Hello community,
here is the log from the commit of package kernel-source for openSUSE:Factory
checked in at 2016-07-18 21:17:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kernel-source (Old)
and /work/SRC/openSUSE:Factory/.kernel-source.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source"
Changes:
--------
--- /work/SRC/openSUSE:Factory/kernel-source/kernel-debug.changes
2016-07-07 15:09:31.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.kernel-source.new/kernel-debug.changes
2016-07-18 21:17:38.000000000 +0200
@@ -1,0 +2,48 @@
+Mon Jul 11 19:59:12 CEST 2016 - jsl...@suse.cz
+
+- Linux 4.6.4 (bnc#982729).
+- Delete
+
patches.drivers/0001-Subject-PATCH-USB-xhci-Add-broken-streams-quirk-for-.patch.
+- commit 103c936
+
+-------------------------------------------------------------------
+Mon Jul 11 11:31:39 CEST 2016 - ti...@suse.de
+
+- apparmor: fix oops, validate buffer size in
+ apparmor_setprocattr() (CVE-2016-6187,bsc#988307).
+- commit fbe379c
+
+-------------------------------------------------------------------
+Thu Jul 7 02:10:04 CEST 2016 - ne...@suse.com
+
+- Update patches.fixes/0001-posix_acl-Add-set_posix_acl.patch
+ (bsc#986570 CVE-2016-1237).
+- Update
+ patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch
+ (bsc#986570 CVE-2016-1237).
+- commit 789949d
+
+-------------------------------------------------------------------
+Wed Jul 6 08:13:54 CEST 2016 - ne...@suse.com
+
+- Update patches.fixes/0001-posix_acl-Add-set_posix_acl.patch
+ (bsc#986570 CVE#2016-1237).
+- Update
+ patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch
+ (bsc#986570 CVE#2016-1237).
+- commit 10c8c01
+
+-------------------------------------------------------------------
+Wed Jul 6 06:32:20 CEST 2016 - ne...@suse.com
+
+- nfsd: check permissions when setting ACLs (bsc#986570).
+- posix_acl: Add set_posix_acl (bsc#986570).
+- commit 2763888
+
+-------------------------------------------------------------------
+Mon Jun 27 11:01:27 CEST 2016 - mkube...@suse.cz
+
+- Update patches.kernel.org/patch-4.6.2-3 (add CVE-2016-4997 bsc#986362).
+- commit fbd108c
+
+-------------------------------------------------------------------
kernel-default.changes: same change
kernel-docs.changes: same change
kernel-lpae.changes: same change
kernel-obs-build.changes: same change
kernel-obs-qa.changes: same change
kernel-pae.changes: same change
kernel-source.changes: same change
kernel-syms.changes: same change
kernel-vanilla.changes: same change
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ kernel-debug.spec ++++++
--- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200
+++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200
@@ -20,7 +20,7 @@
# needssslcertforbuild
%define srcversion 4.6
-%define patchversion 4.6.3
+%define patchversion 4.6.4
%define variant %{nil}
%define vanilla_only 0
@@ -61,9 +61,9 @@
Summary: A Debug Version of the Kernel
License: GPL-2.0
Group: System/Kernel
-Version: 4.6.3
+Version: 4.6.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd4bcf2a
+Release: <RELEASE>.g103c936
%else
Release: 0
%endif
kernel-default.spec: same change
++++++ kernel-docs.spec ++++++
--- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200
+++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200
@@ -16,7 +16,7 @@
#
-%define patchversion 4.6.3
+%define patchversion 4.6.4
%define variant %{nil}
%include %_sourcedir/kernel-spec-macros
@@ -27,9 +27,9 @@
Summary: Kernel Documentation (man pages)
License: GPL-2.0
Group: Documentation/Man
-Version: 4.6.3
+Version: 4.6.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd4bcf2a
+Release: <RELEASE>.g103c936
%else
Release: 0
%endif
++++++ kernel-lpae.spec ++++++
--- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200
+++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200
@@ -20,7 +20,7 @@
# needssslcertforbuild
%define srcversion 4.6
-%define patchversion 4.6.3
+%define patchversion 4.6.4
%define variant %{nil}
%define vanilla_only 0
@@ -61,9 +61,9 @@
Summary: Kernel for LPAE enabled systems
License: GPL-2.0
Group: System/Kernel
-Version: 4.6.3
+Version: 4.6.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd4bcf2a
+Release: <RELEASE>.g103c936
%else
Release: 0
%endif
++++++ kernel-obs-build.spec ++++++
--- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200
+++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200
@@ -19,7 +19,7 @@
#!BuildIgnore: post-build-checks
-%define patchversion 4.6.3
+%define patchversion 4.6.4
%define variant %{nil}
%include %_sourcedir/kernel-spec-macros
@@ -51,9 +51,9 @@
Summary: package kernel and initrd for OBS VM builds
License: GPL-2.0
Group: SLES
-Version: 4.6.3
+Version: 4.6.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd4bcf2a
+Release: <RELEASE>.g103c936
%else
Release: 0
%endif
++++++ kernel-obs-qa.spec ++++++
--- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200
+++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200
@@ -17,7 +17,7 @@
# needsrootforbuild
-%define patchversion 4.6.3
+%define patchversion 4.6.4
%define variant %{nil}
%include %_sourcedir/kernel-spec-macros
@@ -36,9 +36,9 @@
Summary: Basic QA tests for the kernel
License: GPL-2.0
Group: SLES
-Version: 4.6.3
+Version: 4.6.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd4bcf2a
+Release: <RELEASE>.g103c936
%else
Release: 0
%endif
++++++ kernel-pae.spec ++++++
--- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200
+++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200
@@ -20,7 +20,7 @@
# needssslcertforbuild
%define srcversion 4.6
-%define patchversion 4.6.3
+%define patchversion 4.6.4
%define variant %{nil}
%define vanilla_only 0
@@ -61,9 +61,9 @@
Summary: Kernel with PAE Support
License: GPL-2.0
Group: System/Kernel
-Version: 4.6.3
+Version: 4.6.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd4bcf2a
+Release: <RELEASE>.g103c936
%else
Release: 0
%endif
++++++ kernel-source.spec ++++++
--- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200
+++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200
@@ -18,7 +18,7 @@
%define srcversion 4.6
-%define patchversion 4.6.3
+%define patchversion 4.6.4
%define variant %{nil}
%define vanilla_only 0
@@ -30,9 +30,9 @@
Summary: The Linux Kernel Sources
License: GPL-2.0
Group: Development/Sources
-Version: 4.6.3
+Version: 4.6.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd4bcf2a
+Release: <RELEASE>.g103c936
%else
Release: 0
%endif
++++++ kernel-syms.spec ++++++
--- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200
+++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200
@@ -24,10 +24,10 @@
Summary: Kernel Symbol Versions (modversions)
License: GPL-2.0
Group: Development/Sources
-Version: 4.6.3
+Version: 4.6.4
%if %using_buildservice
%if 0%{?is_kotd}
-Release: <RELEASE>.gd4bcf2a
+Release: <RELEASE>.g103c936
%else
Release: 0
%endif
++++++ kernel-vanilla.spec ++++++
--- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200
+++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200
@@ -20,7 +20,7 @@
# needssslcertforbuild
%define srcversion 4.6
-%define patchversion 4.6.3
+%define patchversion 4.6.4
%define variant %{nil}
%define vanilla_only 0
@@ -61,9 +61,9 @@
Summary: The Standard Kernel - without any SUSE patches
License: GPL-2.0
Group: System/Kernel
-Version: 4.6.3
+Version: 4.6.4
%if 0%{?is_kotd}
-Release: <RELEASE>.gd4bcf2a
+Release: <RELEASE>.g103c936
%else
Release: 0
%endif
++++++ patches.drivers.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.drivers/0001-Subject-PATCH-USB-xhci-Add-broken-streams-quirk-for-.patch
new/patches.drivers/0001-Subject-PATCH-USB-xhci-Add-broken-streams-quirk-for-.patch
---
old/patches.drivers/0001-Subject-PATCH-USB-xhci-Add-broken-streams-quirk-for-.patch
2016-06-04 09:38:20.000000000 +0200
+++
new/patches.drivers/0001-Subject-PATCH-USB-xhci-Add-broken-streams-quirk-for-.patch
1970-01-01 01:00:00.000000000 +0100
@@ -1,50 +0,0 @@
-From aaf928767d4b3d73aeaa88c704a8d7f66d30730b Mon Sep 17 00:00:00 2001
-Subject: [PATCH] USB: xhci: Add broken streams quirk for
- Frescologic device id 1009
-From: Hans de Goede <hdego...@redhat.com>
-Date: 2016-06-01 19:01:29
-Patch-Mainline: Queued
-Git-commit: d95815ba6a0f287213118c136e64d8c56daeaeab
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
-References: bnc#982729
-
-I got one of these cards for testing uas with, it seems that with streams
-it dma-s all over the place, corrupting memory. On my first tests it
-managed to dma over the BIOS of the motherboard somehow and completely
-bricked it.
-
-Tests on another motherboard show that it does work with streams disabled.
