Hello community, here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2016-07-18 21:17:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kernel-source (Old) and /work/SRC/openSUSE:Factory/.kernel-source.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source" Changes: -------- --- /work/SRC/openSUSE:Factory/kernel-source/kernel-debug.changes 2016-07-07 15:09:31.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.kernel-source.new/kernel-debug.changes 2016-07-18 21:17:38.000000000 +0200 @@ -1,0 +2,48 @@ +Mon Jul 11 19:59:12 CEST 2016 - jsl...@suse.cz + +- Linux 4.6.4 (bnc#982729). +- Delete + patches.drivers/0001-Subject-PATCH-USB-xhci-Add-broken-streams-quirk-for-.patch. +- commit 103c936 + +------------------------------------------------------------------- +Mon Jul 11 11:31:39 CEST 2016 - ti...@suse.de + +- apparmor: fix oops, validate buffer size in + apparmor_setprocattr() (CVE-2016-6187,bsc#988307). +- commit fbe379c + +------------------------------------------------------------------- +Thu Jul 7 02:10:04 CEST 2016 - ne...@suse.com + +- Update patches.fixes/0001-posix_acl-Add-set_posix_acl.patch + (bsc#986570 CVE-2016-1237). +- Update + patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch + (bsc#986570 CVE-2016-1237). +- commit 789949d + +------------------------------------------------------------------- +Wed Jul 6 08:13:54 CEST 2016 - ne...@suse.com + +- Update patches.fixes/0001-posix_acl-Add-set_posix_acl.patch + (bsc#986570 CVE#2016-1237). +- Update + patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch + (bsc#986570 CVE#2016-1237). +- commit 10c8c01 + +------------------------------------------------------------------- +Wed Jul 6 06:32:20 CEST 2016 - ne...@suse.com + +- nfsd: check permissions when setting ACLs (bsc#986570). +- posix_acl: Add set_posix_acl (bsc#986570). +- commit 2763888 + +------------------------------------------------------------------- +Mon Jun 27 11:01:27 CEST 2016 - mkube...@suse.cz + +- Update patches.kernel.org/patch-4.6.2-3 (add CVE-2016-4997 bsc#986362). +- commit fbd108c + +------------------------------------------------------------------- kernel-default.changes: same change kernel-docs.changes: same change kernel-lpae.changes: same change kernel-obs-build.changes: same change kernel-obs-qa.changes: same change kernel-pae.changes: same change kernel-source.changes: same change kernel-syms.changes: same change kernel-vanilla.changes: same change ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kernel-debug.spec ++++++ --- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200 +++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200 @@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.6 -%define patchversion 4.6.3 +%define patchversion 4.6.4 %define variant %{nil} %define vanilla_only 0 @@ -61,9 +61,9 @@ Summary: A Debug Version of the Kernel License: GPL-2.0 Group: System/Kernel -Version: 4.6.3 +Version: 4.6.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd4bcf2a +Release: <RELEASE>.g103c936 %else Release: 0 %endif kernel-default.spec: same change ++++++ kernel-docs.spec ++++++ --- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200 +++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200 @@ -16,7 +16,7 @@ # -%define patchversion 4.6.3 +%define patchversion 4.6.4 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -27,9 +27,9 @@ Summary: Kernel Documentation (man pages) License: GPL-2.0 Group: Documentation/Man -Version: 4.6.3 +Version: 4.6.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd4bcf2a +Release: <RELEASE>.g103c936 %else Release: 0 %endif ++++++ kernel-lpae.spec ++++++ --- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200 +++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200 @@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.6 -%define patchversion 4.6.3 +%define patchversion 4.6.4 %define variant %{nil} %define vanilla_only 0 @@ -61,9 +61,9 @@ Summary: Kernel for LPAE enabled systems License: GPL-2.0 Group: System/Kernel -Version: 4.6.3 +Version: 4.6.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd4bcf2a +Release: <RELEASE>.g103c936 %else Release: 0 %endif ++++++ kernel-obs-build.spec ++++++ --- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200 +++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200 @@ -19,7 +19,7 @@ #!BuildIgnore: post-build-checks -%define patchversion 4.6.3 +%define patchversion 4.6.4 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -51,9 +51,9 @@ Summary: package kernel and initrd for OBS VM builds License: GPL-2.0 Group: SLES -Version: 4.6.3 +Version: 4.6.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd4bcf2a +Release: <RELEASE>.g103c936 %else Release: 0 %endif ++++++ kernel-obs-qa.spec ++++++ --- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200 +++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200 @@ -17,7 +17,7 @@ # needsrootforbuild -%define patchversion 4.6.3 +%define patchversion 4.6.4 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -36,9 +36,9 @@ Summary: Basic QA tests for the kernel License: GPL-2.0 Group: SLES -Version: 4.6.3 +Version: 4.6.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd4bcf2a +Release: <RELEASE>.g103c936 %else Release: 0 %endif ++++++ kernel-pae.spec ++++++ --- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200 +++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200 @@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.6 -%define patchversion 4.6.3 +%define patchversion 4.6.4 %define variant %{nil} %define vanilla_only 0 @@ -61,9 +61,9 @@ Summary: Kernel with PAE Support License: GPL-2.0 Group: System/Kernel -Version: 4.6.3 +Version: 4.6.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd4bcf2a +Release: <RELEASE>.g103c936 %else Release: 0 %endif ++++++ kernel-source.spec ++++++ --- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200 +++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.6 -%define patchversion 4.6.3 +%define patchversion 4.6.4 %define variant %{nil} %define vanilla_only 0 @@ -30,9 +30,9 @@ Summary: The Linux Kernel Sources License: GPL-2.0 Group: Development/Sources -Version: 4.6.3 +Version: 4.6.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd4bcf2a +Release: <RELEASE>.g103c936 %else Release: 0 %endif ++++++ kernel-syms.spec ++++++ --- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200 +++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200 @@ -24,10 +24,10 @@ Summary: Kernel Symbol Versions (modversions) License: GPL-2.0 Group: Development/Sources -Version: 4.6.3 +Version: 4.6.4 %if %using_buildservice %if 0%{?is_kotd} -Release: <RELEASE>.gd4bcf2a +Release: <RELEASE>.g103c936 %else Release: 0 %endif ++++++ kernel-vanilla.spec ++++++ --- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:52.000000000 +0200 +++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:52.000000000 +0200 @@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.6 -%define patchversion 4.6.3 +%define patchversion 4.6.4 %define variant %{nil} %define vanilla_only 0 @@ -61,9 +61,9 @@ Summary: The Standard Kernel - without any SUSE patches License: GPL-2.0 Group: System/Kernel -Version: 4.6.3 +Version: 4.6.4 %if 0%{?is_kotd} -Release: <RELEASE>.gd4bcf2a +Release: <RELEASE>.g103c936 %else Release: 0 %endif ++++++ patches.drivers.