authorAlexandre Oliva <lxoliva@fsfla.org>2015-12-22 01:01:57 +0000
committerAlexandre Oliva <lxoliva@fsfla.org>2015-12-22 01:01:57 +0000
commit4e8a13015b5303aa9a7f3c53129c985738a9f289 (patch)
tree9f0c802f98fc75d1dcc8f02541a0fde872271538 /freed-ora
parent4eb49ff7be9ebf30b9c49991bd3e554e370f52f0 (diff)
4.2.8-300.fc23.gnu
Diffstat (limited to 'freed-ora')
-rw-r--r--freed-ora/current/f23/0001-ipv6-Avoid-creating-RTF_CACHE-from-a-rt-that-is-not-.patch91
-rw-r--r--freed-ora/current/f23/Btrfs-fix-truncation-of-compressed-and-inlined-exten.patch288
-rw-r--r--freed-ora/current/f23/KEYS-Fix-race-between-read-and-revoke.patch108
-rw-r--r--freed-ora/current/f23/RDS-fix-race-condition-when-sending-a-message-on-unb.patch77
-rw-r--r--freed-ora/current/f23/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch40
-rw-r--r--freed-ora/current/f23/kernel.spec46
-rw-r--r--freed-ora/current/f23/net-add-validation-for-the-socket-syscall-protocol-a.patch139
-rw-r--r--freed-ora/current/f23/ovl-fix-permission-checking-for-setattr.patch46
-rw-r--r--freed-ora/current/f23/patch-4.2-gnu-4.2.7-gnu.xz.sign7
-rw-r--r--freed-ora/current/f23/patch-4.2-gnu-4.2.8-gnu.xz.sign7
-rw-r--r--freed-ora/current/f23/sources2
11 files changed, 375 insertions, 476 deletions
diff --git a/freed-ora/current/f23/0001-ipv6-Avoid-creating-RTF_CACHE-from-a-rt-that-is-not-.patch b/freed-ora/current/f23/0001-ipv6-Avoid-creating-RTF_CACHE-from-a-rt-that-is-not-.patch
deleted file mode 100644
index 3390024d2..000000000
--- a/freed-ora/current/f23/0001-ipv6-Avoid-creating-RTF_CACHE-from-a-rt-that-is-not-.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 0d3f6d297bfb7af24d0508460fdb3d1ec4903fa3 Mon Sep 17 00:00:00 2001
-From: Martin KaFai Lau <kafai@fb.com>
-Date: Wed, 11 Nov 2015 11:51:06 -0800
-Subject: [PATCH] ipv6: Avoid creating RTF_CACHE from a rt that is not managed
- by fib6 tree
-
-The original bug report:
-https://bugzilla.redhat.com/show_bug.cgi?id=1272571
-
-The setup has a IPv4 GRE tunnel running in a IPSec. The bug
-happens when ndisc starts sending router solicitation at the gre
-interface. The simplified oops stack is like:
-
-__lock_acquire+0x1b2/0x1c30
-lock_acquire+0xb9/0x140
-_raw_write_lock_bh+0x3f/0x50
-__ip6_ins_rt+0x2e/0x60
-ip6_ins_rt+0x49/0x50
-~~~~~~~~
-__ip6_rt_update_pmtu.part.54+0x145/0x250
-ip6_rt_update_pmtu+0x2e/0x40
-~~~~~~~~
-ip_tunnel_xmit+0x1f1/0xf40
-__gre_xmit+0x7a/0x90
-ipgre_xmit+0x15a/0x220
-dev_hard_start_xmit+0x2bd/0x480
-__dev_queue_xmit+0x696/0x730
-dev_queue_xmit+0x10/0x20
-neigh_direct_output+0x11/0x20
-ip6_finish_output2+0x21f/0x770
-ip6_finish_output+0xa7/0x1d0
-ip6_output+0x56/0x190
-~~~~~~~~
-ndisc_send_skb+0x1d9/0x400
-ndisc_send_rs+0x88/0xc0
-~~~~~~~~
-
-The rt passed to ip6_rt_update_pmtu() is created by
-icmp6_dst_alloc() and it is not managed by the fib6 tree,
-so its rt6i_table == NULL. When __ip6_rt_update_pmtu() creates
-a RTF_CACHE clone, the newly created clone also has rt6i_table == NULL
-and it causes the ip6_ins_rt() oops.
-
-During pmtu update, we only want to create a RTF_CACHE clone
-from a rt which is currently managed (or owned) by the
-fib6 tree. It means either rt->rt6i_node != NULL or
-rt is a RTF_PCPU clone.
-
-It is worth to note that rt6i_table may not be NULL even it is
-not (yet) managed by the fib6 tree (e.g. addrconf_dst_alloc()).
-Hence, rt6i_node is a better check instead of rt6i_table.
-
-Fixes: 45e4fd26683c ("ipv6: Only create RTF_CACHE routes after encountering pmtu")
-Signed-off-by: Martin KaFai Lau <kafai@fb.com>
-Reported-by: Chris Siebenmann <cks-rhbugzilla@cs.toronto.edu>
-Cc: Chris Siebenmann <cks-rhbugzilla@cs.toronto.edu>
-Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv6/route.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index c8bc9b4..74907c5 100644
---- a/net/ipv6/route.c
-+++ b/net/ipv6/route.c
-@@ -1322,6 +1322,12 @@ static void rt6_do_update_pmtu(struct rt6_info *rt, u32 mtu)
- rt6_update_expires(rt, net->ipv6.sysctl.ip6_rt_mtu_expires);
- }
-
-+static bool rt6_cache_allowed_for_pmtu(const struct rt6_info *rt)
-+{
-+ return !(rt->rt6i_flags & RTF_CACHE) &&
-+ (rt->rt6i_flags & RTF_PCPU || rt->rt6i_node);
-+}
-+
- static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,
- const struct ipv6hdr *iph, u32 mtu)
- {
-@@ -1335,7 +1341,7 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,
- if (mtu >= dst_mtu(dst))
- return;
-
-- if (rt6->rt6i_flags & RTF_CACHE) {
-+ if (!rt6_cache_allowed_for_pmtu(rt6)) {
- rt6_do_update_pmtu(rt6, mtu);
- } else {
- const struct in6_addr *daddr, *saddr;
---
-2.5.0
-
diff --git a/freed-ora/current/f23/Btrfs-fix-truncation-of-compressed-and-inlined-exten.patch b/freed-ora/current/f23/Btrfs-fix-truncation-of-compressed-and-inlined-exten.patch
deleted file mode 100644
index 1212966ef..000000000
--- a/freed-ora/current/f23/Btrfs-fix-truncation-of-compressed-and-inlined-exten.patch
+++ /dev/null
@@ -1,288 +0,0 @@
-From 0305cd5f7fca85dae392b9ba85b116896eb7c1c7 Mon Sep 17 00:00:00 2001
-From: Filipe Manana <fdmanana@suse.com>
-Date: Fri, 16 Oct 2015 12:34:25 +0100
-Subject: [PATCH] Btrfs: fix truncation of compressed and inlined extents
-
-When truncating a file to a smaller size which consists of an inline
-extent that is compressed, we did not discard (or made unusable) the
-data between the new file size and the old file size, wasting metadata
-space and allowing for the truncated data to be leaked and the data
-corruption/loss mentioned below.
-We were also not correctly decrementing the number of bytes used by the
-inode, we were setting it to zero, giving a wrong report for callers of
-the stat(2) syscall. The fsck tool also reported an error about a mismatch
-between the nbytes of the file versus the real space used by the file.
-
-Now because we weren't discarding the truncated region of the file, it
-was possible for a caller of the clone ioctl to actually read the data
-that was truncated, allowing for a security breach without requiring root
-access to the system, using only standard filesystem operations. The
-scenario is the following:
-
- 1) User A creates a file which consists of an inline and compressed
- extent with a size of 2000 bytes - the file is not accessible to
- any other users (no read, write or execution permission for anyone
- else);
-
- 2) The user truncates the file to a size of 1000 bytes;
-
- 3) User A makes the file world readable;
-
- 4) User B creates a file consisting of an inline extent of 2000 bytes;
-
- 5) User B issues a clone operation from user A's file into its own
- file (using a length argument of 0, clone the whole range);
-
- 6) User B now gets to see the 1000 bytes that user A truncated from
- its file before it made its file world readbale. User B also lost
- the bytes in the range [1000, 2000[ bytes from its own file, but
- that might be ok if his/her intention was reading stale data from
- user A that was never supposed to be public.
-
-Note that this contrasts with the case where we truncate a file from 2000
-bytes to 1000 bytes and then truncate it back from 1000 to 2000 bytes. In
-this case reading any byte from the range [1000, 2000[ will return a value
-of 0x00, instead of the original data.
-
-This problem exists since the clone ioctl was added and happens both with
-and without my recent data loss and file corruption fixes for the clone
-ioctl (patch "Btrfs: fix file corruption and data loss after cloning
-inline extents").
-
-So fix this by truncating the compressed inline extents as we do for the
-non-compressed case, which involves decompressing, if the data isn't already
-in the page cache, compressing the truncated version of the extent, writing
-the compressed content into the inline extent and then truncate it.
-
-The following test case for fstests reproduces the problem. In order for
-the test to pass both this fix and my previous fix for the clone ioctl
-that forbids cloning a smaller inline extent into a larger one,
-which is titled "Btrfs: fix file corruption and data loss after cloning
-inline extents", are needed. Without that other fix the test fails in a
-different way that does not leak the truncated data, instead part of
-destination file gets replaced with zeroes (because the destination file
-has a larger inline extent than the source).
-
- seq=`basename $0`
- seqres=$RESULT_DIR/$seq
- echo "QA output created by $seq"
- tmp=/tmp/$$
- status=1 # failure is the default!
- trap "_cleanup; exit \$status" 0 1 2 3 15
-
- _cleanup()
- {
- rm -f $tmp.*
- }
-
- # get standard environment, filters and checks
- . ./common/rc
- . ./common/filter
-
- # real QA test starts here
- _need_to_be_root
- _supported_fs btrfs
- _supported_os Linux
- _require_scratch
- _require_cloner
-
- rm -f $seqres.full
-
- _scratch_mkfs >>$seqres.full 2>&1
- _scratch_mount "-o compress"
-
- # Create our test files. File foo is going to be the source of a clone operation
- # and consists of a single inline extent with an uncompressed size of 512 bytes,
- # while file bar consists of a single inline extent with an uncompressed size of
- # 256 bytes. For our test's purpose, it's important that file bar has an inline
- # extent with a size smaller than foo's inline extent.
- $XFS_IO_PROG -f -c "pwrite -S 0xa1 0 128" \
- -c "pwrite -S 0x2a 128 384" \
- $SCRATCH_MNT/foo | _filter_xfs_io
- $XFS_IO_PROG -f -c "pwrite -S 0xbb 0 256" $SCRATCH_MNT/bar | _filter_xfs_io
-
- # Now durably persist all metadata and data. We do this to make sure that we get
- # on disk an inline extent with a size of 512 bytes for file foo.
- sync
-
- # Now truncate our file foo to a smaller size. Because it consists of a
- # compressed and inline extent, btrfs did not shrink the inline extent to the
- # new size (if the extent was not compressed, btrfs would shrink it to 128
- # bytes), it only updates the inode's i_size to 128 bytes.
- $XFS_IO_PROG -c "truncate 128" $SCRATCH_MNT/foo
-
- # Now clone foo's inline extent into bar.
- # This clone operation should fail with errno EOPNOTSUPP because the source
- # file consists only of an inline extent and the file's size is smaller than
- # the inline extent of the destination (128 bytes < 256 bytes). However the
- # clone ioctl was not prepared to deal with a file that has a size smaller
- # than the size of its inline extent (something that happens only for compressed
- # inline extents), resulting in copying the full inline extent from the source
- # file into the destination file.
- #
- # Note that btrfs' clone operation for inline extents consists of removing the
- # inline extent from the destination inode and copy the inline extent from the
- # source inode into the destination inode, meaning that if the destination
- # inode's inline extent is larger (N bytes) than the source inode's inline
- # extent (M bytes), some bytes (N - M bytes) will be lost from the destination
- # file. Btrfs could copy the source inline extent's data into the destination's
- # inline extent so that we would not lose any data, but that's currently not
- # done due to the complexity that would be needed to deal with such cases
- # (specially when one or both extents are compressed), returning EOPNOTSUPP, as
- # it's normally not a very common case to clone very small files (only case
- # where we get inline extents) and copying inline extents does not save any
- # space (unlike for normal, non-inlined extents).
- $CLONER_PROG -s 0 -d 0 -l 0 $SCRATCH_MNT/foo $SCRATCH_MNT/bar
-
- # Now because the above clone operation used to succeed, and due to foo's inline
- # extent not being shinked by the truncate operation, our file bar got the whole
- # inline extent copied from foo, making us lose the last 128 bytes from bar
- # which got replaced by the bytes in range [128, 256[ from foo before foo was
- # truncated - in other words, data loss from bar and being able to read old and
- # stale data from foo that should not be possible to read anymore through normal
- # filesystem operations. Contrast with the case where we truncate a file from a
- # size N to a smaller size M, truncate it back to size N and then read the range
- # [M, N[, we should always get the value 0x00 for all the bytes in that range.
-
- # We expected the clone operation to fail with errno EOPNOTSUPP and therefore
- # not modify our file's bar data/metadata. So its content should be 256 bytes
- # long with all bytes having the value 0xbb.
- #
- # Without the btrfs bug fix, the clone operation succeeded and resulted in
- # leaking truncated data from foo, the bytes that belonged to its range
- # [128, 256[, and losing data from bar in that same range. So reading the
- # file gave us the following content:
- #
- # 0000000 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1
- # *
- # 0000200 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a
- # *
- # 0000400
- echo "File bar's content after the clone operation:"
- od -t x1 $SCRATCH_MNT/bar
-
- # Also because the foo's inline extent was not shrunk by the truncate
- # operation, btrfs' fsck, which is run by the fstests framework everytime a
- # test completes, failed reporting the following error:
- #
- # root 5 inode 257 errors 400, nbytes wrong
-
- status=0
- exit
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Filipe Manana <fdmanana@suse.com>
----
- fs/btrfs/inode.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++----------
- 1 file changed, 68 insertions(+), 14 deletions(-)
-
-diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
-index 208db4e835f0..cbb4286490a1 100644
---- a/fs/btrfs/inode.c
-+++ b/fs/btrfs/inode.c
-@@ -4217,6 +4217,47 @@ static int truncate_space_check(struct btrfs_trans_handle *trans,
-
- }
-
-+static int truncate_inline_extent(struct inode *inode,
-+ struct btrfs_path *path,
-+ struct btrfs_key *found_key,
-+ const u64 item_end,
-+ const u64 new_size)
-+{
-+ struct extent_buffer *leaf = path->nodes[0];
-+ int slot = path->slots[0];
-+ struct btrfs_file_extent_item *fi;
-+ u32 size = (u32)(new_size - found_key->offset);
-+ struct btrfs_root *root = BTRFS_I(inode)->root;
-+
-+ fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item);
-+
-+ if (btrfs_file_extent_compression(leaf, fi) != BTRFS_COMPRESS_NONE) {
-+ loff_t offset = new_size;
-+ loff_t page_end = ALIGN(offset, PAGE_CACHE_SIZE);
-+
-+ /*
-+ * Zero out the remaining of the last page of our inline extent,
-+ * instead of directly truncating our inline extent here - that
-+ * would be much more complex (decompressing all the data, then
-+ * compressing the truncated data, which might be bigger than
-+ * the size of the inline extent, resize the extent, etc).
-+ * We release the path because to get the page we might need to
-+ * read the extent item from disk (data not in the page cache).
-+ */
-+ btrfs_release_path(path);
-+ return btrfs_truncate_page(inode, offset, page_end - offset, 0);
-+ }
-+
-+ btrfs_set_file_extent_ram_bytes(leaf, fi, size);
-+ size = btrfs_file_extent_calc_inline_size(size);
-+ btrfs_truncate_item(root, path, size, 1);
-+
-+ if (test_bit(BTRFS_ROOT_REF_COWS, &root->state))
-+ inode_sub_bytes(inode, item_end + 1 - new_size);
-+
-+ return 0;
-+}
-+
- /*
- * this can truncate away extent items, csum items and directory items.
- * It starts at a high offset and removes keys until it can't find
-@@ -4411,27 +4452,40 @@ search_again:
- * special encodings
- */
- if (!del_item &&
-- btrfs_file_extent_compression(leaf, fi) == 0 &&
- btrfs_file_extent_encryption(leaf, fi) == 0 &&
- btrfs_file_extent_other_encoding(leaf, fi) == 0) {
-- u32 size = new_size - found_key.offset;
--
-- if (test_bit(BTRFS_ROOT_REF_COWS, &root->state))
-- inode_sub_bytes(inode, item_end + 1 -
-- new_size);
-
- /*
-- * update the ram bytes to properly reflect
-- * the new size of our item
-+ * Need to release path in order to truncate a
-+ * compressed extent. So delete any accumulated
-+ * extent items so far.
- */
-- btrfs_set_file_extent_ram_bytes(leaf, fi, size);
-- size =
-- btrfs_file_extent_calc_inline_size(size);
-- btrfs_truncate_item(root, path, size, 1);
-+ if (btrfs_file_extent_compression(leaf, fi) !=
-+ BTRFS_COMPRESS_NONE && pending_del_nr) {
-+ err = btrfs_del_items(trans, root, path,
-+ pending_del_slot,
-+ pending_del_nr);
-+ if (err) {
-+ btrfs_abort_transaction(trans,
-+ root,
-+ err);
-+ goto error;
-+ }
-+ pending_del_nr = 0;
-+ }
-+
-+ err = truncate_inline_extent(inode, path,
-+ &found_key,
-+ item_end,
-+ new_size);
-+ if (err) {
-+ btrfs_abort_transaction(trans,
-+ root, err);
-+ goto error;
-+ }
- } else if (test_bit(BTRFS_ROOT_REF_COWS,
- &root->state)) {
-- inode_sub_bytes(inode, item_end + 1 -
-- found_key.offset);
-+ inode_sub_bytes(inode, item_end + 1 - new_size);
- }
- }
- delete:
---
-2.5.0
-
diff --git a/freed-ora/current/f23/KEYS-Fix-race-between-read-and-revoke.patch b/freed-ora/current/f23/KEYS-Fix-race-between-read-and-revoke.patch
new file mode 100644
index 000000000..df0d9376b
--- /dev/null
+++ b/freed-ora/current/f23/KEYS-Fix-race-between-read-and-revoke.patch
@@ -0,0 +1,108 @@
+From f144220f72062ed5359e0211f130670c915a12dd Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 14 Dec 2015 10:36:31 -0500
+Subject: [PATCH] KEYS: Fix race between read and revoke
+
+There's a race between keyctl_read() and keyctl_revoke(). If the revoke
+happens between keyctl_read() checking the validity of a key and the key's
+semaphore being taken, then the key type read method will see a revoked key.
+
+This causes a problem for the user-defined key type because it assumes in
+its read method that there will always be a payload in a non-revoked key
+and doesn't check for a NULL pointer.
+
+Fix this by making keyctl_read() check the validity of a key after taking
+semaphore instead of before.
+
+This was discovered by a multithreaded test program generated by syzkaller
+(http://github.com/google/syzkaller). Here's a cleaned up version:
+
+ #include <sys/types.h>
+ #include <keyutils.h>
+ #include <pthread.h>
+ void *thr0(void *arg)
+ {
+ key_serial_t key = (unsigned long)arg;
+ keyctl_revoke(key);
+ return 0;
+ }
+ void *thr1(void *arg)
+ {
+ key_serial_t key = (unsigned long)arg;
+ char buffer[16];
+ keyctl_read(key, buffer, 16);
+ return 0;
+ }
+ int main()
+ {
+ key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
+ pthread_t th[5];
+ pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
+ pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
+ pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
+ pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
+ pthread_join(th[0], 0);
+ pthread_join(th[1], 0);
+ pthread_join(th[2], 0);
+ pthread_join(th[3], 0);
+ return 0;
+ }
+
+Build as:
+
+ cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
+
+Run as:
+
+ while keyctl-race; do :; done
+
+as it may need several iterations to crash the kernel. The crash can be
+summarised as:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+ IP: [<ffffffff81279b08>] user_read+0x56/0xa3
+ ...
+ Call Trace:
+ [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
+ [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
+ [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ security/keys/keyctl.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index fb111eafcb89..1c3872aeed14 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -751,16 +751,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
+
+ /* the key is probably readable - now try to read it */
+ can_read_key:
+- ret = key_validate(key);
+- if (ret == 0) {
+- ret = -EOPNOTSUPP;
+- if (key->type->read) {
+- /* read the data with the semaphore held (since we
+- * might sleep) */
+- down_read(&key->sem);
++ ret = -EOPNOTSUPP;
++ if (key->type->read) {
++ /* Read the data with the semaphore held (since we might sleep)
++ * to protect against the key being updated or revoked.
++ */
++ down_read(&key->sem);
++ ret = key_validate(key);
++ if (ret == 0)
+ ret = key->type->read(key, buffer, buflen);
+- up_read(&key->sem);
+- }
++ up_read(&key->sem);
+ }
+
+ error2:
+--
+2.5.0
+
diff --git a/freed-ora/current/f23/RDS-fix-race-condition-when-sending-a-message-on-unb.patch b/freed-ora/current/f23/RDS-fix-race-condition-when-sending-a-message-on-unb.patch
deleted file mode 100644
index 8a44c84d3..000000000
--- a/freed-ora/current/f23/RDS-fix-race-condition-when-sending-a-message-on-unb.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 09dca584f0b6b3bb4fc5f13a388274cd76b69f18 Mon Sep 17 00:00:00 2001
-From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
-Date: Fri, 16 Oct 2015 17:11:42 +0200
-Subject: [PATCH] RDS: fix race condition when sending a message on unbound
- socket.
-
-Sasha's found a NULL pointer dereference in the RDS connection code when
-sending a message to an apparently unbound socket. The problem is caused
-by the code checking if the socket is bound in rds_sendmsg(), which checks
-the rs_bound_addr field without taking a lock on the socket. This opens a
-race where rs_bound_addr is temporarily set but where the transport is not
-in rds_bind(), leading to a NULL pointer dereference when trying to
-dereference 'trans' in __rds_conn_create().
-
-Vegard wrote a reproducer for this issue, so kindly ask him to share if
-you're interested.
-
-I cannot reproduce the NULL pointer dereference using Vegard's reproducer
-with this patch, whereas I could without.
-
-Complete earlier incomplete fix to CVE-2015-6937:
-
- 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
-
-Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
-Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
-Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
-Cc: Vegard Nossum <vegard.nossum@oracle.com>
-Cc: Sasha Levin <sasha.levin@oracle.com>
-Cc: Chien Yen <chien.yen@oracle.com>
-Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
-Cc: David S. Miller <davem@davemloft.net>
-Cc: stable@vger.kernel.org
----
- net/rds/connection.c | 6 ------
- net/rds/send.c | 4 +++-
- 2 files changed, 3 insertions(+), 7 deletions(-)
-
-diff --git a/net/rds/connection.c b/net/rds/connection.c
-index 9d66705f9d41..da6da57e5f36 100644
---- a/net/rds/connection.c
-+++ b/net/rds/connection.c
-@@ -187,12 +187,6 @@ new_conn:
- }
- }
-
-- if (trans == NULL) {
-- kmem_cache_free(rds_conn_slab, conn);
-- conn = ERR_PTR(-ENODEV);
-- goto out;
-- }
--
- conn->c_trans = trans;
-
- ret = trans->conn_alloc(conn, gfp);
-diff --git a/net/rds/send.c b/net/rds/send.c
-index e9430f537f9c..7b30c0f3180d 100644
---- a/net/rds/send.c
-+++ b/net/rds/send.c
-@@ -986,11 +986,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
- release_sock(sk);
- }
-
-- /* racing with another thread binding seems ok here */
-+ lock_sock(sk);
- if (daddr == 0 || rs->rs_bound_addr == 0) {
-+ release_sock(sk);
- ret = -ENOTCONN; /* XXX not a great errno */
- goto out;
- }
-+ release_sock(sk);
-
- /* size of rm including all sgs */
- ret = rds_rm_size(msg, payload_len);
---
-2.4.3
-
diff --git a/freed-ora/current/f23/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch b/freed-ora/current/f23/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
new file mode 100644
index 000000000..16788f756
--- /dev/null
+++ b/freed-ora/current/f23/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
@@ -0,0 +1,40 @@
+From 14b627c610f93c2700f9a3825ac10c35d51acfe4 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Mon, 7 Dec 2015 13:50:38 -0500
+Subject: [PATCH] ideapad-laptop: Add Lenovo ideapad Y700-17ISK to no_hw_rfkill
+ dmi list
+
+One of the newest ideapad models also lacks a physical hw rfkill switch,
+and trying to read the hw rfkill switch through the ideapad module
+causes it to always reported blocking breaking wifi.
+
+Fix it by adding this model to the DMI list.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1286293
+Cc: stable@vger.kernel.org
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ drivers/platform/x86/ideapad-laptop.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c
+index a313dfc0245f..d28db0e793df 100644
+--- a/drivers/platform/x86/ideapad-laptop.c
++++ b/drivers/platform/x86/ideapad-laptop.c
+@@ -865,6 +865,13 @@ static const struct dmi_system_id no_hw_rfkill_list[] = {
+ },
+ },
+ {
++ .ident = "Lenovo ideapad Y700-17ISK",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-17ISK"),
++ },
++ },
++ {
+ .ident = "Lenovo Yoga 2 11 / 13 / Pro",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+--
+2.5.0
+
diff --git a/freed-ora/current/f23/kernel.spec b/freed-ora/current/f23/kernel.spec
index be3a4a4a9..6be46bd54 100644
--- a/freed-ora/current/f23/kernel.spec
+++ b/freed-ora/current/f23/kernel.spec
@@ -90,7 +90,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 7
+%define stable_update 8
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -656,9 +656,6 @@ Patch513: nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch
Patch517: vmwgfx-Rework-device-initialization.patch
Patch518: drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch
-#CVE-2015-7990 rhbz 1276437 1276438
-Patch524: RDS-fix-race-condition-when-sending-a-message-on-unb.patch
-
#rhbz 1272172
Patch540: 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
Patch541: 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
@@ -681,17 +678,11 @@ Patch556: netfilter-ipset-Fix-extension-alignment.patch
Patch557: netfilter-ipset-Fix-hash-type-expiration.patch
Patch558: netfilter-ipset-Fix-hash-type-expire-release-empty-h.patch
-#rhbz 1272571
-Patch559: 0001-ipv6-Avoid-creating-RTF_CACHE-from-a-rt-that-is-not-.patch
-
#rhbz 1278688
Patch560: 0001-KVM-x86-build-kvm_userspace_memory_region-in-x86_set.patch
Patch561: 0002-KVM-x86-map-unmap-private-slots-in-__x86_set_memory_.patch
Patch562: 0003-KVM-x86-fix-previous-commit-for-32-bit.patch
-#CVE-2015-8374 rhbz 1286261 1286262
-Patch565: Btrfs-fix-truncation-of-compressed-and-inlined-exten.patch
-
#rhbz 1284059
Patch566: KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
@@ -704,6 +695,18 @@ Patch568: Input-aiptek-fix-crash-on-detecting-device-without-e.patch
#rhbz 1287819
Patch570: HID-multitouch-enable-palm-rejection-if-device-imple.patch
+#rhbz 1286293
+Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
+
+#CVE-XXXX-XXXX rhbz 1291329 1291332
+Patch574: ovl-fix-permission-checking-for-setattr.patch
+
+#CVE-2015-7550 rhbz 1291197 1291198
+Patch575: KEYS-Fix-race-between-read-and-revoke.patch
+
+#CVE-2015-8543 rhbz 1290475 1290477
+Patch576: net-add-validation-for-the-socket-syscall-protocol-a.patch
+
# END OF PATCH DEFINITIONS
%endif
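Review bot: Patch574 is registered under the comment `#CVE-XXXX-XXXX rhbz 1291329 1291332`, which leaves a placeholder where the advisory identifier belongs; the same placeholder recurs in the %changelog hunk on the line `- CVE-XXXX-XXXX permission bypass on overlayfs (rhbz 1291329 1291332)`. As written it is indistinguishable from a forgotten edit, and unlike the neighbouring Patch575/Patch576 entries it gives no way to cross-reference the fix from the spec. If the identifier was simply not yet assigned when this was committed, a comment such as `#CVE pending, tracked in rhbz 1291329 1291332 - replace once assigned` states that explicitly and is easy to grep for when the number lands.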
@@ -2245,10 +2248,29 @@ fi
#
#
%changelog
-* Fri Dec 11 2015 Alexandre Oliva <lxoliva@fsfla.org> -libre
+* Fri Dec 18 2015 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.2.8-gnu.
+
+* Tue Dec 15 2015 Justin Forbes <jforbes@fedoraproject.org> - 4.2.8-300
+- Linux v4.2.8
+
+* Tue Dec 15 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-8543 ipv6: DoS via NULL pointer dereference (rhbz 1290475 1290477)
+
+* Mon Dec 14 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-7550 Race between read and revoke keys (rhbz 1291197 1291198)
+- CVE-XXXX-XXXX permission bypass on overlayfs (rhbz 1291329 1291332)
+
+* Fri Dec 11 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2013-7446 unix sockects use after free (rhbz 1282688 1282712)
+
+* Thu Dec 10 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- Fix rfkill issues on ideapad Y700-17ISK (rhbz 1286293)
+
+* Wed Dec 9 2015 Alexandre Oliva <lxoliva@fsfla.org> -libre Fri Dec 11
- GNU Linux-libre 4.2.7-gnu.
-* Wed Dec 09 2015 <jmforbes@fedoraproject.org> - 4.2.7-300
+* Wed Dec 09 2015 Justin Forbes <jforbes@fedoraproject.org> - 4.2.7-300
- Linux v4.2.7
* Thu Dec 03 2015 Josh Boyer <jwboyer@fedoraproject.org>
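Review bot: The rewritten changelog header `* Wed Dec 9 2015 Alexandre Oliva <lxoliva@fsfla.org> -libre Fri Dec 11` carries stray trailing text, apparently left over from editing the old `Fri Dec 11` entry in place; the trailing `Fri Dec 11` should be dropped, and `Dec 09` would match the zero-padded day format used by the surrounding entries. The new entry `- CVE-2013-7446 unix sockects use after free (rhbz 1282688 1282712)` also has a typo, `sockects` for `sockets`. Both are only changelog text, but rpm tooling and release notes are generated from these lines, so the garbled header is worth fixing before it propagates.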
diff --git a/freed-ora/current/f23/net-add-validation-for-the-socket-syscall-protocol-a.patch b/freed-ora/current/f23/net-add-validation-for-the-socket-syscall-protocol-a.patch
new file mode 100644
index 000000000..ce387ea42
--- /dev/null
+++ b/freed-ora/current/f23/net-add-validation-for-the-socket-syscall-protocol-a.patch
@@ -0,0 +1,139 @@
+From 4da7dc22c91ad2c3144cb1d0d96e9611bc86da47 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon, 14 Dec 2015 22:03:39 +0100
+Subject: [PATCH] net: add validation for the socket syscall protocol argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+郭永刚 reported that one could simply crash the kernel as root by
+using a simple program:
+
+ int socket_fd;
+ struct sockaddr_in addr;
+ addr.sin_port = 0;
+ addr.sin_addr.s_addr = INADDR_ANY;
+ addr.sin_family = 10;
+
+ socket_fd = socket(10,3,0x40000000);
+ connect(socket_fd , &addr,16);
+
+AF_INET, AF_INET6 sockets actually only support 8-bit protocol
+identifiers. inet_sock's skc_protocol field thus is sized accordingly,
+thus larger protocol identifiers simply cut off the higher bits and
+store a zero in the protocol fields.
+
+This could lead to e.g. NULL function pointer because as a result of
+the cut off inet_num is zero and we call down to inet_autobind, which
+is NULL for raw sockets.
+
+kernel: Call Trace:
+kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
+kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
+kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
+kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
+kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
+kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
+kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
+
+I found no particular commit which introduced this problem.
+
+CVE: CVE-2015-8543
+Cc: Cong Wang <cwang@twopensource.com>
+Reported-by: 郭永刚 <guoyonggang@360.cn>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/net/sock.h | 1 +
+ net/ax25/af_ax25.c | 3 +++
+ net/decnet/af_decnet.c | 3 +++
+ net/ipv4/af_inet.c | 3 +++
+ net/ipv6/af_inet6.c | 3 +++
+ net/irda/af_irda.c | 3 +++
+ 6 files changed, 16 insertions(+)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 52d27ee924f4..2fa1fc00e8cb 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -403,6 +403,7 @@ struct sock {
+ sk_no_check_rx : 1,
+ sk_userlocks : 4,
+ sk_protocol : 8,
++#define SK_PROTOCOL_MAX U8_MAX
+ sk_type : 16;
+ kmemcheck_bitfield_end(flags);
+ int sk_wmem_queued;
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index ae3a47f9d1d5..fbd0acf80b13 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
+ struct sock *sk;
+ ax25_cb *ax25;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index eebf5ac8ce18..13d6b1a6e0fc 100644
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
+ {
+ struct sock *sk;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 11c4ca13ec3b..5c5db6636704 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -257,6 +257,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
+ int try_loading_module = 0;
+ int err;
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ sock->state = SS_UNCONNECTED;
+
+ /* Look for the requested type/protocol pair. */
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 8ec0df75f1c4..9f5137cd604e 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
+ int try_loading_module = 0;
+ int err;
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ /* Look for the requested type/protocol pair. */
+ lookup_protocol:
+ err = -ESOCKTNOSUPPORT;
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index e6aa48b5395c..923abd6b3064 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
+ struct sock *sk;
+ struct irda_sock *self;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (net != &init_net)
+ return -EAFNOSUPPORT;
+
+--
+2.5.0
+
diff --git a/freed-ora/current/f23/ovl-fix-permission-checking-for-setattr.patch b/freed-ora/current/f23/ovl-fix-permission-checking-for-setattr.patch
new file mode 100644
index 000000000..167ecda99
--- /dev/null
+++ b/freed-ora/current/f23/ovl-fix-permission-checking-for-setattr.patch
@@ -0,0 +1,46 @@
+From acff81ec2c79492b180fade3c2894425cd35a545 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <miklos@szeredi.hu>
+Date: Fri, 4 Dec 2015 19:18:48 +0100
+Subject: [PATCH] ovl: fix permission checking for setattr
+
+[Al Viro] The bug is in being too enthusiastic about optimizing ->setattr()
+away - instead of "copy verbatim with metadata" + "chmod/chown/utimes"
+(with the former being always safe and the latter failing in case of
+insufficient permissions) it tries to combine these two. Note that copyup
+itself will have to do ->setattr() anyway; _that_ is where the elevated
+capabilities are right. Having these two ->setattr() (one to set verbatim
+copy of metadata, another to do what overlayfs ->setattr() had been asked
+to do in the first place) combined is where it breaks.
+
+Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+---
+ fs/overlayfs/inode.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
+index ec0c2a050043..961284936917 100644
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -49,13 +49,13 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr)
+ if (err)
+ goto out;
+
+- upperdentry = ovl_dentry_upper(dentry);
+- if (upperdentry) {
++ err = ovl_copy_up(dentry);
++ if (!err) {
++ upperdentry = ovl_dentry_upper(dentry);
++
+ mutex_lock(&upperdentry->d_inode->i_mutex);
+ err = notify_change(upperdentry, attr, NULL);
+ mutex_unlock(&upperdentry->d_inode->i_mutex);
+- } else {
+- err = ovl_copy_up_last(dentry, attr, false);
+ }
+ ovl_drop_write(dentry);
+ out:
+--
+2.5.0
+
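Review bot: The reordered ovl_setattr body now copies up first and only then calls notify_change() on the upper dentry, but nothing in the hunk records why the two steps must stay separate, so a later "optimization" that folds the requested attrs back into the copy-up would silently reintroduce the original permission bypass; a comment above `err = ovl_copy_up(dentry);` such as `/* Copy up first (metadata copied verbatim under elevated caps), then apply the caller's requested attrs through notify_change() so its permission checks run with the caller's own credentials. */` would pin that down. The `upperdentry = ovl_dentry_upper(dentry);` assignment is used without a NULL check; this appears to rely on ovl_copy_up() guaranteeing an upper dentry on success, which the hunk itself cannot show, so that contract is worth stating where it is relied upon. ovl_setattr begins and ends outside this hunk.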
diff --git a/freed-ora/current/f23/patch-4.2-gnu-4.2.7-gnu.xz.sign b/freed-ora/current/f23/patch-4.2-gnu-4.2.7-gnu.xz.sign
deleted file mode 100644
index 980201c93..000000000
--- a/freed-ora/current/f23/patch-4.2-gnu-4.2.7-gnu.xz.sign
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iEYEABECAAYFAlZo4qYACgkQvLfPh359R6dVsgCdGpyhy2S/eqm2pRRE3OX9UYTg
-9uMAn3yhpP2eBxZyGc9PeXV5YJIVY+tl
-=WDTn
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f23/patch-4.2-gnu-4.2.8-gnu.xz.sign b/freed-ora/current/f23/patch-4.2-gnu-4.2.8-gnu.xz.sign
new file mode 100644
index 000000000..02cdc521c
--- /dev/null
+++ b/freed-ora/current/f23/patch-4.2-gnu-4.2.8-gnu.xz.sign
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iEYEABECAAYFAlZxDsMACgkQvLfPh359R6dVvwCgjh0YvLly2b/IWqU92mdOAhHy
+JtYAoI4hAQ5nltobHygwjxBGf0r7f3zM
+=KEX0
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f23/sources b/freed-ora/current/f23/sources
index 3cafe5248..65159fb74 100644
--- a/freed-ora/current/f23/sources
+++ b/freed-ora/current/f23/sources
@@ -1,3 +1,3 @@
a3202589b12b27d936631cbe80cbb1cc linux-libre-4.2-gnu.tar.xz
4c964bfba54d65b5b54cc898baddecad perf-man-4.2.tar.gz
-d6b3e30f609337301e43b677ae2ba433 patch-4.2-gnu-4.2.7-gnu.xz
+4ad6a6f3a6b2b9cc67fd163e3a69cacd patch-4.2-gnu-4.2.8-gnu.xz