-
-Cc: sta...@vger.kernel.org
-Signed-off-by: Hans de Goede <hdego...@redhat.com>
-Signed-Off-By: Oliver Neukum <oneu...@suse.com>
----
- drivers/usb/host/xhci-pci.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
-index 47f6f9b..e020bc3 100644
---- a/drivers/usb/host/xhci-pci.c
-+++ b/drivers/usb/host/xhci-pci.c
-@@ -30,6 +30,7 @@
- /* Device for a quirk */
- #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73
- #define PCI_DEVICE_ID_FRESCO_LOGIC_PDK 0x1000
-+#define PCI_DEVICE_ID_FRESCO_LOGIC_FL1009 0x1009
- #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1400 0x1400
-
- #define PCI_VENDOR_ID_ETRON 0x1b6f
-@@ -97,6 +98,10 @@ static void xhci_pci_quirks(struct device *dev, struct
xhci_hcd *xhci)
- xhci->quirks |= XHCI_TRUST_TX_LENGTH;
- }
-
-+ if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC &&
-+ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1009)
-+ xhci->quirks |= XHCI_BROKEN_STREAMS;
-+
- if (pdev->vendor == PCI_VENDOR_ID_NEC)
- xhci->quirks |= XHCI_NEC_HOST;
-
---
-2.1.4
-
++++++ patches.fixes.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/patches.fixes/0001-posix_acl-Add-set_posix_acl.patch
new/patches.fixes/0001-posix_acl-Add-set_posix_acl.patch
--- old/patches.fixes/0001-posix_acl-Add-set_posix_acl.patch 1970-01-01
01:00:00.000000000 +0100
+++ new/patches.fixes/0001-posix_acl-Add-set_posix_acl.patch 2016-07-11
11:31:39.000000000 +0200
@@ -0,0 +1,89 @@
+From: Andreas Gruenbacher <agrue...@redhat.com>
+Date: Wed, 22 Jun 2016 23:57:25 +0200
+Subject: [PATCH] posix_acl: Add set_posix_acl
+Git-commit: 485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f
+Patch-mainline: v4.7
+References: bsc#986570 CVE-2016-1237
+
+Factor out part of posix_acl_xattr_set into a common function that takes
+a posix_acl, which nfsd can also call.
+
+The prototype already exists in include/linux/posix_acl.h.
+
+Signed-off-by: Andreas Gruenbacher <agrue...@redhat.com>
+Cc: sta...@vger.kernel.org
+Cc: Christoph Hellwig <h...@infradead.org>
+Cc: Al Viro <v...@zeniv.linux.org.uk>
+Signed-off-by: J. Bruce Fields <bfie...@redhat.com>
+Acked-by: NeilBrown <ne...@suse.com>
+
+---
+ fs/posix_acl.c | 43 ++++++++++++++++++++++++-------------------
+ 1 file changed, 24 insertions(+), 19 deletions(-)
+
+--- a/fs/posix_acl.c
++++ b/fs/posix_acl.c
+@@ -786,39 +786,44 @@ posix_acl_xattr_get(const struct xattr_h
+ return error;
+ }
+
+-static int
+-posix_acl_xattr_set(const struct xattr_handler *handler,
+- struct dentry *dentry, const char *name,
+- const void *value, size_t size, int flags)
++int
++set_posix_acl(struct inode *inode, int type, struct posix_acl *acl)
+ {
+- struct inode *inode = d_backing_inode(dentry);
+- struct posix_acl *acl = NULL;
+- int ret;
+-
+ if (!IS_POSIXACL(inode))
+ return -EOPNOTSUPP;
+ if (!inode->i_op->set_acl)
+ return -EOPNOTSUPP;
+
+- if (handler->flags == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
+- return value ? -EACCES : 0;
++ if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
++ return acl ? -EACCES : 0;
+ if (!inode_owner_or_capable(inode))
+ return -EPERM;
+
++ if (acl) {
++ int ret = posix_acl_valid(acl);
++ if (ret)
++ return ret;
++ }
++ return inode->i_op->set_acl(inode, acl, type);
++}
++EXPORT_SYMBOL(set_posix_acl);
++
++static int
++posix_acl_xattr_set(const struct xattr_handler *handler,
++ struct dentry *dentry,
++ const char *name, const void *value,
++ size_t size, int flags)
++{
++ struct inode *inode = d_backing_inode(dentry);
++ struct posix_acl *acl = NULL;
++ int ret;
++
+ if (value) {
+ acl = posix_acl_from_xattr(&init_user_ns, value, size);
+ if (IS_ERR(acl))
+ return PTR_ERR(acl);
+-
+- if (acl) {
+- ret = posix_acl_valid(acl);
+- if (ret)
+- goto out;
+- }
+ }
+-
+- ret = inode->i_op->set_acl(inode, acl, handler->flags);
+-out:
++ ret = set_posix_acl(inode, handler->flags, acl);
+ posix_acl_release(acl);
+ return ret;
+ }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch
new/patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch
--- old/patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch
1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch
2016-07-11 11:31:39.000000000 +0200
@@ -0,0 +1,149 @@
+From: Ben Hutchings <b...@decadent.org.uk>
+Date: Wed, 22 Jun 2016 19:43:35 +0100
+Subject: [PATCH] nfsd: check permissions when setting ACLs
+Git-commit: 999653786df6954a31044528ac3f7a5dadca08f4
+Patch-mainline: v4.7
+References: bsc#986570 CVE-2016-1237
+
+Use set_posix_acl, which includes proper permission checks, instead of
+calling ->set_acl directly. Without this anyone may be able to grant
+themselves permissions to a file by setting the ACL.
+
+Lock the inode to make the new checks atomic with respect to set_acl.
+(Also, nfsd was the only caller of set_acl not locking the inode, so I
+suspect this may fix other races.)
+
+This also simplifies the code, and ensures our ACLs are checked by
+posix_acl_valid.
+
+The permission checks and the inode locking were lost with commit
+4ac7249e, which changed nfsd to use the set_acl inode operation directly
+instead of going through xattr handlers.
+
+Reported-by: David Sinquin <da...@sinquin.eu>
+[agreu...@redhat.com: use set_posix_acl]
+Fixes: 4ac7249e
+Cc: Christoph Hellwig <h...@infradead.org>
+Cc: Al Viro <v...@zeniv.linux.org.uk>
+Cc: sta...@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfie...@redhat.com>
+Acked-by: NeilBrown <ne...@suse.com>
+
+---
+ fs/nfsd/nfs2acl.c | 20 ++++++++++----------
+ fs/nfsd/nfs3acl.c | 16 +++++++---------
+ fs/nfsd/nfs4acl.c | 16 ++++++++--------
+ 3 files changed, 25 insertions(+), 27 deletions(-)
+
+--- a/fs/nfsd/nfs2acl.c
++++ b/fs/nfsd/nfs2acl.c
+@@ -104,22 +104,21 @@ static __be32 nfsacld_proc_setacl(struct
+ goto out;
+
+ inode = d_inode(fh->fh_dentry);
+- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) {
+- error = -EOPNOTSUPP;
+- goto out_errno;
+- }
+
+ error = fh_want_write(fh);
+ if (error)
+ goto out_errno;
+
+- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS);
++ fh_lock(fh);
++
++ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access);
+ if (error)
+- goto out_drop_write;
+- error = inode->i_op->set_acl(inode, argp->acl_default,
+- ACL_TYPE_DEFAULT);
++ goto out_drop_lock;
++ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);
+ if (error)
+- goto out_drop_write;
++ goto out_drop_lock;
++
++ fh_unlock(fh);
+
+ fh_drop_write(fh);
+
+@@ -131,7 +130,8 @@ out:
+ posix_acl_release(argp->acl_access);
+ posix_acl_release(argp->acl_default);
+ return nfserr;
+-out_drop_write:
++out_drop_lock:
++ fh_unlock(fh);
+ fh_drop_write(fh);
+ out_errno:
+ nfserr = nfserrno(error);
+--- a/fs/nfsd/nfs3acl.c
++++ b/fs/nfsd/nfs3acl.c
+@@ -95,22 +95,20 @@ static __be32 nfsd3_proc_setacl(struct s
+ goto out;
+
+ inode = d_inode(fh->fh_dentry);
+- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) {
+- error = -EOPNOTSUPP;
+- goto out_errno;
+- }
+
+ error = fh_want_write(fh);
+ if (error)
+ goto out_errno;
+
+- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS);
++ fh_lock(fh);
++
++ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access);
+ if (error)
+- goto out_drop_write;
+- error = inode->i_op->set_acl(inode, argp->acl_default,
+- ACL_TYPE_DEFAULT);
++ goto out_drop_lock;
++ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);
+
+-out_drop_write:
++out_drop_lock:
++ fh_unlock(fh);
+ fh_drop_write(fh);
+ out_errno:
+ nfserr = nfserrno(error);
+--- a/fs/nfsd/nfs4acl.c
++++ b/fs/nfsd/nfs4acl.c
+@@ -770,9 +770,6 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
+ dentry = fhp->fh_dentry;
+ inode = d_inode(dentry);
+
+- if (!inode->i_op->set_acl || !IS_POSIXACL(inode))
+- return nfserr_attrnotsupp;
+-
+ if (S_ISDIR(inode->i_mode))
+ flags = NFS4_ACL_DIR;
+
+@@ -782,16 +779,19 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
+ if (host_error < 0)
+ goto out_nfserr;
+
+- host_error = inode->i_op->set_acl(inode, pacl, ACL_TYPE_ACCESS);
++ fh_lock(fhp);
++
++ host_error = set_posix_acl(inode, ACL_TYPE_ACCESS, pacl);
+ if (host_error < 0)
+- goto out_release;
++ goto out_drop_lock;
+
+ if (S_ISDIR(inode->i_mode)) {
+- host_error = inode->i_op->set_acl(inode, dpacl,
+- ACL_TYPE_DEFAULT);
++ host_error = set_posix_acl(inode, ACL_TYPE_DEFAULT, dpacl);
+ }
+
+-out_release:
++out_drop_lock:
++ fh_unlock(fhp);
++
+ posix_acl_release(pacl);
+ posix_acl_release(dpacl);
+ out_nfserr:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.fixes/apparmor-fix-oops-validate-buffer-size-in-apparmor_s
new/patches.fixes/apparmor-fix-oops-validate-buffer-size-in-apparmor_s
--- old/patches.fixes/apparmor-fix-oops-validate-buffer-size-in-apparmor_s
1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/apparmor-fix-oops-validate-buffer-size-in-apparmor_s
2016-07-11 11:31:39.000000000 +0200
@@ -0,0 +1,117 @@
+From 30a46a4647fd1df9cf52e43bf467f0d9265096ca Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nos...@oracle.com>
+Date: Thu, 7 Jul 2016 13:41:11 -0700
+Subject: [PATCH] apparmor: fix oops, validate buffer size in
apparmor_setprocattr()
+Git-commit: 30a46a4647fd1df9cf52e43bf467f0d9265096ca
+Patch-mainline: 4.7-rc7
+References: CVE-2016-6187,bsc#988307
+
+When proc_pid_attr_write() was changed to use memdup_user apparmor's
+(interface violating) assumption that the setprocattr buffer was always
+a single page was violated.
