author | Alexandre Oliva <lxoliva@fsfla.org> | 2016-01-30 23:06:51 +0000 |
---|---|---|
committer | Alexandre Oliva <lxoliva@fsfla.org> | 2016-01-30 23:06:51 +0000 |
commit | 708f4a91d10d5b0d196cbea8311d76a52068e377 (patch) | |
tree | bab5be0e915a253a9ccf13440aed1a8d9aa53b2f /freed-ora/current/f22 | |
parent | 4b396910d53cb126ac6f310f6862d7063171fecc (diff) | |
4.3.4-200.fc22.gnu
Diffstat (limited to 'freed-ora/current/f22')
14 files changed, 616 insertions, 2339 deletions
diff --git a/freed-ora/current/f22/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch b/freed-ora/current/f22/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
new file mode 100644
index 000000000..c469460e5
--- /dev/null
+++ b/freed-ora/current/f22/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
@@ -0,0 +1,94 @@
+From cd1e1e286bb3c4fa8714c1e571ae082e510efd5d Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Tue, 1 Dec 2015 12:41:38 +0100
+Subject: [PATCH] HID: multitouch: fix input mode switching on some Elan panels
+
+as reported by https://bugzilla.kernel.org/show_bug.cgi?id=108481
+
+This bug reports mentions 6d4f5440 ("HID: multitouch: Fetch feature
+reports on demand for Win8 devices") as the origin of the problem but this
+commit actually masked 2 firmware bugs that are annihilating each other:
+
+The report descriptor declares two features in reports 3 and 5:
+
+0x05, 0x0d, // Usage Page (Digitizers) 318
+0x09, 0x0e, // Usage (Device Configuration) 320
+0xa1, 0x01, // Collection (Application) 322
+0x85, 0x03, // Report ID (3) 324
+0x09, 0x22, // Usage (Finger) 326
+0xa1, 0x00, // Collection (Physical) 328
+0x09, 0x52, // Usage (Inputmode) 330
+0x15, 0x00, // Logical Minimum (0) 332
+0x25, 0x0a, // Logical Maximum (10) 334
+0x75, 0x08, // Report Size (8) 336
+0x95, 0x02, // Report Count (2) 338
+0xb1, 0x02, // Feature (Data,Var,Abs) 340
+0xc0, // End Collection 342
+0x09, 0x22, // Usage (Finger) 343
+0xa1, 0x00, // Collection (Physical) 345
+0x85, 0x05, // Report ID (5) 347
+0x09, 0x57, // Usage (Surface Switch) 349
+0x09, 0x58, // Usage (Button Switch) 351
+0x15, 0x00, // Logical Minimum (0) 353
+0x75, 0x01, // Report Size (1) 355
+0x95, 0x02, // Report Count (2) 357
+0x25, 0x03, // Logical Maximum (3) 359
+0xb1, 0x02, // Feature (Data,Var,Abs) 361
+0x95, 0x0e, // Report Count (14) 363
+0xb1, 0x03, // Feature (Cnst,Var,Abs) 365
+0xc0, // End Collection 367
+
+The report ID 3 presents 2 input mode features, while only the first one
+is handled by the device. Given that we did not checked if one was
+previously assigned, we were dealing with the ignored featured and we
+should never have been able to switch this panel into the multitouch mode.
+
+However, the firmware presents an other bugs which allowed 6d4f5440
+to counteract the faulty report descriptor. When we request the values
+of the feature 5, the firmware answers "03 03 00". The fields are correct
+but the report id is wrong. Before 6d4f5440, we retrieved all the features
+and injected them in the system. So when we called report 5, we injected
+in the system the report 3 with the values "03 00".
+Setting the second input mode to 03 in this report changed it to "03 03"
+and the touchpad switched to the mt mode. We could have set anything
+in the second field because the actual value (the first 03 in this report)
+was given by the query of report ID 5.
+
+To sum up: 2 bugs in the firmware were hiding that we were accessing the
+wrong feature.
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/hid-multitouch.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index ba94044cb859..d866720412cd 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -357,8 +357,19 @@ static void mt_feature_mapping(struct hid_device *hdev,
+ break;
+ }
+ 
+- td->inputmode = field->report->id;
+- td->inputmode_index = usage->usage_index;
++ if (td->inputmode < 0) {
++ td->inputmode = field->report->id;
++ td->inputmode_index = usage->usage_index;
++ } else {
++ /*
++ * Some elan panels wrongly declare 2 input mode
++ * features, and silently ignore when we set the
++ * value in the second field. Skip the second feature
++ * and hope for the best.
++ */
++ dev_info(&hdev->dev,
++ "Ignoring the extra HID_DG_INPUTMODE\n");
++ }
+ 
+ break;
+ case HID_DG_CONTACTMAX:
+-- 
+2.5.0
+ 
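Review bot: The new guard `if (td->inputmode < 0)` in mt_feature_mapping only does what the comment promises if td->inputmode is initialized to a negative sentinel before any feature mapping runs, and neither that initialization nor the type of the field is visible in this hunk; when carrying this backport into the 4.3 tree it is worth confirming that `inputmode` is a signed type and is set negative in probe, otherwise the first HID_DG_INPUTMODE would be silently skipped as "extra". The else-branch comment could state the dependency, e.g. `/* td->inputmode is negative until the first HID_DG_INPUTMODE is mapped; later ones are ignored */`. mt_feature_mapping begins before this hunk and continues after it.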
diff --git a/freed-ora/current/f22/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/freed-ora/current/f22/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
deleted file mode 100644
index 5eec95c62..000000000
--- a/freed-ora/current/f22/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
+++ /dev/null
@@ -1,78 +0,0 @@ -From 05fd13592b60c3e9873f56705f80ff934e98b046 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 18 Jan 2016 10:53:31 +0000 -Subject: [PATCH] KEYS: Fix keyring ref leak in join_session_keyring() - -This fixes CVE-2016-0728. - -If a thread is asked to join as a session keyring the keyring that's already -set as its session, we leak a keyring reference. - -This can be tested with the following program: - - #include <stddef.h> - #include <stdio.h> - #include <sys/types.h> - #include <keyutils.h> - - int main(int argc, const char *argv[]) - { - int i = 0; - key_serial_t serial; - - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, - "leaked-keyring"); - if (serial < 0) { - perror("keyctl"); - return -1; - } - - if (keyctl(KEYCTL_SETPERM, serial, - KEY_POS_ALL | KEY_USR_ALL) < 0) { - perror("keyctl"); - return -1; - } - - for (i = 0; i < 100; i++) { - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, - "leaked-keyring"); - if (serial < 0) { - perror("keyctl"); - return -1; - } - } - - return 0; - } - -If, after the program has run, there something like the following line in -/proc/keys: - -3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty - -with a usage count of 100 * the number of times the program has been run, -then the kernel is malfunctioning. If leaked-keyring has zero usages or -has been garbage collected, then the problem is fixed. 
- -Reported-by: Yevgeny Pats <yevgeny@perception-point.io> -Signed-off-by: David Howells <dhowells@redhat.com> -RH-bugzilla: 1298036 ---- - security/keys/process_keys.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index 43b4cddbf2b3..7877e5cd4e23 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) - ret = PTR_ERR(keyring); - goto error2; - } else if (keyring == new->session_keyring) { -+ key_put(keyring); - ret = 0; - goto error2; - } --- -2.5.0 - diff --git a/freed-ora/current/f22/KEYS-Fix-race-between-read-and-revoke.patch b/freed-ora/current/f22/KEYS-Fix-race-between-read-and-revoke.patch deleted file mode 100644 index df0d9376b..000000000 --- a/freed-ora/current/f22/KEYS-Fix-race-between-read-and-revoke.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -From f144220f72062ed5359e0211f130670c915a12dd Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 14 Dec 2015 10:36:31 -0500 -Subject: [PATCH] KEYS: Fix race between read and revoke - -There's a race between keyctl_read() and keyctl_revoke(). If the revoke -happens between keyctl_read() checking the validity of a key and the key's -semaphore being taken, then the key type read method will see a revoked key. - -This causes a problem for the user-defined key type because it assumes in -its read method that there will always be a payload in a non-revoked key -and doesn't check for a NULL pointer. - -Fix this by making keyctl_read() check the validity of a key after taking -semaphore instead of before. - -This was discovered by a multithreaded test program generated by syzkaller -(http://github.com/google/syzkaller). Here's a cleaned up version: - - #include <sys/types.h> - #include <keyutils.h> - #include <pthread.h> - void *thr0(void *arg) - { - key_serial_t key = (unsigned long)arg; - keyctl_revoke(key); - return 0; - } - void *thr1(void *arg) - { - key_serial_t key = (unsigned long)arg; - char buffer[16]; - keyctl_read(key, buffer, 16); - return 0; - } - int main() - { - key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING); - pthread_t th[5]; - pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key); - pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key); - pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key); - pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key); - pthread_join(th[0], 0); - pthread_join(th[1], 0); - pthread_join(th[2], 0); - pthread_join(th[3], 0); - return 0; - } - -Build as: - - cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread - -Run as: - - while keyctl-race; do :; done - -as it may need several iterations to crash the kernel. 
The crash can be -summarised as: - - BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 - IP: [<ffffffff81279b08>] user_read+0x56/0xa3 - ... - Call Trace: - [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7 - [<ffffffff81277815>] SyS_keyctl+0x83/0xe0 - [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f - -Reported-by: Dmitry Vyukov <dvyukov@google.com> -Signed-off-by: David Howells <dhowells@redhat.com> ---- - security/keys/keyctl.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c -index fb111eafcb89..1c3872aeed14 100644 ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -751,16 +751,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) - - /* the key is probably readable - now try to read it */ - can_read_key: -- ret = key_validate(key); -- if (ret == 0) { -- ret = -EOPNOTSUPP; -- if (key->type->read) { -- /* read the data with the semaphore held (since we -- * might sleep) */ -- down_read(&key->sem); -+ ret = -EOPNOTSUPP; -+ if (key->type->read) { -+ /* Read the data with the semaphore held (since we might sleep) -+ * to protect against the key being updated or revoked. -+ */ -+ down_read(&key->sem); -+ ret = key_validate(key); -+ if (ret == 0) - ret = key->type->read(key, buffer, buflen); -- up_read(&key->sem); -- } -+ up_read(&key->sem); - } - - error2: --- -2.5.0 - diff --git a/freed-ora/current/f22/PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch b/freed-ora/current/f22/PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch new file mode 100644 index 000000000..c2082a3b4 --- /dev/null +++ b/freed-ora/current/f22/PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch 
@@ -0,0 +1,119 @@ +From afa5b65015ff2a7f0b4ec8cab6f58fa47025259a Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Fri, 22 Jan 2016 08:11:46 -0500 +Subject: [PATCH] PNP: Add Haswell-ULT to Intel MCH size workaround + +Add device ID 0x0a04 for Haswell-ULT to the list of devices with MCH +problems. + +From a Lenovo ThinkPad T440S: +[ 0.188604] pnp: PnP ACPI init +[ 0.189044] system 00:00: [mem 0x00000000-0x0009ffff] could not be reserved +[ 0.189048] system 00:00: [mem 0x000c0000-0x000c3fff] could not be reserved +[ 0.189050] system 00:00: [mem 0x000c4000-0x000c7fff] could not be reserved +[ 0.189052] system 00:00: [mem 0x000c8000-0x000cbfff] could not be reserved +[ 0.189054] system 00:00: [mem 0x000cc000-0x000cffff] could not be reserved +[ 0.189056] system 00:00: [mem 0x000d0000-0x000d3fff] has been reserved +[ 0.189058] system 00:00: [mem 0x000d4000-0x000d7fff] has been reserved +[ 0.189060] system 00:00: [mem 0x000d8000-0x000dbfff] has been reserved +[ 0.189061] system 00:00: [mem 0x000dc000-0x000dffff] has been reserved +[ 0.189063] system 00:00: [mem 0x000e0000-0x000e3fff] could not be reserved +[ 0.189065] system 00:00: [mem 0x000e4000-0x000e7fff] could not be reserved +[ 0.189067] system 00:00: [mem 0x000e8000-0x000ebfff] could not be reserved +[ 0.189069] system 00:00: [mem 0x000ec000-0x000effff] could not be reserved +[ 0.189071] system 00:00: [mem 0x000f0000-0x000fffff] could not be reserved +[ 0.189073] system 00:00: [mem 0x00100000-0xdf9fffff] could not be reserved +[ 0.189075] system 00:00: [mem 0xfec00000-0xfed3ffff] could not be reserved +[ 0.189078] system 00:00: [mem 0xfed4c000-0xffffffff] could not be reserved +[ 0.189082] system 00:00: Plug and Play ACPI device, IDs PNP0c01 (active) +[ 0.189216] system 00:01: [io 0x1800-0x189f] could not be reserved +[ 0.189220] system 00:01: [io 0x0800-0x087f] has been reserved +[ 0.189222] system 00:01: [io 0x0880-0x08ff] has been reserved +[ 0.189224] system 00:01: [io 
0x0900-0x097f] has been reserved +[ 0.189226] system 00:01: [io 0x0980-0x09ff] has been reserved +[ 0.189229] system 00:01: [io 0x0a00-0x0a7f] has been reserved +[ 0.189231] system 00:01: [io 0x0a80-0x0aff] has been reserved +[ 0.189233] system 00:01: [io 0x0b00-0x0b7f] has been reserved +[ 0.189235] system 00:01: [io 0x0b80-0x0bff] has been reserved +[ 0.189238] system 00:01: [io 0x15e0-0x15ef] has been reserved +[ 0.189240] system 00:01: [io 0x1600-0x167f] has been reserved +[ 0.189242] system 00:01: [io 0x1640-0x165f] has been reserved +[ 0.189246] system 00:01: [mem 0xf8000000-0xfbffffff] could not be reserved +[ 0.189249] system 00:01: [mem 0x00000000-0x00000fff] could not be reserved +[ 0.189251] system 00:01: [mem 0xfed1c000-0xfed1ffff] has been reserved +[ 0.189254] system 00:01: [mem 0xfed10000-0xfed13fff] has been reserved +[ 0.189256] system 00:01: [mem 0xfed18000-0xfed18fff] has been reserved +[ 0.189258] system 00:01: [mem 0xfed19000-0xfed19fff] has been reserved +[ 0.189261] system 00:01: [mem 0xfed45000-0xfed4bfff] has been reserved +[ 0.189264] system 00:01: Plug and Play ACPI device, IDs PNP0c02 (active) +[....] +[ 0.583653] resource sanity check: requesting [mem 0xfed10000-0xfed15fff], which spans more than pnp 00:01 [mem 0xfed10000-0xfed13fff] +[ 0.583654] ------------[ cut here ]------------ +[ 0.583660] WARNING: CPU: 0 PID: 1 at arch/x86/mm/ioremap.c:198 __ioremap_caller+0x2c5/0x380() +[ 0.583661] Info: mapping multiple BARs. Your kernel is fine. 
+[ 0.583662] Modules linked in: + +[ 0.583666] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.3.3-303.fc23.x86_64 #1 +[ 0.583668] Hardware name: LENOVO 20AR001GXS/20AR001GXS, BIOS GJET86WW (2.36 ) 12/04/2015 +[ 0.583670] 0000000000000000 0000000014cf7e59 ffff880214a1baf8 ffffffff813a625f +[ 0.583673] ffff880214a1bb40 ffff880214a1bb30 ffffffff810a07c2 00000000fed10000 +[ 0.583675] ffffc90000cb8000 0000000000006000 0000000000000000 ffff8800d6381040 +[ 0.583678] Call Trace: +[ 0.583683] [<ffffffff813a625f>] dump_stack+0x44/0x55 +[ 0.583686] [<ffffffff810a07c2>] warn_slowpath_common+0x82/0xc0 +[ 0.583688] [<ffffffff810a085c>] warn_slowpath_fmt+0x5c/0x80 +[ 0.583692] [<ffffffff810a6fba>] ? iomem_map_sanity_check+0xba/0xd0 +[ 0.583695] [<ffffffff81065835>] __ioremap_caller+0x2c5/0x380 +[ 0.583698] [<ffffffff81065907>] ioremap_nocache+0x17/0x20 +[ 0.583701] [<ffffffff8103a119>] snb_uncore_imc_init_box+0x79/0xb0 +[ 0.583705] [<ffffffff81038900>] uncore_pci_probe+0xd0/0x1b0 +[ 0.583707] [<ffffffff813efda5>] local_pci_probe+0x45/0xa0 +[ 0.583710] [<ffffffff813f118d>] pci_device_probe+0xfd/0x140 +[ 0.583713] [<ffffffff814d9b52>] driver_probe_device+0x222/0x480 +[ 0.583715] [<ffffffff814d9e34>] __driver_attach+0x84/0x90 +[ 0.583717] [<ffffffff814d9db0>] ? driver_probe_device+0x480/0x480 +[ 0.583720] [<ffffffff814d762c>] bus_for_each_dev+0x6c/0xc0 +[ 0.583722] [<ffffffff814d930e>] driver_attach+0x1e/0x20 +[ 0.583724] [<ffffffff814d8e4b>] bus_add_driver+0x1eb/0x280 +[ 0.583727] [<ffffffff81d6af1a>] ? uncore_cpu_setup+0x12/0x12 +[ 0.583729] [<ffffffff814da680>] driver_register+0x60/0xe0 +[ 0.583733] [<ffffffff813ef78c>] __pci_register_driver+0x4c/0x50 +[ 0.583736] [<ffffffff81d6affc>] intel_uncore_init+0xe2/0x2e6 +[ 0.583738] [<ffffffff81d6af1a>] ? uncore_cpu_setup+0x12/0x12 +[ 0.583741] [<ffffffff81002123>] do_one_initcall+0xb3/0x200 +[ 0.583745] [<ffffffff810be500>] ? 
parse_args+0x1a0/0x4a0 +[ 0.583749] [<ffffffff81d5c1c8>] kernel_init_freeable+0x189/0x223 +[ 0.583752] [<ffffffff81775c40>] ? rest_init+0x80/0x80 +[ 0.583754] [<ffffffff81775c4e>] kernel_init+0xe/0xe0 +[ 0.583758] [<ffffffff81781adf>] ret_from_fork+0x3f/0x70 +[ 0.583760] [<ffffffff81775c40>] ? rest_init+0x80/0x80 +[ 0.583765] ---[ end trace 077c426a39e018aa ]--- + +00:00.0 Host bridge [0600]: Intel Corporation Haswell-ULT DRAM Controller [8086:0a04] (rev 0b) + Subsystem: Lenovo Device [17aa:220c] + Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- + Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort+ >SERR- <PERR- INTx- + Latency: 0 + Capabilities: <access denied> + Kernel driver in use: hsw_uncore + +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + drivers/pnp/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pnp/quirks.c b/drivers/pnp/quirks.c +index f700723ca5d6..d28e3ab9479c 100644 +--- a/drivers/pnp/quirks.c ++++ b/drivers/pnp/quirks.c +@@ -342,6 +342,7 @@ static void quirk_amd_mmconfig_area(struct pnp_dev *dev) + /* Device IDs of parts that have 32KB MCH space */ + static const unsigned int mch_quirk_devices[] = { + 0x0154, /* Ivy Bridge */ ++ 0x0a04, /* Haswell-ULT */ + 0x0c00, /* Haswell */ + 0x1604, /* Broadwell */ + }; +-- +2.5.0 + diff --git a/freed-ora/current/f22/kernel.spec b/freed-ora/current/f22/kernel.spec index 4d9af2744..d5d595afc 100644 --- a/freed-ora/current/f22/kernel.spec +++ b/freed-ora/current/f22/kernel.spec @@ -90,7 +90,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 3 +%define stable_update 4 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} 
@@ -685,11 +685,6 @@ Patch572: alua_fix.patch #CVE-XXXX-XXXX rhbz 1291329 1291332 Patch574: ovl-fix-permission-checking-for-setattr.patch -#CVE-2015-7550 rhbz 1291197 1291198 -Patch575: KEYS-Fix-race-between-read-and-revoke.patch - -Patch601: vrf-fix-memory-leak-on-registration.patch - #CVE-2015-8709 rhbz 1295287 1295288 Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch @@ -700,6 +695,7 @@ Patch605: KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch #rhbz 1296677 Patch606: HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch +Patch641: HID-multitouch-fix-input-mode-switching-on-some-Elan.patch #rhbz 1281368 Patch607: drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch @@ -735,10 +731,20 @@ Patch630: SCSI-fix-bug-in-scsi_dev_info_list-matching.patch Patch631: btrfs-handle-invalid-num_stripes-in-sys_array.patch Patch632: Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch -Patch633: net_43.mbox +#CVE-2013-4312 rhbz 1297813 1300216 +Patch636: unix-properly-account-for-FDs-passed-over-unix-socke.patch + +#CVE-2016-0723 rhbz 1296253 1300224 +Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch + +#rhbz 1279653 +Patch638: rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch -#CVE-2016-0728 rhbz 1296623 1297475 -Patch634: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch +#CVE-XXXX-XXXX rhbz 1300731 1300732 +Patch639: netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch + +#rhbz 1300955 +Patch640: PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch # END OF PATCH DEFINITIONS @@ -1526,11 +1532,6 @@ ApplyPatch alua_fix.patch #CVE-XXXX-XXXX rhbz 1291329 1291332 ApplyPatch ovl-fix-permission-checking-for-setattr.patch -#CVE-2015-7550 rhbz 1291197 1291198 -ApplyPatch KEYS-Fix-race-between-read-and-revoke.patch - -ApplyPatch vrf-fix-memory-leak-on-registration.patch - #CVE-2015-8709 rhbz 1295287 1295288 ApplyPatch ptrace-being-capable-wrt-a-process-requires-mapped-u.patch 
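Review bot: The hunks at `@@ -685,11 +685,6 @@` and `@@ -735,10 +731,20 @@` drop Patch575 (CVE-2015-7550), Patch601 (vrf leak), Patch633 (net_43.mbox) and Patch634 (CVE-2016-0728) without a comment or changelog line saying why; presumably they are superseded by the 4.3.4 stable update this commit selects, but a reader of the spec cannot tell a CVE fix dropped as upstream from one lost by mistake. The `- Linux v4.3.4` changelog entry could record it, e.g. `- Linux v4.3.4 (drops KEYS CVE-2015-7550/CVE-2016-0728, vrf and net_43.mbox patches, now upstream)`. The same applies to the matching ApplyPatch hunks at `@@ -1526,11 +1532,6 @@` and `@@ -1576,10 +1578,20 @@`. Separately, the new `Patch641:` line is placed between Patch606 and Patch607 without the `#rhbz` comment the surrounding entries carry; the changelog ties it to rhbz 1296677, so a `#rhbz 1296677` line above it would follow the file's convention.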
@@ -1541,6 +1542,7 @@ ApplyPatch KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch #rhbz 1296677 ApplyPatch HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch +ApplyPatch HID-multitouch-fix-input-mode-switching-on-some-Elan.patch #rhbz 1281368 ApplyPatch drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch @@ -1576,10 +1578,20 @@ ApplyPatch SCSI-fix-bug-in-scsi_dev_info_list-matching.patch ApplyPatch btrfs-handle-invalid-num_stripes-in-sys_array.patch ApplyPatch Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch -ApplyPatch net_43.mbox +#CVE-2013-4312 rhbz 1297813 1300216 +ApplyPatch unix-properly-account-for-FDs-passed-over-unix-socke.patch + +#CVE-2016-0723 rhbz 1296253 1300224 +ApplyPatch tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch -#CVE-2016-0728 rhbz 1296623 1297475 -ApplyPatch KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch +#rhbz 1279653 +ApplyPatch rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch + +#CVE-XXXX-XXXX rhbz 1300731 1300732 +ApplyPatch netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch + +#rhbz 1300955 +ApplyPatch PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch # END OF PATCH APPLICATIONS 
@@ -2443,6 +2455,26 @@ fi # # %changelog +* Tue Jan 26 2016 Alexandre Oliva <lxoliva@fsfla.org> -libre +* GNU Linux-libre 4.3.4-gnu. + +* Mon Jan 25 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.4-200 +- Add patch to fix some Elan touchpads (rhbz 1296677) + +* Sat Jan 23 2016 Josh Boyer <jwboyer@fedoraproject.org> +- Linux v4.3.4 + +* Fri Jan 22 2016 Josh Boyer <jwboyer@fedoraproject.org> +- Fix backtrace from PNP conflict on Haswell-ULT (rhbz 1300955) + +* Thu Jan 21 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-XXXX-XXXX missing null ptr check in nf_nat_redirect_ipv4 (rhbz 1300731 1300732) +- Fix incorrect country code issue on RTL8812AE devices (rhbz 1279653) + +* Wed Jan 20 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-0723 memory disclosure and crash in tty layer (rhbz 1296253 1300224) +- CVE-2013-4312 file descr passed over unix sockects not properly accounted (rhbz 1297813 1300216) + * Tue Jan 19 2016 Alexandre Oliva <lxoliva@fsfla.org> -libre * GNU Linux-libre 4.3.3-gnu. diff --git a/freed-ora/current/f22/net_43.mbox b/freed-ora/current/f22/net_43.mbox deleted file mode 100644 index 94e4c71ec..000000000 --- a/freed-ora/current/f22/net_43.mbox +++ /dev/null 
@@ -1,2086 +0,0 @@ -From 14b602561ad208203fb04a8eb3df052ad2c6551a Mon Sep 17 00:00:00 2001 -From: Guillaume Nault <g.nault@alphalink.fr> -Date: Thu, 3 Dec 2015 16:49:32 +0100 -Subject: [PATCH 01/34] pppoe: fix memory corruption in padt work structure - -[ Upstream commit fe53985aaac83d516b38358d4f39921d9942a0e2 ] - -pppoe_connect() mustn't touch the padt_work field of pppoe sockets -because that work could be already pending. - -[ 21.473147] BUG: unable to handle kernel NULL pointer dereference at 00000004 -[ 21.474523] IP: [<c1043177>] process_one_work+0x29/0x31c -[ 21.475164] *pde = 00000000 -[ 21.475513] Oops: 0000 [#1] SMP -[ 21.475910] Modules linked in: pppoe pppox ppp_generic slhc crc32c_intel aesni_intel virtio_net xts aes_i586 lrw gf128mul ablk_helper cryptd evdev acpi_cpufreq processor serio_raw button ext4 crc16 mbcache jbd2 virtio_blk virtio_pci virtio_ring virtio -[ 21.476168] CPU: 2 PID: 164 Comm: kworker/2:2 Not tainted 4.4.0-rc1 #1 -[ 21.476168] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014 -[ 21.476168] task: f5f83c00 ti: f5e28000 task.ti: f5e28000 -[ 21.476168] EIP: 0060:[<c1043177>] EFLAGS: 00010046 CPU: 2 -[ 21.476168] EIP is at process_one_work+0x29/0x31c -[ 21.484082] EAX: 00000000 EBX: f678b2a0 ECX: 00000004 EDX: 00000000 -[ 21.484082] ESI: f6c69940 EDI: f5e29ef0 EBP: f5e29f0c ESP: f5e29edc -[ 21.484082] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 -[ 21.484082] CR0: 80050033 CR2: 000000a4 CR3: 317ad000 CR4: 00040690 -[ 21.484082] Stack: -[ 21.484082] 00000000 f6c69950 00000000 f6c69940 c0042338 f5e29f0c c1327945 00000000 -[ 21.484082] 00000008 f678b2a0 f6c69940 f678b2b8 f5e29f30 c1043984 f5f83c00 f6c69970 -[ 21.484082] f678b2a0 c10437d3 f6775e80 f678b2a0 c10437d3 f5e29fac c1047059 f5e29f74 -[ 21.484082] Call Trace: -[ 21.484082] [<c1327945>] ? _raw_spin_lock_irq+0x28/0x30 -[ 21.484082] [<c1043984>] worker_thread+0x1b1/0x244 -[ 21.484082] [<c10437d3>] ? 
rescuer_thread+0x229/0x229 -[ 21.484082] [<c10437d3>] ? rescuer_thread+0x229/0x229 -[ 21.484082] [<c1047059>] kthread+0x8f/0x94 -[ 21.484082] [<c1327a32>] ? _raw_spin_unlock_irq+0x22/0x26 -[ 21.484082] [<c1327ee9>] ret_from_kernel_thread+0x21/0x38 -[ 21.484082] [<c1046fca>] ? kthread_parkme+0x19/0x19 -[ 21.496082] Code: 5d c3 55 89 e5 57 56 53 89 c3 83 ec 24 89 d0 89 55 e0 8d 7d e4 e8 6c d8 ff ff b9 04 00 00 00 89 45 d8 8b 43 24 89 45 dc 8b 45 d8 <8b> 40 04 8b 80 e0 00 00 00 c1 e8 05 24 01 88 45 d7 8b 45 e0 8d -[ 21.496082] EIP: [<c1043177>] process_one_work+0x29/0x31c SS:ESP 0068:f5e29edc -[ 21.496082] CR2: 0000000000000004 -[ 21.496082] ---[ end trace e362cc9cf10dae89 ]--- - -Reported-by: Andrew <nitr0@seti.kr.ua> -Fixes: 287f3a943fef ("pppoe: Use workqueue to die properly when a PADT is received") -Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - drivers/net/ppp/pppoe.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c -index 5e0b432..0a37f84 100644 ---- a/drivers/net/ppp/pppoe.c -+++ b/drivers/net/ppp/pppoe.c -@@ -568,6 +568,9 @@ static int pppoe_create(struct net *net, struct socket *sock, int kern) - sk->sk_family = PF_PPPOX; - sk->sk_protocol = PX_PROTO_OE; - -+ INIT_WORK(&pppox_sk(sk)->proto.pppoe.padt_work, -+ pppoe_unbind_sock_work); -+ - return 0; - } - -@@ -632,8 +635,6 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr, - - lock_sock(sk); - -- INIT_WORK(&po->proto.pppoe.padt_work, pppoe_unbind_sock_work); -- - error = -EINVAL; - if (sp->sa_protocol != PX_PROTO_OE) - goto end; -@@ -663,8 +664,13 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr, - po->pppoe_dev = NULL; - } - -- memset(sk_pppox(po) + 1, 0, -- sizeof(struct pppox_sock) - sizeof(struct sock)); -+ po->pppoe_ifindex = 0; -+ memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa)); -+ 
memset(&po->pppoe_relay, 0, sizeof(po->pppoe_relay)); -+ memset(&po->chan, 0, sizeof(po->chan)); -+ po->next = NULL; -+ po->num = 0; -+ - sk->sk_state = PPPOX_NONE; - } - --- -2.4.1 - - -From 2d5925b5a6011084d1fac6b8d8625ddbcb7d95a6 Mon Sep 17 00:00:00 2001 -From: Nicolas Dichtel <nicolas.dichtel@6wind.com> -Date: Thu, 3 Dec 2015 17:21:50 +0100 -Subject: [PATCH 02/34] gre6: allow to update all parameters via rtnl - -[ Upstream commit 6a61d4dbf4f54b5683e0f1e58d873cecca7cb977 ] - -Parameters were updated only if the kernel was unable to find the tunnel -with the new parameters, ie only if core pamareters were updated (keys, -addr, link, type). -Now it's possible to update ttl, hoplimit, flowinfo and flags. - -Fixes: c12b395a4664 ("gre: Support GRE over IPv6") -Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/ipv6/ip6_gre.c | 8 +++----- - 1 file changed, 3 insertions(+), 5 deletions(-) - -diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c -index 3c7b931..e5ea177 100644 ---- a/net/ipv6/ip6_gre.c -+++ b/net/ipv6/ip6_gre.c -@@ -1571,13 +1571,11 @@ static int ip6gre_changelink(struct net_device *dev, struct nlattr *tb[], - return -EEXIST; - } else { - t = nt; -- -- ip6gre_tunnel_unlink(ign, t); -- ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]); -- ip6gre_tunnel_link(ign, t); -- netdev_state_change(dev); - } - -+ ip6gre_tunnel_unlink(ign, t); -+ ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]); -+ ip6gre_tunnel_link(ign, t); - return 0; - } - --- -2.4.1 - - -From 3960bc911e092832dac3f9a42b435d2ec566e412 Mon Sep 17 00:00:00 2001 -From: Pavel Machek <pavel@ucw.cz> -Date: Fri, 4 Dec 2015 09:50:00 +0100 -Subject: [PATCH 03/34] atl1c: Improve driver not to do order 4 GFP_ATOMIC - allocation - -[ Upstream commit f2a3771ae8aca879c32336c76ad05a017629bae2 ] - -atl1c driver is doing order-4 allocation with GFP_ATOMIC -priority. That often breaks networking after resume. Switch to -GFP_KERNEL. 
Still not ideal, but should be significantly better. - -atl1c_setup_ring_resources() is called from .open() function, and -already uses GFP_KERNEL, so this change is safe. - -Signed-off-by: Pavel Machek <pavel@ucw.cz> -Acked-by: Michal Hocko <mhocko@suse.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c -index 2795d6d..8b5988e 100644 ---- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c -+++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c -@@ -1016,13 +1016,12 @@ static int atl1c_setup_ring_resources(struct atl1c_adapter *adapter) - sizeof(struct atl1c_recv_ret_status) * rx_desc_count + - 8 * 4; - -- ring_header->desc = pci_alloc_consistent(pdev, ring_header->size, -- &ring_header->dma); -+ ring_header->desc = dma_zalloc_coherent(&pdev->dev, ring_header->size, -+ &ring_header->dma, GFP_KERNEL); - if (unlikely(!ring_header->desc)) { -- dev_err(&pdev->dev, "pci_alloc_consistend failed\n"); -+ dev_err(&pdev->dev, "could not get memory for DMA buffer\n"); - goto err_nomem; - } -- memset(ring_header->desc, 0, ring_header->size); - /* init TPD ring */ - - tpd_ring[0].dma = roundup(ring_header->dma, 8); --- -2.4.1 - - -From cf2265157f68424a83d74a70962781c0470d3e83 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no> -Date: Fri, 4 Dec 2015 14:15:08 +0100 -Subject: [PATCH 04/34] ipv6: keep existing flags when setting IFA_F_OPTIMISTIC -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Upstream commit 9a1ec4612c9bfc94d4185e3459055a37a685e575 ] - -Commit 64236f3f3d74 ("ipv6: introduce IFA_F_STABLE_PRIVACY flag") -failed to update the setting of the IFA_F_OPTIMISTIC flag, causing -the IFA_F_STABLE_PRIVACY flag to be lost if IFA_F_OPTIMISTIC is set. 
- -Cc: Erik Kline <ek@google.com> -Cc: Fernando Gont <fgont@si6networks.com> -Cc: Lorenzo Colitti <lorenzo@google.com> -Cc: YOSHIFUJI Hideaki/吉藤英明 <hideaki.yoshifuji@miraclelinux.com> -Cc: Hannes Frederic Sowa <hannes@stressinduktion.org> -Fixes: 64236f3f3d74 ("ipv6: introduce IFA_F_STABLE_PRIVACY flag") -Signed-off-by: Bjørn Mork <bjorn@mork.no> -Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/ipv6/addrconf.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index 3939dd2..ff873c8 100644 ---- a/net/ipv6/addrconf.c -+++ b/net/ipv6/addrconf.c -@@ -2453,7 +2453,7 @@ ok: - #ifdef CONFIG_IPV6_OPTIMISTIC_DAD - if (in6_dev->cnf.optimistic_dad && - !net->ipv6.devconf_all->forwarding && sllao) -- addr_flags = IFA_F_OPTIMISTIC; -+ addr_flags |= IFA_F_OPTIMISTIC; - #endif - - /* Do not allow to create too much of autoconfigured --- -2.4.1 - - -From e37caf36e65b943cb28ce6ce2d7bfb3c406ec277 Mon Sep 17 00:00:00 2001 -From: Jiri Benc <jbenc@redhat.com> -Date: Fri, 4 Dec 2015 13:54:03 +0100 -Subject: [PATCH 05/34] vxlan: fix incorrect RCO bit in VXLAN header - -[ Upstream commit c5fb8caaf91ea6a92920cf24db10cfc94d58de0f ] - -Commit 3511494ce2f3d ("vxlan: Group Policy extension") changed definition of -VXLAN_HF_RCO from 0x00200000 to BIT(24). This is obviously incorrect. It's -also in violation with the RFC draft. - -Fixes: 3511494ce2f3d ("vxlan: Group Policy extension") -Cc: Thomas Graf <tgraf@suug.ch> -Cc: Tom Herbert <therbert@google.com> -Signed-off-by: Jiri Benc <jbenc@redhat.com> -Acked-by: Tom Herbert <tom@herbertland.com> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - include/net/vxlan.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/net/vxlan.h b/include/net/vxlan.h -index 480a319..f4a4972 100644 ---- a/include/net/vxlan.h -+++ b/include/net/vxlan.h -@@ -79,7 +79,7 @@ struct vxlanhdr { - }; - - /* VXLAN header flags. */ --#define VXLAN_HF_RCO BIT(24) -+#define VXLAN_HF_RCO BIT(21) - #define VXLAN_HF_VNI BIT(27) - #define VXLAN_HF_GBP BIT(31) - --- -2.4.1 - - -From f7804be938a80839063eae490106d196281c763b Mon Sep 17 00:00:00 2001 -From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> -Date: Fri, 4 Dec 2015 15:14:03 -0200 -Subject: [PATCH 06/34] sctp: use the same clock as if sock source timestamps - were on - -[ Upstream commit cb5e173ed7c03a0d4630ce68a95a186cce3cc872 ] - -SCTP echoes a cookie o INIT ACK chunks that contains a timestamp, for -detecting stale cookies. This cookie is echoed back to the server by the -client and then that timestamp is checked. - -Thing is, if the listening socket is using packet timestamping, the -cookie is encoded with ktime_get() value and checked against -ktime_get_real(), as done by __net_timestamp(). - -The fix is to sctp also use ktime_get_real(), so we can compare bananas -with bananas later no matter if packet timestamping was enabled or not. - -Fixes: 52db882f3fc2 ("net: sctp: migrate cookie life from timeval to ktime") -Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> -Acked-by: Vlad Yasevich <vyasevich@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/sctp/sm_make_chunk.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c -index 7954c52..8d67d72 100644 ---- a/net/sctp/sm_make_chunk.c -+++ b/net/sctp/sm_make_chunk.c -@@ -1652,7 +1652,7 @@ static sctp_cookie_param_t *sctp_pack_cookie(const struct sctp_endpoint *ep, - - /* Set an expiration time for the cookie. 
*/ - cookie->c.expiration = ktime_add(asoc->cookie_life, -- ktime_get()); -+ ktime_get_real()); - - /* Copy the peer's init packet. */ - memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr, -@@ -1780,7 +1780,7 @@ no_hmac: - if (sock_flag(ep->base.sk, SOCK_TIMESTAMP)) - kt = skb_get_ktime(skb); - else -- kt = ktime_get(); -+ kt = ktime_get_real(); - - if (!asoc && ktime_before(bear_cookie->expiration, kt)) { - /* --- -2.4.1 - - -From 46ad18aad09a087729289c5e5f57c86d1aab8d56 Mon Sep 17 00:00:00 2001 -From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> -Date: Fri, 4 Dec 2015 15:14:04 -0200 -Subject: [PATCH 07/34] sctp: update the netstamp_needed counter when copying - sockets - -[ Upstream commit 01ce63c90170283a9855d1db4fe81934dddce648 ] - -Dmitry Vyukov reported that SCTP was triggering a WARN on socket destroy -related to disabling sock timestamp. - -When SCTP accepts an association or peel one off, it copies sock flags -but forgot to call net_enable_timestamp() if a packet timestamping flag -was copied, leading to extra calls to net_disable_timestamp() whenever -such clones were closed. - -The fix is to call net_enable_timestamp() whenever we copy a sock with -that flag on, like tcp does. - -Reported-by: Dmitry Vyukov <dvyukov@google.com> -Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> -Acked-by: Vlad Yasevich <vyasevich@gmail.com> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - include/net/sock.h | 2 ++ - net/core/sock.c | 2 -- - net/sctp/socket.c | 3 +++ - 3 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/include/net/sock.h b/include/net/sock.h -index e237170..492855d 100644 ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -724,6 +724,8 @@ enum sock_flags { - SOCK_SELECT_ERR_QUEUE, /* Wake select on error queue */ - }; - -+#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)) -+ - static inline void sock_copy_flags(struct sock *nsk, struct sock *osk) - { - nsk->sk_flags = osk->sk_flags; -diff --git a/net/core/sock.c b/net/core/sock.c -index 3307c02..d7a7fc5 100644 ---- a/net/core/sock.c -+++ b/net/core/sock.c -@@ -422,8 +422,6 @@ static void sock_warn_obsolete_bsdism(const char *name) - } - } - --#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)) -- - static void sock_disable_timestamp(struct sock *sk, unsigned long flags) - { - if (sk->sk_flags & flags) { -diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index 3ec88be..f19a67c 100644 ---- a/net/sctp/socket.c -+++ b/net/sctp/socket.c -@@ -7195,6 +7195,9 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, - newinet->mc_ttl = 1; - newinet->mc_index = 0; - newinet->mc_list = NULL; -+ -+ if (newsk->sk_flags & SK_FLAGS_TIMESTAMP) -+ net_enable_timestamp(); - } - - static inline void sctp_copy_descendant(struct sock *sk_to, --- -2.4.1 - - -From 0081745cc115ec4147644b9ed464efc1bff5846e Mon Sep 17 00:00:00 2001 -From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> -Date: Fri, 4 Dec 2015 15:14:05 -0200 -Subject: [PATCH 08/34] sctp: also copy sk_tsflags when copying the socket - -[ Upstream commit 50a5ffb1ef535e3c6989711c51b5d61b543a3b45 ] - -As we are keeping timestamps on when copying the socket, we also have to -copy sk_tsflags. - -This is needed since b9f40e21ef42 ("net-timestamp: move timestamp flags -out of sk_flags"). 
- -Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> -Acked-by: Vlad Yasevich <vyasevich@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/sctp/socket.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index f19a67c..84b1b50 100644 ---- a/net/sctp/socket.c -+++ b/net/sctp/socket.c -@@ -7163,6 +7163,7 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, - newsk->sk_type = sk->sk_type; - newsk->sk_bound_dev_if = sk->sk_bound_dev_if; - newsk->sk_flags = sk->sk_flags; -+ newsk->sk_tsflags = sk->sk_tsflags; - newsk->sk_no_check_tx = sk->sk_no_check_tx; - newsk->sk_no_check_rx = sk->sk_no_check_rx; - newsk->sk_reuse = sk->sk_reuse; --- -2.4.1 - - -From f1cf5767d87c24f3e9c7a780651230cc34485c39 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no> -Date: Sat, 5 Dec 2015 13:01:50 +0100 -Subject: [PATCH 09/34] net: cdc_mbim: add "NDP to end" quirk for Huawei E3372 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Upstream commit f8c0cfa5eca902d388c0b57c7ca29a1ff2e6d8c6 ] - -The Huawei E3372 (12d1:157d) needs this quirk in MBIM mode -as well. Allow this by forcing the NTB to contain only a -single NDP, and add a device specific entry for this ID. - -Due to the way Huawei use device IDs, this might be applied -to other modems as well. It is assumed that those modems -will be based on the same firmware and will need this quirk -too. If not, it will still not harm normal usage, although -multiplexing performance could be impacted. - -Cc: Enrico Mioso <mrkiko.rs@gmail.com> -Reported-by: Sami Farin <hvtaifwkbgefbaei@gmail.com> -Signed-off-by: Bjørn Mork <bjorn@mork.no> -Acked-By: Enrico Mioso <mrkiko.rs@gmail.com> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - drivers/net/usb/cdc_mbim.c | 26 +++++++++++++++++++++++++- - drivers/net/usb/cdc_ncm.c | 10 +++++++++- - 2 files changed, 34 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c -index efc18e0..b6ea6ff 100644 ---- a/drivers/net/usb/cdc_mbim.c -+++ b/drivers/net/usb/cdc_mbim.c -@@ -158,7 +158,7 @@ static int cdc_mbim_bind(struct usbnet *dev, struct usb_interface *intf) - if (!cdc_ncm_comm_intf_is_mbim(intf->cur_altsetting)) - goto err; - -- ret = cdc_ncm_bind_common(dev, intf, data_altsetting, 0); -+ ret = cdc_ncm_bind_common(dev, intf, data_altsetting, dev->driver_info->data); - if (ret) - goto err; - -@@ -582,6 +582,26 @@ static const struct driver_info cdc_mbim_info_zlp = { - .tx_fixup = cdc_mbim_tx_fixup, - }; - -+/* The spefication explicitly allows NDPs to be placed anywhere in the -+ * frame, but some devices fail unless the NDP is placed after the IP -+ * packets. Using the CDC_NCM_FLAG_NDP_TO_END flags to force this -+ * behaviour. -+ * -+ * Note: The current implementation of this feature restricts each NTB -+ * to a single NDP, implying that multiplexed sessions cannot share an -+ * NTB. This might affect performace for multiplexed sessions. -+ */ -+static const struct driver_info cdc_mbim_info_ndp_to_end = { -+ .description = "CDC MBIM", -+ .flags = FLAG_NO_SETINT | FLAG_MULTI_PACKET | FLAG_WWAN, -+ .bind = cdc_mbim_bind, -+ .unbind = cdc_mbim_unbind, -+ .manage_power = cdc_mbim_manage_power, -+ .rx_fixup = cdc_mbim_rx_fixup, -+ .tx_fixup = cdc_mbim_tx_fixup, -+ .data = CDC_NCM_FLAG_NDP_TO_END, -+}; -+ - static const struct usb_device_id mbim_devs[] = { - /* This duplicate NCM entry is intentional. 
MBIM devices can - * be disguised as NCM by default, and this is necessary to -@@ -597,6 +617,10 @@ static const struct usb_device_id mbim_devs[] = { - { USB_VENDOR_AND_INTERFACE_INFO(0x0bdb, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), - .driver_info = (unsigned long)&cdc_mbim_info, - }, -+ /* Huawei E3372 fails unless NDP comes after the IP packets */ -+ { USB_DEVICE_AND_INTERFACE_INFO(0x12d1, 0x157d, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), -+ .driver_info = (unsigned long)&cdc_mbim_info_ndp_to_end, -+ }, - /* default entry */ - { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), - .driver_info = (unsigned long)&cdc_mbim_info_zlp, -diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c -index db40175..fa41a6d 100644 ---- a/drivers/net/usb/cdc_ncm.c -+++ b/drivers/net/usb/cdc_ncm.c -@@ -1006,10 +1006,18 @@ static struct usb_cdc_ncm_ndp16 *cdc_ncm_ndp(struct cdc_ncm_ctx *ctx, struct sk_ - * NTH16 header as we would normally do. NDP isn't written to the SKB yet, and - * the wNdpIndex field in the header is actually not consistent with reality. It will be later. - */ -- if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) -+ if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) { - if (ctx->delayed_ndp16->dwSignature == sign) - return ctx->delayed_ndp16; - -+ /* We can only push a single NDP to the end. Return -+ * NULL to send what we've already got and queue this -+ * skb for later. 
-+ */ -+ else if (ctx->delayed_ndp16->dwSignature) -+ return NULL; -+ } -+ - /* follow the chain of NDPs, looking for a match */ - while (ndpoffset) { - ndp16 = (struct usb_cdc_ncm_ndp16 *)(skb->data + ndpoffset); --- -2.4.1 - - -From 9ae2d6c090172e8f1782af19b10679f15bd42350 Mon Sep 17 00:00:00 2001 -From: Stefan Wahren <stefan.wahren@i2se.com> -Date: Fri, 4 Dec 2015 16:29:10 +0100 -Subject: [PATCH 10/34] net: qca_spi: fix transmit queue timeout handling - -[ Upstream commit ed7d42e24effbd3681e909711a7a2119a85e9217 ] - -In case of a tx queue timeout every transmit is blocked until the -QCA7000 resets himself and triggers a sync which makes the driver -flushs the tx ring. So avoid this blocking situation by triggering -the sync immediately after the timeout. Waking the queue doesn't -make sense in this situation. - -Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com> -Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - drivers/net/ethernet/qualcomm/qca_spi.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c -index 2f87909..60ccc29 100644 ---- a/drivers/net/ethernet/qualcomm/qca_spi.c -+++ b/drivers/net/ethernet/qualcomm/qca_spi.c -@@ -736,9 +736,8 @@ qcaspi_netdev_tx_timeout(struct net_device *dev) - netdev_info(qca->net_dev, "Transmit timeout at %ld, latency %ld\n", - jiffies, jiffies - dev->trans_start); - qca->net_dev->stats.tx_errors++; -- /* wake the queue if there is room */ -- if (qcaspi_tx_ring_has_space(&qca->txr)) -- netif_wake_queue(dev); -+ /* Trigger tx queue flush and QCA7000 reset */ -+ qca->sync = QCASPI_SYNC_UNKNOWN; - } - - static int --- -2.4.1 - - -From 43979766bb4c6f2e2c549793e0e659b22fb3c6de Mon Sep 17 00:00:00 2001 -From: Peter Wu <peter@lekensteyn.nl> -Date: Tue, 8 Dec 2015 12:17:42 +0100 -Subject: [PATCH 11/34] r8152: fix lockup when runtime PM 
is enabled - -[ Upstream commit 90186af404ada5a47b875bf3c16d0b02bb023ea0 ] - -When an interface is brought up which was previously suspended (via -runtime PM), it would hang. This happens because napi_disable is called -before napi_enable. - -Solve this by avoiding napi_enable in the resume during open function -(netif_running is true when open is called, IFF_UP is set after a -successful open; netif_running is false when close is called, but IFF_UP -is then still set). - -While at it, remove WORK_ENABLE check from rtl8152_open (introduced with -the original change) because it cannot happen: - - - After this patch, runtime resume will not set it during rtl8152_open. - - When link is up, rtl8152_open is not called. - - When link is down during system/auto suspend/resume, it is not set. - -Fixes: 41cec84cf285 ("r8152: don't enable napi before rx ready") -Link: https://lkml.kernel.org/r/20151205105912.GA1766@al -Signed-off-by: Peter Wu <peter@lekensteyn.nl> -Acked-by: Hayes Wang <hayeswang@realtek.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - drivers/net/usb/r8152.c | 21 +++------------------ - 1 file changed, 3 insertions(+), 18 deletions(-) - -diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c -index d9427ca..2e32c41 100644 ---- a/drivers/net/usb/r8152.c -+++ b/drivers/net/usb/r8152.c -@@ -3067,17 +3067,6 @@ static int rtl8152_open(struct net_device *netdev) - - mutex_lock(&tp->control); - -- /* The WORK_ENABLE may be set when autoresume occurs */ -- if (test_bit(WORK_ENABLE, &tp->flags)) { -- clear_bit(WORK_ENABLE, &tp->flags); -- usb_kill_urb(tp->intr_urb); -- cancel_delayed_work_sync(&tp->schedule); -- -- /* disable the tx/rx, if the workqueue has enabled them. 
*/ -- if (netif_carrier_ok(netdev)) -- tp->rtl_ops.disable(tp); -- } -- - tp->rtl_ops.up(tp); - - rtl8152_set_speed(tp, AUTONEG_ENABLE, -@@ -3124,12 +3113,6 @@ static int rtl8152_close(struct net_device *netdev) - } else { - mutex_lock(&tp->control); - -- /* The autosuspend may have been enabled and wouldn't -- * be disable when autoresume occurs, because the -- * netif_running() would be false. -- */ -- rtl_runtime_suspend_enable(tp, false); -- - tp->rtl_ops.down(tp); - - mutex_unlock(&tp->control); -@@ -3512,7 +3495,7 @@ static int rtl8152_resume(struct usb_interface *intf) - netif_device_attach(tp->netdev); - } - -- if (netif_running(tp->netdev)) { -+ if (netif_running(tp->netdev) && tp->netdev->flags & IFF_UP) { - if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) { - rtl_runtime_suspend_enable(tp, false); - clear_bit(SELECTIVE_SUSPEND, &tp->flags); -@@ -3532,6 +3515,8 @@ static int rtl8152_resume(struct usb_interface *intf) - } - usb_submit_urb(tp->intr_urb, GFP_KERNEL); - } else if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) { -+ if (tp->netdev->flags & IFF_UP) -+ rtl_runtime_suspend_enable(tp, false); - clear_bit(SELECTIVE_SUSPEND, &tp->flags); - } - --- -2.4.1 - - -From bc386e51daba6547cb14ac06baf1f56c9274abde Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Wed, 9 Dec 2015 07:25:06 -0800 -Subject: [PATCH 12/34] ipv6: sctp: clone options to avoid use after free - -[ Upstream commit 9470e24f35ab81574da54e69df90c1eb4a96b43f ] - -SCTP is lacking proper np->opt cloning at accept() time. - -TCP and DCCP use ipv6_dup_options() helper, do the same -in SCTP. - -We might later factorize this code in a common helper to avoid -future mistakes. - -Reported-by: Dmitry Vyukov <dvyukov@google.com> -Signed-off-by: Eric Dumazet <edumazet@google.com> -Acked-by: Vlad Yasevich <vyasevich@gmail.com> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - net/sctp/ipv6.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c -index e917d27..40677cf 100644 ---- a/net/sctp/ipv6.c -+++ b/net/sctp/ipv6.c -@@ -635,6 +635,7 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk, - struct sock *newsk; - struct ipv6_pinfo *newnp, *np = inet6_sk(sk); - struct sctp6_sock *newsctp6sk; -+ struct ipv6_txoptions *opt; - - newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot, 0); - if (!newsk) -@@ -654,6 +655,13 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk, - - memcpy(newnp, np, sizeof(struct ipv6_pinfo)); - -+ rcu_read_lock(); -+ opt = rcu_dereference(np->opt); -+ if (opt) -+ opt = ipv6_dup_options(newsk, opt); -+ RCU_INIT_POINTER(newnp->opt, opt); -+ rcu_read_unlock(); -+ - /* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname() - * and getpeername(). - */ --- -2.4.1 - - -From 15287a6a3cbca306a66640e371b2684e50a22565 Mon Sep 17 00:00:00 2001 -From: Andrew Lunn <andrew@lunn.ch> -Date: Wed, 9 Dec 2015 19:56:31 +0100 -Subject: [PATCH 13/34] phy: micrel: Fix finding PHY properties in MAC node. - -[ Upstream commit 651df2183543bc92f5dbcf99cd9e236ead0bc4c5 ] - -commit 8b63ec1837fa ("phylib: Make PHYs children of their MDIO bus, -not the bus' parent.") changed the parenting of PHY devices, making -them a child of the MDIO bus, instead of the MAC device. This broken -the Micrel PHY driver which has a deprecated feature of allowing PHY -properties to be placed into the MAC node. - -In order to find the MAC node, we need to walk up the tree of devices -until we find one with an OF node attached. 
- -Reported-by: Dinh Nguyen <dinguyen@opensource.altera.com> -Suggested-by: David Daney <david.daney@cavium.com> -Acked-by: David Daney <david.daney@cavium.com> -Fixes: 8b63ec1837fa ("phylib: Make PHYs children of their MDIO bus, not the bus' parent.") -Signed-off-by: Andrew Lunn <andrew@lunn.ch> -Tested-by: Dinh Nguyen <dinguyen@opensource.altera.com> -Acked-by: Florian Fainelli <f.fainelli@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - drivers/net/phy/micrel.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c -index cf6312f..e13ad6c 100644 ---- a/drivers/net/phy/micrel.c -+++ b/drivers/net/phy/micrel.c -@@ -339,9 +339,18 @@ static int ksz9021_config_init(struct phy_device *phydev) - { - const struct device *dev = &phydev->dev; - const struct device_node *of_node = dev->of_node; -+ const struct device *dev_walker; - -- if (!of_node && dev->parent->of_node) -- of_node = dev->parent->of_node; -+ /* The Micrel driver has a deprecated option to place phy OF -+ * properties in the MAC node. Walk up the tree of devices to -+ * find a device with an OF node. -+ */ -+ dev_walker = &phydev->dev; -+ do { -+ of_node = dev_walker->of_node; -+ dev_walker = dev_walker->parent; -+ -+ } while (!of_node && dev_walker); - - if (of_node) { - ksz9021_load_values_from_of(phydev, of_node, --- -2.4.1 - - -From 73e71dcb1df404661314ec7cb9aa27d209407d70 Mon Sep 17 00:00:00 2001 -From: Joe Stringer <joe@ovn.org> -Date: Wed, 9 Dec 2015 14:07:39 -0800 -Subject: [PATCH 14/34] openvswitch: Fix helper reference leak - -[ Upstream commit 2f3ab9f9fc23811188b9d07d86e4d99ffee887f4 ] - -If the actions (re)allocation fails, or the actions list is larger than the -maximum size, and the conntrack action is the last action when these -problems are hit, then references to helper modules may be leaked. Fix -the issue. 
- -Fixes: cae3a2627520 ("openvswitch: Allow attaching helpers to ct action") -Signed-off-by: Joe Stringer <joe@ovn.org> -Acked-by: Pravin B Shelar <pshelar@nicira.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/openvswitch/conntrack.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c -index 5009582..a808b0f 100644 ---- a/net/openvswitch/conntrack.c -+++ b/net/openvswitch/conntrack.c -@@ -53,6 +53,8 @@ struct ovs_conntrack_info { - struct md_labels labels; - }; - -+static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info); -+ - static u16 key_to_nfproto(const struct sw_flow_key *key) - { - switch (ntohs(key->eth.type)) { -@@ -708,7 +710,7 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr, - nf_conntrack_get(&ct_info.ct->ct_general); - return 0; - err_free_ct: -- nf_conntrack_free(ct_info.ct); -+ __ovs_ct_free_action(&ct_info); - return err; - } - -@@ -750,6 +752,11 @@ void ovs_ct_free_action(const struct nlattr *a) - { - struct ovs_conntrack_info *ct_info = nla_data(a); - -+ __ovs_ct_free_action(ct_info); -+} -+ -+static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) -+{ - if (ct_info->helper) - module_put(ct_info->helper->me); - if (ct_info->ct) --- -2.4.1 - - -From 7539fb022a74bb9b69fe5ad9125b899b83001a6d Mon Sep 17 00:00:00 2001 -From: Joe Stringer <joe@ovn.org> -Date: Wed, 9 Dec 2015 14:07:40 -0800 -Subject: [PATCH 15/34] openvswitch: Respect conntrack zone even if invalid - -[ Upstream commit d110986c5ddb1caf576e8576044c0c831e3e7fa4 ] - -If userspace executes ct(zone=1), and the connection tracker determines -that the packet is invalid, then the ct_zone flow key field is populated -with the default zone rather than the zone that was specified. Even -though connection tracking failed, this field should be updated with the -value that the action specified. Fix the issue. 
- -Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action") -Signed-off-by: Joe Stringer <joe@ovn.org> -Acked-by: Pravin B Shelar <pshelar@nicira.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/openvswitch/conntrack.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c -index a808b0f..cad8c4b 100644 ---- a/net/openvswitch/conntrack.c -+++ b/net/openvswitch/conntrack.c -@@ -143,6 +143,7 @@ static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state, - * previously sent the packet to conntrack via the ct action. - */ - static void ovs_ct_update_key(const struct sk_buff *skb, -+ const struct ovs_conntrack_info *info, - struct sw_flow_key *key, bool post_ct) - { - const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt; -@@ -160,13 +161,15 @@ static void ovs_ct_update_key(const struct sk_buff *skb, - zone = nf_ct_zone(ct); - } else if (post_ct) { - state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID; -+ if (info) -+ zone = &info->zone; - } - __ovs_ct_update_key(key, state, zone, ct); - } - - void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key) - { -- ovs_ct_update_key(skb, key, false); -+ ovs_ct_update_key(skb, NULL, key, false); - } - - int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb) -@@ -420,7 +423,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, - } - } - -- ovs_ct_update_key(skb, key, true); -+ ovs_ct_update_key(skb, info, key, true); - - return 0; - } --- -2.4.1 - - -From 9226d3bc36e0da4f99f5fe9138f46e34b631fda8 Mon Sep 17 00:00:00 2001 -From: stephen hemminger <stephen@networkplumber.org> -Date: Thu, 10 Dec 2015 09:14:20 -0800 -Subject: [PATCH 16/34] uapi: export ila.h - -[ Upstream commit f7fc6bc414121954c45c5f18b70e2a8717d0d5b4 ] - -The file ila.h used for lightweight tunnels is being used by iproute2 -but is not exported yet. 
- -Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - include/uapi/linux/Kbuild | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/include/uapi/linux/Kbuild b/include/uapi/linux/Kbuild -index f7b2db4..7fc5733 100644 ---- a/include/uapi/linux/Kbuild -+++ b/include/uapi/linux/Kbuild -@@ -186,6 +186,7 @@ header-y += if_tunnel.h - header-y += if_vlan.h - header-y += if_x25.h - header-y += igmp.h -+header-y += ila.h - header-y += in6.h - header-y += inet_diag.h - header-y += in.h --- -2.4.1 - - -From 204ce70323cdcff523324a2dd02f3a4fa2c01754 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa <hannes@stressinduktion.org> -Date: Mon, 14 Dec 2015 22:03:39 +0100 -Subject: [PATCH 17/34] net: add validation for the socket syscall protocol - argument -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ] - -郭永刚 reported that one could simply crash the kernel as root by -using a simple program: - - int socket_fd; - struct sockaddr_in addr; - addr.sin_port = 0; - addr.sin_addr.s_addr = INADDR_ANY; - addr.sin_family = 10; - - socket_fd = socket(10,3,0x40000000); - connect(socket_fd , &addr,16); - -AF_INET, AF_INET6 sockets actually only support 8-bit protocol -identifiers. inet_sock's skc_protocol field thus is sized accordingly, -thus larger protocol identifiers simply cut off the higher bits and -store a zero in the protocol fields. - -This could lead to e.g. NULL function pointer because as a result of -the cut off inet_num is zero and we call down to inet_autobind, which -is NULL for raw sockets. - -kernel: Call Trace: -kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70 -kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80 -kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110 -kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80 -kernel: [<ffffffff810236d8>] ? 
syscall_trace_enter_phase2+0x108/0x200 -kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10 -kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89 - -I found no particular commit which introduced this problem. - -CVE: CVE-2015-8543 -Cc: Cong Wang <cwang@twopensource.com> -Reported-by: 郭永刚 <guoyonggang@360.cn> -Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - include/net/sock.h | 1 + - net/ax25/af_ax25.c | 3 +++ - net/decnet/af_decnet.c | 3 +++ - net/ipv4/af_inet.c | 3 +++ - net/ipv6/af_inet6.c | 3 +++ - net/irda/af_irda.c | 3 +++ - 6 files changed, 16 insertions(+) - -diff --git a/include/net/sock.h b/include/net/sock.h -index 492855d..7ae032e 100644 ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -387,6 +387,7 @@ struct sock { - sk_no_check_rx : 1, - sk_userlocks : 4, - sk_protocol : 8, -+#define SK_PROTOCOL_MAX U8_MAX - sk_type : 16; - kmemcheck_bitfield_end(flags); - int sk_wmem_queued; -diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c -index ae3a47f..fbd0acf 100644 ---- a/net/ax25/af_ax25.c -+++ b/net/ax25/af_ax25.c -@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol, - struct sock *sk; - ax25_cb *ax25; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (!net_eq(net, &init_net)) - return -EAFNOSUPPORT; - -diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c -index 675cf94..6feddca 100644 ---- a/net/decnet/af_decnet.c -+++ b/net/decnet/af_decnet.c -@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol, - { - struct sock *sk; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (!net_eq(net, &init_net)) - return -EAFNOSUPPORT; - -diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c -index 1d0c3ad..4b16cf3 100644 ---- a/net/ipv4/af_inet.c -+++ b/net/ipv4/af_inet.c -@@ -261,6 +261,9 @@ static int inet_create(struct net *net, struct 
socket *sock, int protocol, - int try_loading_module = 0; - int err; - -+ if (protocol < 0 || protocol >= IPPROTO_MAX) -+ return -EINVAL; -+ - sock->state = SS_UNCONNECTED; - - /* Look for the requested type/protocol pair. */ -diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c -index 38d66dd..df095ee 100644 ---- a/net/ipv6/af_inet6.c -+++ b/net/ipv6/af_inet6.c -@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, - int try_loading_module = 0; - int err; - -+ if (protocol < 0 || protocol >= IPPROTO_MAX) -+ return -EINVAL; -+ - /* Look for the requested type/protocol pair. */ - lookup_protocol: - err = -ESOCKTNOSUPPORT; -diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c -index fae6822..25f63a8 100644 ---- a/net/irda/af_irda.c -+++ b/net/irda/af_irda.c -@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol, - struct sock *sk; - struct irda_sock *self; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (net != &init_net) - return -EAFNOSUPPORT; - --- -2.4.1 - - -From 3b1d8cc00ea00bb6451a2db42b98179e109ac291 Mon Sep 17 00:00:00 2001 -From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> -Date: Fri, 4 Dec 2015 01:45:40 +0300 -Subject: [PATCH 18/34] sh_eth: fix kernel oops in skb_put() - -[ Upstream commit 248be83dcb3feb3f6332eb3d010a016402138484 ] - -In a low memory situation the following kernel oops occurs: - -Unable to handle kernel NULL pointer dereference at virtual address 00000050 -pgd = 8490c000 -[00000050] *pgd=4651e831, *pte=00000000, *ppte=00000000 -Internal error: Oops: 17 [#1] PREEMPT ARM -Modules linked in: -CPU: 0 Not tainted (3.4-at16 #9) -PC is at skb_put+0x10/0x98 -LR is at sh_eth_poll+0x2c8/0xa10 -pc : [<8035f780>] lr : [<8028bf50>] psr: 60000113 -sp : 84eb1a90 ip : 84eb1ac8 fp : 84eb1ac4 -r10: 0000003f r9 : 000005ea r8 : 00000000 -r7 : 00000000 r6 : 940453b0 r5 : 00030000 r4 : 9381b180 -r3 : 00000000 r2 : 00000000 r1 : 000005ea 
r0 : 00000000 -Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user -Control: 10c53c7d Table: 4248c059 DAC: 00000015 -Process klogd (pid: 2046, stack limit = 0x84eb02e8) -[...] - -This is because netdev_alloc_skb() fails and 'mdp->rx_skbuff[entry]' is left -NULL but sh_eth_rx() later uses it without checking. Add such check... - -Reported-by: Yasushi SHOJI <yashi@atmark-techno.com> -Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - drivers/net/ethernet/renesas/sh_eth.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c -index a484d8b..f3cbf90c 100644 ---- a/drivers/net/ethernet/renesas/sh_eth.c -+++ b/drivers/net/ethernet/renesas/sh_eth.c -@@ -1481,6 +1481,7 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota) - if (mdp->cd->shift_rd0) - desc_status >>= 16; - -+ skb = mdp->rx_skbuff[entry]; - if (desc_status & (RD_RFS1 | RD_RFS2 | RD_RFS3 | RD_RFS4 | - RD_RFS5 | RD_RFS6 | RD_RFS10)) { - ndev->stats.rx_errors++; -@@ -1496,12 +1497,11 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota) - ndev->stats.rx_missed_errors++; - if (desc_status & RD_RFS10) - ndev->stats.rx_over_errors++; -- } else { -+ } else if (skb) { - if (!mdp->cd->hw_swap) - sh_eth_soft_swap( - phys_to_virt(ALIGN(rxdesc->addr, 4)), - pkt_len + 2); -- skb = mdp->rx_skbuff[entry]; - mdp->rx_skbuff[entry] = NULL; - if (mdp->cd->rpadir) - skb_reserve(skb, NET_IP_ALIGN); --- -2.4.1 - - -From 864f5d3880ba7e9e3d11f8ba725f29b7f45ae508 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Mon, 14 Dec 2015 14:08:53 -0800 -Subject: [PATCH 19/34] net: fix IP early demux races - -[ Upstream commit 5037e9ef9454917b047f9f3a19b4dd179fbf7cd4 ] - -David Wilder reported crashes caused by dst reuse. 
- -<quote David> - I am seeing a crash on a distro V4.2.3 kernel caused by a double - release of a dst_entry. In ipv4_dst_destroy() the call to - list_empty() finds a poisoned next pointer, indicating the dst_entry - has already been removed from the list and freed. The crash occurs - 18 to 24 hours into a run of a network stress exerciser. -</quote> - -Thanks to his detailed report and analysis, we were able to understand -the core issue. - -IP early demux can associate a dst to skb, after a lookup in TCP/UDP -sockets. - -When socket cache is not properly set, we want to store into -sk->sk_dst_cache the dst for future IP early demux lookups, -by acquiring a stable refcount on the dst. - -Problem is this acquisition is simply using an atomic_inc(), -which works well, unless the dst was queued for destruction from -dst_release() noticing dst refcount went to zero, if DST_NOCACHE -was set on dst. - -We need to make sure current refcount is not zero before incrementing -it, or risk double free as David reported. - -This patch, being a stable candidate, adds two new helpers, and use -them only from IP early demux problematic paths. - -It might be possible to merge in net-next skb_dst_force() and -skb_dst_force_safe(), but I prefer having the smallest patch for stable -kernels : Maybe some skb_dst_force() callers do not expect skb->dst -can suddenly be cleared. - -Can probably be backported back to linux-3.6 kernels - -Reported-by: David J. Wilder <dwilder@us.ibm.com> -Tested-by: David J. Wilder <dwilder@us.ibm.com> -Signed-off-by: Eric Dumazet <edumazet@google.com> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - include/net/dst.h | 33 +++++++++++++++++++++++++++++++++ - include/net/sock.h | 2 +- - net/ipv4/tcp_ipv4.c | 5 ++--- - net/ipv6/tcp_ipv6.c | 3 +-- - 4 files changed, 37 insertions(+), 6 deletions(-) - -diff --git a/include/net/dst.h b/include/net/dst.h -index 9261d92..e7fa2e2 100644 ---- a/include/net/dst.h -+++ b/include/net/dst.h -@@ -322,6 +322,39 @@ static inline void skb_dst_force(struct sk_buff *skb) - } - } - -+/** -+ * dst_hold_safe - Take a reference on a dst if possible -+ * @dst: pointer to dst entry -+ * -+ * This helper returns false if it could not safely -+ * take a reference on a dst. -+ */ -+static inline bool dst_hold_safe(struct dst_entry *dst) -+{ -+ if (dst->flags & DST_NOCACHE) -+ return atomic_inc_not_zero(&dst->__refcnt); -+ dst_hold(dst); -+ return true; -+} -+ -+/** -+ * skb_dst_force_safe - makes sure skb dst is refcounted -+ * @skb: buffer -+ * -+ * If dst is not yet refcounted and not destroyed, grab a ref on it. -+ */ -+static inline void skb_dst_force_safe(struct sk_buff *skb) -+{ -+ if (skb_dst_is_noref(skb)) { -+ struct dst_entry *dst = skb_dst(skb); -+ -+ if (!dst_hold_safe(dst)) -+ dst = NULL; -+ -+ skb->_skb_refdst = (unsigned long)dst; -+ } -+} -+ - - /** - * __skb_tunnel_rx - prepare skb for rx reinsert -diff --git a/include/net/sock.h b/include/net/sock.h -index 7ae032e..bca709a 100644 ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -801,7 +801,7 @@ void sk_stream_write_space(struct sock *sk); - static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb) - { - /* dont let skb dst not refcounted, we are going to leave rcu lock */ -- skb_dst_force(skb); -+ skb_dst_force_safe(skb); - - if (!sk->sk_backlog.tail) - sk->sk_backlog.head = skb; -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index a7739c8..d77be28 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -1509,7 +1509,7 @@ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb) - if 
(likely(sk->sk_rx_dst)) - skb_dst_drop(skb); - else -- skb_dst_force(skb); -+ skb_dst_force_safe(skb); - - __skb_queue_tail(&tp->ucopy.prequeue, skb); - tp->ucopy.memory += skb->truesize; -@@ -1710,8 +1710,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) - { - struct dst_entry *dst = skb_dst(skb); - -- if (dst) { -- dst_hold(dst); -+ if (dst && dst_hold_safe(dst)) { - sk->sk_rx_dst = dst; - inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; - } -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index 9e9b77b..8935dc1 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -93,10 +93,9 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) - { - struct dst_entry *dst = skb_dst(skb); - -- if (dst) { -+ if (dst && dst_hold_safe(dst)) { - const struct rt6_info *rt = (const struct rt6_info *)dst; - -- dst_hold(dst); - sk->sk_rx_dst = dst; - inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; - inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt); --- -2.4.1 - - -From 68743b8922086a882bf9ea135221a3a2229ca6be Mon Sep 17 00:00:00 2001 -From: WANG Cong <xiyou.wangcong@gmail.com> -Date: Mon, 14 Dec 2015 13:48:36 -0800 -Subject: [PATCH 20/34] pptp: verify sockaddr_len in pptp_bind() and - pptp_connect() - -[ Upstream commit 09ccfd238e5a0e670d8178cf50180ea81ae09ae1 ] - -Reported-by: Dmitry Vyukov <dvyukov@gmail.com> -Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - drivers/net/ppp/pptp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c -index 686f37d..b910cae 100644 ---- a/drivers/net/ppp/pptp.c -+++ b/drivers/net/ppp/pptp.c -@@ -418,6 +418,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr, - struct pptp_opt *opt = &po->proto.pptp; - int error = 0; - -+ if (sockaddr_len < sizeof(struct sockaddr_pppox)) -+ return -EINVAL; -+ - lock_sock(sk); - - opt->src_addr = sp->sa_addr.pptp; -@@ -439,6 +442,9 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr, - struct flowi4 fl4; - int error = 0; - -+ if (sockaddr_len < sizeof(struct sockaddr_pppox)) -+ return -EINVAL; -+ - if (sp->sa_protocol != PX_PROTO_PPTP) - return -EINVAL; - --- -2.4.1 - - -From a745f3ea43700db573910f2231d87a0d0f82e03b Mon Sep 17 00:00:00 2001 -From: Vlad Yasevich <vyasevich@gmail.com> -Date: Mon, 16 Nov 2015 15:43:44 -0500 -Subject: [PATCH 21/34] vlan: Fix untag operations of stacked vlans with - REORDER_HEADER off - -[ Upstream commit a6e18ff111701b4ff6947605bfbe9594ec42a6e8 ] - -When we have multiple stacked vlan devices all of which have -turned off REORDER_HEADER flag, the untag operation does not -locate the ethernet addresses correctly for nested vlans. -The reason is that in case of REORDER_HEADER flag being off, -the outer vlan headers are put back and the mac_len is adjusted -to account for the presense of the header. Then, the subsequent -untag operation, for the next level vlan, always use VLAN_ETH_HLEN -to locate the begining of the ethernet header and that ends up -being a multiple of 4 bytes short of the actuall beginning -of the mac header (the multiple depending on the how many vlan -encapsulations ethere are). - -As a reslult, if there are multiple levles of vlan devices -with REODER_HEADER being off, the recevied packets end up -being dropped. - -To solve this, we use skb->mac_len as the offset. 
The value -is always set on receive path and starts out as a ETH_HLEN. -The value is also updated when the vlan header manupations occur -so we know it will be correct. - -Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/core/skbuff.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index fab4599..160193f 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -4268,7 +4268,8 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) - return NULL; - } - -- memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN); -+ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len, -+ 2 * ETH_ALEN); - skb->mac_header += VLAN_HLEN; - return skb; - } --- -2.4.1 - - -From 3555f4b7a44fb052205049353ebf858291ae722d Mon Sep 17 00:00:00 2001 -From: Vlad Yasevich <vyasevich@gmail.com> -Date: Mon, 14 Dec 2015 17:44:10 -0500 -Subject: [PATCH 22/34] skbuff: Fix offset error in skb_reorder_vlan_header - -[ Upstream commit f654861569872d10dcb79d9d7ca219b316f94ff0 ] - -skb_reorder_vlan_header is called after the vlan header has -been pulled. As a result the offset of the begining of -the mac header has been incrased by 4 bytes (VLAN_HLEN). -When moving the mac addresses, include this incrase in -the offset calcualation so that the mac addresses are -copied correctly. - -Fixes: a6e18ff1117 (vlan: Fix untag operations of stacked vlans with REORDER_HEADER off) -CC: Nicolas Dichtel <nicolas.dichtel@6wind.com> -CC: Patrick McHardy <kaber@trash.net> -Signed-off-by: Vladislav Yasevich <vyasevich@gmail.com> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - net/core/skbuff.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 160193f..1883d28 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -4268,7 +4268,7 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) - return NULL; - } - -- memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len, -+ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN, - 2 * ETH_ALEN); - skb->mac_header += VLAN_HLEN; - return skb; --- -2.4.1 - - -From ed74e375974b73498576c5e5305f0e1c0445e4f9 Mon Sep 17 00:00:00 2001 -From: WANG Cong <xiyou.wangcong@gmail.com> -Date: Wed, 16 Dec 2015 23:39:04 -0800 -Subject: [PATCH 23/34] net: check both type and procotol for tcp sockets - -[ Upstream commit ac5cc977991d2dce85fc734a6c71ddb33f6fe3c1 ] - -Dmitry reported the following out-of-bound access: - -Call Trace: - [<ffffffff816cec2e>] __asan_report_load4_noabort+0x3e/0x40 -mm/kasan/report.c:294 - [<ffffffff84affb14>] sock_setsockopt+0x1284/0x13d0 net/core/sock.c:880 - [< inline >] SYSC_setsockopt net/socket.c:1746 - [<ffffffff84aed7ee>] SyS_setsockopt+0x1fe/0x240 net/socket.c:1729 - [<ffffffff85c18c76>] entry_SYSCALL_64_fastpath+0x16/0x7a -arch/x86/entry/entry_64.S:185 - -This is because we mistake a raw socket as a tcp socket. -We should check both sk->sk_type and sk->sk_protocol to ensure -it is a tcp socket. - -Willem points out __skb_complete_tx_timestamp() needs to fix as well. - -Reported-by: Dmitry Vyukov <dvyukov@google.com> -Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com> -Cc: Eric Dumazet <eric.dumazet@gmail.com> -Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> -Acked-by: Willem de Bruijn <willemb@google.com> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - net/core/skbuff.c | 3 ++- - net/core/sock.c | 3 ++- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 1883d28..1c1f87c 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -3643,7 +3643,8 @@ static void __skb_complete_tx_timestamp(struct sk_buff *skb, - serr->ee.ee_info = tstype; - if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) { - serr->ee.ee_data = skb_shinfo(skb)->tskey; -- if (sk->sk_protocol == IPPROTO_TCP) -+ if (sk->sk_protocol == IPPROTO_TCP && -+ sk->sk_type == SOCK_STREAM) - serr->ee.ee_data -= sk->sk_tskey; - } - -diff --git a/net/core/sock.c b/net/core/sock.c -index d7a7fc5..dbbda99 100644 ---- a/net/core/sock.c -+++ b/net/core/sock.c -@@ -860,7 +860,8 @@ set_rcvbuf: - - if (val & SOF_TIMESTAMPING_OPT_ID && - !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) { -- if (sk->sk_protocol == IPPROTO_TCP) { -+ if (sk->sk_protocol == IPPROTO_TCP && -+ sk->sk_type == SOCK_STREAM) { - if (sk->sk_state != TCP_ESTABLISHED) { - ret = -EINVAL; - break; --- -2.4.1 - - -From b5b6dd8ecd8cbbc029b0eaf3acc077c61d2a5611 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Tue, 15 Dec 2015 09:43:12 -0800 -Subject: [PATCH 24/34] net_sched: make qdisc_tree_decrease_qlen() work for non - mq - -[ Upstream commit 225734de70cd0a9e0b978f3583a4a87939271d5e ] - -Stas Nichiporovich reported a regression in his HFSC qdisc setup -on a non multi queue device. - -It turns out I mistakenly added a TCQ_F_NOPARENT flag on all qdisc -allocated in qdisc_create() for non multi queue devices, which was -rather buggy. I was clearly mislead by the TCQ_F_ONETXQUEUE that is -also set here for no good reason, since it only matters for the root -qdisc. 
- -Fixes: 4eaf3b84f288 ("net_sched: fix qdisc_tree_decrease_qlen() races") -Reported-by: Stas Nichiporovich <stasn77@gmail.com> -Tested-by: Stas Nichiporovich <stasn77@gmail.com> -Signed-off-by: Eric Dumazet <edumazet@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/sched/sch_api.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c -index 7ec667d..b5c2cf2 100644 ---- a/net/sched/sch_api.c -+++ b/net/sched/sch_api.c -@@ -950,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue, - } - lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock); - if (!netif_is_multiqueue(dev)) -- sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; -+ sch->flags |= TCQ_F_ONETXQUEUE; - } - - sch->handle = handle; --- -2.4.1 - - -From a7ace68f6ce8e50a6c828595e1672c037f40c36a Mon Sep 17 00:00:00 2001 -From: "David S. Miller" <davem@davemloft.net> -Date: Tue, 15 Dec 2015 15:39:08 -0500 -Subject: [PATCH 25/34] bluetooth: Validate socket address length in - sco_sock_bind(). - -[ Upstream commit 5233252fce714053f0151680933571a2da9cbfb4 ] - -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - net/bluetooth/sco.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c -index f315c8d..15cb6c5 100644 ---- a/net/bluetooth/sco.c -+++ b/net/bluetooth/sco.c -@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le - if (!addr || addr->sa_family != AF_BLUETOOTH) - return -EINVAL; - -+ if (addr_len < sizeof(struct sockaddr_sco)) -+ return -EINVAL; -+ - lock_sock(sk); - - if (sk->sk_state != BT_OPEN) { --- -2.4.1 - - -From 0d4975246467f450ce902e9dc442d647eb7ad516 Mon Sep 17 00:00:00 2001 -From: "tadeusz.struk@intel.com" <tadeusz.struk@intel.com> -Date: Tue, 15 Dec 2015 10:46:17 -0800 -Subject: [PATCH 26/34] net: fix uninitialized variable issue - -[ Upstream commit 130ed5d105dde141e7fe60d5440aa53e0a84f13b ] - -msg_iocb needs to be initialized on the recv/recvfrom path. -Otherwise afalg will wrongly interpret it as an async call. - -Cc: stable@vger.kernel.org -Reported-by: Harald Freudenberger <freude@linux.vnet.ibm.com> -Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/socket.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/socket.c b/net/socket.c -index 9963a0b..f3fbe17 100644 ---- a/net/socket.c -+++ b/net/socket.c -@@ -1702,6 +1702,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, - msg.msg_name = addr ? 
(struct sockaddr *)&address : NULL; - /* We assume all kernel code knows the size of sockaddr_storage */ - msg.msg_namelen = 0; -+ msg.msg_iocb = NULL; - if (sock->file->f_flags & O_NONBLOCK) - flags |= MSG_DONTWAIT; - err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags); --- -2.4.1 - - -From 055a98ed38bb76ad811feec778f287e47d20bf41 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa <hannes@stressinduktion.org> -Date: Tue, 15 Dec 2015 22:59:12 +0100 -Subject: [PATCH 27/34] ipv6: automatically enable stable privacy mode if - stable_secret set -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Upstream commit 9b29c6962b70f232cde4076b1020191e1be0889d ] - -Bjørn reported that while we switch all interfaces to privacy stable mode -when setting the secret, we don't set this mode for new interfaces. This -does not make sense, so change this behaviour. - -Fixes: 622c81d57b392cc ("ipv6: generation of stable privacy addresses for link-local and autoconf") -Reported-by: Bjørn Mork <bjorn@mork.no> -Cc: Bjørn Mork <bjorn@mork.no> -Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - net/ipv6/addrconf.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index ff873c8..ddd3511 100644 ---- a/net/ipv6/addrconf.c -+++ b/net/ipv6/addrconf.c -@@ -349,6 +349,12 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev) - setup_timer(&ndev->rs_timer, addrconf_rs_timer, - (unsigned long)ndev); - memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf)); -+ -+ if (ndev->cnf.stable_secret.initialized) -+ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY; -+ else -+ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_EUI64; -+ - ndev->cnf.mtu6 = dev->mtu; - ndev->cnf.sysctl = NULL; - ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl); --- -2.4.1 - - -From e7763d6d443faf1a4a4026d3e8e98843784606c2 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Tue, 15 Dec 2015 20:56:44 -0800 -Subject: [PATCH 28/34] inet: tcp: fix inetpeer_set_addr_v4() - -[ Upstream commit 887dc9f2cef6e98dcccf807da5e6faf4f60ba483 ] - -David Ahern added a vif field in the a4 part of inetpeer_addr struct. - -This broke IPv4 TCP fast open client side and more generally tcp metrics -cache, because inetpeer_addr_cmp() is now comparing two u32 instead of -one. - -inetpeer_set_addr_v4() needs to properly init vif field, otherwise -the comparison result depends on uninitialized data. - -Fixes: 192132b9a034 ("net: Add support for VRFs to inetpeer cache") -Reported-by: Yuchung Cheng <ycheng@google.com> -Signed-off-by: Eric Dumazet <edumazet@google.com> -Cc: Neal Cardwell <ncardwell@google.com> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - include/net/inetpeer.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h -index 4a6009d..235c781 100644 ---- a/include/net/inetpeer.h -+++ b/include/net/inetpeer.h -@@ -78,6 +78,7 @@ void inet_initpeers(void) __init; - static inline void inetpeer_set_addr_v4(struct inetpeer_addr *iaddr, __be32 ip) - { - iaddr->a4.addr = ip; -+ iaddr->a4.vif = 0; - iaddr->family = AF_INET; - } - --- -2.4.1 - - -From dc6f25bdfbf1027db505506d8795fef1234f342c Mon Sep 17 00:00:00 2001 -From: Herbert Xu <herbert@gondor.apana.org.au> -Date: Wed, 16 Dec 2015 18:13:14 +0800 -Subject: [PATCH 29/34] rhashtable: Enforce minimum size on initial hash table - -[ Upstream commit 3a324606bbabfc30084ce9d08169910773ba9a92 ] - -William Hua <william.hua@canonical.com> wrote: -> -> I wasn't aware there was an enforced minimum size. I simply set the -> nelem_hint in the rhastable_params struct to 1, expecting it to grow as -> needed. This caused a segfault afterwards when trying to insert an -> element. - -OK we're doing the size computation before we enforce the limit -on min_size. - ----8<--- -We need to do the initial hash table size computation after we -have obtained the correct min_size/max_size parameters. Otherwise -we may end up with a hash table whose size is outside the allowed -envelope. - -Fixes: a998f712f77e ("rhashtable: Round up/down min/max_size to...") -Reported-by: William Hua <william.hua@canonical.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - lib/rhashtable.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/lib/rhashtable.c b/lib/rhashtable.c -index a54ff89..d2daf67e 100644 ---- a/lib/rhashtable.c -+++ b/lib/rhashtable.c -@@ -723,9 +723,6 @@ int rhashtable_init(struct rhashtable *ht, - if (params->nulls_base && params->nulls_base < (1U << RHT_BASE_SHIFT)) - return -EINVAL; - -- if (params->nelem_hint) -- size = rounded_hashtable_size(params); -- - memset(ht, 0, sizeof(*ht)); - mutex_init(&ht->mutex); - spin_lock_init(&ht->lock); -@@ -745,6 +742,9 @@ int rhashtable_init(struct rhashtable *ht, - - ht->p.min_size = max(ht->p.min_size, HASH_MIN_SIZE); - -+ if (params->nelem_hint) -+ size = rounded_hashtable_size(&ht->p); -+ - /* The maximum (not average) chain length grows with the - * size of the hash table, at a rate of (log N)/(log log N). - * The value of 16 is selected so that even if the hash --- -2.4.1 - - -From b91eef0e59aebcdaceb9bfeb61aafe0a345d2d81 Mon Sep 17 00:00:00 2001 -From: Hamish Martin <hamish.martin@alliedtelesis.co.nz> -Date: Tue, 15 Dec 2015 14:14:50 +1300 -Subject: [PATCH 30/34] gianfar: Don't enable RX Filer if not supported - -[ Upstream commit 7bff47da1ee23d00d1257905f2944c29594f799d ] - -After commit 15bf176db1fb ("gianfar: Don't enable the Filer w/o the -Parser"), 'TSEC' model controllers (for example as seen on MPC8541E) -always have 8 bytes stripped from the front of received frames. -Only 'eTSEC' gianfar controllers have the RX Filer capability (amongst -other enhancements). Previously this was treated as always enabled -for both 'TSEC' and 'eTSEC' controllers. -In commit 15bf176db1fb ("gianfar: Don't enable the Filer w/o the Parser") -a subtle change was made to the setting of 'uses_rxfcb' to effectively -always set it (since 'rx_filer_enable' was always true). This had the -side-effect of always stripping 8 bytes from the front of received frames -on 'TSEC' type controllers. 
- -We now only enable the RX Filer capability on controller types that -support it, thereby avoiding the issue for 'TSEC' type controllers. - -Reviewed-by: Chris Packham <chris.packham@alliedtelesis.co.nz> -Reviewed-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz> -Signed-off-by: Hamish Martin <hamish.martin@alliedtelesis.co.nz> -Reviewed-by: Claudiu Manoil <claudiu.manoil@freescale.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - drivers/net/ethernet/freescale/gianfar.c | 8 +++++--- - drivers/net/ethernet/freescale/gianfar.h | 1 + - 2 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c -index ce38d26..bcb933e 100644 ---- a/drivers/net/ethernet/freescale/gianfar.c -+++ b/drivers/net/ethernet/freescale/gianfar.c -@@ -894,7 +894,8 @@ static int gfar_of_init(struct platform_device *ofdev, struct net_device **pdev) - FSL_GIANFAR_DEV_HAS_VLAN | - FSL_GIANFAR_DEV_HAS_MAGIC_PACKET | - FSL_GIANFAR_DEV_HAS_EXTENDED_HASH | -- FSL_GIANFAR_DEV_HAS_TIMER; -+ FSL_GIANFAR_DEV_HAS_TIMER | -+ FSL_GIANFAR_DEV_HAS_RX_FILER; - - err = of_property_read_string(np, "phy-connection-type", &ctype); - -@@ -1393,8 +1394,9 @@ static int gfar_probe(struct platform_device *ofdev) - priv->rx_queue[i]->rxic = DEFAULT_RXIC; - } - -- /* always enable rx filer */ -- priv->rx_filer_enable = 1; -+ /* Always enable rx filer if available */ -+ priv->rx_filer_enable = -+ (priv->device_flags & FSL_GIANFAR_DEV_HAS_RX_FILER) ? 
1 : 0; - /* Enable most messages by default */ - priv->msg_enable = (NETIF_MSG_IFUP << 1 ) - 1; - /* use pritority h/w tx queue scheduling for single queue devices */ -diff --git a/drivers/net/ethernet/freescale/gianfar.h b/drivers/net/ethernet/freescale/gianfar.h -index 8c19948..3755372 100644 ---- a/drivers/net/ethernet/freescale/gianfar.h -+++ b/drivers/net/ethernet/freescale/gianfar.h -@@ -917,6 +917,7 @@ struct gfar { - #define FSL_GIANFAR_DEV_HAS_BD_STASHING 0x00000200 - #define FSL_GIANFAR_DEV_HAS_BUF_STASHING 0x00000400 - #define FSL_GIANFAR_DEV_HAS_TIMER 0x00000800 -+#define FSL_GIANFAR_DEV_HAS_RX_FILER 0x00002000 - - #if (MAXGROUPS == 2) - #define DEFAULT_MAPPING 0xAA --- -2.4.1 - - -From e8fcabcaa1cc5d503b1dd7d94d9bb83e13610e96 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa <hannes@stressinduktion.org> -Date: Tue, 15 Dec 2015 21:01:53 +0100 -Subject: [PATCH 31/34] fou: clean up socket with kfree_rcu - -[ Upstream commit 3036facbb7be3a169e35be3b271162b0fa564a2d ] - -fou->udp_offloads is managed by RCU. As it is actually included inside -the fou sockets, we cannot let the memory go out of scope before a grace -period. We either can synchronize_rcu or switch over to kfree_rcu to -manage the sockets. kfree_rcu seems appropriate as it is used by vxlan -and geneve. - -Fixes: 23461551c00628c ("fou: Support for foo-over-udp RX path") -Cc: Tom Herbert <tom@herbertland.com> -Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - net/ipv4/fou.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c -index e0fcbbb..bd903fe 100644 ---- a/net/ipv4/fou.c -+++ b/net/ipv4/fou.c -@@ -24,6 +24,7 @@ struct fou { - u16 type; - struct udp_offload udp_offloads; - struct list_head list; -+ struct rcu_head rcu; - }; - - #define FOU_F_REMCSUM_NOPARTIAL BIT(0) -@@ -417,7 +418,7 @@ static void fou_release(struct fou *fou) - list_del(&fou->list); - udp_tunnel_sock_release(sock); - -- kfree(fou); -+ kfree_rcu(fou, rcu); - } - - static int fou_encap_init(struct sock *sk, struct fou *fou, struct fou_cfg *cfg) --- -2.4.1 - - -From 99450d55526ae8c64f343738542527c42e30ff78 Mon Sep 17 00:00:00 2001 -From: Rainer Weikusat <rweikusat@mobileactivedefense.com> -Date: Wed, 16 Dec 2015 20:09:25 +0000 -Subject: [PATCH 32/34] af_unix: Revert 'lock_interruptible' in stream receive - code - -[ Upstream commit 3822b5c2fc62e3de8a0f33806ff279fb7df92432 ] - -With b3ca9b02b00704053a38bfe4c31dbbb9c13595d0, the AF_UNIX SOCK_STREAM -receive code was changed from using mutex_lock(&u->readlock) to -mutex_lock_interruptible(&u->readlock) to prevent signals from being -delayed for an indefinite time if a thread sleeping on the mutex -happened to be selected for handling the signal. But this was never a -problem with the stream receive code (as opposed to its datagram -counterpart) as that never went to sleep waiting for new messages with the -mutex held and thus, wouldn't cause secondary readers to block on the -mutex waiting for the sleeping primary reader. As the interruptible -locking makes the code more complicated in exchange for no benefit, -change it back to using mutex_lock. - -Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com> -Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - net/unix/af_unix.c | 13 +++---------- - 1 file changed, 3 insertions(+), 10 deletions(-) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 128b098..0fc6dba 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -2255,14 +2255,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state) - /* Lock the socket to prevent queue disordering - * while sleeps in memcpy_tomsg - */ -- err = mutex_lock_interruptible(&u->readlock); -- if (unlikely(err)) { -- /* recvmsg() in non blocking mode is supposed to return -EAGAIN -- * sk_rcvtimeo is not honored by mutex_lock_interruptible() -- */ -- err = noblock ? -EAGAIN : -ERESTARTSYS; -- goto out; -- } -+ mutex_lock(&u->readlock); - - if (flags & MSG_PEEK) - skip = sk_peek_offset(sk, flags); -@@ -2306,12 +2299,12 @@ again: - timeo = unix_stream_data_wait(sk, timeo, last, - last_len); - -- if (signal_pending(current) || -- mutex_lock_interruptible(&u->readlock)) { -+ if (signal_pending(current)) { - err = sock_intr_errno(timeo); - goto out; - } - -+ mutex_lock(&u->readlock); - continue; - unlock: - unix_state_unlock(sk); --- -2.4.1 - - -From dc9c6c2fb77bda57cc2b06d2a2b1d1befd3819fc Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Wed, 16 Dec 2015 13:53:10 -0800 -Subject: [PATCH 33/34] tcp: restore fastopen with no data in SYN packet - -[ Upstream commit 07e100f984975cb0417a7d5e626d0409efbad478 ] - -Yuchung tracked a regression caused by commit 57be5bdad759 ("ip: convert -tcp_sendmsg() to iov_iter primitives") for TCP Fast Open. - -Some Fast Open users do not actually add any data in the SYN packet. - -Fixes: 57be5bdad759 ("ip: convert tcp_sendmsg() to iov_iter primitives") -Reported-by: Yuchung Cheng <ycheng@google.com> -Signed-off-by: Eric Dumazet <edumazet@google.com> -Cc: Al Viro <viro@zeniv.linux.org.uk> -Acked-by: Yuchung Cheng <ycheng@google.com> -Signed-off-by: David S. 
Miller <davem@davemloft.net> ---- - net/ipv4/tcp_output.c | 23 ++++++++++++----------- - 1 file changed, 12 insertions(+), 11 deletions(-) - -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 3dbee0d..c958596 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -3147,7 +3147,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn) - { - struct tcp_sock *tp = tcp_sk(sk); - struct tcp_fastopen_request *fo = tp->fastopen_req; -- int syn_loss = 0, space, err = 0, copied; -+ int syn_loss = 0, space, err = 0; - unsigned long last_syn_loss = 0; - struct sk_buff *syn_data; - -@@ -3185,17 +3185,18 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn) - goto fallback; - syn_data->ip_summed = CHECKSUM_PARTIAL; - memcpy(syn_data->cb, syn->cb, sizeof(syn->cb)); -- copied = copy_from_iter(skb_put(syn_data, space), space, -- &fo->data->msg_iter); -- if (unlikely(!copied)) { -- kfree_skb(syn_data); -- goto fallback; -- } -- if (copied != space) { -- skb_trim(syn_data, copied); -- space = copied; -+ if (space) { -+ int copied = copy_from_iter(skb_put(syn_data, space), space, -+ &fo->data->msg_iter); -+ if (unlikely(!copied)) { -+ kfree_skb(syn_data); -+ goto fallback; -+ } -+ if (copied != space) { -+ skb_trim(syn_data, copied); -+ space = copied; -+ } - } -- - /* No more data pending in inet_wait_for_connect() */ - if (space == fo->size) - fo->data = NULL; --- -2.4.1 - - -From 51a41cd14356285e5e69c7657c55061a92e7ed79 Mon Sep 17 00:00:00 2001 -From: Herbert Xu <herbert@gondor.apana.org.au> -Date: Wed, 16 Dec 2015 16:45:54 +0800 -Subject: [PATCH 34/34] rhashtable: Fix walker list corruption - -[ Upstream commit c6ff5268293ef98e48a99597e765ffc417e39fa5 ] - -The commit ba7c95ea3870fe7b847466d39a049ab6f156aa2c ("rhashtable: -Fix sleeping inside RCU critical section in walk_stop") introduced -a new spinlock for the walker list. However, it did not convert -all existing users of the list over to the new spin lock. 
Some -continued to use the old mutext for this purpose. This obviously -led to corruption of the list. - -The fix is to use the spin lock everywhere where we touch the list. - -This also allows us to do rcu_rad_lock before we take the lock in -rhashtable_walk_start. With the old mutex this would've deadlocked -but it's safe with the new spin lock. - -Fixes: ba7c95ea3870 ("rhashtable: Fix sleeping inside RCU...") -Reported-by: Colin Ian King <colin.king@canonical.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - lib/rhashtable.c | 19 +++++++++---------- - 1 file changed, 9 insertions(+), 10 deletions(-) - -diff --git a/lib/rhashtable.c b/lib/rhashtable.c -index d2daf67e..aa388a7 100644 ---- a/lib/rhashtable.c -+++ b/lib/rhashtable.c -@@ -503,10 +503,11 @@ int rhashtable_walk_init(struct rhashtable *ht, struct rhashtable_iter *iter) - if (!iter->walker) - return -ENOMEM; - -- mutex_lock(&ht->mutex); -- iter->walker->tbl = rht_dereference(ht->tbl, ht); -+ spin_lock(&ht->lock); -+ iter->walker->tbl = -+ rcu_dereference_protected(ht->tbl, lockdep_is_held(&ht->lock)); - list_add(&iter->walker->list, &iter->walker->tbl->walkers); -- mutex_unlock(&ht->mutex); -+ spin_unlock(&ht->lock); - - return 0; - } -@@ -520,10 +521,10 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_init); - */ - void rhashtable_walk_exit(struct rhashtable_iter *iter) - { -- mutex_lock(&iter->ht->mutex); -+ spin_lock(&iter->ht->lock); - if (iter->walker->tbl) - list_del(&iter->walker->list); -- mutex_unlock(&iter->ht->mutex); -+ spin_unlock(&iter->ht->lock); - kfree(iter->walker); - } - EXPORT_SYMBOL_GPL(rhashtable_walk_exit); -@@ -547,14 +548,12 @@ int rhashtable_walk_start(struct rhashtable_iter *iter) - { - struct rhashtable *ht = iter->ht; - -- mutex_lock(&ht->mutex); -+ rcu_read_lock(); - -+ spin_lock(&ht->lock); - if (iter->walker->tbl) - list_del(&iter->walker->list); -- -- rcu_read_lock(); -- -- mutex_unlock(&ht->mutex); -+ 
spin_unlock(&ht->lock);
-
- if (!iter->walker->tbl) {
- iter->walker->tbl = rht_dereference_rcu(ht->tbl, ht);
---
-2.4.1
-
diff --git a/freed-ora/current/f22/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch b/freed-ora/current/f22/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
new file mode 100644
index 000000000..3b2031981
--- /dev/null
+++ b/freed-ora/current/f22/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
@@ -0,0 +1,83 @@ +From f9688b8f6755c3c2eb5c7e2e22ab168d0cb97644 Mon Sep 17 00:00:00 2001 +From: Munehisa Kamata <kamatam@amazon.com> +Date: Mon, 26 Oct 2015 19:10:52 -0700 +Subject: [PATCH] netfilter: nf_nat_redirect: add missing NULL pointer check + +Upstream commit 94f9cd81436c85d8c3a318ba92e236ede73752fc + +Commit 8b13eddfdf04cbfa561725cfc42d6868fe896f56 ("netfilter: refactor NAT +redirect IPv4 to use it from nf_tables") has introduced a trivial logic +change which can result in the following crash. + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 +IP: [<ffffffffa033002d>] nf_nat_redirect_ipv4+0x2d/0xa0 [nf_nat_redirect] +PGD 3ba662067 PUD 3ba661067 PMD 0 +Oops: 0000 [#1] SMP +Modules linked in: ipv6(E) xt_REDIRECT(E) nf_nat_redirect(E) xt_tcpudp(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) nf_conntrack(E) ip_tables(E) x_tables(E) binfmt_misc(E) xfs(E) libcrc32c(E) evbug(E) evdev(E) psmouse(E) i2c_piix4(E) i2c_core(E) acpi_cpufreq(E) button(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E) +CPU: 0 PID: 2536 Comm: ip Tainted: G E 4.1.7-15.23.amzn1.x86_64 #1 +Hardware name: Xen HVM domU, BIOS 4.2.amazon 05/06/2015 +task: ffff8800eb438000 ti: ffff8803ba664000 task.ti: ffff8803ba664000 +[...] +Call Trace: + <IRQ> + [<ffffffffa0334065>] redirect_tg4+0x15/0x20 [xt_REDIRECT] + [<ffffffffa02e2e99>] ipt_do_table+0x2b9/0x5e1 [ip_tables] + [<ffffffffa0328045>] iptable_nat_do_chain+0x25/0x30 [iptable_nat] + [<ffffffffa031777d>] nf_nat_ipv4_fn+0x13d/0x1f0 [nf_nat_ipv4] + [<ffffffffa0328020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat] + [<ffffffffa031785e>] nf_nat_ipv4_in+0x2e/0x90 [nf_nat_ipv4] + [<ffffffffa03280a5>] iptable_nat_ipv4_in+0x15/0x20 [iptable_nat] + [<ffffffff81449137>] nf_iterate+0x57/0x80 + [<ffffffff814491f7>] nf_hook_slow+0x97/0x100 + [<ffffffff814504d4>] ip_rcv+0x314/0x400 + +unsigned int +nf_nat_redirect_ipv4(struct sk_buff *skb, +... +{ +... 
+ rcu_read_lock(); + indev = __in_dev_get_rcu(skb->dev); + if (indev != NULL) { + ifa = indev->ifa_list; + newdst = ifa->ifa_local; <--- + } + rcu_read_unlock(); +... +} + +Before the commit, 'ifa' had been always checked before access. After the +commit, however, it could be accessed even if it's NULL. Interestingly, +this was once fixed in 2003. + +http://marc.info/?l=netfilter-devel&m=106668497403047&w=2 + +In addition to the original one, we have seen the crash when packets that +need to be redirected somehow arrive on an interface which hasn't been +yet fully configured. + +This change just reverts the logic to the old behavior to avoid the crash. + +Fixes: 8b13eddfdf04 ("netfilter: refactor NAT redirect IPv4 to use it from nf_tables") +Signed-off-by: Munehisa Kamata <kamatam@amazon.com> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + net/netfilter/nf_nat_redirect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_nat_redirect.c b/net/netfilter/nf_nat_redirect.c +index 97b75f9bfbcd..d43869879fcf 100644 +--- a/net/netfilter/nf_nat_redirect.c ++++ b/net/netfilter/nf_nat_redirect.c +@@ -55,7 +55,7 @@ nf_nat_redirect_ipv4(struct sk_buff *skb, + + rcu_read_lock(); + indev = __in_dev_get_rcu(skb->dev); +- if (indev != NULL) { ++ if (indev && indev->ifa_list) { + ifa = indev->ifa_list; + newdst = ifa->ifa_local; + } +-- +2.5.0 + diff --git a/freed-ora/current/f22/patch-4.3-gnu-4.3.3-gnu.xz.sign b/freed-ora/current/f22/patch-4.3-gnu-4.3.3-gnu.xz.sign deleted file mode 100644 index b1075a971..000000000 --- a/freed-ora/current/f22/patch-4.3-gnu-4.3.3-gnu.xz.sign +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2 - -iEYEABECAAYFAlZwovIACgkQvLfPh359R6caWgCdEz0VGK6wRWadKdc+iPX5UE85 -r6cAn3xf8QR8uiDYORcmjNpOn7WHbqjp -=u3/9 ------END PGP SIGNATURE----- 
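Review bot: The new guard `if (indev && indev->ifa_list)` reads `indev->ifa_list` once for the test and again for `ifa = indev->ifa_list;` on the following line, so an address removal that lands between the two loads still leaves `ifa` NULL at `ifa->ifa_local` — the same crash the patch is closing, just with a narrower window. Whether a writer can actually race this rcu_read_lock()-only softirq reader is decided by inet_del_ifa and by how ifa_list is published, both outside the hunk, so I cannot say how reachable it is; loading the pointer once into the local the hunk already declares closes the window regardless and makes the trusted value explicit: `if (indev) { ifa = indev->ifa_list; if (ifa) newdst = ifa->ifa_local; }`. If ifa_list is RCU-published in this tree, rcu_dereference() on that single load would be the matching annotation. nf_nat_redirect_ipv4's signature and the remainder of its body are outside the hunk.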
diff --git a/freed-ora/current/f22/patch-4.3-gnu-4.3.4-gnu.xz.sign b/freed-ora/current/f22/patch-4.3-gnu-4.3.4-gnu.xz.sign new file mode 100644 index 000000000..e5808527b --- /dev/null +++ b/freed-ora/current/f22/patch-4.3-gnu-4.3.4-gnu.xz.sign @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iEYEABECAAYFAlajwgYACgkQvLfPh359R6f0UgCfRvyz3b+m6xpQHmqIFwv04ERK +UFUAnjG9quc+T+ppHu4HlEV7J+/uDATd +=5Ili +-----END PGP SIGNATURE----- diff --git a/freed-ora/current/f22/rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch b/freed-ora/current/f22/rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch new file mode 100644 index 000000000..b3ab35e2c --- /dev/null +++ b/freed-ora/current/f22/rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch 
@@ -0,0 +1,55 @@ +From 1bd0c273bcf537adadedd7cc69408b99afd1534c Mon Sep 17 00:00:00 2001 +From: Larry Finger <Larry.Finger@lwfinger.net> +Date: Wed, 20 Jan 2016 21:26:18 -0600 +Subject: [PATCH] rtlwifi: rtl8821ae: Fix 5G failure when EEPROM is incorrectly + encoded + +Recently, it has been reported that D-Link DWA-582 cards, which use an +RTL8812AE chip are not able to scan for 5G networks. The problems started +with kernel 4.2, which is the first version that had commit d10101a60372 +("rtlwifi: rtl8821ae: Fix problem with regulatory information"). With this +patch, the driver went from setting a default channel plan to using +the value derived from EEPROM. + +Bug reports at https://bugzilla.kernel.org/show_bug.cgi?id=111031 and +https://bugzilla.redhat.com/show_bug.cgi?id=1279653 are examples of this +problem. + +The problem was solved once I learned that the internal country code was +resulting in a regulatory set with only 2.4 GHz channels. With the RTL8821AE +chips available to me, the country code was such that both 2.4 and 5 GHz +channels are allowed. The fix is to allow both bands even when the EEPROM +is incorrectly encoded. 
+ +Fixes: d10101a60372 ("rtlwifi: rtl8821ae: Fix problem with regulatory information") +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Cc: littlesmartguy@gmail.com +Cc: gabe@codehaus.org +Cc: Stable <stable@vger.kernel.org> [v4.2+] +--- + drivers/net/wireless/rtlwifi/regd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/rtlwifi/regd.c b/drivers/net/wireless/rtlwifi/regd.c +index a62bf0a65c32..5be34118e0af 100644 +--- a/drivers/net/wireless/rtlwifi/regd.c ++++ b/drivers/net/wireless/rtlwifi/regd.c +@@ -351,7 +351,6 @@ static const struct ieee80211_regdomain *_rtl_regdomain_select( + case COUNTRY_CODE_SPAIN: + case COUNTRY_CODE_FRANCE: + case COUNTRY_CODE_ISRAEL: +- case COUNTRY_CODE_WORLD_WIDE_13: + return &rtl_regdom_12_13; + case COUNTRY_CODE_MKK: + case COUNTRY_CODE_MKK1: +@@ -360,6 +359,7 @@ static const struct ieee80211_regdomain *_rtl_regdomain_select( + return &rtl_regdom_14_60_64; + case COUNTRY_CODE_GLOBAL_DOMAIN: + return &rtl_regdom_14; ++ case COUNTRY_CODE_WORLD_WIDE_13: + case COUNTRY_CODE_WORLD_WIDE_13_5G_ALL: + return &rtl_regdom_12_13_5g_all; + default: +-- +2.5.0 + diff --git a/freed-ora/current/f22/sources b/freed-ora/current/f22/sources index 13d310bd4..50855cbe5 100644 --- a/freed-ora/current/f22/sources +++ b/freed-ora/current/f22/sources @@ -1,3 +1,3 @@ 282b54dc98bfd44effbce76629c94dd0 linux-libre-4.3-gnu.tar.xz 7c516c9528b9f9aac0136944b0200b7e perf-man-4.3.tar.gz -75d7ece291dd484f968718ee1ce6b2f1 patch-4.3-gnu-4.3.3-gnu.xz +7cb84a9ef91cd3162e31a25c0e87c926 patch-4.3-gnu-4.3.4-gnu.xz diff --git a/freed-ora/current/f22/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch b/freed-ora/current/f22/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch new file mode 100644 index 000000000..d169105db --- /dev/null +++ b/freed-ora/current/f22/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch 
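Review bot: The moved `case COUNTRY_CODE_WORLD_WIDE_13:` label now selects `rtl_regdom_12_13_5g_all`, but nothing in the switch says why a "world wide 13" code is treated as a dual-band domain; the reasoning lives only in the commit message, and a later cleanup could plausibly move the label back next to `rtl_regdom_12_13`. I would put a one-line comment above the label, e.g. `/* Some RTL8812AE EEPROMs encode WORLD_WIDE_13 on 5 GHz-capable hardware (D-Link DWA-582); keep both bands enabled */`. Since the change widens the channel set used when the EEPROM is wrong, it would also be worth a sentence in the description on whether the driver's regulatory hint / cfg80211 still bounds what is transmitted; that interaction is not visible in this hunk. _rtl_regdomain_select begins before the hunk and its default case continues after it.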
@@ -0,0 +1,68 @@ +From 938f50fc744cb49892bd42c8f56bdfa63e82a27d Mon Sep 17 00:00:00 2001 +From: Peter Hurley <peter@hurleysoftware.com> +Date: Sun, 10 Jan 2016 22:40:55 -0800 +Subject: [PATCH] tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) + +ioctl(TIOCGETD) retrieves the line discipline id directly from the +ldisc because the line discipline id (c_line) in termios is untrustworthy; +userspace may have set termios via ioctl(TCSETS*) without actually +changing the line discipline via ioctl(TIOCSETD). + +However, directly accessing the current ldisc via tty->ldisc is +unsafe; the ldisc ptr dereferenced may be stale if the line discipline +is changing via ioctl(TIOCSETD) or hangup. + +Wait for the line discipline reference (just like read() or write()) +to retrieve the "current" line discipline id. + +Cc: <stable@vger.kernel.org> +Signed-off-by: Peter Hurley <peter@hurleysoftware.com> +--- + drivers/tty/tty_io.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index f435977de740..bd4027e36910 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p) + } + + /** ++ * tiocgetd - get line discipline ++ * @tty: tty device ++ * @p: pointer to user data ++ * ++ * Retrieves the line discipline id directly from the ldisc. 
++ * ++ * Locking: waits for ldisc reference (in case the line discipline ++ * is changing or the tty is being hungup) ++ */ ++ ++static int tiocgetd(struct tty_struct *tty, int __user *p) ++{ ++ struct tty_ldisc *ld; ++ int ret; ++ ++ ld = tty_ldisc_ref_wait(tty); ++ ret = put_user(ld->ops->num, p); ++ tty_ldisc_deref(ld); ++ return ret; ++} ++ ++/** + * send_break - performed time break + * @tty: device to break on + * @duration: timeout in mS +@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + case TIOCGSID: + return tiocgsid(tty, real_tty, p); + case TIOCGETD: +- return put_user(tty->ldisc->ops->num, (int __user *)p); ++ return tiocgetd(tty, p); + case TIOCSETD: + return tiocsetd(tty, p); + case TIOCVHANGUP: +-- +2.5.0 + diff --git a/freed-ora/current/f22/unix-properly-account-for-FDs-passed-over-unix-socke.patch b/freed-ora/current/f22/unix-properly-account-for-FDs-passed-over-unix-socke.patch new file mode 100644 index 000000000..c263abf2b --- /dev/null +++ b/freed-ora/current/f22/unix-properly-account-for-FDs-passed-over-unix-socke.patch 
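Review bot: In the new tiocgetd, `ld = tty_ldisc_ref_wait(tty);` is followed directly by `put_user(ld->ops->num, p)` with no check that `ld` is non-NULL; the helper's contract is outside this hunk, but if it can return NULL once the tty has been hung up, this trades the stale-pointer dereference the description fixes for a NULL dereference on the same TIOCGETD path. The read()/write() callers cited as the model may share the gap, so an explicit guard is cheap insurance: `if (!ld) return -EIO;` between the ref_wait and the put_user. The kernel-doc block could also state the error contract, e.g. `Returns 0 on success, -EFAULT if @p is not writable, -EIO if no line discipline is attached`.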
@@ -0,0 +1,140 @@ +From 0cd038d23b86853d68993c94f3c713e4375fd61f Mon Sep 17 00:00:00 2001 +From: willy tarreau <w@1wt.eu> +Date: Sun, 10 Jan 2016 07:54:56 +0100 +Subject: [PATCH] unix: properly account for FDs passed over unix sockets + +It is possible for a process to allocate and accumulate far more FDs than +the process' limit by sending them over a unix socket then closing them +to keep the process' fd count low. + +This change addresses this problem by keeping track of the number of FDs +in flight per user and preventing non-privileged processes from having +more FDs in flight than their configured FD limit. + +Reported-by: socketpair@gmail.com +Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> +Mitigates: CVE-2013-4312 (Linux 2.0+) +Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> +Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> +Signed-off-by: Willy Tarreau <w@1wt.eu> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + include/linux/sched.h | 1 + + net/unix/af_unix.c | 24 ++++++++++++++++++++---- + net/unix/garbage.c | 13 ++++++++----- + 3 files changed, 29 insertions(+), 9 deletions(-) + +diff --git a/include/linux/sched.h b/include/linux/sched.h +index b7b9501b41af..f477e87ca46f 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -830,6 +830,7 @@ struct user_struct { + unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */ + #endif + unsigned long locked_shm; /* How many pages of mlocked shm ? 
*/ ++ unsigned long unix_inflight; /* How many files in flight in unix sockets */ + + #ifdef CONFIG_KEYS + struct key *uid_keyring; /* UID specific keyring */ +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 128b0982c96b..9085de63bb81 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1498,6 +1498,21 @@ static void unix_destruct_scm(struct sk_buff *skb) + sock_wfree(skb); + } + ++/* ++ * The "user->unix_inflight" variable is protected by the garbage ++ * collection lock, and we just read it locklessly here. If you go ++ * over the limit, there might be a tiny race in actually noticing ++ * it across threads. Tough. ++ */ ++static inline bool too_many_unix_fds(struct task_struct *p) ++{ ++ struct user_struct *user = current_user(); ++ ++ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE))) ++ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); ++ return false; ++} ++ + #define MAX_RECURSION_LEVEL 4 + + static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) +@@ -1506,6 +1521,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) + unsigned char max_level = 0; + int unix_sock_count = 0; + ++ if (too_many_unix_fds(current)) ++ return -ETOOMANYREFS; ++ + for (i = scm->fp->count - 1; i >= 0; i--) { + struct sock *sk = unix_get_socket(scm->fp->fp[i]); + +@@ -1527,10 +1545,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) + if (!UNIXCB(skb).fp) + return -ENOMEM; + +- if (unix_sock_count) { +- for (i = scm->fp->count - 1; i >= 0; i--) +- unix_inflight(scm->fp->fp[i]); +- } ++ for (i = scm->fp->count - 1; i >= 0; i--) ++ unix_inflight(scm->fp->fp[i]); + return max_level; + } + +diff --git a/net/unix/garbage.c b/net/unix/garbage.c +index a73a226f2d33..8fcdc2283af5 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp) + { + struct sock *s = unix_get_socket(fp); + ++ spin_lock(&unix_gc_lock); ++ + if 
(s) { + struct unix_sock *u = unix_sk(s); + +- spin_lock(&unix_gc_lock); +- + if (atomic_long_inc_return(&u->inflight) == 1) { + BUG_ON(!list_empty(&u->link)); + list_add_tail(&u->link, &gc_inflight_list); +@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp) + BUG_ON(list_empty(&u->link)); + } + unix_tot_inflight++; +- spin_unlock(&unix_gc_lock); + } ++ fp->f_cred->user->unix_inflight++; ++ spin_unlock(&unix_gc_lock); + } + + void unix_notinflight(struct file *fp) + { + struct sock *s = unix_get_socket(fp); + ++ spin_lock(&unix_gc_lock); ++ + if (s) { + struct unix_sock *u = unix_sk(s); + +- spin_lock(&unix_gc_lock); + BUG_ON(list_empty(&u->link)); + + if (atomic_long_dec_and_test(&u->inflight)) + list_del_init(&u->link); + unix_tot_inflight--; +- spin_unlock(&unix_gc_lock); + } ++ fp->f_cred->user->unix_inflight--; ++ spin_unlock(&unix_gc_lock); + } + + static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *), +-- +2.5.0 + diff --git a/freed-ora/current/f22/vrf-fix-memory-leak-on-registration.patch b/freed-ora/current/f22/vrf-fix-memory-leak-on-registration.patch deleted file mode 100644 index 86c3dff69..000000000 --- a/freed-ora/current/f22/vrf-fix-memory-leak-on-registration.patch +++ /dev/null 
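Review bot: The limit is checked against one user and charged to another: `too_many_unix_fds()` compares `current_user()->unix_inflight` with the sender's RLIMIT_NOFILE, while `unix_inflight()` and `unix_notinflight()` increment and decrement `fp->f_cred->user->unix_inflight`, i.e. the user who originally opened the file. When a process sends descriptors opened under other credentials (received from another user, or opened before a privilege drop), its own counter never moves and the new check does not bind, while the opener's counter is inflated by someone else until that opener's own sends fail with -ETOOMANYREFS — a bypass one way and a denial of service the other. The fix is to record the sender's user_struct at attach time (a `struct user_struct *user` in the scm_fp_list set from `current_user()` in unix_attach_fds) and pass that same struct to both unix_inflight() and unix_notinflight(), so the increment and its matching decrement always hit one counter; that likely reaches into net/core/scm.c, so it is a follow-up patch rather than a one-line change here. Minor: `too_many_unix_fds(struct task_struct *p)` reads `current_user()` rather than p's credentials, so the parameter only feeds task_rlimit().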
@@ -1,42 +0,0 @@ -From 5780068e17af44a98d432d31448bb18a99ce64dc Mon Sep 17 00:00:00 2001 -From: Ben Hutchings <ben@decadent.org.uk> -Date: Tue, 15 Dec 2015 15:12:43 +0000 -Subject: [PATCH] vrf: Fix memory leak on registration failure in vrf_newlink() - -The backported version of commit 7f109f7cc371 ("vrf: fix double free -and memory corruption on register_netdevice failure") incorrectly -removed a kfree() from the failure path as well as the free_netdev(). -Add that back. - -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/vrf.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c -index c9e309c..6c25fd0 100644 ---- a/drivers/net/vrf.c -+++ b/drivers/net/vrf.c -@@ -581,6 +581,7 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, - { - struct net_vrf *vrf = netdev_priv(dev); - struct net_vrf_dev *vrf_ptr; -+ int err; - - if (!data || !data[IFLA_VRF_TABLE]) - return -EINVAL; -@@ -598,7 +599,10 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, - - rcu_assign_pointer(dev->vrf_ptr, vrf_ptr); - -- return register_netdev(dev); -+ err = register_netdev(dev); -+ if (err) -+ kfree(vrf_ptr); -+ return err; - } - - static size_t vrf_nl_getsize(const struct net_device *dev) --- -2.5.0 - |