/ath9k/pci.c +@@ -35,6 +35,7 @@ static DEFINE_PCI_DEVICE_TABLE(ath_pci_id_table) = { + { PCI_VDEVICE(ATHEROS, 0x0032) }, /* PCI-E AR9485 */ + { PCI_VDEVICE(ATHEROS, 0x0033) }, /* PCI-E AR9580 */ + { PCI_VDEVICE(ATHEROS, 0x0034) }, /* PCI-E AR9462 */ ++ { PCI_VDEVICE(ATHEROS, 0x0037) }, /* PCI-E AR1111/AR9485 */ + { 0 } + }; + +diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-rs.c b/drivers/net/wireless/iwlwifi/iwl-agn-rs.c +index 9ba2c1b..3395025 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-agn-rs.c ++++ b/drivers/net/wireless/iwlwifi/iwl-agn-rs.c +@@ -708,11 +708,14 @@ static int rs_toggle_antenna(u32 valid_ant, u32 *rate_n_flags, + */ + static bool rs_use_green(struct ieee80211_sta *sta) + { +- struct iwl_station_priv *sta_priv = (void *)sta->drv_priv; +- struct iwl_rxon_context *ctx = sta_priv->ctx; +- +- return (sta->ht_cap.cap & IEEE80211_HT_CAP_GRN_FLD) && +- !(ctx->ht.non_gf_sta_present); ++ /* ++ * There's a bug somewhere in this code that causes the ++ * scaling to get stuck because GF+SGI can't be combined ++ * in SISO rates. Until we find that bug, disable GF, it ++ * has only limited benefit and we still interoperate with ++ * GF APs since we can always receive GF transmissions. ++ */ ++ return false; + } + + /** +diff --git a/drivers/net/wireless/rt2x00/rt61pci.c b/drivers/net/wireless/rt2x00/rt61pci.c +index bf55b4a..d69f88c 100644 +--- a/drivers/net/wireless/rt2x00/rt61pci.c ++++ b/drivers/net/wireless/rt2x00/rt61pci.c +@@ -2243,8 +2243,7 @@ static void rt61pci_txdone(struct rt2x00_dev *rt2x00dev) + + static void rt61pci_wakeup(struct rt2x00_dev *rt2x00dev) + { +- struct ieee80211_conf conf = { .flags = 0 }; +- struct rt2x00lib_conf libconf = { .conf = &conf }; ++ struct rt2x00lib_conf libconf = { .conf = &rt2x00dev->hw->conf }; + + rt61pci_config(rt2x00dev, &libconf, IEEE80211_CONF_CHANGE_PS); + } +diff --git a/drivers/net/wireless/rtlwifi/usb.c b/drivers/net/wireless/rtlwifi/usb.c +index db34db6..a49e848 100644 +--- a/drivers/net/wireless/rtlwifi/usb.c ++++ b/drivers/net/wireless/rtlwifi/usb.c +@@ -120,15 +120,19 @@ static u32 _usb_read_sync(struct rtl_priv *rtlpriv, u32 addr, u16 len) + u8 request; + u16 wvalue; + u16 index; +- __le32 *data = &rtlpriv->usb_data[rtlpriv->usb_data_index]; ++ __le32 *data; ++ unsigned long flags; + ++ spin_lock_irqsave(&rtlpriv->locks.usb_lock, flags); ++ if (++rtlpriv->usb_data_index >= RTL_USB_MAX_RX_COUNT) ++ rtlpriv->usb_data_index = 0; ++ data = &rtlpriv->usb_data[rtlpriv->usb_data_index]; ++ spin_unlock_irqrestore(&rtlpriv->locks.usb_lock, flags); + request = REALTEK_USB_VENQT_CMD_REQ; + index = REALTEK_USB_VENQT_CMD_IDX; /* n/a */ + + wvalue = (u16)addr; + _usbctrl_vendorreq_sync_read(udev, request, wvalue, index, data, len); +- if (++rtlpriv->usb_data_index >= RTL_USB_MAX_RX_COUNT) +- rtlpriv->usb_data_index = 0; + return le32_to_cpu(*data); + } + +@@ -909,6 +913,10 @@ int __devinit rtl_usb_probe(struct usb_interface *intf, + GFP_KERNEL); + if (!rtlpriv->usb_data) + return -ENOMEM; ++ ++ /* this spin lock must be initialized early */ ++ spin_lock_init(&rtlpriv->locks.usb_lock); ++ + rtlpriv->usb_data_index = 0; + SET_IEEE80211_DEV(hw, &intf->dev); + udev = interface_to_usbdev(intf); +diff --git a/drivers/net/wireless/rtlwifi/wifi.h b/drivers/net/wireless/rtlwifi/wifi.h +index b1e9deb..deb87e9 100644 +--- a/drivers/net/wireless/rtlwifi/wifi.h ++++ b/drivers/net/wireless/rtlwifi/wifi.h +@@ -1550,6 +1550,7 @@ struct rtl_locks { + spinlock_t rf_lock; + spinlock_t lps_lock; + spinlock_t waitq_lock; ++ spinlock_t usb_lock; + + /*Dual mac*/ + spinlock_t cck_and_rw_pagea_lock; +diff --git a/fs/hfsplus/wrapper.c b/fs/hfsplus/wrapper.c +index 7daf4b8..90effcc 100644 +--- a/fs/hfsplus/wrapper.c ++++ b/fs/hfsplus/wrapper.c +@@ -56,7 +56,7 @@ int hfsplus_submit_bio(struct super_block *sb, sector_t sector, + DECLARE_COMPLETION_ONSTACK(wait); + struct bio *bio; + int ret = 0; +- unsigned int io_size; ++ u64 io_size; + loff_t start; + int offset; + +diff --git a/include/linux/input/eeti_ts.h b/include/linux/input/eeti_ts.h +index f875b31..16625d7 100644 +--- a/include/linux/input/eeti_ts.h ++++ b/include/linux/input/eeti_ts.h +@@ -2,6 +2,7 @@ + #define LINUX_INPUT_EETI_TS_H + + struct eeti_ts_platform_data { ++ int irq_gpio; + unsigned int irq_active_high; + }; + +diff --git a/include/linux/mfd/ezx-pcap.h b/include/linux/mfd/ezx-pcap.h +index 40c37216..32a1b5c 100644 +--- a/include/linux/mfd/ezx-pcap.h ++++ b/include/linux/mfd/ezx-pcap.h +@@ -16,6 +16,7 @@ struct pcap_subdev { + struct pcap_platform_data { + unsigned int irq_base; + unsigned int config; ++ int gpio; + void (*init) (void *); /* board specific init */ + int num_subdevs; + struct pcap_subdev *subdevs; +diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c +index 68223e4..4e9115d 100644 +--- a/net/caif/caif_dev.c ++++ b/net/caif/caif_dev.c +@@ -428,9 +428,9 @@ static int __init caif_device_init(void) + + static void __exit caif_device_exit(void) + { +- unregister_pernet_subsys(&caif_net_ops); + unregister_netdevice_notifier(&caif_device_notifier); + dev_remove_pack(&caif_packet_type); ++ unregister_pernet_subsys(&caif_net_ops); + } + + module_init(caif_device_init); +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 05842ab..0cf604b 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -670,6 +670,12 @@ static void set_operstate(struct net_device *dev, unsigned char transition) + } + } + ++static unsigned int rtnl_dev_get_flags(const struct net_device *dev) ++{ ++ return (dev->flags & ~(IFF_PROMISC | IFF_ALLMULTI)) | ++ (dev->gflags & (IFF_PROMISC | IFF_ALLMULTI)); ++} ++ + static unsigned int rtnl_dev_combine_flags(const struct net_device *dev, + const struct ifinfomsg *ifm) + { +@@ -678,7 +684,7 @@ static unsigned int rtnl_dev_combine_flags(const struct net_device *dev, + /* bugwards compatibility: ifi_change == 0 is treated as ~0 */ + if (ifm->ifi_change) + flags = (flags & ifm->ifi_change) | +- (dev->flags & ~ifm->ifi_change); ++ (rtnl_dev_get_flags(dev) & ~ifm->ifi_change); + + return flags; + } +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c +index 86f3b88..afaa735 100644 +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -1725,8 +1725,10 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option) + case CIPSO_V4_TAG_LOCAL: + /* This is a non-standard tag that we only allow for + * local connections, so if the incoming interface is +- * not the loopback device drop the packet. */ +- if (!(skb->dev->flags & IFF_LOOPBACK)) { ++ * not the loopback device drop the packet. Further, ++ * there is no legitimate reason for setting this from ++ * userspace so reject it if skb is NULL. */ ++ if (skb == NULL || !