+
+The size test is not strictly speaking needed as proc_pid_attr_write()
+will reject anything larger, but for the sake of robustness we can keep
+it in.
+
+SMACK and SELinux look safe to me, but somebody else should probably
+have a look just in case.
+
+Based on original patch from Vegard Nossum <vegard.nos...@oracle.com>
+modified for the case that apparmor provides null termination.
+
+Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a
+Reported-by: Vegard Nossum <vegard.nos...@oracle.com>
+Cc: Al Viro <v...@zeniv.linux.org.uk>
+Cc: John Johansen <john.johan...@canonical.com>
+Cc: Paul Moore <p...@paul-moore.com>
+Cc: Stephen Smalley <s...@tycho.nsa.gov>
+Cc: Eric Paris <epa...@parisplace.org>
+Cc: Casey Schaufler <ca...@schaufler-ca.com>
+Cc: sta...@kernel.org
+Signed-off-by: John Johansen <john.johan...@canonical.com>
+Reviewed-by: Tyler Hicks <tyhi...@canonical.com>
+Signed-off-by: James Morris <james.l.mor...@oracle.com>
+Acked-by: Takashi Iwai <ti...@suse.de>
+
+---
+ security/apparmor/lsm.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -524,34 +524,34 @@ static int apparmor_setprocattr(struct t
+ {
+ struct common_audit_data sa;
+ struct apparmor_audit_data aad = {0,};
+- char *command, *args = value;
++ char *command, *largs = NULL, *args = value;
+ size_t arg_size;
+ int error;
+
+ if (size == 0)
+ return -EINVAL;
+- /* args points to a PAGE_SIZE buffer, AppArmor requires that
+- * the buffer must be null terminated or have size <= PAGE_SIZE -1
+- * so that AppArmor can null terminate them
+- */
+- if (args[size - 1] != '\0') {
+- if (size == PAGE_SIZE)
+- return -EINVAL;
+- args[size] = '\0';
+- }
+-
+ /* task can only write its own attributes */
+ if (current != task)
+ return -EACCES;
+
+- args = value;
++ /* AppArmor requires that the buffer must be null terminated atm */
++ if (args[size - 1] != '\0') {
++ /* null terminate */
++ largs = args = kmalloc(size + 1, GFP_KERNEL);
++ if (!args)
++ return -ENOMEM;
++ memcpy(args, value, size);
++ args[size] = '\0';
++ }
++
++ error = -EINVAL;
+ args = strim(args);
+ command = strsep(&args, " ");
+ if (!args)
+- return -EINVAL;
++ goto out;
+ args = skip_spaces(args);
+ if (!*args)
+- return -EINVAL;
++ goto out;
+
+ arg_size = size - (args - (char *) value);
+ if (strcmp(name, "current") == 0) {
+@@ -577,10 +577,12 @@ static int apparmor_setprocattr(struct t
+ goto fail;
+ } else
+ /* only support the "current" and "exec" process attributes */
+- return -EINVAL;
++ goto fail;
+
+ if (!error)
+ error = size;
++out:
++ kfree(largs);
+ return error;
+
+ fail:
+@@ -589,9 +591,9 @@ fail:
+ aad.profile = aa_current_profile();
+ aad.op = OP_SETPROCATTR;
+ aad.info = name;
+- aad.error = -EINVAL;
++ aad.error = error = -EINVAL;
+ aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
+- return -EINVAL;
++ goto out;
+ }
+
+ static int apparmor_task_setrlimit(struct task_struct *task,
++++++ patches.kernel.org.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/patches.kernel.org/patch-4.6.2-3
new/patches.kernel.org/patch-4.6.2-3
--- old/patches.kernel.org/patch-4.6.2-3 2016-06-26 09:34:33.000000000
+0200
+++ new/patches.kernel.org/patch-4.6.2-3 2016-07-11 19:59:12.000000000
+0200
@@ -1,7 +1,7 @@
From: Jiri Slaby <jsl...@suse.cz>
Subject: Linux 4.6.3
Patch-mainline: 4.6.3
-References: CVE-2016-4951 bsc#981058 bsc#983458
+References: CVE-2016-4951 CVE-2016-4997 bsc#981058 bsc#983458 bsc#986362
Git-commit: 79bb71bd1d93197ce227fa167b450b633f30a52b
Git-commit: d7591f0c41ce3e67600a982bab6989ef0f07b3ce
Git-commit: 09d9686047dbbe1cf4faa558d3ecc4aae2046054
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/patches.kernel.org/patch-4.6.3-4
new/patches.kernel.org/patch-4.6.3-4
--- old/patches.kernel.org/patch-4.6.3-4 1970-01-01 01:00:00.000000000
+0100
+++ new/patches.kernel.org/patch-4.6.3-4 2016-07-11 19:59:12.000000000
+0200
@@ -0,0 +1,1046 @@
+From: Jiri Slaby <jsl...@suse.cz>
+Subject: Linux 4.6.4
+Patch-mainline: 4.6.4
+References: bnc#982729
+Git-commit: 4879efb34f7d49235fac334d76d9c6a77a021413
+Git-commit: f8a15a9650694feaa0dabf197b0c94d37cd3fb42
+Git-commit: d246dcb2331c5783743720e6510892eb1d2801d9
+Git-commit: dcb21ad4385731b7fc3ef39d255685f2f63c8c5d
+Git-commit: 3425aa03f484d45dc21e0e791c2f6c74ea656421
+Git-commit: d95815ba6a0f287213118c136e64d8c56daeaeab
+Git-commit: de95c40d5beaa47f6dc8fe9ac4159b4672b51523
+Git-commit: 27a41a83ec54d0edfcaf079310244e7f013a7701
+Git-commit: 04471eb8c3158c0ad9df4b24da845a63b2e8f23a
+Git-commit: f3eec0cf784e0d6c47822ca6b66df3d5812af7e6
+Git-commit: 7b2c17f829545df27a910e8d82e133c21c9a8c9c
+Git-commit: 84ac5d1140f716a616522f952734e850448d2556
+Git-commit: 32cb0b37098f4beeff5ad9e325f11b42a6ede56c
+Git-commit: 81099f97bd31e25ff2719a435b1860fc3876122f
+Git-commit: 593224ea77b1ca842f45cf76f4deeef44dfbacd1
+Git-commit: 055ddaace03580455a7b7dbea8e93d62acee61fc
+Git-commit: 19ced623db2fe91604d69f7d86b03144c5107739
+Git-commit: 12d3f49e1ffbbf8cbbb60acae5a21103c5c841ac
+Git-commit: 4a7d99ea1b27734558feb6833f180cd38a159940
+Git-commit: b560f03ddfb072bca65e9440ff0dc4f9b1d1f056
+Git-commit: ceb56070359b7329b5678b5d95a376fcb24767be
+Git-commit: 9a0fee2b552b1235fb1706ae1fc664ae74573be8
+Git-commit: 0888d5f3c0f183ea6177355752ada433d370ac89
+Git-commit: 70a0dec45174c976c64b4c8c1d0898581f759948
+Git-commit: 21de12ee5568fd1aec47890c72967abf791ac80a
+Git-commit: 962fcef33b03395051367181a0549d29d109d9a4
+Git-commit: d19af0a76444fde629667ecb823c0ee28f9f67d8
+Git-commit: d5d8760b78d0cfafe292f965f599988138b06a70
+Git-commit: daddef76c3deaaa7922f9d7b18edbf0a061215c3
+Git-commit: d15eccea69b96a5116169688dcc9baf6d1ce2751
+Git-commit: 6c0d54f1897d229748d4f41ef919078db6db2123
+
+Signed-off-by: Jiri Slaby <jsl...@suse.cz>
+---
+diff --git a/Makefile b/Makefile
+index c62b531d5a85..cd374426114a 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 6
+-SUBLEVEL = 3
++SUBLEVEL = 4
+ EXTRAVERSION =
+ NAME = Charred Weasel
+
+diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
+index 43fe85f20d57..7097a3395b25 100644
+--- a/crypto/crypto_user.c
++++ b/crypto/crypto_user.c
+@@ -455,6 +455,7 @@ static const int crypto_msg_min[CRYPTO_NR_MSGTYPES] = {
