commit: 4071022681de7405f4ef7b2778add1b9d08845cf Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Sat Jan 23 18:30:39 2016 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Sat Jan 23 18:30:39 2016 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=40710226
Linux 4.1.16. Includes patch for CVE-2016-0728 0000_README | 8 +- 1015_linux-4.1.16.patch | 1479 ++++++++++++++++++++ ...ing-refleak-in-join-session-CVE-2016-0728.patch | 81 -- 3 files changed, 1483 insertions(+), 85 deletions(-) diff --git a/0000_README b/0000_README index 18a8ebc..1ca97cd 100644 --- a/0000_README +++ b/0000_README @@ -103,6 +103,10 @@ Patch: 1014_linux-4.1.15.patch From: http://www.kernel.org Desc: Linux 4.1.15 +Patch: 1015_linux-4.1.16.patch +From: http://www.kernel.org +Desc: Linux 4.1.16 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. @@ -111,10 +115,6 @@ Patch: 1510_fs-enable-link-security-restrictions-by-default.patch From: http://sources.debian.net/src/linux/3.16.7-ckt4-3/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch/ Desc: Enable link security restrictions by default. -Patch: 1520_keyring-refleak-in-join-session-CVE-2016-0728.patch -From: https://bugs.gentoo.org/show_bug.cgi?id=572384 -Desc: Ensure that thread joining a session keyring does not leak the keyring reference. CVE-2016-0728. - Patch: 2700_ThinkPad-30-brightness-control-fix.patch From: Seth Forshee <[email protected]> Desc: ACPI: Disable Windows 8 compatibility for some Lenovo ThinkPads. diff --git a/1015_linux-4.1.16.patch b/1015_linux-4.1.16.patch new file mode 100644 index 0000000..44d7080 --- /dev/null +++ b/1015_linux-4.1.16.patch @@ -0,0 +1,1479 @@ +diff --git a/Makefile b/Makefile +index cf35f6bcffd8..7609f1dcdcb9 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 1 +-SUBLEVEL = 15 ++SUBLEVEL = 16 + EXTRAVERSION = + NAME = Series 4800 + +diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h +index f8319a0860fd..39be5acc9c48 100644 +--- a/drivers/char/tpm/tpm.h ++++ b/drivers/char/tpm/tpm.h +@@ -115,6 +115,13 @@ enum tpm2_startup_types { + TPM2_SU_STATE = 0x0001, + }; + ++enum tpm2_start_method { ++ TPM2_START_ACPI = 2, ++ TPM2_START_FIFO = 6, ++ TPM2_START_CRB = 7, ++ TPM2_START_CRB_WITH_ACPI = 8, ++}; ++ + struct tpm_chip; + + struct tpm_vendor_specific { +diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c +index 1267322595da..2b971b3e5c1c 100644 +--- a/drivers/char/tpm/tpm_crb.c ++++ b/drivers/char/tpm/tpm_crb.c +@@ -34,12 +34,6 @@ enum crb_defaults { + CRB_ACPI_START_INDEX = 1, + }; + +-enum crb_start_method { +- CRB_SM_ACPI_START = 2, +- CRB_SM_CRB = 7, +- CRB_SM_CRB_WITH_ACPI_START = 8, +-}; +- + struct acpi_tpm2 { + struct acpi_table_header hdr; + u16 platform_class; +@@ -220,12 +214,6 @@ static int crb_acpi_add(struct acpi_device *device) + u64 pa; + int rc; + +- chip = tpmm_chip_alloc(dev, &tpm_crb); +- if (IS_ERR(chip)) +- return PTR_ERR(chip); +- +- chip->flags = TPM_CHIP_FLAG_TPM2; +- + status = acpi_get_table(ACPI_SIG_TPM2, 1, + (struct acpi_table_header **) &buf); + if (ACPI_FAILURE(status)) { +@@ -233,13 +221,15 @@ static int crb_acpi_add(struct acpi_device *device) + return -ENODEV; + } + +- /* At least some versions of AMI BIOS have a bug that TPM2 table has +- * zero address for the control area and therefore we must fail. +- */ +- if (!buf->control_area_pa) { +- dev_err(dev, "TPM2 ACPI table has a zero address for the control area\n"); +- return -EINVAL; +- } ++ /* Should the FIFO driver handle this? */ ++ if (buf->start_method == TPM2_START_FIFO) ++ return -ENODEV; ++ ++ chip = tpmm_chip_alloc(dev, &tpm_crb); ++ if (IS_ERR(chip)) ++ return PTR_ERR(chip); ++ ++ chip->flags = TPM_CHIP_FLAG_TPM2; + + if (buf->hdr.length < sizeof(struct acpi_tpm2)) { + dev_err(dev, "TPM2 ACPI table has wrong size"); +@@ -259,11 +249,11 @@ static int crb_acpi_add(struct acpi_device *device) + * report only ACPI start but in practice seems to require both + * ACPI start and CRB start. + */ +- if (sm == CRB_SM_CRB || sm == CRB_SM_CRB_WITH_ACPI_START || ++ if (sm == TPM2_START_CRB || sm == TPM2_START_FIFO || + !strcmp(acpi_device_hid(device), "MSFT0101")) + priv->flags |= CRB_FL_CRB_START; + +- if (sm == CRB_SM_ACPI_START || sm == CRB_SM_CRB_WITH_ACPI_START) ++ if (sm == TPM2_START_ACPI || sm == TPM2_START_CRB_WITH_ACPI) + priv->flags |= CRB_FL_ACPI_START; + + priv->cca = (struct crb_control_area __iomem *) +diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c +index f2dffa770b8e..696ef1d56b4f 100644 +--- a/drivers/char/tpm/tpm_tis.c ++++ b/drivers/char/tpm/tpm_tis.c +@@ -1,6 +1,6 @@ + /* + * Copyright (C) 2005, 2006 IBM Corporation +- * Copyright (C) 2014 Intel Corporation ++ * Copyright (C) 2014, 2015 Intel Corporation + * + * Authors: + * Leendert van Doorn <[email protected]> +@@ -28,6 +28,7 @@ + #include <linux/wait.h> + #include <linux/acpi.h> + #include <linux/freezer.h> ++#include <acpi/actbl2.h> + #include "tpm.h" + + enum tis_access { +@@ -65,6 +66,17 @@ enum tis_defaults { + TIS_LONG_TIMEOUT = 2000, /* 2 sec */ + }; + ++struct tpm_info { ++ unsigned long start; ++ unsigned long len; ++ unsigned int irq; ++}; ++ ++static struct tpm_info tis_default_info = { ++ .start = TIS_MEM_BASE, ++ .len = TIS_MEM_LEN, ++ .irq = 0, ++}; + + /* Some timeout values are needed before it is known whether the chip is + * TPM 1.0 or TPM 2.0. +@@ -91,26 +103,54 @@ struct priv_data { + }; + + #if defined(CONFIG_PNP) && defined(CONFIG_ACPI) +-static int is_itpm(struct pnp_dev *dev) ++static int has_hid(struct acpi_device *dev, const char *hid) + { +- struct acpi_device *acpi = pnp_acpi_device(dev); + struct acpi_hardware_id *id; + +- if (!acpi) +- return 0; +- +- list_for_each_entry(id, &acpi->pnp.ids, list) { +- if (!strcmp("INTC0102", id->id)) ++ list_for_each_entry(id, &dev->pnp.ids, list) ++ if (!strcmp(hid, id->id)) + return 1; +- } + + return 0; + } ++ ++static inline int is_itpm(struct acpi_device *dev) ++{ ++ return has_hid(dev, "INTC0102"); ++} ++ ++static inline int