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/0001-Subject-PATCH-USB-xhci-Add-broken-streams-quirk-for-.patch new/patches.drivers/0001-Subject-PATCH-USB-xhci-Add-broken-streams-quirk-for-.patch --- old/patches.drivers/0001-Subject-PATCH-USB-xhci-Add-broken-streams-quirk-for-.patch 2016-06-04 09:38:20.000000000 +0200 +++ new/patches.drivers/0001-Subject-PATCH-USB-xhci-Add-broken-streams-quirk-for-.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,50 +0,0 @@ -From aaf928767d4b3d73aeaa88c704a8d7f66d30730b Mon Sep 17 00:00:00 2001 -Subject: [PATCH] USB: xhci: Add broken streams quirk for - Frescologic device id 1009 -From: Hans de Goede <hdego...@redhat.com> -Date: 2016-06-01 19:01:29 -Patch-Mainline: Queued -Git-commit: d95815ba6a0f287213118c136e64d8c56daeaeab -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git -References: bnc#982729 - -I got one of these cards for testing uas with, it seems that with streams -it dma-s all over the place, corrupting memory. On my first tests it -managed to dma over the BIOS of the motherboard somehow and completely -bricked it. - -Tests on another motherboard show that it does work with streams disabled. - -Cc: sta...@vger.kernel.org -Signed-off-by: Hans de Goede <hdego...@redhat.com> -Signed-Off-By: Oliver Neukum <oneu...@suse.com> ---- - drivers/usb/host/xhci-pci.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c -index 47f6f9b..e020bc3 100644 ---- a/drivers/usb/host/xhci-pci.c -+++ b/drivers/usb/host/xhci-pci.c -@@ -30,6 +30,7 @@ - /* Device for a quirk */ - #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73 - #define PCI_DEVICE_ID_FRESCO_LOGIC_PDK 0x1000 -+#define PCI_DEVICE_ID_FRESCO_LOGIC_FL1009 0x1009 - #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1400 0x1400 - - #define PCI_VENDOR_ID_ETRON 0x1b6f -@@ -97,6 +98,10 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) - xhci->quirks |= XHCI_TRUST_TX_LENGTH; - } - -+ if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC && -+ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1009) -+ xhci->quirks |= XHCI_BROKEN_STREAMS; -+ - if (pdev->vendor == PCI_VENDOR_ID_NEC) - xhci->quirks |= XHCI_NEC_HOST; - --- -2.1.4 - ++++++ patches.fixes.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/0001-posix_acl-Add-set_posix_acl.patch new/patches.fixes/0001-posix_acl-Add-set_posix_acl.patch --- old/patches.fixes/0001-posix_acl-Add-set_posix_acl.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/0001-posix_acl-Add-set_posix_acl.patch 2016-07-11 11:31:39.000000000 +0200 @@ -0,0 +1,89 @@ +From: Andreas Gruenbacher <agrue...@redhat.com> +Date: Wed, 22 Jun 2016 23:57:25 +0200 +Subject: [PATCH] posix_acl: Add set_posix_acl +Git-commit: 485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f +Patch-mainline: v4.7 +References: bsc#986570 CVE-2016-1237 + +Factor out part of posix_acl_xattr_set into a common function that takes +a posix_acl, which nfsd can also call. + +The prototype already exists in include/linux/posix_acl.h. + +Signed-off-by: Andreas Gruenbacher <agrue...@redhat.com> +Cc: sta...@vger.kernel.org +Cc: Christoph Hellwig <h...@infradead.org> +Cc: Al Viro <v...@zeniv.linux.org.uk> +Signed-off-by: J. Bruce Fields <bfie...@redhat.com> +Acked-by: NeilBrown <ne...@suse.com> + +--- + fs/posix_acl.c | 43 ++++++++++++++++++++++++------------------- + 1 file changed, 24 insertions(+), 19 deletions(-) + +--- a/fs/posix_acl.c ++++ b/fs/posix_acl.c +@@ -786,39 +786,44 @@ posix_acl_xattr_get(const struct xattr_h + return error; + } + +-static int +-posix_acl_xattr_set(const struct xattr_handler *handler, +- struct dentry *dentry, const char *name, +- const void *value, size_t size, int flags) ++int ++set_posix_acl(struct inode *inode, int type, struct posix_acl *acl) + { +- struct inode *inode = d_backing_inode(dentry); +- struct posix_acl *acl = NULL; +- int ret; +- + if (!IS_POSIXACL(inode)) + return -EOPNOTSUPP; + if (!inode->i_op->set_acl) + return -EOPNOTSUPP; + +- if (handler->flags == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode)) +- return value ? -EACCES : 0; ++ if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode)) ++ return acl ? -EACCES : 0; + if (!inode_owner_or_capable(inode)) + return -EPERM; + ++ if (acl) { ++ int ret = posix_acl_valid(acl); ++ if (ret) ++ return ret; ++ } ++ return inode->i_op->set_acl(inode, acl, type); ++} ++EXPORT_SYMBOL(set_posix_acl); ++ ++static int ++posix_acl_xattr_set(const struct xattr_handler *handler, ++ struct dentry *dentry, ++ const char *name, const void *value, ++ size_t size, int flags) ++{ ++ struct inode *inode = d_backing_inode(dentry); ++ struct posix_acl *acl = NULL; ++ int ret; ++ + if (value) { + acl = posix_acl_from_xattr(&init_user_ns, value, size); + if (IS_ERR(acl)) + return PTR_ERR(acl); +- +- if (acl) { +- ret = posix_acl_valid(acl); +- if (ret) +- goto out; +- } + } +- +- ret = inode->i_op->set_acl(inode, acl, handler->flags); +-out: ++ ret = set_posix_acl(inode, handler->flags, acl); + posix_acl_release(acl); + return ret; + } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch new/patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch --- old/patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch 2016-07-11 11:31:39.000000000 +0200 @@ -0,0 +1,149 @@ +From: Ben Hutchings <b...@decadent.org.uk> +Date: Wed, 22 Jun 2016 19:43:35 +0100 +Subject: [PATCH] nfsd: check permissions when setting ACLs +Git-commit: 999653786df6954a31044528ac3f7a5dadca08f4 +Patch-mainline: v4.7 +References: bsc#986570 CVE-2016-1237 + +Use set_posix_acl, which includes proper permission checks, instead of +calling ->set_acl directly. Without this anyone may be able to grant +themselves permissions to a file by setting the ACL. + +Lock the inode to make the new checks atomic with respect to set_acl. +(Also, nfsd was the only caller of set_acl not locking the inode, so I +suspect this may fix other races.) + +This also simplifies the code, and ensures our ACLs are checked by +posix_acl_valid. + +The permission checks and the inode locking were lost with commit +4ac7249e, which changed nfsd to use the set_acl inode operation directly +instead of going through xattr handlers. + +Reported-by: David Sinquin <da...@sinquin.eu> +[agreu...@redhat.com: use set_posix_acl] +Fixes: 4ac7249e +Cc: Christoph Hellwig <h...@infradead.org> +Cc: Al Viro <v...@zeniv.linux.org.uk> +Cc: sta...@vger.kernel.org +Signed-off-by: J. Bruce Fields <bfie...@redhat.com> +Acked-by: NeilBrown <ne...