+ [CRYPTO_MSG_NEWALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
+ [CRYPTO_MSG_DELALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
+ [CRYPTO_MSG_UPDATEALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
++ [CRYPTO_MSG_GETALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
+ [CRYPTO_MSG_DELRNG - CRYPTO_MSG_BASE] = 0,
+ };
+
+diff --git a/drivers/crypto/ux500/hash/hash_core.c
b/drivers/crypto/ux500/hash/hash_core.c
+index 574e87c7f2b8..9acccad26928 100644
+--- a/drivers/crypto/ux500/hash/hash_core.c
++++ b/drivers/crypto/ux500/hash/hash_core.c
+@@ -781,7 +781,7 @@ static int hash_process_data(struct hash_device_data
*device_data,
+ &device_data->state);
+ memmove(req_ctx->state.buffer,
+ device_data->state.buffer,
+- HASH_BLOCK_SIZE / sizeof(u32));
++ HASH_BLOCK_SIZE);
+ if (ret) {
+ dev_err(device_data->dev,
+ "%s: hash_resume_state()
failed!\n",
+@@ -832,7 +832,7 @@ static int hash_process_data(struct hash_device_data
*device_data,
+
+ memmove(device_data->state.buffer,
+ req_ctx->state.buffer,
+- HASH_BLOCK_SIZE / sizeof(u32));
++ HASH_BLOCK_SIZE);
+ if (ret) {
+ dev_err(device_data->dev, "%s:
hash_save_state() failed!\n",
+ __func__);
+diff --git a/drivers/crypto/vmx/aes_cbc.c b/drivers/crypto/vmx/aes_cbc.c
+index 495577b6d31b..94ad5c0adbcb 100644
+--- a/drivers/crypto/vmx/aes_cbc.c
++++ b/drivers/crypto/vmx/aes_cbc.c
+@@ -182,7 +182,7 @@ struct crypto_alg p8_aes_cbc_alg = {
+ .cra_name = "cbc(aes)",
+ .cra_driver_name = "p8_aes_cbc",
+ .cra_module = THIS_MODULE,
+- .cra_priority = 1000,
++ .cra_priority = 2000,
+ .cra_type = &crypto_blkcipher_type,
+ .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER | CRYPTO_ALG_NEED_FALLBACK,
+ .cra_alignmask = 0,
+diff --git a/drivers/crypto/vmx/aes_ctr.c b/drivers/crypto/vmx/aes_ctr.c
+index 0a3c1b04cf3c..38ed10d761d0 100644
+--- a/drivers/crypto/vmx/aes_ctr.c
++++ b/drivers/crypto/vmx/aes_ctr.c
+@@ -166,7 +166,7 @@ struct crypto_alg p8_aes_ctr_alg = {
+ .cra_name = "ctr(aes)",
+ .cra_driver_name = "p8_aes_ctr",
+ .cra_module = THIS_MODULE,
+- .cra_priority = 1000,
++ .cra_priority = 2000,
+ .cra_type = &crypto_blkcipher_type,
+ .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER | CRYPTO_ALG_NEED_FALLBACK,
+ .cra_alignmask = 0,
+diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
+index 6dc810bce295..944a6dca0fcb 100644
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -44,6 +44,9 @@ static const struct usb_device_id usb_quirk_list[] = {
+ /* Creative SB Audigy 2 NX */
+ { USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME },
+
++ /* USB3503 */
++ { USB_DEVICE(0x0424, 0x3503), .driver_info = USB_QUIRK_RESET_RESUME },
++
+ /* Microsoft Wireless Laser Mouse 6000 Receiver */
+ { USB_DEVICE(0x045e, 0x00e1), .driver_info = USB_QUIRK_RESET_RESUME },
+
+@@ -173,6 +176,10 @@ static const struct usb_device_id usb_quirk_list[] = {
+ /* MAYA44USB sound device */
+ { USB_DEVICE(0x0a92, 0x0091), .driver_info = USB_QUIRK_RESET_RESUME },
+
++ /* ASUS Base Station(T100) */
++ { USB_DEVICE(0x0b05, 0x17e0), .driver_info =
++ USB_QUIRK_IGNORE_REMOTE_WAKEUP },
++
+ /* Action Semiconductor flash disk */
+ { USB_DEVICE(0x10d6, 0x2200), .driver_info =
+ USB_QUIRK_STRING_FETCH_255 },
+@@ -188,26 +195,22 @@ static const struct usb_device_id usb_quirk_list[] = {
+ { USB_DEVICE(0x1908, 0x1315), .driver_info =
+ USB_QUIRK_HONOR_BNUMINTERFACES },
+
+- /* INTEL VALUE SSD */
+- { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
+-
+- /* USB3503 */
+- { USB_DEVICE(0x0424, 0x3503), .driver_info = USB_QUIRK_RESET_RESUME },
+-
+- /* ASUS Base Station(T100) */
+- { USB_DEVICE(0x0b05, 0x17e0), .driver_info =
+- USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+-
+ /* Protocol and OTG Electrical Test Device */
+ { USB_DEVICE(0x1a0a, 0x0200), .driver_info =
+ USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
+
++ /* Acer C120 LED Projector */
++ { USB_DEVICE(0x1de1, 0xc102), .driver_info = USB_QUIRK_NO_LPM },
++
+ /* Blackmagic Design Intensity Shuttle */
+ { USB_DEVICE(0x1edb, 0xbd3b), .driver_info = USB_QUIRK_NO_LPM },
+
+ /* Blackmagic Design UltraStudio SDI */
+ { USB_DEVICE(0x1edb, 0xbd4f), .driver_info = USB_QUIRK_NO_LPM },
+
++ /* INTEL VALUE SSD */
++ { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
++
+ { } /* terminating entry must be last */
+ };
+
+diff --git a/drivers/usb/dwc3/dwc3-exynos.c b/drivers/usb/dwc3/dwc3-exynos.c
+index dd5cb5577dca..2f1fb7e7aa54 100644
+--- a/drivers/usb/dwc3/dwc3-exynos.c
++++ b/drivers/usb/dwc3/dwc3-exynos.c
+@@ -128,12 +128,6 @@ static int dwc3_exynos_probe(struct platform_device *pdev)
+
+ platform_set_drvdata(pdev, exynos);
+
+- ret = dwc3_exynos_register_phys(exynos);
+- if (ret) {
+- dev_err(dev, "couldn't register PHYs\n");
+- return ret;
+- }
+-
+ exynos->dev = dev;
+
+ exynos->clk = devm_clk_get(dev, "usbdrd30");
+@@ -183,20 +177,29 @@ static int dwc3_exynos_probe(struct platform_device
*pdev)
+ goto err3;
+ }
+
++ ret = dwc3_exynos_register_phys(exynos);
++ if (ret) {
++ dev_err(dev, "couldn't register PHYs\n");
++ goto err4;
++ }
++
+ if (node) {
+ ret = of_platform_populate(node, NULL, NULL, dev);
+ if (ret) {
+ dev_err(dev, "failed to add dwc3 core\n");
+- goto err4;
++ goto err5;
+ }
+ } else {
+ dev_err(dev, "no device node, failed to add dwc3 core\n");
+ ret = -ENODEV;
+- goto err4;
++ goto err5;
+ }
+
+ return 0;
+
++err5:
++ platform_device_unregister(exynos->usb2_phy);
++ platform_device_unregister(exynos->usb3_phy);
+ err4:
+ regulator_disable(exynos->vdd10);
+ err3:
+diff --git a/drivers/usb/gadget/legacy/inode.c
b/drivers/usb/gadget/legacy/inode.c
+index e64479f882a5..aa3707bdebb4 100644
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -938,8 +938,11 @@ ep0_read (struct file *fd, char __user *buf, size_t len,
loff_t *ptr)
+ struct usb_ep *ep = dev->gadget->ep0;
+ struct usb_request *req = dev->req;
+
+- if ((retval = setup_req (ep, req, 0)) == 0)
+- retval = usb_ep_queue (ep, req, GFP_ATOMIC);
++ if ((retval = setup_req (ep, req, 0)) == 0) {
++ spin_unlock_irq (&dev->lock);
++ retval = usb_ep_queue (ep, req, GFP_KERNEL);
++ spin_lock_irq (&dev->lock);