(skb->dev->flags & IFF_LOOPBACK)) { + err_offset = opt_iter; + goto validate_return_locked; + } +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 11ba922..ad466a7 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2391,7 +2391,10 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + /* Cap the max timeout in ms TCP will retry/retrans + * before giving up and aborting (ETIMEDOUT) a connection. + */ +- icsk->icsk_user_timeout = msecs_to_jiffies(val); ++ if (val < 0) ++ err = -EINVAL; ++ else ++ icsk->icsk_user_timeout = msecs_to_jiffies(val); + break; + default: + err = -ENOPROTOOPT; +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 32e6ca2..a08a621 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -5415,7 +5415,9 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb, + if (tp->copied_seq == tp->rcv_nxt && + len - tcp_header_len <= tp->ucopy.len) { + #ifdef CONFIG_NET_DMA +- if (tcp_dma_try_early_copy(sk, skb, tcp_header_len)) { ++ if (tp->ucopy.task == current && ++ sock_owned_by_user(sk) && ++ tcp_dma_try_early_copy(sk, skb, tcp_header_len)) { + copied_early = 1; + eaten = 1; + } +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index a7078fd..f85de8e 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -543,6 +543,7 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata) + + del_timer_sync(&sdata->u.mesh.housekeeping_timer); + del_timer_sync(&sdata->u.mesh.mesh_path_root_timer); ++ del_timer_sync(&sdata->u.mesh.mesh_path_timer); + /* + * If the timer fired while we waited for it, it will have + * requeued the work. Now the work will be running again +diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c +index 17859ea..351a69b 100644 +--- a/net/sched/sch_sfb.c ++++ b/net/sched/sch_sfb.c +@@ -559,6 +559,8 @@ static int sfb_dump(struct Qdisc *sch, struct sk_buff *skb) + + sch->qstats.backlog = q->qdisc->qstats.backlog; + opts = nla_nest_start(skb, TCA_OPTIONS); ++ if (opts == NULL) ++ goto nla_put_failure; + NLA_PUT(skb, TCA_SFB_PARMS, sizeof(opt), &opt); + return nla_nest_end(skb, opts); + +diff --git a/net/sctp/input.c b/net/sctp/input.c +index b7692aa..0fc18c7 100644 +--- a/net/sctp/input.c ++++ b/net/sctp/input.c +@@ -736,15 +736,12 @@ static void __sctp_unhash_endpoint(struct sctp_endpoint *ep) + + epb = &ep->base; + +- if (hlist_unhashed(&epb->node)) +- return; +- + epb->hashent = sctp_ep_hashfn(epb->bind_addr.port); + + head = &sctp_ep_hashtable[epb->hashent]; + + sctp_write_lock(&head->lock); +- __hlist_del(&epb->node); ++ hlist_del_init(&epb->node); + sctp_write_unlock(&head->lock); + } + +@@ -825,7 +822,7 @@ static void __sctp_unhash_established(struct sctp_association *asoc) + head = &sctp_assoc_hashtable[epb->hashent]; + + sctp_write_lock(&head->lock); +- __hlist_del(&epb->node); ++ hlist_del_init(&epb->node); + sctp_write_unlock(&head->lock); + } + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 0075554..8e49d76 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1231,8 +1231,14 @@ out_free: + SCTP_DEBUG_PRINTK("About to exit __sctp_connect() free asoc: %p" + " kaddrs: %p err: %d\n", + asoc, kaddrs, err); +- if (asoc) ++ if (asoc) { ++ /* sctp_primitive_ASSOCIATE may have added this association ++ * To the hash table, try to unhash it, just in case, its a noop ++ * if it wasn't hashed so we're safe ++ */ ++ sctp_unhash_established(asoc); + sctp_association_free(asoc); ++ } + return err; + } + +@@ -1942,8 +1948,10 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk, + goto out_unlock; + + out_free: +- if (new_asoc) ++ if (new_asoc) { ++ sctp_unhash_established(asoc); + sctp_association_free(asoc); ++ } + out_unlock: + sctp_release_sock(sk); + +diff --git a/net/wanrouter/wanmain.c b/net/wanrouter/wanmain.c +index 788a12c..2ab7850 100644 +--- a/net/wanrouter/wanmain.c ++++ b/net/wanrouter/wanmain.c +@@ -602,36 +602,31 @@ static int wanrouter_device_new_if(struct wan_device *wandev, + * successfully, add it to the interface list. + */ + +- if (dev->name == NULL) { +- err = -EINVAL; +- } else { ++#ifdef WANDEBUG ++ printk(KERN_INFO "%s: registering interface %s...\n", ++ wanrouter_modname, dev->name); ++#endif + +- #ifdef WANDEBUG +- printk(KERN_INFO "%s: registering interface %s...\n", +- wanrouter_modname, dev->name); +- #endif +- +- err = register_netdev(dev); +- if (!err) { +- struct net_device *slave = NULL; +- unsigned long smp_flags=0; +- +- lock_adapter_irq(&wandev->lock, &smp_flags); +- +- if (wandev->dev == NULL) { +- wandev->dev = dev; +- } else { +- for (slave=wandev->dev; +- DEV_TO_SLAVE(slave); +- slave = DEV_TO_SLAVE(slave)) +- DEV_TO_SLAVE(slave) = dev; +- } +- ++wandev->ndev; +- +- unlock_adapter_irq(&wandev->lock, &smp_flags); +- err = 0; /* done !!! */ +- goto out; ++ err = register_netdev(dev); ++ if (!err) { ++ struct net_device *slave = NULL; ++ unsigned long smp_flags=0; ++ ++ lock_adapter_irq(&wandev->lock, &smp_flags); ++ ++ if (wandev->dev == NULL) { ++ wandev->dev = dev; ++ } else { ++ for (slave=wandev->dev; ++ DEV_TO_SLAVE(slave); ++ slave = DEV_TO_SLAVE(slave)) ++ DEV_TO_SLAVE(slave) = dev; + } ++ ++wandev->ndev; ++ ++ unlock_adapter_irq(&wandev->lock, &smp_flags); ++ err = 0; /* done !!! */ ++ goto out; + } + if (wandev->del_if) + wandev->del_if(wandev, dev); +diff --git a/net/wireless/core.c b/net/wireless/core.c +index 220f3bd..8f5042d 100644 +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -971,6 +971,11 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb, + */ + synchronize_rcu(); + INIT_LIST_HEAD(&wdev->list); ++ /* ++ * Ensure that all events have been processed and ++ * freed. ++ */ ++ cfg80211_process_wdev_events(wdev); + break; + case NETDEV_PRE_UP: + if (!(wdev->wiphy->interface_modes & BIT(wdev->iftype))) +diff --git a/net/wireless/core.h b/net/wireless/core.h +index b9ec306..02c3be3 100644 +--- a/net/wireless/core.h ++++ b/net/wireless/core.h +@@ -426,6 +426,7 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev, + struct net_device *dev, enum nl80211_iftype ntype, + u32 *flags, struct vif_params *params); + void cfg80211_process_rdev_events(struct cfg80211_registered_device *rdev); ++void cfg80211_process_wdev_events(struct wireless_dev *wdev); + + int cfg80211_can_change_interface(struct cfg80211_registered_device *rdev, + struct wireless_dev *wdev, +diff --git a/net/wireless/util.c b/net/wireless/util.c +index b5e4c1c..22fb802 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -725,7 +725,7 @@ void cfg80211_upload_connect_keys(struct wireless_dev *wdev) + wdev->connect_keys = NULL; + } + +-static void cfg80211_process_wdev_events(struct wireless_dev *wdev) ++void cfg80211_process_wdev_events(struct wireless_dev *wdev) + { + struct cfg80211_event *ev; + unsigned long flags; +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index 51a1afc..402f330 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -3059,7 +3059,6 @@ static const struct snd_pci_quirk cxt5066_cfg_tbl[] = { + SND_PCI_QUIRK(0x1028, 0x02d8, "Dell Vostro", CXT5066_DELL_VOSTRO), + SND_PCI_QUIRK(0x1028, 0x02f5, "Dell Vostro 320", CXT5066_IDEAPAD), + SND_PCI_QUIRK(0x1028, 0x0401, "Dell Vostro 1014", CXT5066_DELL_VOSTRO), +- SND_PCI_QUIRK(0x1028, 0x0402, "Dell Vostro", CXT5066_DELL_VOSTRO), + SND_PCI_QUIRK(0x1028, 0x0408, "Dell Inspiron One 19T", CXT5066_IDEAPAD), + SND_PCI_QUIRK(0x1028, 0x050f, "Dell Inspiron", CXT5066_IDEAPAD), + SND_PCI_QUIRK(0x1028, 0x0510, "Dell Vostro", CXT5066_IDEAPAD), +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 2e2eb93..32c8169 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4981,6 +4981,8 @@ static const struct alc_fixup alc269_fixups[] = { + [ALC269_FIXUP_PCM_44K] = { + .type = ALC_FIXUP_FUNC, + .v.func = alc269_fixup_pcm_44k, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_QUANTA_MUTE + }, + [ALC269_FIXUP_STEREO_DMIC] = { + .type = ALC_FIXUP_FUNC, +@@ -5077,9 +5079,10 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x21ca, "Thinkpad L412", ALC269_FIXUP_SKU_IGNORE), + SND_PCI_QUIRK(0x17aa, 0x21e9, "Thinkpad Edge 15", ALC269_FIXUP_SKU_IGNORE), + SND_PCI_QUIRK(0x17aa, 0x21f6, "Thinkpad T530", ALC269_FIXUP_LENOVO_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x21fa, "Thinkpad X230", ALC269_FIXUP_LENOVO_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x21fb, "Thinkpad