is_fifo(struct acpi_device *dev) ++{ ++ struct acpi_table_tpm2 *tbl; ++ acpi_status st; ++ ++ /* TPM 1.2 FIFO */ ++ if (!has_hid(dev, "MSFT0101")) ++ return 1; ++ ++ st = acpi_get_table(ACPI_SIG_TPM2, 1, ++ (struct acpi_table_header **) &tbl); ++ if (ACPI_FAILURE(st)) { ++ dev_err(&dev->dev, "failed to get TPM2 ACPI table\n"); ++ return 0; ++ } ++ ++ if (le32_to_cpu(tbl->start_method) != TPM2_START_FIFO) ++ return 0; ++ ++ /* TPM 2.0 FIFO */ ++ return 1; ++} + #else +-static inline int is_itpm(struct pnp_dev *dev) ++static inline int is_itpm(struct acpi_device *dev) + { + return 0; + } ++ ++static inline int is_fifo(struct acpi_device *dev) ++{ ++ return 1; ++} + #endif + + /* Before we attempt to access the TPM we must see that the valid bit is set. +@@ -600,9 +640,8 @@ static void tpm_tis_remove(struct tpm_chip *chip) + release_locality(chip, chip->vendor.locality, 1); + } + +-static int tpm_tis_init(struct device *dev, acpi_handle acpi_dev_handle, +- resource_size_t start, resource_size_t len, +- unsigned int irq) ++static int tpm_tis_init(struct device *dev, struct tpm_info *tpm_info, ++ acpi_handle acpi_dev_handle) + { + u32 vendor, intfcaps, intmask; + int rc, i, irq_s, irq_e, probe; +@@ -622,7 +661,7 @@ static int tpm_tis_init(struct device *dev, acpi_handle acpi_dev_handle, + chip->acpi_dev_handle = acpi_dev_handle; + #endif + +- chip->vendor.iobase = devm_ioremap(dev, start, len); ++ chip->vendor.iobase = devm_ioremap(dev, tpm_info->start, tpm_info->len); + if (!chip->vendor.iobase) + return -EIO; + +@@ -707,7 +746,7 @@ static int tpm_tis_init(struct device *dev, acpi_handle acpi_dev_handle, + chip->vendor.iobase + + TPM_INT_ENABLE(chip->vendor.locality)); + if (interrupts) +- chip->vendor.irq = irq; ++ chip->vendor.irq = tpm_info->irq; + if (interrupts && !chip->vendor.irq) { + irq_s = + ioread8(chip->vendor.iobase + +@@ -890,27 +929,27 @@ static SIMPLE_DEV_PM_OPS(tpm_tis_pm, tpm_pm_suspend, tpm_tis_resume); + static int tpm_tis_pnp_init(struct pnp_dev *pnp_dev, + const struct pnp_device_id *pnp_id) + { +- resource_size_t start, len; +- unsigned int irq = 0; ++ struct tpm_info tpm_info = tis_default_info; + acpi_handle acpi_dev_handle = NULL; + +- start = pnp_mem_start(pnp_dev, 0); +- len = pnp_mem_len(pnp_dev, 0); ++ tpm_info.start = pnp_mem_start(pnp_dev, 0); ++ tpm_info.len = pnp_mem_len(pnp_dev, 0); + + if (pnp_irq_valid(pnp_dev, 0)) +- irq = pnp_irq(pnp_dev, 0); ++ tpm_info.irq = pnp_irq(pnp_dev, 0); + else + interrupts = false; + +- if (is_itpm(pnp_dev)) +- itpm = true; +- + #ifdef CONFIG_ACPI +- if (pnp_acpi_device(pnp_dev)) ++ if (pnp_acpi_device(pnp_dev)) { ++ if (is_itpm(pnp_acpi_device(pnp_dev))) ++ itpm = true; ++ + acpi_dev_handle = pnp_acpi_device(pnp_dev)->handle; ++ } + #endif + +- return tpm_tis_init(&pnp_dev->dev, acpi_dev_handle, start, len, irq); ++ return tpm_tis_init(&pnp_dev->dev, &tpm_info, acpi_dev_handle); + } + + static struct pnp_device_id tpm_pnp_tbl[] = { +@@ -930,6 +969,7 @@ MODULE_DEVICE_TABLE(pnp, tpm_pnp_tbl); + static void tpm_tis_pnp_remove(struct pnp_dev *dev) + { + struct tpm_chip *chip = pnp_get_drvdata(dev); ++ + tpm_chip_unregister(chip); + tpm_tis_remove(chip); + } +@@ -950,6 +990,79 @@ module_param_string(hid, tpm_pnp_tbl[TIS_HID_USR_IDX].id, + MODULE_PARM_DESC(hid, "Set additional specific HID for this driver to probe"); + #endif + ++#ifdef CONFIG_ACPI ++static int tpm_check_resource(struct acpi_resource *ares, void *data) ++{ ++ struct tpm_info *tpm_info = (struct tpm_info *) data; ++ struct resource res; ++ ++ if (acpi_dev_resource_interrupt(ares, 0, &res)) { ++ tpm_info->irq = res.start; ++ } else if (acpi_dev_resource_memory(ares, &res)) { ++ tpm_info->start = res.start; ++ tpm_info->len = resource_size(&res); ++ } ++ ++ return 1; ++} ++ ++static int tpm_tis_acpi_init(struct acpi_device *acpi_dev) ++{ ++ struct list_head resources; ++ struct tpm_info tpm_info = tis_default_info; ++ int ret; ++ ++ if (!is_fifo(acpi_dev)) ++ return -ENODEV; ++ ++ INIT_LIST_HEAD(&resources); ++ ret = acpi_dev_get_resources(acpi_dev, &resources, tpm_check_resource, ++ &tpm_info); ++ if (ret < 0) ++ return ret; ++ ++ acpi_dev_free_resource_list(&resources); ++ ++ if (!tpm_info.irq) ++ interrupts = false; ++ ++ if (is_itpm(acpi_dev)) ++ itpm = true; ++ ++ return tpm_tis_init(&acpi_dev->dev, &tpm_info, acpi_dev->handle); ++} ++ ++static int tpm_tis_acpi_remove(struct acpi_device *dev) ++{ ++ struct tpm_chip *chip = dev_get_drvdata(&dev->dev); ++ ++ tpm_chip_unregister(chip); ++ tpm_tis_remove(chip); ++ ++ return 0; ++} ++ ++static struct acpi_device_id tpm_acpi_tbl[] = { ++ {"MSFT0101", 0}, /* TPM 2.0 */ ++ /* Add new here */ ++ {"", 0}, /* User Specified */ ++ {"", 0} /* Terminator */ ++}; ++MODULE_DEVICE_TABLE(acpi, tpm_acpi_tbl); ++ ++static struct acpi_driver tis_acpi_driver = { ++ .name = "tpm_tis", ++ .ids = tpm_acpi_tbl, ++ .ops = { ++ .add = tpm_tis_acpi_init, ++ .remove = tpm_tis_acpi_remove, ++ }, ++ .drv = { ++ .pm = &tpm_tis_pm, ++ }, ++}; ++#endif ++ + static struct platform_driver tis_drv = { + .driver = { + .name = "tpm_tis", +@@ -966,9 +1079,25 @@ static int __init init_tis(void) + { + int rc; + #ifdef CONFIG_PNP +- if (!force) +- return pnp_register_driver(&tis_pnp_driver); ++ if (!force) { ++ rc = pnp_register_driver(&tis_pnp_driver); ++ if (rc) ++ return rc; ++ } ++#endif ++#ifdef CONFIG_ACPI ++ if (!force) { ++ rc = acpi_bus_register_driver(&tis_acpi_driver); ++ if (rc) { ++#ifdef CONFIG_PNP ++ pnp_unregister_driver(&tis_pnp_driver); + #endif ++ return rc; ++ } ++ } ++#endif ++ if (!force) ++ return 0; + + rc = platform_driver_register(&tis_drv); + if (rc < 0) +@@ -978,7 +1107,7 @@ static int __init init_tis(void) + rc = PTR_ERR(pdev); + goto err_dev; + } +- rc = tpm_tis_init(&pdev->dev, NULL, TIS_MEM_BASE, TIS_MEM_LEN, 0); ++ rc = tpm_tis_init(&pdev->dev, &tis_default_info, NULL); + if (rc) + goto err_init; + return 0; +@@ -992,9 +1121,14 @@ err_dev: + static void __exit cleanup_tis(void) + { + struct