@suse.com> + +--- + fs/nfsd/nfs2acl.c | 20 ++++++++++---------- + fs/nfsd/nfs3acl.c | 16 +++++++--------- + fs/nfsd/nfs4acl.c | 16 ++++++++-------- + 3 files changed, 25 insertions(+), 27 deletions(-) + +--- a/fs/nfsd/nfs2acl.c ++++ b/fs/nfsd/nfs2acl.c +@@ -104,22 +104,21 @@ static __be32 nfsacld_proc_setacl(struct + goto out; + + inode = d_inode(fh->fh_dentry); +- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) { +- error = -EOPNOTSUPP; +- goto out_errno; +- } + + error = fh_want_write(fh); + if (error) + goto out_errno; + +- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS); ++ fh_lock(fh); ++ ++ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access); + if (error) +- goto out_drop_write; +- error = inode->i_op->set_acl(inode, argp->acl_default, +- ACL_TYPE_DEFAULT); ++ goto out_drop_lock; ++ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default); + if (error) +- goto out_drop_write; ++ goto out_drop_lock; ++ ++ fh_unlock(fh); + + fh_drop_write(fh); + +@@ -131,7 +130,8 @@ out: + posix_acl_release(argp->acl_access); + posix_acl_release(argp->acl_default); + return nfserr; +-out_drop_write: ++out_drop_lock: ++ fh_unlock(fh); + fh_drop_write(fh); + out_errno: + nfserr = nfserrno(error); +--- a/fs/nfsd/nfs3acl.c ++++ b/fs/nfsd/nfs3acl.c +@@ -95,22 +95,20 @@ static __be32 nfsd3_proc_setacl(struct s + goto out; + + inode = d_inode(fh->fh_dentry); +- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) { +- error = -EOPNOTSUPP; +- goto out_errno; +- } + + error = fh_want_write(fh); + if (error) + goto out_errno; + +- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS); ++ fh_lock(fh); ++ ++ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access); + if (error) +- goto out_drop_write; +- error = inode->i_op->set_acl(inode, argp->acl_default, +- ACL_TYPE_DEFAULT); ++ goto out_drop_lock; ++ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default); + +-out_drop_write: ++out_drop_lock: ++ fh_unlock(fh); + fh_drop_write(fh); + out_errno: + nfserr = nfserrno(error); +--- a/fs/nfsd/nfs4acl.c ++++ b/fs/nfsd/nfs4acl.c +@@ -770,9 +770,6 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst + dentry = fhp->fh_dentry; + inode = d_inode(dentry); + +- if (!inode->i_op->set_acl || !IS_POSIXACL(inode)) +- return nfserr_attrnotsupp; +- + if (S_ISDIR(inode->i_mode)) + flags = NFS4_ACL_DIR; + +@@ -782,16 +779,19 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst + if (host_error < 0) + goto out_nfserr; + +- host_error = inode->i_op->set_acl(inode, pacl, ACL_TYPE_ACCESS); ++ fh_lock(fhp); ++ ++ host_error = set_posix_acl(inode, ACL_TYPE_ACCESS, pacl); + if (host_error < 0) +- goto out_release; ++ goto out_drop_lock; + + if (S_ISDIR(inode->i_mode)) { +- host_error = inode->i_op->set_acl(inode, dpacl, +- ACL_TYPE_DEFAULT); ++ host_error = set_posix_acl(inode, ACL_TYPE_DEFAULT, dpacl); + } + +-out_release: ++out_drop_lock: ++ fh_unlock(fhp); ++ + posix_acl_release(pacl); + posix_acl_release(dpacl); + out_nfserr: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/apparmor-fix-oops-validate-buffer-size-in-apparmor_s new/patches.fixes/apparmor-fix-oops-validate-buffer-size-in-apparmor_s --- old/patches.fixes/apparmor-fix-oops-validate-buffer-size-in-apparmor_s 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/apparmor-fix-oops-validate-buffer-size-in-apparmor_s 2016-07-11 11:31:39.000000000 +0200 @@ -0,0 +1,117 @@ +From 30a46a4647fd1df9cf52e43bf467f0d9265096ca Mon Sep 17 00:00:00 2001 +From: Vegard Nossum <vegard.nos...@oracle.com> +Date: Thu, 7 Jul 2016 13:41:11 -0700 +Subject: [PATCH] apparmor: fix oops, validate buffer size in apparmor_setprocattr() +Git-commit: 30a46a4647fd1df9cf52e43bf467f0d9265096ca +Patch-mainline: 4.7-rc7 +References: CVE-2016-6187,bsc#988307 + +When proc_pid_attr_write() was changed to use memdup_user apparmor's +(interface violating) assumption that the setprocattr buffer was always +a single page was violated. + +The size test is not strictly speaking needed as proc_pid_attr_write() +will reject anything larger, but for the sake of robustness we can keep +it in. + +SMACK and SELinux look safe to me, but somebody else should probably +have a look just in case. + +Based on original patch from Vegard Nossum <vegard.nos...@oracle.com> +modified for the case that apparmor provides null termination. + +Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a +Reported-by: Vegard Nossum <vegard.nos...@oracle.com> +Cc: Al Viro <v...@zeniv.linux.org.uk> +Cc: John Johansen <john.johan...@canonical.com> +Cc: Paul Moore <p...@paul-moore.com> +Cc: Stephen Smalley <s...@tycho.nsa.gov> +Cc: Eric Paris <epa...@parisplace.org> +Cc: Casey Schaufler <ca...@schaufler-ca.com> +Cc: sta...@kernel.org +Signed-off-by: John Johansen <john.johan...@canonical.com> +Reviewed-by: Tyler Hicks <tyhi...@canonical.com> +Signed-off-by: James Morris <james.l.mor...@oracle.com> +Acked-by: Takashi Iwai <ti...@suse.de> + +--- + security/apparmor/lsm.c | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c +@@ -524,34 +524,34 @@ static int apparmor_setprocattr(struct t + { + struct common_audit_data sa; + struct apparmor_audit_data aad = {0,}; +- char *command, *args = value; ++ char *command, *largs = NULL, *args = value; + size_t arg_size; + int error; + + if (size == 0) + return -EINVAL; +- /* args points to a PAGE_SIZE buffer, AppArmor requires that +- * the buffer must be null terminated or have size <= PAGE_SIZE -1 +- * so that AppArmor can null terminate them +- */ +- if (args[size - 1] != '\0') { +- if (size == PAGE_SIZE) +- return -EINVAL; +- args[size] = '\0'; +- } +- + /* task can only write its own attributes */ + if (current != task) + return -EACCES; + +- args = value; ++ /* AppArmor requires that the buffer must be null terminated atm */ ++ if (args[size - 1] != '\0') { ++ /* null terminate */ ++ largs = args = kmalloc(size + 1, GFP_KERNEL); ++ if (!args) ++ return -ENOMEM; ++ memcpy(args, value, size); ++ args[size] = '\0'; ++ } ++ ++ error = -EINVAL; + args = strim(args); + command = strsep(&args, " "); + if (!args) +- return -EINVAL; ++ goto out; + args = skip_spaces(args); + if (!*args) +- return -EINVAL; ++ goto out; + + arg_size = size - (args - (char *) value); + if (strcmp(name, "current") == 0) { +@@ -577,10 +577,12 @@ static int apparmor_setprocattr(struct t + goto fail; + } else + /* only support the "current" and "exec" process attributes */ +- return -EINVAL; ++ goto fail; + + if (!error) + error = size; ++out: ++ kfree(largs); + return error; + + fail: +@@ -589,9 +591,9 @@ fail: + aad.profile = aa_current_profile(); + aad.op = OP_SETPROCATTR; + aad.info = name; +- aad.error = -EINVAL; ++ aad.error = error = -EINVAL; + aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL); +- return -EINVAL; ++ goto out; + } + + static int apparmor_task_setrlimit(struct task_struct *task, ++++++ patches.kernel.org.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/patch-4.6.2-3 new/patches.kernel.org/patch-4.6.2-3 --- old/patches.kernel.org/patch-4.6.2-3 2016-06-26 09:34:33.000000000 +0200 +++ new/patches.kernel.org/patch-4.6.2-3 2016-07-11 19:59:12.000000000 +0200 @@ -1,7 +1,7 @@ From: Jiri Slaby <jsl...@suse.cz> Subject: Linux 4.6.3 Patch-mainline: 4.6.3 -References: CVE-2016-4951 bsc#981058 bsc#983458 +References: CVE-2016-4951 CVE-2016-4997 bsc#981058 bsc#983458 bsc#986362 Git-commit: 79bb71bd1d93197ce227fa167b450b633f30a52b Git-commit: d7591f0c41ce3e67600a982bab6989ef0f07b3ce Git-commit: 09d9686047dbbe1cf4faa558d3ecc4aae2046054 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/patch-4.6.3-4 new/patches.kernel.org/patch-4.6.3-4 --- old/patches.kernel.org/patch-4.6.3-4 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/patch-4.6.3-4 2016-07-11 19:59:12.000000000 +0200 @@ -0,0 +1,1046 @@ +From: Jiri Slaby <jsl...