T430s", ALC269_FIXUP_LENOVO_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2203, "Thinkpad X230 Tablet", ALC269_FIXUP_LENOVO_DOCK), +- SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_QUANTA_MUTE), +- SND_PCI_QUIRK(0x17aa, 0x3bf8, "Lenovo Ideapd", ALC269_FIXUP_PCM_44K), ++ SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K), + SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD), + + #if 1 diff --git a/3.2.27/4420_grsecurity-2.9.1-3.2.27-201208201521.patch b/3.2.28/4420_grsecurity-2.9.1-3.2.28-201208222030.patch index 7be4f7e..0f3c55e 100644 --- a/3.2.27/4420_grsecurity-2.9.1-3.2.27-201208201521.patch +++ b/3.2.28/4420_grsecurity-2.9.1-3.2.28-201208222030.patch @@ -245,7 +245,7 @@ index 88fd7f5..b318a78 100644 ============================================================== diff --git a/Makefile b/Makefile -index bdf851f..c020e9d 100644 +index 5368961..3fed4d4 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -20547,7 +20547,7 @@ index 94a4672..5c6b853 100644 local_irq_disable(); diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index 7315488..187fb78 100644 +index 407789b..942f6a6 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -1305,7 +1305,11 @@ static void reload_tss(void) @@ -20562,7 +20562,7 @@ index 7315488..187fb78 100644 load_TR_desc(); } -@@ -2633,8 +2637,11 @@ static __init int hardware_setup(void) +@@ -2634,8 +2638,11 @@ static __init int hardware_setup(void) if (!cpu_has_vmx_flexpriority()) flexpriority_enabled = 0; @@ -20576,7 +20576,7 @@ index 7315488..187fb78 100644 if (enable_ept && !cpu_has_vmx_ept_2m_page()) kvm_disable_largepages(); -@@ -3648,7 +3655,7 @@ static void vmx_set_constant_host_state(void) +@@ -3649,7 +3656,7 @@ static void vmx_set_constant_host_state(void) vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */ asm("mov $.Lkvm_vmx_return, %0" : "=r"(tmpl)); @@ -20585,7 +20585,7 @@ index 7315488..187fb78 100644 rdmsr(MSR_IA32_SYSENTER_CS, low32, high32); vmcs_write32(HOST_IA32_SYSENTER_CS, low32); -@@ -6171,6 +6178,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -6172,6 +6179,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) "jmp .Lkvm_vmx_return \n\t" ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t" ".Lkvm_vmx_return: " @@ -20598,7 +20598,7 @@ index 7315488..187fb78 100644 /* Save guest registers, load host registers, keep flags */ "mov %0, %c[wordsize](%%"R"sp) \n\t" "pop %0 \n\t" -@@ -6219,6 +6232,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -6220,6 +6233,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) #endif [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)), [wordsize]"i"(sizeof(ulong)) @@ -20610,7 +20610,7 @@ index 7315488..187fb78 100644 : "cc", "memory" , R"ax", R"bx", R"di", R"si" #ifdef CONFIG_X86_64 -@@ -6247,7 +6265,16 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -6248,7 +6266,16 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) } } @@ -30926,7 +30926,7 @@ index ca67338..0003ba7 100644 return can_switch; } diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h -index d62c731..89d435b 100644 +index c364358..317c8de 100644 --- a/drivers/gpu/drm/i915/i915_drv.h +++ b/drivers/gpu/drm/i915/i915_drv.h @@ -229,7 +229,7 @@ struct drm_i915_display_funcs { @@ -30956,7 +30956,7 @@ index d62c731..89d435b 100644 }; #define to_intel_bo(x) container_of(x, struct drm_i915_gem_object, base) -@@ -1276,7 +1276,7 @@ extern int intel_setup_gmbus(struct drm_device *dev); +@@ -1271,7 +1271,7 @@ extern int intel_setup_gmbus(struct drm_device *dev); extern void intel_teardown_gmbus(struct drm_device *dev); extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed); extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit); @@ -35401,7 +35401,7 @@ index e1159e5..e18684d 100644 /* Set media type */ switch (adapter->pdev->device) { diff --git a/drivers/net/ethernet/intel/e1000e/82571.c b/drivers/net/ethernet/intel/e1000e/82571.c -index 3072d35..a0f4827 100644 +index 4f4d52a..2317bbc 100644 --- a/drivers/net/ethernet/intel/e1000e/82571.c +++ b/drivers/net/ethernet/intel/e1000e/82571.c @@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(struct e1000_adapter *adapter) @@ -35929,7 +35929,7 @@ index 46db5c5..37c1536 100644 err = platform_driver_register(&sk_isa_driver); if (err) diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 7bea9c6..7ef073c 100644 +index a12c9bf..3b1862d 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -359,7 +359,7 @@ static void tun_free_netdev(struct net_device *dev) @@ -36314,10 +36314,10 @@ index f5ae3c6..7936af3 100644 static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads) diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h -index 1bd8edf..10c6d30 100644 +index a5c4ba8..a2cea02 100644 --- a/drivers/net/wireless/ath/ath9k/hw.h +++ b/drivers/net/wireless/ath/ath9k/hw.h -@@ -605,7 +605,7 @@ struct ath_hw_private_ops { +@@ -606,7 +606,7 @@ struct ath_hw_private_ops { /* ANI */ void (*ani_cache_ini_regs)(struct ath_hw *ah); @@ -36326,7 +36326,7 @@ index 1bd8edf..10c6d30 100644 /** * struct ath_hw_ops - callbacks used by hardware code and driver code -@@ -635,7 +635,7 @@ struct ath_hw_ops { +@@ -636,7 +636,7 @@ struct ath_hw_ops { void (*antdiv_comb_conf_set)(struct ath_hw *ah, struct ath_hw_antcomb_conf *antconf); @@ -36335,7 +36335,7 @@ index 1bd8edf..10c6d30 100644 struct ath_nf_limits { s16 max; -@@ -655,7 +655,7 @@ enum ath_cal_list { +@@ -656,7 +656,7 @@ enum ath_cal_list { #define AH_FASTCC 0x4 struct ath_hw { @@ -44230,7 +44230,7 @@ index 6901578..d402eb5 100644 return hit; diff --git a/fs/compat.c b/fs/compat.c -index c987875..08771ca 100644 +index c987875..1b4dfbb 100644 --- a/fs/compat.c +++ b/fs/compat.c @@ -132,8 +132,8 @@ asmlinkage long compat_sys_utimes(const char __user *filename, struct compat_tim @@ -44351,6 +44351,38 @@ index c987875..08771ca 100644 if (__put_user_unaligned(d_off, &lastdirent->d_off)) error = -EFAULT; else +@@ -1174,11 +1192,14 @@ compat_sys_readv(unsigned long fd, const struct compat_iovec __user *vec, + struct file *file; + int fput_needed; + ssize_t ret; ++ loff_t pos; + + file = fget_light(fd, &fput_needed); + if (!file) + return -EBADF; +- ret = compat_readv(file, vec, vlen, &file->f_pos); ++ pos = file->f_pos; ++ ret = compat_readv(file, vec, vlen, &pos); ++ file->f_pos = pos; + fput_light(file, fput_needed); + return ret; + } +@@ -1233,11 +1254,14 @@ compat_sys_writev(unsigned long fd, const struct compat_iovec __user *vec, + struct file *file; + int fput_needed; + ssize_t ret; ++ loff_t pos; + + file = fget_light(fd, &fput_needed); + if (!file) + return -EBADF; +- ret = compat_writev(file, vec, vlen, &file->f_pos); ++ pos = file->f_pos; ++ ret = compat_writev(file, vec, vlen, &pos); ++ file->f_pos = pos; + fput_light(file, fput_needed); + return ret; + } diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c index 112e45a..b59845b 100644 --- a/fs/compat_binfmt_elf.c @@ -65631,6 +65663,23 @@ index d786b4f..4c3dd41 100644 #ifdef CONFIG_IP_MROUTE #ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES +diff --git a/include/net/scm.h b/include/net/scm.h +index d456f4c..0c0017c 100644 +--- a/include/net/scm.h ++++ b/include/net/scm.h +@@ -71,9 +71,11 @@ static __inline__ void scm_destroy(struct scm_cookie *scm) + } + + static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, +- struct scm_cookie *scm) ++ struct scm_cookie *scm, bool forcecreds) + { + memset(scm, 0, sizeof(*scm)); ++ if (forcecreds) ++ scm_set_cred(scm, task_tgid(current), current_cred()); + unix_get_peersec_dgram(sock, scm); + if (msg->msg_controllen <= 0) + return 0; diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h index ad03988..0c5a964 100644 --- a/include/net/sctp/sctp.h @@ -76308,6 +76357,18 @@ index f41f026..fe76ea8 100644 __SONET_ITEMS #undef __HANDLE_ITEM } +diff --git a/net/atm/common.c b/net/atm/common.c +index 14ff9fe..0ca06e8 100644 +--- a/net/atm/common.c ++++ b/net/atm/common.c +@@ -784,6 +784,7 @@ int vcc_getsockopt(struct socket *sock, int level, int optname, + + if (!vcc->dev || !test_bit(ATM_VF_ADDR, &vcc->flags)) + return -ENOTCONN; ++ memset(&pvc, 0, sizeof(pvc)); + pvc.sap_family = AF_ATMPVC; + pvc.sap_addr.itf = vcc->dev->number; + pvc.sap_addr.vpi = vcc->vpi; diff --git a/net/atm/lec.h b/net/atm/lec.h index dfc0719..47c5322 100644 --- a/net/atm/lec.h @@ -76351,6 +76412,18 @@ index 0d020de..011c7bb 100644 } static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev) +diff --git a/net/atm/pvc.c b/net/atm/pvc.c +index 3a73491..ae03240 100644 +--- a/net/atm/pvc.c ++++ b/net/atm/pvc.c +@@ -95,6 +95,7 @@ static int pvc_getname(struct socket *sock, struct sockaddr *sockaddr, + return -ENOTCONN; + *sockaddr_len = sizeof(struct sockaddr_atmpvc); + addr = (struct sockaddr_atmpvc *)sockaddr; ++ memset(addr, 0, sizeof(*addr)); + addr->sap_family = AF_ATMPVC; + addr->sap_addr.itf = vcc->dev->number; + addr->sap_addr.vpi = vcc->vpi; diff --git a/net/atm/resources.c b/net/atm/resources.c index 23f45ce..c748f1a 100644 --- a/net/atm/resources.c @@ -76491,6 +76564,26 @@ index 98bfbd5..47ccdd6 100644 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); } +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index f6afe3d..8361ee4 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -388,6 +388,7 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, int *add + *addr_len = sizeof(*haddr); + haddr->hci_family = AF_BLUETOOTH; + haddr->hci_dev = hdev->id; ++ haddr->hci_channel= 0; + + release_sock(sk); + return 0; +@@ -671,6 +672,7 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname, char + { + struct hci_filter *f = &hci_pi(sk)->filter; + ++ memset(&uf, 0, sizeof(uf)); + uf.type_mask = f->type_mask; + uf.opcode = f->opcode; + uf.event_mask[0] = *((u32 *) f->event_mask + 0); diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 17b5b1c..826d872 100644 --- a/net/bluetooth/l2cap_core.c @@ -76521,6 +76614,51 @@ index 17b5b1c..826d872 100644 goto done; } } +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 5c406d3..6dedd6f 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -293,6 +293,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l + + BT_DBG("sock %p, sk %p", sock, sk); + ++ memset(la, 0, sizeof(struct sockaddr_l2)); + addr->sa_family = AF_BLUETOOTH; + *len = sizeof(struct sockaddr_l2); + +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c +index 5417f61..7ee4ead 100644 +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -547,6 +547,7 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int * + + BT_DBG("sock %p, sk %p", sock, sk); + ++ memset(sa, 0, sizeof(*sa)); + sa->rc_family = AF_BLUETOOTH; + sa->rc_channel = rfcomm_pi(sk)->channel; + if (peer) +@@ -835,6 +836,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c + } + + sec.level = rfcomm_pi(sk)->sec_level; ++ sec.key_size = 0; + + len = min_t(unsigned int, len, sizeof(sec)); + if (copy_to_user(optval, (char *) &sec, len)) +diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c +index c258796..bc1eb56 100644 +--- a/net/bluetooth/rfcomm/tty.c ++++ b/net/bluetooth/rfcomm/tty.c +@@ -471,7 +471,7 @@ static int rfcomm_get_dev_list(void __user *arg) + + size = sizeof(*dl) + dev_num * sizeof(*di); + +- dl = kmalloc(size, GFP_KERNEL); ++ dl = kzalloc(size, GFP_KERNEL); + if (!dl) + return -ENOMEM; + diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index 5ac1811..7eb2320 100644 --- a/net/bridge/br_multicast.c @@ -76547,21 +76685,6 @@ index 5864cc4..121f3a30 100644 BUGPRINT("c2u Didn't work\n"); ret = -EFAULT; break; -diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c -index 68223e4..4e9115d 100644 ---- a/net/caif/caif_dev.c -+++ b/net/caif/caif_dev.c -@@ -428,9 +428,9 @@ static int __init caif_device_init(void) - - static void __exit caif_device_exit(void) - { -- unregister_pernet_subsys(&caif_net_ops); - unregister_netdevice_notifier(&caif_device_notifier); - dev_remove_pack(&caif_packet_type); -+ unregister_pernet_subsys(&caif_net_ops); - } - - module_init(caif_device_init); diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c index a986280..13444a1 100644 --- a/net/caif/caif_socket.c @@ -76738,6 +76861,80 @@ index 5cf5222..6f704ad 100644 p->sequence_no); list_del(&p->list); goto out; +diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c +index 8656909..a2ae45d 100644 +--- a/net/caif/chnl_net.c ++++ b/net/caif/chnl_net.c +@@ -74,7 +74,6 @@ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt) + struct sk_buff *skb; + struct chnl_net *priv = container_of(layr, struct chnl_net, chnl); + int pktlen; +- int err = 0; + const u8 *ip_version; + u8 buf; + +@@ -95,8 +94,11 @@ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt) + + /* check the version of IP */ + ip_version = skb_header_pointer(skb, 0, 1, &buf); +- if (!ip_version) ++ if (!ip_version) { ++ kfree_skb(skb); + return -EINVAL; ++ } ++ + switch (*ip_version >> 4) { + case 4: + skb->protocol = htons(ETH_P_IP); +@@ -105,6 +107,8 @@ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt) + skb->protocol = htons(ETH_P_IPV6); + break; + default: ++ kfree_skb(skb); ++ priv->netdev->stats.rx_errors++; + return -EINVAL; + } + +@@ -123,7 +127,7 @@ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt) + priv->netdev->stats.rx_packets++; + priv->netdev->stats.rx_bytes += pktlen; + +- return err; ++ return 0; + } + + static int delete_device(struct chnl_net *dev) +@@ -221,12 +225,16 @@ static int chnl_net_start_xmit(struct sk_buff *skb, struct net_device *dev) + + if (skb->len > priv->netdev->mtu) { + pr_warn("Size of skb exceeded MTU\n"); +- return -ENOSPC; ++ kfree_skb(skb); ++ dev->stats.tx_errors++; ++ return NETDEV_TX_OK; + } + + if (!priv->flowenabled) { + pr_debug("dropping packets flow off\n"); +- return NETDEV_TX_BUSY; ++ kfree_skb(skb); ++ dev->stats.tx_dropped++; ++ return NETDEV_TX_OK; + } + + if (priv->conn_req.protocol == CAIFPROTO_DATAGRAM_LOOP) +@@ -240,9 +248,8 @@ static int chnl_net_start_xmit(struct sk_buff *skb, struct net_device *dev) + /* Send the packet down the stack. */ + result = priv->chnl.dn->transmit(priv->chnl.dn, pkt); + if (result) { +- if (result == -EAGAIN) +- result = NETDEV_TX_BUSY; +- return result; ++ dev->stats.tx_dropped++; ++ return NETDEV_TX_OK; + } + + /* Update statistics. */ diff --git a/net/can/gw.c b/net/can/gw.c index 3d79b12..8de85fa 100644 --- a/net/can/gw.c @@ -77049,7 +77246,7 @@ index c40f27e..7f49254 100644 m->msg_iov = iov; diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index 05842ab..6d674ce 100644 +index 0cf604b..8d4b86f 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -57,7 +57,7 @@ struct rtnl_link { @@ -77186,6 +77383,40 @@ index 8d095b9..315c541 100644 } EXPORT_SYMBOL(sock_init_data); +diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h +index 75c3582..fb85d37 100644 +--- a/net/dccp/ccid.h ++++ b/net/dccp/ccid.h +@@ -246,7 +246,7 @@ static inline int ccid_hc_rx_getsockopt(struct ccid *ccid, struct sock *sk, + u32 __user *optval, int __user *optlen) + { + int rc = -ENOPROTOOPT; +- if (ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL) ++ if (ccid != NULL && ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL) + rc = ccid->ccid_ops->ccid_hc_rx_getsockopt(sk, optname, len, + optval, optlen); + return rc; +@@ -257,7 +257,7 @@ static inline int ccid_hc_tx_getsockopt(struct ccid *ccid, struct sock *sk, + u32 __user *optval, int __user *optlen) + { + int rc = -ENOPROTOOPT; +- if (ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL) ++ if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL) + rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len, + optval, optlen); + return rc; +diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c +index 3d604e1..4caf63f 100644 +--- a/net/dccp/ccids/ccid3.c ++++ b/net/dccp/ccids/ccid3.c +@@ -532,6 +532,7 @@ static int ccid3_hc_tx_getsockopt(struct sock *sk, const int optname, int len, + case DCCP_SOCKOPT_CCID_TX_INFO: + if (len < sizeof(tfrc)) + return -EINVAL; ++ memset(&tfrc, 0, sizeof(tfrc)); + tfrc.tfrctx_x = hc->tx_x; + tfrc.tfrctx_x_recv = hc->tx_x_recv; + tfrc.tfrctx_x_calc = hc->tx_x_calc; diff --git a/net/decnet/sysctl_net_decnet.c b/net/decnet/sysctl_net_decnet.c index 02e75d1..9a57a7c 100644 --- a/net/decnet/sysctl_net_decnet.c @@ -77221,23 +77452,6 @@ index 39a2d29..f39c0fe 100644 ---help--- Econet is a fairly old and slow networking protocol mainly used by Acorn computers to access file and print servers. It uses native -diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c -index 86f3b88..afaa735 100644 ---- a/net/ipv4/cipso_ipv4.c -+++ b/net/ipv4/cipso_ipv4.c -@@ -1725,8 +1725,10 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option) - case CIPSO_V4_TAG_LOCAL: - /* This is a non-standard tag that we only allow for - * local connections, so if the incoming interface is -- * not the loopback device drop the packet. */ -- if (!(skb->dev->flags & IFF_LOOPBACK)) { -+ * not the loopback device drop the packet. Further, -+ * there is no legitimate reason for setting this from -+ * userspace so reject it if skb is NULL. */ -+ if (skb == NULL || !(skb->dev->flags & IFF_LOOPBACK)) { - err_offset = opt_iter; - goto validate_return_locked; - } diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 92fc5f6..b790d91 100644 --- a/net/ipv4/fib_frontend.c @@ -77561,10 +77775,10 @@ index 94cdbc5..0cb0063 100644 ts = peer->tcp_ts; tsage = get_seconds() - peer->tcp_ts_stamp; diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 32e6ca2..436489e 100644 +index a08a621..2e17402 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c -@@ -5836,7 +5836,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, +@@ -5838,7 +5838,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto discard; if (th->syn) { @@ -78325,6 +78539,26 @@ index 1e733e9..3d73c9f 100644 } while (!res); return res; } +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index a18e6c3..99a60d5 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -966,14 +966,13 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr, + struct sockaddr_llc sllc; + struct sock *sk = sock->sk; + struct llc_sock *llc = llc_sk(sk); +- int rc = 0; ++ int rc = -EBADF; + + memset(&sllc, 0, sizeof(sllc)); + lock_sock(sk); + if (sock_flag(sk, SOCK_ZAPPED)) + goto out; + *uaddrlen = sizeof(sllc); +- memset(uaddr, 0, *uaddrlen); + if (peer) { + rc = -ENOTCONN; + if (sk->sk_state != TCP_ESTABLISHED) diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index 73495f1..ad51356 100644 --- a/net/mac80211/ieee80211_i.h @@ -78574,7 +78808,7 @@ index 6dc7d7d..e45913a 100644 if ((ipvs->sync_state & IP_VS_STATE_MASTER) && cp->protocol == IPPROTO_SCTP) { diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c -index e1a66cf..0910076 100644 +index e1a66cf..2772ca6 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -788,7 +788,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest, @@ -78613,7 +78847,15 @@ index e1a66cf..0910076 100644 entry.weight = atomic_read(&dest->weight); entry.u_threshold = dest->u_threshold; entry.l_threshold = dest->l_threshold; -@@ -3042,7 +3042,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest) +@@ -2713,6 +2713,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) + { + struct ip_vs_timeout_user t; + ++ memset(&t, 0, sizeof(t)); + __ip_vs_get_timeouts(net, &t); + if (copy_to_user(user, &t, sizeof(t)) != 0) + ret = -EFAULT; +@@ -3042,7 +3043,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest) NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port); NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD, @@ -78807,7 +79049,7 @@ index 4fe4fb4..87a89e5 100644 return 0; } diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index a99fb41..740c2a4 100644 +index a99fb41..b6962a8 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -742,7 +742,7 @@ static void netlink_overrun(struct sock *sk) @@ -78819,6 +79061,15 @@ index a99fb41..740c2a4 100644 } static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid) +@@ -1333,7 +1333,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock, + if (NULL == siocb->scm) + siocb->scm = &scm; + +- err = scm_send(sock, msg, siocb->scm); ++ err = scm_send(sock, msg, siocb->scm, true); + if (err < 0) + return err; + @@ -2001,7 +2001,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) sk_wmem_alloc_get(s), nlk->cb, @@ -79418,36 +79669,6 @@ index 7635107..4670276 100644 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); -diff --git a/net/sctp/input.c b/net/sctp/input.c -index b7692aa..0fc18c7 100644 ---- a/net/sctp/input.c -+++ b/net/sctp/input.c -@@ -736,15 +736,12 @@ static void __sctp_unhash_endpoint(struct sctp_endpoint *ep) - - epb = &ep->base; - -- if (hlist_unhashed(&epb->node)) -- return; -- - epb->hashent = sctp_ep_hashfn(epb->bind_addr.port); - - head = &sctp_ep_hashtable[epb->hashent]; - - sctp_write_lock(&head->lock); -- __hlist_del(&epb->node); -+ hlist_del_init(&epb->node); - sctp_write_unlock(&head->lock); - } - -@@ -825,7 +822,7 @@ static void __sctp_unhash_established(struct sctp_association *asoc) - head = &sctp_assoc_hashtable[epb->hashent]; - - sctp_write_lock(&head->lock); -- __hlist_del(&epb->node); -+ hlist_del_init(&epb->node); - sctp_write_unlock(&head->lock); - } - diff --git a/net/sctp/proc.c b/net/sctp/proc.c index 1e2eee8..ce3967e 100644 --- a/net/sctp/proc.c @@ -79463,38 +79684,10 @@ index 1e2eee8..ce3967e 100644 assoc->assoc_id, assoc->sndbuf_used, diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index 0075554..ba19fd7 100644 +index 8e49d76..ba19fd7 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c -@@ -1231,8 +1231,14 @@ out_free: - SCTP_DEBUG_PRINTK("About to exit __sctp_connect() free asoc: %p" - " kaddrs: %p err: %d\n", - asoc, kaddrs, err); -- if (asoc) -+ if (asoc) { -+ /* sctp_primitive_ASSOCIATE may have added this association -+ * To the hash table, try to unhash it, just in case, its a noop -+ * if it wasn't hashed so we're safe -+ */ -+ sctp_unhash_established(asoc); - sctp_association_free(asoc); -+ } - return err; - } - -@@ -1942,8 +1948,10 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk, - goto out_unlock; - - out_free: -- if (new_asoc) -+ if (new_asoc) { -+ sctp_unhash_established(asoc); - sctp_association_free(asoc); -+ } - out_unlock: - sctp_release_sock(sk); - -@@ -4575,7 +4583,7 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, +@@ -4583,7 +4583,7 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; if (space_left < addrlen) return -ENOMEM; @@ -79504,7 +79697,7 @@ index 0075554..ba19fd7 100644 to += addrlen; cnt++; diff --git a/net/socket.c b/net/socket.c -index 273cbce..fd1e8ff 100644 +index 273cbce..ed22cd4 100644 --- a/net/socket.c +++ b/net/socket.c @@ -88,6 +88,7 @@ @@ -79675,7 +79868,15 @@ index 273cbce..fd1e8ff 100644 uaddr_len = COMPAT_NAMELEN(msg); if (MSG_CMSG_COMPAT & flags) { err = verify_compat_iovec(msg_sys, iov, -@@ -2748,7 +2808,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2645,6 +2705,7 @@ static int dev_ifconf(struct net *net, struct compat_ifconf __user *uifc32) + if (copy_from_user(&ifc32, uifc32, sizeof(struct compat_ifconf))) + return -EFAULT; + ++ memset(&ifc, 0, sizeof(ifc)); + if (ifc32.ifcbuf == 0) { + ifc32.ifc_len = 0; + ifc.ifc_len = 0; +@@ -2748,7 +2809,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) } ifr = compat_alloc_user_space(buf_size); @@ -79684,7 +79885,7 @@ index 273cbce..fd1e8ff 100644 if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ)) return -EFAULT; -@@ -2772,12 +2832,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2772,12 +2833,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) offsetof(struct ethtool_rxnfc, fs.ring_cookie)); if (copy_in_user(rxnfc, compat_rxnfc, @@ -79701,7 +79902,7 @@ index 273cbce..fd1e8ff 100644 copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt, sizeof(rxnfc->rule_cnt))) return -EFAULT; -@@ -2789,12 +2849,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2789,12 +2850,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) if (convert_out) { if (copy_in_user(compat_rxnfc, rxnfc, @@ -79718,7 +79919,7 @@ index 273cbce..fd1e8ff 100644 copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt, sizeof(rxnfc->rule_cnt))) return -EFAULT; -@@ -2864,7 +2924,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, +@@ -2864,7 +2925,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); err = dev_ioctl(net, cmd, @@ -79727,7 +79928,7 @@ index 273cbce..fd1e8ff 100644 set_fs(old_fs); return err; -@@ -2973,7 +3033,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, +@@ -2973,7 +3034,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); @@ -79736,7 +79937,7 @@ index 273cbce..fd1e8ff 100644 set_fs(old_fs); if (cmd == SIOCGIFMAP && !err) { -@@ -3078,7 +3138,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, +@@ -3078,7 +3139,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, ret |= __get_user(rtdev, &(ur4->rt_dev)); if (rtdev) { ret |= copy_from_user(devname, compat_ptr(rtdev), 15); @@ -79745,7 +79946,7 @@ index 273cbce..fd1e8ff 100644 devname[15] = 0; } else r4.rt_dev = NULL; -@@ -3318,8 +3378,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, +@@ -3318,8 +3379,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, int __user *uoptlen; int err; @@ -79756,7 +79957,7 @@ index 273cbce..fd1e8ff 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) -@@ -3339,7 +3399,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, +@@ -3339,7 +3400,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, char __user *uoptval; int err; @@ -80069,7 +80270,7 @@ index 1983717..4d6102c 100644 sub->evt.event = htohl(event, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index d99678a..3514a21 100644 +index d99678a..6786706 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -767,6 +767,12 @@ static struct sock *unix_find_other(struct net *net, @@ -80118,8 +80319,26 @@ index d99678a..3514a21 100644 mutex_unlock(&path.dentry->d_inode->i_mutex); dput(path.dentry); path.dentry = dentry; +@@ -1435,7 +1455,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, + if (NULL == siocb->scm) + siocb->scm = &tmp_scm; + wait_for_unix_gc(); +- err = scm_send(sock, msg, siocb->scm); ++ err = scm_send(sock, msg, siocb->scm, false); + if (err < 0) + return err; + +@@ -1596,7 +1616,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock, + if (NULL == siocb->scm) + siocb->scm = &tmp_scm; + wait_for_unix_gc(); +- err = scm_send(sock, msg, siocb->scm); ++ err = scm_send(sock, msg, siocb->scm, false); + if (err < 0) + return err; + diff --git a/net/wireless/core.h b/net/wireless/core.h -index b9ec306..b4a563e 100644 +index 02c3be3..e022efa 100644 --- a/net/wireless/core.h +++ b/net/wireless/core.h @@ -27,7 +27,7 @@ struct cfg80211_registered_device { diff --git a/3.2.27/4430_grsec-remove-localversion-grsec.patch b/3.2.28/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.2.27/4430_grsec-remove-localversion-grsec.patch +++ b/3.2.28/4430_grsec-remove-localversion-grsec.patch diff --git a/3.2.27/4435_grsec-mute-warnings.patch b/3.2.28/4435_grsec-mute-warnings.patch index e85abd6..e85abd6 100644 --- a/3.2.27/4435_grsec-mute-warnings.patch +++ b/3.2.28/4435_grsec-mute-warnings.patch diff --git a/3.2.27/4440_grsec-remove-protected-paths.patch b/3.2.28/4440_grsec-remove-protected-paths.patch index 637934a..637934a 100644 --- a/3.2.27/4440_grsec-remove-protected-paths.patch +++ b/3.2.28/4440_grsec-remove-protected-paths.patch diff --git a/3.2.27/4450_grsec-kconfig-default-gids.patch b/3.2.28/4450_grsec-kconfig-default-gids.patch index 0ab1250..0ab1250 100644 --- a/3.2.27/4450_grsec-kconfig-default-gids.patch +++ b/3.2.28/4450_grsec-kconfig-default-gids.patch diff --git a/3.2.27/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.28/4465_selinux-avc_audit-log-curr_ip.patch index 48acad7..48acad7 100644 --- a/3.2.27/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.2.28/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.2.27/4470_disable-compat_vdso.patch b/3.2.28/4470_disable-compat_vdso.patch index 4742d01..4742d01 100644 --- a/3.2.27/4470_disable-compat_vdso.patch +++ b/3.2.28/4470_disable-compat_vdso.patch diff --git a/3.5.2/0000_README b/3.5.2/0000_README index 2baff0f..268fe76 100644 --- a/3.5.2/0000_README +++ b/3.5.2/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9.1-3.5.2-201208201522.patch +Patch: 4420_grsecurity-2.9.1-3.5.2-201208222031.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.5.2/4420_grsecurity-2.9.1-3.5.2-201208201522.patch b/3.5.2/4420_grsecurity-2.9.1-3.5.2-201208222031.patch index 61d4d0c..f04a5aa 100644 --- a/3.5.2/4420_grsecurity-2.9.1-3.5.2-201208201522.patch +++ b/3.5.2/4420_grsecurity-2.9.1-3.5.2-201208222031.patch @@ -43873,7 +43873,7 @@ index 6901578..d402eb5 100644 return hit; diff --git a/fs/compat.c b/fs/compat.c -index 6161255..512b1a1 100644 +index 6161255..9f28287 100644 --- a/fs/compat.c +++ b/fs/compat.c @@ -490,7 +490,7 @@ compat_sys_io_setup(unsigned nr_reqs, u32 __user *ctx32p) @@ -43983,6 +43983,38 @@ index 6161255..512b1a1 100644 if (__put_user_unaligned(d_off, &lastdirent->d_off)) error = -EFAULT; else +@@ -1155,11 +1173,14 @@ compat_sys_readv(unsigned long fd, const struct compat_iovec __user *vec, + struct file *file; + int fput_needed; + ssize_t ret; ++ loff_t pos; + + file = fget_light(fd, &fput_needed); + if (!file) + return -EBADF; +- ret = compat_readv(file, vec, vlen, &file->f_pos); ++ pos = file->f_pos; ++ ret = compat_readv(file, vec, vlen, &pos); ++ file->f_pos = pos; + fput_light(file, fput_needed); + return ret; + } +@@ -1221,11 +1242,14 @@ compat_sys_writev(unsigned long fd, const struct compat_iovec __user *vec, + struct file *file; + int fput_needed; + ssize_t ret; ++ loff_t pos; + + file = fget_light(fd, &fput_needed); + if (!file) + return -EBADF; +- ret = compat_writev(file, vec, vlen, &file->f_pos); ++ pos = file->f_pos; ++ ret = compat_writev(file, vec, vlen, &pos); ++ file->f_pos = pos; + fput_light(file, fput_needed); + return ret; + } diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c index 112e45a..b59845b 100644 --- a/fs/compat_binfmt_elf.c @@ -45093,6 +45125,18 @@ index 01434f2..bd995b4 100644 atomic_t s_lock_busy; /* locality groups */ +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 58a75fe..9752106 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -2663,6 +2663,7 @@ cont: + } + path[0].p_depth = depth; + path[0].p_hdr = ext_inode_hdr(inode); ++ i = 0; + + if (ext4_ext_check(inode, path[0].p_hdr, depth)) { + err = -EIO; diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index 1cd6994..5799d45 100644 --- a/fs/ext4/mballoc.c @@ -64645,6 +64689,23 @@ index bbd023a..97c6d0d 100644 #ifdef CONFIG_IP_MROUTE #ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES +diff --git a/include/net/scm.h b/include/net/scm.h +index d456f4c..0c0017c 100644 +--- a/include/net/scm.h ++++ b/include/net/scm.h +@@ -71,9 +71,11 @@ static __inline__ void scm_destroy(struct scm_cookie *scm) + } + + static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, +- struct scm_cookie *scm) ++ struct scm_cookie *scm, bool forcecreds) + { + memset(scm, 0, sizeof(*scm)); ++ if (forcecreds) ++ scm_set_cred(scm, task_tgid(current), current_cred()); + unix_get_peersec_dgram(sock, scm); + if (msg->msg_controllen <= 0) + return 0; diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h index a2ef814..31a8e3f 100644 --- a/include/net/sctp/sctp.h @@ -75045,6 +75106,18 @@ index 876fbe8..8bbea9f 100644 __SONET_ITEMS #undef __HANDLE_ITEM } +diff --git a/net/atm/common.c b/net/atm/common.c +index b4b44db..0c0ad93 100644 +--- a/net/atm/common.c ++++ b/net/atm/common.c +@@ -812,6 +812,7 @@ int vcc_getsockopt(struct socket *sock, int level, int optname, + + if (!vcc->dev || !test_bit(ATM_VF_ADDR, &vcc->flags)) + return -ENOTCONN; ++ memset(&pvc, 0, sizeof(pvc)); + pvc.sap_family = AF_ATMPVC; + pvc.sap_addr.itf = vcc->dev->number; + pvc.sap_addr.vpi = vcc->vpi; diff --git a/net/atm/lec.h b/net/atm/lec.h index a86aff9..3a0d6f6 100644 --- a/net/atm/lec.h @@ -75088,6 +75161,18 @@ index 0d020de..011c7bb 100644 } static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev) +diff --git a/net/atm/pvc.c b/net/atm/pvc.c +index 3a73491..ae03240 100644 +--- a/net/atm/pvc.c ++++ b/net/atm/pvc.c +@@ -95,6 +95,7 @@ static int pvc_getname(struct socket *sock, struct sockaddr *sockaddr, + return -ENOTCONN; + *sockaddr_len = sizeof(struct sockaddr_atmpvc); + addr = (struct sockaddr_atmpvc *)sockaddr; ++ memset(addr, 0, sizeof(*addr)); + addr->sap_family = AF_ATMPVC; + addr->sap_addr.itf = vcc->dev->number; + addr->sap_addr.vpi = vcc->vpi; diff --git a/net/atm/resources.c b/net/atm/resources.c index 23f45ce..c748f1a 100644 --- a/net/atm/resources.c @@ -75231,6 +75316,26 @@ index 74175c2..32f8901 100644 frag1->seqno = htons(seqno - 1); frag2->seqno = htons(seqno); +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index 5914623..bedc768 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -706,6 +706,7 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr, int *add + *addr_len = sizeof(*haddr); + haddr->hci_family = AF_BLUETOOTH; + haddr->hci_dev = hdev->id; ++ haddr->hci_channel= 0; + + release_sock(sk); + return 0; +@@ -1016,6 +1017,7 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname, char + { + struct hci_filter *f = &hci_pi(sk)->filter; + ++ memset(&uf, 0, sizeof(uf)); + uf.type_mask = f->type_mask; + uf.opcode = f->opcode; + uf.event_mask[0] = *((u32 *) f->event_mask + 0); diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 4554e80..b778671 100644 --- a/net/bluetooth/l2cap_core.c @@ -75248,8 +75353,40 @@ index 4554e80..b778671 100644 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && rfc.mode != chan->mode) +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 3bb1611..fcf656b 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -246,6 +246,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l + + BT_DBG("sock %p, sk %p", sock, sk); + ++ memset(la, 0, sizeof(struct sockaddr_l2)); + addr->sa_family = AF_BLUETOOTH; + *len = sizeof(struct sockaddr_l2); + +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c +index e8707de..2df6956 100644 +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -547,6 +547,7 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int * + + BT_DBG("sock %p, sk %p", sock, sk); + ++ memset(sa, 0, sizeof(*sa)); + sa->rc_family = AF_BLUETOOTH; + sa->rc_channel = rfcomm_pi(sk)->channel; + if (peer) +@@ -841,6 +842,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c + } + + sec.level = rfcomm_pi(sk)->sec_level; ++ sec.key_size = 0; + + len = min_t(unsigned int, len, sizeof(sec)); + if (copy_to_user(optval, (char *) &sec, len)) diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c -index d1820ff..d414b0e 100644 +index d1820ff..4f8c8f6 100644 --- a/net/bluetooth/rfcomm/tty.c +++ b/net/bluetooth/rfcomm/tty.c @@ -314,7 +314,7 @@ static void rfcomm_dev_del(struct rfcomm_dev *dev) @@ -75261,6 +75398,15 @@ index d1820ff..d414b0e 100644 spin_unlock_irqrestore(&dev->port.lock, flags); return; } +@@ -461,7 +461,7 @@ static int rfcomm_get_dev_list(void __user *arg) + + size = sizeof(*dl) + dev_num * sizeof(*di); + +- dl = kmalloc(size, GFP_KERNEL); ++ dl = kzalloc(size, GFP_KERNEL); + if (!dl) + return -ENOMEM; + @@ -669,10 +669,10 @@ static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp) return -ENODEV; @@ -75343,6 +75489,21 @@ index 047cd0e..461fd28 100644 p->sequence_no); list_del(&p->list); goto out; +diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c +index 69771c0..e597733 100644 +--- a/net/caif/chnl_net.c ++++ b/net/caif/chnl_net.c +@@ -94,6 +94,10 @@ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt) + + /* check the version of IP */ + ip_version = skb_header_pointer(skb, 0, 1, &buf); ++ if (!ip_version) { ++ kfree_skb(skb); ++ return -EINVAL; ++ } + + switch (*ip_version >> 4) { + case 4: diff --git a/net/can/gw.c b/net/can/gw.c index b41acf2..3affb3a 100644 --- a/net/can/gw.c @@ -75836,6 +75997,40 @@ index 5fd1467..8b70900 100644 } EXPORT_SYMBOL_GPL(sock_diag_save_cookie); +diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h +index 75c3582..fb85d37 100644 +--- a/net/dccp/ccid.h ++++ b/net/dccp/ccid.h +@@ -246,7 +246,7 @@ static inline int ccid_hc_rx_getsockopt(struct ccid *ccid, struct sock *sk, + u32 __user *optval, int __user *optlen) + { + int rc = -ENOPROTOOPT; +- if (ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL) ++ if (ccid != NULL && ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL) + rc = ccid->ccid_ops->ccid_hc_rx_getsockopt(sk, optname, len, + optval, optlen); + return rc; +@@ -257,7 +257,7 @@ static inline int ccid_hc_tx_getsockopt(struct ccid *ccid, struct sock *sk, + u32 __user *optval, int __user *optlen) + { + int rc = -ENOPROTOOPT; +- if (ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL) ++ if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL) + rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len, + optval, optlen); + return rc; +diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c +index 8c67bed..ce0d140 100644 +--- a/net/dccp/ccids/ccid3.c ++++ b/net/dccp/ccids/ccid3.c +@@ -531,6 +531,7 @@ static int ccid3_hc_tx_getsockopt(struct sock *sk, const int optname, int len, + case DCCP_SOCKOPT_CCID_TX_INFO: + if (len < sizeof(tfrc)) + return -EINVAL; ++ memset(&tfrc, 