tpm_chip *chip; +-#ifdef CONFIG_PNP ++#if defined(CONFIG_PNP) || defined(CONFIG_ACPI) + if (!force) { ++#ifdef CONFIG_ACPI ++ acpi_bus_unregister_driver(&tis_acpi_driver); ++#endif ++#ifdef CONFIG_PNP + pnp_unregister_driver(&tis_pnp_driver); ++#endif + return; + } + #endif +diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c +index 932bd1862f7a..6e9036a06515 100644 +--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c ++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c +@@ -1014,13 +1014,12 @@ static int atl1c_setup_ring_resources(struct atl1c_adapter *adapter) + sizeof(struct atl1c_recv_ret_status) * rx_desc_count + + 8 * 4; + +- ring_header->desc = pci_alloc_consistent(pdev, ring_header->size, +- &ring_header->dma); ++ ring_header->desc = dma_zalloc_coherent(&pdev->dev, ring_header->size, ++ &ring_header->dma, GFP_KERNEL); + if (unlikely(!ring_header->desc)) { +- dev_err(&pdev->dev, "pci_alloc_consistend failed\n"); ++ dev_err(&pdev->dev, "could not get memory for DMA buffer\n"); + goto err_nomem; + } +- memset(ring_header->desc, 0, ring_header->size); + /* init TPD ring */ + + tpd_ring[0].dma = roundup(ring_header->dma, 8); +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index 6af028d5f9bc..97e4df9bf407 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -736,9 +736,8 @@ qcaspi_netdev_tx_timeout(struct net_device *dev) + netdev_info(qca->net_dev, "Transmit timeout at %ld, latency %ld\n", + jiffies, jiffies - dev->trans_start); + qca->net_dev->stats.tx_errors++; +- /* wake the queue if there is room */ +- if (qcaspi_tx_ring_has_space(&qca->txr)) +- netif_wake_queue(dev); ++ /* Trigger tx queue flush and QCA7000 reset */ ++ qca->sync = QCASPI_SYNC_UNKNOWN; + } + + static int +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index 7fb244f565b2..13463c4acc86 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -1481,6 +1481,7 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota) + if (mdp->cd->shift_rd0) + desc_status >>= 16; + ++ skb = mdp->rx_skbuff[entry]; + if (desc_status & (RD_RFS1 | RD_RFS2 | RD_RFS3 | RD_RFS4 | + RD_RFS5 | RD_RFS6 | RD_RFS10)) { + ndev->stats.rx_errors++; +@@ -1496,12 +1497,11 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota) + ndev->stats.rx_missed_errors++; + if (desc_status & RD_RFS10) + ndev->stats.rx_over_errors++; +- } else { ++ } else if (skb) { + if (!mdp->cd->hw_swap) + sh_eth_soft_swap( + phys_to_virt(ALIGN(rxdesc->addr, 4)), + pkt_len + 2); +- skb = mdp->rx_skbuff[entry]; + mdp->rx_skbuff[entry] = NULL; + if (mdp->cd->rpadir) + skb_reserve(skb, NET_IP_ALIGN); +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c +index ab33262ed826..9c8fabed4444 100644 +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -568,6 +568,9 @@ static int pppoe_create(struct net *net, struct socket *sock) + sk->sk_family = PF_PPPOX; + sk->sk_protocol = PX_PROTO_OE; + ++ INIT_WORK(&pppox_sk(sk)->proto.pppoe.padt_work, ++ pppoe_unbind_sock_work); ++ + return 0; + } + +@@ -632,8 +635,6 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr, + + lock_sock(sk); + +- INIT_WORK(&po->proto.pppoe.padt_work, pppoe_unbind_sock_work); +- + error = -EINVAL; + if (sp->sa_protocol != PX_PROTO_OE) + goto end; +@@ -663,8 +664,13 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr, + po->pppoe_dev = NULL; + } + +- memset(sk_pppox(po) + 1, 0, +- sizeof(struct pppox_sock) - sizeof(struct sock)); ++ po->pppoe_ifindex = 0; ++ memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa)); ++ memset(&po->pppoe_relay, 0, sizeof(po->pppoe_relay)); ++ memset(&po->chan, 0, sizeof(po->chan)); ++ po->next = NULL; ++ po->num = 0; ++ + sk->sk_state = PPPOX_NONE; + } + +diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c +index e3bfbd4d0136..0bacabfa486e 100644 +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -420,6 +420,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr, + struct pptp_opt *opt = &po->proto.pptp; + int error = 0; + ++ if (sockaddr_len < sizeof(struct sockaddr_pppox)) ++ return -EINVAL; ++ + lock_sock(sk); + + opt->src_addr = sp->sa_addr.pptp; +@@ -441,6 +444,9 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr, + struct flowi4 fl4; + int error = 0; + ++ if (sockaddr_len < sizeof(struct sockaddr_pppox)) ++ return -EINVAL; ++ + if (sp->sa_protocol != PX_PROTO_PPTP) + return -EINVAL; + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index aafa1a1898e4..ce6fad1c43e6 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -3006,17 +3006,6 @@ static int rtl8152_open(struct net_device *netdev) + + mutex_lock(&tp->control); + +- /* The WORK_ENABLE may be set when autoresume occurs */ +- if (test_bit(WORK_ENABLE, &tp->flags)) { +- clear_bit(WORK_ENABLE, &tp->flags); +- usb_kill_urb(tp->intr_urb); +- cancel_delayed_work_sync(&tp->schedule); +- +- /* disable the tx/rx, if the workqueue has enabled them. */ +- if (netif_carrier_ok(netdev)) +- tp->rtl_ops.disable(tp); +- } +- + tp->rtl_ops.up(tp); + + rtl8152_set_speed(tp, AUTONEG_ENABLE, +@@ -3063,12 +3052,6 @@ static int rtl8152_close(struct net_device *netdev) + } else { + mutex_lock(&tp->control); + +- /* The autosuspend may have been enabled and wouldn't +- * be disable when autoresume occurs, because the +- * netif_running() would be false. +- */ +- rtl_runtime_suspend_enable(tp, false); +- + tp->rtl_ops.down(tp); + + mutex_unlock(&tp->control); +@@ -3369,7 +3352,7 @@ static int rtl8152_resume(struct usb_interface *intf) + netif_device_attach(tp->netdev); + } + +- if (netif_running(tp->netdev)) { ++ if (netif_running(tp->netdev) && tp->netdev->flags & IFF_UP) { + if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) { + rtl_runtime_suspend_enable(tp, false); + clear_bit(SELECTIVE_SUSPEND, &tp->flags); +@@ -3387,6 +3370,8 @@ static int rtl8152_resume(struct usb_interface *intf) + } + usb_submit_urb(tp->intr_urb, GFP_KERNEL); + } else if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) { ++ if (tp->netdev->flags & IFF_UP) ++ rtl_runtime_suspend_enable(tp, false); + clear_bit(SELECTIVE_SUSPEND, &tp->flags); + } + +diff --git a/drivers/platform/x86/toshiba_acpi.c b/drivers/platform/x86/toshiba_acpi.c +index 93e54a0f471a..35882dd690a6 100644 +--- a/drivers/platform/x86/toshiba_acpi.c ++++ b/drivers/platform/x86/toshiba_acpi.c +@@ -2764,6 +2764,7 @@ static int toshiba_acpi_add(struct acpi_device *acpi_dev) + ret = toshiba_function_keys_get(dev, &special_functions); + dev->kbd_function_keys_supported = !ret; + ++ dev->hotkey_event_type = 0; + if (toshiba_acpi_setup_keyboard(dev)) + pr_info("Unable to activate hotkeys\n"); + +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index a086e1d69bc7..0fe15aec7ed0 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1848,6 +1848,11 @@ static const struct usb_device_id acm_ids[] = { + }, + #endif + ++ /* Exclude Infineon Flash Loader utility */ ++ { USB_DEVICE(0x058b, 0x0041), ++ .driver_info = IGNORE_DEVICE, ++ }, ++ + /* control interfaces without any protocol set */ + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM, + USB_CDC_PROTO_NONE) }, +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c +index b9ddf0c1ffe5..894894f2ff93 100644 +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -115,7 +115,8 @@ static void usb_parse_ss_endpoint_companion(struct device *ddev, int cfgno, + USB_SS_MULT(desc->bmAttributes) > 3) { + dev_warn(ddev, "Isoc endpoint has Mult of %d in " + "config %d interface %d altsetting %d ep %d: " +- "setting to 3\n", desc->bmAttributes + 1, ++ "setting to 3\n", ++ USB_SS_MULT(desc->bmAttributes), + cfgno, inum, asnum, ep->desc.bEndpointAddress); + ep->ss_ep_comp.bmAttributes = 2; + } +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 1e9a8c9aa531..d68c4a4db682 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -124,6 +124,10 @@ struct usb_hub *usb_hub_to_struct_hub(struct usb_device *hdev) + + int usb_device_supports_lpm(struct usb_device *udev) + { ++ /* Some devices have trouble with LPM */ ++ if (udev->quirks & USB_QUIRK_NO_LPM) ++ return 0; ++ + /* USB 2.1 (and greater) devices indicate LPM support through + * their USB 2.0 Extended Capabilities BOS descriptor. + */ +@@ -4493,6 +4497,8 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, + goto fail; + } + ++ usb_detect_quirks(udev); ++ + if (udev->wusb == 0 && le16_to_cpu(udev->descriptor.bcdUSB) >= 0x0201) { + retval = usb_get_bos_descriptor(udev); + if (!retval) { +@@ -4691,7 +4697,6 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, + if (status < 0) + goto loop; + +- usb_detect_quirks(udev); + if (udev->quirks & USB_QUIRK_DELAY_INIT) + msleep(1000); + +@@ -5307,9 +5312,6 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + if (udev->usb2_hw_lpm_enabled == 1) + usb_set_usb2_hardware_lpm(udev, 0); + +- bos = udev->bos; +- udev->bos = NULL; +- + /* Disable LPM and LTM while we reset the device and reinstall the alt + * settings. Device-initiated LPM settings, and system exit latency + * settings are cleared when the device is reset, so we have to set +@@ -5318,15 +5320,18 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + ret = usb_unlocked_disable_lpm(udev); + if (ret) { + dev_err(&udev->dev, "%s Failed to disable LPM\n.", __func__); +- goto re_enumerate; ++ goto re_enumerate_no_bos; + } + ret = usb_disable_ltm(udev); + if (ret) { + dev_err(&udev->dev, "%s Failed to disable LTM\n.", + __func__); +- goto re_enumerate; ++ goto re_enumerate_no_bos; + } + ++ bos = udev->bos; ++ udev->bos = NULL; ++ + for (i = 0; i < SET_CONFIG_TRIES; ++i) { + + /* ep0 maxpacket size may change; let the HCD know about it. +@@ -5423,10 +5428,11 @@ done: + return 0; + + re_enumerate: +- /* LPM state doesn't matter when we're about to destroy the device. */ +- hub_port_logical_disconnect(parent_hub, port1); + usb_release_bos_descriptor(udev); + udev->bos = bos; ++re_enumerate_no_bos: ++ /* LPM state doesn't matter when we're about to destroy the device. */ ++ hub_port_logical_disconnect(parent_hub, port1); + return -ENODEV; + } + +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index f5a381945db2..017c1de53aa5 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -199,6 +199,12 @@ static const struct usb_device_id usb_quirk_list[] = { + { USB_DEVICE(0x1a0a, 0x0200), .driver_info = + USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL }, + ++ /* Blackmagic Design Intensity Shuttle */ ++ { USB_DEVICE(0x1edb, 0xbd3b), .driver_info = USB_QUIRK_NO_LPM }, ++ ++ /* Blackmagic Design UltraStudio SDI */ ++ { USB_DEVICE(0x1edb, 0xbd4f), .driver_info = USB_QUIRK_NO_LPM }, ++ + { } /* terminating entry must be last */ + }; + +diff --git a/drivers/usb/gadget/udc/pxa27x_udc.c b/drivers/usb/gadget/udc/pxa27x_udc.c +index b51226abade6..7a454708e948 100644 +--- a/drivers/usb/gadget/udc/pxa27x_udc.c ++++ b/drivers/usb/gadget/udc/pxa27x_udc.c +@@ -2535,6 +2535,9 @@ static int pxa_udc_suspend(struct platform_device *_dev, pm_message_t state) + udc->pullup_resume = udc->pullup_on; + dplus_pullup(udc, 0); + ++ if (udc->driver) ++ udc->driver->disconnect(&udc->gadget); ++ + return 0; + } + +diff --git a/drivers/usb/host/whci/qset.c b/drivers/usb/host/whci/qset.c +index dc31c425ce01..9f1c0538b211 100644 +--- a/drivers/usb/host/whci/qset.c ++++ b/drivers/usb/host/whci/qset.c +@@ -377,6 +377,10 @@ static int qset_fill_page_list(struct whc *whc, struct whc_std *std, gfp_t mem_f + if (std->pl_virt == NULL) + return -ENOMEM; + std->dma_addr = dma_map_single(whc->wusbhc.dev, std->pl_virt, pl_len, DMA_TO_DEVICE); ++ if (dma_mapping_error(whc->wusbhc.dev, std->dma_addr)) { ++ kfree(std->pl_virt); ++ return -EFAULT; ++ } + + for (p = 0; p < std->num_pointers; p++) { + std->pl_virt[p].buf_ptr = cpu_to_le64(dma_addr); +diff --git a/drivers/usb/musb/Kconfig b/drivers/usb/musb/Kconfig +index 39db8b603627..d1b9e0c7fb0d 100644 +--- a/drivers/usb/musb/Kconfig ++++ b/drivers/usb/musb/Kconfig +@@ -147,7 +147,7 @@ config USB_TI_CPPI_DMA + + config USB_TI_CPPI41_DMA + bool 'TI CPPI 4.1 (AM335x)' +- depends