@suse.cz> +Subject: Linux 4.6.4 +Patch-mainline: 4.6.4 +References: bnc#982729 +Git-commit: 4879efb34f7d49235fac334d76d9c6a77a021413 +Git-commit: f8a15a9650694feaa0dabf197b0c94d37cd3fb42 +Git-commit: d246dcb2331c5783743720e6510892eb1d2801d9 +Git-commit: dcb21ad4385731b7fc3ef39d255685f2f63c8c5d +Git-commit: 3425aa03f484d45dc21e0e791c2f6c74ea656421 +Git-commit: d95815ba6a0f287213118c136e64d8c56daeaeab +Git-commit: de95c40d5beaa47f6dc8fe9ac4159b4672b51523 +Git-commit: 27a41a83ec54d0edfcaf079310244e7f013a7701 +Git-commit: 04471eb8c3158c0ad9df4b24da845a63b2e8f23a +Git-commit: f3eec0cf784e0d6c47822ca6b66df3d5812af7e6 +Git-commit: 7b2c17f829545df27a910e8d82e133c21c9a8c9c +Git-commit: 84ac5d1140f716a616522f952734e850448d2556 +Git-commit: 32cb0b37098f4beeff5ad9e325f11b42a6ede56c +Git-commit: 81099f97bd31e25ff2719a435b1860fc3876122f +Git-commit: 593224ea77b1ca842f45cf76f4deeef44dfbacd1 +Git-commit: 055ddaace03580455a7b7dbea8e93d62acee61fc +Git-commit: 19ced623db2fe91604d69f7d86b03144c5107739 +Git-commit: 12d3f49e1ffbbf8cbbb60acae5a21103c5c841ac +Git-commit: 4a7d99ea1b27734558feb6833f180cd38a159940 +Git-commit: b560f03ddfb072bca65e9440ff0dc4f9b1d1f056 +Git-commit: ceb56070359b7329b5678b5d95a376fcb24767be +Git-commit: 9a0fee2b552b1235fb1706ae1fc664ae74573be8 +Git-commit: 0888d5f3c0f183ea6177355752ada433d370ac89 +Git-commit: 70a0dec45174c976c64b4c8c1d0898581f759948 +Git-commit: 21de12ee5568fd1aec47890c72967abf791ac80a +Git-commit: 962fcef33b03395051367181a0549d29d109d9a4 +Git-commit: d19af0a76444fde629667ecb823c0ee28f9f67d8 +Git-commit: d5d8760b78d0cfafe292f965f599988138b06a70 +Git-commit: daddef76c3deaaa7922f9d7b18edbf0a061215c3 +Git-commit: d15eccea69b96a5116169688dcc9baf6d1ce2751 +Git-commit: 6c0d54f1897d229748d4f41ef919078db6db2123 + +Signed-off-by: Jiri Slaby <jsl...@suse.cz> +--- +diff --git a/Makefile b/Makefile +index c62b531d5a85..cd374426114a 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 6 +-SUBLEVEL = 3 ++SUBLEVEL = 4 + EXTRAVERSION = + NAME = Charred Weasel + +diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c +index 43fe85f20d57..7097a3395b25 100644 +--- a/crypto/crypto_user.c ++++ b/crypto/crypto_user.c +@@ -455,6 +455,7 @@ static const int crypto_msg_min[CRYPTO_NR_MSGTYPES] = { + [CRYPTO_MSG_NEWALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg), + [CRYPTO_MSG_DELALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg), + [CRYPTO_MSG_UPDATEALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg), ++ [CRYPTO_MSG_GETALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg), + [CRYPTO_MSG_DELRNG - CRYPTO_MSG_BASE] = 0, + }; + +diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c +index 574e87c7f2b8..9acccad26928 100644 +--- a/drivers/crypto/ux500/hash/hash_core.c ++++ b/drivers/crypto/ux500/hash/hash_core.c +@@ -781,7 +781,7 @@ static int hash_process_data(struct hash_device_data *device_data, + &device_data->state); + memmove(req_ctx->state.buffer, + device_data->state.buffer, +- HASH_BLOCK_SIZE / sizeof(u32)); ++ HASH_BLOCK_SIZE); + if (ret) { + dev_err(device_data->dev, + "%s: hash_resume_state() failed!\n", +@@ -832,7 +832,7 @@ static int hash_process_data(struct hash_device_data *device_data, + + memmove(device_data->state.buffer, + req_ctx->state.buffer, +- HASH_BLOCK_SIZE / sizeof(u32)); ++ HASH_BLOCK_SIZE); + if (ret) { + dev_err(device_data->dev, "%s: hash_save_state() failed!\n", + __func__); +diff --git a/drivers/crypto/vmx/aes_cbc.c b/drivers/crypto/vmx/aes_cbc.c +index 495577b6d31b..94ad5c0adbcb 100644 +--- a/drivers/crypto/vmx/aes_cbc.c ++++ b/drivers/crypto/vmx/aes_cbc.c +@@ -182,7 +182,7 @@ struct crypto_alg p8_aes_cbc_alg = { + .cra_name = "cbc(aes)", + .cra_driver_name = "p8_aes_cbc", + .cra_module = THIS_MODULE, +- .cra_priority = 1000, ++ .cra_priority = 2000, + .cra_type = &crypto_blkcipher_type, + .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER | CRYPTO_ALG_NEED_FALLBACK, + .cra_alignmask = 0, +diff --git a/drivers/crypto/vmx/aes_ctr.c b/drivers/crypto/vmx/aes_ctr.c +index 0a3c1b04cf3c..38ed10d761d0 100644 +--- a/drivers/crypto/vmx/aes_ctr.c ++++ b/drivers/crypto/vmx/aes_ctr.c +@@ -166,7 +166,7 @@ struct crypto_alg p8_aes_ctr_alg = { + .cra_name = "ctr(aes)", + .cra_driver_name = "p8_aes_ctr", + .cra_module = THIS_MODULE, +- .cra_priority = 1000, ++ .cra_priority = 2000, + .cra_type = &crypto_blkcipher_type, + .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER | CRYPTO_ALG_NEED_FALLBACK, + .cra_alignmask = 0, +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 6dc810bce295..944a6dca0fcb 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -44,6 +44,9 @@ static const struct usb_device_id usb_quirk_list[] = { + /* Creative SB Audigy 2 NX */ + { USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* USB3503 */ ++ { USB_DEVICE(0x0424, 0x3503), .driver_info = USB_QUIRK_RESET_RESUME }, ++ + /* Microsoft Wireless Laser Mouse 6000 Receiver */ + { USB_DEVICE(0x045e, 0x00e1), .driver_info = USB_QUIRK_RESET_RESUME }, + +@@ -173,6 +176,10 @@ static const struct usb_device_id usb_quirk_list[] = { + /* MAYA44USB sound device */ + { USB_DEVICE(0x0a92, 0x0091), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* ASUS Base Station(T100) */ ++ { USB_DEVICE(0x0b05, 0x17e0), .driver_info = ++ USB_QUIRK_IGNORE_REMOTE_WAKEUP }, ++ + /* Action Semiconductor flash disk */ + { USB_DEVICE(0x10d6, 0x2200), .driver_info = + USB_QUIRK_STRING_FETCH_255 }, +@@ -188,26 +195,22 @@ static const struct usb_device_id usb_quirk_list[] = { + { USB_DEVICE(0x1908, 0x1315), .driver_info = + USB_QUIRK_HONOR_BNUMINTERFACES }, + +- /* INTEL VALUE SSD */ +- { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME }, +- +- /* USB3503 */ +- { USB_DEVICE(0x0424, 0x3503), .driver_info = USB_QUIRK_RESET_RESUME }, +- +- /* ASUS Base Station(T100) */ +- { USB_DEVICE(0x0b05, 0x17e0), .driver_info = +- USB_QUIRK_IGNORE_REMOTE_WAKEUP }, +- + /* Protocol and OTG Electrical Test Device */ + { USB_DEVICE(0x1a0a, 0x0200), .driver_info = + USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL }, + ++ /* Acer C120 LED Projector */ ++ { USB_DEVICE(0x1de1, 0xc102), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* Blackmagic Design Intensity Shuttle */ + { USB_DEVICE(0x1edb, 0xbd3b), .driver_info = USB_QUIRK_NO_LPM }, + + /* Blackmagic Design UltraStudio SDI */ + { USB_DEVICE(0x1edb, 0xbd4f), .driver_info = USB_QUIRK_NO_LPM }, + ++ /* INTEL VALUE SSD */ ++ { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME }, ++ + { } /* terminating entry must be last */ + }; + +diff --git a/drivers/usb/dwc3/dwc3-exynos.c b/drivers/usb/dwc3/dwc3-exynos.c +index dd5cb5577dca..2f1fb7e7aa54 100644 +--- a/drivers/usb/dwc3/dwc3-exynos.c ++++ b/drivers/usb/dwc3/dwc3-exynos.c +@@ -128,12 +128,6 @@ static int dwc3_exynos_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, exynos); + +- ret = dwc3_exynos_register_phys(exynos); +- if (ret) { +- dev_err(dev, "couldn't register PHYs\n"); +- return ret; +- } +- + exynos->dev = dev; + + exynos->clk = devm_clk_get(dev, "usbdrd30"); +@@ -183,20 +177,29 @@ static int dwc3_exynos_probe(struct platform_device *pdev) + goto err3; + } + ++ ret = dwc3_exynos_register_phys(exynos); ++ if (ret) { ++ dev_err(dev, "couldn't register PHYs\n"); ++ goto err4; ++ } ++ + if (node) { + ret = of_platform_populate(node, NULL, NULL, dev); + if (ret) { + dev_err(dev, "failed to add dwc3 core\n"); +- goto err4; ++ goto err5; + } + } else { + dev_err(dev, "no device node, failed to add dwc3 core\n"); + ret = -ENODEV; +- goto err4; ++ goto err5; + } + + return 0; + ++err5: ++ platform_device_unregister(exynos->usb2_phy); ++ platform_device_unregister(exynos->usb3_phy); + err4: + regulator_disable(exynos->vdd10); + err3: +diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c +index e64479f882a5..aa3707bdebb4 100644 +--- a/drivers/usb/gadget/legacy/inode.c ++++ b/drivers/usb/gadget/legacy/inode.c +@@ -938,8 +938,11 @@ ep0_read (struct file *fd, char __user *buf, size_t len, loff_t *ptr) + struct usb_ep *ep = dev->gadget->ep0; + struct usb_request *req = dev->req; + +- if ((retval = setup_req (ep, req, 0)) == 0) +- retval = usb_ep_queue (ep, req, GFP_ATOMIC); ++ if ((retval = setup_req (ep, req, 0)) == 0) { ++ spin_unlock_irq (&dev->lock); ++ retval = usb_ep_queue (ep, req, GFP_KERNEL); ++ spin_lock_irq (&dev->lock); ++ } + dev->state = STATE_DEV_CONNECTED; + + /* assume that was SET_CONFIGURATION */ +@@ -1457,8 +1460,11 @@ delegate: + w_length); + if (value < 0) + break; ++ ++ spin_unlock (&dev->lock); + value = usb_ep_queue (gadget->ep0, dev->req, +- GFP_ATOMIC); ++ GFP_KERNEL); ++ spin_lock (&dev->lock); + if (value < 0) { + clean_req (gadget->ep0, dev->req); + break; +@@ -1481,11 +1487,14 @@ delegate: + if (value >= 0 && dev->state != STATE_DEV_SETUP) { + req->length = value; + req->zero = value < w_length; +- value = usb_ep_queue (gadget->ep0, req, GFP_ATOMIC); ++ ++ spin_unlock (&dev->lock); ++ value = usb_ep_queue (gadget->ep0, req, GFP_KERNEL); + if (value < 0) { + DBG (dev, "ep_queue --> %d\n", value); + req->status = 0; + } ++ return value; + } + + /* device stalls when value < 0 */ +diff --git a/drivers/usb/host/ehci-tegra.c b/drivers/usb/host/ehci-tegra.c +index 4031b372008e..c1c1024a054c 100644 +--- a/drivers/usb/host/ehci-tegra.c ++++ b/drivers/usb/host/ehci-tegra.c +@@ -89,7 +89,7 @@ static int tegra_reset_usb_controller(struct platform_device *pdev) + if (!usb1_reset_attempted) { + struct reset_control *usb1_reset; + +- usb1_reset = of_reset_control_get(phy_np, "usb"); ++ usb1_reset = of_reset_control_get(phy_np, "utmi-pads"); + if (IS_ERR(usb1_reset)) { + dev_warn(&pdev->dev, + "can't get utmi-pads reset from the PHY\n"); +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index 48672fac7ff3..c10972fcc8e4 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -37,6 +37,7 @@ + /* Device for a quirk */ + #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73 + #define PCI_DEVICE_ID_FRESCO_LOGIC_PDK 0x1000 ++#define PCI_DEVICE_ID_FRESCO_LOGIC_FL1009 0x1009 + #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1400 0x1400 + + #define PCI_VENDOR_ID_ETRON 0x1b6f +@@ -114,6 +115,10 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + xhci->quirks |= XHCI_TRUST_TX_LENGTH; + } + ++ if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC && ++ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1009) ++ xhci->quirks |= XHCI_BROKEN_STREAMS; ++ + if (pdev->vendor == PCI_VENDOR_ID_NEC) + xhci->quirks |= XHCI_NEC_HOST; + +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index 474b5fa14900..d6e2b2751e50 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -194,6 +194,9 @@ static int xhci_plat_probe(struct platform_device *pdev) + ret = clk_prepare_enable(clk); + if (ret) + goto put_hcd; ++ } else if (PTR_ERR(clk) == -EPROBE_DEFER) { ++ ret = -EPROBE_DEFER; ++ goto put_hcd; + } + + xhci = hcd_to_xhci(hcd); +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 99b4ff42f7a0..8b5b2aca277d 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -290,6 +290,14 @@ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci) + + temp_64 = xhci_read_64(xhci, &xhci->op_regs->cmd_ring); + xhci->cmd_ring_state = CMD_RING_STATE_ABORTED; ++ ++ /* ++ * Writing the CMD_RING_ABORT bit should cause a cmd completion event, ++ * however on some host hw the CMD_RING_RUNNING bit is correctly cleared ++ * but the completion event in never sent. Use the cmd timeout timer to ++ * handle those cases. Use twice the time to cover the bit polling retry ++ */ ++ mod_timer(&xhci->cmd_timer, jiffies + (2 * XHCI_CMD_DEFAULT_TIMEOUT)); + xhci_write_64(xhci, temp_64 | CMD_RING_ABORT, + &xhci->op_regs->cmd_ring); + +@@ -314,6 +322,7 @@ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci) + + xhci_err(xhci, "Stopped the command ring failed, " + "maybe the host is dead\n"); ++ del_timer(&xhci->cmd_timer); + xhci->xhc_state |= XHCI_STATE_DYING; + xhci_quiesce(xhci); + xhci_halt(xhci); +@@ -1253,22 +1262,21 @@ void xhci_handle_command_timeout(unsigned long data) + int ret; + unsigned long flags; + u64 hw_ring_state; +- struct xhci_command *cur_cmd = NULL; ++ bool second_timeout = false; + xhci = (struct xhci_hcd *) data; + + /* mark this command to be cancelled */ + spin_lock_irqsave(&xhci->lock, flags); + if (xhci->current_cmd) { +- cur_cmd = xhci->current_cmd; +- cur_cmd->status = COMP_CMD_ABORT; ++ if (xhci->current_cmd->status == COMP_CMD_ABORT) ++ second_timeout = true; ++ xhci->current_cmd->status = COMP_CMD_ABORT; + } + +- + /* Make sure command ring is running before aborting it */ + hw_ring_state = xhci_read_64(xhci, &xhci->op_regs->cmd_ring); + if ((xhci->cmd_ring_state & CMD_RING_STATE_RUNNING) && + (hw_ring_state & CMD_RING_RUNNING)) { +- + spin_unlock_irqrestore(&xhci->lock, flags); + xhci_dbg(xhci, "Command timeout\n"); + ret = xhci_abort_cmd_ring(xhci); +@@ -1280,6 +1288,15 @@ void xhci_handle_command_timeout(unsigned long data) + } + return; + } ++ ++ /* command ring failed to restart, or host removed. Bail out */ ++ if (second_timeout || xhci->xhc_state & XHCI_STATE_REMOVING) { ++ spin_unlock_irqrestore(&xhci->lock, flags); ++ xhci_dbg(xhci, "command timed out twice, ring start fail?\n"); ++ xhci_cleanup_command_queue(xhci); ++ return; ++ } ++ + /* command timeout on stopped ring, ring can't be aborted */ + xhci_dbg(xhci, "Command timeout on stopped ring\n"); + xhci_handle_stopped_cmd_ring(xhci, xhci->current_cmd); +@@ -2728,7 +2745,8 @@ hw_died: + writel(irq_pending, &xhci->ir_set->irq_pending); + } + +- if (xhci->xhc_state & XHCI_STATE_DYING) { ++ if (xhci->xhc_state & XHCI_STATE_DYING || ++ xhci->xhc_state & XHCI_STATE_HALTED) { + xhci_dbg(xhci, "xHCI dying, ignoring interrupt. " + "Shouldn't IRQs be disabled?\n"); + /* Clear the event handler busy flag (RW1C); +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 9e71c96ad74a..327280535848 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -685,20 +685,23 @@ void xhci_stop(struct usb_hcd *hcd) + u32 temp; + struct xhci_hcd *xhci = hcd_to_xhci(hcd); + +- if (xhci->xhc_state & XHCI_STATE_HALTED) +- return; +- + mutex_lock(&xhci->mutex); +- spin_lock_irq(&xhci->lock); +- xhci->xhc_state |= XHCI_STATE_HALTED; +- xhci->cmd_ring_state = CMD_RING_STATE_STOPPED; + +- /* Make sure the xHC is halted for a USB3 roothub +- * (xhci_stop() could be called as part of failed init). +- */ +- xhci_halt(xhci); +- xhci_reset(xhci); +- spin_unlock_irq(&xhci->lock); ++ if (!