0, sizeof(tfrc)); + tfrc.tfrctx_x = hc->tx_x; + tfrc.tfrctx_x_recv = hc->tx_x_recv; + tfrc.tfrctx_x_calc = hc->tx_x_calc; diff --git a/net/decnet/sysctl_net_decnet.c b/net/decnet/sysctl_net_decnet.c index a55eecc..dd8428c 100644 --- a/net/decnet/sysctl_net_decnet.c @@ -76859,6 +77054,38 @@ index 34e4185..8823368 100644 } while (!res); return res; } +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c +index 35e1e4b..9275471 100644 +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -410,6 +410,7 @@ static int l2tp_ip6_getname(struct socket *sock, struct sockaddr *uaddr, + lsa->l2tp_family = AF_INET6; + lsa->l2tp_flowinfo = 0; + lsa->l2tp_scope_id = 0; ++ lsa->l2tp_unused = 0; + if (peer) { + if (!lsk->peer_conn_id) + return -ENOTCONN; +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index fe5453c..a13c3e23 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -969,14 +969,13 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr, + struct sockaddr_llc sllc; + struct sock *sk = sock->sk; + struct llc_sock *llc = llc_sk(sk); +- int rc = 0; ++ int rc = -EBADF; + + memset(&sllc, 0, sizeof(sllc)); + lock_sock(sk); + if (sock_flag(sk, SOCK_ZAPPED)) + goto out; + *uaddrlen = sizeof(sllc); +- memset(uaddr, 0, *uaddrlen); + if (peer) { + rc = -ENOTCONN; + if (sk->sk_state != TCP_ESTABLISHED) diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index 3f3cd50..d2cf249 100644 --- a/net/mac80211/ieee80211_i.h @@ -77117,7 +77344,7 @@ index a54b018c..07e0120 100644 if (ipvs->sync_state & IP_VS_STATE_MASTER) ip_vs_sync_conn(net, cp, pkts); diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c -index 84444dd..86adaa0 100644 +index 84444dd..f91c066 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -788,7 +788,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest, @@ -77156,7 +77383,15 @@ index 84444dd..86adaa0 100644 entry.weight = atomic_read(&dest->weight); entry.u_threshold = dest->u_threshold; entry.l_threshold = dest->l_threshold; -@@ -3089,7 +3089,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest) +@@ -2759,6 +2759,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) + { + struct ip_vs_timeout_user t; + ++ memset(&t, 0, sizeof(t)); + __ip_vs_get_timeouts(net, &t); + if (copy_to_user(user, &t, sizeof(t)) != 0) + ret = -EFAULT; +@@ -3089,7 +3090,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest) if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) || nla_put_u16(skb, IPVS_DEST_ATTR_PORT, dest->port) || nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD, @@ -77359,7 +77594,7 @@ index 4fe4fb4..87a89e5 100644 return 0; } diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index b3025a6..d63a537 100644 +index b3025a6..e21e5297 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -753,7 +753,7 @@ static void netlink_overrun(struct sock *sk) @@ -77371,6 +77606,15 @@ index b3025a6..d63a537 100644 } static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid) +@@ -1344,7 +1344,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock, + if (NULL == siocb->scm) + siocb->scm = &scm; + +- err = scm_send(sock, msg, siocb->scm); ++ err = scm_send(sock, msg, siocb->scm, true); + if (err < 0) + return err; + @@ -2022,7 +2022,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) sk_wmem_alloc_get(s), nlk->cb, @@ -77994,7 +78238,7 @@ index 31c7bfc..bc380ae 100644 to += addrlen; cnt++; diff --git a/net/socket.c b/net/socket.c -index 0452dca..7e9758c 100644 +index 0452dca..0d601e0 100644 --- a/net/socket.c +++ b/net/socket.c @@ -88,6 +88,7 @@ @@ -78165,7 +78409,15 @@ index 0452dca..7e9758c 100644 uaddr_len = COMPAT_NAMELEN(msg); if (MSG_CMSG_COMPAT & flags) { err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE); -@@ -2761,7 +2821,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2658,6 +2718,7 @@ static int dev_ifconf(struct net *net, struct compat_ifconf __user *uifc32) + if (copy_from_user(&ifc32, uifc32, sizeof(struct compat_ifconf))) + return -EFAULT; + ++ memset(&ifc, 0, sizeof(ifc)); + if (ifc32.ifcbuf == 0) { + ifc32.ifc_len = 0; + ifc.ifc_len = 0; +@@ -2761,7 +2822,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) } ifr = compat_alloc_user_space(buf_size); @@ -78174,7 +78426,7 @@ index 0452dca..7e9758c 100644 if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ)) return -EFAULT; -@@ -2785,12 +2845,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2785,12 +2846,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) offsetof(struct ethtool_rxnfc, fs.ring_cookie)); if (copy_in_user(rxnfc, compat_rxnfc, @@ -78191,7 +78443,7 @@ index 0452dca..7e9758c 100644 copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt, sizeof(rxnfc->rule_cnt))) return -EFAULT; -@@ -2802,12 +2862,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) +@@ -2802,12 +2863,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) if (convert_out) { if (copy_in_user(compat_rxnfc, rxnfc, @@ -78208,7 +78460,7 @@ index 0452dca..7e9758c 100644 copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt, sizeof(rxnfc->rule_cnt))) return -EFAULT; -@@ -2877,7 +2937,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, +@@ -2877,7 +2938,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); err = dev_ioctl(net, cmd, @@ -78217,7 +78469,7 @@ index 0452dca..7e9758c 100644 set_fs(old_fs); return err; -@@ -2986,7 +3046,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, +@@ -2986,7 +3047,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); @@ -78226,7 +78478,7 @@ index 0452dca..7e9758c 100644 set_fs(old_fs); if (cmd == SIOCGIFMAP && !err) { -@@ -3091,7 +3151,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, +@@ -3091,7 +3152,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, ret |= __get_user(rtdev, &(ur4->rt_dev)); if (rtdev) { ret |= copy_from_user(devname, compat_ptr(rtdev), 15); @@ -78235,7 +78487,7 @@ index 0452dca..7e9758c 100644 devname[15] = 0; } else r4.rt_dev = NULL; -@@ -3317,8 +3377,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, +@@ -3317,8 +3378,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, int __user *uoptlen; int err; @@ -78246,7 +78498,7 @@ index 0452dca..7e9758c 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) -@@ -3338,7 +3398,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, +@@ -3338,7 +3399,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, char __user *uoptval; int err; @@ -78546,7 +78798,7 @@ index f976e9cd..560d055 100644 sub->evt.event = htohl(event, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 641f2e4..a63f5e1 100644 +index 641f2e4..590bb48 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -780,6 +780,12 @@ static struct sock *unix_find_other(struct net *net, @@ -78595,6 +78847,24 @@ index 641f2e4..a63f5e1 100644 mutex_unlock(&path.dentry->d_inode->i_mutex); dput(path.dentry); path.dentry = dentry; +@@ -1448,7 +1468,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, + if (NULL == siocb->scm) + siocb->scm = &tmp_scm; + wait_for_unix_gc(); +- err = scm_send(sock, msg, siocb->scm); ++ err = scm_send(sock, msg, siocb->scm, false); + if (err < 0) + return err; + +@@ -1617,7 +1637,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock, + if (NULL == siocb->scm) + siocb->scm = &tmp_scm; + wait_for_unix_gc(); +- err = scm_send(sock, msg, siocb->scm); ++ err = scm_send(sock, msg, siocb->scm, false); + if (err < 0) + return err; + diff --git a/net/wireless/core.h b/net/wireless/core.h index bc686ef..27845e6 100644 --- a/net/wireless/core.h |