++ }
+ dev->state = STATE_DEV_CONNECTED;
+
+ /* assume that was SET_CONFIGURATION */
+@@ -1457,8 +1460,11 @@ delegate:
+ w_length);
+ if (value < 0)
+ break;
++
++ spin_unlock (&dev->lock);
+ value = usb_ep_queue (gadget->ep0, dev->req,
+- GFP_ATOMIC);
++ GFP_KERNEL);
++ spin_lock (&dev->lock);
+ if (value < 0) {
+ clean_req (gadget->ep0, dev->req);
+ break;
+@@ -1481,11 +1487,14 @@ delegate:
+ if (value >= 0 && dev->state != STATE_DEV_SETUP) {
+ req->length = value;
+ req->zero = value < w_length;
+- value = usb_ep_queue (gadget->ep0, req, GFP_ATOMIC);
++
++ spin_unlock (&dev->lock);
++ value = usb_ep_queue (gadget->ep0, req, GFP_KERNEL);
+ if (value < 0) {
+ DBG (dev, "ep_queue --> %d\n", value);
+ req->status = 0;
+ }
++ return value;
+ }
+
+ /* device stalls when value < 0 */
+diff --git a/drivers/usb/host/ehci-tegra.c b/drivers/usb/host/ehci-tegra.c
+index 4031b372008e..c1c1024a054c 100644
+--- a/drivers/usb/host/ehci-tegra.c
++++ b/drivers/usb/host/ehci-tegra.c
+@@ -89,7 +89,7 @@ static int tegra_reset_usb_controller(struct platform_device
*pdev)
+ if (!usb1_reset_attempted) {
+ struct reset_control *usb1_reset;
+
+- usb1_reset = of_reset_control_get(phy_np, "usb");
++ usb1_reset = of_reset_control_get(phy_np, "utmi-pads");
+ if (IS_ERR(usb1_reset)) {
+ dev_warn(&pdev->dev,
+ "can't get utmi-pads reset from the PHY\n");
+diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
+index 48672fac7ff3..c10972fcc8e4 100644
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -37,6 +37,7 @@
+ /* Device for a quirk */
+ #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73
+ #define PCI_DEVICE_ID_FRESCO_LOGIC_PDK 0x1000
++#define PCI_DEVICE_ID_FRESCO_LOGIC_FL1009 0x1009
+ #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1400 0x1400
+
+ #define PCI_VENDOR_ID_ETRON 0x1b6f
+@@ -114,6 +115,10 @@ static void xhci_pci_quirks(struct device *dev, struct
xhci_hcd *xhci)
+ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
+ }
+
++ if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC &&
++ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1009)
++ xhci->quirks |= XHCI_BROKEN_STREAMS;
++
+ if (pdev->vendor == PCI_VENDOR_ID_NEC)
+ xhci->quirks |= XHCI_NEC_HOST;
+
+diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
+index 474b5fa14900..d6e2b2751e50 100644
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -194,6 +194,9 @@ static int xhci_plat_probe(struct platform_device *pdev)
+ ret = clk_prepare_enable(clk);
+ if (ret)
+ goto put_hcd;
++ } else if (PTR_ERR(clk) == -EPROBE_DEFER) {
++ ret = -EPROBE_DEFER;
++ goto put_hcd;
+ }
+
+ xhci = hcd_to_xhci(hcd);
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index 99b4ff42f7a0..8b5b2aca277d 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -290,6 +290,14 @@ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci)
+
+ temp_64 = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
+ xhci->cmd_ring_state = CMD_RING_STATE_ABORTED;
++
++ /*
++ * Writing the CMD_RING_ABORT bit should cause a cmd completion event,
++ * however on some host hw the CMD_RING_RUNNING bit is correctly cleared
++ * but the completion event in never sent. Use the cmd timeout timer to
++ * handle those cases. Use twice the time to cover the bit polling retry
++ */
++ mod_timer(&xhci->cmd_timer, jiffies + (2 * XHCI_CMD_DEFAULT_TIMEOUT));
+ xhci_write_64(xhci, temp_64 | CMD_RING_ABORT,
+ &xhci->op_regs->cmd_ring);
+
+@@ -314,6 +322,7 @@ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci)
+
+ xhci_err(xhci, "Stopped the command ring failed, "
+ "maybe the host is dead\n");
++ del_timer(&xhci->cmd_timer);
+ xhci->xhc_state |= XHCI_STATE_DYING;
+ xhci_quiesce(xhci);
+ xhci_halt(xhci);
+@@ -1253,22 +1262,21 @@ void xhci_handle_command_timeout(unsigned long data)
+ int ret;
+ unsigned long flags;
+ u64 hw_ring_state;
+- struct xhci_command *cur_cmd = NULL;
++ bool second_timeout = false;
+ xhci = (struct xhci_hcd *) data;
+
+ /* mark this command to be cancelled */
+ spin_lock_irqsave(&xhci->lock, flags);
+ if (xhci->current_cmd) {
+- cur_cmd = xhci->current_cmd;
+- cur_cmd->status = COMP_CMD_ABORT;
++ if (xhci->current_cmd->status == COMP_CMD_ABORT)
++ second_timeout = true;
++ xhci->current_cmd->status = COMP_CMD_ABORT;
+ }
+
+-
+ /* Make sure command ring is running before aborting it */
+ hw_ring_state = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
+ if ((xhci->cmd_ring_state & CMD_RING_STATE_RUNNING) &&
+ (hw_ring_state & CMD_RING_RUNNING)) {
+-
+ spin_unlock_irqrestore(&xhci->lock, flags);
+ xhci_dbg(xhci, "Command timeout\n");
+ ret = xhci_abort_cmd_ring(xhci);
+@@ -1280,6 +1288,15 @@ void xhci_handle_command_timeout(unsigned long data)
+ }
+ return;
+ }
++
++ /* command ring failed to restart, or host removed. Bail out */
++ if (second_timeout || xhci->xhc_state & XHCI_STATE_REMOVING) {
++ spin_unlock_irqrestore(&xhci->lock, flags);
++ xhci_dbg(xhci, "command timed out twice, ring start fail?\n");
++ xhci_cleanup_command_queue(xhci);
++ return;
++ }
++
+ /* command timeout on stopped ring, ring can't be aborted */
+ xhci_dbg(xhci, "Command timeout on stopped ring\n");
+ xhci_handle_stopped_cmd_ring(xhci, xhci->current_cmd);
+@@ -2728,7 +2745,8 @@ hw_died:
+ writel(irq_pending, &xhci->ir_set->irq_pending);
+ }
+
+- if (xhci->xhc_state & XHCI_STATE_DYING) {
++ if (xhci->xhc_state & XHCI_STATE_DYING ||
++ xhci->xhc_state & XHCI_STATE_HALTED) {
+ xhci_dbg(xhci, "xHCI dying, ignoring interrupt. "
+ "Shouldn't IRQs be disabled?\n");
+ /* Clear the event handler busy flag (RW1C);
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 9e71c96ad74a..327280535848 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -685,20 +685,23 @@ void xhci_stop(struct usb_hcd *hcd)
+ u32 temp;
+ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
+
+- if (xhci->xhc_state & XHCI_STATE_HALTED)
+- return;
+-
+ mutex_lock(&xhci->mutex);
+- spin_lock_irq(&xhci->lock);
+- xhci->xhc_state |= XHCI_STATE_HALTED;
+- xhci->cmd_ring_state = CMD_RING_STATE_STOPPED;
+
+- /* Make sure the xHC is halted for a USB3 roothub
+- * (xhci_stop() could be called as part of failed init).