(xhci->xhc_state & XHCI_STATE_HALTED)) { ++ spin_lock_irq(&xhci->lock); ++ ++ xhci->xhc_state |= XHCI_STATE_HALTED; ++ xhci->cmd_ring_state = CMD_RING_STATE_STOPPED; ++ xhci_halt(xhci); ++ xhci_reset(xhci); ++ ++ spin_unlock_irq(&xhci->lock); ++ } ++ ++ if (!usb_hcd_is_primary_hcd(hcd)) { ++ mutex_unlock(&xhci->mutex); ++ return; ++ } + + xhci_cleanup_msix(xhci); + +diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c +index 39fd95833eb8..c84f4d0816e5 100644 +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -2429,7 +2429,8 @@ static void musb_restore_context(struct musb *musb) + musb_writew(musb_base, MUSB_INTRTXE, musb->intrtxe); + musb_writew(musb_base, MUSB_INTRRXE, musb->intrrxe); + musb_writeb(musb_base, MUSB_INTRUSBE, musb->context.intrusbe); +- musb_writeb(musb_base, MUSB_DEVCTL, musb->context.devctl); ++ if (musb->context.devctl & MUSB_DEVCTL_SESSION) ++ musb_writeb(musb_base, MUSB_DEVCTL, musb->context.devctl); + + for (i = 0; i < musb->config->num_eps; ++i) { + struct musb_hw_ep *hw_ep; +diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c +index 2f8ad7f1f482..8ff03228540a 100644 +--- a/drivers/usb/musb/musb_host.c ++++ b/drivers/usb/musb/musb_host.c +@@ -594,14 +594,13 @@ musb_rx_reinit(struct musb *musb, struct musb_qh *qh, u8 epnum) + musb_writew(ep->regs, MUSB_TXCSR, 0); + + /* scrub all previous state, clearing toggle */ +- } else { +- csr = musb_readw(ep->regs, MUSB_RXCSR); +- if (csr & MUSB_RXCSR_RXPKTRDY) +- WARNING("rx%d, packet/%d ready?\n", ep->epnum, +- musb_readw(ep->regs, MUSB_RXCOUNT)); +- +- musb_h_flush_rxfifo(ep, MUSB_RXCSR_CLRDATATOG); + } ++ csr = musb_readw(ep->regs, MUSB_RXCSR); ++ if (csr & MUSB_RXCSR_RXPKTRDY) ++ WARNING("rx%d, packet/%d ready?\n", ep->epnum, ++ musb_readw(ep->regs, MUSB_RXCOUNT)); ++ ++ musb_h_flush_rxfifo(ep, MUSB_RXCSR_CLRDATATOG); + + /* target addr and (for multipoint) hub addr/port */ + if (musb->is_multipoint) { +@@ -995,9 +994,15 @@ static void musb_bulk_nak_timeout(struct musb *musb, struct musb_hw_ep *ep, + if (is_in) { + dma = is_dma_capable() ? ep->rx_channel : NULL; + +- /* clear nak timeout bit */ ++ /* ++ * Need to stop the transaction by clearing REQPKT first ++ * then the NAK Timeout bit ref MUSBMHDRC USB 2.0 HIGH-SPEED ++ * DUAL-ROLE CONTROLLER Programmer's Guide, section 9.2.2 ++ */ + rx_csr = musb_readw(epio, MUSB_RXCSR); + rx_csr |= MUSB_RXCSR_H_WZC_BITS; ++ rx_csr &= ~MUSB_RXCSR_H_REQPKT; ++ musb_writew(epio, MUSB_RXCSR, rx_csr); + rx_csr &= ~MUSB_RXCSR_DATAERROR; + musb_writew(epio, MUSB_RXCSR, rx_csr); + +@@ -1551,7 +1556,7 @@ static int musb_rx_dma_iso_cppi41(struct dma_controller *dma, + struct urb *urb, + size_t len) + { +- struct dma_channel *channel = hw_ep->tx_channel; ++ struct dma_channel *channel = hw_ep->rx_channel; + void __iomem *epio = hw_ep->regs; + dma_addr_t *buf; + u32 length, res; +diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c +index 2eddbe538cda..5608af4a369d 100644 +--- a/drivers/usb/serial/mos7720.c ++++ b/drivers/usb/serial/mos7720.c +@@ -2007,6 +2007,7 @@ static void mos7720_release(struct usb_serial *serial) + urblist_entry) + usb_unlink_urb(urbtrack->urb); + spin_unlock_irqrestore(&mos_parport->listlock, flags); ++ parport_del_port(mos_parport->pp); + + kref_put(&mos_parport->ref_count, destroy_mos_parport); + } +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index 16bc679dc2fc..ecc7d4b1dfa3 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -835,6 +835,7 @@ static int uas_slave_configure(struct scsi_device *sdev) + if (devinfo->flags & US_FL_BROKEN_FUA) + sdev->broken_fua = 1; + ++ scsi_change_queue_depth(sdev, devinfo->qdepth - 2); + return 0; + } + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index f1d5c5acc8dd..ca80d5830bfd 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -229,6 +229,10 @@ static inline struct bpf_prog *bpf_prog_get(u32 ufd) + static inline void bpf_prog_put(struct bpf_prog *prog) + { + } ++ ++static inline void bpf_prog_put_rcu(struct bpf_prog *prog) ++{ ++} + #endif /* CONFIG_BPF_SYSCALL */ + + /* verifier prototypes for helper functions called from eBPF programs */ +diff --git a/include/linux/net.h b/include/linux/net.h +index f840d77c6c31..9d90efe6a708 100644 +--- a/include/linux/net.h ++++ b/include/linux/net.h +@@ -252,7 +252,8 @@ do { \ + DEFINE_DYNAMIC_DEBUG_METADATA(descriptor, fmt); \ + if (unlikely(descriptor.flags & _DPRINTK_FLAGS_PRINT) && \ + net_ratelimit()) \ +- __dynamic_pr_debug(&descriptor, fmt, ##__VA_ARGS__); \ ++ __dynamic_pr_debug(&descriptor, pr_fmt(fmt), \ ++ ##__VA_ARGS__); \ + } while (0) + #elif defined(DEBUG) + #define net_dbg_ratelimited(fmt, ...) \ +diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h +index 4018b48f2b3b..a0596ca0e80a 100644 +--- a/include/linux/sock_diag.h ++++ b/include/linux/sock_diag.h +@@ -36,6 +36,9 @@ enum sknetlink_groups sock_diag_destroy_group(const struct sock *sk) + { + switch (sk->sk_family) { + case AF_INET: ++ if (sk->sk_type == SOCK_RAW) ++ return SKNLGRP_NONE; ++ + switch (sk->sk_protocol) { + case IPPROTO_TCP: + return SKNLGRP_INET_TCP_DESTROY; +@@ -45,6 +48,9 @@ enum sknetlink_groups sock_diag_destroy_group(const struct sock *sk) + return SKNLGRP_NONE; + } + case AF_INET6: ++ if (sk->sk_type == SOCK_RAW) ++ return SKNLGRP_NONE; ++ + switch (sk->sk_protocol) { + case IPPROTO_TCP: + return SKNLGRP_INET6_TCP_DESTROY; +diff --git a/kernel/events/core.c b/kernel/events/core.c +index c0ded2416615..a69c90cea05d 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -7143,7 +7143,7 @@ static void perf_event_free_bpf_prog(struct perf_event *event) + prog = event->tp_event->prog; + if (prog) { + event->tp_event->prog = NULL; +- bpf_prog_put(prog); ++ bpf_prog_put_rcu(prog); + } + } + +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index fbd0acf80b13..2fdebabbfacd 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -976,7 +976,8 @@ static int ax25_release(struct socket *sock) + release_sock(sk); + ax25_disconnect(ax25, 0); + lock_sock(sk); +- ax25_destroy_socket(ax25); ++ if (!sock_flag(ax25->sk, SOCK_DESTROY)) ++ ax25_destroy_socket(ax25); + break; + + case AX25_STATE_3: +diff --git a/net/ax25/ax25_ds_timer.c b/net/ax25/ax25_ds_timer.c +index 951cd57bb07d..5237dff6941d 100644 +--- a/net/ax25/ax25_ds_timer.c ++++ b/net/ax25/ax25_ds_timer.c +@@ -102,6 +102,7 @@ void ax25_ds_heartbeat_expiry(ax25_cb *ax25) + switch (ax25->state) { + + case AX25_STATE_0: ++ case AX25_STATE_2: + /* Magic here: If we listen() and a new link dies before it + is accepted() it isn't 'dead' so doesn't get removed. */ + if (!sk || sock_flag(sk, SOCK_DESTROY) || +@@ -111,6 +112,7 @@ void ax25_ds_heartbeat_expiry(ax25_cb *ax25) + sock_hold(sk); + ax25_destroy_socket(ax25); + bh_unlock_sock(sk); ++ /* Ungrab socket and destroy it */ + sock_put(sk); + } else + ax25_destroy_socket(ax25); +@@ -213,7 +215,8 @@ void ax25_ds_t1_timeout(ax25_cb *ax25) + case AX25_STATE_2: + if (ax25->n2count == ax25->n2) { + ax25_send_control(ax25, AX25_DISC, AX25_POLLON, AX25_COMMAND); +- ax25_disconnect(ax25, ETIMEDOUT); ++ if (!sock_flag(ax25->sk, SOCK_DESTROY)) ++ ax25_disconnect(ax25, ETIMEDOUT); + return; + } else { + ax25->n2count++; +diff --git a/net/ax25/ax25_std_timer.c b/net/ax25/ax25_std_timer.c +index 004467c9e6e1..2c0d6ef66f9d 100644 +--- a/net/ax25/ax25_std_timer.c ++++ b/net/ax25/ax25_std_timer.c +@@ -38,6 +38,7 @@ void