on ARCH_OMAP ++ depends on ARCH_OMAP && DMADEVICES + select TI_CPPI41 + + config USB_TUSB_OMAP_DMA +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index eac7ccaa3c85..7d4f51a32e66 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -132,7 +132,6 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */ +- { USB_DEVICE(0x10C4, 0xEA80) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */ + { USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */ + { USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */ +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c +index 3658662898fc..a204782ae530 100644 +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -53,6 +53,7 @@ DEVICE(funsoft, FUNSOFT_IDS); + + /* Infineon Flashloader driver */ + #define FLASHLOADER_IDS() \ ++ { USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \ + { USB_DEVICE(0x8087, 0x0716) } + DEVICE(flashloader, FLASHLOADER_IDS); + +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index 6d3122afeed3..75e4979e6c15 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -796,6 +796,10 @@ static int uas_slave_configure(struct scsi_device *sdev) + if (devinfo->flags & US_FL_NO_REPORT_OPCODES) + sdev->no_report_opcodes = 1; + ++ /* A few buggy USB-ATA bridges don't understand FUA */ ++ if (devinfo->flags & US_FL_BROKEN_FUA) ++ sdev->broken_fua = 1; ++ + scsi_change_queue_depth(sdev, devinfo->qdepth - 2); + return 0; + } +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h +index 87898ca2ed17..4095824c8c6d 100644 +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -1987,7 +1987,7 @@ UNUSUAL_DEV( 0x14cd, 0x6600, 0x0201, 0x0201, + US_FL_IGNORE_RESIDUE ), + + /* Reported by Michael Büsch <[email protected]> */ +-UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0114, ++UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0116, + "JMicron", + "USB to ATA/ATAPI Bridge", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, +diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h +index c85ea530085f..ccc113e83d88 100644 +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -132,7 +132,7 @@ UNUSUAL_DEV(0x152d, 0x0567, 0x0000, 0x9999, + "JMicron", + "JMS567", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, +- US_FL_NO_REPORT_OPCODES), ++ US_FL_BROKEN_FUA | US_FL_NO_REPORT_OPCODES), + + /* Reported-by: Hans de Goede <[email protected]> */ + UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999, +diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h +index 9948c874e3f1..1d0043dc34e4 100644 +--- a/include/linux/usb/quirks.h ++++ b/include/linux/usb/quirks.h +@@ -47,4 +47,7 @@ + /* device generates spurious wakeup, ignore remote wakeup capability */ + #define USB_QUIRK_IGNORE_REMOTE_WAKEUP BIT(9) + ++/* device can't handle Link Power Management */ ++#define USB_QUIRK_NO_LPM BIT(10) ++ + #endif /* __LINUX_USB_QUIRKS_H */ +diff --git a/include/net/dst.h b/include/net/dst.h +index 0fb99a26e973..182b812d45e1 100644 +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -312,6 +312,39 @@ static inline void skb_dst_force(struct sk_buff *skb) + } + } + ++/** ++ * dst_hold_safe - Take a reference on a dst if possible ++ * @dst: pointer to dst entry ++ * ++ * This helper returns false if it could not safely ++ * take a reference on a dst. ++ */ ++static inline bool dst_hold_safe(struct dst_entry *dst) ++{ ++ if (dst->flags & DST_NOCACHE) ++ return atomic_inc_not_zero(&dst->__refcnt); ++ dst_hold(dst); ++ return true; ++} ++ ++/** ++ * skb_dst_force_safe - makes sure skb dst is refcounted ++ * @skb: buffer ++ * ++ * If dst is not yet refcounted and not destroyed, grab a ref on it. ++ */ ++static inline void skb_dst_force_safe(struct sk_buff *skb) ++{ ++ if (skb_dst_is_noref(skb)) { ++ struct dst_entry *dst = skb_dst(skb); ++ ++ if (!dst_hold_safe(dst)) ++ dst = NULL; ++ ++ skb->_skb_refdst = (unsigned long)dst; ++ } ++} ++ + + /** + * __skb_tunnel_rx - prepare skb for rx reinsert +diff --git a/include/net/sock.h b/include/net/sock.h +index ed01a012f8d5..4c4b21c00828 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -386,6 +386,7 @@ struct sock { + sk_no_check_rx : 1, + sk_userlocks : 4, + sk_protocol : 8, ++#define SK_PROTOCOL_MAX U8_MAX + sk_type : 16; + kmemcheck_bitfield_end(flags); + int sk_wmem_queued; +@@ -722,6 +723,8 @@ enum sock_flags { + SOCK_SELECT_ERR_QUEUE, /* Wake select on error queue */ + }; + ++#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)) ++ + static inline void sock_copy_flags(struct sock *nsk, struct sock *osk) + { + nsk->sk_flags = osk->sk_flags; +@@ -796,7 +799,7 @@ void sk_stream_write_space(struct sock *sk); + static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb) + { + /* dont let skb dst not refcounted, we are going to leave rcu lock */ +- skb_dst_force(skb); ++ skb_dst_force_safe(skb); + + if (!sk->sk_backlog.tail) + sk->sk_backlog.head = skb; +diff --git a/include/net/vxlan.h b/include/net/vxlan.h +index 0082b5d33d7d..7ef9272a405a 100644 +--- a/include/net/vxlan.h ++++ b/include/net/vxlan.h +@@ -78,7 +78,7 @@ struct vxlanhdr { + }; + + /* VXLAN header flags. */ +-#define VXLAN_HF_RCO BIT(24) ++#define VXLAN_HF_RCO BIT(21) + #define VXLAN_HF_VNI BIT(27) + #define VXLAN_HF_GBP BIT(31) + +diff --git a/lib/rhashtable.c b/lib/rhashtable.c +index cf910e48f8f2..5b17447efa8b 100644 +--- a/lib/rhashtable.c ++++ b/lib/rhashtable.c +@@ -506,10 +506,11 @@ int rhashtable_walk_init(struct rhashtable *ht, struct rhashtable_iter *iter) + if (!iter->walker) + return -ENOMEM; + +- mutex_lock(&ht->mutex); +- iter->walker->tbl = rht_dereference(ht->tbl, ht); ++ spin_lock(&ht->lock); ++ iter->walker->tbl = ++ rcu_dereference_protected(ht->tbl, lockdep_is_held(&ht->lock)); + list_add(&iter->walker->list, &iter->walker->tbl->walkers); +- mutex_unlock(&ht->mutex); ++ spin_unlock(&ht->lock); + + return 0; + } +@@ -523,10 +524,10 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_init); + */ + void rhashtable_walk_exit(struct rhashtable_iter *iter) + { +- mutex_lock(&iter->ht->mutex); ++ spin_lock(&iter->ht->lock); + if (iter->walker->tbl) + list_del(&iter->walker->list); +- mutex_unlock(&iter->ht->mutex); ++ spin_unlock(&iter->ht->lock); + kfree(iter->walker); + } + EXPORT_SYMBOL_GPL(rhashtable_walk_exit); +@@ -550,14 +551,12 @@ int rhashtable_walk_start(struct rhashtable_iter *iter) + { + struct rhashtable *ht = iter->ht; + +- mutex_lock(&ht->mutex); ++ rcu_read_lock(); + ++ spin_lock(&ht->lock); + if (iter->walker->tbl) + list_del(&iter->walker->list); +- +- rcu_read_lock(); +- +- mutex_unlock(&ht->mutex); ++ spin_unlock(&ht->lock); + + if (!iter->walker->tbl) { + iter->walker->tbl = rht_dereference_rcu(ht->tbl, ht); +@@ -730,9 +729,6 @@ int rhashtable_init(struct rhashtable *ht, + if (params->nulls_base && params->nulls_base < (1U << RHT_BASE_SHIFT)) + return -EINVAL; + +- if (params->nelem_hint) +- size = rounded_hashtable_size(params); +- + memset(ht, 0, sizeof(*ht)); + mutex_init(&ht->mutex); + spin_lock_init(&ht->lock); +@@ -752,6 +748,9 @@ int rhashtable_init(struct rhashtable *ht, + + ht->p.min_size = max(ht->p.min_size, HASH_MIN_SIZE); + ++ if (params->nelem_hint) ++ size = rounded_hashtable_size(&ht->p); ++ + /* The maximum (not average) chain length grows with the + * size of the hash table, at a rate of (log N)/(log log N). + * The value of 16 is selected so that even if the hash +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index 330c1f4a5a0b..a64884bbf0ce 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -806,6 +806,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol, + struct sock *sk; + ax25_cb *ax25; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (!net_eq(net, &init_net)) + return -EAFNOSUPPORT; + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index 4322c833e748..8611bc7bdd32 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -520,6 +520,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le + if (!addr || addr->sa_family != AF_BLUETOOTH) + return -EINVAL; + ++ if (addr_len < sizeof(struct sockaddr_sco)) ++ return -EINVAL; ++ + lock_sock(sk); + + if (sk->sk_state != BT_OPEN) { +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 075d2e78c87e..2e5fcda16570 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3661,7 +3661,8 @@ static void __skb_complete_tx_timestamp(struct sk_buff *skb, + serr->ee.ee_info = tstype; + if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) { + serr->ee.ee_data = skb_shinfo(skb)->tskey; +- if (sk->sk_protocol == IPPROTO_TCP) ++ if (sk->sk_protocol == IPPROTO_TCP && ++ sk->sk_type == SOCK_STREAM) + serr->ee.ee_data -= sk->sk_tskey; + } + +@@ -4200,7 +4201,8 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) + return NULL; + } + +- memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN); ++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN, ++ 2 * ETH_ALEN); + skb->mac_header += VLAN_HLEN; + return skb; + } +diff --git a/net/core/sock.c b/net/core/sock.c +index dc30dc5bb1b8..47fc8bb3b946 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -421,8 +421,6 @@ static void sock_warn_obsolete_bsdism(const char *name) + } + } + +-#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)) +- + static void sock_disable_timestamp(struct sock *sk, unsigned long flags) + { + if (sk->sk_flags & flags) { +@@ -861,7 +859,8 @@ set_rcvbuf: + + if (val & SOF_TIMESTAMPING_OPT_ID && + !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) { +- if (sk->sk_protocol == IPPROTO_TCP) { ++ if (sk->sk_protocol == IPPROTO_TCP && ++ sk->sk_type == SOCK_STREAM) { + if (sk->sk_state != TCP_ESTABLISHED) { + ret = -EINVAL; + break; +diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c +index 754484b3cd0e..2783c538ec19 100644 +--- a/net/decnet/af_decnet.c ++++ b/net/decnet/af_decnet.c +@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol, + { + struct sock *sk; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (!net_eq(net, &init_net)) + return -EAFNOSUPPORT; + +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index a5aa54ea6533..0cc98b135b8f 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -259,6 +259,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, + int try_loading_module = 0; + int err; + ++ if (protocol < 0 || protocol >= IPPROTO_MAX) ++ return -EINVAL; ++ + sock->state = SS_UNCONNECTED; + + /* Look for the requested type/protocol pair. */ +diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c +index 34968cd5c146..4b67937692c9 100644 +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -24,6 +24,7 @@ struct fou { + u16 type; + struct udp_offload udp_offloads; + struct list_head list; ++ struct rcu_head rcu; + }; + + #define FOU_F_REMCSUM_NOPARTIAL BIT(0) +@@ -421,7 +422,7 @@ static void fou_release(struct fou *fou) + list_del(&fou->list); + udp_tunnel_sock_release(sock); + +- kfree(fou); ++ kfree_rcu(fou, rcu); + } + + static int fou_encap_init(struct sock *sk, struct fou *fou, struct fou_cfg *cfg) +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 88203e755af8..cd18c3d3251e 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1509,7 +1509,7 @@ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb) + if (likely(sk->sk_rx_dst)) + skb_dst_drop(skb); + else +- skb_dst_force(skb); ++ skb_dst_force_safe(skb); + + __skb_queue_tail(&tp->ucopy.prequeue, skb); + tp->ucopy.memory += skb->truesize; +@@ -1714,8 +1714,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) + { + struct dst_entry *dst = skb_dst(skb); + +- if (dst) { +- dst_hold(dst); ++ if (dst && dst_hold_safe(dst)) { + sk->sk_rx_dst = dst; + inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; + } +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 986440b24978..1ea4322c3b0c 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3143,7 +3143,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn) + { + struct tcp_sock *tp = tcp_sk(sk); + struct tcp_fastopen_request *fo = tp->fastopen_req; +- int syn_loss = 0, space, err = 0, copied; ++ int