+- */
+- xhci_halt(xhci);
+- xhci_reset(xhci);
+- spin_unlock_irq(&xhci->lock);
++ if (!(xhci->xhc_state & XHCI_STATE_HALTED)) {
++ spin_lock_irq(&xhci->lock);
++
++ xhci->xhc_state |= XHCI_STATE_HALTED;
++ xhci->cmd_ring_state = CMD_RING_STATE_STOPPED;
++ xhci_halt(xhci);
++ xhci_reset(xhci);
++
++ spin_unlock_irq(&xhci->lock);
++ }
++
++ if (!usb_hcd_is_primary_hcd(hcd)) {
++ mutex_unlock(&xhci->mutex);
++ return;
++ }
+
+ xhci_cleanup_msix(xhci);
+
+diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c
+index 39fd95833eb8..c84f4d0816e5 100644
+--- a/drivers/usb/musb/musb_core.c
++++ b/drivers/usb/musb/musb_core.c
+@@ -2429,7 +2429,8 @@ static void musb_restore_context(struct musb *musb)
+ musb_writew(musb_base, MUSB_INTRTXE, musb->intrtxe);
+ musb_writew(musb_base, MUSB_INTRRXE, musb->intrrxe);
+ musb_writeb(musb_base, MUSB_INTRUSBE, musb->context.intrusbe);
+- musb_writeb(musb_base, MUSB_DEVCTL, musb->context.devctl);
++ if (musb->context.devctl & MUSB_DEVCTL_SESSION)
++ musb_writeb(musb_base, MUSB_DEVCTL, musb->context.devctl);
+
+ for (i = 0; i < musb->config->num_eps; ++i) {
+ struct musb_hw_ep *hw_ep;
+diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
+index 2f8ad7f1f482..8ff03228540a 100644
+--- a/drivers/usb/musb/musb_host.c
++++ b/drivers/usb/musb/musb_host.c
+@@ -594,14 +594,13 @@ musb_rx_reinit(struct musb *musb, struct musb_qh *qh, u8
epnum)
+ musb_writew(ep->regs, MUSB_TXCSR, 0);
+
+ /* scrub all previous state, clearing toggle */
+- } else {
+- csr = musb_readw(ep->regs, MUSB_RXCSR);
+- if (csr & MUSB_RXCSR_RXPKTRDY)
+- WARNING("rx%d, packet/%d ready?\n", ep->epnum,
+- musb_readw(ep->regs, MUSB_RXCOUNT));
+-
+- musb_h_flush_rxfifo(ep, MUSB_RXCSR_CLRDATATOG);
+ }
++ csr = musb_readw(ep->regs, MUSB_RXCSR);
++ if (csr & MUSB_RXCSR_RXPKTRDY)
++ WARNING("rx%d, packet/%d ready?\n", ep->epnum,
++ musb_readw(ep->regs, MUSB_RXCOUNT));
++
++ musb_h_flush_rxfifo(ep, MUSB_RXCSR_CLRDATATOG);
+
+ /* target addr and (for multipoint) hub addr/port */
+ if (musb->is_multipoint) {
+@@ -995,9 +994,15 @@ static void musb_bulk_nak_timeout(struct musb *musb,
struct musb_hw_ep *ep,
+ if (is_in) {
+ dma = is_dma_capable() ? ep->rx_channel : NULL;
+
+- /* clear nak timeout bit */
++ /*
++ * Need to stop the transaction by clearing REQPKT first
++ * then the NAK Timeout bit ref MUSBMHDRC USB 2.0 HIGH-SPEED
++ * DUAL-ROLE CONTROLLER Programmer's Guide, section 9.2.2
++ */
+ rx_csr = musb_readw(epio, MUSB_RXCSR);
+ rx_csr |= MUSB_RXCSR_H_WZC_BITS;
++ rx_csr &= ~MUSB_RXCSR_H_REQPKT;
++ musb_writew(epio, MUSB_RXCSR, rx_csr);
+ rx_csr &= ~MUSB_RXCSR_DATAERROR;
+ musb_writew(epio, MUSB_RXCSR, rx_csr);
+
+@@ -1551,7 +1556,7 @@ static int musb_rx_dma_iso_cppi41(struct dma_controller
*dma,
+ struct urb *urb,
+ size_t len)
+ {
+- struct dma_channel *channel = hw_ep->tx_channel;
++ struct dma_channel *channel = hw_ep->rx_channel;
+ void __iomem *epio = hw_ep->regs;
+ dma_addr_t *buf;
+ u32 length, res;
+diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
+index 2eddbe538cda..5608af4a369d 100644
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -2007,6 +2007,7 @@ static void mos7720_release(struct usb_serial *serial)
+ urblist_entry)
+ usb_unlink_urb(urbtrack->urb);
+ spin_unlock_irqrestore(&mos_parport->listlock, flags);
++ parport_del_port(mos_parport->pp);
+
+ kref_put(&mos_parport->ref_count, destroy_mos_parport);
+ }
+diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
+index 16bc679dc2fc..ecc7d4b1dfa3 100644
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -835,6 +835,7 @@ static int uas_slave_configure(struct scsi_device *sdev)
+ if (devinfo->flags & US_FL_BROKEN_FUA)
+ sdev->broken_fua = 1;
+
++ scsi_change_queue_depth(sdev, devinfo->qdepth - 2);
+ return 0;
+ }
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index f1d5c5acc8dd..ca80d5830bfd 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -229,6 +229,10 @@ static inline struct bpf_prog *bpf_prog_get(u32 ufd)
+ static inline void bpf_prog_put(struct bpf_prog *prog)
+ {
+ }
++
++static inline void bpf_prog_put_rcu(struct bpf_prog *prog)
++{
++}
+ #endif /* CONFIG_BPF_SYSCALL */
+
+ /* verifier prototypes for helper functions called from eBPF programs */
+diff --git a/include/linux/net.h b/include/linux/net.h
+index f840d77c6c31..9d90efe6a708 100644
+--- a/include/linux/net.h
++++ b/include/linux/net.h
+@@ -252,7 +252,8 @@ do {
\
+ DEFINE_DYNAMIC_DEBUG_METADATA(descriptor, fmt); \
+ if (unlikely(descriptor.flags & _DPRINTK_FLAGS_PRINT) && \
+ net_ratelimit()) \
+- __dynamic_pr_debug(&descriptor, fmt, ##__VA_ARGS__); \
++ __dynamic_pr_debug(&descriptor, pr_fmt(fmt), \
++ ##__VA_ARGS__); \
+ } while (0)
+ #elif defined(DEBUG)
+ #define net_dbg_ratelimited(fmt, ...) \
+diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
+index 4018b48f2b3b..a0596ca0e80a 100644
+--- a/include/linux/sock_diag.h
++++ b/include/linux/sock_diag.h
+@@ -36,6 +36,9 @@ enum sknetlink_groups sock_diag_destroy_group(const struct
sock *sk)
+ {
+ switch (sk->sk_family) {
+ case AF_INET:
++ if (sk->sk_type == SOCK_RAW)
++ return SKNLGRP_NONE;
++
+ switch (sk->sk_protocol) {
+ case IPPROTO_TCP:
+ return SKNLGRP_INET_TCP_DESTROY;
+@@ -45,6 +48,9 @@ enum sknetlink_groups sock_diag_destroy_group(const struct
sock *sk)
+ return SKNLGRP_NONE;
+ }
+ case AF_INET6:
++ if (sk->sk_type == SOCK_RAW)
++ return SKNLGRP_NONE;
++
+ switch (sk->sk_protocol) {
+ case IPPROTO_TCP:
+ return SKNLGRP_INET6_TCP_DESTROY;
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index c0ded2416615..a69c90cea05d 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7143,7 +7143,7 @@ static void perf_event_free_bpf_prog(struct perf_event
*event)
+ prog = event->tp_event->prog;
+ if (prog) {
+ event->tp_event->prog = NULL;
+- bpf_prog_put(prog);
++ bpf_prog_put_rcu(prog);
+ }
+ }
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index fbd0acf80b13..2fdebabbfacd 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -976,7 +976,8 @@ static int ax25_release(struct socket *sock)
+ release_sock(sk);
+ ax25_disconnect(ax25, 0);
+ lock_sock(sk);
+- ax25_destroy_socket(ax25);
++ if (!sock_flag(ax25->sk, SOCK_DESTROY))
++ ax25_destroy_socket(ax25);
+ break;
+
+ case AX25_STATE_3:
+diff --git a/net/ax25/ax25_ds_timer.c b/net/ax25/ax25_ds_timer.c
+index 951cd57bb07d..5237dff6941d 100644
+--- a/net/ax25/ax25_ds_timer.c
++++ b/net/ax25/ax25_ds_timer.c
+@@ -102,6 +102,7 @@ void ax25_ds_heartbeat_expiry(ax25_cb *ax25)
+ switch (ax25->state) {
+
+ case AX25_STATE_0:
++ case AX25_STATE_2:
+ /* Magic here: If we listen() and a new link dies before it