ax25_std_heartbeat_expiry(ax25_cb *ax25) + + switch (ax25->state) { + case AX25_STATE_0: ++ case AX25_STATE_2: + /* Magic here: If we listen() and a new link dies before it + is accepted() it isn't 'dead' so doesn't get removed. */ + if (!sk || sock_flag(sk, SOCK_DESTROY) || +@@ -47,6 +48,7 @@ void ax25_std_heartbeat_expiry(ax25_cb *ax25) + sock_hold(sk); + ax25_destroy_socket(ax25); + bh_unlock_sock(sk); ++ /* Ungrab socket and destroy it */ + sock_put(sk); + } else + ax25_destroy_socket(ax25); +@@ -144,7 +146,8 @@ void ax25_std_t1timer_expiry(ax25_cb *ax25) + case AX25_STATE_2: + if (ax25->n2count == ax25->n2) { + ax25_send_control(ax25, AX25_DISC, AX25_POLLON, AX25_COMMAND); +- ax25_disconnect(ax25, ETIMEDOUT); ++ if (!sock_flag(ax25->sk, SOCK_DESTROY)) ++ ax25_disconnect(ax25, ETIMEDOUT); + return; + } else { + ax25->n2count++; +diff --git a/net/ax25/ax25_subr.c b/net/ax25/ax25_subr.c +index 3b78e8473a01..655a7d4c96e1 100644 +--- a/net/ax25/ax25_subr.c ++++ b/net/ax25/ax25_subr.c +@@ -264,7 +264,8 @@ void ax25_disconnect(ax25_cb *ax25, int reason) + { + ax25_clear_queues(ax25); + +- ax25_stop_heartbeat(ax25); ++ if (!sock_flag(ax25->sk, SOCK_DESTROY)) ++ ax25_stop_heartbeat(ax25); + ax25_stop_t1timer(ax25); + ax25_stop_t2timer(ax25); + ax25_stop_t3timer(ax25); +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index 6852f3c7009c..43844144c9c4 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -464,8 +464,11 @@ static struct sk_buff *br_ip6_multicast_alloc_query(struct net_bridge *br, + if (ipv6_dev_get_saddr(dev_net(br->dev), br->dev, &ip6h->daddr, 0, + &ip6h->saddr)) { + kfree_skb(skb); ++ br->has_ipv6_addr = 0; + return NULL; + } ++ ++ br->has_ipv6_addr = 1; + ipv6_eth_mc_map(&ip6h->daddr, eth->h_dest); + + hopopt = (u8 *)(ip6h + 1); +@@ -1745,6 +1748,7 @@ void br_multicast_init(struct net_bridge *br) + br->ip6_other_query.delay_time = 0; + br->ip6_querier.port = NULL; + #endif ++ br->has_ipv6_addr = 1; + + spin_lock_init(&br->multicast_lock); + setup_timer(&br->multicast_router_timer, +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index d9da857182ef..f516c53bafb6 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -304,6 +304,7 @@ struct net_bridge + u8 multicast_disabled:1; + u8 multicast_querier:1; + u8 multicast_query_use_ifaddr:1; ++ u8 has_ipv6_addr:1; + + u32 hash_elasticity; + u32 hash_max; +@@ -577,10 +578,22 @@ static inline bool br_multicast_is_router(struct net_bridge *br) + + static inline bool + __br_multicast_querier_exists(struct net_bridge *br, +- struct bridge_mcast_other_query *querier) ++ struct bridge_mcast_other_query *querier, ++ const bool is_ipv6) + { ++ bool own_querier_enabled; ++ ++ if (br->multicast_querier) { ++ if (is_ipv6 && !br->has_ipv6_addr) ++ own_querier_enabled = false; ++ else ++ own_querier_enabled = true; ++ } else { ++ own_querier_enabled = false; ++ } ++ + return time_is_before_jiffies(querier->delay_time) && +- (br->multicast_querier || timer_pending(&querier->timer)); ++ (own_querier_enabled || timer_pending(&querier->timer)); + } + + static inline bool br_multicast_querier_exists(struct net_bridge *br, +@@ -588,10 +601,12 @@ static inline bool br_multicast_querier_exists(struct net_bridge *br, + { + switch (eth->h_proto) { + case (htons(ETH_P_IP)): +- return __br_multicast_querier_exists(br, &br->ip4_other_query); ++ return __br_multicast_querier_exists(br, ++ &br->ip4_other_query, false); + #if IS_ENABLED(CONFIG_IPV6) + case (htons(ETH_P_IPV6)): +- return __br_multicast_querier_exists(br, &br->ip6_other_query); ++ return __br_multicast_querier_exists(br, ++ &br->ip6_other_query, true); + #endif + default: + return false; +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index f18ae91b652e..769cece9b00b 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -2467,13 +2467,17 @@ int neigh_xmit(int index, struct net_device *dev, + tbl = neigh_tables[index]; + if (!tbl) + goto out; ++ rcu_read_lock_bh(); + neigh = __neigh_lookup_noref(tbl, addr, dev); + if (!neigh) + neigh = __neigh_create(tbl, addr, dev, false); + err = PTR_ERR(neigh); +- if (IS_ERR(neigh)) ++ if (IS_ERR(neigh)) { ++ rcu_read_unlock_bh(); + goto out_kfree_skb; ++ } + err = neigh->output(neigh, skb); ++ rcu_read_unlock_bh(); + } + else if (index == NEIGH_LINK_TABLE) { + err = dev_hard_header(skb, dev, ntohs(skb->protocol), +diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c +index 477937465a20..d95631d09248 100644 +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -23,6 +23,11 @@ struct esp_skb_cb { + void *tmp; + }; + ++struct esp_output_extra { ++ __be32 seqhi; ++ u32 esphoff; ++}; ++ + #define ESP_SKB_CB(__skb) ((struct esp_skb_cb *)&((__skb)->cb[0])) + + static u32 esp4_get_mtu(struct xfrm_state *x, int mtu); +@@ -35,11 +40,11 @@ static u32 esp4_get_mtu(struct xfrm_state *x, int mtu); + * + * TODO: Use spare space in skb for this where possible. + */ +-static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags, int seqhilen) ++static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags, int extralen) + { + unsigned int len; + +- len = seqhilen; ++ len = extralen; + + len += crypto_aead_ivsize(aead); + +@@ -57,15 +62,16 @@ static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags, int seqhilen) + return kmalloc(len, GFP_ATOMIC); + } + +-static inline __be32 *esp_tmp_seqhi(void *tmp) ++static inline void *esp_tmp_extra(void *tmp) + { +- return PTR_ALIGN((__be32 *)tmp, __alignof__(__be32)); ++ return PTR_ALIGN(tmp, __alignof__(struct esp_output_extra)); + } +-static inline u8 *esp_tmp_iv(struct crypto_aead *aead, void *tmp, int seqhilen) ++ ++static inline u8 *esp_tmp_iv(struct crypto_aead *aead, void *tmp, int extralen) + { + return crypto_aead_ivsize(aead) ? +- PTR_ALIGN((u8 *)tmp + seqhilen, +- crypto_aead_alignmask(aead) + 1) : tmp + seqhilen; ++ PTR_ALIGN((u8 *)tmp + extralen, ++ crypto_aead_alignmask(aead) + 1) : tmp + extralen; + } + + static inline struct aead_request *esp_tmp_req(struct crypto_aead *aead, u8 *iv) +@@ -99,7 +105,7 @@ static void esp_restore_header(struct sk_buff *skb, unsigned int offset) + { + struct ip_esp_hdr *esph = (void *)(skb->data + offset); + void *tmp = ESP_SKB_CB(skb)->tmp; +- __be32 *seqhi = esp_tmp_seqhi(tmp); ++ __be32 *seqhi = esp_tmp_extra(tmp); + + esph->seq_no = esph->spi; + esph->spi = *seqhi; +@@ -107,7 +113,11 @@ static void esp_restore_header(struct sk_buff *skb, unsigned int offset) + + static void esp_output_restore_header(struct sk_buff *skb) + { +- esp_restore_header(skb, skb_transport_offset(skb) - sizeof(__be32)); ++ void *tmp = ESP_SKB_CB(skb)->tmp; ++ struct esp_output_extra *extra = esp_tmp_extra(tmp); ++ ++ esp_restore_header(skb, skb_transport_offset(skb) + extra->esphoff - ++ sizeof(__be32)); + } + + static void esp_output_done_esn(struct crypto_async_request *base, int err) +@@ -121,6 +131,7 @@ static void esp_output_done_esn(struct crypto_async_request *base, int err) + static int esp_output(struct xfrm_state *x, struct sk_buff *skb) + { + int err; ++ struct esp_output_extra *extra; + struct ip_esp_hdr *esph; + struct crypto_aead *aead; + struct aead_request *req; +@@ -137,8 +148,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) + int tfclen; + int nfrags; + int