syn_loss = 0, space, err = 0; + unsigned long last_syn_loss = 0; + struct sk_buff *syn_data; + +@@ -3181,17 +3181,18 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn) + goto fallback; + syn_data->ip_summed = CHECKSUM_PARTIAL; + memcpy(syn_data->cb, syn->cb, sizeof(syn->cb)); +- copied = copy_from_iter(skb_put(syn_data, space), space, +- &fo->data->msg_iter); +- if (unlikely(!copied)) { +- kfree_skb(syn_data); +- goto fallback; +- } +- if (copied != space) { +- skb_trim(syn_data, copied); +- space = copied; ++ if (space) { ++ int copied = copy_from_iter(skb_put(syn_data, space), space, ++ &fo->data->msg_iter); ++ if (unlikely(!copied)) { ++ kfree_skb(syn_data); ++ goto fallback; ++ } ++ if (copied != space) { ++ skb_trim(syn_data, copied); ++ space = copied; ++ } + } +- + /* No more data pending in inet_wait_for_connect() */ + if (space == fo->size) + fo->data = NULL; +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index fd3aa6148dd1..a2d685030a34 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -343,6 +343,12 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev) + setup_timer(&ndev->rs_timer, addrconf_rs_timer, + (unsigned long)ndev); + memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf)); ++ ++ if (ndev->cnf.stable_secret.initialized) ++ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY; ++ else ++ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_EUI64; ++ + ndev->cnf.mtu6 = dev->mtu; + ndev->cnf.sysctl = NULL; + ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl); +@@ -2384,7 +2390,7 @@ ok: + #ifdef CONFIG_IPV6_OPTIMISTIC_DAD + if (in6_dev->cnf.optimistic_dad && + !net->ipv6.devconf_all->forwarding && sllao) +- addr_flags = IFA_F_OPTIMISTIC; ++ addr_flags |= IFA_F_OPTIMISTIC; + #endif + + /* Do not allow to create too much of autoconfigured +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c +index 2d044d2a2ccf..bad62fa5e70f 100644 +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, + int try_loading_module = 0; + int err; + ++ if (protocol < 0 || protocol >= IPPROTO_MAX) ++ return -EINVAL; ++ + /* Look for the requested type/protocol pair. */ + lookup_protocol: + err = -ESOCKTNOSUPPORT; +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 69f4f689f06a..76be7d311cc4 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1553,13 +1553,11 @@ static int ip6gre_changelink(struct net_device *dev, struct nlattr *tb[], + return -EEXIST; + } else { + t = nt; +- +- ip6gre_tunnel_unlink(ign, t); +- ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]); +- ip6gre_tunnel_link(ign, t); +- netdev_state_change(dev); + } + ++ ip6gre_tunnel_unlink(ign, t); ++ ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]); ++ ip6gre_tunnel_link(ign, t); + return 0; + } + +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index cfb27f56c62f..c1938ad39f8c 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -93,10 +93,9 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) + { + struct dst_entry *dst = skb_dst(skb); + +- if (dst) { ++ if (dst && dst_hold_safe(dst)) { + const struct rt6_info *rt = (const struct rt6_info *)dst; + +- dst_hold(dst); + sk->sk_rx_dst = dst; + inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; + if (rt->rt6i_node) +diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c +index ee0ea25c8e7a..9a1edcde4ba5 100644 +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol, + struct sock *sk; + struct irda_sock *self; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (net != &init_net) + return -EAFNOSUPPORT; + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index d4b6f3682c14..68c599a5e1d1 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -950,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue, + } + lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock); + if (!netif_is_multiqueue(dev)) +- sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; ++ sch->flags |= TCQ_F_ONETXQUEUE; + } + + sch->handle = handle; +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index 0e4198ee2370..3267a5cbb3e8 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -634,6 +634,7 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk, + struct sock *newsk; + struct ipv6_pinfo *newnp, *np = inet6_sk(sk); + struct sctp6_sock *newsctp6sk; ++ struct ipv6_txoptions *opt; + + newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot); + if (!newsk) +@@ -653,6 +654,13 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk, + + memcpy(newnp, np, sizeof(struct ipv6_pinfo)); + ++ rcu_read_lock(); ++ opt = rcu_dereference(np->opt); ++ if (opt) ++ opt = ipv6_dup_options(newsk, opt); ++ RCU_INIT_POINTER(newnp->opt, opt); ++ rcu_read_unlock(); ++ + /* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname() + * and getpeername(). + */ +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c +index 06320c8c1c86..83a07d468644 100644 +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -1652,7 +1652,7 @@ static sctp_cookie_param_t *sctp_pack_cookie(const struct sctp_endpoint *ep, + + /* Set an expiration time for the cookie. */ + cookie->c.expiration = ktime_add(asoc->cookie_life, +- ktime_get()); ++ ktime_get_real()); + + /* Copy the peer's init packet. */ + memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr, +@@ -1780,7 +1780,7 @@ no_hmac: + if (sock_flag(ep->base.sk, SOCK_TIMESTAMP)) + kt = skb_get_ktime(skb); + else +- kt = ktime_get(); ++ kt = ktime_get_real(); + + if (!asoc && ktime_before(bear_cookie->expiration, kt)) { + /* +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 66d796075050..a63c2c87a0c6 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7175,6 +7175,7 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, + newsk->sk_type = sk->sk_type; + newsk->sk_bound_dev_if = sk->sk_bound_dev_if; + newsk->sk_flags = sk->sk_flags; ++ newsk->sk_tsflags = sk->sk_tsflags; + newsk->sk_no_check_tx = sk->sk_no_check_tx; + newsk->sk_no_check_rx = sk->sk_no_check_rx; + newsk->sk_reuse = sk->sk_reuse; +@@ -7207,6 +7208,9 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, + newinet->mc_ttl = 1; + newinet->mc_index = 0; + newinet->mc_list = NULL; ++ ++ if (newsk->sk_flags & SK_FLAGS_TIMESTAMP) ++ net_enable_timestamp(); + } + + static inline void sctp_copy_descendant(struct sock *sk_to, +diff --git a/net/socket.c b/net/socket.c +index 884e32997698..dcbfa868e398 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -1705,6 +1705,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, + msg.msg_name = addr ? (struct sockaddr *)&address : NULL; + /* We assume all kernel code knows the size of sockaddr_storage */ + msg.msg_namelen = 0; ++ msg.msg_iocb = NULL; + if (sock->file->f_flags & O_NONBLOCK) + flags |= MSG_DONTWAIT; + err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags); +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 1975fd8d1c10..a398f624c28d 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2072,14 +2072,7 @@ static int unix_stream_recvmsg(struct socket *sock, struct msghdr *msg, + + memset(&scm, 0, sizeof(scm)); + +- err = mutex_lock_interruptible(&u->readlock); +- if (unlikely(err)) { +- /* recvmsg() in non blocking mode is supposed to return -EAGAIN +- * sk_rcvtimeo is not honored by mutex_lock_interruptible() +- */ +- err = noblock ? -EAGAIN : -ERESTARTSYS; +- goto out; +- } ++ mutex_lock(&u->readlock); + + if (flags & MSG_PEEK) + skip = sk_peek_offset(sk, flags); +@@ -2120,12 +2113,12 @@ again: + + timeo = unix_stream_data_wait(sk, timeo, last); + +- if (signal_pending(current) +- || mutex_lock_interruptible(&u->readlock)) { ++ if (signal_pending(current)) { + err = sock_intr_errno(timeo); + goto out; + } + ++ mutex_lock(&u->readlock); + continue; + unlock: + unix_state_unlock(sk); +diff --git a/security/keys/gc.c b/security/keys/gc.c +index c7952375ac53..addf060399e0 100644 +--- a/security/keys/gc.c ++++ b/security/keys/gc.c +@@ -134,6 +134,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys) + kdebug("- %u", key->serial); + key_check(key); + ++ /* Throw away the key data if the key is instantiated */ ++ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) && ++ !test_bit(KEY_FLAG_NEGATIVE, &key->flags) && ++ key->type->destroy) ++ key->type->destroy(key); ++ + security_key_free(key); + + /* deal with the user's key tracking and quota */ +@@ -148,10 +154,6 @@ static noinline void key_gc_unused_keys(struct list_head *keys) + if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) + atomic_dec(&key->user->nikeys); + +- /* now throw away the key memory */ +- if (key->type->destroy) +- key->type->destroy(key); +- + key_user_put(key->user); + + kfree(key->description); +diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c +index 0b9ec78a7a7a..26f0e0a11ed6 100644 +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) + + /* the key is probably readable - now try to read it */ + can_read_key: +- ret = key_validate(key); +- if (ret == 0) { +- ret = -EOPNOTSUPP; +- if (key->type->read) { +- /* read the data with the semaphore held (since we +- * might sleep) */ +- down_read(&key->sem); ++ ret = -EOPNOTSUPP; ++ if (key->type->read) { ++ /* Read the data with the semaphore held (since we might sleep) ++ * to protect against the key being updated or revoked. ++ */ ++ down_read(&key->sem); ++ ret = key_validate(key); ++ if (ret == 0) + ret = key->type->read(key, buffer, buflen); +- up_read(&key->sem); +- } ++ up_read(&key->sem); + } + + error2: +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index bd536cb221e2..db91639c81e3 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) + ret = PTR_ERR(keyring); + goto error2; + } else if (keyring == new->session_keyring) { ++ key_put(keyring); + ret = 0; + goto error2; + } diff --git a/1520_keyring-refleak-in-join-session-CVE-2016-0728.patch b/1520_keyring-refleak-in-join-session-CVE-2016-0728.patch deleted file mode 100644 index 49020d7..0000000 --- a/1520_keyring-refleak-in-join-session-CVE-2016-0728.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 Mon Sep 17 00:00:00 2001 -From: Yevgeny Pats <[email protected]> -Date: Tue, 19 Jan 2016 22:09:04 +0000 -Subject: KEYS: Fix keyring ref leak in join_session_keyring() - -This fixes CVE-2016-0728. - -If a thread is asked to join as a session keyring the keyring that's already -set as its session, we leak a keyring reference. - -This can be tested with the following program: - - #include <stddef.h> - #include <stdio.h> - #include <sys/types.h> - #include <keyutils.h> - - int main(int argc, const char *argv[]) - { - int i = 0; - key_serial_t serial; - - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, - "leaked-keyring"); - if (serial < 0) { - perror("keyctl"); - return -1; - } - - if (keyctl(KEYCTL_SETPERM, serial, - KEY_POS_ALL | KEY_USR_ALL) < 0) { - perror("keyctl"); - return -1; - } - - for (i = 0; i < 100; i++) { - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, - "leaked-keyring"); - if (serial < 0) { - perror("keyctl"); - return -1; - } - } - - return 0; - } - -If, after the program has run, there something like the following line in -/proc/keys: - -3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty - -with a usage count of 100 * the number of times the program has been run, -then the kernel is malfunctioning. If leaked-keyring has zero usages or -has been garbage collected, then the problem is fixed. - -Reported-by: Yevgeny Pats <[email protected]> -Signed-off-by: David Howells <[email protected]> -Acked-by: Don Zickus <[email protected]> -Acked-by: Prarit Bhargava <[email protected]> -Acked-by: Jarod Wilson <[email protected]> -Signed-off-by: James Morris <[email protected]> ---- - security/keys/process_keys.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index a3f85d2..e6d50172 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) - ret = PTR_ERR(keyring); - goto error2; - } else if (keyring == new->session_keyring) { -+ key_put(keyring); - ret = 0; - goto error2; - } --- -cgit v0.12 -