+ is accepted() it isn't 'dead' so doesn't get removed. */
+ if (!sk || sock_flag(sk, SOCK_DESTROY) ||
+@@ -111,6 +112,7 @@ void ax25_ds_heartbeat_expiry(ax25_cb *ax25)
+ sock_hold(sk);
+ ax25_destroy_socket(ax25);
+ bh_unlock_sock(sk);
++ /* Ungrab socket and destroy it */
+ sock_put(sk);
+ } else
+ ax25_destroy_socket(ax25);
+@@ -213,7 +215,8 @@ void ax25_ds_t1_timeout(ax25_cb *ax25)
+ case AX25_STATE_2:
+ if (ax25->n2count == ax25->n2) {
+ ax25_send_control(ax25, AX25_DISC, AX25_POLLON,
AX25_COMMAND);
+- ax25_disconnect(ax25, ETIMEDOUT);
++ if (!sock_flag(ax25->sk, SOCK_DESTROY))
++ ax25_disconnect(ax25, ETIMEDOUT);
+ return;
+ } else {
+ ax25->n2count++;
+diff --git a/net/ax25/ax25_std_timer.c b/net/ax25/ax25_std_timer.c
+index 004467c9e6e1..2c0d6ef66f9d 100644
+--- a/net/ax25/ax25_std_timer.c
++++ b/net/ax25/ax25_std_timer.c
+@@ -38,6 +38,7 @@ void ax25_std_heartbeat_expiry(ax25_cb *ax25)
+
+ switch (ax25->state) {
+ case AX25_STATE_0:
++ case AX25_STATE_2:
+ /* Magic here: If we listen() and a new link dies before it
+ is accepted() it isn't 'dead' so doesn't get removed. */
+ if (!sk || sock_flag(sk, SOCK_DESTROY) ||
+@@ -47,6 +48,7 @@ void ax25_std_heartbeat_expiry(ax25_cb *ax25)
+ sock_hold(sk);
+ ax25_destroy_socket(ax25);
+ bh_unlock_sock(sk);
++ /* Ungrab socket and destroy it */
+ sock_put(sk);
+ } else
+ ax25_destroy_socket(ax25);
+@@ -144,7 +146,8 @@ void ax25_std_t1timer_expiry(ax25_cb *ax25)
+ case AX25_STATE_2:
+ if (ax25->n2count == ax25->n2) {
+ ax25_send_control(ax25, AX25_DISC, AX25_POLLON,
AX25_COMMAND);
+- ax25_disconnect(ax25, ETIMEDOUT);
++ if (!sock_flag(ax25->sk, SOCK_DESTROY))
++ ax25_disconnect(ax25, ETIMEDOUT);
+ return;
+ } else {
+ ax25->n2count++;
+diff --git a/net/ax25/ax25_subr.c b/net/ax25/ax25_subr.c
+index 3b78e8473a01..655a7d4c96e1 100644
+--- a/net/ax25/ax25_subr.c
++++ b/net/ax25/ax25_subr.c
+@@ -264,7 +264,8 @@ void ax25_disconnect(ax25_cb *ax25, int reason)
+ {
+ ax25_clear_queues(ax25);
+
+- ax25_stop_heartbeat(ax25);
++ if (!sock_flag(ax25->sk, SOCK_DESTROY))
++ ax25_stop_heartbeat(ax25);
+ ax25_stop_t1timer(ax25);
+ ax25_stop_t2timer(ax25);
+ ax25_stop_t3timer(ax25);
+diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
+index 6852f3c7009c..43844144c9c4 100644
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -464,8 +464,11 @@ static struct sk_buff
*br_ip6_multicast_alloc_query(struct net_bridge *br,
+ if (ipv6_dev_get_saddr(dev_net(br->dev), br->dev, &ip6h->daddr, 0,
+ &ip6h->saddr)) {
+ kfree_skb(skb);
++ br->has_ipv6_addr = 0;
+ return NULL;
+ }
++
++ br->has_ipv6_addr = 1;
+ ipv6_eth_mc_map(&ip6h->daddr, eth->h_dest);
+
+ hopopt = (u8 *)(ip6h + 1);
+@@ -1745,6 +1748,7 @@ void br_multicast_init(struct net_bridge *br)
+ br->ip6_other_query.delay_time = 0;
+ br->ip6_querier.port = NULL;
+ #endif
++ br->has_ipv6_addr = 1;
+
+ spin_lock_init(&br->multicast_lock);
+ setup_timer(&br->multicast_router_timer,
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index d9da857182ef..f516c53bafb6 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -304,6 +304,7 @@ struct net_bridge
+ u8 multicast_disabled:1;
+ u8 multicast_querier:1;
+ u8 multicast_query_use_ifaddr:1;
++ u8 has_ipv6_addr:1;
+
+ u32 hash_elasticity;
+ u32 hash_max;
+@@ -577,10 +578,22 @@ static inline bool br_multicast_is_router(struct
net_bridge *br)
+
+ static inline bool
+ __br_multicast_querier_exists(struct net_bridge *br,
+- struct bridge_mcast_other_query *querier)
++ struct bridge_mcast_other_query *querier,
++ const bool is_ipv6)
+ {
++ bool own_querier_enabled;
++
++ if (br->multicast_querier) {
++ if (is_ipv6 && !br->has_ipv6_addr)
++ own_querier_enabled = false;
++ else
++ own_querier_enabled = true;
++ } else {
++ own_querier_enabled = false;
++ }
++
+ return time_is_before_jiffies(querier->delay_time) &&
+- (br->multicast_querier || timer_pending(&querier->timer));
++ (own_querier_enabled || timer_pending(&querier->timer));
+ }
+
+ static inline bool br_multicast_querier_exists(struct net_bridge *br,
+@@ -588,10 +601,12 @@ static inline bool br_multicast_querier_exists(struct
net_bridge *br,
+ {
+ switch (eth->h_proto) {
+ case (htons(ETH_P_IP)):
+- return __br_multicast_querier_exists(br, &br->ip4_other_query);
++ return __br_multicast_querier_exists(br,
++ &br->ip4_other_query, false);
+ #if IS_ENABLED(CONFIG_IPV6)
+ case (htons(ETH_P_IPV6)):
+- return __br_multicast_querier_exists(br, &br->ip6_other_query);
++ return __br_multicast_querier_exists(br,
++ &br->ip6_other_query, true);
+ #endif
+ default:
+ return false;
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index f18ae91b652e..769cece9b00b 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -2467,13 +2467,17 @@ int neigh_xmit(int index, struct net_device *dev,
+ tbl = neigh_tables[index];
+ if (!tbl)
+ goto out;
++ rcu_read_lock_bh();
+ neigh = __neigh_lookup_noref(tbl, addr, dev);
+ if (!neigh)
+ neigh = __neigh_create(tbl, addr, dev, false);
+ err = PTR_ERR(neigh);
+- if (IS_ERR(neigh))
++ if (IS_ERR(neigh)) {
++ rcu_read_unlock_bh();
+ goto out_kfree_skb;
++ }
+ err = neigh->output(neigh, skb);
++ rcu_read_unlock_bh();
+ }
+ else if (index == NEIGH_LINK_TABLE) {
+ err = dev_hard_header(skb, dev, ntohs(skb->protocol),
+diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
+index 477937465a20..d95631d09248 100644
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -23,6 +23,11 @@ struct esp_skb_cb {
+ void *tmp;
+ };
+
++struct esp_output_extra {
++ __be32 seqhi;
++ u32 esphoff;
++};
++
+ #define ESP_SKB_CB(__skb) ((struct esp_skb_cb *)&((__skb)->cb[0]))
+
+ static u32 esp4_get_mtu(struct xfrm_state *x, int mtu);
+@@ -35,11 +40,11 @@ static u32 esp4_get_mtu(struct xfrm_state *x, int mtu);
+ *
+ * TODO: Use spare space in skb for this where possible.
+ */
+-static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags, int seqhilen)
++static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags, int extralen)
+ {
+ unsigned int len;
+
+- len = seqhilen;
++ len = extralen;
+
+ len += crypto_aead_ivsize(aead);
+
+@@ -57,15 +62,16 @@ static void *esp_alloc_tmp(struct crypto_aead *aead, int
nfrags, int seqhilen)
+ return kmalloc(len, GFP_ATOMIC);
+ }
+
+-static inline __be32 *esp_tmp_seqhi(void *tmp)
++static inline void *esp_tmp_extra(void *tmp)
+ {
+- return PTR_ALIGN((__be32 *)tmp, __alignof__(__be32));
++ return PTR_ALIGN(tmp, __alignof__(struct esp_output_extra));
+ }
+-static inline u8 *esp_tmp_iv(struct crypto_aead *aead, void *tmp, int
seqhilen)
++
++static inline u8 *esp_tmp_iv(struct crypto_aead *aead, void *tmp, int
extralen)
+ {
+ return crypto_aead_ivsize(aead) ?