assoclen; +- int seqhilen; +- __be32 *seqhi; ++ int extralen; + __be64 seqno; + + /* skb is pure payload to encrypt */ +@@ -166,21 +176,21 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) + nfrags = err; + + assoclen = sizeof(*esph); +- seqhilen = 0; ++ extralen = 0; + + if (x->props.flags & XFRM_STATE_ESN) { +- seqhilen += sizeof(__be32); +- assoclen += seqhilen; ++ extralen += sizeof(*extra); ++ assoclen += sizeof(__be32); + } + +- tmp = esp_alloc_tmp(aead, nfrags, seqhilen); ++ tmp = esp_alloc_tmp(aead, nfrags, extralen); + if (!tmp) { + err = -ENOMEM; + goto error; + } + +- seqhi = esp_tmp_seqhi(tmp); +- iv = esp_tmp_iv(aead, tmp, seqhilen); ++ extra = esp_tmp_extra(tmp); ++ iv = esp_tmp_iv(aead, tmp, extralen); + req = esp_tmp_req(aead, iv); + sg = esp_req_sg(aead, req); + +@@ -247,8 +257,10 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) + * encryption. + */ + if ((x->props.flags & XFRM_STATE_ESN)) { +- esph = (void *)(skb_transport_header(skb) - sizeof(__be32)); +- *seqhi = esph->spi; ++ extra->esphoff = (unsigned char *)esph - ++ skb_transport_header(skb); ++ esph = (struct ip_esp_hdr *)((unsigned char *)esph - 4); ++ extra->seqhi = esph->spi; + esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.hi); + aead_request_set_callback(req, 0, esp_output_done_esn, skb); + } +@@ -445,7 +457,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb) + goto out; + + ESP_SKB_CB(skb)->tmp = tmp; +- seqhi = esp_tmp_seqhi(tmp); ++ seqhi = esp_tmp_extra(tmp); + iv = esp_tmp_iv(aead, tmp, seqhilen); + req = esp_tmp_req(aead, iv); + sg = esp_req_sg(aead, req); +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index 395e2814a46d..a42dd8021b6b 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -891,8 +891,10 @@ static struct mfc_cache *ipmr_cache_alloc(void) + { + struct mfc_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL); + +- if (c) ++ if (c) { ++ c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1; + c->mfc_un.res.minvif = MAXVIFS; ++ } + return c; + } + +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c +index a10e77103c88..e207cb2468da 100644 +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -1074,6 +1074,7 @@ static struct mfc6_cache *ip6mr_cache_alloc(void) + struct mfc6_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL); + if (!c) + return NULL; ++ c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1; + c->mfc_un.res.minvif = MAXMIFS; + return c; + } +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index 83384308d032..6c53e4eb0f09 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -560,13 +560,13 @@ static int ipip6_err(struct sk_buff *skb, u32 info) + + if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) { + ipv4_update_pmtu(skb, dev_net(skb->dev), info, +- t->parms.link, 0, IPPROTO_IPV6, 0); ++ t->parms.link, 0, iph->protocol, 0); + err = 0; + goto out; + } + if (type == ICMP_REDIRECT) { + ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0, +- IPPROTO_IPV6, 0); ++ iph->protocol, 0); + err = 0; + goto out; + } +diff --git a/net/kcm/kcmproc.c b/net/kcm/kcmproc.c +index 738008726cc6..fda7f4715c58 100644 +--- a/net/kcm/kcmproc.c ++++ b/net/kcm/kcmproc.c +@@ -241,6 +241,7 @@ static const struct file_operations kcm_seq_fops = { + .open = kcm_seq_open, + .read = seq_read, + .llseek = seq_lseek, ++ .release = seq_release_net, + }; + + static struct kcm_seq_muxinfo kcm_seq_muxinfo = { +diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c +index 8b5270008a6e..606323339e1f 100644 +--- a/net/sched/act_ipt.c ++++ b/net/sched/act_ipt.c +@@ -121,10 +121,13 @@ static int __tcf_ipt_init(struct tc_action_net *tn, struct nlattr *nla, + } + + td = (struct xt_entry_target *)nla_data(tb[TCA_IPT_TARG]); +- if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size) ++ if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size) { ++ if (exists) ++ tcf_hash_release(a, bind); + return -EINVAL; ++ } + +- if (!tcf_hash_check(tn, index, a, bind)) { ++ if (!exists) { + ret = tcf_hash_create(tn, index, est, a, sizeof(*ipt), bind, + false); + if (ret) +diff --git a/net/sched/sch_fifo.c b/net/sched/sch_fifo.c +index 2177eac0a61e..2e4bd2c0a50c 100644 +--- a/net/sched/sch_fifo.c ++++ b/net/sched/sch_fifo.c +@@ -37,14 +37,18 @@ static int pfifo_enqueue(struct sk_buff *skb, struct Qdisc *sch) + + static int pfifo_tail_enqueue(struct sk_buff *skb, struct Qdisc *sch) + { ++ unsigned int prev_backlog; ++ + if (likely(skb_queue_len(&sch->q) < sch->limit)) + return qdisc_enqueue_tail(skb, sch); + ++ prev_backlog = sch->qstats.backlog; + /* queue full, remove one skb to fulfill the limit */ + __qdisc_queue_drop_head(sch, &sch->q); + qdisc_qstats_drop(sch); + qdisc_enqueue_tail(skb, sch); + ++ qdisc_tree_reduce_backlog(sch, 0, prev_backlog - sch->qstats.backlog); + return NET_XMIT_CN; + } + +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c +index 4befe97a9034..b7c29d5b6f04 100644 +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -650,14 +650,14 @@ deliver: + #endif + + if (q->qdisc) { ++ unsigned int pkt_len = qdisc_pkt_len(skb); + int err = qdisc_enqueue(skb, q->qdisc); + +- if (unlikely(err != NET_XMIT_SUCCESS)) { +- if (net_xmit_drop_count(err)) { +- qdisc_qstats_drop(sch); +- qdisc_tree_reduce_backlog(sch, 1, +- qdisc_pkt_len(skb)); +- } ++ if (err != NET_XMIT_SUCCESS && ++ net_xmit_drop_count(err)) { ++ qdisc_qstats_drop(sch); ++ qdisc_tree_reduce_backlog(sch, 1, ++ pkt_len); + } + goto tfifo_dequeue; + } ++++++ series.conf ++++++ --- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:53.000000000 +0200 +++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:53.000000000 +0200 @@ -30,6 +30,7 @@ patches.kernel.org/patch-4.6.1 patches.kernel.org/patch-4.6.1-2 patches.kernel.org/patch-4.6.2-3 + patches.kernel.org/patch-4.6.3-4 ######################################################## # Build fixes that apply to the vanilla kernel too. @@ -249,6 +250,9 @@ # NFS ######################################################## + patches.fixes/0001-posix_acl-Add-set_posix_acl.patch + patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch + ######################################################## # lockd + statd ######################################################## @@ -376,7 +380,6 @@ # USB ######################################################## - patches.drivers/0001-Subject-PATCH-USB-xhci-Add-broken-streams-quirk-for-.patch ######################################################## # I2C @@ -452,6 +455,7 @@ # patches.apparmor/apparmor-profiles-seq_file patches.apparmor/apparmor-temporary-work-around-for-bug-while-unloadi patches.apparmor/apparmor-allow-sys_cap_resource-to-be-sufficient-to-prlimit-another-task + patches.fixes/apparmor-fix-oops-validate-buffer-size-in-apparmor_s ######################################################## # Address space layout randomization ++++++ source-timestamp ++++++ --- /var/tmp/diff_new_pack.Iq1OYX/_old 2016-07-18 21:17:53.000000000 +0200 +++ /var/tmp/diff_new_pack.Iq1OYX/_new 2016-07-18 21:17:53.000000000 +0200 @@ -1,3 +1,3 @@ -2016-06-26 09:34:33 +0200 -GIT Revision: d4bcf2abd85a8d69da9d3f3e4e5dc57c556bca61 +2016-07-11 19:59:12 +0200 +GIT Revision: 103c93658e0b44729ee8882c4eee7d9b9bc5386d GIT Branch: stable