+- PTR_ALIGN((u8 *)tmp + seqhilen,
+- crypto_aead_alignmask(aead) + 1) : tmp + seqhilen;
++ PTR_ALIGN((u8 *)tmp + extralen,
++ crypto_aead_alignmask(aead) + 1) : tmp + extralen;
+ }
+
+ static inline struct aead_request *esp_tmp_req(struct crypto_aead *aead, u8
*iv)
+@@ -99,7 +105,7 @@ static void esp_restore_header(struct sk_buff *skb,
unsigned int offset)
+ {
+ struct ip_esp_hdr *esph = (void *)(skb->data + offset);
+ void *tmp = ESP_SKB_CB(skb)->tmp;
+- __be32 *seqhi = esp_tmp_seqhi(tmp);
++ __be32 *seqhi = esp_tmp_extra(tmp);
+
+ esph->seq_no = esph->spi;
+ esph->spi = *seqhi;
+@@ -107,7 +113,11 @@ static void esp_restore_header(struct sk_buff *skb,
unsigned int offset)
+
+ static void esp_output_restore_header(struct sk_buff *skb)
+ {
+- esp_restore_header(skb, skb_transport_offset(skb) - sizeof(__be32));
++ void *tmp = ESP_SKB_CB(skb)->tmp;
++ struct esp_output_extra *extra = esp_tmp_extra(tmp);
++
++ esp_restore_header(skb, skb_transport_offset(skb) + extra->esphoff -
++ sizeof(__be32));
+ }
+
+ static void esp_output_done_esn(struct crypto_async_request *base, int err)
+@@ -121,6 +131,7 @@ static void esp_output_done_esn(struct
crypto_async_request *base, int err)
+ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ int err;
++ struct esp_output_extra *extra;
+ struct ip_esp_hdr *esph;
+ struct crypto_aead *aead;
+ struct aead_request *req;
+@@ -137,8 +148,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff
*skb)
+ int tfclen;
+ int nfrags;
+ int assoclen;
+- int seqhilen;
+- __be32 *seqhi;
++ int extralen;
+ __be64 seqno;
+
+ /* skb is pure payload to encrypt */
+@@ -166,21 +176,21 @@ static int esp_output(struct xfrm_state *x, struct
sk_buff *skb)
+ nfrags = err;
+
+ assoclen = sizeof(*esph);
+- seqhilen = 0;
++ extralen = 0;
+
+ if (x->props.flags & XFRM_STATE_ESN) {
+- seqhilen += sizeof(__be32);
+- assoclen += seqhilen;
++ extralen += sizeof(*extra);
++ assoclen += sizeof(__be32);
+ }
+
+- tmp = esp_alloc_tmp(aead, nfrags, seqhilen);
++ tmp = esp_alloc_tmp(aead, nfrags, extralen);
+ if (!tmp) {
+ err = -ENOMEM;
+ goto error;
+ }
+
+- seqhi = esp_tmp_seqhi(tmp);
+- iv = esp_tmp_iv(aead, tmp, seqhilen);
++ extra = esp_tmp_extra(tmp);
++ iv = esp_tmp_iv(aead, tmp, extralen);
+ req = esp_tmp_req(aead, iv);
+ sg = esp_req_sg(aead, req);
+
+@@ -247,8 +257,10 @@ static int esp_output(struct xfrm_state *x, struct
sk_buff *skb)
+ * encryption.
+ */
+ if ((x->props.flags & XFRM_STATE_ESN)) {
+- esph = (void *)(skb_transport_header(skb) - sizeof(__be32));
+- *seqhi = esph->spi;
++ extra->esphoff = (unsigned char *)esph -
++ skb_transport_header(skb);
++ esph = (struct ip_esp_hdr *)((unsigned char *)esph - 4);
++ extra->seqhi = esph->spi;
+ esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.hi);
+ aead_request_set_callback(req, 0, esp_output_done_esn, skb);
+ }
+@@ -445,7 +457,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff
*skb)
+ goto out;
+
+ ESP_SKB_CB(skb)->tmp = tmp;
+- seqhi = esp_tmp_seqhi(tmp);
++ seqhi = esp_tmp_extra(tmp);
+ iv = esp_tmp_iv(aead, tmp, seqhilen);
+ req = esp_tmp_req(aead, iv);
+ sg = esp_req_sg(aead, req);
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index 395e2814a46d..a42dd8021b6b 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -891,8 +891,10 @@ static struct mfc_cache *ipmr_cache_alloc(void)
+ {
+ struct mfc_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL);
+
+- if (c)
++ if (c) {
++ c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1;
+ c->mfc_un.res.minvif = MAXVIFS;
++ }
+ return c;
+ }
+
+diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
+index a10e77103c88..e207cb2468da 100644
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -1074,6 +1074,7 @@ static struct mfc6_cache *ip6mr_cache_alloc(void)
+ struct mfc6_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL);
+ if (!c)
+ return NULL;
++ c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1;
+ c->mfc_un.res.minvif = MAXMIFS;
+ return c;
+ }
+diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
+index 83384308d032..6c53e4eb0f09 100644
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -560,13 +560,13 @@ static int ipip6_err(struct sk_buff *skb, u32 info)
+
+ if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
+ ipv4_update_pmtu(skb, dev_net(skb->dev), info,
+- t->parms.link, 0, IPPROTO_IPV6, 0);
++ t->parms.link, 0, iph->protocol, 0);
+ err = 0;
+ goto out;
+ }
+ if (type == ICMP_REDIRECT) {
+ ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0,
+- IPPROTO_IPV6, 0);
++ iph->protocol, 0);
+ err = 0;
+ goto out;
+ }
+diff --git a/net/kcm/kcmproc.c b/net/kcm/kcmproc.c
+index 738008726cc6..fda7f4715c58 100644
+--- a/net/kcm/kcmproc.c
++++ b/net/kcm/kcmproc.c
+@@ -241,6 +241,7 @@ static const struct file_operations kcm_seq_fops = {
+ .open = kcm_seq_open,
+ .read = seq_read,
+ .llseek = seq_lseek,
++ .release = seq_release_net,
+ };
+
+ static struct kcm_seq_muxinfo kcm_seq_muxinfo = {
+diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
+index 8b5270008a6e..606323339e1f 100644
+--- a/net/sched/act_ipt.c
++++ b/net/sched/act_ipt.c
+@@ -121,10 +121,13 @@ static int __tcf_ipt_init(struct tc_action_net *tn,
struct nlattr *nla,
+ }
+
+ td = (struct xt_entry_target *)nla_data(tb[TCA_IPT_TARG]);
+- if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size)
++ if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size) {
++ if (exists)
++ tcf_hash_release(a, bind);
+ return -EINVAL;
++ }
+
+- if (!tcf_hash_check(tn, index, a, bind)) {
++ if (!exists) {
+ ret = tcf_hash_create(tn, index, est, a, sizeof(*ipt), bind,
+ false);
+ if (ret)
+diff --git a/net/sched/sch_fifo.c b/net/sched/sch_fifo.c
+index 2177eac0a61e..2e4bd2c0a50c 100644
+--- a/net/sched/sch_fifo.c
++++ b/net/sched/sch_fifo.c
+@@ -37,14 +37,18 @@ static int pfifo_enqueue(struct sk_buff *skb, struct Qdisc
*sch)
+
+ static int pfifo_tail_enqueue(struct sk_buff *skb, struct Qdisc *sch)
+ {
++ unsigned int prev_backlog;
++
+ if (likely(skb_queue_len(&sch->q) < sch->limit))
+ return qdisc_enqueue_tail(skb, sch);
+
++ prev_backlog = sch->qstats.backlog;
+ /* queue full, remove one skb to fulfill the limit */
+ __qdisc_queue_drop_head(sch, &sch->q);
+ qdisc_qstats_drop(sch);
+ qdisc_enqueue_tail(skb, sch);
+
++ qdisc_tree_reduce_backlog(sch, 0, prev_backlog - sch->qstats.backlog);
+ return NET_XMIT_CN;
+ }
+
+diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
+index 4befe97a9034..b7c29d5b6f04 100644
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -650,14 +650,14 @@ deliver:
+ #endif
+
+ if (q->qdisc) {
++ unsigned int pkt_len = qdisc_pkt_len(skb);
+ int err = qdisc_enqueue(skb, q->qdisc);
+
+- if (unlikely(err != NET_XMIT_SUCCESS)) {
+- if (net_xmit_drop_count(err)) {
+- qdisc_qstats_drop(sch);
+- qdisc_tree_reduce_backlog(sch,
1,
+-
qdisc_pkt_len(skb));
+- }
++ if (err != NET_XMIT_SUCCESS &&
++ net_xmit_drop_count(err)) {
++ qdisc_qstats_drop(sch);
++ qdisc_tree_reduce_backlog(sch, 1,
++ pkt_len);
+ }
+ goto tfifo_dequeue;
+ }
++++++ series.conf ++++++
--- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:53.000000000 +0200
+++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:53.000000000 +0200
@@ -30,6 +30,7 @@
patches.kernel.org/patch-4.6.1
patches.kernel.org/patch-4.6.1-2
patches.kernel.org/patch-4.6.2-3
+ patches.kernel.org/patch-4.6.3-4
########################################################
# Build fixes that apply to the vanilla kernel too.
@@ -249,6 +250,9 @@
# NFS
########################################################
+ patches.fixes/0001-posix_acl-Add-set_posix_acl.patch
+ patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch
+
########################################################
# lockd + statd
########################################################
@@ -376,7 +380,6 @@
# USB
########################################################
-
patches.drivers/0001-Subject-PATCH-USB-xhci-Add-broken-streams-quirk-for-.patch
########################################################
# I2C
@@ -452,6 +455,7 @@
# patches.apparmor/apparmor-profiles-seq_file
patches.apparmor/apparmor-temporary-work-around-for-bug-while-unloadi
patches.apparmor/apparmor-allow-sys_cap_resource-to-be-sufficient-to-prlimit-another-task
+ patches.fixes/apparmor-fix-oops-validate-buffer-size-in-apparmor_s
########################################################
# Address space layout randomization
++++++ source-timestamp ++++++
--- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:53.000000000 +0200
+++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:53.000000000 +0200
@@ -1,3 +1,3 @@
-2016-06-26 09:34:33 +0200
-GIT Revision: d4bcf2abd85a8d69da9d3f3e4e5dc57c556bca61
+2016-07-11 19:59:12 +0200
+GIT Revision: 103c93658e0b44729ee8882c4eee7d9b9bc5386d
GIT Branch: stable
